From 89bb28f267c81965f03e936cbc9e6902c9908307 Mon Sep 17 00:00:00 2001
From: Michael Schwarz
Date: Wed, 24 Apr 2013 13:20:16 +0200
Subject: [PATCH] Do some spoofcheks even in ipv6. This is probably not complete
---
 share/plugins/plugin.d/create_chain_spoofcheck | 25 ++++++++++++++++++++++++
 share/plugins/plugin.d/drop_spoofed_packets_ | 1 +
 2 files changed, 26 insertions(+)
diff --git a/share/plugins/plugin.d/create_chain_spoofcheck b/share/plugins/plugin.d/create_chain_spoofcheck
index f03739f..48e291b 100755
--- a/share/plugins/plugin.d/create_chain_spoofcheck
+++ b/share/plugins/plugin.d/create_chain_spoofcheck
@@ -43,3 +43,28 @@ iptables -A spoofcheck -p all -i ! lo -s 127.0.0.0/8 -j LOG --log-prefix "alff s
 iptables -A spoofcheck -p all -i ! lo -s 127.0.0.0/8 -j DROP
 EOF
+
+# do the same for ipv6
+cat << EOF >&3
+##
+# Some sample networks to block, there might be more
+
+##
+# site local unicast is deprecated (RFC3879)
+ip6tables -A spoofcheck -p all -i ! lo -s fec0::/10 -j LOG --log-prefix "alff spoofed: "
+ip6tables -A spoofcheck -p all -i ! lo -s fec0::/10 -j DROP
+
+##
+# Uniqe local unicast (RFC4193) should be opt in
+ip6tables -A spoofcheck -p all -i ! lo -s fc00::/7 -j LOG --log-prefix "alff spoofed: "
+ip6tables -A spoofcheck -p all -i ! lo -s fc00::/7 -j DROP
+
+##
+# Some more deprecated networks
+
+##
+# ipv4 compability, deprecated by RFC4291
+ip6tables -A spoofcheck -p all -i ! lo -s ::/96 -j LOG --log-prefix "alff spoofed: "
+ip6tables -A spoofcheck -p all -i ! lo -s ::/96 -j DROP
+
+EOF
diff --git a/share/plugins/plugin.d/drop_spoofed_packets_ b/share/plugins/plugin.d/drop_spoofed_packets_
index 2306266..41e9b5b 100755
--- a/share/plugins/plugin.d/drop_spoofed_packets_
+++ b/share/plugins/plugin.d/drop_spoofed_packets_
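Review bot: The two `-s ::/96` rules at the end of the new here-document also match the unspecified address `::` (it is `::/128` inside that prefix), which is the mandatory source address of Duplicate Address Detection neighbour solicitations (RFC 4862); if the spoofcheck chain ends up hooked into INPUT or FORWARD, neighbours' DAD probes are logged and dropped and this host no longer defends its own addresses against duplicates. Exempt them before the drop, e.g. `ip6tables -A spoofcheck -p icmpv6 --icmpv6-type 135 -s ::/128 -j RETURN` (135 = neighbour solicitation), or narrow the match so `::` itself is not covered. The IPv6 list is also missing the direct counterparts of the IPv4 context lines just above it — loopback `::1/128` and IPv4-mapped `::ffff:0:0/96` arriving on `-i ! lo` — which are the most common IPv6 spoof sources. Note too that `fc00::/7` (ULA) is dropped unconditionally although the comment says it "should be opt in"; sites that use fd00::/8 internally will silently lose that traffic. The chain creation these appends rely on is outside the hunk, so confirm that the `iptables -N spoofcheck` presumably done earlier in this file has an `ip6tables -N spoofcheck` twin, otherwise every `ip6tables -A spoofcheck` here fails at load time.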
@@ -28,6 +28,7 @@ if [ "${chain}" ]; then
 if [ "${valid_chain}" = 'true' ]; then
 echo " * Creating rule to DROP spoofed packets... "
 echo "iptables -A ${chain} -j spoofcheck" >&3
+ echo "ip6tables -A ${chain} -j spoofcheck" >&3
 else
 echo "Error: Chain \"spoofcheck\" does not exist, but should be hooked in into ${chain}!">&2
 fi
-- 
1.7.10.4
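Review bot: The added `echo "ip6tables -A ${chain} -j spoofcheck" >&3` is guarded only by `valid_chain`, which is computed outside this hunk and, judging by the IPv4-only wording of the else-branch error, appears to validate the iptables `spoofcheck` chain; nothing here confirms that an IPv6 `spoofcheck` chain (or `${chain}` itself) exists in ip6tables, so the generated rule can fail when the output script is loaded and leave IPv6 traffic with no spoof filter while IPv4 is protected — or abort the whole load if the consumer runs under `set -e`. Either extend the validation to both families or emit the ip6tables jump under its own check, e.g. `echo "ip6tables -L spoofcheck -n >/dev/null 2>&1 && ip6tables -A ${chain} -j spoofcheck" >&3`. The else-branch message now also covers ip6tables and could say which family is missing the chain. The enclosing `if [ "${chain}" ]` starts before the hunk.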