HACK_IPV4 Option

include/functions

@@ -118,3 +118,20 @@ function show_help {
  	 echo -e "\t--help\t\tShows this info"
  	 echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
  }
+ 
+ 
+ 
+# apply_ipv4_hack $HACKS
+function apply_ipv4_hack {
+	display_c YELLOW "Applying IPv4 hack/fix:" N
+	while [ $# -gt 0 ]; do
+		case "$1" in
+		NS-IN-DDOS)
+			display_c PURPLE " ./NS/IN-DDOS-FIX"
+			$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
+			"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
+		;;	
+		esac
+		shift
+	done
+}

options.default

@@ -12,9 +12,9 @@ IP6TABLES=/bin/true
 # options you don't want to use, uncomment them to use them.
 
 # Do we want NAT/Conntrack/Forward features?
-NAT=1
-CONNTRACK=1
-FORWARD=1
+#NAT=1
+#CONNTRACK=1
+#FORWARD=1
 
 # Blocking incoming connections by default?
 BLOCKINCOMING=1
@@ -49,6 +49,15 @@ DONTTRACK="127.0.0.1"
 # IP range(s) to forward
 ROUTING=$BASEDIR/ipv4-routing
 
+
+# Hacks to either block specific kinds of attacks or fix problems
+#
+# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
+# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
+#
+HACK_IPV4="NS-IN-DDOS"
+
+
 #==============
 # Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
 # IP ranges(s) to NAT using SNAT.

rc.firewall

@@ -136,8 +136,10 @@ if [ "$CLAMPMSS" ]; then
 echo -en "\n"
 fi
 
-$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
-"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
+
+if [ $HACK_IPV4 ]; then
+	apply_ipv4_hack $HACK_IPV4
+fi
 
 if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
 	display_c YELLOW "Loading custom conntrack rules..."