    ~ BugFix! In checkIPArgFormat() and obtainNetPrefix() the regex expressions were revised. · 2e2bf5a2
    Branko Mikić authored
    ~ obtainRuleIndices() didn't force hostnames of iptables output to be numeric only but could also be a FQDN entry, which led the regex expression to fail.
    ~ BugFix! In the FORWARD_SUBNET_PROTECTIVE chain the ID could easily exceed the maximum length when used with IPv6, as they can naturally grow very large if short (::) notation is omitted. Especially when such an ID is used e.g. as a chain name!
    Therefore the chain name for forwarded IPv6 subnets now uses 'cksum' instead of the ID returned by the formatSubnetAsHexID() function.
    The new ID format is now a shorter version to fit them into chain names as well as comment fields of iptables.
    ~ In the BASE_RULE_SET command using the ANTI-FLOOD chain on anything regardless of being internal or external traffic wasn't a good idea at all. So the new LOCAL chain now allows internal traffic before ANTI-FLOOD protection is applied, while any external traffic still needs to pass the ANTI-FLOOD and INVALID chains without creating wild, complex exceptions in the BLOCK chain to distinguish invalid, internal traffic from invalid, external traffic.
    ~ By reordering the rules in the BASE_RULE_SET a lot of stuff was simplified to be used on both (IPv4|6) protocols in the same manner.
    ~ EXPERIMENTAL! A new command called 6TO4 implemented for tunneling IPv6 traffic over IPv4 links. This code is heavily experimental and not meant to be used in production environments.
    ~ NEW! ALLOW_PORT (or ALLOW_SERVICE) command implemented. This is a simple version of allowing traffic for specific ports on the router to reach local daemons.
    It would be possible to do that manually by adding a rule to the USER-IN chain but this one uses iptables' 'multiport' feature so that one rule can allow multiple ports at once. Anyway ALLOW_PORT can also be used to only allow a single port per rule.
    Attention!
    There can be reasons to _not_ do that and have implicitly one rule for allowing one port especially when the firewall rules are tweaked at runtime and removing all ports at once isn't desired.
    ~ For IPv6 the filter for RH0 headers was removed (!) as nearly any new kernel version does that on its own even without any netfilter.
    ~ Outbound traffic on safe ports (e.g. 80,443) is now allowed by default for forwarded subnets only.
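The chain-name length problem described in this commit, shown as an added example that is not the project's code: a fully expanded IPv6 subnet written as hex (the constructed `full_hex_id` stands in for the old `formatSubnetAsHexID()` style, not its real output) blows past the iptables chain-name limit, while a `cksum`-derived ID always fits. The `FWD6-` prefix, the helper names and the 28-character limit check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the project. iptables/ip6tables refuse chain
# names longer than 28 characters (XT_EXTENSION_MAXNAMELEN is 29 including the
# terminating NUL), so any ID embedded in a chain name must stay well below that.
IPT_CHAIN_MAX=28

# Hypothetical "old style" ID: the subnet as fully expanded hex (no '::' shortening)
# followed by the prefix length. $1 = 32 hex digits (constructed), $2 = prefix length.
full_hex_id() {
    printf '%s%s' "$1" "$2"
}

# Short ID in the spirit of the fix: the CRC from cksum(1) over the textual subnet.
# $1 = subnet in CIDR notation, e.g. 2001:db8:abcd:12::/64
cksum_id() {
    printf '%s' "$1" | cksum | cut -d' ' -f1
}

# Chain name built from the short ID. cksum yields at most 10 decimal digits,
# so "FWD6-" plus the ID is never longer than 15 characters.
chain_name() {
    printf 'FWD6-%s' "$(cksum_id "$1")"
}

# Returns 0 when $1 is short enough to be an iptables chain name, 1 otherwise.
chain_name_fits() {
    [ "${#1}" -le "$IPT_CHAIN_MAX" ]
}

# Stand-alone demonstration of both styles.
old="FWD6-$(full_hex_id 20010db8abcd00120000000000000000 64)"
new="$(chain_name '2001:db8:abcd:12::/64')"
chain_name_fits "$old" && echo "old style fits: $old" || echo "old style too long (${#old} chars): $old"
chain_name_fits "$new" && echo "cksum style fits: $new"
```

A 32-bit CRC can collide for two different subnets, so a script that creates chains this way should still confirm the name is unused (for example with `ip6tables -S NAME`) before creating it.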