    BugFixes and various changes · 34cbc9d6
    Branko Mikić authored
    ~ BugFix! getLinkMAC() accidentally checked the hardwired 'eth2' interface regardless of the argument. This has been fixed by using the argument instead.
    ~ obtainLinkOfIP() and is_local_IP() functions added.
    ~ BugFix! On RESET the raw table rulesets were never emptied and flushed. This has been fixed.
    ~ DHCP negotiation can now differentiate between initial broadcast requests and follow up requests to extend the lease.
    For everyone wondering why a DHCP request via broadcast like 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP ... is never seen by netfilter on any outgoing chain on any table: that's because most dhcp daemons are using PF_PACKET sockets for the _first_, _initial_ request, which bypasses the whole netfilter.
    To keep things more confusing, this doesn't apply for any 'ordinary' follow-up dhcp packet (only the first one!)
    See https://unix.stackexchange.com/questions/447440/ufw-iptables-not-blocking-dhcp-udp-port-67 for details.
    ~ BugFix! In DHCP chain any returning follow-up reply packet was filtered by source port set to DHCP server port (68) which is obviously wrong here. This has been fixed by accepting reply packets with any source port number.
    Attention!
    For such DHCP follow-up packets, additionally the destination address type now filters to LOCAL and limits its IP address only to be received on the configured, corresponding interface.
    ~ BugFix! Limiter is too aggressive. This has been fixed by mitigating the limiter's filter for common http(s) and email traffic.
    Additionally the hashlimit has been set to a tighter setting of >8/day for every other traffic which is explicitly configured to use the LIMITER chain.
    ~ Attention! BLOCK chain has been renamed to QUASH. All packets which were sent to BLOCK are now sent to QUASH (!)
    A lot of iptables log messages in the format "[BLOCK] (...)" have been changed for the QUASH, ANTI-FLOOD, LIMITER, ... chains to avoid confusion whether blocking is intended or just notifying a packet loss. Some are now in the format: "[CHAIN_NAME] ACTION" eg: "[LIMITER] drop" or "[DHCP] packet loss".
    ~ ALLOW_STATEFUL_PACKETS now checks IP address arguments to be an IP address on a local interface of the host.
    ~ BugFix! The USER_OUT chain of ALLOW_STATEFUL_PACKETS now allows NEW, RELATED and ESTABLISHED packets to leave for interfaces with a local IP address only (!)
    Attention!
    This doesn't apply when using ALLOW_STATEFUL_PACKETS with an interface arg (!)
    ~ LIST now shows iptables dumps for both protocols IPv(4|6)
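The DHCP follow-up rule and the local-address checks described in the commit message above, as an added example that is not the project's own code. It assumes a chain named DHCP, parses a constructed `ip -4 -o addr show` dump instead of querying the live host, and only prints the iptables command rather than applying it.

```shell
#!/bin/sh
# Added example, not the repository's code. Mirrors the commit's corrected
# DHCP follow-up rule and its is_local_IP()/obtainLinkOfIP() checks using
# plain /bin/sh + awk, so it can be read and tested without iptables.

# Constructed sample of `ip -4 -o addr show` output (not from a real host).
SAMPLE_ADDRS='2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth2    inet 10.10.0.2/24 brd 10.10.0.255 scope global eth2\       valid_lft forever preferred_lft forever'

# obtainLinkOfIP analogue: print the interface carrying IP $1 in dump $2,
# or nothing if the address is not configured locally.
iface_of_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        { split($4, a, "/"); if (a[1] == ip) { print $2; exit } }'
}

# is_local_IP analogue: succeed only if IP $1 is on some local interface.
is_local_ip() {
    [ -n "$(iface_of_ip "$1" "$2")" ]
}

# Follow-up DHCP reply rule for one interface, with the fixes from the commit:
#  - no --sport match (the old rule only accepted one fixed source port),
#  - destination must be a LOCAL address (-m addrtype --dst-type LOCAL),
#  - bound to the interface that actually holds the leased address.
# The initial 0.0.0.0:68 -> 255.255.255.255:67 request goes out over a
# PF_PACKET socket and never traverses netfilter, so it needs no rule here.
dhcp_followup_rule() {
    printf 'iptables -A DHCP -i %s -p udp --dport 68 -m addrtype --dst-type LOCAL -j ACCEPT\n' "$1"
}

# Emit the rule only when the leased IP ($1) really belongs to this host,
# i.e. the same argument check ALLOW_STATEFUL_PACKETS now performs.
dhcp_rule_for_lease() {
    iface=$(iface_of_ip "$1" "$2")
    [ -n "$iface" ] || return 1
    dhcp_followup_rule "$iface"
}
```

Run `dhcp_rule_for_lease 10.10.0.2 "$SAMPLE_ADDRS"` to see the rule bound to eth2; an address not present in the dump yields no rule and a non-zero exit.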