Branko Mikić authored
~ Warnings, errors and about are now printed to stderr instead of stdout to keep the rules files clean.
~ Dry-run added via argument -d which will print all iptables commands instead of executing them.
~ RESET function can now reset the firewall with an optional default policy argument like ACCEPT, DROP and REJECT.
~ ALLOW_DHCP_CLIENT function and its rules were completely revised. Since the new code can handle client and server modes the function has been renamed to ALLOW_DHCP. DHCP is hard to track in the filter chains, therefore it's now handled in the mangle table, marking packets on interfaces configured by the ALLOW_DHCP function. The marked packets are then finally accepted in the filter chains. Further, it allows implicit IPv6 link local addresses for the DHCP ports only. If you want full link local access you still need the ALLOW_LINK_LOCAL function.
~ The REMOVE_RULES function has been renamed to REMOVE.
~ NEW! Now the log facility used can be selected with the LOG and NFLOG argument. Be aware that log modes can't be mixed when additional parts of the ruleset are executed at a later time.
~ setupEnv() function removed and its code now resides in the main code. It's only used once.
~ getLinkID() function revised to avoid fails under strange bash conditions.
~ obtainNetPrefix() reimplemented. The old version had different problems. Some minor bash errors fixed which could occur in different scenarios.
~ NEW! probeChains() can now handle chains from different tables when the first argument starts with -t TABLENAME, followed by the chain names to probe.
~ Limiter chain revised into two stages. The first is the usual rate limiting, e.g. for people bashing on the ssh port. The second stage is triggered when there are IP addresses intensifying attacks, which now get blocked for longer periods.
~ BLOCK chain removed and block rules placed directly into the corresponding chains.
~ LOCAL chain heavily revised and is now the main chain for internal interfaces.
~ ALLOW_SERVICE_DISCOVERY is still available but considered obsolete. It was too tedious to handle any multicast traffic like mDNS, LLMNR, etc.
~ NEW! It has been replaced by ALLOW_MULTICAST_ADDRS which uses the 'addrtype' feature. Without any optional ports argument it allows any multicast traffic, but to achieve the same behavior as ALLOW_SERVICE_DISCOVERY it's possible to give a list of port arguments.
~ NEW! ALLOW_STATEFUL_PACKETS added to allow fine grained control of the stateful firewall mechanism: allow NEW packets out and only RELATED, ESTABLISHED packets in. Instead of allowing this for any interface this chain can be set for an interface explicitly, which is very useful when you have multiple WAN interfaces.
~ ALLOW_LINK_LOCAL revised to limit link local traffic only on the interface it has been configured for. This is similar to the behavior before, but now the addrtype is additionally checked, which ensures that the interface the link local traffic is going through is a routeable address on an interface of the host.
~ Simple LIST function added. Same as 'iptables --line-numbers -nvL'.
~ Some error conditions were replaced by warnings and aren't stopping execution anymore, especially when it's desired to place rules for interfaces which aren't available at the time the rule is invoked. There may be some functions like ALLOW_SUBNETS or FORWARD_SUBNET which read IP addresses from the interfaces and therefore can only be used when the interface is already active, but this may change in the future.
fab0e69a
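The commit describes three mechanisms without showing their rules: a dry-run switch that prints iptables commands instead of running them, diagnostics sent to stderr so that stdout stays a clean rules file, and a two-stage limiter chain that rate-limits first and blocks persistent offenders for longer. The script below is an added example written for this page, not the project's own code; the chain and list names (LIMITER, RATE, STRIKES, BANNED), the thresholds, the `ipt`/`warn`/`build_limiter` names and the use of the iptables `recent` match are all my own choices.

```shell
#!/bin/sh
# Added example (not the project's code): a two-stage limiter chain built with
# the iptables 'recent' match, with a dry-run switch (-d) that prints each
# iptables command to stdout instead of executing it, and warnings on stderr.
# Names and thresholds are assumptions made for this illustration.

DRY_RUN=0          # 1 (or pass -d) prints commands instead of running them
BURST=4            # stage 1: the 4th new connection within WINDOW seconds is dropped
WINDOW=60
STRIKES=3          # stage 2: 3 stage-1 trips within STRIKE_WINDOW seconds bans the address
STRIKE_WINDOW=600
BAN=3600           # a banned address stays dropped until it has been quiet for BAN seconds

# Diagnostics never touch stdout, so "script -d 22 > rules.sh" stays clean.
warn() { printf 'warning: %s\n' "$*" >&2; }

# Run an iptables command, or print it verbatim in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_limiter PORT: create the LIMITER chain and send NEW TCP connections
# to PORT through it.  Returns 1 (with a warning) when no port is given.
build_limiter() {
    port=$1
    if [ -z "$port" ]; then
        warn "build_limiter: no port given, nothing done"
        return 1
    fi
    ipt -N LIMITER
    # Stage 2 result: an address on the BANNED list is dropped; --update refreshes
    # its timestamp, so the ban lasts until BAN seconds pass without a hit.
    ipt -A LIMITER -m recent --name BANNED --update --seconds "$BAN" -j DROP
    # Stage 2 trigger: STRIKES stage-1 trips within STRIKE_WINDOW seconds put the
    # address on the BANNED list.  Matches are evaluated left to right, so the
    # BANNED --set runs only when the STRIKES hitcount matched.
    ipt -A LIMITER -m recent --name STRIKES --update --seconds "$STRIKE_WINDOW" --hitcount "$STRIKES" \
        -m recent --name BANNED --set -j DROP
    # Stage 1: record every new connection, then drop once the address has made
    # BURST of them within WINDOW seconds, recording that as one strike.
    ipt -A LIMITER -m recent --name RATE --set
    ipt -A LIMITER -m recent --name RATE --update --seconds "$WINDOW" --hitcount "$BURST" \
        -m recent --name STRIKES --set -j DROP
    # Under both limits: accept.
    ipt -A LIMITER -j ACCEPT
    # Only the first packet of a connection needs to pass through the limiter.
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j LIMITER
}

# Usage: sh limiter.sh [-d] PORT
if [ "$1" = -d ]; then
    DRY_RUN=1
    shift
fi
if [ $# -gt 0 ]; then
    build_limiter "$1"
fi
```

Running it as `sh limiter.sh -d 22 > rules.sh` writes the seven iptables commands to the file while any warning still reaches the terminal, which is the point of keeping diagnostics on stderr. The `recent` match keeps at most 20 timestamps per address by default, so the hitcount thresholds above stay within that limit; raising them requires the module's `ip_pkt_list_tot` parameter.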