Commit 1833d749 authored by Branko Mikić's avatar Branko Mikić

~ BUGFIX! returnRuleCount didn't return the correct rule count. This has been fixed.

~ FORWARD_SUBNET and FORWARD_SUBNET_PROTECTIVE calls are now always inserted at the second last position of the FORWARD chain to avoid interference with FORWARD_MAC_FILTER rules. See documentation for details.
parent 0bc617a4
......@@ -310,7 +310,7 @@ an unusual setup but nevertheless possible.
.SS FORWARD_MAC_FILTER \fRmac address
Filters any traffic with the desired mac address on the FORWARD chain may it be either in- or outbound traffic. This suppresses any routing of the specified host through the router.
Filters any traffic with the desired mac address on the FORWARD chain may it be either in- or outbound traffic. This suppresses any routing of the specified host through the router. To avoid interference with the FORWARD_SUBNET and FORWARD_SUBNET_PROTECTIVE calls FORWARD_MAC_FILTER calls will remain at the top of the FORWARD chain to be executed before any of these forwarder rules even when those are added while some mac filters already exist.
.P
eg: FORWARD_MAC_FILTER 00:de:ea:be:ef:00
.P
......
......@@ -261,8 +261,8 @@ returnRuleCount()
[ -z $1 ] && error 1 "returnRuleCount(): chain argument is mandatory."
sz=$($IPTABLES --line-numbers -vL $1 | grep -P -o "^[0-9]")
return ${#sz}
let sz=$($IPTABLES --line-numbers -L $1 | grep -P -c ^[0-9]+)
return $sz
}
###
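Review bot: `return $sz` on the line after the new `let` can only carry 0–255, so once FORWARD holds 256 or more rules the callers' `n=$?` receives the count modulo 256 and their `-I FORWARD $n` inserts land at the wrong position. Printing the count instead (`echo "$sz"`) and capturing it in the callers with `n=$(returnRuleCount FORWARD)` removes that limit. The listing should also run with `-n`, because without it iptables reverse-resolves every address in the chain and the count then depends on DNS and may stall, and the pattern should be quoted since an unquoted `^[0-9]+` is subject to pathname expansion: `let sz=$($IPTABLES --line-numbers -nL "$1" | grep -c -P '^[0-9]+')`. Note that `let` exits 1 when the result is 0, which would abort the script on an empty chain if it runs under `set -e`.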
......@@ -559,7 +559,7 @@ formatSubnetAsHexID() {
# ~~~ FORWARD (mangle table)
# intercept all the TCP handshakes and correct in-fly the wrong MSS value requested by internal hosts
# intercept all the TCP handshakes and correct on-the-fly the wrong MSS value requested by internal hosts
$IPTABLES -A FORWARD -t mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
......@@ -772,10 +772,15 @@ formatSubnetAsHexID() {
ID="FORWARD_SUBNET $1 on $(getLinkID $sz) to $2"
deleteRules FORWARD "$ID"
$IPTABLES -A FORWARD -i $sz -o $2 -s $1 -j ACCEPT -m comment --comment "$ID"
$IPTABLES -A FORWARD -i $2 -o $sz -d $1 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "$ID"
$IPTABLES -A FORWARD -i $2 -o $sz -d $1 -m state --state NEW -j ACCEPT -m comment --comment "$ID"
# get index position for placing subchains in FORWARD chain
returnRuleCount FORWARD
n=$?
$IPTABLES -I FORWARD $n -i $sz -o $2 -s $1 -j ACCEPT -m comment --comment "$ID"
$IPTABLES -I FORWARD $n -i $2 -o $sz -d $1 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "$ID"
$IPTABLES -I FORWARD $n -i $2 -o $sz -d $1 -m state --state NEW -j ACCEPT -m comment --comment "$ID"
unset n
shift; shift
;;
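Review bot: When FORWARD is still empty, `returnRuleCount FORWARD` yields `n=0` and, as far as I recall, iptables rejects `-I FORWARD 0` as an invalid rule number, so the three inserts on the new lines fail where the replaced `-A` calls succeeded; a guard such as `[ "$n" -lt 1 ] && n=1` before the first `$IPTABLES -I` keeps the empty-chain case working. The same `n=$?` pattern in the FORWARD_SUBNET_PROTECTIVE hunk below, whose `-I FORWARD $n` lines appear in the two following hunks, has the same problem. Inserting three rules at the same index also reverses their relative order compared with the old `-A` sequence; that is harmless while all three jump to ACCEPT, but worth stating in the comment. The comment `# get index position for placing subchains in FORWARD chain` is inaccurate here since these are plain ACCEPT rules rather than subchain jumps; something like `# n = current FORWARD rule count; -I FORWARD $n places each rule before the current last rule (second-to-last), ahead of the one inserted just before it` describes what the code does.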
......@@ -806,6 +811,10 @@ formatSubnetAsHexID() {
# forward to the inside when a related or established connection exists
$IPTABLES -A $CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT
# get index position for placing subchains in FORWARD chain
returnRuleCount FORWARD
n=$?
# allow ICMP requests from the inner
[ $ENVID -eq 4 ] && sz="icmp"
[ $ENVID -eq 6 ] && sz="ipv6-icmp"
......@@ -823,7 +832,7 @@ formatSubnetAsHexID() {
# allow safe ports for inbound traffic
#$IPTABLES -A $CHAIN -p tcp -m tcp -m multiport --sports 80,443 -j ACCEPT
$IPTABLES -I FORWARD -i $2 -o $DEV -d $1 -j $CHAIN -m comment --comment "$ID"
$IPTABLES -I FORWARD $n -i $2 -o $DEV -d $1 -j $CHAIN -m comment --comment "$ID"
CHAIN=$(printf "%s-%s-%s" $(formatSubnetAsHexID "$1") $DEV $2)
......@@ -835,9 +844,9 @@ formatSubnetAsHexID() {
# allow safe ports for outbound traffic
$IPTABLES -A $CHAIN -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
$IPTABLES -I FORWARD -i $DEV -o $2 -s $1 -j $CHAIN -m comment --comment "$ID"
$IPTABLES -I FORWARD $n -i $DEV -o $2 -s $1 -j $CHAIN -m comment --comment "$ID"
unset sz; unset DEV; unset CHAIN
unset sz; unset DEV; unset CHAIN; unset n
shift; shift
;;
......