Commit 2e2bf5a2 authored by Branko Mikić

~ BugFix! In checkIPArgFormat() and obtainNetPrefix() the regex expressions were revised.

~ obtainRuleIndices() didn't force hostnames of iptables output to be numeric only, but they could also be an FQDN entry, which led the regex expression to fail.
~ BugFix! In the FORWARD_SUBNET_PROTECTIVE chain the ID could easily exceed the maximum length when used with IPv6, as such IDs can naturally grow very large if short (::) notation is omitted. Especially when such an ID is used e.g. as a chain name!
Therefore the chain name for forwarded IPv6 subnets now uses 'cksum' instead of the ID returned by formatSubnetAsHexID() function.
The new ID format is now a shorter version to fit them into chain names as well as comment fields of iptables.
~ In the BASE_RULE_SET command, using the ANTI-FLOOD chain on anything regardless of being internal or external traffic wasn't a good idea at all. So the new LOCAL chain now allows internal traffic before ANTI-FLOOD protection is applied, while any external traffic still needs to pass the ANTI-FLOOD and INVALID chains, without creating wild, complex exceptions in the BLOCK chain to distinguish invalid internal traffic from invalid external traffic.
~ By reordering the rules in the BASE_RULE_SET a lot of stuff was simplified so that it is used on both protocols (IPv4|6) in the same manner.
~ EXPERIMENTAL! A new command called 6TO4 was implemented for tunneling IPv6 traffic over IPv4 links. This code is heavily experimental and is not meant to be used in production environments.
~ NEW! ALLOW_PORT (or ALLOW_SERVICE) command implemented. This is a simple version of allowing traffic for specific ports on the router to reach local daemons.
It would be possible to do that manually by adding a rule to the USER-IN chain but this one uses iptables' 'multiport' feature so that one rule can allow multiple ports at once. Anyway ALLOW_PORT can also be used to only allow a single port per rule.
Attention!
There can be reasons to _not_ do that and to implicitly have one rule for allowing one port, especially when the firewall rules are tweaked at runtime and removing all ports at once isn't desired.
~ For IPv6 the filter for RH0 headers was removed (!), as nearly any new kernel version does that on its own even without any netfilter.
~ Outbound traffic on safe ports (e.g. 80,443) is now allowed by default for forwarded subnets only.
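The chain-name length problem described in the FORWARD_SUBNET_PROTECTIVE fix above, as an added example that is not the project's code: a POSIX shell snippet that derives a chain name for a forwarded IPv6 subnet from `cksum` output and checks it against the 28-character iptables chain-name limit. The `FWD6_` prefix and `naive_hex_id()` (a stand-in for the old `formatSubnetAsHexID()` output) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): build a chain name for a forwarded
# IPv6 subnet from 'cksum' output instead of a hex expansion of the address,
# so that it fits the 28-character iptables chain-name limit.

CHAIN_NAME_MAX=28   # iptables refuses chain names longer than this

# Stand-in for the old hex-ID approach: strip ':' and '/' from the subnet.
# With short (::) notation omitted this alone is 35 characters for a /128.
naive_hex_id() {
    printf '%s' "$1" | tr -d ':/'
}

# CRC of the subnet string via POSIX cksum (first field), at most 10 digits.
# Input must be in one canonical notation: "2001:db8::/32" and
# "2001:0db8::/32" are different strings and thus different checksums.
cksum_id() {
    printf '%s' "$1" | cksum | cut -d' ' -f1
}

# Chain name "FWD6_<cksum>" (assumed prefix); fails with exit status 1 if the
# name would exceed the limit instead of letting iptables reject it later.
fwd6_chain_name() {
    name="FWD6_$(cksum_id "$1")"
    [ "${#name}" -le "$CHAIN_NAME_MAX" ] || return 1
    printf '%s' "$name"
}

# Stand-alone demonstration on constructed sample subnets.
hex=$(naive_hex_id '2001:0db8:0000:0000:0000:0000:0000:0001/128')
echo "hex id : $hex (${#hex} chars, limit $CHAIN_NAME_MAX)"
echo "chain  : $(fwd6_chain_name '2001:db8:abcd:1234::/64')"
```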
parent 9ec7202f