Commit 3eb05a9f authored by Branko Mikić's avatar Branko Mikić

~ getLinkID() implemented which extends getLinkMAC() function. In case of...

~ getLinkID() implemented which extends getLinkMAC() function. In case of virtual network interfaces no appropriate ID was returned. getLinkID() returns a hash of the interface name instead of an empty MAC identifier when no MAC address is available. Further, the MAC address is now obtained from the /sys/class/net/* path instead of calling ip command plus expensive grep'ing.
~ getLinkMac() was revised to just return the MAC address. Additionally it provides a return code for successful retrieval of a MAC address.
~ The ALLOW_DHCPV6_CLIENT call was revised to handle IPv4 protocol too and has been renamed to ALLOW_DHCP_CLIENT accordingly.
parent bc4af073
...@@ -308,12 +308,17 @@ FORWARD_SUBNET_PROTECTIVE to allow a subnet to reach the outgoing WAN link ...@@ -308,12 +308,17 @@ FORWARD_SUBNET_PROTECTIVE to allow a subnet to reach the outgoing WAN link
or FORWARD_SUBNET when subnets should be masqueraded internally which is or FORWARD_SUBNET when subnets should be masqueraded internally which is
an unusual setup but nevertheless possible. an unusual setup but nevertheless possible.
.SS ALLOW_DHCPV6_CLIENT \fRlink .SS ALLOW_DHCP_CLIENT \fRlink
Some providers may use dynamically created net prefixes for IPv6 on the WAN link. In order to get router & neighbour solicication
working this rule allows the router himself to obtain a dhcp lease from a provider via link local only. This call works only with Allows a DHCP client request (Ports 67, 68 (IPv4) & 546, 547 (IPv6)) to pass on the desired link only. Is some cases this is necessary before calling ALLOW_SUBNET as that would require a fully configured IP address.
the IPv6 protocol (\'\-6\' argument set) otherwise execution is aborted. Another scenario is that providers may use dynamically created net prefixes for IPv6 on the WAN link. In order to get router & neighbour solicication working this rule allows the router himself to obtain a dhcp lease from a provider via link local only before the interface has acquired an IP address.
.P
eg: ALLOW_DHCP_CLIENT ppp0
.P .P
eg: ALLOW_DHCPV6_CLIENT ppp0 .RS 2
Attention!
.br
It's not sufficient for a link to have just ALLOW_DHCP_CLIENT set as this allows DHCP client requests (on that interface) only. When the interface has acquired an IP address from it's DHCP server an ALLOW_SUBNET call is additionally necessary to allow traffic passing otherwise the interface is just allowed to retrieve an IP address but not using it.
.SH EXAMPLES .SH EXAMPLES
Here's an example of an ipturntables output: Here's an example of an ipturntables output:
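Review bot: the new ALLOW_DHCP_CLIENT paragraphs in this man-page hunk carry several typos that will ship in the rendered page: "solicication" should be "solicitation", "Is some cases" should be "In some cases", "it's DHCP server" should be "its DHCP server", and "the router himself" reads better as "the router itself". The "Attention!" note is the most important part of the section (a link with only ALLOW_DHCP_CLIENT can obtain a lease but pass no other traffic), so consider splitting its long last sentence in two, e.g. "... an ALLOW_SUBNET call is additionally necessary to allow traffic to pass. Otherwise the interface is only allowed to retrieve an IP address, not to use it."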
...@@ -137,7 +137,7 @@ checkLink() ...@@ -137,7 +137,7 @@ checkLink()
{ {
local sz; local i; local sz; local i;
(( ${#@} == 0 )) && error 1102 "checkDevice(): device or device list argument is mandatory." (( ${#@} == 0 )) && error 1202 "checkDevice(): device or device list argument is mandatory."
(( i=0 )) (( i=0 ))
for sz in $@; do for sz in $@; do
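Review bot: the changed line renumbers the error to 1202 but the message still reads "checkDevice():" although the function shown in the hunk header is checkLink(); since the line is being touched anyway, fix the name, e.g. error 1202 "checkLink(): device or device list argument is mandatory.". The unquoted $@ in the for loop on the following context line also deserves a look; "$@" keeps each argument intact.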
...@@ -150,11 +150,40 @@ checkLink() ...@@ -150,11 +150,40 @@ checkLink()
### ###
### $1: A network device (eg: eth0 or eth1, ...) ### $1: A network device (eg: eth0 or eth1, ...)
### ###
### Returns an unique hex ID derived from the MAC address.
### Virtual network devices return a special hash value since
### they usally don't have a MAC address.
###
getLinkID()
{
local i;
[ -z "$1" ] && error 1203 "getLinkID(): device argument is mandatory."
if [ $(cat /sys/class/net/$1/addr_len) -gt 0 ]; then
printf "0x%s" $(cat /sys/class/net/$1/address | sed "s/://g")
else
printf "0x"
for (( i=0; i<${#1}; i++ )); do
printf '%02X' "'${1:$i:1}"
done
fi
}
###
### $1: A network device (eg: eth0 or eth1, ...)
###
### Returns the MAC address of the desired network interface
###
getLinkMAC() getLinkMAC()
{ {
[ -z "$1" ] && error 1102 "getLinkMAC(): device argument is mandatory." [ -z "$1" ] && error 1204 "getLinkMAC(): device argument is mandatory."
# printf "%s" $($IP link show $1 | grep -o -P "(?<=link/ether ).*(?=\sbrd)")
printf "%s" $(cat /sys/class/net/$1/address)
printf "0x%s" $($IP link show $1 | grep -o -P "(?<=link/ether ).*(?=\sbrd)" | sed "s/://g") # tricky! regardless wether it's true or false >> just return the return code
[ $(cat /sys/class/net/eth2/addr_len) -gt 0 ] ; return $?
} }
### ###
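Review bot: getLinkMAC() has a hard-coded device in its new return-code check, [ $(cat /sys/class/net/eth2/addr_len) -gt 0 ] ; return $?, so the function reports success or failure for eth2 no matter which interface was passed; this must be $1. In getLinkID(), cat /sys/class/net/$1/addr_len on a device that does not (yet) exist prints an error to the terminal and leaves the test as [ -gt 0 ], which fails with "integer expression expected"; since callers such as ALLOW_DHCP_CLIENT only warn when checkLink fails and then still call getLinkID, guard the read, e.g. [ "$(cat /sys/class/net/$1/addr_len 2>/dev/null || echo 0)" -gt 0 ]. Note too that addr_len greater than zero does not guarantee a colon-separated MAC: tunnel devices with 4-byte addresses report them in dotted form, which the sed "s/://g" leaves untouched. Smaller points: the header comment calls the virtual-device ID a "hash", but the loop emits the hex encoding of the interface name (reversible, which is actually fine for rule comments, so say so); "usally" should be "usually" and "wether" should be "whether"; and the old ip/grep line can be dropped rather than left commented out.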
...@@ -601,6 +630,28 @@ formatSubnetAsHexID() { ...@@ -601,6 +630,28 @@ formatSubnetAsHexID() {
;; ;;
ALLOW_DHCP_CLIENT)
sz=""
checkLink $1
(( $? != 0 )) && sz=" (WARNING! '$1' is currently not available. Maybe invoked later?)"
printf "# allowing DHCP (IPv%s) client requests on '%s'.%s\n" $ENVID $1 "$sz"
ID="ALLOW_DHCP_CLIENT on $(getLinkID $1)"
deleteRules USER-IN "$ID"
if [ $ENVID -eq 4 ]; then
$IPTABLES -A USER-IN -p udp -m udp -i $1 -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT -m comment --comment "$ID"
$IPTABLES -A USER-IN -p udp -m udp -i $1 --sport 67 --dport 68 -j ACCEPT -m comment --comment "$ID"
fi
if [ $ENVID -eq 6 ]; then
$IPTABLES -A USER-IN -p udp -m udp -i $1 -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT -m comment --comment "$ID"
fi
shift
unset ID;
;;
ALLOW_SUBNETS) ALLOW_SUBNETS)
checkLink $1 checkLink $1
(( $? != 0 )) && error 41 "ALLOW_SUBNETS expects a network device argument (eg: eth0)" (( $? != 0 )) && error 41 "ALLOW_SUBNETS expects a network device argument (eg: eth0)"
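Review bot: the first IPv4 rule, -i $1 -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67, matches DHCP DISCOVER/REQUEST broadcasts arriving on the link, i.e. the traffic a DHCP server receives from other clients, not the replies the router itself needs as a client; if USER-IN is an input-side chain, only the second rule (--sport 67 --dport 68) is required and the first one opens the server port on the WAN link for nothing. If USER-IN is also traversed for the router's own outgoing packets, please say so in a comment, because as written the intent is not visible. Unlike ALLOW_SUBNETS directly below, this case does not call probeChains USER-IN before appending, so a missing base rule set surfaces as a raw iptables error instead of error 42; and when checkLink fails the code only warns and then still runs the iptables commands and getLinkID against the absent device.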
...@@ -608,7 +659,7 @@ formatSubnetAsHexID() { ...@@ -608,7 +659,7 @@ formatSubnetAsHexID() {
probeChains USER-IN USER-OUT probeChains USER-IN USER-OUT
(( $? != 0 )) && error 42 "The 'USER-IN' or 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first." (( $? != 0 )) && error 42 "The 'USER-IN' or 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
ID="ALLOW_SUBNETS on $(getLinkMAC $1)" ID="ALLOW_SUBNETS on $(getLinkID $1)"
deleteRules USER-IN "$ID" deleteRules USER-IN "$ID"
deleteRules USER-OUT "$ID" deleteRules USER-OUT "$ID"
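Review bot: switching the ID string from getLinkMAC to getLinkID keeps the comment identical for devices with a MAC (both produce 0x plus the colon-stripped address), so existing rules on physical links are still found by deleteRules. For virtual devices, however, the old code tagged rules with the empty identifier "... on 0x" and the new code tags them with the hex-encoded name, so an upgrade re-adds rules without removing the old ones; this applies to every getLinkMAC -> getLinkID hunk below as well. Either mention in the commit message that a fresh BASE_RULE_SET is needed after upgrading, or have deleteRules also match the legacy "on 0x" suffix once.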
...@@ -654,7 +705,7 @@ formatSubnetAsHexID() { ...@@ -654,7 +705,7 @@ formatSubnetAsHexID() {
probeChains USER-IN USER-OUT probeChains USER-IN USER-OUT
(( $? != 0 )) && error 42 "The 'USER-IN' or 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first." (( $? != 0 )) && error 42 "The 'USER-IN' or 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
ID="ALLOW_LINK_LOCAL on $(getLinkMAC $1)" ID="ALLOW_LINK_LOCAL on $(getLinkID $1)"
deleteRules USER-IN "$ID" deleteRules USER-IN "$ID"
deleteRules USER-OUT "$ID" deleteRules USER-OUT "$ID"
...@@ -679,7 +730,7 @@ formatSubnetAsHexID() { ...@@ -679,7 +730,7 @@ formatSubnetAsHexID() {
printf "# allowing service discovery on %s link.\n" $1 printf "# allowing service discovery on %s link.\n" $1
ID="ALLOW_SERVICE_DISCOVERY on $(getLinkMAC $1)" ID="ALLOW_SERVICE_DISCOVERY on $(getLinkID $1)"
deleteRules USER-IN "$ID" deleteRules USER-IN "$ID"
if [ $ENVID -eq 4 ]; then if [ $ENVID -eq 4 ]; then
...@@ -709,7 +760,7 @@ formatSubnetAsHexID() { ...@@ -709,7 +760,7 @@ formatSubnetAsHexID() {
printf "# forwarding %s (%s) to %s.\n" $1 $sz $2 printf "# forwarding %s (%s) to %s.\n" $1 $sz $2
ID="FORWARD_SUBNET $1 on $(getLinkMAC $sz) to $2" ID="FORWARD_SUBNET $1 on $(getLinkID $sz) to $2"
deleteRules FORWARD "$ID" deleteRules FORWARD "$ID"
$IPTABLES -A FORWARD -i $sz -o $2 -s $1 -j ACCEPT -m comment --comment "$ID" $IPTABLES -A FORWARD -i $sz -o $2 -s $1 -j ACCEPT -m comment --comment "$ID"
...@@ -807,7 +858,7 @@ formatSubnetAsHexID() { ...@@ -807,7 +858,7 @@ formatSubnetAsHexID() {
(( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)" (( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)"
printf "# masquerading %s when leaving through %s.%s\n" $1 $2 $sz printf "# masquerading %s when leaving through %s.%s\n" $1 $2 $sz
ID="MASQUERADE $1 to $(getLinkMAC $2)" ID="MASQUERADE $1 to $(getLinkID $2)"
deleteRules -t nat POSTROUTING "$ID" deleteRules -t nat POSTROUTING "$ID"
$IPTABLES -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE -m comment --comment "$ID" $IPTABLES -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE -m comment --comment "$ID"
...@@ -816,23 +867,6 @@ formatSubnetAsHexID() { ...@@ -816,23 +867,6 @@ formatSubnetAsHexID() {
unset ID; unset ID;
;; ;;
ALLOW_DHCPV6_CLIENT)
[ $ENVID -ne 6 ] && error 25 "Allowing DHCPv6 client requests is only useful for IPv6!"
sz=""
checkLink $1
(( $? != 0 )) && sz=" (WARNING! '$1' is currently not available. Maybe invoked later?)"
printf "# allowing DHCPv6 client requests on '%s'.%s\n" $1 "$sz"
ID="ALLOW_DHCPV6_CLIENT on $(getLinkMAC $1)"
deleteRules USER-IN "$ID"
$IPTABLES -A USER-IN -p udp -m udp -i $1 -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT -m comment --comment "$ID"
shift
unset ID;
;;
DEBUG_CHAIN) DEBUG_CHAIN)
$IPTABLES -nvL $1 1>/dev/nul 2>/dev/nul $IPTABLES -nvL $1 1>/dev/nul 2>/dev/nul
(( $? != 0 )) && error 83 "DEBUG_CHAIN expects a chain name argument. A chain called '$1' was not found." (( $? != 0 )) && error 83 "DEBUG_CHAIN expects a chain name argument. A chain called '$1' was not found."
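Review bot: the ALLOW_DHCPV6_CLIENT case is removed outright without a compatibility alias, so an existing rule file that still uses the old keyword falls through to whatever the case statement's default branch does, and its -6-only guard (error 25) disappears with it; a one-line alias, ALLOW_DHCPV6_CLIENT|ALLOW_DHCP_CLIENT), or a deprecation error with a hint to the new name would make the rename safe, and the commit message should say which. On the unchanged DEBUG_CHAIN context line just below, 1>/dev/nul 2>/dev/nul redirects to a file literally named nul in the working directory rather than to /dev/null; worth fixing in a follow-up.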