Commit 9498bb11 authored by Branko Mikić

~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suited for grep'ing.

~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with its POSTROUTING_MASQUERADE rule entries in one step.
~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.
parent 3eb05a9f
......@@ -320,6 +320,60 @@ Attention!
.br
It's not sufficient for a link to have just ALLOW_DHCP_CLIENT set as this allows DHCP client requests (on that interface) only. When the interface has acquired an IP address from it's DHCP server an ALLOW_SUBNET call is additionally necessary to allow traffic passing otherwise the interface is just allowed to retrieve an IP address but not using it.
.SS REMOVE_RULES \fR"ID matching string"
For a dynamic approach altering rules on the fly (eg. in (pre-|post)-up|down events this call removes any rule matching the given ID string in it's comment in \fIany\fR chain found (even in the nat table!). It may be possible that on such an operation some chains are left orphaned (with no rule referencing them anymore). To keep the rules table clean these chains are deallocated (removed) from the rules table completely.
.P
eg: REMOVE_RULES "ALLOW_SUBNETS on 0x0700a721a8d7"
A protected IPv4 subnet has been forwarded and masqueraded on the eth1 interface in it's post-up event:
.RS 2
./ipturntables.sh -4 FORWARD_SUBNET_PROTECTIVE 10.10.10.0/24 eth2 \\
POSTROUTING_MASQUERADE 10.10.10.0/24 eth2
.RE
.P
This created three rules in two chains
.P
.RS 2
Chain FORWARD (policy DROP 5 packets, 606 bytes)
pkts bytes target prot opt in out source destination
... ... 0A0A0A0018-eth1-eth2 ... ... ... /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
... ... 0A0A0A0018-eth2-eth1 ... ... ... /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
Chain 0A02010018-eth0-eth2 (1 references)
pkts bytes target prot opt in out source destination
[...]
Chain 0A02010018-eth2-eth0 (1 references)
pkts bytes target prot opt in out source destination
[...]
Chain POSTROUTING (policy ACCEPT 230 packets, 14589 bytes)
pkts bytes target prot opt in out source destination
... ... MASQUERADE ... ... ... ... ... /* \fBPOSTROUTING_MASQUERADE eth1_0A0A0A0018_eth2\fR */
.RE
.P
By selecting the approriate part of the ID string the deletion scope can be managed. For only deleting the forwarding rules along with it's target chains the whole ID string is passed:
.RS 2
./ipturntables.sh -4 REMOVE_RULES "\fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR"
.RE
.P
Same goes for for removing only the masquerade rule:
.RS 2
./ipturntables.sh -4 REMOVE_RULES "\fBPOSTROUTING_MASQUERADE eth1_0A0A0A0018_eth2\fR"
.RE
.P
By narrowing the ID string all three rules and it's corresponding chains can be deleted at once:
.RS 2
./ipturntables.sh -4 REMOVE_RULES "\fBeth1_0A0A0A0018_eth2\fR"
Attention!
.br
IDs in comments created by ipturntables script are unique. However be sure to avoid narrowing the matching ID string too much otherwise rules could be deleted unintentionally!
.SH EXAMPLES
Here's an example of an ipturntables output:
.RS 2
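Review bot: the worked listing in the REMOVE_RULES section does not match the command it illustrates. The FORWARD rules jump to `0A0A0A0018-eth1-eth2` and `0A0A0A0018-eth2-eth1`, but the chain headers that follow read `Chain 0A02010018-eth0-eth2` and `Chain 0A02010018-eth2-eth0`, i.e. a different subnet (10.2.1.0/24) and a different device; for 10.10.10.0/24 on eth1/eth2 the headers should be `Chain 0A0A0A0018-eth1-eth2 (1 references)` and `Chain 0A0A0A0018-eth2-eth1 (1 references)`. Since this example is what readers will copy when deciding how far to narrow the ID string, the chain names need to line up with the comment IDs. Two smaller points in the same hunk: the `.RS 2` that indents the `REMOVE_RULES "eth1_0A0A0A0018_eth2"` example is never closed with `.RE`, so the "Attention!" warning and the following `.SH EXAMPLES` text render indented; and a few typos ("approriate", "Same goes for for", "it's" used for the possessive throughout) should be fixed while touching the page.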
......@@ -315,7 +315,7 @@ obtainRuleIndices()
deleteRules()
{
local i; local ia;
local sz;
local sz; local tgt;
if [[ $1 =~ -t ]]; then
[ -z $2 ] && error 70 "deleteRules() expects a tablename after optional -t argument."
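Review bot: `local sz; local tgt;` introduces `tgt` but nothing in the visible change of deleteRules() assigns or reads it; if it was meant to carry the target chain of each deleted rule for the later orphan cleanup, the use is missing, otherwise the declaration should be dropped. While here, `[ -z $2 ]` should be `[ -z "$2" ]`, since an unquoted empty `$2` makes the test succeed for the wrong reason and a table name with spaces would break it.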
......@@ -323,12 +323,11 @@ deleteRules()
shift; shift;
fi
# putting it in brackets returns it as an array
ia=($(obtainRuleIndices $sz $1 "$2"))
for (( i=${#ia[@]}-1; i>=0; i-- )); do
# delete rule
$IPTABLES $sz -D $1 ${ia[$i]}
done
}
###
......@@ -366,8 +365,7 @@ allocChain()
}
###
### $1: Desired name of chain to alloc
### (only for user-defined chains!)
### $1: Desired name of chain to dealloc (only for user-defined chains!)
###
deallocChain()
{
......@@ -788,10 +786,9 @@ formatSubnetAsHexID() {
(( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)"
printf "# forwarding protectively %s (%s) to %s.%s\n" $1 $DEV $2 $sz
ID="FORWARD_SUBNET_PROTECTIVE $1 among $DEV and $2"
ID=$(printf "FORWARD_SUBNET_PROTECTIVE %s_%s_%s" $DEV $(formatSubnetAsHexID "$1") $2)
deleteRules FORWARD "$ID"
CHAIN=$(printf "%s-%s-%s" $(formatSubnetAsHexID "$1") $2 $DEV)
allocChain $CHAIN
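Review bot: the ID format change breaks the idempotency that `deleteRules FORWARD "$ID"` on the next line relies on. Rules installed by the previous version carry the old comment `FORWARD_SUBNET_PROTECTIVE $1 among $DEV and $2`, which the new `FORWARD_SUBNET_PROTECTIVE %s_%s_%s` string no longer matches, so a re-run after upgrading leaves the old rule pair in FORWARD next to the new one instead of replacing it. Either delete the old-format ID once as well (`deleteRules FORWARD "FORWARD_SUBNET_PROTECTIVE $1 among $DEV and $2"`) or state in the man page that existing rules must be flushed before the first run of this version. Also note that `$(formatSubnetAsHexID "$1")` is substituted unquoted into the printf arguments; if it ever returns an empty string the remaining arguments shift and the ID silently becomes `FORWARD_SUBNET_PROTECTIVE eth1_eth2_`.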
......@@ -858,7 +855,7 @@ formatSubnetAsHexID() {
(( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)"
printf "# masquerading %s when leaving through %s.%s\n" $1 $2 $sz
ID="MASQUERADE $1 to $(getLinkID $2)"
ID=$(printf "POSTROUTING_MASQUERADE %s_%s_%s" $(obtainLinkFromSubnetPrefix $1) $(formatSubnetAsHexID "$1") $2)
deleteRules -t nat POSTROUTING "$ID"
$IPTABLES -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE -m comment --comment "$ID"
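Review bot: `$(obtainLinkFromSubnetPrefix $1)` is used unquoted and unchecked in the new ID. The warning two lines above already covers the case where `$2` is "currently not available", but if the subnet is not (yet) associated with a link and this lookup returns nothing, printf's arguments shift and the comment degenerates to `POSTROUTING_MASQUERADE <hex>_<dev>_`, which neither `deleteRules -t nat POSTROUTING "$ID"` on a later re-run nor a REMOVE_RULES call with the documented `INPUTDEV_SUBNET_OUTPUTDEV` form will match; capture the result in a variable and bail out with `error` when it is empty. The same migration caveat as for FORWARD_SUBNET_PROTECTIVE applies: rules with the old `MASQUERADE $1 to ...` comment are no longer removed before the new rule is appended.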
......@@ -878,18 +875,44 @@ formatSubnetAsHexID() {
shift;
;;
REMOVE)
#TODO: remove a set of rules by pattern matching the ID in the comment
;;
REMOVE_RULES)
#TODO: REMOVE_RULES should also be able to delete rules by a link name
printf "# Removing rules containing '$1' in:"
for sz in $($IPTABLES -nvL | grep -o -P "(?<=Chain\s)\S+"); do
$IPTABLES -nvL $sz | grep "$1" 1>/dev/nul 2>/dev/nul
if (( $? == 0 )); then
printf " $sz"
deleteRules $sz "$1"
fi
done
for sz in $($IPTABLES -t nat -nvL | grep -o -P "(?<=Chain\s)\S+"); do
$IPTABLES -t nat -nvL $sz | grep "$1" 1>/dev/nul 2>/dev/nul
if (( $? == 0 )); then
printf " $sz"
deleteRules -t nat $sz "$1"
fi
done
echo " ... done"
EXAMPLE_MARK_PACKET)
# mark a packet with a value of 1
#$IPTABLES -A INPUT -m state --state INVALID -j MARK --set-mark 1
printf "# Deallocating orphaned chains:"
for sz in $($IPTABLES -nvL | grep -o -P "(?<=Chain\s)\S+(?=\s\(0 ref)"); do
printf " $sz"
deallocChain $sz
done
echo " ... done"
# packet is marked with our value?
#$IPTABLES -A INPUT -m mark --mark 0x1 -j BLOCK
unset sz;
shift;
;;
# MARK_PACKET)
# # mark a packet with a value of 1
# $IPTABLES -A INPUT -m state --state INVALID -j MARK --set-mark 1
#
# # packet is marked with our value?
# $IPTABLES -A INPUT -m mark --mark 0x1 -j BLOCK
# ;;
*)
echo "(ERROR) >> Unknown argument: '$arg'"
printAbout
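Review bot: the two redirections `1>/dev/nul 2>/dev/nul` in the REMOVE_RULES loops are a typo for `/dev/null`; since the script runs as root and /dev is writable, the first run creates a regular file `/dev/nul` and every subsequent grep appends its matches to it rather than discarding them. `grep -q "$1"` does the job without any redirection. Second, the match itself is broader than the man page promises: `grep "$1"` is an unanchored basic regex applied to the whole `-nvL` line, not to the comment, so a narrowed ID such as `eth1` also hits rules whose in/out column happens to be eth1 but which carry no ipturntables ID at all, and a `.` in the pattern matches any character; use `grep -F` and restrict the match to the `/* ... */` comment field (e.g. `grep -F -- "/* " | grep -F -- "$1"` or a single `grep -E` with the delimiters escaped) so that only the IDs this script wrote can select a rule for deletion. Third, the orphan sweep at the end only lists `$IPTABLES -nvL`, i.e. the filter table, while the deletion pass above also walks `-t nat`; chains in nat that end up with zero references are left behind, contradicting "Any possible orphaned chain is deallocated" in the commit message. Lastly, the `(?=\s\(0 ref)` lookahead deallocates every zero-reference user chain in the filter table, including ones that were unreferenced before this call and unrelated to `$1`; if that is intended it should be documented, otherwise restrict the sweep to the target chains of the rules actually deleted (which is presumably what the unused `tgt` in deleteRules() was for).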