~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suitable for grep'ing.

~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with it's POSTROUTING_MASQUERADE rule entries in one step. ~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.

~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suitable for grep'ing.
~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with it's POSTROUTING_MASQUERADE rule entries in one step. ~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.
9498bb11 · Branko Mikić · 3eb05a9f · 9498bb11 · 9498bb11
Commit 9498bb11 authored Mar 24, 2016 by Branko Mikić
--- a/ipturntables.8
+++ b/ipturntables.8
@@ -320,6 +320,60 @@ Attention!
 .br
 It's not sufficient for a link to have just ALLOW_DHCP_CLIENT set as this allows DHCP client requests (on that interface) only. When the interface has acquired an IP address from it's DHCP server an ALLOW_SUBNET call is additionally necessary to allow traffic passing otherwise the interface is just allowed to retrieve an IP address but not using it.
+.SS REMOVE_RULES \fR"ID matching string"
+For a dynamic approach altering rules on the fly (eg. in (pre-|post)-up|down events this call removes any rule matching the given ID string in it's comment in \fIany\fR chain found (even in the nat table!). It may be possible that on such an operation some chains are left orphaned (with no rule referencing them anymore). To keep the rules table clean these chains are deallocated (removed) from the rules table completely.
+.P
+eg: REMOVE_RULES "ALLOW_SUBNETS on 0x0700a721a8d7"
+A protected IPv4 subnet has been forwarded and masqueraded on the eth1 interface in it's post-up event:
+.RS 2
+ ./ipturntables.sh -4 FORWARD_SUBNET_PROTECTIVE 10.10.10.0/24 eth2 \\
+                      POSTROUTING_MASQUERADE 10.10.10.0/24 eth2
+.RE
+.P
+This created three rules in two chains
+.P
+.RS 2
+Chain FORWARD (policy DROP 5 packets, 606 bytes)
+ pkts bytes target     prot opt in     out     source       destination         
+ ...   ...  0A0A0A0018-eth1-eth2       ...      ...          ...       /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
+ ...   ...  0A0A0A0018-eth2-eth1       ...      ...          ...       /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
+Chain 0A02010018-eth0-eth2 (1 references)
+ pkts bytes target     prot opt in     out     source       destination         
+ [...]
+Chain 0A02010018-eth2-eth0 (1 references)
+ pkts bytes target     prot opt in     out     source       destination         
+ [...]
+Chain POSTROUTING (policy ACCEPT 230 packets, 14589 bytes)
+ pkts bytes target     prot opt in     out     source       destination         
+ ...   ...  MASQUERADE  ... ...        ...      ...          ...       /* \fBPOSTROUTING_MASQUERADE eth1_0A0A0A0018_eth2\fR */
+.RE
+.P
+By selecting the approriate part of the ID string the deletion scope can be managed. For only deleting the forwarding rules along with it's target chains the whole ID string is passed:
+.RS 2
+ ./ipturntables.sh -4 REMOVE_RULES "\fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR"
+.RE
+.P
+Same goes for for removing only the masquerade rule:
+.RS 2
+ ./ipturntables.sh -4 REMOVE_RULES "\fBPOSTROUTING_MASQUERADE eth1_0A0A0A0018_eth2\fR"
+.RE
+.P
+By narrowing the ID string all three rules and it's corresponding chains can be deleted at once:
+.RS 2
+ ./ipturntables.sh -4 REMOVE_RULES "\fBeth1_0A0A0A0018_eth2\fR"
+Attention!
+.br
+IDs in comments created by ipturntables script are unique. However be sure to avoid narrowing the matching ID string too much otherwise rules could be deleted unintentionally!
 .SH EXAMPLES
 Here's an example of an ipturntables output:
 .RS 2

--- a/ipturntables.sh
+++ b/ipturntables.sh
@@ -315,7 +315,7 @@ obtainRuleIndices()
 deleteRules()
 {
 local i; local ia;
- local sz;
+ local sz; local tgt;
 	if [[ $1 =~ -t ]]; then
 		[ -z $2 ] && error 70 "deleteRules() expects a tablename after optional -t argument."
@@ -323,12 +323,11 @@ deleteRules()
 		shift; shift;
 	fi
 		# putting it in brackets returns it as an array
 	ia=($(obtainRuleIndices $sz $1 "$2"))
 	for (( i=${#ia[@]}-1; i>=0; i-- )); do
+			# delete rule
 		$IPTABLES $sz -D $1 ${ia[$i]}
 	done
 }
 ###
@@ -366,8 +365,7 @@ allocChain()
 }
 ###
-### $1: Desired name of chain to alloc
+### $1: Desired name of chain to dealloc (only for user-defined chains!)
-###     (only for user-defined chains!)
 ###
 deallocChain()
 {
@@ -788,10 +786,9 @@ formatSubnetAsHexID() {
 				(( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)" 
 				printf "# forwarding protectively %s (%s) to %s.%s\n" $1 $DEV $2 $sz
-				ID="FORWARD_SUBNET_PROTECTIVE $1 among $DEV and $2"
+				ID=$(printf "FORWARD_SUBNET_PROTECTIVE %s_%s_%s" $DEV $(formatSubnetAsHexID "$1") $2)
 				deleteRules FORWARD "$ID"
 				CHAIN=$(printf "%s-%s-%s" $(formatSubnetAsHexID "$1") $2 $DEV)
 				allocChain $CHAIN
@@ -858,7 +855,7 @@ formatSubnetAsHexID() {
 				(( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)" 
 				printf "# masquerading %s when leaving through %s.%s\n" $1 $2 $sz
-				ID="MASQUERADE $1 to $(getLinkID $2)"
+				ID=$(printf "POSTROUTING_MASQUERADE %s_%s_%s" $(obtainLinkFromSubnetPrefix $1) $(formatSubnetAsHexID "$1") $2)
 				deleteRules -t nat POSTROUTING "$ID"
 				$IPTABLES -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE -m comment --comment "$ID"
@@ -878,18 +875,44 @@ formatSubnetAsHexID() {
 				shift;
 				;;
-			REMOVE)
+			REMOVE_RULES)
-				#TODO: remove a set of rules by pattern matching the ID in the comment
+	#TODO: REMOVE_RULES should also be able to delete rules by a link name
-				;;
+				printf "# Removing rules containing '$1' in:"
+				for sz in $($IPTABLES -nvL | grep -o -P "(?<=Chain\s)\S+"); do
+					$IPTABLES -nvL $sz | grep "$1" 1>/dev/nul 2>/dev/nul
+					if (( $? == 0 )); then
+						printf " $sz"
+						deleteRules $sz "$1"
+					fi
+				done
+				for sz in $($IPTABLES -t nat -nvL | grep -o -P "(?<=Chain\s)\S+"); do
+					$IPTABLES -t nat -nvL $sz | grep "$1" 1>/dev/nul 2>/dev/nul
+					if (( $? == 0 )); then
+						printf " $sz"
+						deleteRules -t nat $sz "$1"
+					fi
+				done
+				echo " ... done"
-			EXAMPLE_MARK_PACKET)
+				printf "# Deallocating orphaned chains:"
-				# mark a packet with a value of 1
+				for sz in $($IPTABLES -nvL | grep -o -P "(?<=Chain\s)\S+(?=\s\(0 ref)"); do
-				#$IPTABLES -A INPUT -m state --state INVALID -j MARK --set-mark 1
+					printf " $sz"
+					deallocChain $sz
+				done
+				echo " ... done"
-				# packet is marked with our value?
+				unset sz;
-				#$IPTABLES -A INPUT -m mark --mark 0x1 -j BLOCK
+				shift;
 				;;
+#			MARK_PACKET)
+#				# mark a packet with a value of 1
+#				$IPTABLES -A INPUT -m state --state INVALID -j MARK --set-mark 1
+#
+#				# packet is marked with our value?
+#				$IPTABLES -A INPUT -m mark --mark 0x1 -j BLOCK
+#				;;
 			*)
 				echo "(ERROR) >> Unknown argument: '$arg'"
 				printAbout