1. 15 Apr, 2016 3 commits
  2. 09 Apr, 2016 3 commits
      ~ The reset target of 'Makefile.example' has been renamed to avoid confusion... · edca0ffa
      Branko Mikić authored
      ~ The reset target of 'Makefile.example' has been renamed to avoid confusion with the RESET function of ipturntables which rather resets (clears) all rules instead of restoring a preset file.
      ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies... · e79331a3
      root authored
      ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies can tweak their local 'Makefile' file without committing such configurations to the repo.
      ~ The default make targets and respectively their output files 'IPv4.rules' and 'IPv6.rules' aren't handy for completion on the console. The default base configs are now called '4.rules' and '6.rules'.
      ~ A new 'reset' make target was added which just uses ip(6)tables-restore on the default configs to reset the firewall without the necessity to process '4.rules' and '6.rules' targets again. A convenient way to just reset the firewall.
      ~ iptables-save isn't called implicitly when running ipturntables.sh anymore, that cluttered the output too much when using small additional calls. Instead the keywords VERBOSE, LIST_RULES or SHOW_RULES can be used to output the rules tables to stdout. By default these aren't printed anymore but in a full make run this is explicitly set to have a full output there only.
      ~ ICMP route & neighbor discovery has been revised. The ICMP subtype 143 was added to the output chain to allow "multicast listener report V2" and some additional comments about the ICMP subtypes were added.
      ~ An INVALID chain has been added and is called in the BLOCK chain which usually logs just '[BLOCKED]' but when a packet is invalid the log-prefix now adds '(Invalid)'. Invalid packets give a good indication if someone's trying something suspicious and can be differentiated from usual packets getting blocked.
  3. 28 Mar, 2016 2 commits
  4. 24 Mar, 2016 1 commit
      ~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suitable for grep'ing. · 9498bb11
      Branko Mikić authored
      ~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with its POSTROUTING_MASQUERADE rule entries in one step.
      ~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.
  5. 23 Mar, 2016 1 commit
      ~ getLinkID() implemented which extends getLinkMAC() function. In case of... · 3eb05a9f
      Branko Mikić authored
      ~ getLinkID() implemented which extends getLinkMAC() function. In case of virtual network interfaces no appropriate ID was returned. getLinkID() returns a hash of the interface name instead of an empty MAC identifier when no MAC address is available. Further, the MAC address is now obtained from the /sys/class/net/* path instead of calling ip command plus expensive grep'ing.
      ~ getLinkMac() was revised to just return the MAC address. Additionally it provides a return code for successful retrieval of a MAC address.
      ~ The ALLOW_DHCPV6_CLIENT call was revised to handle IPv4 protocol too and has been renamed to ALLOW_DHCP_CLIENT accordingly.
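The getLinkMAC()/getLinkID() fallback described in commit 3eb05a9f, as an added illustration that is not ipturntables' own code: the MAC is read from the sysfs address file and, when the interface has none (empty or all-zero, as for lo or tunnel devices), a stable hash of the interface name is returned instead. Assumptions made here and not stated on the page: the sysfs root is taken from an overridable SYSFS_NET variable so the functions can be exercised against a constructed directory, and the hash is the first 12 hex characters of sha256sum (the commit only says "a hash of the interface name").

```shell
#!/bin/sh
# Added example, not ipturntables' own code. Assumptions: SYSFS_NET may be
# overridden for testing; the hash algorithm (sha256sum, 12 hex chars) is a
# choice made here, the page only says "a hash of the interface name".

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# getLinkMAC IFACE
#   Prints the MAC address read from $SYSFS_NET/IFACE/address.
#   Returns 0 on success, 1 when the interface has no usable MAC.
getLinkMAC() {
    addr_file="$SYSFS_NET/$1/address"
    [ -r "$addr_file" ] || return 1
    mac=$(cat "$addr_file" 2>/dev/null)
    # Interfaces without a hardware address report empty or all-zero.
    case "$mac" in
        ""|00:00:00:00:00:00) return 1 ;;
    esac
    printf '%s\n' "$mac"
}

# getLinkID IFACE
#   Prints the MAC if available, otherwise a stable hash of the name so that
#   virtual interfaces still get a non-empty, per-interface identifier.
getLinkID() {
    if mac=$(getLinkMAC "$1"); then
        printf '%s\n' "$mac"
    else
        printf '%s' "$1" | sha256sum | cut -c1-12
    fi
}

# demo_setup
#   Builds a constructed sysfs-like tree (not a real system) and prints its
#   path: eth0 with a MAC, lo with an all-zero MAC, tun0 with an empty file.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/eth0" "$d/lo" "$d/tun0"
    printf '02:42:ac:11:00:02\n' > "$d/eth0/address"
    printf '00:00:00:00:00:00\n' > "$d/lo/address"
    : > "$d/tun0/address"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed tree.
SYSFS_NET=$(demo_setup)
for ifname in eth0 lo tun0; do
    printf '%-5s -> %s\n' "$ifname" "$(getLinkID "$ifname")"
done
rm -rf "$SYSFS_NET"
```

Point SYSFS_NET at the real /sys/class/net (the default) to use it on a live host; the hash branch only kicks in for interfaces the kernel reports without a hardware address, so physical NICs keep their MAC as ID.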
  6. 31 Jan, 2016 1 commit