1. 17 Nov, 2016 3 commits
  2. 25 Oct, 2016 1 commit
      ~ some helpers added for checking numbers like isNaturalNumber(), isInteger(),... · caf9aa22
      Branko Mikić authored
      ~ some helpers added for checking numbers like isNaturalNumber(), isInteger(), isFloat() and isNumber() functions.
      ~ ALLOW_DHCPV6_CLIENT revised to work with both IPv(4|6) therefore the function was renamed to ALLOW_DHCP_CLIENT.
      ~ obtainRouteToIP() renamed to obtainNetPrefix() and revised to work with both IPv(4|6)
      ~ obtainNetPrefix() renamed to checkSubnetArgFormat()
      ~ NEW! checkMACArgFormat(), checkIPArgFormat() and checkSubnetArgFormat() implemented to check passed arguments.
      ~ deleteRules() revised to return the number of rules deleted. Useful when giving feedback to the user about deletions.
      ~ The LOG target now includes the ENVID to distinguish between logs from iptables and ip6tables. Instead of [IN|OUT|FWD-DROP] prefix the logs are now prefixed like [IN4-DROP], [OU6-DROP] or [FW4-DROP], ...
      ~ When creating chain names usually the formatSubnetAsHexID() function was used, but for IPv6 subnets this can lead to chain names longer than 28 chars, which iptables will not accept; therefore chain names now use the shorter ID created from cksum with '-IN' or '-OUT' suffixes (e.g. A273DBBD-OUT or A0C182C8-IN).
      ~ FORWARD_MAC_FILTER renamed to MAC_FILTER and revised to accept a chain name on which the mac filter is placed.
      ~ FORWARD_PORT|FORWARD_ROUTING implemented to allow pre- & postrouting forwards in the nat table. This function can forward through a WAN into a private subnet but can be used to forward between hosts inside a private subnet.
      ~ REMOVE_RULES revised to show only chains on which entries were deleted instead of chains processed regardless of deletions. This way the user gets better feedback about deletions when removing rules by regex expression.
      ~ ALLOW_TUNNEL implemented. Allows a router to receive ipip, gre or sit tunnels on the given node from a specified address. At the moment sit tunnels are working, ipip and gre still need some work. A hacky script was added to includes/sit_tunnel.sh which is not exactly a part of ipturntables but may be useful anyway.
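As an added example, not code from the ipturntables project: a POSIX sh sketch of the cksum-based chain naming described in this commit (short hex ID plus -IN/-OUT suffix) together with a minimal subnet-argument format check and a check against the 28-character chain-name limit iptables enforces. The helper names, the printf '%08X' rendering of the cksum CRC and the simplified format check are assumptions; the project's real checkSubnetArgFormat() and formatSubnetAsHexID() are not reproduced here.

```shell
# Added example (not ipturntables' own code). Assumed: helper names, the
# printf '%08X' hex rendering of the POSIX cksum CRC, and a simplified
# "address/prefix" format check instead of the project's checkSubnetArgFormat().

# Minimal format check for "address/prefix": address part non-empty, prefix
# numeric and no larger than 128 (IPv4 prefixes are also <= 32; not enforced here).
check_subnet_arg_format() {
    case "$1" in
        */*) ;;
        *) echo "subnet '$1' lacks a /prefix" >&2; return 1 ;;
    esac
    addr=${1%/*}
    plen=${1##*/}
    [ -n "$addr" ] || { echo "empty address in '$1'" >&2; return 1; }
    case "$plen" in
        ''|*[!0-9]*) echo "bad prefix length in '$1'" >&2; return 1 ;;
    esac
    [ "$plen" -le 128 ] || { echo "prefix length out of range in '$1'" >&2; return 1; }
}

# 8-hex-digit ID derived from the cksum CRC of the subnet string. A long IPv6
# prefix expanded to hex would not fit; a fixed-width hash always does.
subnet_hex_id() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    printf '%08X' "$crc"
}

# Chain name of the shape <ID>-IN or <ID>-OUT (the page's A0C182C8-IN form).
chain_name_for_subnet() {
    check_subnet_arg_format "$1" || return 1
    case "$2" in
        IN|OUT) ;;
        *) echo "direction must be IN or OUT, got '$2'" >&2; return 1 ;;
    esac
    printf '%s-%s' "$(subnet_hex_id "$1")" "$2"
}

# iptables and ip6tables reject chain names longer than 28 characters.
chain_name_ok() {
    [ ${#1} -le 28 ]
}

# Constructed sample inputs: an IPv4 subnet and a long IPv6 prefix.
for s in 10.0.0.0/8 2001:db8:abcd:1234::/64; do
    for d in IN OUT; do
        n=$(chain_name_for_subnet "$s" "$d")
        chain_name_ok "$n" && echo "$s $d -> $n (${#n} chars)"
    done
done
```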
  3. 15 Apr, 2016 3 commits
  4. 09 Apr, 2016 3 commits
      ~ The reset target of 'Makefile.example' has been renamed to avoid confusion... · edca0ffa
      Branko Mikić authored
      ~ The reset target of 'Makefile.example' has been renamed to avoid confusion with the RESET function of ipturntables which rather resets (clears) all rules instead of restoring a preset file.
      ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies... · e79331a3
      root authored
      ~ The 'Makefile' has been renamed to 'Makefile.example' so that working copies can tweak their local 'Makefile' file without committing such configurations to the repo.
      ~ The default make targets and respectively their output files 'IPv4.rules' and 'IPv6.rules' aren't handy for completion on the console. The default base configs are now called '4.rules' and '6.rules'
      ~ A new 'reset' make target was added which just uses ip(6)tables-restore on the default configs to reset the firewall without the necessity to process '4.rules' and '6.rules' targets again. A convenient way to just reset the firewall.
      ~ iptables-save isn't called implicitly when running ipturntables.sh anymore; that cluttered the output too much when using small additional calls. Instead the keywords VERBOSE, LIST_RULES or SHOW_RULES can be used to output the rules tables to stdout. By default these aren't printed anymore, but in a full make run this is explicitly set to have a full output there only.
      ~ ICMP route & neighbor discovery has been revised. The ICMP subtype 143 was added to the output chain to allow "multicast listener report V2" and some additional comments about the ICMP subtypes were added.
      ~ An INVALID chain has been added and is called in the BLOCK chain, which usually logs just '[BLOCKED]', but when a packet is invalid the log-prefix now adds '(Invalid)'. Invalid packets give a good indication if someone's trying something suspicious and can be differentiated from usual packets getting blocked.
  5. 28 Mar, 2016 2 commits
  6. 24 Mar, 2016 1 commit
      ~ FORWARD_SUBNET_PROTECTIVE call now uses an ID string better suitable for grep'ing. · 9498bb11
      Branko Mikić authored
      ~ Also the ID string of MASQUERADE has been changed to POSTROUTING_MASQUERADE and it uses the same format for device and subnet (INPUTDEV_SUBNET_OUTPUTDEV) as the FORWARD_SUBNET_PROTECTIVE call. This way it's possible to grep both and delete FORWARD_SUBNET_PROTECTIVE rules for a specific subnet config along with its POSTROUTING_MASQUERADE rule entries in one step.
      ~ REMOVE_RULES call implemented. It deletes all rules matching the given ID string. Any possible orphaned chain is deallocated (removed) too. This keeps the rules table clean.
  7. 23 Mar, 2016 1 commit
      ~ getLinkID() implemented which extends getLinkMAC() function. In case of... · 3eb05a9f
      Branko Mikić authored
      ~ getLinkID() implemented, which extends the getLinkMAC() function. In case of virtual network interfaces no appropriate ID was returned. getLinkID() returns a hash of the interface name instead of an empty MAC identifier when no MAC address is available. Further, the MAC address is now obtained from the /sys/class/net/* path instead of calling the ip command plus expensive grep'ing.
      ~ getLinkMac() was revised to just return the MAC address. Additionally it provides a return code for successful retrieval of a MAC address.
      ~ The ALLOW_DHCPV6_CLIENT call was revised to handle IPv4 protocol too and has been renamed to ALLOW_DHCP_CLIENT accordingly.
  8. 31 Jan, 2016 1 commit