1. 07 Sep, 2016 4 commits
  2. 06 Sep, 2016 11 commits
  3. 05 Sep, 2016 2 commits
  4. 01 Sep, 2016 15 commits
  5. 23 Jun, 2016 1 commit
  6. 11 Nov, 2015 2 commits
  7. 04 Nov, 2015 1 commit
  8. 17 Sep, 2015 1 commit
      Merge branch 'allow-reset' into 'master' · 0ff23e24
      Morten Knutsen authored
      Allow reset
      
      Untested proposal for how to fix the dropping of RST packets between nodes in the instance net. The differences in the generated output are as follows:
      
      ```
      diff -ur a/generated_ip6tables b/generated_ip6tables
      --- a/generated_ip6tables	2015-09-14 14:36:30.858554062 +0200
      +++ b/generated_ip6tables	2015-09-14 14:39:25.267693618 +0200
      @@ -25,14 +25,22 @@
       -A INPUT -i eth3.900 -p tcp -m tcp --dport 1936 -j DROP
       -A INPUT ! -s 2001:700:1::/64 -i eth1 -p tcp -m tcp --dport 1936 -j DROP
       -A NOVAFORWARD -m set --match-set rls_from_any_inet6_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set rls_from_any_inet6_0 src,src -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_from_cidr_inet6_0 dst,dst,src -j ACCEPT
      +-A NOVAFORWARD -m set --match-set rls_from_cidr_inet6_0 src,src,dst -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_from_any_to_ip_inet6_0 dst -j ACCEPT
       -A NOVAFORWARD -m set --match-set source36_inet6_0 src -m set --match-set rls_by_src140_inet6_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source36_inet6_0 dst -m set --match-set rls_by_src140_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source66_inet6_0 src -m set --match-set rls_by_src67_inet6_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source66_inet6_0 dst -m set --match-set rls_by_src67_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source94_inet6_0 src -m set --match-set rls_by_src231_inet6_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source94_inet6_0 dst -m set --match-set rls_by_src231_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source164_inet6_0 src -m set --match-set rls_by_src165_inet6_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source164_inet6_0 dst -m set --match-set rls_by_src165_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source186_inet6_0 src -m set --match-set rls_by_src126_inet6_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source186_inet6_0 dst -m set --match-set rls_by_src126_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source230_inet6_0 src -m set --match-set rls_by_src69_inet6_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source230_inet6_0 dst -m set --match-set rls_by_src69_inet6_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_cidr_to_ip61_inet6_0 src -m set --match-set source60_inet6_0 dst -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_cidr_to_ip78_inet6_0 src -m set --match-set source77_inet6_0 dst -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_cidr_to_ip81_inet6_0 src -m set --match-set source80_inet6_0 dst -j ACCEPT
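Review bot: The to-IP rules in this hunk get no mirrored RST rule: `rls_from_any_to_ip_inet6_0 dst` and the `rls_cidr_to_ip*_inet6_0 src` / `source*_inet6_0 dst` pairs at the end stay one-directional. A reset answering a connection admitted by those rules would presumably still be dropped, unless a rule outside the hunk already covers it. If the omission is deliberate, it deserves a comment in the generator; otherwise the same mirroring applies, e.g. `-A NOVAFORWARD -m set --match-set rls_from_any_to_ip_inet6_0 src -p tcp --tcp-flags RST RST -j ACCEPT`. The generated_iptables hunk has the same gap for `rls_from_any_to_ip_inet_0` and its `rls_cidr_to_ip*_inet_0` rules.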
      diff -ur a/generated_iptables b/generated_iptables
      --- a/generated_iptables	2015-09-14 14:36:30.858554062 +0200
      +++ b/generated_iptables	2015-09-14 14:39:25.267693618 +0200
      @@ -34,14 +34,22 @@
       -A INPUT -i eth3.900 -p tcp -m tcp --dport 1936 -j DROP
       -A INPUT ! -s 158.38.62.0/23 -i eth1 -p tcp -m tcp --dport 1936 -j DROP
       -A NOVAFORWARD -m set --match-set rls_from_any_inet_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set rls_from_any_inet_0 src,src -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_from_cidr_inet_0 dst,dst,src -j ACCEPT
      +-A NOVAFORWARD -m set --match-set rls_from_cidr_inet_0 src,src,dst -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_from_any_to_ip_inet_0 dst -j ACCEPT
       -A NOVAFORWARD -m set --match-set source36_inet_0 src -m set --match-set rls_by_src140_inet_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source36_inet_0 dst -m set --match-set rls_by_src140_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source66_inet_0 src -m set --match-set rls_by_src67_inet_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source66_inet_0 dst -m set --match-set rls_by_src67_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source94_inet_0 src -m set --match-set rls_by_src231_inet_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source94_inet_0 dst -m set --match-set rls_by_src231_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source164_inet_0 src -m set --match-set rls_by_src165_inet_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source164_inet_0 dst -m set --match-set rls_by_src165_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source186_inet_0 src -m set --match-set rls_by_src126_inet_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source186_inet_0 dst -m set --match-set rls_by_src126_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set source230_inet_0 src -m set --match-set rls_by_src69_inet_0 dst,dst -j ACCEPT
      +-A NOVAFORWARD -m set --match-set source230_inet_0 dst -m set --match-set rls_by_src69_inet_0 src,src  -p tcp --tcp-flags RST RST -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_cidr_to_ip8_inet_0 src -m set --match-set source7_inet_0 dst -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_cidr_to_ip17_inet_0 src -m set --match-set source16_inet_0 dst -j ACCEPT
       -A NOVAFORWARD -m set --match-set rls_cidr_to_ip43_inet_0 src -m set --match-set source42_inet_0 dst -j ACCEPT
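Review bot: `--tcp-flags RST RST` on every added rule examines only the RST bit, so a segment that sets RST together with SYN or FIN is accepted as well. No connection-state match is visible on these lines either. A wider mask such as `--tcp-flags SYN,FIN,RST RST` still passes a plain RST and RST/ACK while leaving malformed flag combinations to the default policy. The added lines in the generated_ip6tables hunk are affected in the same way. As the proposal is marked untested, a check that a reset for a permitted flow passes and one with SYN also set does not would confirm the rule set.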
      ```
      
      See merge request !8
      0ff23e24
  9. 14 Sep, 2015 1 commit
  10. 02 Sep, 2015 1 commit
  11. 01 Sep, 2015 1 commit