quota and mac addresses


roadhawk
Posts: 14
Joined: Fri Feb 26, 2016 5:37 am
Location: Germany

Re: quota and mac addresses

Post by roadhawk »

No, iptables doesn't accept that syntax. The ! needs to be before --mac-source, not after it, thus:

Code:

iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT

Whether it actually does what it is supposed to do is a different matter which I will test in 8 hours.

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: quota and mac addresses

Post by nworbnhoj »

Really!!?
http://linux.die.net/man/8/iptables
mac

--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
What am I missing??
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

roadhawk
Posts: 14
Joined: Fri Feb 26, 2016 5:37 am
Location: Germany

Re: quota and mac addresses

Post by roadhawk »

From my raspbian jessie:

Code:

jh@rpi01-jh:~ $man iptables-extensions
.
.
mac
[!] --mac-source address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
.
.

Strange, because die.net is usually the reference.

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: quota and mac addresses

Post by nworbnhoj »

OK so that is weird - up until now I trusted man *

I have just tested on my TL-WDR3600 and indeed

Code:

iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT

is the only syntax discussed above that does not raise an error from iptables after /etc/init.d/firewall restart

So let's work with this going forward and keep an eye out for errors on other platforms (just in case).

well done @roadhawk

Tareq
Posts: 58
Joined: Mon Dec 14, 2015 6:56 am

Re: quota and mac addresses

Post by Tareq »

Hi nworbnhoj,

I didn't understand; what exactly can I do to fix my issue?

Now I use the original gargoyle_firewall_util.sh file in my router.

Code:

block_static_ip_mismatches()
{
	block_mismatches=$(uci get firewall.@defaults[0].block_static_ip_mismatches 2> /dev/null)
	delete_chain_from_table static_mismatch_check filter
	if [ "$block_mismatches" = "1" ] && [ -e /etc/ethers ] ; then
		local pairs
		pairs=$(cat /etc/ethers | sed '/^[ \t]*$/d' | awk ' { print $1"^"$2"\n" ; } ' )
		if [ -n "$pairs" ] ; then
			iptables -t filter -N static_mismatch_check
			local p
			for p in $pairs ; do
				local mac
				local ip
				mac=$(echo $p | sed 's/\^.*$//g')
				ip=$(echo $p | sed 's/^.*\^//g')
				if [ -n "$ip" ] && [ -n "$mac" ] ; then
					iptables -t filter -A static_mismatch_check  ! -s  "$ip"  -m mac --mac-source  "$mac"  -j REJECT
				fi
			done
			iptables -t filter -I delegate_forward -j static_mismatch_check
		fi
	fi
}

Edit:
I really appreciate your efforts, so thank you.
TP-LINK WR841N. V8.4 | Gargoyle 1.9 | South Yemen

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: quota and mac addresses

Post by nworbnhoj »

Try adding a single line to your gargoyle_firewall_util.sh file

Code:

iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT

immediately below the existing similar "iptables" line in your post so that it looks like

Code:

for p in $pairs ; do
   local mac
   local ip
   mac=$(echo $p | sed 's/\^.*$//g')
   ip=$(echo $p | sed 's/^.*\^//g')
   if [ -n "$ip" ] && [ -n "$mac" ] ; then
      iptables -t filter -A lease_mismatch_check  ! -s  "$ip"  -m mac --mac-source  "$mac"  -j REJECT
      iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT
   fi
done

and then restart the firewall with

Code:

/etc/init.d/firewall restart
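
The rule pair from this thread, as an added example that is not part of any post or of Gargoyle's own script: it reads /etc/ethers-style "MAC IP" lines, validates both fields, and prints (rather than runs) the two REJECT rules with "!" placed before the option it negates. The chain name is the one used in the posts; the sample entries are constructed, and entries are assumed to carry IPv4 addresses rather than hostnames.

```shell
#!/bin/sh
# Added example: print (do not execute) the two REJECT rules per ethers entry.
# Assumptions: chain name as used in the thread; entries are "MAC IPv4".
CHAIN="lease_mismatch_check"

# Succeeds only for XX:XX:XX:XX:XX:XX with hex digits.
valid_mac() {
	printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Succeeds only for a dotted-quad IPv4 address with every octet <= 255.
valid_ip() {
	printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
	for octet in $(printf '%s' "$1" | tr '.' ' ') ; do
		[ "$octet" -le 255 ] || return 1
	done
}

# Reads ethers-format lines on stdin and prints one iptables command per rule.
gen_rules() {
	while read -r mac ip rest ; do
		case "$mac" in ''|'#'*) continue ;; esac
		if ! valid_mac "$mac" || ! valid_ip "$ip" ; then
			echo "skipping malformed entry: $mac $ip" >&2
			continue
		fi
		# Reserved MAC seen with any source IP other than its own.
		echo "iptables -t filter -A $CHAIN ! -s $ip -m mac --mac-source $mac -j REJECT"
		# Reserved IP seen from any other MAC; "!" precedes --mac-source.
		echo "iptables -t filter -A $CHAIN -s $ip -m mac ! --mac-source $mac -j REJECT"
	done
	return 0
}

# Constructed sample input, not taken from a real router.
SAMPLE='00:11:22:33:44:55 192.168.1.10
# comment line

AA:BB:CC:DD:EE:FF 192.168.1.20
not-a-mac 192.168.1.30
66:77:88:99:AA:BB 192.168.1.300'

sample_rules() { printf '%s\n' "$SAMPLE" | gen_rules 2>/dev/null ; }

sample_rules
```

Skipped entries are reported on stderr, so a malformed line in the ethers file shows up instead of producing a rule that iptables rejects during a firewall restart.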

Tareq
Posts: 58
Joined: Mon Dec 14, 2015 6:56 am

Re: quota and mac addresses

Post by Tareq »

Hi, nworbnhoj

Thank you man, it works fine.

Tareq
Posts: 58
Joined: Mon Dec 14, 2015 6:56 am

Re: quota and mac addresses

Post by Tareq »

Code:

for p in $pairs ; do
   local mac
   local ip
   mac=$(echo $p | sed 's/\^.*$//g')
   ip=$(echo $p | sed 's/^.*\^//g')
   if [ -n "$ip" ] && [ -n "$mac" ] ; then
      iptables -t filter -A lease_mismatch_check  ! -s  "$ip"  -m mac --mac-source  "$mac"  -j REJECT
      iptables -t filter -A lease_mismatch_check  -s  "$ip" -m mac ! --mac-source "$mac"  -j REJECT
   fi
done

This code no longer works in the new update 1.10.0.

Please can you help.

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: quota and mac addresses

Post by Lantis »

What evidence do you have to say it doesn't work? What exactly are you trying to do and what error are you encountering?
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Tareq
Posts: 58
Joined: Mon Dec 14, 2015 6:56 am

Re: quota and mac addresses

Post by Tareq »

Lantis wrote: What evidence do you have to say it doesn't work? What exactly are you trying to do and what error are you encountering?

I'm sorry, it really works fine without that code.

I have files that I have customized for myself, and when I copied them to the new version, I had a problem because I replaced the "gargoyle_firewall_util.sh" file.

Now it works fine without replacing that file.

Thank you.