From 6a86202f30b2fc58ca9db99b2c730a8f790bbb45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toralf=20F=C3=B6rster?= <toralf.foerster@gmx.de>
Date: Sat, 20 Jul 2024 18:56:36 +0200
Subject: [PATCH] stop packet length investigations

---
 ipv4-rules.sh | 7 ++-----
 ipv6-rules.sh | 8 ++------
 metrics.sh | 16 ----------------
 3 files changed, 4 insertions(+), 27 deletions(-)

diff --git a/ipv4-rules.sh b/ipv4-rules.sh
index 564af5e..230142f 100755
--- a/ipv4-rules.sh
+++ b/ipv4-rules.sh
@@ -22,10 +22,7 @@ function addCommon() {
   $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $jump
   $ipt -A INPUT -m conntrack --ctstate INVALID -j $jump
 
-  for relay in $*; do
-    relay_2_ip_and_port
-    $ipt -A INPUT -p tcp --dst $orip --dport $orport -m length --length 40:60 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-  done
+  # do not touch established connections
   $ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
   # ssh
@@ -255,7 +252,7 @@ start)
   trap bailOut INT QUIT TERM EXIT
   clearRules
   setSysctlValues
-  addCommon ${*:-${CONFIGURED_RELAYS:-$(getConfiguredRelays)}}
+  addCommon
   addHetzner
   additionalServices
   addTor ${*:-${CONFIGURED_RELAYS:-$(getConfiguredRelays)}}
diff --git a/ipv6-rules.sh b/ipv6-rules.sh
index 1050fd9..502f6ff 100755
--- a/ipv6-rules.sh
+++ b/ipv6-rules.sh
@@ -28,11 +28,7 @@ function addCommon() {
   # make sure NEW incoming tcp connections are SYN packets
   $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $jump
   $ipt -A INPUT -m conntrack --ctstate INVALID -j $jump
-
-  for relay in $*; do
-    relay_2_ip_and_port
-    $ipt -A INPUT -p tcp --dst $orip --dport $orport -m length --length 40:60 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-  done
+  # do not touch established connections
   $ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
   # ssh
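Review bot: The new comment `# do not touch established connections` understates what the rule below it does: `--ctstate RELATED,ESTABLISHED -j ACCEPT` also admits RELATED traffic (e.g. ICMP errors tied to a tracked flow), and because it is an unconditional ACCEPT placed this early, every rule appended after it (ssh, Hetzner, the per-relay ORPort rules in addTor) only ever sees NEW packets. Since the per-relay length filter that used to sit in front of it is gone, this is now the single rule that decides the fate of all in-flow traffic, so the comment should say so: `# accept everything that belongs to an already tracked flow, incl. RELATED (ICMP errors etc.); rules below therefore only see NEW packets`. The body of addCommon continues outside the hunk; if it still declares or documents the relay-list argument that the removed `for relay in $*` loop consumed, that is now dead and should be dropped as well.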
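Review bot: In the ipv6 variant the removed block took the blank line after the INVALID drop with it, so the new `# do not touch established connections` now visually attaches to the `--ctstate INVALID -j $jump` line above rather than to the ACCEPT it describes; keep the separating blank line and, as in the ipv4 file, make the comment name RELATED explicitly, e.g. `# accept packets of already tracked flows and RELATED traffic (ICMPv6 errors); rules below only see NEW packets`. The surrounding context line `-m state --state NEW` still uses the legacy state match while the neighbouring lines use conntrack; that predates this commit, but a short comment on the new line noting that NEW-packet filtering happens above would help a reader who wonders why no `--state` appears here. addCommon's head and tail are outside the hunk, so any leftover `local orip orport` or relay-argument documentation there should be checked for staleness.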
@@ -240,7 +236,7 @@ case $action in
 start)
   trap bailOut INT QUIT TERM EXIT
   clearRules
-  addCommon ${*:-${CONFIGURED_RELAYS6:-$(getConfiguredRelays6)}}
+  addCommon
   addHetzner
   additionalServices
   addTor ${*:-${CONFIGURED_RELAYS6:-$(getConfiguredRelays6)}}
diff --git a/metrics.sh b/metrics.sh
index 91c3602..8af314c 100755
--- a/metrics.sh
+++ b/metrics.sh
@@ -42,22 +42,6 @@ function printMetricsIptables() {
         echo "$var{ipver=\"${v:-4}\",nickname=\"$nickname\"} $pkts"
       done
   done
-
-  var="torutils_dropped_length_packets"
-  echo -e "# HELP $var Total number of dropped packets due to having a wrong length\n# TYPE $var gauge"
-  for v in "" 6; do
-    if [[ -z $v ]]; then
-      echo "$tables4"
-    else
-      echo "$tables6"
-    fi |
-      grep 'length .* ctstate RELATED,ESTABLISHED' | awk '{ print $1, $11 }' |
-      while read -r pkts dport; do
-        orport=$(cut -f 2 -d ':' <<<$dport)
-        nickname=${NICKNAME:-$(_orport2nickname $orport)}
-        echo "$var{ipver=\"${v:-4}\",nickname=\"$nickname\"} $pkts"
-      done
-  done
 }
 
 function _orport2nickname() {