> [44net] ampr-ripd 1.12 released
> From: "Marius Petrescu"
> Date: 11/16/2014 01:36 PM
> To: AMPRNet working group
>
> Hello OMs,
>
> Following the idea from Rob, PE1CHL, I added the possibility to execute a
> system command from ampr-ripd if routes are set or changed.
> This will happen on startup, after an existing encap is found in
> /var/lib/ampr-ripd, or 30 seconds after a RIP update, if there is a
> change in the encap data (AFTER saving the new encap file if requested).

Thanks Marius! I have installed it on my own gateway and the 44.137 gateway and first tests show it works fine.

For the others: I requested this feature to modify a firewall when gateways change address. Before, I accepted IPIP packets from everyone, but this is a weakness in the system that maybe could be exploited. I observed rogue IPIP packets from the far east.

So instead of:

iptables -A firewall -p 4 -j ACCEPT

on the incoming interface, I now have:

iptables -A firewall -p 4 -j ipipfilter

and I have the following script that inserts/updates the ipipfilter list:

#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="169.228.66.251"
gwfile="/tmp/gw"
cd /var/lib/ampr-ripd || exit 1
# one gateway address per line, taken from the "encap" field of encap.txt
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile
if iptables -N ipipfilter 2>/dev/null
then
    # chain did not exist yet: build it from scratch, DROP at the end
    iptables -F ipipfilter
    iptables -A ipipfilter -s $AMPRGW -j ACCEPT
    while read ip
    do
        iptables -A ipipfilter -s $ip -j ACCEPT
    done <$gwfile
    iptables -A ipipfilter -j DROP
else
    # chain exists: diff the current ACCEPT sources against the new list,
    # insert (-I) new gateways above the final DROP and delete (-D) old ones
    iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
        sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
        while read d ip
        do
            case "$d" in
            ">") iptables -I ipipfilter -s $ip -j ACCEPT ;;
            "<") iptables -D ipipfilter -s $ip -j ACCEPT ;;
            *) ;;
            esac
        done
fi
rm -f $gwfile

The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x option to ampr-ripd. It will load the entire filter the first time, and later it will only update the filters that have changed. It is required that the -s option is passed as well, so the encap.txt file is created by ampr-ripd.

Now I only accept IPIP packets from addresses in the gateway list, which makes me feel a bit safer. (Of course sanity checks were already done on the incoming IPIP packets.)

Rob, PE1CHL
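An added audit helper for the filter described above (example code, not Rob's script and not part of ampr-ripd): it compares a saved "iptables -S ipipfilter" dump against encap.txt and reports drift without touching the chain, so it can run as an unprivileged user. The encap.txt line format ("route addprivate ... encap a.b.c.d") and the AMPRGW address are assumptions taken from the script, and the sample files are constructed.

```shell
# Added example, not part of the original post: audit the ipipfilter chain
# against encap.txt using a saved dump made with "iptables -S ipipfilter".
# Assumed (not from the post): the encap.txt line format and AMPRGW address.
AMPRGW="169.228.66.251"
# Unique encap endpoints in an encap.txt file, sorted one per line.
gateways_from_encap() {
    grep addprivate "$1" | sed -e 's/.*encap //' | sort -u
}
# Source addresses with an ACCEPT rule in the saved chain dump, /32 suffix
# stripped and the AMPRGW exception left out.
accepts_from_rules() {
    sed -n 's|^-A ipipfilter -s \([0-9.]*\)\(/32\)* -j ACCEPT$|\1|p' "$1" \
        | grep -v "^$AMPRGW\$" | sort -u
}
# Print "extra IP" (accepted but no longer a gateway), "missing IP"
# (gateway without a rule) and "no-drop" (chain does not end in DROP).
ipipfilter_audit() {
    gw=$(mktemp)
    gateways_from_encap "$1" > "$gw"
    accepts_from_rules "$2" | diff - "$gw" | while read d ip
    do
        case "$d" in
        "<") echo "extra $ip" ;;
        ">") echo "missing $ip" ;;
        esac
    done
    rm -f "$gw"
    tail -n 1 "$2" | grep -q -- '-j DROP$' || echo "no-drop"
}
# Constructed sample: three gateways in encap.txt, while the chain still
# accepts 192.0.2.9 and has no rule yet for 198.51.100.7.
SAMPLE_ENCAP=$(mktemp); SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_ENCAP" <<'EOF'
route addprivate 44.10.0.0/16 encap 192.0.2.1
route addprivate 44.20.0.0/16 encap 198.51.100.7
route addprivate 44.30.0.0/16 encap 203.0.113.5
EOF
cat > "$SAMPLE_RULES" <<'EOF'
-N ipipfilter
-A ipipfilter -s 169.228.66.251/32 -j ACCEPT
-A ipipfilter -s 192.0.2.1/32 -j ACCEPT
-A ipipfilter -s 192.0.2.9/32 -j ACCEPT
-A ipipfilter -s 203.0.113.5/32 -j ACCEPT
-A ipipfilter -j DROP
EOF
audit_sample() { ipipfilter_audit "$SAMPLE_ENCAP" "$SAMPLE_RULES"; }
audit_sample   # prints: extra 192.0.2.9 / missing 198.51.100.7
```

Run it from cron or after load_ipipfilter has executed to confirm the live chain still matches the gateway list.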