My ClearOS 5.1 is acting as a wireless access point. Therefore I also enabled MAC address filtering in /etc/firewall (0x12000200 rules). All worked to my satisfaction, until yesterday.
My wireless clients did not receive an IP address anymore.
I remembered having had this problem in the past. What I then found (and redid again) was that /etc/rc.d/firewall.lua installs the iptables rules. More precisely, function RunIncomingDenied in this file adds the MAC filtering to the nat PREROUTING table. This function contains a loop, iterating over all rules and adding them to iptables if the rule is a MAC-filtering rule.
The fragment below is from function RunIncomingDenied in file /etc/rc.d/firewall.lua:
```lua
for _, rule in RULES do
    r_type, r_proto, r_addr, r_port, r_param = ExpandRule(rule)
    if b_and(r_type, tonumber(os.getenv("FWR_ENABLED"))) ~= 0 and
        b_and(r_type, tonumber(os.getenv("FWR_MAC_FILTER"))) ~= 0 and
        b_and(r_type, tonumber(os.getenv("FWR_WIFI"))) ~= 0 and
        b_and(r_type, tonumber(os.getenv("FWR_CUSTOM"))) == 0 then
        mac_filter = "yes"
        echo("Adding wireless MAC filtering for: " .. WIFIF)
        iptables("nat",
            string.format("-A PREROUTING -i %s -m mac --mac-source %s -j %s",
            WIFIF, r_addr, FW_ACCEPT))
    end
    -- AKo
end
-- AKo
if mac_filter ~= nil then
    iptables("nat", "-A PREROUTING -i " .. WIFIF .. " -j " .. FW_DROP)
end
-- AKo end
end
```
However, also inside the loop is a statement that adds a drop rule. The end effect is that only the first MAC address is accepted; all others end up below the added drop rule. When I make the modification indicated with the "-- AKo" lines, I get a correct iptables "nat" PREROUTING chain.
Can somebody please tell me if this change is necessary, or what I did wrong in setting up my MAC address filtering rules?
Thanks in advance,
albert
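As an added illustration of the ordering problem described in the post (example code, not from the post itself and not ClearOS's firewall.lua), the script below simulates the first-match evaluation iptables applies to the nat PREROUTING chain. It builds the rule list both ways, with the interface-wide DROP appended inside the loop after every ACCEPT and with it appended once after the loop, and shows which of the allow-listed clients would still get through to DHCP. The interface name `wlan0` and the MAC addresses are constructed for the example.

```python
# Added example (not ClearOS code): simulate the first-match evaluation
# iptables applies to the PREROUTING chain, so the effect of where the
# final DROP rule lands can be checked without touching a live firewall.
# Interface name, MAC addresses and the rule builder are constructed here.

WIFIF = "wlan0"  # assumed wireless interface name

# Constructed allow-list of client MAC addresses (not real hardware).
ALLOWED_MACS = [
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "00:11:22:33:44:03",
]


def build_rules(allowed, drop_inside_loop):
    """Return PREROUTING rules in the order firewall.lua would append them.

    A rule is (mac, target); mac is None for the interface-wide DROP,
    which matches every source MAC arriving on WIFIF.
    """
    rules = []
    for mac in allowed:
        rules.append((mac, "ACCEPT"))
        if drop_inside_loop:
            # Placement described in the post: a DROP follows every ACCEPT.
            rules.append((None, "DROP"))
    if allowed and not drop_inside_loop:
        # Corrected placement: one DROP after all ACCEPT rules.
        rules.append((None, "DROP"))
    return rules


def render(rules):
    """Render rules as the iptables arguments firewall.lua would emit."""
    lines = []
    for mac, target in rules:
        if mac is None:
            lines.append(f"-A PREROUTING -i {WIFIF} -j {target}")
        else:
            lines.append(
                f"-A PREROUTING -i {WIFIF} -m mac --mac-source {mac} -j {target}"
            )
    return lines


def evaluate(rules, src_mac):
    """First matching rule decides, as in an iptables chain.

    Falls back to the chain policy (ACCEPT for nat PREROUTING) when no
    rule matches, which is also what happens when the allow-list is empty
    and firewall.lua never sets mac_filter.
    """
    for mac, target in rules:
        if mac is None or mac.lower() == src_mac.lower():
            return target
    return "ACCEPT"


def accepted_macs(rules, candidates):
    """Return the subset of candidates whose packets reach the DHCP server."""
    return [m for m in candidates if evaluate(rules, m) == "ACCEPT"]


if __name__ == "__main__":
    for label, inside in (("DROP inside loop", True), ("DROP after loop", False)):
        rules = build_rules(ALLOWED_MACS, inside)
        print(f"== {label} ==")
        for line in render(rules):
            print("  iptables -t nat " + line)
        print("  accepted:", accepted_macs(rules, ALLOWED_MACS))
        print("  unknown MAC:", evaluate(rules, "de:ad:be:ef:00:00"))
```

With the DROP inside the loop only the first allow-listed address is accepted, because every later ACCEPT sits below a DROP that already matched; with the DROP after the loop every allow-listed address is accepted and an unknown address is still dropped. The same check can be made on a live box by reading the chain in order with `iptables -t nat -L PREROUTING -n --line-numbers` and confirming the interface-wide DROP is the last rule.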