Re: GUPnP and Zones




Hi Ludo,

> I must say I'm a little confused about your proposals and about the
> direction which this discussion takes.


Sorry about the confusion.  Let me try to summarise the proposals again.

Rygel currently has a mechanism (a setting in its configuration file) that allows users to specify the networks on which Rygel publishes media. Currently, users can identify networks by specifying an IP address, a network name or an SSID for wireless networks. So the proposal is to

1. Move this feature, which works by filtering contexts, into GUPnP so that it can be used by all GUPnP clients. A new GUPnP API would be added to allow users to specify the networks we are safe to use.

2. Expand this feature so that it can take advantage of zone information where available. So this would mean that users could identify safe networks by IP addresses, SSIDs and zones.

Originally, I was proposing introducing a default value for the filter in GUPnP but Jussi has convinced me that this would not be a good idea as it would change the behaviour of existing applications.


> So, are we talking about managing 'white list', or real support of zones
> provided by the Network Manager?
>
> If the goal is to support the Network Manager zones new feature, we
> should work with the Network Manager team to ensure DLNA rules are
> correctly managed in the various zones.
>
> But we have nothing to do in GUPnP/Rygel/dLeyna as it's NM that will
> allow or deny networks.
>
> If your proposal of 'white list' is in addition to Network Zone, then
> this is a lame solution, as your solution will only work on networks
> already granted by NM.
>
> You won't be able to enable a network, even if you add it in the white
> list, if NM has already blocked it.
> We will only be able to block a network previously granted by NM.


Your concern about adding zone support to a whitelist in GUPnP seems to be that the setting might be redundant as it will be overridden by any rules in the firewall. This is of course true in theory but I wonder if it will be in practice. If we take Ubuntu as an example, AFAIK, the default Ubuntu firewall on 12.10 doesn't block anything. I think we need to now see what happens in Ubuntu 13.04 which supports firewalld and hence has proper zone support. Assuming that it doesn't block UPnP either by default in any zones, then I think we have a good case for adding zone support to GUPnP, rather than trying to configure firewall rules for every distro.

As I mentioned in a previous email, I suspect blocking UPnP in the firewall is probably not a workable solution and I don't think we should pursue this, if it is not already done. In addition, if you read Jussi's emails you will see that such a solution is not really desirable as it applies one set of rules for all UPnP applications, whether they are based on GUPnP or on other stacks. As Jussi points out this is not what we want. Each application has its own set of requirements. If we unilaterally block things in the firewall, we will take this freedom away from applications and their users and break existing applications.


Best Regards,

Mark
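
The following sketch is an added illustration, not code from GUPnP, Rygel or this thread. It models the filter described in the proposal (entries naming an IP address, an SSID or a zone), the no-default behaviour, and the layering Ludo describes, where the allowlist can only narrow what the firewall already permits. The `Context` struct, the function names and the sample data are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a network context; not GUPnP's real types. */
typedef struct {
    const char *ip;      /* address the context is bound to */
    const char *ssid;    /* NULL for wired networks */
    const char *zone;    /* NULL when no zone information is available */
    bool fw_allows_upnp; /* firewall decision, taken outside the application */
} Context;

/* True when the field is present and equal to the allowlist entry. */
static bool field_matches(const char *field, const char *entry) {
    return field != NULL && strcmp(field, entry) == 0;
}

/* An entry may name an IP address, an SSID or a zone. */
bool allowlist_matches(const Context *c, const char *const *entries, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (field_matches(c->ip, entries[i]) ||
            field_matches(c->ssid, entries[i]) ||
            field_matches(c->zone, entries[i]))
            return true;
    }
    return false;
}

/* The firewall decides first, so the allowlist can only narrow its result.
 * An empty allowlist means "no filter": existing applications are unchanged. */
bool context_is_used(const Context *c, const char *const *entries, size_t n) {
    if (!c->fw_allows_upnp)
        return false;
    if (n == 0)
        return true;
    return allowlist_matches(c, entries, n);
}

/* Constructed sample data. */
const Context home   = { "192.168.1.10", "HomeNet",  "home",   true  };
const Context cafe   = { "10.0.0.23",    "CafeWifi", "public", true  };
const Context locked = { "172.16.0.5",   NULL,       "work",   false };
const char *const allow[] = { "home", "172.16.0.5" };

int main(void) {
    /* home is used; locked is listed by IP but stays blocked by the firewall. */
    return (context_is_used(&home, allow, 2) &&
            !context_is_used(&locked, allow, 2)) ? 0 : 1;
}
```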

