Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
- From: poma <pomidorabelisima gmail com>
- To: Network Manager <networkmanager-list gnome org>
- Subject: Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
- Date: Wed, 1 Mar 2017 08:20:40 +0100
On 01.03.2017 08:07, poma wrote:
From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001
From: poma <poma gmail com>
Date: Wed, 1 Mar 2017 07:05:40 +0100
Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.
With recent kernels, the Poptop - The PPTP Server for Linux (pptpd) requires
an explicit load of the nf_conntrack_pptp kernel module to achieve the operating state of the service itself.
However, this is not the case with the PPTP Client (pptp) on a Linux-based platform.
What is needed is to apply a rule directly within firewalld, to grant proto gre,
to achieve the operating state of the client itself.
Ref.
https://bugzilla.redhat.com/show_bug.cgi?id=1187328
https://bugzilla.redhat.com/show_bug.cgi?id=1214643
---
src/nm-pptp-service.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/nm-pptp-service.c b/src/nm-pptp-service.c
index 1710fd9..6a66386 100644
--- a/src/nm-pptp-service.c
+++ b/src/nm-pptp-service.c
@@ -1113,7 +1113,7 @@ main (int argc, char *argv[])
GMainLoop *main_loop;
gboolean persist = FALSE;
GOptionContext *opt_ctx = NULL;
- char *conntrack_module[] = { "/sbin/modprobe", "nf_conntrack_pptp", NULL };
+ char *firewalld_grant_proto_gre[] = { "/bin/firewall-cmd", "--direct", "--add-rule", "ipv4",
"filter", "INPUT", "0", "-p", "gre", "-j", "ACCEPT", NULL };
GError *error = NULL;
gs_free char *bus_name_free = NULL;
const char *bus_name;
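Review bot: the rule built in firewalld_grant_proto_gre is wider than a PPTP client needs. `-p gre -j ACCEPT` at priority 0 of the direct ipv4 filter INPUT chain carries no source address or interface match, so it accepts inbound GRE from any host on every interface. Consider scoping it to the VPN gateway address with `-s` once the gateway is known, or at least to the interface the tunnel is brought up over. Separately, `/bin/firewall-cmd` is a hard-coded absolute path; a path detected at configure time would avoid a spawn failure on systems that install the binary elsewhere.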
@@ -1178,13 +1178,17 @@ main (int argc, char *argv[])
if (!persist)
g_signal_connect (plugin, "quit", G_CALLBACK (quit_mainloop), main_loop);
- /* Newer kernels require nf_conntrack_pptp kernel module so that PPTP
- * worked correctly. Load the module now. Ignore errors, the module
- * might not exist (older kernels).
+ /* With recent kernels, the Poptop - The PPTP Server for Linux (pptpd) requires
+ * explicit load of nf_conntrack_pptp kernel module to achieve the operating state of the service
itself.
+ * However this is not the case with the PPTP Client (pptp) on a Linux.
+ * What is needed is to apply directly, rule within the firewalld, to grant proto gre,
+ * to achieve the operating state of the client itself.
+ * Apply the rule now. Ignore errors, the rule may already be enabled.
* https://bugzilla.redhat.com/show_bug.cgi?id=1187328
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1214643
*/
- if (!g_spawn_sync (NULL, conntrack_module, NULL, 0, NULL, NULL, NULL, NULL, NULL, &error)) {
- _LOGW ("modprobing nf_conntrack_pptp failed: %s", error->message);
+ if (!g_spawn_sync (NULL, firewalld_grant_proto_gre, NULL, 0, NULL, NULL, NULL, NULL, NULL, &error)) {
+ _LOGW ("granting proto gre by firewalld failed: %s", error->message);
g_error_free (error);
}
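Review bot: the g_spawn_sync call passes NULL for exit_status, so a non-zero exit from firewall-cmd (firewalld not running, rule rejected) is never noticed. The _LOGW branch only fires when the process cannot be spawned at all, which is not what the new comment's "Ignore errors, the rule may already be enabled" suggests. Pass an int for exit_status and check it with g_spawn_check_exit_status so real failures reach the log. Two further points on this hunk: it removes the nf_conntrack_pptp modprobe outright instead of adding the rule alongside it, which changes behaviour for setups that relied on the module being loaded, and nothing in the patch removes the rule when the plugin quits, so the GRE ACCEPT stays in the runtime firewall after the VPN is down. A matching `--remove-rule` on the quit path would limit the opening to the lifetime of the connection.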
For PPTP Server see:
https://lists.fedorahosted.org/archives/list/firewalld-users%40lists.fedorahosted.org/message/JZAOCCL3UKGE64E5PCOTTLHJJSRRQWMT