Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld

From: poma <pomidorabelisima gmail com>
To: Thomas Haller <thaller redhat com>, Network Manager <networkmanager-list gnome org>
Cc: Jiří Klimeš <blueowl centrum cz>
Subject: Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
Date: Wed, 1 Mar 2017 18:14:46 +0100

On 01.03.2017 17:11, Thomas Haller wrote:

On Wed, 2017-03-01 at 08:07 +0100, poma wrote:

From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00
2001
From: poma <poma gmail com>
Date: Wed, 1 Mar 2017 07:05:40 +0100
Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.

With recent kernels, the Poptop - The PPTP Server for Linux (pptpd)
requires
explicit load of nf_conntrack_pptp kernel module to achieve the
operating state of the service itself.
However this is not the case with the PPTP Client (pptp) on a Linux
based platform.
What is needed is to apply directly, rule within the firewalld, to
grant proto gre,
to achieve the operating state of the client itself.

Ref.
https://bugzilla.redhat.com/show_bug.cgi?id=1187328
https://bugzilla.redhat.com/show_bug.cgi?id=1214643


Hi poma,

the patch does two things. I think there should be two patches for it.

1) drop loading the kernel module "nf_conntrack_pptp". The patch
basically reverts
https://git.gnome.org/browse/network-manager-pptp/commit/?id=695d4f2f3d1003e18be6f97bbb103e44f75d3c2b
but it's not explained why that is correct beyond "this is not the case
with...". It should be explained better whats wrong with 695d4f2f
and how that affects the two bugs that were closed by it. Will the issue
reapar, or was there a different issue in the first place?


Here, just for you, once again ;)

by By Ryan Roth
6/07/2005
"Troubleshooting 'GRE: Protocol not available' errors"
http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml
#1. Client firewall:
"Make sure your client is not running a software firewall. If it is make sure port 1723 and protocol 47 are 
allowed."

Port 1723 is not a problem, but proto GRE is, meaning,
to achieve the operating state of the client itself,
"protocol 47 must be allowed" i.e. "grant proto gre".

2) call to firewallcmd. firewalld is commonly only available on
Fedora/RHEL, thus patch would cause a warning on Debian systems...
You would at least need to check whether such a binary file exists and
only call it if necessary.


I am a user of the Fedora - a Linux based operating system.
"Choose Freedom. Choose Fedora."

Follow-Ups:
- Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
  - From: poma
- Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
  - From: Jetchko Jekov

References:
- [PATCH] nm-pptp-service: Grant proto GRE by firewalld
  - From: poma
- Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
  - From: Thomas Haller

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]