On Thu, 2017-03-02 at 06:26 +0100, poma wrote:
On 01.03.2017 18:14, poma wrote:On 01.03.2017 17:11, Thomas Haller wrote:On Wed, 2017-03-01 at 08:07 +0100, poma wrote:From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001 From: poma <poma gmail com> Date: Wed, 1 Mar 2017 07:05:40 +0100 Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld. With recent kernels, the Poptop - The PPTP Server for Linux (pptpd) requires explicit load of nf_conntrack_pptp kernel module to achieve the operating state of the service itself. However this is not the case with the PPTP Client (pptp) on a Linux based platform. What is needed is to apply directly, rule within the firewalld, to grant proto gre, to achieve the operating state of the client itself. Ref. https://bugzilla.redhat.com/show_bug.cgi?id=1187328 https://bugzilla.redhat.com/show_bug.cgi?id=1214643Hi poma, the patch does two things. I think there should be two patches for it. 1) drop loading the kernel module "nf_conntrack_pptp". The patch basically reverts https://git.gnome.org/browse/network-manager-pptp/commit/?id=695d 4f2f3d1003e18be6f97bbb103e44f75d3c2b but it's not explained why that is correct beyond "this is not the case with...". It should be explained better whats wrong with 695d4f2f and how that affects the two bugs that were closed by it. Will the issue reapar, or was there a different issue in the first place?Here, just for you, once again ;) by By Ryan Roth 6/07/2005 "Troubleshooting 'GRE: Protocol not available' errors" http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml #1. Client firewall: "Make sure your client is not running a software firewall. If it is make sure port 1723 and protocol 47 are allowed." Port 1723 is not a problem, but proto GRE is, meaning, to achieve the operating state of the client itself, "protocol 47 must be allowed" i.e. "grant proto gre".2) call to firewallcmd. firewalld is commonly only available on Fedora/RHEL, thus patch would cause a warning on Debian systems... You would at least need to check whether such a binary file exists and only call it if necessary.I am a user of the Fedora - a Linux based operating system. "Choose Freedom. Choose Fedora."= Brief analysis and diagnosis, Point-to-Point Tunneling Protocol (PPTP) Client Commands and outputs speak for themselves. $ uname -r 4.10.1-1.fc24.x86_64 $ cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper N $ dmesg -t | grep conntrack nf_conntrack version 0.5.0 (16384 buckets, 65536 max) $ lsmod | grep gre $ firewall-cmd --version 0.4.4.3 $ firewall-cmd --get-automatic-helpers system $ firewall-cmd --direct --get-all-rules $ rpm -q --changelog NetworkManager-pptp | head -2 * Thu Mar 02 2017 poma <poma gmail com> - 1.2.4-3 - nm-pptp-service: rm modprobe $ nmcli --version nmcli tool, version 1.7.1-0.9.20170224git9138967.fc24 $ nmcli connection up pptp ifname enp2s5 Error: Connection activation failed: the VPN service stopped unexpectedly. $ dmesg -t | grep conntrack nf_conntrack version 0.5.0 (16384 buckets, 65536 max) conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module. $ su Password: # journalctl -b -u NetworkManager -o cat | grep LCP LCP: timeout sending Config-Requests LCP: timeout sending Config-Requests # modprobe -v nf_conntrack_pptp insmod /lib/modules/4.10.1- 1.fc24.x86_64/kernel/net/netfilter/nf_conntrack_proto_gre.ko.xz insmod /lib/modules/4.10.1- 1.fc24.x86_64/kernel/net/netfilter/nf_conntrack_pptp.ko.xz # lsmod | grep pptp nf_conntrack_pptp 16384 0 nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp nf_conntrack 131072 8 nf_conntrack_ipv6,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_pr oto_gre,nf_nat_ipv6,xt_conntrack,nf_nat_ipv4,nf_nat # exit exit $ nmcli connection up pptp ifname enp2s5 Error: Connection activation failed: the VPN service stopped unexpectedly. $ dmesg -t | grep conntrack nf_conntrack version 0.5.0 (16384 buckets, 65536 max) conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module. nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. $ su Password: # modprobe -vr nf_conntrack_pptp rmmod nf_conntrack_pptp rmmod nf_conntrack_proto_gre # lsmod | grep pptp # exit exit $ firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT success $ firewall-cmd --direct --get-all-rules ipv4 filter INPUT 0 -p gre -j ACCEPT $ nmcli connection up pptp ifname enp2s5 VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4) For additional questions, developers Eric Leblond and Pablo Neira Ayuso, can be contacted at: The netfilter user mailinglist http://www.netfilter.org/mailinglists.html#ml-user
Hi poma, This answers the questions only in part. question 1 was: why is it correct to remove the loading of nf_conntrack_pptp. You showed that it works *for you* to do so, but bugs https://bugzilla.redhat.com/show_bug.cgi?id=1206276 https://bugzilla.redhat.com/show_bug.cgi?id=1187328 indicate that is is (was?) required on some systems. Why is the outcome of those bugs no longer valid and loading of the module is no longer desired? question 2 was: the code needs fixing on systems that don't use firewalld. I didn't question that this is required on your setup or on Fedora. I simple hack may be as simple as adding: if (g_file_test ("/bin/firewall-cmd", G_FILE_TEST_IS_EXECUTABLE) { if (!g_spawn_sync (NULL, firewalld_grant_proto_gre, NULL,.... .... } And finally, lets split the patch in two. Where each part better describes what the patch does (and more importantly: why). Thanks, and sorry for being a pain :) Thomas
Attachment:
signature.asc
Description: This is a digitally signed message part