Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld

From: Lubomir Rintel <lkundrak v3 sk>
To: poma <pomidorabelisima gmail com>, Network Manager <networkmanager-list gnome org>
Subject: Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
Date: Thu, 02 Mar 2017 20:32:46 +0100

On Wed, 2017-03-01 at 08:07 +0100, poma wrote:

From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001

From: poma <poma gmail com>

Date: Wed, 1 Mar 2017 07:05:40 +0100
Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.

With recent kernels, the Poptop - The PPTP Server for Linux (pptpd) requires
explicit load of nf_conntrack_pptp kernel module to achieve the operating state of the service itself.
However this is not the case with the PPTP Client (pptp) on a Linux based platform.
What is needed is to apply directly, rule within the firewalld, to grant proto gre,
to achieve the operating state of the client itself.

Ref.
https://bugzilla.redhat.com/show_bug.cgi?id=1187328
https://bugzilla.redhat.com/show_bug.cgi?id=1214643
---
 src/nm-pptp-service.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/nm-pptp-service.c b/src/nm-pptp-service.c
index 1710fd9..6a66386 100644
--- a/src/nm-pptp-service.c
+++ b/src/nm-pptp-service.c
@@ -1113,7 +1113,7 @@ main (int argc, char *argv[])

    GMainLoop *main_loop;
    gboolean persist = FALSE;
    GOptionContext *opt_ctx = NULL;
-   char *conntrack_module[] = { "/sbin/modprobe", "nf_conntrack_pptp", NULL };
+   char *firewalld_grant_proto_gre[] = { "/bin/firewall-cmd", "--direct", "--add-rule", "ipv4", 
"filter", "INPUT", "0", "-p", "gre", "-j", "ACCEPT", NULL };
...
+   if (!g_spawn_sync (NULL, firewalld_grant_proto_gre, NULL, 0, NULL, NULL, NULL, NULL, NULL, &error)) {
+           _LOGW ("granting proto gre by firewalld failed: %s", error->message);
            g_error_free (error);
    }


As Thomas Haller already suggested; we probably should not be removing
the module load. It doesn't seem to have anything to do with a missing
firewall rule.

I'm not sure either whether we should be punching holes in the firewall
automatically or if this is the proper way to do that. I'm especially
not sure if we should be calling firewall-cmd instead of talking D-Bus
and if it's all right that we don't clean up the rule when we tear down
 all PPTP connections.

Adding Thomas Woerner to the loop; hopefully he'll be able to provide
some help.

Lubo

Follow-Ups:
- Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
  - From: poma

References:
- [PATCH] nm-pptp-service: Grant proto GRE by firewalld
  - From: poma

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]