Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld

Taking this off-list, since it's not constructive.

My actual recomendation is to get Thomas Woerner's opinion; as none of
us seem to be familiar enough with firewalld.

We should eventually fix this; thanks for pointing it out. I just feel
uncomfortable about the current patch and feel that it needs


On Fri, 2017-03-03 at 10:24 +0100, poma wrote:
On 02.03.2017 20:32, Lubomir Rintel wrote:
On Wed, 2017-03-01 at 08:07 +0100, poma wrote:
From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00
From: poma <poma gmail com>

Date: Wed, 1 Mar 2017 07:05:40 +0100
Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.

With recent kernels, the Poptop - The PPTP Server for Linux
(pptpd) requires
explicit load of nf_conntrack_pptp kernel module to achieve the
operating state of the service itself.
However this is not the case with the PPTP Client (pptp) on a
Linux based platform.
What is needed is to apply directly, rule within the firewalld,
to grant proto gre,
to achieve the operating state of the client itself.

 src/nm-pptp-service.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/nm-pptp-service.c b/src/nm-pptp-service.c
index 1710fd9..6a66386 100644
--- a/src/nm-pptp-service.c
+++ b/src/nm-pptp-service.c
@@ -1113,7 +1113,7 @@ main (int argc, char *argv[])
        GMainLoop *main_loop;
        gboolean persist = FALSE;
        GOptionContext *opt_ctx = NULL;
-       char *conntrack_module[] = { "/sbin/modprobe",
"nf_conntrack_pptp", NULL };
+       char *firewalld_grant_proto_gre[] = { "/bin/firewall-
cmd", "--direct", "--add-rule", "ipv4", "filter", "INPUT", "0",
"-p", "gre", "-j", "ACCEPT", NULL };
+       if (!g_spawn_sync (NULL, firewalld_grant_proto_gre,
NULL, 0, NULL, NULL, NULL, NULL, NULL, &error)) {
+               _LOGW ("granting proto gre by firewalld
failed: %s", error->message);
                g_error_free (error);

As Thomas Haller already suggested; we probably should not be
the module load. It doesn't seem to have anything to do with a
firewall rule.

With only loaded modules it will not work if:
$ sysctl net.netfilter.nf_conntrack_helper
net.netfilter.nf_conntrack_helper = 0
$ cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper

The correct firewall(s) rule(s) should replace both.

I'm not sure either whether we should be punching holes in the
automatically or if this is the proper way to do that. I'm
not sure if we should be calling firewall-cmd instead of talking D-
and if it's all right that we don't clean up the rule when we tear
 all PPTP connections.

Adding Thomas Woerner to the loop; hopefully he'll be able to
some help.


I wrote about firewalld because I use it.
No one's stopping NM to talk via D-BUS with any implementation of a
firewall that is used.

So, what is your actual recommendation, in this particular case?

- Secure use of iptables and connection tracking helpers
- iptables connection tracking helpers
- Automatic Helper Assignment
- Netfilter Helpers

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]