On 01.03.2017 08:07, poma wrote:
> From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001
> From: poma <[email protected]>
> Date: Wed, 1 Mar 2017 07:05:40 +0100
> Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.
>
> With recent kernels, the Poptop - The PPTP Server for Linux (pptpd) requires
> explicit load of nf_conntrack_pptp kernel module to achieve the operating
> state of the service itself.
> However this is not the case with the PPTP Client (pptp) on a Linux based
> platform.
> What is needed is to apply directly, rule within the firewalld, to grant
> proto gre,
> to achieve the operating state of the client itself.
>
> Ref.
> https://bugzilla.redhat.com/show_bug.cgi?id=1187328
> https://bugzilla.redhat.com/show_bug.cgi?id=1214643
> ---
> src/nm-pptp-service.c | 16 ++++++++++------
> 1 file changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/src/nm-pptp-service.c b/src/nm-pptp-service.c
> index 1710fd9..6a66386 100644
> --- a/src/nm-pptp-service.c
> +++ b/src/nm-pptp-service.c
> @@ -1113,7 +1113,7 @@ main (int argc, char *argv[])
> GMainLoop *main_loop;
> gboolean persist = FALSE;
> GOptionContext *opt_ctx = NULL;
> - char *conntrack_module[] = { "/sbin/modprobe", "nf_conntrack_pptp",
> NULL };
> + char *firewalld_grant_proto_gre[] = { "/bin/firewall-cmd", "--direct",
> "--add-rule", "ipv4", "filter", "INPUT", "0", "-p", "gre", "-j", "ACCEPT",
> NULL };
> GError *error = NULL;
> gs_free char *bus_name_free = NULL;
> const char *bus_name;
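Review bot: The rule in `firewalld_grant_proto_gre` accepts GRE from any source on every interface at the top of INPUT (`"INPUT", "0", "-p", "gre", "-j", "ACCEPT"`), which is wider than a PPTP client needs and sits ahead of whatever zone policy the administrator configured. Nothing visible in this patch removes the rule, so it would presumably remain in the runtime firewall after the VPN session and the plugin have ended. Consider adding it in the connect path, where the gateway address is known, restricting it with `"-s", <gateway>`, and issuing the matching `--remove-rule` on disconnect. The hard-coded `/bin/firewall-cmd` path also deserves a check, since the binary is normally installed under `/usr/bin` and this only resolves on a merged-/usr system. main()'s body starts and ends outside the hunk.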
> @@ -1178,13 +1178,17 @@ main (int argc, char *argv[])
> if (!persist)
> g_signal_connect (plugin, "quit", G_CALLBACK (quit_mainloop),
> main_loop);
>
> - /* Newer kernels require nf_conntrack_pptp kernel module so that PPTP
> - * worked correctly. Load the module now. Ignore errors, the module
> - * might not exist (older kernels).
> + /* With recent kernels, the Poptop - The PPTP Server for Linux (pptpd)
> requires
> + * explicit load of nf_conntrack_pptp kernel module to achieve the
> operating state of the service itself.
> + * However this is not the case with the PPTP Client (pptp) on a Linux.
> + * What is needed is to apply directly, rule within the firewalld, to
> grant proto gre,
> + * to achieve the operating state of the client itself.
> + * Apply the rule now. Ignore errors, the rule may already be enabled.
> * https://bugzilla.redhat.com/show_bug.cgi?id=1187328
> + * https://bugzilla.redhat.com/show_bug.cgi?id=1214643
> */
> - if (!g_spawn_sync (NULL, conntrack_module, NULL, 0, NULL, NULL, NULL,
> NULL, NULL, &error)) {
> - _LOGW ("modprobing nf_conntrack_pptp failed: %s",
> error->message);
> + if (!g_spawn_sync (NULL, firewalld_grant_proto_gre, NULL, 0, NULL,
> NULL, NULL, NULL, NULL, &error)) {
> + _LOGW ("granting proto gre by firewalld failed: %s",
> error->message);
> g_error_free (error);
> }
>
>
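Review bot: The `if (!g_spawn_sync (...))` check only reports a failure to launch firewall-cmd, because the exit-status argument is NULL; a non-zero exit (firewalld not running, rule rejected) is never logged, so the firewall state after this call is unknown to the plugin. Pass `&status` as the ninth argument and follow the call with `g_spawn_check_exit_status (status, &error)` so the warning covers both cases. The context line `g_error_free (error);` leaves `error` pointing at freed memory; if the rest of main(), which lies outside this hunk, passes `&error` again, GLib will warn about overwriting a set GError, and `g_clear_error (&error);` avoids that.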
For PPTP Server see: https://lists.fedorahosted.org/archives/list/firewalld-users%40lists.fedorahosted.org/message/JZAOCCL3UKGE64E5PCOTTLHJJSRRQWMT
