On 01.03.2017 18:14, poma wrote:
> On 01.03.2017 17:11, Thomas Haller wrote:
>> On Wed, 2017-03-01 at 08:07 +0100, poma wrote:
>>> From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001
>>> From: poma <[email protected]>
>>> Date: Wed, 1 Mar 2017 07:05:40 +0100
>>> Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.
>>>
>>> With recent kernels, the Poptop - The PPTP Server for Linux (pptpd)
>>> requires an explicit load of the nf_conntrack_pptp kernel module to
>>> achieve the operating state of the service itself.
>>> However this is not the case with the PPTP Client (pptp) on a Linux
>>> based platform.
>>> What is needed is to apply directly a rule within firewalld, to
>>> grant proto gre, to achieve the operating state of the client itself.
>>>
>>> Ref.
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1187328
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1214643
>>
>> Hi poma,
>>
>> the patch does two things. I think there should be two patches for it.
>>
>> 1) drop loading the kernel module "nf_conntrack_pptp". The patch
>> basically reverts
>> https://git.gnome.org/browse/network-manager-pptp/commit/?id=695d4f2f3d1003e18be6f97bbb103e44f75d3c2b
>> but it's not explained why that is correct beyond "this is not the case
>> with...". It should be explained better what's wrong with 695d4f2f
>> and how that affects the two bugs that were closed by it. Will the issue
>> reappear, or was there a different issue in the first place?
>>
>
> Here, just for you, once again ;)
>
> By Ryan Roth
> 6/07/2005
> "Troubleshooting 'GRE: Protocol not available' errors"
> http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml
> #1. Client firewall:
> "Make sure your client is not running a software firewall. If it is make sure
> port 1723 and protocol 47 are allowed."
>
> Port 1723 is not a problem, but proto GRE is, meaning,
> to achieve the operating state of the client itself,
> "protocol 47 must be allowed" i.e. "grant proto gre".
>
>> 2) call to firewallcmd. firewalld is commonly only available on
>> Fedora/RHEL, thus patch would cause a warning on Debian systems...
>> You would at least need to check whether such a binary file exists and
>> only call it if necessary.
>>
>
> I am a user of the Fedora - a Linux based operating system.
> "Choose Freedom. Choose Fedora."
>
>
= Brief analysis and diagnosis, Point-to-Point Tunneling Protocol (PPTP) Client

Commands and outputs speak for themselves.

$ uname -r
4.10.1-1.fc24.x86_64

$ cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
N

$ dmesg -t | grep conntrack
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)

$ lsmod | grep gre

$ firewall-cmd --version
0.4.4.3

$ firewall-cmd --get-automatic-helpers
system

$ firewall-cmd --direct --get-all-rules

$ rpm -q --changelog NetworkManager-pptp | head -2
* Thu Mar 02 2017 poma <[email protected]> - 1.2.4-3
- nm-pptp-service: rm modprobe

$ nmcli --version
nmcli tool, version 1.7.1-0.9.20170224git9138967.fc24

$ nmcli connection up pptp ifname enp2s5
Error: Connection activation failed: the VPN service stopped unexpectedly.

$ dmesg -t | grep conntrack
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.

$ su
Password:
# journalctl -b -u NetworkManager -o cat | grep LCP
LCP: timeout sending Config-Requests
LCP: timeout sending Config-Requests

# modprobe -v nf_conntrack_pptp
insmod /lib/modules/4.10.1-1.fc24.x86_64/kernel/net/netfilter/nf_conntrack_proto_gre.ko.xz
insmod /lib/modules/4.10.1-1.fc24.x86_64/kernel/net/netfilter/nf_conntrack_pptp.ko.xz

# lsmod | grep pptp
nf_conntrack_pptp       16384  0
nf_conntrack_proto_gre  16384  1 nf_conntrack_pptp
nf_conntrack           131072  8 nf_conntrack_ipv6,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_nat_ipv6,xt_conntrack,nf_nat_ipv4,nf_nat

# exit
exit

$ nmcli connection up pptp ifname enp2s5
Error: Connection activation failed: the VPN service stopped unexpectedly.

$ dmesg -t | grep conntrack
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

$ su
Password:
# modprobe -vr nf_conntrack_pptp
rmmod nf_conntrack_pptp
rmmod nf_conntrack_proto_gre

# lsmod | grep pptp

# exit
exit

$ firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
success

$ firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p gre -j ACCEPT

$ nmcli connection up pptp ifname enp2s5
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

For additional questions, developers Eric Leblond and Pablo Neira Ayuso can be contacted at:
The netfilter user mailinglist
http://www.netfilter.org/mailinglists.html#ml-user

_______________________________________________
networkmanager-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/networkmanager-list
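The two points argued in this thread, the firewalld direct rule that makes the PPTP client work and Thomas's objection that the service must not call firewall-cmd on systems that do not have it, can be combined in one idempotent helper. The script below is an added example written for this page; it is not code from the thread and not part of NetworkManager-pptp. It applies the same rule poma ran by hand (ipv4 filter INPUT 0 -p gre -j ACCEPT), skips cleanly when firewall-cmd is absent, does not add a duplicate when an equivalent rule is already listed, and also stores the rule with --permanent so it survives a firewalld reload. The function and variable names (ensure_gre_rule, gre_rule_present, FIREWALL_CMD, GRE_PEER, GRE_STATUS) are this example's own. GRE_PEER is a hypothetical variable: the rule as run in the thread accepts GRE from any source, and setting GRE_PEER to the PPTP server's address narrows it to that one peer with an iptables -s match.

```shell
#!/bin/sh
# Added example, not code from the thread or from NetworkManager-pptp.
# Idempotently grants inbound GRE (IP protocol 47) through a firewalld
# "direct" rule, the rule poma applied by hand above, while honouring
# Thomas's objection: skip cleanly when firewall-cmd is not installed.
# Names (ensure_gre_rule, GRE_PEER, FIREWALL_CMD, GRE_STATUS) are this
# example's own.
set -eu

# Lets a stand-in command be substituted (used when testing without firewalld).
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Rule in firewall-cmd --direct form: <ipv> <table> <chain> <priority> <iptables args>.
# GRE_PEER (optional, hypothetical): the PPTP server address. When set, the
# rule accepts GRE only from that peer instead of from anywhere.
gre_rule_spec() {
    printf 'ipv4 filter INPUT 0 %s-p gre -j ACCEPT' "${GRE_PEER:+-s $GRE_PEER }"
}

# have_firewalld: true when firewall-cmd (or the stand-in) is callable.
have_firewalld() {
    command -v "$FIREWALL_CMD" >/dev/null 2>&1
}

# gre_rule_present: reads "firewall-cmd --direct --get-all-rules" output on
# stdin; succeeds if some ipv4 filter INPUT rule already ACCEPTs protocol gre/47,
# with or without a -s source match in front of -p.
gre_rule_present() {
    grep -Eq '^ipv4[[:space:]]+filter[[:space:]]+INPUT[[:space:]]+[0-9]+.*[[:space:]]-p[[:space:]]+(gre|47)[[:space:]].*-j[[:space:]]+ACCEPT([[:space:]]|$)'
}

# ensure_gre_rule: sets GRE_STATUS to skipped | present | added and prints it.
ensure_gre_rule() {
    if ! have_firewalld; then
        GRE_STATUS=skipped      # no firewalld here (e.g. Debian): nothing to do
    elif "$FIREWALL_CMD" --direct --get-all-rules | gre_rule_present; then
        GRE_STATUS=present      # already granted, do not add a duplicate
    else
        # Runtime rule takes effect now; the --permanent copy survives reloads.
        # $(gre_rule_spec) is deliberately unquoted so it splits into arguments.
        "$FIREWALL_CMD" --direct --add-rule $(gre_rule_spec)
        "$FIREWALL_CMD" --permanent --direct --add-rule $(gre_rule_spec)
        GRE_STATUS=added
    fi
    echo "gre rule: $GRE_STATUS"
}

# Usage: sh ensure-gre.sh apply   (GRE_PEER=<server address> restricts the source)
if [ "${1:-}" = apply ]; then
    ensure_gre_rule
fi
```

Run as root with the argument apply; the exit status stays 0 in all three outcomes so a caller such as a VPN service helper can invoke it unconditionally, and the printed status line tells you which branch was taken. The match in gre_rule_present is intentionally loose about priority and source so that a pre-existing, narrower rule counts as present rather than being duplicated by a wider one.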
