On Wed, 2017-03-01 at 08:07 +0100, poma wrote: > From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001 > > From: poma <[email protected]> > Date: Wed, 1 Mar 2017 07:05:40 +0100 > Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld. > > With recent kernels, the Poptop - The PPTP Server for Linux (pptpd) requires > explicit load of nf_conntrack_pptp kernel module to achieve the operating > state of the service itself. > However this is not the case with the PPTP Client (pptp) on a Linux based > platform. > What is needed is to apply directly, rule within the firewalld, to grant > proto gre, > to achieve the operating state of the client itself. > > Ref. > https://bugzilla.redhat.com/show_bug.cgi?id=1187328 > https://bugzilla.redhat.com/show_bug.cgi?id=1214643 > --- > src/nm-pptp-service.c | 16 ++++++++++------ > 1 file changed, 10 insertions(+), 6 deletions(-) > > diff --git a/src/nm-pptp-service.c b/src/nm-pptp-service.c > index 1710fd9..6a66386 100644 > --- a/src/nm-pptp-service.c > +++ b/src/nm-pptp-service.c > @@ -1113,7 +1113,7 @@ main (int argc, char *argv[]) > > GMainLoop *main_loop; > > gboolean persist = FALSE; > > GOptionContext *opt_ctx = NULL; > > - char *conntrack_module[] = { "/sbin/modprobe", "nf_conntrack_pptp", > > NULL }; > > + char *firewalld_grant_proto_gre[] = { "/bin/firewall-cmd", "--direct", > > "--add-rule", "ipv4", "filter", "INPUT", "0", "-p", "gre", "-j", "ACCEPT", > > NULL }; > > ... > > + if (!g_spawn_sync (NULL, firewalld_grant_proto_gre, NULL, 0, NULL, > > NULL, NULL, NULL, NULL, &error)) { > > + _LOGW ("granting proto gre by firewalld failed: %s", > > error->message); > > g_error_free (error); > > }
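Review bot: The hunk replaces the `conntrack_module` modprobe array with the `firewalld_grant_proto_gre` command instead of adding alongside it, so the `nf_conntrack_pptp` load is dropped even though the commit message says the module and the GRE rule solve different problems; keep the modprobe call and add the firewall step as a second spawn. The rule itself is broad and unscoped: `--direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT` accepts all inbound GRE from any source for the lifetime of the runtime configuration, is re-added on every service start, and nothing in this hunk issues a matching `--remove-rule` when the PPTP connection is torn down, so the hole outlives the VPN. The error handling also misses the common failure: `g_spawn_sync (NULL, firewalld_grant_proto_gre, NULL, 0, NULL, NULL, NULL, NULL, NULL, &error)` passes NULL for `exit_status`, so a `firewall-cmd` that runs but exits non-zero (firewalld not running, rule rejected) is treated as success and only a failure to exec `/bin/firewall-cmd` reaches the `_LOGW`; pass an exit status and check it with `g_spawn_check_exit_status`, and consider that on hosts without firewalld the hard-coded path will warn on every connect.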
As Thomas Haller already suggested; we probably should not be removing the module load. It doesn't seem to have anything to do with a missing firewall rule.

I'm not sure either whether we should be punching holes in the firewall automatically or if this is the proper way to do that. I'm especially not sure if we should be calling firewall-cmd instead of talking D-Bus and if it's all right that we don't clean up the rule when we tear down all PPTP connections.

Adding Thomas Woerner to the loop; hopefully he'll be able to provide some help.

Lubo

_______________________________________________
networkmanager-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/networkmanager-list
