Bug#507313: linux-igd: Entries get appended to the PREROUTING table behind a catchall DNAT entry

2010-05-14 Thread Nick Leverton
On Sat, Nov 29, 2008 at 11:51:29PM +0100, Daniel Tryba wrote:
 
 Entries get appended to the PREROUTING table, the problem is I have a
 catchall to create a DMZ. The result is that the upnp rules aren't reachable.
 
 The solution is pretty simple with the following patch:
 
 Using the forward_rules_append config option to determine if the PREROUTING
 rule should be inserted at the beginning (-I) or appended (-A) to the table.
 
 Sure, there is a security risk involved, but so is there with prepending FORWARD
 rules. Defining a separate config option to determine the PREROUTING behavior
 would be a better solution, but this works fine for me (tm).

Thanks for the suggestion.  I'm going to include this patch on an
experimental basis in the version which I'll be uploading soon.

If you do need control over where your upnp entries are placed in
PREROUTING and FORWARD, though, the suggested way is to create a new chain
(forwardUPnP or prerouteUPnP, for instance), which you can then invoke
from the appropriate place in the main chains.  I'm also updating the
docs to make explicit mention of PREROUTING in this suggestion.

Nick



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
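
The dedicated-chain layout Nick recommends, as an added example in shell (not code from linux-igd or from either poster). It creates prerouteUPnP and forwardUPnP, jumps to them from position 1 of nat PREROUTING and FORWARD so that the daemon's rules are evaluated before the catch-all DMZ DNAT regardless of whether the daemon uses -A or -I, prints the matching upnpd.conf fragment, and checks a PREROUTING listing for the shadowing the bug describes. Assumptions: the upnpd.conf keys forward_chain_name and prerouting_chain_name (the settings behind g_vars.preroutingChainName in the patch), WAN interface eth0, DMZ host 192.168.1.10; the listings are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example, not linux-igd's own code: dedicated UPnP chains placed ahead
# of a catch-all DMZ DNAT, plus an ordering check on `iptables -t nat -S`.
# Hypothetical values: WAN interface eth0, DMZ host 192.168.1.10, chain names
# prerouteUPnP / forwardUPnP.
# IPT defaults to "echo" (dry run); run with IPT=iptables as root to apply.
set -eu
IPT="${IPT:-echo}"
WAN="${WAN:-eth0}"
DMZ="${DMZ:-192.168.1.10}"

# Create the UPnP chains and jump to them from rule 1 of the main chains, so
# whatever the daemon appends or inserts inside its own chain is evaluated
# before the catch-all. The catch-all itself is appended last.
setup_upnp_chains() {
    $IPT -t nat -N prerouteUPnP 2>/dev/null || $IPT -t nat -F prerouteUPnP
    $IPT -N forwardUPnP 2>/dev/null || $IPT -F forwardUPnP
    $IPT -t nat -I PREROUTING 1 -i "$WAN" -j prerouteUPnP
    $IPT -I FORWARD 1 -i "$WAN" -j forwardUPnP
    # Anything UPnP did not claim still goes to the DMZ host.
    $IPT -t nat -A PREROUTING -i "$WAN" -j DNAT --to-destination "$DMZ"
    $IPT -A FORWARD -i "$WAN" -d "$DMZ" -j ACCEPT
}

# Point linux-igd at those chains (assumed upnpd.conf keys). With its own
# chain the daemon can keep appending; order is now decided by the jumps.
upnpd_conf_snippet() {
    cat <<'EOF'
forward_chain_name = forwardUPnP
prerouting_chain_name = prerouteUPnP
forward_rules_append = yes
EOF
}

# Read `iptables -t nat -S PREROUTING` output on stdin. Return 0 when the
# first UPnP rule (jump to prerouteUPnP, or a port-specific DNAT) precedes the
# first catch-all DNAT (a DNAT with no --dport); return 1 if it is shadowed
# or absent.
check_prerouting_order() {
    awk '
        /-j DNAT/ && !/--dport/ { if (!catchall) catchall = NR; next }
        /-j prerouteUPnP/ || (/--dport/ && /-j DNAT/) { if (!upnp) upnp = NR }
        END {
            if (!upnp) { print "FAIL: no UPnP rule or jump in PREROUTING"; exit 1 }
            if (catchall && catchall < upnp) {
                print "FAIL: catch-all DNAT (line " catchall ") shadows UPnP rule (line " upnp ")"
                exit 1
            }
            print "OK: UPnP rules are evaluated before the catch-all"
            exit 0
        }'
}

# Constructed listings (not captured from a real box). The first reproduces
# the bug: the UPnP DNAT was appended behind the catch-all and never matches.
BROKEN_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.1.20:6881'

FIXED_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -j prerouteUPnP
-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.10'

setup_upnp_chains
upnpd_conf_snippet
printf '%s\n' "$BROKEN_LISTING" | check_prerouting_order || true
printf '%s\n' "$FIXED_LISTING" | check_prerouting_order
```

On a live router, pipe the real listing into the check after the daemon has opened a port: `iptables -t nat -S PREROUTING | check_prerouting_order`. A port-specific DNAT that sits inside prerouteUPnP will not appear in that listing; the jump is what the check looks for.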



Bug#507313: linux-igd: Entries get appended to the PREROUTING table behind a catchall DNAT entry

2008-11-29 Thread Daniel Tryba
Package: linux-igd
Version: 1.0+cvs20070630-2
Severity: wishlist
Tags: patch


Entries get appended to the PREROUTING table, the problem is I have a
catchall to create a DMZ. The result is that the upnp rules aren't reachable.

The solution is pretty simple with the following patch:

Using the forward_rules_append config option to determine if the PREROUTING
rule should be inserted at the beginning (-I) or appended (-A) to the table.

Sure, there is a security risk involved, but so is there with prepending FORWARD
rules. Defining a separate config option to determine the PREROUTING behavior
would be a better solution, but this works fine for me (tm).

===8===
--- pmlist.c.orig   2008-11-29 23:08:48.0 +0100
+++ pmlist.c2008-11-29 23:09:29.0 +0100
@@ -271,10 +271,10 @@
}

{
- char *args[] = {g_vars.iptables, -t, nat, -A, 
g_vars.preroutingChainName, -i, g_vars.extInterfaceName, -p, protocol, 
--dport, externalPort, -j, DNAT, --to, dest, NULL};
+ char *args[] = {g_vars.iptables, -t, nat, 
g_vars.forwardRulesAppend ? -A : -I, g_vars.preroutingChainName, -i, 
g_vars.extInterfaceName, -p, protocol, --dport, externalPort, -j, DNAT, 
--to, dest, NULL};

- trace(3, %s -t nat -A %s -i %s -p %s --dport %s -j DNAT --to %s,
-   g_vars.iptables, g_vars.preroutingChainName, 
g_vars.extInterfaceName, protocol, externalPort, dest);
+ trace(3, %s -t nat %s %s -i %s -p %s --dport %s -j DNAT --to %s,
+   g_vars.iptables, g_vars.forwardRulesAppend ? -A : -I, 
g_vars.preroutingChainName, g_vars.extInterfaceName, protocol, externalPort, 
dest);
  if (!fork()) {
int rc = execv(g_vars.iptables, args);
exit(rc);
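Review bot: Reusing g_vars.forwardRulesAppend to choose -A versus -I for the nat PREROUTING rule ties DNAT placement to a setting that is documented for FORWARD, so a user who sets forward_rules_append to get prepend semantics in FORWARD silently gets head-of-chain DNAT rules too; add a separate flag (for instance g_vars.preroutingRulesAppend behind its own config option) and document it, and default it to the existing append behaviour. -I with no rule number inserts at position 1, so every UPnP-requested DNAT lands ahead of every rule already in PREROUTING, including any the administrator placed deliberately, and these calls are driven by whichever LAN host speaks UPnP; that is the risk the report concedes, and it should be spelled out next to the option. The trace() call correctly mirrors the chosen action, so the log matches what is exec'd. The matching delete path is not in this hunk; since -D matches on the rule specification it should be unaffected by -A versus -I, but confirm it.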
===8===



-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages linux-igd depends on:
ii  iptables  1.4.1.1-3  administration tools for packet fi
ii  libc6 2.7-16 GNU C Library: Shared libraries
ii  libupnp3  1:1.6.6-3  Portable SDK for UPnP Devices (sha
ii  lsb-base  3.2-20 Linux Standard Base 3.2 init scrip

linux-igd recommends no packages.

linux-igd suggests no packages.

-- no debconf information


