PacketFence
Bug Tracking System

View Issue Details

ID: 0000325
Project / Category: PacketFence 1.7
View Status: public
Date Submitted: 2008-05-21 15:39
Last Update: 2008-05-22 07:54
Reporter: jsnapp
Assigned To: user4
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version / Fixed in Version: (not set)
Summary: 0000325: Using pf/conf/iptables.post causes all standard PF iptables to be flushed
Description: My post to the packetfence-devel mailing list about this can be found at http://sourceforge.net/mailarchive/message.php?msg_id=fc.000f619a04653804000f619a04653804.46539d4%40asburyseminary.edu

The problem is at the end of the /usr/local/pf/lib/pf/iptables.pm file in the function "restore_iptables". It calls `/sbin/iptables-restore < $restore_file`. The "iptables-restore" command inherently flushes all iptables entries before applying (restoring) the entries in $restore_file. "iptables-restore" is capable of not flushing if it is passed the "-n" or "--noflush" parameter but we don't see that in this code.

I simply added the "-n" parameter `/sbin/iptables-restore -n < $restore_file` and tested both iptables.pre and iptables.post and they work fine now.

Can we get this fixed?
Tags: No tags attached.
fixed in mtn revision: (not set)
Attached Files: (none)

- Relationships

- Notes
(0000716)
jsnapp (reporter)
2008-05-21 15:56
edited on: 2008-05-21 16:57

Sorry, I just realized there are three other times the "restore_iptables" function gets called. It's called from pf/bin/start, pf/bin/stop and pf/bin/pfcmd. These calls are used to restore_iptables($install_dir.'/var/iptables.bak');

These calls need to flush iptables which means the fix I suggested above won't work.

However, it doesn't seem like it would be very complicated to get iptables.post to work since restore_iptables function is called 4 times for flushing requests and 1 time for non-flushing.

Can we simply add a parameter to restore_iptables such as $noflush and set it true or false as needed?

The following code seems to work fine on my install:


--- iptables.pm.old 2008-05-21 16:50:39.000000000 -0400
+++ iptables.pm 2008-05-21 16:40:31.000000000 -0400
@@ -566,7 +566,7 @@
     die "IPTables filter table commit error: $!n";
   }
   if (-r $post_file) {
- restore_iptables($post_file);
+ restore_iptables($post_file, 1);
   }
 }
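Review bot: the bare `1` in `restore_iptables($post_file, 1);` is a magic boolean that nobody reading generate_iptables can interpret without opening restore_iptables. Name it at the call site, e.g. `my $noflush = 1;` followed by `restore_iptables($post_file, $noflush);`, or add a one-line comment saying the post file must be merged into the rules just committed rather than replace them.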

@@ -678,10 +678,16 @@
 }

 sub restore_iptables {
- my ($restore_file) = @_;
+ my ($restore_file, $noflush) = @_;
   if (-r $restore_file) {
- pflogger("restoring iptables from ".$restore_file, 8);
+ if (defined $noflush && $noflush) {
+ `/sbin/iptables-restore -n < $restore_file`;
+ pflogger("restoring iptables without flush from ".$restore_file, 8);
+ }
+ else {
     `/sbin/iptables-restore < $restore_file`;
+ pflogger("restoring iptables with flush from ".$restore_file, 8);
+ }
   }
 }
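Review bot: neither branch of the new if/else in restore_iptables checks the exit status of iptables-restore; the backtick output and `$?` are discarded, so a syntax error in iptables.post is logged as "restoring iptables without flush" although nothing was loaded. Check `$?` after each call and log a failure at a more visible level, e.g. `pflogger("iptables-restore failed on $restore_file: $?", 4) if $?;`. Two smaller points in the same hunk: `$restore_file` is interpolated unquoted into a shell command line, so a path containing spaces or shell metacharacters breaks the redirect (quote it, or feed the file on STDIN to a list-form system() call that avoids the shell); and `defined $noflush && $noflush` reduces to `if ($noflush)`, since an undefined value is already false.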

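The following is an added illustration, not code from this ticket or from PacketFence: the parameterised restore_iptables() that note 0000716 proposes, hardened in the two places a reviewer of either patch would ask about. The restore file is handed to iptables-restore on STDIN without passing through a shell, and the exit status is checked and logged instead of discarded. The binary path /sbin/iptables-restore is taken from the ticket's own command line; the pflogger() stub, its log levels 4 and 8, and the file paths in the usage block are assumptions. The flag semantics are the ones the description states: -n/--noflush keeps the rules already loaded, the default flushes first.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code: a restore_iptables() that takes a
# $noflush flag (as note 0000716 proposes), runs iptables-restore without a
# shell and reports failures instead of discarding them.
use strict;
use warnings;

# Stand-in for PacketFence's pflogger($message, $level); assumed signature,
# prints to STDERR so the example runs on its own.
sub pflogger {
    my ($msg, $level) = @_;
    print STDERR "[$level] $msg\n";
}

# Binary path as used in the ticket; assumed to be correct for the host.
my $IPTABLES_RESTORE = '/sbin/iptables-restore';

# Load $restore_file into the kernel. With $noflush true the rules already
# installed are kept and the file is merged in (iptables-restore --noflush);
# with it false iptables-restore first flushes every table the file touches.
# Returns 1 on success, 0 otherwise.
sub restore_iptables {
    my ($restore_file, $noflush) = @_;

    unless (-r $restore_file) {
        pflogger("iptables restore file $restore_file is not readable, skipping", 4);
        return 0;
    }
    open(my $in, '<', $restore_file) or do {
        pflogger("cannot open $restore_file: $!", 4);
        return 0;
    };

    # Build the argument list; --noflush is the long form of the ticket's -n.
    my @cmd = ($IPTABLES_RESTORE);
    push @cmd, '--noflush' if $noflush;

    # Hand the file to the child on STDIN and invoke the binary directly
    # (system with an explicit program name never goes through /bin/sh), so
    # a path with spaces or shell metacharacters cannot alter the command.
    open(my $saved_stdin, '<&', \*STDIN) or die "cannot dup STDIN: $!";
    open(STDIN, '<&', $in)               or die "cannot redirect STDIN: $!";
    my $rc = system { $cmd[0] } @cmd;
    open(STDIN, '<&', $saved_stdin)      or die "cannot restore STDIN: $!";
    close($in);
    close($saved_stdin);

    if ($rc == -1) {
        pflogger("failed to execute $IPTABLES_RESTORE: $!", 4);
        return 0;
    }
    if ($rc != 0) {
        pflogger(sprintf("%s exited with status %d on %s",
                         $IPTABLES_RESTORE, $rc >> 8, $restore_file), 4);
        return 0;
    }
    pflogger("restored iptables " . ($noflush ? "without" : "with")
             . " flush from $restore_file", 8);
    return 1;
}

# The two kinds of call site the ticket lists (paths are assumptions):
# start/stop/pfcmd restore a saved ruleset and want the flush,
# generate_iptables merges conf/iptables.post into what it just committed.
if (!caller) {
    my $install_dir = '/usr/local/pf';
    restore_iptables("$install_dir/var/iptables.bak")      or exit 1;
    restore_iptables("$install_dir/conf/iptables.post", 1) or exit 1;
}
```

Running the script itself needs root and a netfilter-capable kernel; the part worth copying is the sub, which a caller can drop in for either patch's restore routine. The return value lets start/stop/pfcmd stop on a failed restore instead of carrying on with a half-loaded ruleset.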
(0000717)
user4
2008-05-22 07:52

--- pf/lib/pf/iptables.pm 654ee434232839303af5867a6ae1abbaa7205dab
+++ pf/lib/pf/iptables.pm 080d3ba2f71c1aff5d059bf741611e787cc660e9
@@ -566,7 +566,7 @@ sub generate_iptables {
     die "IPTables filter table commit error: $!n";
   }
   if (-r $post_file) {
- restore_iptables($post_file);
+ restore_iptables_noflush($post_file);
   }
 }
 
@@ -685,4 +685,11 @@ sub restore_iptables {
   }
 }
 
+sub restore_iptables_noflush {
+ my ($restore_file) = @_;
+ if (-r $restore_file) {
+ pflogger("restoring iptables (no flush) from ".$restore_file, 8);
+ `/sbin/iptables-restore -n < $restore_file`;
+ }
+}
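Review bot: restore_iptables_noflush duplicates restore_iptables line for line except for the `-n` flag; a flag parameter on the existing sub (as note 0000716 proposes) or a private helper that both subs call with their own argument list would leave one code path to maintain. As in the original, the exit status of `/sbin/iptables-restore -n < $restore_file` is discarded, so a malformed iptables.post fails silently behind a level-8 "restoring iptables (no flush)" message; check `$?` after the backticks and log the failure. `$restore_file` is also interpolated unquoted into the shell command line, so a path with spaces or shell metacharacters breaks the redirect.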
(0000718)
user4
2008-05-22 07:54

fixed in mtn revision ef26a4798bb3dd8e633aaa4a151ff237d9475aa0

- Issue History
Date Modified Username Field Change
2008-05-21 15:39 jsnapp New Issue
2008-05-21 15:49 user4 Status new => assigned
2008-05-21 15:49 user4 Assigned To => user4
2008-05-21 15:56 jsnapp Note Added: 0000716
2008-05-21 16:57 jsnapp Note Edited: 0000716
2008-05-22 07:52 user4 Note Added: 0000717
2008-05-22 07:54 user4 Status assigned => closed
2008-05-22 07:54 user4 Note Added: 0000718
2008-05-22 07:54 user4 Resolution open => fixed


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker