PacketFence - BTS - PacketFence |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001334 | PacketFence | configuration | public | 2011-11-15 08:40 | 2012-10-23 14:38 |
|
| Reporter | qzx | |
| Assigned To | fgaudreault | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | 3.0.1 | |
| Target Version | | Fixed in Version | | |
| fixed in git revision | |
| fixed in mtn revision | |
|
| Summary | 0001334: Routed mode DNS entry duplication in iptables |
| Description | During launch packetfence generates the iptables rules before sending them to iptables. During this generation it goes through all the routed networks managed by packetfence. In my case I have 300 routed networks, all of them need to be defined with DNS so that clients also get the address via DHCP. For all my networks the name servers are the same; however packetfence generates 300(*2) lines in iptables to allow domain lookup from the internet. Instead of only allowing each permitted nameserver once. |
| Steps To Reproduce | |
| Additional Information | I had this sorted alright in the beta before upgrading to 3.0.1 release, but it was a very sloppy hack to verify the DNS ips for each network and omitting the line if it matched. |
| Tags | No tags attached. |
| Relationships | |
| Attached Files |  iptables.conf (131,248) 2011-11-16 07:42
https://www.packetfence.org/bugs/file_download.php?file_id=122&type=bug |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2011-11-15 08:40 | qzx | New Issue | |
| 2011-11-15 09:02 | obilodeau | Note Added: 0002443 | |
| 2011-11-16 07:42 | qzx | File Added: iptables.conf | |
| 2011-11-16 07:47 | qzx | Note Added: 0002446 | |
| 2012-10-19 12:45 | fgaudreault | Target Version | => investigate |
| 2012-10-23 14:38 | fgaudreault | Note Added: 0003230 | |
| 2012-10-23 14:38 | fgaudreault | Status | new => resolved |
| 2012-10-23 14:38 | fgaudreault | Resolution | open => fixed |
| 2012-10-23 14:38 | fgaudreault | Assigned To | => fgaudreault |
| 2012-10-23 14:38 | fgaudreault | Target Version | investigate => |
|
Notes |
|
|
|
|
Can you post your iptables config? The generated iptables config is in /usr/local/pf/var/conf/iptables.conf. |
|
|
|
(0002446)
|
|
qzx
|
|
2011-11-16 07:47
|
|
I've uploaded the iptables.conf as it used to look like. I have modified the iptables template configuration file to be more efficient and include the necessary rules.
This one looks like it used to but is not directly generated by the iptables library. This could probably be solved with a slight modification of /usr/local/pf/lib/pf/iptables.pm I reckon. Empty hash, attempt to match dns statement to hash, add it if it doesn't match, ignore if it does; generate forward rules after processing all routed networks in network configuration? |
|
|
|
(0003230)
|
|
fgaudreault
|
|
2012-10-23 14:38
|
|
|
This was fixed at some point. I cannot reproduced using 3.6.0-devel. |
|