PacketFence - BTS - PacketFence
View Issue Details
0001387PacketFenceinlinepublic2012-02-29 11:082012-04-18 10:00
0001387: iptables forward filter customization
currently the forward filter is generated in one block:
### FORWARD ###
:forward-internal-inline-if - [0:0]

which renders like:
### FORWARD ###
:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --protocol udp --destination --destination-port 53 --jump ACCEPT

-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT

This prevent customization like the following (unless you insert and hardcode rules Id which is not future proof):
- deny access to LAN

which need to be introduced after allowing DNS but before allowing all marked users through..
No tags attached.
related to 0001374closed dwuelfrath Inline mode should work as VLAN mode regarding DNS blackholing 
Issue History
2012-02-29 11:08obilodeauNew Issue
2012-02-29 11:08obilodeauStatusnew => assigned
2012-02-29 11:08obilodeauAssigned To => obilodeau
2012-02-29 11:10obilodeauNote Added: 0002595
2012-02-29 11:10obilodeauRelationship addedrelated to 0001374
2012-04-12 13:12dwuelfrathStatusassigned => resolved
2012-04-12 13:12dwuelfrathResolutionopen => fixed
2012-04-12 13:12dwuelfrathFixed in Version => trunk
2012-04-18 09:49obilodeauTarget Version+1 => 3.3.0
2012-04-18 09:50obilodeauFixed in Versiontrunk => 3.3.0
2012-04-18 09:59obilodeauNote Added: 0002659
2012-04-18 10:00obilodeauStatusresolved => closed

2012-02-29 11:10   
Thinking about this I originally thought splitting the forward filter in two groups: DNS allow and users allow so that one can insert custom rules in between but when I realized we are getting rid of the DNS statements (see 0001374) and we are planning to do so in the next cycle, then I think we should simply wait and do nothing as it will be fixed by itself.
2012-04-18 09:59   
fix released in 3.3.0 last friday