#308 pglcmd(.lib) fails to handle INTERFACES correctly

Project: PeerGuardian_Linux
Status: closed
Owner: jre-phoenix
Labels: Settings (19)
Priority: 5
Updated: 2012-11-11
Created: 2010-09-01
Creator: Athanasius
Private: No

If you set INTERFACES in /etc/pgl/pglcmd.conf to something explicit it results in pglcmd.lib code trying to do '-i $INTERFACE -o $INTERFACE' which is stupid because if it's forwarding then the traffic is highly unlikely to have come in on the interface it wants to go out on!

It really needs two separate iptables rules adding instead. This can be simplified by only doubling up on the rules added in INPUT, OUTPUT and FORWARD that redirect to the pgl_{in,out,fwd} chains. And, yes, that's per interface specified.

It's late now, I'll see if I can cook up some patches for this tomorrow.

Discussion

  • Athanasius, 2010-09-01

    Oops, forgot to set Category and Group.

  • jre-phoenix, 2010-09-05

    Confirmed, we need 2 separate rules in FORWARD for each specified INTERFACE (but not in INPUT or OUTPUT where we only specify "-i $INTERFACE" or "-o $INTERFACE"). Right!?

    I'll fix that and then release pgl 2.0.3 in the next few days.

  • Athanasius, 2010-09-05

    Yup, that's what I had in mind for a fix. Shame it breaks the nice neat loops, but forward really is a different case.

    If a user wants to get more complicated with only having some interfaces affected on input, and others only on output, then I guess they just get to set the option to not have pglcmd do any iptables rules, they can set it up themselves instead.

    Now I'll make sure I'm subscribed to whatever to know when 2.0.3 is pushed out. I may find time to check what's in git now before then, no promises though.

  • jre-phoenix, 2010-09-07

    I just pushed the fix to the git repository. I'm quite sure I will release this week, but I'd be very happy to hear from you whether my fixes work for you.

    This RSS feed should notify you of pgl file releases: https://sourceforge.net/api/file/index/project-id/131687/mtime/desc/rss?path=%2FPeerGuardian%20Linux

    Oh, just one last note: please avoid words like "stupid" in mails or bug reports, even if something is stupid. People might quite easily be offended. So better just say "wrong".

    Thanks for your reports!

  • Athanasius, 2010-09-12

    Right, re-testing this with 2.0.3. I already updated to having my ranges I want forwarding listed in WHITE_IP_FWD, but have now uncommented INTERFACES="ethpub" as well. This results in:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    31 1847 pgl_in all -- ethpub * 0.0.0.0/0 0.0.0.0/0 state NEW mark match !0x14

    Chain OUTPUT (policy ACCEPT 1137K packets, 1294M bytes)
    pkts bytes target prot opt in out source destination
    4 296 pgl_out all -- * ethpub 0.0.0.0/0 0.0.0.0/0 state NEW mark match !0x14

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    9 556 pgl_fwd all -- * ethpub 0.0.0.0/0 0.0.0.0/0 state NEW mark match !0x14
    2 96 pgl_fwd all -- ethpub * 0.0.0.0/0 0.0.0.0/0 state NEW mark match !0x14

    (other rules in those chains too, but as pgl ones come first they're irrelevant for this bug report).

    That looks correct to me, thanks! I should now have free communication on my local LAN where ethpub isn't used at all :).

    Sorry for the 'stupid', it was directed at the code, not the person behind it ;).
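    The two rule shapes discussed in this thread, as an added example that is not pglcmd's own code: it prints the single "-i X -o X" FORWARD rule the report describes next to the corrected per-interface jump rules, and checks which of them can match a forwarded flow. The chain names and the "state NEW" match come from the listing above; the LAN-side interface name eth1 and the omission of the mark match are assumptions.

```shell
#!/bin/sh
# Added example, not pglcmd.lib's own code. Rules are built as strings and
# never applied, so no root or iptables binary is needed. Assumed: the chain
# names and "state NEW" match from the listing; "mark match !0x14" is omitted.

# Rule shape the report describes: one FORWARD rule per interface with
# both -i and -o set to that same interface.
buggy_rules() {
    for iface in $1; do
        echo "iptables -A FORWARD -i $iface -o $iface -m state --state NEW -j pgl_fwd"
    done
}

# Corrected shape (pgl 2.0.3): -i only in INPUT, -o only in OUTPUT, and two
# separate FORWARD rules per interface, one for each direction.
fixed_rules() {
    for iface in $1; do
        echo "iptables -A INPUT -i $iface -m state --state NEW -j pgl_in"
        echo "iptables -A OUTPUT -o $iface -m state --state NEW -j pgl_out"
        echo "iptables -A FORWARD -i $iface -m state --state NEW -j pgl_fwd"
        echo "iptables -A FORWARD -o $iface -m state --state NEW -j pgl_fwd"
    done
}

# Does one rule's -i/-o constraint match a packet entering on $2 and
# leaving on $3? Only the interface matches are modelled.
rule_matches() {
    want_in=$(echo "$1" | sed -n 's/.*-i \([^ ]*\).*/\1/p')
    want_out=$(echo "$1" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
    [ -z "$want_in" ] || [ "$want_in" = "$2" ] || return 1
    [ -z "$want_out" ] || [ "$want_out" = "$3" ] || return 1
}

# Does any FORWARD rule produced by rule set $1 for interfaces $2 match a
# flow entering on interface $3 and leaving on interface $4?
fwd_matches() {
    $1 "$2" | grep -- '-A FORWARD ' | while read -r rule; do
        rule_matches "$rule" "$3" "$4" && echo hit
    done | grep -q hit
}

# Dry run on a constructed INTERFACES value: a flow from the LAN side
# (eth1, assumed) out via ethpub is caught only by the corrected rules.
INTERFACES="ethpub"
fwd_matches buggy_rules "$INTERFACES" eth1 ethpub && echo "buggy: matched" || echo "buggy: no match"
fwd_matches fixed_rules "$INTERFACES" eth1 ethpub && echo "fixed: matched" || echo "fixed: no match"
```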

  • jre-phoenix, 2010-09-13

    Glad to hear.

    No problem with the stupid, if I took it personally I wouldn't have bothered to answer at all. I just wanted to make you aware of possible misunderstandings in electronic communication.