PacketFence - BTS - PacketFence
View Issue Details
ID: 0001387
Project: PacketFence
Category: inline
View Status: public
Date Submitted: 2012-02-29 11:08
Last Update: 2012-04-18 10:00
Reporter: obilodeau
Assigned To: obilodeau
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 3.0.0
Target Version: 3.3.0
Fixed in Version: 3.3.0
Summary: 0001387: iptables forward filter customization
Description:
Currently the forward filter is generated in one block:
### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-inline-if - [0:0]
%%filter_forward_inline%%

which renders like:
### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --protocol udp --destination 4.2.2.1 --destination-port 53 --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT

This prevents customization like the following (unless you insert rules with hardcoded rule IDs, which is not future-proof):
- deny access to LAN

which needs to be introduced after allowing DNS but before allowing all marked users through.
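The ordering problem described in the report, shown with a small added example that is not PacketFence code: the forward filter is rendered twice, once with the single placeholder the report quotes and once with the chain split into three placeholders so a site-specific rule can sit between the DNS allow and the marked-user allow. The placeholder names `%%filter_forward_inline_dns%%`, `%%filter_forward_inline_custom%%` and `%%filter_forward_inline_users%%`, the `192.168.0.0/16` LAN range and the helper names are assumptions made for this example; the chain name, the 4.2.2.1 resolver and mark 0x1 are taken from the report.

```python
import re

CHAIN = "forward-internal-inline-if"

# Template as the report describes it: one placeholder for the whole chain.
TEMPLATE_ONE_BLOCK = """### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-inline-if - [0:0]
%%filter_forward_inline%%
"""

# Split template (assumed placeholder names, not PacketFence's own):
# custom rules land between the DNS allow and the marked-user allow.
TEMPLATE_SPLIT = """### FORWARD ###
:FORWARD DROP [0:0]
:forward-internal-inline-if - [0:0]
%%filter_forward_inline_dns%%
%%filter_forward_inline_custom%%
%%filter_forward_inline_users%%
"""


def dns_rules(dns_servers=("4.2.2.1",)):
    """Allow UDP/53 to each listed resolver (4.2.2.1 is the one in the report)."""
    return [f"-A {CHAIN} --protocol udp --destination {ip} "
            f"--destination-port 53 --jump ACCEPT" for ip in dns_servers]


def marked_users_rules():
    """Let packets carrying mark 0x1 (set earlier for registered users) through."""
    return [f"-A {CHAIN} --match mark --mark 0x1 --jump ACCEPT"]


def lan_deny_rules(lan_cidr="192.168.0.0/16"):
    """Site-specific rule: keep inline clients off the LAN (constructed CIDR)."""
    return [f"-A {CHAIN} --destination {lan_cidr} --jump DROP"]


def render(template, sections):
    """Replace each %%name%% placeholder with its rules, one per line.

    An unknown placeholder raises instead of being left in place, so a typo
    in the template cannot silently produce a chain missing a rule group.
    """
    def substitute(match):
        name = match.group(1)
        if name not in sections:
            raise KeyError(f"no rules provided for placeholder {name}")
        return "\n".join(sections[name])
    return re.sub(r"%%(\w+)%%", substitute, template)


def render_one_block(custom_rules):
    """Current layout: custom rules can only be appended after the block."""
    generated = dns_rules() + marked_users_rules()
    return (render(TEMPLATE_ONE_BLOCK, {"filter_forward_inline": generated})
            + "\n".join(custom_rules) + "\n")


def render_split(custom_rules):
    """Proposed layout: custom rules are rendered between the two groups."""
    return render(TEMPLATE_SPLIT, {
        "filter_forward_inline_dns": dns_rules(),
        "filter_forward_inline_custom": custom_rules,
        "filter_forward_inline_users": marked_users_rules(),
    })


def rule_line(rendered, needle):
    """0-based line index of the first rule containing needle, or -1."""
    for i, line in enumerate(rendered.splitlines()):
        if needle in line:
            return i
    return -1


def lan_deny_is_effective(rendered, lan_cidr="192.168.0.0/16"):
    """True when the LAN drop sits after the DNS allow and before the mark
    allow. iptables evaluates a chain top-down, so a DROP placed after the
    mark ACCEPT never sees a registered user's packet."""
    dns = rule_line(rendered, "--destination-port 53")
    deny = rule_line(rendered, lan_cidr)
    users = rule_line(rendered, "--mark 0x1")
    return -1 < dns < deny < users


if __name__ == "__main__":
    custom = lan_deny_rules()
    for label, out in (("one block", render_one_block(custom)),
                       ("split", render_split(custom))):
        print(f"--- {label}: LAN deny effective = {lan_deny_is_effective(out)}")
        print(out)
```

Running the script prints both renderings: with the single placeholder the LAN drop can only follow the `--mark 0x1` ACCEPT, so registered users are already through before it is evaluated, while the split template puts it where the report wants it without hardcoding a rule number.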
Tags: No tags attached.
Relationships: related to 0001374 (closed, dwuelfrath): Inline mode should work as VLAN mode regarding DNS blackholing
Issue History
2012-02-29 11:08  obilodeau   New Issue
2012-02-29 11:08  obilodeau   Status: new => assigned
2012-02-29 11:08  obilodeau   Assigned To: => obilodeau
2012-02-29 11:10  obilodeau   Note Added: 0002595
2012-02-29 11:10  obilodeau   Relationship added: related to 0001374
2012-04-12 13:12  dwuelfrath  Status: assigned => resolved
2012-04-12 13:12  dwuelfrath  Resolution: open => fixed
2012-04-12 13:12  dwuelfrath  Fixed in Version: => trunk
2012-04-18 09:49  obilodeau   Target Version: +1 => 3.3.0
2012-04-18 09:50  obilodeau   Fixed in Version: trunk => 3.3.0
2012-04-18 09:59  obilodeau   Note Added: 0002659
2012-04-18 10:00  obilodeau   Status: resolved => closed

Notes
(0002595) obilodeau, 2012-02-29 11:10
Thinking about this, I originally thought of splitting the forward filter into two groups, DNS allow and users allow, so that one can insert custom rules in between. But when I realized we are getting rid of the DNS statements (see 0001374) and are planning to do so in the next cycle, I think we should simply wait and do nothing, as it will be fixed by itself.
(0002659) obilodeau, 2012-04-18 09:59
Fix released in 3.3.0 last Friday.