Package: pppoeconf
Version: 1.7
Severity: important
Tags: patch

Removing MSS rules by calling

  iptables -t mangle -L -n -v --line-numbers | grep "TCPMSS.*$PPP_IFACE.*clamp" | cut -f1 -d " " | xargs -n1 -r iptables -t mangle -D FORWARD

is incorrect because every non-first rule number passed to xargs refers to the old rule number, from before the first deletion. This involves the removal of user-defined iptables rules.
Patch to latest stable 1.13 which solves this problem:

diff -urN pppoeconf-1.13.orig/pppoeconf pppoeconf-1.13/pppoeconf --- pppoeconf-1.13.orig/pppoeconf 2006-08-31 03:35:29.000000000 +0400 +++ pppoeconf-1.13/pppoeconf 2007-07-21 23:37:08.481968896 +0400 @@ -388,7 +388,7 @@ 0) if [ "$kernel_pppoe" ]; then printf '#!/bin/sh\n# Enable MSS clamping (autogenerated by pppoeconf)\n\niptables -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu\n' > /etc/ppp/ip-up.d/0clampmss - printf '#!/bin/sh\n# Disable MSS clamping (autogenerated by pppoeconf)\n\niptables -t mangle -L -n -v --line-numbers | grep "TCPMSS.*$PPP_IFACE.*clamp" | cut -f1 -d " " | xargs -n1 -r iptables -t mangle -D FORWARD\n' > /etc/ppp/ip-down.d/0clampmss + printf '#!/bin/sh\n# Disable MSS clamping (autogenerated by pppoeconf)\n\niptables -t mangle -L -n -v --line-numbers | grep "TCPMSS.*$PPP_IFACE.*clamp" | cut -f1 -d " " | sort -nr | xargs -n1 -r iptables -t mangle -D FORWARD\n' > /etc/ppp/ip-down.d/0clampmss chmod 755 /etc/ppp/ip-up.d/0clampmss /etc/ppp/ip-down.d/0clampmss else # disable the old line

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages pppoeconf depends on:
ii  gettext-base             0.14.4-2           GNU Internationalization utilities
ii  ppp                      2.4.3-20050321+2   Point-to-Point Protocol (PPP) daem
ii  pppoe                    3.5-4              PPP over Ethernet driver
ii  sed                      4.1.2-8            The GNU sed stream editor
ii  whiptail [whiptail-prov  0.51.6-20          Displays user-friendly dialog boxe

-- no debconf information
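
Review bot: the added ip-down.d/0clampmss line still lists with `iptables -t mangle -L` and no chain name, so the number of a matching TCPMSS rule in any other mangle chain is also passed to `-D FORWARD` and can delete an unrelated FORWARD rule; `sort -nr` fixes the renumbering but not this. Suggest listing only the chain being edited (`-L FORWARD`), or dropping the number-based pipeline and deleting by rule specification, mirroring the insert written to ip-up.d/0clampmss: `iptables -t mangle -D FORWARD -o "$PPP_IFACE" -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu`.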
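
The renumbering problem described in the report, as an added example that is not part of the original report or of pppoeconf: it simulates a numbered chain with a text list instead of calling iptables, and the sample rules and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample chain, one rule per line (line number = rule number).
# Rules 2 and 4 stand for the pppoeconf clamp rules; 1, 3 and 5 are user rules.
SAMPLE_RULES='MARK user-rule-a
TCPMSS ppp0 clamp
MARK user-rule-b
TCPMSS ppp0 clamp
MARK user-rule-c'

# delete_by_numbers RULES NUM...
# Deletes one rule per NUM, in the order given. As with "iptables -D chain N",
# the rules that remain are renumbered after every single deletion.
delete_by_numbers() {
    rules=$1; shift
    for n in "$@"; do
        rules=$(printf '%s\n' "$rules" | sed "${n}d")
    done
    printf '%s\n' "$rules"
}

# matching_numbers RULES
# Rule numbers of the clamp rules, in listing (ascending) order,
# like the grep | cut stage of the generated ip-down script.
matching_numbers() {
    printf '%s\n' "$1" | grep -n 'TCPMSS.*ppp0.*clamp' | cut -f1 -d:
}

# Original behaviour: numbers taken before any deletion, applied ascending.
ascending_result() {
    delete_by_numbers "$SAMPLE_RULES" $(matching_numbers "$SAMPLE_RULES")
}

# Patched behaviour: same numbers, highest first (sort -nr), so a deletion
# never shifts a rule that is still waiting to be deleted.
descending_result() {
    delete_by_numbers "$SAMPLE_RULES" $(matching_numbers "$SAMPLE_RULES" | sort -nr)
}

echo "ascending (original):";  ascending_result
echo "descending (sort -nr):"; descending_result
```

In the ascending run, user-rule-c is deleted and one clamp rule survives; in the descending run, only the two clamp rules are removed.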