Package: linux-igd
Version: 1.0+cvs20070630-2
Severity: wishlist
Tags: patch

Entries get appended to the PREROUTING table, the problem is I have a catchall to create a DMZ. The result is that the upnp rules aren't reachable.

The solution is pretty simple with the following patch: Using the "forward_rules_append" config option to determine if the PREROUTING rule should be inserted at the beginning (-I) or appended (-A) to the table.

Sure, there is a security risk involved, but so does the prepending of FORWARD rules. Defining a separate config option to determine the PREROUTING behavior would be a better solution, but this works fine for me (tm).

=======8<======= --- pmlist.c.orig 2008-11-29 23:08:48.000000000 +0100 +++ pmlist.c 2008-11-29 23:09:29.000000000 +0100 
@@ -271,10 +271,10 @@ } { - char *args[] = {g_vars.iptables, "-t", "nat", "-A", g_vars.preroutingChainName, "-i", g_vars.extInterfaceName, "-p", protocol, "--dport", externalPort, "-j", "DNAT", "--to", dest, NULL}; + char *args[] = {g_vars.iptables, "-t", "nat", g_vars.forwardRulesAppend ? "-A" : "-I", g_vars.preroutingChainName, "-i", g_vars.extInterfaceName, "-p", protocol, "--dport", externalPort, "-j", "DNAT", "--to", dest, NULL}; - trace(3, "%s -t nat -A %s -i %s -p %s --dport %s -j DNAT --to %s", - g_vars.iptables, g_vars.preroutingChainName, g_vars.extInterfaceName, protocol, externalPort, dest); + trace(3, "%s -t nat %s %s -i %s -p %s --dport %s -j DNAT --to %s", + g_vars.iptables, g_vars.forwardRulesAppend ? "-A" : "-I", g_vars.preroutingChainName, g_vars.extInterfaceName, protocol, externalPort, dest); if (!fork()) { int rc = execv(g_vars.iptables, args); exit(rc); =======8<=======

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages linux-igd depends on:
ii  iptables   1.4.1.1-3   administration tools for packet fi
ii  libc6      2.7-16      GNU C Library: Shared libraries
ii  libupnp3   1:1.6.6-3   Portable SDK for UPnP Devices (sha
ii  lsb-base   3.2-20      Linux Standard Base 3.2 init scrip

linux-igd recommends no packages.

linux-igd suggests no packages.

-- no debconf information
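Review bot: The new `args[]` line keys the NAT rule position off `g_vars.forwardRulesAppend`, so one option now decides ordering in two different places, and with the flag false the DNAT rule is inserted with "-I" at the head of the chain named by `g_vars.preroutingChainName`, ahead of every rule the administrator placed there (the DMZ catch-all included). A mapping requested over UPnP then takes precedence over local NAT policy, which is a different trade-off from the one an administrator accepted when setting the option for the FORWARD chain. A dedicated setting for the PREROUTING position, defaulting to the current "-A" behaviour, would keep existing installations unchanged and make the choice explicit; the option's documentation should say that "-I" lets UPnP mappings override earlier NAT rules. Separately, the expression `g_vars.forwardRulesAppend ? "-A" : "-I"` is written twice, once in `args[]` and once in the `trace()` call; computing it once into a local variable and using that in both places would keep the logged command from drifting away from the command actually passed to `execv()`.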