[alpine-devel] 1.7.28 issues

From: Harry Lachanas <grharry_at_freemail.gr>
Date: Mon, 08 Dec 2008 08:34:03 +0200

Hi all,

I salute the 1.7.28 release and found the following little problems ...

xtables-addons + iptables 1.4.2

a) xtables-addons misses the ipp2p component
b) the old ipp2p component is still compiled in the Kernel
but since iptables version 1.4.2 is implied it cannot be used,

The ipp2p component from xtables-addons has to be enabled.

Shorewall incompatibilities.
----------------------------------------------
Xtables-addons maintainer changed the code in the ipp2p component,
so the module does not include the options
iptables -m ipp2p --ipp2p

the reason why he did this in his own words is this ...
I quote

"............................................................................
> Dear Sir,
> >
> > There seems to be a problem for some of us trying to combine
> > xtables-addons and shorewall .... in your code of ipp2p support you
> > have excluded the command line option -m ipp2p --ipp2p as it is used
> > in shorewall and as I presume in many other sh netfilter
> > applications as a result shorewall is unable to detect the
> > existence of ipp2p support in the kernel and also the combined
> > command if --ipp2p now must be specified for all separate protocols
> > ( --kaza, --bit ... etc )....
>

Correct. I felt that --ipp2p is a very ambiguous option —
“does it include protocol XYZ or not?” — so it has been removed.
Any scripts should be adjusted. There is no workaround other
than to modify libxt_ipp2p.c and add it back, but I will not
be making this change in the repository.


> > Please advise as to whether there are
> > workarounds regarding this problem .... !!!
>

If you merely need the detection, add

        {.name = "ipp2p", .has_arg = false, .val = 0x1234},

This alone makes --ipp2p a no-op, but at least it is not rejected.
...................................................................."


Shorewall ipp2p usage

shorewall detects the ipp2p module in /usr/share/shorewall/lib.base (line 1026)
using this command.

qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes

obviously this breaks down because option -m ipp2p --ipp2p is not
supported anymore.


I've contacted the shorewall list and they provided patches for the
shorewall version 4+
for further details please have a look at www.shorewall.net

shorewall version 3.4.8 is not supported anymore.

For those of us that want to stay with the 3.4.8 version we have to play
with the code a bit ...

that is
Replace the above line with
.............................
qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
.............................

with xtables-addons module ipp2p enabled + iptables-1.4.2
shorewall now will detect correctly the support of the new ipp2p module.

save
and
now include this file in
/etc/lbu/include
with

#echo "/usr/share/shorewall/lib.base" >> /etc/lbu/include
#lbu commit


Now in order to drop, shape or whatever you like to do with p2p protocols
you have to indicate them in one of shorewall control files
separately for each p2p protocol edk, bit, kazaa, .... etc.

Further howtos on this can be found in www.shorewall.net



In order for all of the above to happen, the maintainers of alpine should
first provide the xtables-addons with the ipp2p module enabled
and remove the old ipp2p from kernel ....

Kind Regards,
Harry Lachanas.




Received on Mon Dec 08 2008 - 08:34:03 UTC
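
The capability probe discussed in the message above, written as a stand-alone check that tries the combined option first and falls back to a per-protocol one. This is an added example, not part of the original message and not Shorewall's own code; the function name `ipp2p_flavour`, its output labels and the local `qt` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Run as root on a host with iptables.
IPTABLES=${IPTABLES:-iptables}   # overridable, like $IPTABLES in the quoted probe
PROBE_CHAIN=fooX1234             # scratch chain name taken from the quoted probe

# Local stand-in for a "quiet" helper: run a command and discard its output.
qt() { "$@" >/dev/null 2>&1; }

# Prints which option style the installed ipp2p match accepts:
#   combined      --ipp2p is accepted (old module, or the no-op entry quoted above)
#   per-protocol  --ipp2p is rejected but a per-protocol option (--edk) works
#   none          no usable ipp2p match, so P2P rules cannot be installed
#   probe-failed  the scratch chain could not be created (not root, chain exists)
ipp2p_flavour() {
    flavour=none
    qt $IPTABLES -N "$PROBE_CHAIN" || { echo "probe-failed"; return 2; }
    if qt $IPTABLES -A "$PROBE_CHAIN" -p tcp -m ipp2p --ipp2p -j ACCEPT; then
        flavour=combined
    elif qt $IPTABLES -A "$PROBE_CHAIN" -p tcp -m ipp2p --edk -j ACCEPT; then
        flavour=per-protocol
    fi
    # Always remove the scratch chain so the probe leaves the ruleset unchanged.
    qt $IPTABLES -F "$PROBE_CHAIN" || :
    qt $IPTABLES -X "$PROBE_CHAIN" || :
    echo "$flavour"
}

# Stand-alone use: sh ipp2p_probe.sh probe
if [ "${1:-}" = "probe" ]; then
    ipp2p_flavour
fi
```

A result of `combined` only shows that `--ipp2p` is not rejected; with the no-op table entry quoted in the message it is accepted but matches nothing, so per-protocol rules are still needed for the traffic to be filtered.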