 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Lee Sharp" <leesharp at hal dash pc dot org>, <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Captive Portal - Allowed Ip Addresses
 Date:  Tue, 28 Mar 2006 20:38:14 +0200
> Two questions...
> First, what "bad thing" can happen when I don't reboot? 

When you don't reboot after adding new entries, you could have a mix-up
of ruleno between your client and the allowed-ip-address, which gives
nasty results (client login not working) only in the following conditions:

Current (<=1.21):
Every time the system ruleno wraps and you have allowed-ip-address in
there (you don't even have to add new ones), but you will need to have
lots of sessions (9899 to be precise/+depending on the ruleno you had
when adding a new one ;) )

1.22:
Every time the system ruleno wraps and you have ADDED a new
allowed-ip-address without rebooting. (depending on the ruleno you had
when adding a new one)


>=1.23:
Not anymore ;) (even the situation: old user fw ruleno 10001 still
logged-in after wrap shouldn't give any problems anymore)


I am going to fix this in a good way for the 1.23 (or whatever number)
release by verifying if the specified ruleno is already in use and using
the first free next number.


> I can't think how many times I do this quick during the day to solve a
> problem (usually an AOL browser) and could not reboot.
Will happen only after at least 9899 sessions

> Second, what is the symptom of a wrap?  I think I actually had one in the
> wild the other day.  It was a hotel I have behind m0n0wall running 1.21
> since the day of release without a reboot.  Between 10 - 50 users a day.
> Suddenly no one could log in to the CP but the old allowed IPs were fine.
> It was a busy time, so I had to reboot after very little troubleshooting,
> and it worked fine.

You get a firewall collision with the above effect. (IIRC the new rule
won't be added because there already exists an old one)

> 
> One comment...
> If there was some way to reorder the table without logging off everyone,
> that would be good.  I can not log people off in production, and often
> need to add ip addresses.

I know, that's why I will fix it for >=1.23

I'm surprised almost nobody noticed it. University networks certainly
would have this issue with lots of users logging in on a daily basis.

J.
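As an added example (not m0n0wall's code), the following simulates the ruleno wrap collision described in this mail and the fix proposed for >=1.23, an allocator that skips numbers already held by a rule. The 9899-slot window comes from the mail; its bounds (10001..19899), the session model and the allowed-ip number 10501 are assumptions.

```python
from collections import deque

# Assumed rule-number window: 9899 slots as stated in the mail, bounds assumed.
RULENO_MIN = 10001
RULENO_MAX = 19899

def next_ruleno_naive(counter: int) -> int:
    """<=1.22 behaviour as described: advance and wrap, never checking what is in use."""
    return RULENO_MIN if counter >= RULENO_MAX else counter + 1

def next_ruleno_fixed(counter: int, in_use: set) -> int:
    """Proposed >=1.23 behaviour: advance/wrap, then skip every number a rule still holds."""
    candidate = counter
    for _ in range(RULENO_MAX - RULENO_MIN + 1):
        candidate = RULENO_MIN if candidate >= RULENO_MAX else candidate + 1
        if candidate not in in_use:
            return candidate
    raise RuntimeError("no free firewall rule number left")

def add_rule(in_use: set, ruleno: int) -> bool:
    """Model of the firewall table: a rule whose number already exists is rejected."""
    if ruleno in in_use:
        return False
    in_use.add(ruleno)
    return True

def simulate(fixed: bool, logins: int, allowed_ip_ruleno: int, concurrent: int = 50) -> int:
    """Run `logins` client logins with at most `concurrent` sessions alive (oldest logs
    out first) while one allowed-ip entry permanently holds `allowed_ip_ruleno`.
    Returns the number of logins refused because of a rule-number collision."""
    in_use = {allowed_ip_ruleno}
    active = deque()                      # session rulenos, oldest first
    counter = RULENO_MIN
    failed = 0
    for _ in range(logins):
        if len(active) == concurrent:     # oldest client logs out, freeing its number
            in_use.discard(active.popleft())
        counter = next_ruleno_fixed(counter, in_use) if fixed else next_ruleno_naive(counter)
        if add_rule(in_use, counter):
            active.append(counter)
        else:
            failed += 1                   # the collision the mail describes
    return failed

if __name__ == "__main__":
    # Constructed scenario: the allowed-ip entry was added when the counter stood at 10501.
    print("naive:", simulate(False, 20000, 10501))   # collides once per wrap
    print("fixed:", simulate(True, 20000, 10501))    # no collisions
```

With the naive allocator every pass of the counter through 10501 refuses one login, which is the "no one can log in but the allowed IPs are fine" symptom; the fixed allocator also handles the old user still holding 10001 after a wrap.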