 From:  Kolia <nika at hotmail dot ge>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Transparent bridge
 Date:  Thu, 15 Jul 2004 18:06:53 +0400
You are right, Manuel, there's no IP address associated with the WAN
interface because I needed transparent bridging between WAN and OPT1:

                  bridging
        +------------------------+
        |                        |
inet <-------> WAN [m0n0] OPT1 <------> customers
                    LAN
                     ^
                     |
                 management

It seems that such a scheme wasn't anticipated, so my patch only fixes the
problem partially, and 'filter_rules_spoofcheck_generate' should check
for empty fields to avoid incorrect rules being inserted into
$ipfrules. By the way, it would be good if we fed 'ipftest' with
$ipfrules before we actually send it to 'ipf' and, if something is wrong,
just applied default (safe) rules so as not to lock the m0n0wall WebGUI.

Kolia

Manuel Kasper wrote:

>On 15.07.2004 17:00 +0400, Kolia wrote:
>
>>Finally I found the bug in '/etc/inc/filter.inc' that was
>>causing the lock-up of m0n0wall while putting the OPT1 interface in
>>bridge mode. Look at this code in the 'filter_rules_generate()'
>>function:
>>......
>>       /* OPT spoof check */
>>       foreach ($optcfg as $on => $oc) {
>>               $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
>>       }
>>......
>>
>
>Wait, it's not that easy. Have a look at the code in
>filter_rules_generate() that fills in $optcfg. For bridged
>interfaces, the IP address/subnet mask of the interface that the
>interface is bridged to is filled in 'ip'/'sn'. If you get empty
>values for 'ip'/'sn', that means that the bridge target interface
>itself isn't configured properly with an IP address/subnet mask. This
>can only happen if it is also bridged, or simply disabled. The former
>case is checked by the webGUI, but not the latter.
>
>So that would mean that you probably bridged an interface to another
>interface that was currently disabled? Is that possible?
>
>>......
>>       /* OPT spoof check */
>>       foreach ($optcfg as $on => $oc) {
>>               if (!$oc['bridge']) // No spoof check is necessary for bridged interfaces
>>                       $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
>>       }
>>......
>>
>
>...which would probably break the filtered bridging. Instead the code
>should check to make sure that the bridge target interface is
>actually enabled. I'll add that to the next release.
>
>Thanks for giving me a hint there!
>
>- Manuel
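The two guards the thread arrives at, as an added example in PHP that is not m0n0wall's own filter.inc code: a bridged OPT interface is spoof-checked with its bridge target's address only when that target is enabled (Manuel's planned fix) and actually carries an address and mask (the empty-field check Kolia asks for). The sample configuration, the interface names, the array layout and the simplified ipf rule text are all assumptions made for the example; the real filter_rules_spoofcheck_generate() emits its own rule set.

```php
<?php
// Added example, not m0n0wall's filter.inc. Models the "OPT spoof check"
// loop with the guards discussed in the thread. Everything below
// (interface names, array layout, rule syntax) is assumed for illustration.

// Constructed sample configuration. WAN is enabled but has no address
// because it is transparently bridged with OPT1 (Kolia's setup); OPT2 is
// bridged to OPT3, which is disabled (the case Manuel describes).
$ifaces = array(
    'wan'  => array('if' => 'sis0', 'enable' => true,  'ip' => '',         'sn' => ''),
    'opt1' => array('if' => 'sis1', 'enable' => true,  'bridge' => 'wan'),
    'opt2' => array('if' => 'sis2', 'enable' => true,  'bridge' => 'opt3'),
    'opt3' => array('if' => 'sis3', 'enable' => false, 'ip' => '10.0.3.1', 'sn' => '24'),
    'opt4' => array('if' => 'sis4', 'enable' => true,  'ip' => '10.0.4.1', 'sn' => '24'),
);

/* Resolve the source address a spoof check for $name should use. For a
   bridged interface that is the bridge target's address, the way the
   thread says filter_rules_generate() fills in $optcfg. Returns
   array($sa, $sn, null) on success, or array(null, null, $reason) when
   no safe rule can be built. */
function spoofcheck_source($name, $ifaces) {
    $cfg = $ifaces[$name];
    $target = isset($cfg['bridge']) ? $cfg['bridge'] : $name;
    // Guard 1: the bridge target must exist and be enabled.
    if (!isset($ifaces[$target]) || empty($ifaces[$target]['enable']))
        return array(null, null, "bridge target '$target' is disabled");
    $sa = isset($ifaces[$target]['ip']) ? $ifaces[$target]['ip'] : '';
    $sn = isset($ifaces[$target]['sn']) ? $ifaces[$target]['sn'] : '';
    // Guard 2: an empty address or mask would yield "from / to any",
    // which ipf rejects, taking the whole rule set (and the WebGUI) with it.
    if ($sa === '' || $sn === '')
        return array(null, null, "no address/mask on '$target'");
    return array($sa, $sn, null);
}

/* Stands in for filter_rules_spoofcheck_generate(): emit the rules for
   one interface. The rule text is an assumed, simplified ipf form. */
function spoofcheck_rules($name, $if, $sa, $sn, $log) {
    $r  = "# $name spoof check\n";
    $r .= "pass in quick on $if from $sa/$sn to any\n";
    $r .= "block in $log quick on $if all\n";
    return $r;
}

$ipfrules = '';
$log = 'log';
foreach ($ifaces as $on => $oc) {
    // Only enabled OPT interfaces go through the OPT spoof-check loop.
    if ($on == 'wan' || empty($oc['enable']))
        continue;
    list($sa, $sn, $why) = spoofcheck_source($on, $ifaces);
    if ($sa === null) {
        // Skip the rule and leave a comment in the rule set instead of
        // emitting a malformed line that would make ipf reject everything.
        $ipfrules .= "# $on: spoof check skipped ($why)\n";
        continue;
    }
    $ipfrules .= spoofcheck_rules($on, $oc['if'], $sa, $sn, $log);
}
echo $ipfrules;
```

With the sample data, opt1 and opt2 are skipped with a comment (no address on WAN; OPT3 disabled), opt3 is not processed at all, and only opt4 gets pass/block rules. Skipping with a comment rather than silently dropping the interface keeps the reason visible in the generated rule set, which is what an operator would look at when a spoof check is unexpectedly absent.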