 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  pb24r584 broken!
 Date:  Sun, 11 Jan 2004 21:54:27 +0100
I've been able to verify the problems with the DNS forwarder in 
pb24r584 on another system with a different filter rule configuration 
(it didn't show up on mine). It's related to the fact that ipfilter 
3.4.33pre2, which was imported in pb24, does not continue adding rules 
if a duplicate rule is found - it simply aborts. That duplicate was 
present whenever at least one optional interface was activated. Fixing 
that problem (the duplicate rule) alone isn't the complete solution, 
though, as there's nothing to prevent the user from adding a duplicate 
rule via the webGUI, thus causing ipf to abort the rule adding process 
at the first dupe - very bad! Also, it's difficult for the webGUI to 
verify if duplicate rules are present (e.g. with rules that use aliases 
- the alias could resolve to a non-conflicting address when the rule is 
added, but later be changed and create a duplicate rule).

I'll revert to ipfilter 3.4.31 and release a working version 
(pb24r585) as soon as possible. Meanwhile, pb24r584 has been removed 
and everybody who already runs pb24r584 is STRONGLY URGED TO UPGRADE 
because some other rules are missing due to this bug as well.

Sorry, folks. Looks like I'll have to patch ipfilter in the future to 
just skip duplicate rules instead of breaking down.

- Manuel
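The failure mode described in the message, modelled as an added example (this is not m0n0wall or ipfilter code). It shows why a loader that aborts at the first duplicate rule is dangerous: every rule after the duplicate, including a trailing block rule, is silently missing. It also shows the alias problem Manuel raises: two rules that are distinct when written become identical once an alias is repointed, so a pre-load check has to expand aliases to concrete addresses before comparing rules. The alias names, interface names and the rule list are constructed; the rule syntax is a simplified ipf-style subset.

```python
"""Model of the ipfilter duplicate-rule failure mode (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed alias table, the way a webGUI might keep it (name -> address/network).
ALIASES_BEFORE = {"webserver": "192.168.1.10/32", "mailserver": "192.168.1.20/32"}
# Later the admin points both hypothetical aliases at the same host. Rules that
# were distinct when written now expand to identical ipf rules.
ALIASES_AFTER = {"webserver": "192.168.1.10/32", "mailserver": "192.168.1.10/32"}

# Constructed ruleset in ipf-style syntax, referencing aliases by name.
RULES = [
    "pass in quick on sis0 proto tcp from any to webserver port = 80 keep state",
    "pass in quick on sis0 proto tcp from any to mailserver port = 25 keep state",
    "pass in quick on sis0 proto tcp from any to mailserver port = 80 keep state",
    "pass in quick on sis1 proto udp from any to any port = 53 keep state",
    "block in log quick on sis0 all",
]


def expand(rule: str, aliases: Dict[str, str]) -> str:
    """Replace whole-word alias names with their address, as a webGUI would do
    when it generates the ipf ruleset. Tokens that are not aliases are left alone."""
    return re.sub(r"\b[A-Za-z_][A-Za-z0-9_]*\b",
                  lambda m: aliases.get(m.group(0), m.group(0)), rule)


def normalize(rule: str) -> str:
    """Collapse whitespace so textual differences do not hide a duplicate."""
    return " ".join(rule.split())


def find_duplicates(rules: List[str], aliases: Dict[str, str]) -> List[Tuple[int, int]]:
    """Pre-load check: return (first_index, duplicate_index) pairs for rules that
    are identical once aliases are expanded. Comparing the unexpanded text would
    miss duplicates created by a later alias change."""
    seen: Dict[str, int] = {}
    dups: List[Tuple[int, int]] = []
    for i, rule in enumerate(rules):
        key = normalize(expand(rule, aliases))
        if key in seen:
            dups.append((seen[key], i))
        else:
            seen[key] = i
    return dups


def load_rules(rules: List[str], aliases: Dict[str, str],
               on_duplicate: str = "abort") -> List[str]:
    """Model two loader behaviours and return the rules that actually got loaded.
    'abort': stop at the first duplicate (the behaviour the message reports for
             ipfilter 3.4.33pre2); every later rule is silently dropped.
    'skip':  drop only the duplicate and keep loading (the patch Manuel intends)."""
    loaded: List[str] = []
    for rule in rules:
        key = normalize(expand(rule, aliases))
        if key in loaded:
            if on_duplicate == "abort":
                break
            continue
        loaded.append(key)
    return loaded


if __name__ == "__main__":
    for label, aliases in (("before", ALIASES_BEFORE), ("after", ALIASES_AFTER)):
        print(f"aliases {label}: duplicates = {find_duplicates(RULES, aliases)}")
        for mode in ("abort", "skip"):
            got = load_rules(RULES, aliases, mode)
            print(f"  {mode}: {len(got)} of {len(RULES)} rules loaded; "
                  f"last = {got[-1]!r}")
```

With the original aliases there are no duplicates and all five rules load. After the alias change, rules 0 and 2 collide; the aborting loader stops after two rules and the final block rule never makes it into the kernel, which is the "some other rules are missing" effect described above, whereas the skipping loader still installs four of the five.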