 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] pb24r584 broken!
 Date:  Sun, 11 Jan 2004 15:59:43 -0500
Manuel Kasper wrote:

> I've been able to verify the problems with the DNS forwarder in 
> pb24r584 on another system with a different filter rule configuration 
> (it didn't show up on mine). It's related to the fact that ipfilter 
> 3.4.33pre2, which was imported in pb24, does not continue adding rules 
> if a duplicate rule is found - it simply aborts. That duplicate was 
> present whenever at least one optional interface was activated. Fixing 
> that problem (the duplicate rule) alone isn't the complete solution, 
> though, as there's nothing to prevent the user from adding a duplicate 
> rule via the webGUI, thus causing ipf to abort the rule adding process 
> at the first dupe - very bad! Also, it's difficult for the webGUI to 
> verify if duplicate rules are present (e.g. with rules that use 
> aliases - the alias could resolve to a non-conflicting address when 
> the rule is added, but later be changed and create a duplicate rule).
>
> I'll revert to ipfilter 3.4.31 and release a working version 
> (pb24r585) as soon as possible. Meanwhile, pb24r584 has been removed 
> and everybody who already runs pb24r584 is STRONGLY URGED TO UPGRADE 
> because some other rules are missing due to this bug as well.
>
> Sorry, folks. Looks like I'll have to patch ipfilter in the future to 
> just skip duplicate rules instead of breaking down.
>
> - Manuel

Manuel,

I tried to send you my status.php (the one after the upgrade) along with 
an explanation of what happened to me when upgrading to pb24r584, but 
the server wouldn't accept it because it was too large.  Anyway, my 
router also has an optional interface, and upon upgrading, all routing 
was totally dead.  And downgrading to pb23 gracefully couldn't be done 
because of the upgrades to the XML file.  I can email you my status.php 
privately if you wish, but it looks like you already have the problem 
figured out.  Let me know if you want it.

Chris
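
The failure mode Manuel describes above, as an added Python model (not part of the original messages, and not ipfilter or m0n0wall code): a loader that aborts at the first duplicate is compared with one that skips it, and a duplicate check is run on the alias-resolved rules at load time. The rule strings, the alias name `WEBSRV` and all addresses are constructed for illustration.

```python
# Constructed sample rule set; WEBSRV is a hypothetical alias name.
RULES = [
    "pass in quick on fxp0 proto tcp from any to WEBSRV port = 80 keep state",
    "pass in quick on fxp0 proto tcp from any to 192.168.1.10 port = 80 keep state",
    "pass in quick on fxp0 proto udp from any to 192.168.1.1 port = 53 keep state",
    "block in log quick on fxp0 from any to any",
]
AT_ADD_TIME = {"WEBSRV": "192.168.1.20"}   # alias value when the rule was added
AFTER_EDIT = {"WEBSRV": "192.168.1.10"}    # alias later changed by the user


def expand(rules, aliases):
    """Replace alias tokens with their current value and normalise whitespace."""
    return [" ".join(aliases.get(tok, tok) for tok in r.split()) for r in rules]


def load_abort_on_dup(resolved):
    """Model of the reported 3.4.33pre2 behaviour: stop adding at the first dupe."""
    loaded = []
    for rule in resolved:
        if rule in loaded:
            break          # every later rule is silently never loaded
        loaded.append(rule)
    return loaded


def load_skip_dups(resolved):
    """Model of the proposed patch: skip the duplicate and keep adding rules."""
    loaded = []
    for rule in resolved:
        if rule not in loaded:
            loaded.append(rule)
    return loaded


def find_duplicates(rules, aliases):
    """Load-time check: (index, index_of_first_copy, rule) for each duplicate."""
    seen, dups = {}, []
    for i, rule in enumerate(expand(rules, aliases)):
        if rule in seen:
            dups.append((i, seen[rule], rule))
        else:
            seen[rule] = i
    return dups


if __name__ == "__main__":
    print("dupes at add time:", find_duplicates(RULES, AT_ADD_TIME))
    print("dupes after alias edit:", find_duplicates(RULES, AFTER_EDIT))
    print("abort-on-dup loads:", len(load_abort_on_dup(expand(RULES, AFTER_EDIT))), "of", len(RULES))
```

The check passes when the rule is added and only fails after the alias changes, which is why it has to run on the resolved rule set each time the filter is reloaded rather than once in the webGUI form.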