 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall dash announce at lists dot m0n0 dot ch
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Fixed pb24 available
 Date:  Sun, 11 Jan 2004 23:13:50 +0100
pb24r585, which fixes a bug related to the import of ipfilter 
3.4.33pre2 into m0n0wall that manifested itself in problems with the 
DNS forwarder when at least one optional interface was enabled, has 
been uploaded.
The problem was due to ipfilter 3.4.33pre2 aborting processing of the 
ruleset when a duplicate rule was encountered, instead of just skipping 
it and continuing as before. Even with the filter rule generator fixed 
not to generate any duplicate default rules anymore, there is still the 
possibility for a user to add duplicate rules via the webGUI (and thus 
completely screwing up the ruleset). These may be hard to detect by the 
webGUI code (take for example a rule with an alias that resolves to a 
non-conflicting IP address when the rule is added, but the alias is 
changed later on to create a duplicate rule - or simply a user-defined 
rule that conflicts with an automatically generated one). As such, if 
further ipfilter versions retain this behavior, they will be modified 
for use in m0n0wall. As for now, we're back to ipfilter 3.4.31 (as in 
pb23). I personally believe that it is very stupid to abort processing 
a filter ruleset because of a problem with one single rule, and then 
fail with only a part of the ruleset installed (instead of failing by 
completely blocking everything).

Sorry for the inconvenience. Blame it on ipfilter. ;)

- Manuel
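The failure mode described above (ipfilter 3.4.33pre2 aborting on a duplicate rule and leaving a partial ruleset installed, with duplicates that only appear after an alias is edited or when a user rule collides with a generated one) is shown below as an added example; it is not m0n0wall or ipfilter code. The rule syntax, the alias table and the sample rules are constructed stand-ins, and the point is that the generator detects duplicates after alias expansion and refuses the whole ruleset rather than relying on the filter engine's behaviour.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not m0n0wall's real alias table or rule syntax).
ALIASES: Dict[str, str] = {"webserver": "192.168.1.10", "dbserver": "192.168.1.20"}

# Rules the generator would emit automatically, then rules a user added via the GUI.
GENERATED: List[str] = [
    "pass in on lan proto tcp from any to dbserver port 3306",
    "block in on opt1 all",
]
USER: List[str] = [
    "pass in on lan proto tcp from any to webserver port 3306",
    "block in on opt1 all",  # user-defined rule identical to a generated one
]

# What to install if validation fails: block everything instead of a partial ruleset.
FAIL_CLOSED: List[str] = ["block in all", "block out all"]


def normalize(rule: str, aliases: Dict[str, str]) -> Tuple[str, ...]:
    """Canonical key for a rule: whitespace collapsed and aliases resolved to addresses,
    so two rules that differ only in alias name vs. literal address compare equal."""
    return tuple(aliases.get(tok, tok) for tok in rule.split())


def find_duplicates(rules: List[str], aliases: Dict[str, str]) -> List[Tuple[int, int]]:
    """Return (first_index, duplicate_index) pairs for rules that collide after expansion."""
    seen: Dict[Tuple[str, ...], int] = {}
    dups: List[Tuple[int, int]] = []
    for i, rule in enumerate(rules):
        key = normalize(rule, aliases)
        if key in seen:
            dups.append((seen[key], i))
        else:
            seen[key] = i
    return dups


def build_ruleset(generated: List[str], user: List[str],
                  aliases: Dict[str, str]) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Validate the complete ruleset before anything is loaded. On any duplicate, hand
    back the fail-closed ruleset together with the offending index pairs for the GUI."""
    rules = generated + user
    dups = find_duplicates(rules, aliases)
    return (FAIL_CLOSED, dups) if dups else (rules, [])


if __name__ == "__main__":
    ruleset, problems = build_ruleset(GENERATED, USER, ALIASES)
    print("installed:", ruleset, "duplicates:", problems)
    # Later the alias is edited so webserver resolves to the same address as dbserver,
    # turning a previously valid user rule into a duplicate of a generated one.
    changed = dict(ALIASES, webserver="192.168.1.20")
    print("after alias change:", build_ruleset(GENERATED, USER, changed))
```

Indices in the returned pairs refer to positions in `generated + user`, so the GUI can point at the user rule that collides with an automatically generated one.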