Bug #324

OpenVPN upgrade code should put an allow all rule for migrations from 1.2.x

Added by Jim Pingle over 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: Very Low
Assignee: -
Category: OpenVPN
Target version:
Start date: 01/26/2010
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

Since OpenVPN does not filter on 1.2.x, upgrades from 1.2.x -> 2.0 should place an "Allow All" style rule on the OpenVPN interface rules, to avoid a POLA violation.

This way, the non-filtered behavior is retained for those upgrading from 1.2.3, but new installs of 2.0 can be filtered by default.

Less clear is how we should handle upgrades where a tun was assigned as an opt for filtering. (Or is that already handled?)

Associated revisions

Revision c73bd8f0 (diff)
Added by Ermal Luçi over 9 years ago

Ticket #324. Add allow all rule during upgrade.

History

#1 Updated by Ermal Luçi over 9 years ago

  • Priority changed from Normal to Very Low

I do not much agree with this, since we do not do this for IPsec, 2.0 is going to be a new release, and this can be mentioned in the release notes.

#2 Updated by Jim Pingle over 9 years ago

The difference is that IPsec had rules in 1.2.x, so people expect it to work that way already.

If someone does a remote upgrade via their OpenVPN connection, they could end up locked out because OpenVPN now requires rules where it did not do so previously, and there is no way to prevent that scenario.

I do agree that it should not have rules on a fresh install, but upgrades are a different matter.

#3 Updated by Chris Buechler over 9 years ago

Yeah, this needs to be done. For 1.2.x upgraded configs auto-adding an allow all rule for OpenVPN is the sensible course of action, as we always want to retain the previous behavior. Nothing should work differently after upgrade than it did before the upgrade.

#4 Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

#5 Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

Confirmed fixed.
