How to submit patch / pull request against tools repo?
-
What's the procedure for getting changes into the tools repo? Looking to get the following change in:
diff --git a/builder_scripts/conf/pfPorts/make.conf b/builder_scripts/conf/pfPorts/make.conf index ec27b37..f5c7638 100644 --- a/builder_scripts/conf/pfPorts/make.conf +++ b/builder_scripts/conf/pfPorts/make.conf @@ -11,7 +11,7 @@ ipsec-tools_UNSET_FORCE=DEBUG lighttpd_SET_FORCE= NODELAY -miniupnpd_SET_FORCE= PF_ENABLE_FILTER_RULES +miniupnpd_SET_FORCE= PF_ENABLE_FILTER_RULES CHECK_PORTINUSE IPV6 UPNP_IGDV2 openssl_SET_FORCE= PADLOCK
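Review bot: the `+miniupnpd_SET_FORCE=` line enables IPV6 and UPNP_IGDV2 together with CHECK_PORTINUSE, but only CHECK_PORTINUSE relates to the port-conflict problem this change is meant to fix. Consider limiting this change to CHECK_PORTINUSE and proposing IPV6 and UPNP_IGDV2 separately with their own rationale, since each changes how the daemon is built beyond the port check and is harder to review or revert when bundled into one line.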
In particular, the "CHECK_PORTINUSE" option prevents the issue where UPnP clients can snap up ports that are used by the firewall itself, which can lead to all sorts of mysterious breakage (like Macs on the LAN side adding mappings for port 4500, breaking IPsec in the process).
-
Can't you just inline it to a bug report? Certainly would not waste my time with pull requests for one-liner patches.
-
-
On the "bug" itself… You really should severely limit what can be done via UPnP. Stuff like 1024-65534 is definitely EVIL.
-
Huh? Care to explain? Perhaps I just misunderstand what you're trying to say, but what other ports would you have UPnP use?
-
Only limit things to what's needed. No, the entire high ports range certainly is not needed by anything. Say, you have a BT client somewhere, you only need a single port for DHT. And yes, I realize you could just as well just have forwarded that via NAT - Port Forwarding. Which is pretty much exactly what you should do with anything that has static IP assigned. :P
UPnP -> evil. >:(
-
So you don't like UPnP – fair enough. I happen to find it useful for a bunch of dynamic stuff (mostly Mac clients -- BTMM etc.), but I also don't have untrusted clients on my network.
In any case, whatever your opinion about it may be, miniupnpd is included in the pfSense base install, and IMO it quite simply makes sense to perform this check, given how trivial this is to enable (port option).
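
The two controls discussed in this thread, a port-in-use check and narrow UPnP permission rules, can be modelled side by side. This is an added example, not code from the thread or from miniupnpd: the rule sets, addresses and socket list are constructed, the rule lines follow the miniupnpd.conf permission-rule syntax, and the ordering of the checks and the default when no rule matches are assumptions of this model.

```python
import ipaddress

# Constructed rule sets in miniupnpd.conf permission-rule syntax:
#   (allow|deny) <external ports> <client ip/mask> <internal ports>
WIDE = """
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""
NARROW = """
allow 6881 192.168.1.50/32 6881   # one BT client, one port
deny 0-65535 0.0.0.0/0 0-65535
"""
# Constructed: sockets the firewall itself uses (IKE, IPsec NAT-T, web GUI).
FIREWALL_SOCKETS = {("udp", 500), ("udp", 4500), ("tcp", 443)}


def parse_range(text):
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            action, ext, net, internal = line.split()
            rules.append((action == "allow", parse_range(ext),
                          ipaddress.ip_network(net), parse_range(internal)))
    return rules


def decide(rules, in_use, client, proto, ext_port, int_port):
    """Return (allowed, reason) for one requested mapping."""
    # Assumed ordering: the in-use check runs before the permission rules.
    if (proto, ext_port) in in_use:
        return False, "external port in use by the firewall"
    addr = ipaddress.ip_address(client)
    for allow, (elo, ehi), net, (ilo, ihi) in rules:  # first match wins
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return allow, "matched permission rule"
    return True, "no rule matched"  # assumed default of this model


if __name__ == "__main__":
    mac = ("192.168.1.20", "udp", 4500, 4500)  # the mapping from the first post
    print(decide(parse_rules(WIDE), set(), *mac))             # no in-use check
    print(decide(parse_rules(WIDE), FIREWALL_SOCKETS, *mac))  # with the check
    print(decide(parse_rules(NARROW), set(), *mac))           # narrow rules only
```

With the wide rule set and no in-use check the port 4500 mapping is accepted; either control alone rejects it, and together they also cover firewall ports that fall inside an allowed range.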