From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. cda384a280b11461f4114faf4c86c8589df15eb0
Date: Fri, 24 Mar 2017 12:26:58 +0000 [thread overview]
Message-ID: <20170324122658.F290710853C3@git01.ipfire.org> (raw)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via cda384a280b11461f4114faf4c86c8589df15eb0 (commit)
from e89b407f8894a1378ef9afbdd79180ed3d99a89c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cda384a280b11461f4114faf4c86c8589df15eb0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 24 13:24:42 2017 +0100
ipsec: Do not reject connections in on-demand mode
When an on-demand VPN connection is not up, its packets traverse
the firewall and are rejected by the IPSECBLOCK chain, which sends
an ICMP error message back to the client. If instead the packet is
silently dropped, the client will retransmit, and by then the VPN
connection will hopefully be up.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/firewall/ipsec-block | 41 ++++++++++++++++++++++++++-----
config/rootfiles/core/110/filelists/files | 1 +
2 files changed, 36 insertions(+), 6 deletions(-)
Difference in files:
diff --git a/config/firewall/ipsec-block b/config/firewall/ipsec-block
index 9fa8e1a..96682b8 100644
--- a/config/firewall/ipsec-block
+++ b/config/firewall/ipsec-block
@@ -23,23 +23,43 @@ VPN_CONFIG="/var/ipfire/vpn/config"
block_subnet() {
local subnet="${1}"
+ local action="${2}"
# Don't block a wildcard subnet
if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
return 0
fi
- iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
+ case "${action}" in
+ reject)
+ iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
+ ;;
+ drop)
+ iptables -A IPSECBLOCK -d "${subnet}" -j DROP
+ ;;
+ *)
+ return 1
+ ;;
+ esac
+
+ return 0
}
block_ipsec() {
# Flush all exists rules
iptables -F IPSECBLOCK
- local id status name lefthost type ctype unknown1 unknown2 unknown3
- local leftsubnets unknown4 righthost rightsubnets rest
- while IFS="," read -r id status name lefthost type ctype unkown1 unknown2 unknown3 \
- leftsubnets unknown4 righthost rightsubnets rest; do
+ local action
+
+ local vars="id status name lefthost type ctype x1 x2 x3 leftsubnets"
+ vars="${vars} x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12"
+ vars="${vars} x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24"
+ vars="${vars} route rest"
+
+ # Register local variables
+ local ${vars}
+
+ while IFS="," read -r ${vars}; do
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
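Review bot: The `*)` arm of the new `case` in block_subnet returns 1 without installing any rule, and its caller in block_ipsec (the loop body runs past the end of this hunk) never checks the return value, so an unexpected action string would leave the subnet unblocked — a fail-open default in a helper whose only job is to block. Today block_ipsec only ever passes "drop" or "reject", so this is latent, but a blocking helper should fall back to the safe side rather than to nothing: `*) echo "block_subnet: unknown action '${action}', rejecting" >&2` followed by the existing REJECT line, or alternatively keep `return 1` and make the caller treat it as an error. For the same reason the `iptables` invocations' exit status is worth checking (`|| return 1`), since a malformed subnet read from `${VPN_CONFIG}` currently yields an iptables error and silently no rule. The `read -r ${vars}` expansion is intentionally unquoted to split the variable list; a `# shellcheck disable=SC2086` comment would make that explicit for the next reader.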
@@ -49,9 +69,18 @@ block_ipsec() {
# Split multiple subnets
rightsubnets="${rightsubnets//\|/ }"
+ case "${route}" in
+ route)
+ action="drop"
+ ;;
+ *)
+ action="reject"
+ ;;
+ esac
+
local rightsubnet
for rightsubnet in ${rightsubnets}; do
- block_subnet "${rightsubnet}"
+ block_subnet "${rightsubnet}" "${action}"
done
done < "${VPN_CONFIG}"
}
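Review bot: The new `case "${route}"` carries no comment explaining why route-mode connections get DROP while everything else keeps REJECT; the rationale lives only in the commit message, so a reader of the script will not know that the silent drop is deliberate. I would add above the `case`: `# On-demand (route) connections are DROPped rather than REJECTed so the client retransmits instead of getting ICMP unreachable while the tunnel is still coming up.` By my count `route` is the 35th comma-separated field of ${VPN_CONFIG}, recovered through a run of placeholder names (x5..x24); a second comment stating that column number, and that an entry with fewer fields leaves `${route}` empty and therefore falls through to reject, would make the parsing less brittle to maintain. The enclosing block_ipsec function begins in the previous hunk.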
diff --git a/config/rootfiles/core/110/filelists/files b/config/rootfiles/core/110/filelists/files
index 5816027..c6d15d6 100644
--- a/config/rootfiles/core/110/filelists/files
+++ b/config/rootfiles/core/110/filelists/files
@@ -13,6 +13,7 @@ srv/web/ipfire/cgi-bin/vpnmain.cgi
srv/web/ipfire/html/themes/darkdos/include/style.css
srv/web/ipfire/html/themes/ipfire/include/css/style.css
srv/web/ipfire/html/themes/maniac/include/style.css
+usr/lib/firewall/ipsec-block
usr/lib/libssp.so.0
usr/lib/libssp.so.0.0.0
usr/local/bin/xt_geoip_update
hooks/post-receive
--
IPFire 2.x development tree