To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. f4fa8b317d41fa5650ddcad5d42cdee1affc51e5
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: 25ac8dbdcf88184daa9e41bcc4cc489a5d3a5f11
X-Git-Newrev: f4fa8b317d41fa5650ddcad5d42cdee1affc51e5
Message-Id: <4ZkWtg2mmwz2y6T@people01.haj.ipfire.org>
Date: Fri, 25 Apr 2025 12:12:27 +0000 (UTC)
From: Michael Tremer

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  f4fa8b317d41fa5650ddcad5d42cdee1affc51e5 (commit)
       via  3948ba05ec12cddf75a70174baa75097107c407b (commit)
      from  25ac8dbdcf88184daa9e41bcc4cc489a5d3a5f11 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f4fa8b317d41fa5650ddcad5d42cdee1affc51e5
Author: Michael Tremer
Date:   Fri Apr 25 14:11:49 2025 +0200

    wireguard: Don't block RW peer traffic

    Signed-off-by: Michael Tremer

commit 3948ba05ec12cddf75a70174baa75097107c407b
Author: Michael Tremer
Date:   Fri Apr 25 14:06:36 2025 +0200

    wireguard-functions.pl: Fix collecting used IP addresses

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/wireguard-functions.pl | 9 +++++----
 src/initscripts/system/wireguard      | 6 ++++++
 2 files changed, 11 insertions(+), 4 deletions(-)

Difference in files:
diff --git a/config/cfgroot/wireguard-functions.pl b/config/cfgroot/wireguard-functions.pl index 219f9282d..c8af939b5 100644 --- a/config/cfgroot/wireguard-functions.pl +++ b/config/cfgroot/wireguard-functions.pl @@ -340,13 +340,14 @@ sub free_pool_addresses($$) { # Collect all used addresses foreach my $key (keys %peers) { - my $type = $peers{$key}[1]; - my $address = $peers{$key}[6]; + my $peer = &load_peer($key); # Only check hosts - next if ($type ne "host"); + next if ($peer->{"TYPE"} ne "host"); - push(@used_addresses, &Network::ip2bin($address)); + foreach my $address (@{ $peer->{"CLIENT_ADDRESS"} }) { + push(@used_addresses, &Network::ip2bin($address)); + } } # Fetch the first address diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard index 7632d6114..9321b09c4 100644 --- a/src/initscripts/system/wireguard +++ b/src/initscripts/system/wireguard @@ -285,6 +285,12 @@ reload_firewall() { iptables -F WGBLOCK + # Don't block any traffic from Roadwarrior peers + if [ -n "${CLIENT_POOL}" ]; then + iptables -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN + iptables -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN + fi + # Block all other traffic iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited } hooks/post-receive -- IPFire 2.x development tree
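
Review bot: in the free_pool_addresses hunk of config/cfgroot/wireguard-functions.pl, the result of &load_peer($key) is dereferenced immediately (`$peer->{"TYPE"}`, `@{ $peer->{"CLIENT_ADDRESS"} }`) with no check that a peer was returned or that CLIENT_ADDRESS holds an array reference. Because @used_addresses is what this function relies on to know which pool addresses are taken, a peer that fails to load should be skipped explicitly (for example `next unless (defined $peer);`) instead of being silently left out of the used list. A short comment that a host peer can now carry several client addresses would also explain why the inner loop was introduced.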
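
Review bot: in the reload_firewall hunk of src/initscripts/system/wireguard, the new comment mentions only traffic from Roadwarrior peers, but the second rule (`-d "${CLIENT_POOL}" -o wg0`) also exempts traffic to them; the comment should name both directions and state that RETURN hands the packet back to the calling chain and does not accept it. CLIENT_POOL is tested only for being non-empty, so a malformed value makes both `iptables -A` calls fail and all Roadwarrior traffic falls through to the final REJECT; that fails closed, but logging the failed call would make the resulting outage diagnosable.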