authorTobias Brunner <tobias@strongswan.org>2015-09-21 10:12:17 +0200
committerTobias Brunner <tobias@strongswan.org>2015-09-21 10:12:17 +0200
commit382f8a334a1c47bde577d95870de6f557748cb85 (patch)
tree139e819b91dfbfc502f99f4dc997b6a79d185742
parent08afc33e5259399a682bb62ef253b3155e68461e (diff)
updown: Add rules to allow IP6IP6 traffic used for uncompressed small packets
-rw-r--r--src/_updown/_updown.in31
1 files changed, 31 insertions, 0 deletions
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 6e7abca09..e549e9597 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -427,6 +427,14 @@ up-host-v6:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IP6IP6 traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
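Review bot: The new ACCEPT rule on L28-L29 is inserted at position 1 of INPUT and matches protocol 41 on `-s $PLUTO_PEER -d $PLUTO_ME` plus whatever `$IPSEC_POLICY_IN` expands to, so the only thing binding it to the IPsec SA is that policy-match fragment; if `IPSEC_POLICY_IN` can be empty in this branch (its definition is outside the hunk, so I cannot tell), the rule admits any IPv6-in-IPv6 packet carrying the peer's source address, which is spoofable. A one-line comment stating the dependency would make the intent auditable, e.g. `# relies on $IPSEC_POLICY_IN to restrict this to decapsulated IPsec traffic; do not use without the policy match`. The same rule and the same dependency appear in the up-client-v6 hunk (L58-L59). The enclosing `up-host-v6:iptables)` case arm starts before and ends after this hunk.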
@@ -451,6 +459,13 @@ down-host-v6:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IP6IP6 exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -490,6 +505,15 @@ up-client-v6:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IP6IP6 traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
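Review bot: The comment on L55, "INPUT is correct here even for forwarded traffic", states a conclusion without the reason a maintainer will need when tempted to move the rule to FORWARD; the reason is visible in the rule itself, which matches `-d $PLUTO_ME`, i.e. the outer IP6IP6 packet is addressed to this host and is decapsulated locally before the inner packet is forwarded. I would extend the comment to `# INPUT is correct here even for forwarded traffic: the outer IP6IP6 packet is addressed to $PLUTO_ME and is decapsulated locally before the inner packet is forwarded`. The up-host-v6 hunk (L24-L25) carries the same rule with a shorter comment and could reference the same explanation. The enclosing `up-client-v6:iptables)` case arm starts before and ends after this hunk.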
@@ -533,6 +557,13 @@ down-client-v6:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IP6IP6 exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then