authorTobias Brunner <tobias@strongswan.org>2015-11-05 14:59:34 +0100
committerTobias Brunner <tobias@strongswan.org>2015-11-09 15:18:35 +0100
commit0ee4a333a8202f4bf176c87b17aa640685ec5ada (patch)
tree0da05673906970a14b1a9dae48c94ccfeeb2336a /testing/tests/ikev2
parentcbaafa03c7ed75df3887788fc69fa4ed2d3abb9c (diff)
testing: Speed up ifdown calls in ikev2/mobike scenarios
ifdown calls bind's rndc, which tries to access TCP port 953 on lo. If these packets are dropped by the firewall we have to wait for the TCP connections to time out, which takes quite a while.
Diffstat (limited to 'testing/tests/ikev2')
-rw-r--r--testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules6
-rw-r--r--testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules4
-rw-r--r--testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules4
3 files changed, 13 insertions, 1 deletions
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
index 6dd261f20..450e7cef6 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
@@ -5,11 +5,15 @@
-P OUTPUT DROP
-P FORWARD DROP
+# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
# allow IPsec tunnel traffic
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-# allow ESP
+# allow ESP
-A INPUT -i eth0 -p 50 -j ACCEPT
-A INPUT -i eth1 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
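Review bot: The two rules added at the top of this hunk accept every protocol and port on lo, but the comment above them names only rndc on TCP 953, so a later reader cannot tell whether the blanket accept is deliberate. With the OUTPUT and FORWARD policies set to DROP, stating the intent keeps the exception auditable; I would word the comment as `# allow all traffic on lo (not only TCP 953): ifup/ifdown call bind's rndc and dropped packets stall until the TCP timeout`. The identical addition in the mobike-virtual-ip and mobike hunks would take the same comment. The rest of the rules file lies outside the hunk, so whether another rule already touches lo cannot be seen from here.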
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
index a238c8d19..450e7cef6 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
@@ -5,6 +5,10 @@
-P OUTPUT DROP
-P FORWARD DROP
+# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
# allow IPsec tunnel traffic
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
index a238c8d19..450e7cef6 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
@@ -5,6 +5,10 @@
-P OUTPUT DROP
-P FORWARD DROP
+# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
# allow IPsec tunnel traffic
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT