Michael Tremer
80fbd89949
ipsec: Add block rules to avoid conntrack entries
...
If an IPsec VPN connection is not established, there are
rare cases when packets are supposed to be sent through
that said tunnel and incorrectly handled.
Those packets are sent to the default gateway and an entry
for this connection is created in the connection tracking
table (usually only happens to UDP). All following packets
are sent the same route even after the tunnel has been
brought up. That leads to SIP phones not being able to
register among other things.
This patch adds firewall rules so that these packets are
rejected. That will send a notification to the client
that the tunnel is not up and avoid the connection
being added to the connection tracking table.
Apart from a small performance penalty there should
be no other side-effects.
Fixes: #10908
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: tomvend@rymes.com
Cc: daniel.weismueller@ipfire.org
Cc: morlix@morlix.de
Reviewed-by: Timo Eissler <timo.eissler@ipfire.org>
2015-10-15 22:44:47 +01:00
Michael Tremer
a9600358d8
ipsecctrl: Use --wait switch for all iptables commands
2015-05-07 21:06:44 +02:00
Michael Tremer
d9e80e0b09
ipsecctrl: Remove unused code block
2015-05-07 21:05:50 +02:00
Michael Tremer
8fcb92530e
ipsecctrl: Fix compiler warning.
2014-03-26 23:47:14 +01:00
Michael Tremer
52e54c1c9a
misc-progs: Move network stuff to own header file.
2013-10-12 18:22:51 +02:00
Michael Tremer
8e2683f70d
ipsecctrl: Re-read everything when configuration is reloaded.
2013-07-23 13:24:15 +02:00
Michael Tremer
ba890f6584
ipsecctrl: Don't shout when we have found an interface.
2012-08-08 00:40:43 +02:00
Michael Tremer
9f0b5c9f4d
ipsec: Improve connection reloading.
...
As pluto is no longer present, there is a lot to
clean up. The connection rename hack is no longer needed
and the whole ipsec stack can be controlled with
the "ipsec" command.
2012-07-19 16:46:00 +02:00
Arne Fitzenreiter
6e2ba31bff
ipsec: change ipsecctrl and vpn-watch to restart a single tunnel.
2011-08-22 20:47:35 +02:00
Arne Fitzenreiter
85cbc0a08f
ipsec: fix ike firewall rule to support nat traversal.
2011-07-04 23:09:05 +02:00
Arne Fitzenreiter
3e077ef345
ipsec: add ikev2 down to ipseccrtl.
2011-07-03 11:21:49 +02:00
Arne Fitzenreiter
0d181206ca
ipsec: change ipsecctrl for status and reload of charon.
2011-06-26 15:15:12 +02:00
Arne Fitzenreiter
44b5666bc7
Fix ipseccrtl, add 10min restart of unrouted connections to vpn-watch.
2010-06-25 22:52:43 +02:00
Arne Fitzenreiter
16295ef4a0
ipsecctrl: fix compile error.
2010-06-25 07:36:39 +02:00
Arne Fitzenreiter
734b67d20d
ipsecctrl: use ipsec restart to turn connection on.
2010-06-25 00:00:51 +02:00
Arne Fitzenreiter
1f324fd71d
ipsecctrl: remove fw-rules clear because strongswan tries to do this also.
2010-06-24 23:35:40 +02:00
Arne Fitzenreiter
798023e9a6
ipsecctrl: increase delay after ipsec reload.
2010-06-24 20:44:37 +02:00
Arne Fitzenreiter
90070fc927
Fix ipsecctrl hang at start of a connection.
...
Fixes bug #0000663
2010-06-21 23:13:06 +02:00
Arne Fitzenreiter
ba149d470b
Fix ipsectrl I and ipsectrl R terminate vpn-watch.
2010-05-29 14:24:47 +02:00
Arne Fitzenreiter
64dc6c92f1
Remove output of "ipsecctrl R".
...
:
2010-05-10 21:33:51 +02:00
Arne Fitzenreiter
98065e83ed
Change ipsec up/down of a tunnel.
2010-05-08 15:35:11 +02:00
Arne Fitzenreiter
331699d576
Change ipsecctrl Tunnel up and down.
2010-04-22 07:41:28 +02:00
Arne Fitzenreiter
db073a101e
Some changes for strongswan.
...
Still need a replacement for ipsec auto --replace
2010-03-27 21:15:46 +01:00
Arne Fitzenreiter
6652626c88
Add strongswan (4.3.6) for testing.
2010-03-20 22:31:43 +01:00
maniacikarus
05882fff6b
Fixes to MPFire
...
Syntax fix for ipsec
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@757 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-08-11 12:40:01 +00:00
maniacikarus
0f57633b02
Changed IPSec Ctrl again so that VPN Watch is started properly
...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@660 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-07-05 05:55:40 +00:00
maniacikarus
69dcc42551
commit and go away
...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@648 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-06-27 17:31:30 +00:00
maniacikarus
7dbf47dcc7
Fixed ipsecctrl and fixed connections.cgi
...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@645 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-06-22 13:24:43 +00:00
maniacikarus
fe6cda9204
Some CGI fixes
...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@643 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-06-21 18:14:48 +00:00
maniacikarus
ad60e3ead1
Small adjustment to ipsec
...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@640 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-06-20 19:19:00 +00:00
maniacikarus
dced81b20b
Adapted IPSecctrl for vpnwatch
...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@637 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-06-18 20:57:57 +00:00
ms
99f3c72fc2
Built an ALSA init script that saves the volume on shutdown.
...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@636 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-06-18 20:20:21 +00:00
ms
341ff36cfb
The IPSec module can now be loaded.
...
Fixed some bugs of Alpha 2.
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@571 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-05-22 14:02:38 +00:00
ms
5fd302326d
Integrated upnp.cgi and status.cgi from Maniac
...
Updated IPSec
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@453 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-03-24 13:30:47 +00:00
ms
05207d6927
Installed FritzCard modules.
...
Made OpenSwan2 ready.
Removed superfluous modem drivers.
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@383 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2007-01-07 12:15:14 +00:00
ipfire
cd1a292722
git-svn-id: http://svn.ipfire.org/svn/ipfire/IPFire/source@16 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2006-02-15 21:15:54 +00:00