Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
It could happen that the remote peer re-established the connection
before "ipsec reload" removed it from the daemon.
Now, we write the configuration files first, reload them
and then bring down any connections that are still established.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a more general name for a script that will be extended
soon to do more than just add blocking rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When the firewall policy is blocked, no outgoing IPsec connections
can be established. That is slightly counter-intuitive since we
open ports in the incoming direction automatically.
Fixes: #11704
Reported-by: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If an IPsec VPN connections is not established, there are
rare cases when packets are supposed to be sent through
that said tunnel and incorrectly handled.
Those packets are sent to the default gateway an entry
for this connection is created in the connection tracking
table (usually only happens to UDP). All following packets
are sent the same route even after the tunnel has been
brought up. That leads to SIP phones not being able to
register among other things.
This patch adds firewall rules that these packets are
rejected. That will sent a notification to the client
that the tunnel is not up and avoid the connection to
be added to the connection tracking table.
Apart from a small performance penalty there should
be no other side-effects.
Fixes: #10908
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: tomvend@rymes.com
Cc: daniel.weismueller@ipfire.org
Cc: morlix@morlix.de
Reviewed-by: Timo Eissler <timo.eissler@ipfire.org>
As pluto is no longer present, there is a lot to
clean up. The connection rename hack is no longer needed
and the whole ipsec stack can be controlled with
the "ipsec" command.
