updown: Add rules to allow IP6IP6 traffic used for uncompressed small packets
This commit is contained in:
Tobias Brunner
parent
08afc33e52
commit
382f8a334a
|
|
@ -427,6 +427,14 @@ up-host-v6:iptables)
|
|||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||
#
|
||||
# allow IP6IP6 traffic because of the implicit SA created by the kernel if
|
||||
# IPComp is used (for small inbound packets that are not compressed)
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec host connection setup
|
||||
if [ $VPN_LOGGING ]
|
||||
then
|
||||
|
|
@ -451,6 +459,13 @@ down-host-v6:iptables)
|
|||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||
#
|
||||
# IP6IP6 exception teardown
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec host connection teardown
|
||||
if [ $VPN_LOGGING ]
|
||||
then
|
||||
|
|
@ -490,6 +505,15 @@ up-client-v6:iptables)
|
|||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# allow IP6IP6 traffic because of the implicit SA created by the kernel if
|
||||
# IPComp is used (for small inbound packets that are not compressed).
|
||||
# INPUT is correct here even for forwarded traffic.
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec client connection setup
|
||||
if [ $VPN_LOGGING ]
|
||||
then
|
||||
|
|
@ -533,6 +557,13 @@ down-client-v6:iptables)
|
|||
$IPSEC_POLICY_OUT -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# IP6IP6 exception teardown
|
||||
if [ -n "$PLUTO_IPCOMP" ]
|
||||
then
|
||||
ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
|
||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# log IPsec client connection teardown
|
||||
if [ $VPN_LOGGING ]
|
||||
then
|
||||
|
|
|
|||
Loading…
Reference in New Issue