git.ipfire.org Git - ipfire-2.x.git/commit
author: Peter Müller <peter.mueller@ipfire.org>
Mon, 27 Jan 2020 15:04:00 +0000 (15:04 +0000)
committer: Arne Fitzenreiter <arne_f@ipfire.org>
Thu, 26 Mar 2020 17:49:43 +0000 (17:49 +0000)
commit: 5dba838282f23954a1cfeb4586b1cabc294a9b32
tree: 2477047e488b58cce3a2e8a12c80becd1ac4580c
parent: 5d957b01c98157e29675d61c2d3118d0be18a00f
avoid emitting VPN traffic to the internet if the IPS crashed

Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
OpenVPN) destinations was emitted to the internet (ppp0 or red0
interface) directly if the IPS was enabled but crashed during operation.

This patch places the IPSECBLOCK and OVPNBLOCK chains before the
ones responsible for forwarding traffic into the IPS.

Thanks to Michael for his debugging effort.

Partially fixes #12257

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
src/initscripts/system/firewall
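The commit moves the IPSECBLOCK and OVPNBLOCK jumps in the FORWARD chain ahead of the jump that hands traffic to the IPS, so that a crashed IPS can no longer let VPN-destined packets reach red0/ppp0 unblocked. The script below is an added example, not code from this commit or from IPFire, that audits that ordering in `iptables-save` output. The two rulesets are constructed samples in iptables-save format; the IPS chain name "IPS", the NFQUEUE rule and the VPN subnets are assumptions for illustration and must be adapted to the real ruleset (IPSECBLOCK and OVPNBLOCK are the chain names the commit message names).

```shell
#!/bin/sh
# Added example (not IPFire code): check that the VPN block chains
# (IPSECBLOCK, OVPNBLOCK) are jumped to from FORWARD before the jump
# into the IPS chain. Chain name "IPS", the NFQUEUE rule and the
# subnets below are assumptions for illustration.

# Constructed sample, iptables-save format: the ordering the commit
# replaces, with the IPS jump ahead of the VPN block chains.
BROKEN_RULES='*filter
:FORWARD DROP [0:0]
:IPS - [0:0]
:IPSECBLOCK - [0:0]
:OVPNBLOCK - [0:0]
-A FORWARD -j IPS
-A FORWARD -j IPSECBLOCK
-A FORWARD -j OVPNBLOCK
-A IPS -j NFQUEUE --queue-num 0
-A IPSECBLOCK -o red0 -d 10.200.0.0/24 -j DROP
-A OVPNBLOCK -o red0 -d 10.201.0.0/24 -j DROP
COMMIT'

# Constructed sample with the ordering the commit introduces:
# block chains first, IPS jump afterwards.
FIXED_RULES='*filter
:FORWARD DROP [0:0]
:IPS - [0:0]
:IPSECBLOCK - [0:0]
:OVPNBLOCK - [0:0]
-A FORWARD -j IPSECBLOCK
-A FORWARD -j OVPNBLOCK
-A FORWARD -j IPS
-A IPS -j NFQUEUE --queue-num 0
-A IPSECBLOCK -o red0 -d 10.200.0.0/24 -j DROP
-A OVPNBLOCK -o red0 -d 10.201.0.0/24 -j DROP
COMMIT'

# rule_index RULES CHAIN TARGET
# Prints the 1-based position within CHAIN of the first rule whose
# target (-j) is TARGET, or 0 if CHAIN has no such rule.
rule_index() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" '
        $1 == "-A" && $2 == chain {
            n++
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == target) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# check_order RULES
# Succeeds only if FORWARD jumps to IPSECBLOCK and OVPNBLOCK, and both
# jumps sit before the jump to IPS. Fails if any jump is missing.
check_order() {
    ips=$(rule_index "$1" FORWARD IPS)
    ipsec=$(rule_index "$1" FORWARD IPSECBLOCK)
    ovpn=$(rule_index "$1" FORWARD OVPNBLOCK)
    [ "$ips" -gt 0 ] && [ "$ipsec" -gt 0 ] && [ "$ovpn" -gt 0 ] || return 1
    [ "$ipsec" -lt "$ips" ] && [ "$ovpn" -lt "$ips" ]
}

# report LABEL RULES: human-readable verdict for one ruleset.
report() {
    if check_order "$2"; then
        printf '%s: OK, IPSECBLOCK/OVPNBLOCK are hit before the IPS jump\n' "$1"
    else
        printf '%s: WRONG ORDER, IPS jump precedes the VPN block chains\n' "$1"
    fi
}

report broken "$BROKEN_RULES"
report fixed "$FIXED_RULES"
```

On a running firewall the same check applies to the live ruleset with `check_order "$(iptables-save)"`; the function deliberately fails when any of the three jumps is absent, so a ruleset that has simply lost its block chains is not reported as correctly ordered.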