ipsec: Do not reject connections in on-demand mode
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 24 Mar 2017 12:24:42 +0000 (13:24 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 24 Mar 2017 12:24:42 +0000 (13:24 +0100)
When an on-demand VPN connection is not up, the packets will
traverse the firewall and be rejected by the IPSECBLOCK chain
which will cause an ICMP error message to be sent to
the client. If that does not happen and the packet is being
silently dropped, the client will retransmit and by then
the VPN connection will hopefully be up.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/firewall/ipsec-block
config/rootfiles/core/110/filelists/files

index 9fa8e1a466002dcd43d7734bf7d560c30339b939..96682b8943e3c24ed4fd2ef9afee81eca0fd3e26 100644 (file)
@@ -23,23 +23,43 @@ VPN_CONFIG="/var/ipfire/vpn/config"
 
 block_subnet() {
        local subnet="${1}"
+       local action="${2}"
 
        # Don't block a wildcard subnet
        if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
                return 0
        fi
 
-       iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
+       case "${action}" in
+               reject)
+                       iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable
+                       ;;
+               drop)
+                       iptables -A IPSECBLOCK -d "${subnet}" -j DROP
+                       ;;
+               *)
+                       return 1
+                       ;;
+       esac
+
+       return 0
 }
 
 block_ipsec() {
        # Flush all exists rules
        iptables -F IPSECBLOCK
 
-       local id status name lefthost type ctype unknown1 unknown2 unknown3
-       local leftsubnets unknown4 righthost rightsubnets rest
-       while IFS="," read -r id status name lefthost type ctype unkown1 unknown2 unknown3 \
-                       leftsubnets unknown4 righthost rightsubnets rest; do
+       local action
+
+       local vars="id status name lefthost type ctype x1 x2 x3 leftsubnets"
+       vars="${vars} x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12"
+       vars="${vars} x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24"
+       vars="${vars} route rest"
+
+       # Register local variables
+       local ${vars}
+
+       while IFS="," read -r ${vars}; do
                # Check if the connection is enabled
                [ "${status}" = "on" ] || continue
 
@@ -49,9 +69,18 @@ block_ipsec() {
                # Split multiple subnets
                rightsubnets="${rightsubnets//\|/ }"
 
+               case "${route}" in
+                       route)
+                               action="drop"
+                               ;;
+                       *)
+                               action="reject"
+                               ;;
+               esac
+
                local rightsubnet
                for rightsubnet in ${rightsubnets}; do
-                       block_subnet "${rightsubnet}"
+                       block_subnet "${rightsubnet}" "${action}"
                done
        done < "${VPN_CONFIG}"
 }
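Review bot: The `*)` arm of the new `case "${action}"` in block_subnet returns 1 without installing any rule, and the caller in block_ipsec (`block_subnet "${rightsubnet}" "${action}"`) never checks that status, so an unexpected action value would leave the subnet unblocked silently, a fail-open path. Today both values come from the second hunk's `case "${route}"`, which always yields "drop" or "reject", so this is latent rather than reachable; still, I would make the fallback loud, `*) echo "block_subnet: unknown action '${action}' for ${subnet}" >&2; return 1 ;;`, and let the loop propagate it with `block_subnet "${rightsubnet}" "${action}" || return 1`. The read list also hides which config field drives the on-demand decision: `route` is the 35th name in `${vars}` and `proto` (31st) is not referenced in either hunk, so a comment above the `while IFS="," read` line stating those positions would save the next reader from counting placeholders. Note that block_ipsec starts in the first hunk and its body continues into the second, so the `route` case sits outside the hunk where `vars` is declared.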
index 581602710014a9dcf781ac03e10980410cd387f7..c6d15d637c2cb8d2a0a8b2fd1606ae50afb54b7f 100644 (file)
@@ -13,6 +13,7 @@ srv/web/ipfire/cgi-bin/vpnmain.cgi
 srv/web/ipfire/html/themes/darkdos/include/style.css
 srv/web/ipfire/html/themes/ipfire/include/css/style.css
 srv/web/ipfire/html/themes/maniac/include/style.css
+usr/lib/firewall/ipsec-block
 usr/lib/libssp.so.0
 usr/lib/libssp.so.0.0.0
 usr/local/bin/xt_geoip_update