Merge remote-tracking branch 'alfh/feature_firewalllogcountry' into beyond-next

[people/teissler/ipfire-2.x.git] / src / misc-progs / openvpnctrl.c

diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index 272db0faade2dc3abb79687ad1d077c7308b4175..462ce77cce0b99019a09cc8c3df75161b5e94924 100644 (file)
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -365,6 +365,7 @@ ERROR:
 }
 
 void setFirewallRules(void) {
+       char command[STRING_SIZE];
        char protocol[STRING_SIZE] = "";
        char dport[STRING_SIZE] = "";
        char dovpnip[STRING_SIZE] = "";
@@ -405,11 +406,15 @@ void setFirewallRules(void) {
        if (!strcmp(enableorange, "on") && strlen(orangeif))
                addRule(OVPNINPUT, orangeif, protocol, dport);
 
+       /* Allow ICMP error messages to pass. */
+       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -p icmp"
+               " -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);
+       executeCommand(command);
+
        // read connection configuration
        connection *conn = getConnections();
 
        // set firewall rules for n2n connections
-       char command[STRING_SIZE];
        char *local_subnet_address = NULL;
        char *transfer_subnet_address = NULL;
        while (conn != NULL) {