From: Michael Tremer
Date: Sat, 1 Mar 2014 15:51:03 +0000 (+0100)
Subject: openvpnctrl: Allow ICMP error messages to pass the transfer net.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=5c3de120aabfaf150aa7303c4c3c92e3072da809

openvpnctrl: Allow ICMP error messages to pass the transfer net.
---

diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index 272db0faa..462ce77cc 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -365,6 +365,7 @@ ERROR:
 }

 void setFirewallRules(void) {
+	char command[STRING_SIZE];
 	char protocol[STRING_SIZE] = "";
 	char dport[STRING_SIZE] = "";
 	char dovpnip[STRING_SIZE] = "";
@@ -405,11 +406,15 @@ void setFirewallRules(void) {
 	if (!strcmp(enableorange, "on") && strlen(orangeif))
 		addRule(OVPNINPUT, orangeif, protocol, dport);

+	/* Allow ICMP error messages to pass. */
+	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -p icmp" " -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);
+	executeCommand(command);
+
 	// read connection configuration
 	connection *conn = getConnections();

 	// set firewall rules for n2n connections
-	char command[STRING_SIZE];
 	char *local_subnet_address = NULL;
 	char *transfer_subnet_address = NULL;
 	while (conn != NULL) {
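Review bot: The snprintf result on the new iptables line in the second hunk is not checked, and the size passed is `STRING_SIZE - 1` although `command` is declared with `STRING_SIZE` bytes, so a truncated command string would be handed to executeCommand unnoticed. With OVPNBLOCK presumably a short constant chain name truncation is unlikely here, but the module's other command builders should not copy the pattern; prefer `int n = snprintf(command, sizeof command, "...", OVPNBLOCK);` followed by `if (n < 0 || (size_t)n >= sizeof command) return;` (or the function's existing error path) before calling executeCommand. The comment above the rule could also state why it is safe to append unconditionally, e.g. `/* Pass ICMP errors (unreachable, TTL exceeded, ...) that conntrack ties to an already tracked flow; RELATED does not admit unsolicited ICMP. */`. Because the rule is added with -A, it is ordered before the n2n subnet rules appended in the loop that follows; setFirewallRules continues outside the hunk.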