-rw-r--r--group_vars/all.yml4
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh8
2 files changed, 6 insertions, 6 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index c7900a6..9458dc0 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,25 +1,25 @@
---
postfix_instance:
# The keys are the group names associated with a Postfix role, and the
# values are the name and group (optional) of the instance dedicated
# to that role.
IMAP: { name: mda, port: 2526 }
MX: { name: mx, group: mta }
out: { name: out, group: mta, port: 2525 }
MSA: { name: msa }
lists: { name: lists, port: 2527 }
# Virtual (non-routable) IPv4 subnet for IPSec. It is always nullrouted
-# on in the absence of xfrm lookup (i.e., when there is no matching
-# IPSec Security Association) to avoid data leaks.
+# in the absence of xfrm lookup (i.e., when there is no matching IPSec
+# Security Association) to avoid data leaks.
ipsec_subnet: 172.16.0.0/24
ipsec:
# Virtual (non-routable) addresses for IPSec. They all need to be
# distinct and belong to the above subnet 'ipsec_subnet'.
antilop: 172.16.0.1
benjamin: 172.16.0.2
civett: 172.16.0.3
elefant: 172.16.0.4
giraff: 172.16.0.5
mistral: 172.16.0.6
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 065bae2..d5e2238 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -247,44 +247,44 @@ run() {
iptables -A INPUT -i $if -d "$ip" -j DROP
done
fi
# DROP INVALID packets immediately.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# DROP bogus TCP packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP
# Allow all input/output to/from the loopback interface.
local localhost=$(inet46 $f '127.0.0.1/8' '::1/128')
iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT
iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
if [ "$f" = 4 -a "$ipsec" = y ]; then
# Allow local access to our virtual IP
/bin/ip -4 -o route show table 220 dev $if \
- | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?/\1/p' \
- | while read ipsec; do
- iptables -A INPUT -i lo -s "$ipsec" -d "$ipsec" -j ACCEPT
- iptables -A OUTPUT -o lo -s "$ipsec" -d "$ipsec" -j ACCEPT
+ | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?$/\1/p' \
+ | while read ips; do
+ iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT
+ iptables -A OUTPUT -o lo -s "$ips" -d "$ips" -j ACCEPT
done
fi
# Prepare fail2ban. We make fail2ban insert its rules in a
# dedicated chain, so that it doesn't mess up the existing rules.
[ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
if [ "$f" = 4 ]; then
# Allow only ICMP of type 0, 3 and 8. The rate-limiting is done
# directly by the kernel (net.ipv4.icmp_ratelimit and
# net.ipv4.icmp_ratemask runtime options). See icmp(7).
local t
for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do
iptables -A INPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
done
elif [ $f = 6 ]; then
iptables -A INPUT -p icmpv6 -j ACCEPT
iptables -A OUTPUT -p icmpv6 -j ACCEPT
fi
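Review bot: The renamed loop on the new side (`while read ips; do`) does not record why the variable must not be called `ipsec`, although `$ipsec` is the feature flag tested two lines earlier (`"$ipsec" = y`), so the shadowing this commit removes could easily be reintroduced; it also still uses a bare `read`. I would write `| while read -r ips; do` and extend the comment above the pipeline to `# Allow local access to our virtual IP(s): the 'src' of each route in table 220 (used for IPsec here). NB: the loop variable must not be named 'ipsec', which is the feature flag tested above.` The `[[:digit:].]{7,15}` pattern also accepts digit/dot strings that are not dotted quads, which is presumably acceptable because the input is the kernel's route table rather than untrusted data; if stricter matching is wanted, anchoring each octet (`([0-9]{1,3}\.){3}[0-9]{1,3}`) is a small change. The enclosing run() starts before this hunk and continues past it.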