-rw-r--r-- | group_vars/all.yml | 4 | ||||
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 8 |
2 files changed, 6 insertions, 6 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index c7900a6..9458dc0 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -11,8 +11,8 @@ postfix_instance:
 # Virtual (non-routable) IPv4 subnet for IPSec. It is always nullrouted
-# on in the absence of xfrm lookup (i.e., when there is no matching
-# IPSec Security Association) to avoid data leaks.
+# in the absence of xfrm lookup (i.e., when there is no matching IPSec
+# Security Association) to avoid data leaks.
 ipsec_subnet: 172.16.0.0/24
 ipsec:
 # Virtual (non-routable) addresses for IPSec. They all need to be
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 065bae2..d5e2238 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -264,10 +264,10 @@ run() {
 if [ "$f" = 4 -a "$ipsec" = y ]; then
 # Allow local access to our virtual IP
 /bin/ip -4 -o route show table 220 dev $if \
- | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?/\1/p' \
- | while read ipsec; do
- iptables -A INPUT -i lo -s "$ipsec" -d "$ipsec" -j ACCEPT
- iptables -A OUTPUT -o lo -s "$ipsec" -d "$ipsec" -j ACCEPT
+ | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?$/\1/p' \
+ | while read ips; do
+ iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT
+ iptables -A OUTPUT -o lo -s "$ips" -d "$ips" -j ACCEPT
 done
 fi
 |
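Review bot: The new `while read ips; do` line in update-firewall.sh still reads without `-r` and with the default IFS, so the loop should be `| while IFS= read -r ips; do` to keep backslashes and surrounding whitespace out of the value that is spliced into the `-s`/`-d` arguments of the two iptables rules below it. The renaming away from `ipsec` is the right call, since that name is the variable tested by the enclosing `if [ ... "$ipsec" = y ]` on the context line above. Because the loop is the last stage of a pipeline it runs in a subshell, and a failing iptables call in any but the last iteration is not reflected in the pipeline's status; unless the script runs under `set -e` (not visible in this hunk), consider appending `|| exit 1` to each iptables line so a missing loopback ACCEPT rule for a virtual address is not silently skipped. The enclosing run() function begins and ends outside the hunk.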