Fix FORWARD rules: wait for Cisco chains, then delete+reinsert at pos 1

After VPN reconnects, Cisco agent creates its chains asynchronously,
pushing our ACCEPT rules down where they're ineffective. Fix:
1. Wait up to 30s for ciscovpn chain to exist
2. Delete any existing rules (they may be in wrong position)
3. Insert fresh rules at position 1

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 09:26:18 +00:00
parent 0dca06fbc8
commit 7c76016fcf


@@ -341,32 +341,34 @@ setup_forwarding() {
log DEBUG "NAT masquerade for container network already exists" log DEBUG "NAT masquerade for container network already exists"
fi fi
# Forward rules - MUST be inserted at position 1 to run BEFORE cisco VPN chains # Forward rules - MUST be at position 1 to run BEFORE cisco VPN chains
# The cisco VPN chains have catch-all DROP rules that would block our traffic # The cisco VPN chains have catch-all DROP rules that would block our traffic
if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT # Wait for Cisco to create its chains (they appear after VPN connects)
local wait_count=0
while ! iptables -L ciscovpn -n &>/dev/null && [ $wait_count -lt 30 ]; do
log DEBUG "Waiting for Cisco VPN chains to be created..."
sleep 1
((wait_count++))
done
if iptables -L ciscovpn -n &>/dev/null; then
log DEBUG "Cisco VPN chains detected"
else else
log DEBUG "Forward rule (to target) already exists" log WARN "Cisco VPN chains not created after ${wait_count}s - proceeding anyway"
fi fi
if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then # Remove any existing rules first (ignore errors if they don't exist)
run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
else iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null || true
log DEBUG "Forward rule (from target) already exists" iptables -D FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
fi iptables -D FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
# Accept forwarding from container network # Insert at position 1 (reverse order so they end up in correct order)
if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
else run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
log DEBUG "Forward rule (from container network) already exists" run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
fi
if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
else
log DEBUG "Forward rule (to container network) already exists"
fi
# Cisco VPN chain bypass (insert at top if chain exists) # Cisco VPN chain bypass (insert at top if chain exists)
if iptables -L ciscovpn -n &>/dev/null; then if iptables -L ciscovpn -n &>/dev/null; then
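Review bot: The four new `iptables -D … 2>/dev/null || true` lines call iptables directly while the matching re-inserts right below go through `run_cmd`, so if `run_cmd` has a dry-run or logging-only mode (its definition is outside this hunk) the existing rules would be deleted for real and never put back; guarding each delete with `iptables -C` and routing it through `run_cmd` keeps both halves consistent, as in the fence below. Separately, `((wait_count++))` evaluates to 0 on the first pass (post-increment of 0) and therefore returns status 1, which ends the script on its first iteration if it runs under `set -e`; `wait_count=$((wait_count + 1))` avoids that. Note also that these ACCEPT rules are placed at position 1 of FORWARD, ahead of the Cisco DROP chains, and match on address only, so any forwarded packet carrying a spoofed 172.31.0.0/24 or `$TARGET_IP` source address bypasses the VPN policy; qualifying them with `-i`/`-o` on the container bridge would narrow that to the intended path. `setup_forwarding()` begins before this hunk and continues after it.
```shell
# … unchanged: wait loop header …
    wait_count=$((wait_count + 1))   # (( i++ )) returns 1 when i was 0 and would trip set -e
# … unchanged: chain-detected / WARN logging …
    # Remove stale copies first (they may sit below the Cisco chains); go through run_cmd
    # like the inserts so a dry-run/logging mode never deletes without re-adding.
    local rule
    for rule in "-d $TARGET_IP" "-s $TARGET_IP" "-s 172.31.0.0/24" "-d 172.31.0.0/24"; do
        # shellcheck disable=SC2086  # $rule is deliberately split into "-d ADDR"
        if iptables -C FORWARD $rule -j ACCEPT 2>/dev/null; then
            run_cmd "Removing stale forward rule ($rule)" iptables -D FORWARD $rule -j ACCEPT
        fi
    done
# … unchanged: position-1 inserts …
```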