Fix FORWARD rules: wait for Cisco chains, then delete+reinsert at pos 1
After VPN reconnects, Cisco agent creates its chains asynchronously, pushing our ACCEPT rules down where they're ineffective. Fix: 1. Wait up to 30s for ciscovpn chain to exist 2. Delete any existing rules (they may be in wrong position) 3. Insert fresh rules at position 1 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -341,32 +341,34 @@ setup_forwarding() {
|
||||
log DEBUG "NAT masquerade for container network already exists"
|
||||
fi
|
||||
|
||||
# Forward rules - MUST be inserted at position 1 to run BEFORE cisco VPN chains
|
||||
# Forward rules - MUST be at position 1 to run BEFORE cisco VPN chains
|
||||
# The cisco VPN chains have catch-all DROP rules that would block our traffic
|
||||
if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
|
||||
|
||||
# Wait for Cisco to create its chains (they appear after VPN connects)
|
||||
local wait_count=0
|
||||
while ! iptables -L ciscovpn -n &>/dev/null && [ $wait_count -lt 30 ]; do
|
||||
log DEBUG "Waiting for Cisco VPN chains to be created..."
|
||||
sleep 1
|
||||
((wait_count++))
|
||||
done
|
||||
|
||||
if iptables -L ciscovpn -n &>/dev/null; then
|
||||
log DEBUG "Cisco VPN chains detected"
|
||||
else
|
||||
log DEBUG "Forward rule (to target) already exists"
|
||||
log WARN "Cisco VPN chains not created after ${wait_count}s - proceeding anyway"
|
||||
fi
|
||||
|
||||
if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (from target) already exists"
|
||||
fi
|
||||
# Remove any existing rules first (ignore errors if they don't exist)
|
||||
iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
|
||||
iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null || true
|
||||
iptables -D FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
|
||||
iptables -D FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
|
||||
|
||||
# Accept forwarding from container network
|
||||
if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (from container network) already exists"
|
||||
fi
|
||||
|
||||
if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
# Insert at position 1 (reverse order so they end up in correct order)
|
||||
run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (to container network) already exists"
|
||||
fi
|
||||
run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
|
||||
run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
|
||||
run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
|
||||
|
||||
# Cisco VPN chain bypass (insert at top if chain exists)
|
||||
if iptables -L ciscovpn -n &>/dev/null; then
|
||||
|
||||
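Review bot: `((wait_count++))` at the bottom of the wait loop exits with status 1 on the first pass (the post-increment expression evaluates to 0), so if the script runs under `set -e` — not visible in this hunk — the loop body aborts the script before the chain check is ever repeated; `wait_count=$((wait_count + 1))` has the same effect without that trap. The four `iptables -D … 2>/dev/null || true` lines each remove only a single matching rule, so should duplicates ever exist in FORWARD they would remain below the fresh inserts and the position-1 guarantee would be only partial; a drain loop such as `while iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; do :; done` per rule removes every occurrence. The three unconditional `-I FORWARD 1` inserts deserve a comment stating their effect, since anything forwarded to or from `$TARGET_IP` or 172.31.0.0/24 is thereby exempted from the ciscovpn DROP chains, e.g. `# These ACCEPTs run before the ciscovpn chains; keep them scoped to the target host and container subnet only`. setup_forwarding begins before this hunk, and the `if iptables -L ciscovpn -n` block at its end continues past it.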