From b48955cc85b998e387c5de75ed60ce432993f2bb Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Iniesta
Date: Fri, 24 Feb 2012 11:40:25 +0100
Subject: Last correction to the send_redirects patch. Also added a note on the new init.d script behaviour regarding all.send_redirects.
---
 debian/README.Debian | 13 ++++++++++++-
 debian/openvpn.init.d | 7 +++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
(limited to 'debian')
diff --git a/debian/README.Debian b/debian/README.Debian
index 1523586..592cdf9 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -10,6 +10,7 @@ In this file: - Out of memory issues - LDAP+TLS authentication runs into file exhaustion - Possible consequences of the 'chroot' option +- Disabling all.send_redirects on tun + topology subnet setups openvpn for Debian
@@ -216,4 +217,14 @@ Create an additional "dev/log" socket in the jail by "-a" option to sysklogd or Kudos to him, for finding out and proposing a solution. - -- Alberto Gonzalez Iniesta Fri, 09 Jul 2010 12:46:30 +0200 + +Disabling all.send_redirects on tun + topology subnet setups +------------------------------------------------------------ + +If any of your VPNs uses "dev tun" and "topology subnet" but does not use +"client-to-client", OpenVPN's init.d script will disable all.send_redirects +(set it to 0) to avoid sending ICMP redirects trough the tun interfaces (and +confusing clients). + + -- Alberto Gonzalez Iniesta Fri, 24 Feb 2012 11:03:50 +0100
diff --git a/debian/openvpn.init.d b/debian/openvpn.init.d
index 62a6bc5..cb326bf 100644
--- a/debian/openvpn.init.d
+++ b/debian/openvpn.init.d
@@ -70,7 +70,10 @@ start_vpn () {
 # Save the default value for send_redirects before disabling it
 # to make sure the tun device is created with send_redirects disabled
 SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects)
- sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
+
+ if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
+ sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
+ fi
 fi
 fi
@@ -86,7 +89,7 @@ start_vpn () {
 [ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /var/run/openvpn.$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid
 # Set the back the original default value of send_redirects if it was changed
- if [ -n "$SAVED_DEFAULT_SEND_REDIRECTS" ]; then
+ if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
 sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null
 fi
 }
--
cgit v1.2.3
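Review bot: The restore test in the second hunk, `if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then`, is not safe when the variable is empty: the `-n` test it replaces covered the case where the save/disable block of the first hunk was never entered (a VPN that is not tun + topology subnet) or `sysctl -n` printed nothing (key missing in a container or with IPv4 disabled), and with `-ne` an empty operand makes `test` fail with "integer expression expected" / "Illegal number" instead of evaluating to false, so every such start prints an error. Unless SAVED_DEFAULT_SEND_REDIRECTS is initialised to 0 somewhere above line 70, which is outside the hunk, keep both conditions: `if [ -n "$SAVED_DEFAULT_SEND_REDIRECTS" ] && [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then`. The new test in the first hunk has the same weakness when `sysctl -n` fails, and the same guard applies there. Note also that net.ipv4.conf.default.send_redirects is a system-wide template, so any interface another service creates between the two hunks inherits 0, and if the script returns between them (those lines are not shown) the saved value is never restored; a comment above the save line stating that window would help operators. Both hunks are inside start_vpn(), whose body starts and ends outside them.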