aboutsummaryrefslogtreecommitdiffstats
path: root/package/strongswan/patches/210-updown.patch
diff options
context:
space:
mode:
authorFlorian Fainelli <florian@openwrt.org>2007-02-28 13:30:51 +0000
committerFlorian Fainelli <florian@openwrt.org>2007-02-28 13:30:51 +0000
commit5ee1f53cb1190bae51e43e1469a3c89f380376ee (patch)
tree9651a517795b0064548993905ffe2979e28fdd7a /package/strongswan/patches/210-updown.patch
parent96c42dce806b42e947a743453e09dbff20c804d7 (diff)
downloadupstream-5ee1f53cb1190bae51e43e1469a3c89f380376ee.tar.gz
upstream-5ee1f53cb1190bae51e43e1469a3c89f380376ee.tar.bz2
upstream-5ee1f53cb1190bae51e43e1469a3c89f380376ee.zip
Add strongswan (#1330)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@6429 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/strongswan/patches/210-updown.patch')
-rw-r--r--package/strongswan/patches/210-updown.patch660
1 files changed, 660 insertions, 0 deletions
diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch
new file mode 100644
index 0000000000..9361f43481
--- /dev/null
+++ b/package/strongswan/patches/210-updown.patch
@@ -0,0 +1,660 @@
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
+--- strongswan-2.8.2-orig/programs/_updown/_updown.8 2006-04-17 02:48:49.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500
+@@ -8,8 +8,23 @@
+ .I _updown
+ is invoked by pluto when it has brought up a new connection. This script
+ is used to insert the appropriate routing entries for IPsec operation.
+-It can also be used to insert and delete dynamic iptables firewall rules.
+-The interface to the script is documented in the pluto man page.
++It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
++By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
++tables. Most distributions will want to change that to provide more
++flexibility in their firewall configuration.
++The script looks for the environment variables
++.B IPSEC_UPDOWN_RULE_IN
++for the iptables table it should insert into,
++.B IPSEC_UPDOWN_DEST_IN
++for where the rule should -j jump to,
++.B IPSEC_UPDOWN_RULE_OUT
++.B IPSEC_UPDOWN_DEST_OUT
++for the same on outgoing packets, and
++.B IPSEC_UPDOWN_FWD_RULE_IN
++.B IPSEC_UPDOWN_FWD_DEST_IN
++.B IPSEC_UPDOWN_FWD_RULE_OUT
++.B IPSEC_UPDOWN_FWD_DEST_OUT
++respectively for packets being forwarded to/from the local networks.
+ .SH "SEE ALSO"
+ ipsec(8), ipsec_pluto(8).
+ .SH HISTORY
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
+--- strongswan-2.8.2-orig/programs/_updown/_updown.in 2006-04-17 11:06:29.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.in 2007-02-05 02:08:24.969100428 -0500
+@@ -5,6 +5,7 @@
+ # Copyright (C) 2003-2004 Tuomo Soini
+ # Copyright (C) 2002-2004 Michael Richardson
+ # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
++# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
+ #
+ # This program is free software; you can redistribute it and/or modify it
+ # under the terms of the GNU General Public License as published by the
+@@ -118,20 +119,61 @@
+ # restricted on the peer side.
+ #
+
+-# uncomment to log VPN connections
+-VPN_LOGGING=1
+-#
++# set to /bin/true to silence log messages
++LOGGER=logger
++
+ # tag put in front of each log entry:
+ TAG=vpn
+-#
++
+ # syslog facility and priority used:
+-FAC_PRIO=local0.notice
+-#
+-# to create a special vpn logging file, put the following line into
+-# the syslog configuration file /etc/syslog.conf:
+-#
+-# local0.notice -/var/log/vpn
+-#
++FAC_PRIO=authpriv.info
++
++
++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
++ IPSEC_POLICY_IN=""
++ IPSEC_POLICY_OUT=""
++else
++ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
++ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
++ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
++fi
++
++# are there port numbers?
++if [ "$PLUTO_MY_PORT" != 0 ] ; then
++ S_MY_PORT="--sport $PLUTO_MY_PORT"
++ D_MY_PORT="--dport $PLUTO_MY_PORT"
++fi
++
++if [ "$PLUTO_PEER_PORT" != 0 ] ; then
++ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
++ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
++fi
++
++# import firewall behavior
++IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
++IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
++IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
++IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
++
++# import forwarding behavior
++FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
++FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
++FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
++FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
++
++# default firewall behavior
++[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
++[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
++[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
++[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
++
++# default forwarding behavior
++[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
++[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
++[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
++[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
++
+
+ # check interface version
+ case "$PLUTO_VERSION" in
+@@ -150,8 +192,6 @@
+ case "$1:$*" in
+ ':') # no parameters
+ ;;
+-iptables:iptables) # due to (left/right)firewall; for default script only
+- ;;
+ custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+ *) echo "$0: unknown parameters \`$*'" >&2
+@@ -159,345 +199,307 @@
+ ;;
+ esac
+
++
+ # utility functions for route manipulation
+ # Meddling with this stuff should not be necessary and requires great care.
++
+ uproute() {
+ doroute add
+ ip route flush cache
+ }
++
+ downroute() {
+ doroute delete
+ ip route flush cache
+ }
+
++upfirewall() {
++ in_rule=$1
++ in_dest=$2
++ out_rule=$3
++ out_dest=$4
++
++ [ -n "$in_rule" -a -n "$in_dest" ] && \
++ iptables -I $in_rule 1 \
++ -i $PLUTO_INTERFACE \
++ -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN \
++ -j $in_dest
++
++ [ -n "$out_rule" -a -n "$out_dest" ] && \
++ iptables -I $out_rule 1 \
++ -o $PLUTO_INTERFACE \
++ -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT \
++ -j $out_dest
++
++}
++
++downfirewall() {
++ in_rule=$1
++ in_dest=$2
++ out_rule=$3
++ out_dest=$4
++
++ [ -n "$in_rule" -a -n "$in_dest" ] && \
++ iptables -D $in_rule \
++ -i $PLUTO_INTERFACE \
++ -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN \
++ -j $in_dest
++
++ [ -n "$out_rule" -a -n "$out_dest" ] && \
++ iptables -D $out_rule \
++ -o $PLUTO_INTERFACE \
++ -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT \
++ -j $out_dest
++
++}
++
+ addsource() {
+ st=0
+- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+- then
++
++ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
++
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
+ oops="silent error, exit status $st"
+ fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
++
+ return $st
+ }
+
+ doroute() {
+ st=0
+ parms="$PLUTO_PEER_CLIENT"
++ parms2="dev $PLUTO_INTERFACE"
+
+- parms2=
+- if [ -n "$PLUTO_NEXT_HOP" ]
+- then
+- parms2="via $PLUTO_NEXT_HOP"
+- fi
+- parms2="$parms2 dev $PLUTO_INTERFACE"
+-
+- if [ -z "$PLUTO_MY_SOURCEIP" ]
+- then
+- if [ -f /etc/sysconfig/defaultsource ]
+- then
+- . /etc/sysconfig/defaultsource
+- fi
++ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
+
+- if [ -f /etc/conf.d/defaultsource ]
+- then
+- . /etc/conf.d/defaultsource
+- fi
++ [ -f /etc/sysconfig/defaultsource ] && \
++ . /etc/sysconfig/defaultsource
++
++ [ -f /etc/conf.d/defaultsource ] && \
++ . /etc/conf.d/defaultsource
++
++ [ -n "$DEFAULTSOURCE" ] && \
++ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+
+- if [ -n "$DEFAULTSOURCE" ]
+- then
+- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+- fi
+ fi
+
+ parms3=
+- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
+- then
++ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
+ addsource
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
+ fi
+
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+- ip route $1 128.0.0.0/1 $parms2 $parms3"
+- ;;
+- *) it="ip route $1 $parms $parms2 $parms3"
+- ;;
+- esac
++ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
++ ip route $1 128.0.0.0/1 $parms2 $parms3"
++ else
++ it="ip route $1 $parms $parms2 $parms3"
++ fi
++
+ oops="`eval $it 2>&1`"
+ st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
+- oops="silent error, exit status $st"
+- fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
+- echo "$0: doroute \`$it' failed ($oops)" >&2
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
++ echo "$0: doroute \`$it' failed ($oops)" >&2
++ fi
++
+ return $st
+ }
+-
+-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+-then
+- IPSEC_POLICY_IN=""
+- IPSEC_POLICY_OUT=""
+-else
+- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+-fi
+
+-# are there port numbers?
+-if [ "$PLUTO_MY_PORT" != 0 ]
+-then
+- S_MY_PORT="--sport $PLUTO_MY_PORT"
+- D_MY_PORT="--dport $PLUTO_MY_PORT"
+-fi
+-if [ "$PLUTO_PEER_PORT" != 0 ]
+-then
+- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+-fi
++dologentry() {
++ action=$1
++
++ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
++ rem="$PLUTO_PEER"
++ else
++ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
++ fi
++
++ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
++ loc="$PLUTO_ME"
++ else
++ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++
++ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
++}
++
+
+ # the big choice
++
+ case "$PLUTO_VERB:$1" in
+ prepare-host:*|prepare-client:*)
+ # delete possibly-existing route (preliminary to adding a route)
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
+- # need to provide route that eclipses default, without
++
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
++ # need to remove the route that eclipses default, without
+ # replacing it.
+- parms1="0.0.0.0/1"
+- parms2="128.0.0.0/1"
+- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+- ;;
+- *)
+- parms="$PLUTO_PEER_CLIENT"
+- it="ip route delete $parms 2>&1"
+- oops="`ip route delete $parms 2>&1`"
+- ;;
+- esac
+- status="$?"
+- if test " $oops" = " " -a " $status" != " 0"
+- then
+- oops="silent error, exit status $status"
++ it="( ip route delete 0.0.0.0/1 ;
++ ip route delete 128.0.0.0/1 )"
++ else
++ it="ip route delete $PLUTO_PEER_CLIENT"
++ fi
++
++ oops="`$it 2>&1`"
++ st="$?"
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+- status=0
++ st=0
+ ;;
+ esac
+- if test " $oops" != " " -o " $status" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+- exit $status
++
++ exit $st
++
+ ;;
+ route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
++
++ ipsec _showstatus valid
+ uproute
++
+ ;;
+ unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
++
++ ipsec _showstatus invalid
+ downroute
++
+ ;;
+-up-host:)
++up-host:*)
+ # connection to me coming up
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus up
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-UP"
++
+ ;;
+-down-host:)
++down-host:*)
+ # connection to me going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-client:)
+- # connection to my client subnet coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-client:)
+- # connection to my client subnet going down
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus down
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-DN"
++
+ ;;
+-up-host:iptables)
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-down-host:iptables)
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-up-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++up-client:*)
++ # connection to client subnet coming up
++
++ ipsec _showstatus up
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+- ;;
+-down-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ fi
++
++ dologentry "VPN-UP"
++
++ ;;
++down-client:*)
++ # connection to client subnet going down
++
++ ipsec _showstatus down
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+ fi
++
++ dologentry "VPN-DN"
++
+ ;;
+-#
+-# IPv6
+-#
+ prepare-host-v6:*|prepare-client-v6:*)
++
+ ;;
+ route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
++
+ #uproute_v6
++
+ ;;
+ unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
++
+ #downroute_v6
++
+ ;;
+ up-host-v6:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-host-v6:*)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
++*)
++ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
++
+ ;;
+ esac
++