Diffstat (limited to 'package/strongswan/patches')
-rw-r--r--package/strongswan/patches/100-ar-fixes.patch81
-rw-r--r--package/strongswan/patches/110-make-ipsec.patch11
-rw-r--r--package/strongswan/patches/120-make-pluto.patch13
-rw-r--r--package/strongswan/patches/130-make-starter.patch21
-rw-r--r--package/strongswan/patches/200-wakeup-showstatus.patch234
-rw-r--r--package/strongswan/patches/210-updown.patch662
-rw-r--r--package/strongswan/patches/300-openwrt.patch26
-rw-r--r--package/strongswan/patches/310-make-ipsec-alg.patch19
-rw-r--r--package/strongswan/patches/320-no-modprobe.patch108
-rw-r--r--package/strongswan/patches/350-make-programs.patch21
10 files changed, 0 insertions, 1196 deletions
diff --git a/package/strongswan/patches/100-ar-fixes.patch b/package/strongswan/patches/100-ar-fixes.patch
deleted file mode 100644
index 2e9d7800eb..0000000000
--- a/package/strongswan/patches/100-ar-fixes.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Index: strongswan-2.8.2/lib/libcrypto/libaes/Makefile
-===================================================================
---- strongswan-2.8.2.orig/lib/libcrypto/libaes/Makefile 2007-06-04 13:23:04.777007680 +0200
-+++ strongswan-2.8.2/lib/libcrypto/libaes/Makefile 2007-06-04 13:23:04.873992936 +0200
-@@ -25,10 +25,8 @@
-
- $(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
-- ar cr $(BLIB) $(LIBOBJ)
-- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
-- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
-- else exit 0; fi; fi
-+ $(AR) cr $(BLIB) $(LIBOBJ)
-+ $(RANLIB) $(BLIB)
-
- testx: test_main_mac.o $(BLIB)
- $(CC) -o $@ $^
-Index: strongswan-2.8.2/lib/libcrypto/libblowfish/Makefile
-===================================================================
---- strongswan-2.8.2.orig/lib/libcrypto/libblowfish/Makefile 2007-06-04 13:23:04.783006768 +0200
-+++ strongswan-2.8.2/lib/libcrypto/libblowfish/Makefile 2007-06-04 13:23:04.873992936 +0200
-@@ -58,7 +58,7 @@
- lib: $(LIB)
-
- $(LIB): $(LIBOBJ)
-- $(AR) $(LIB) $(LIBOBJ)
-+ $(AR) -r $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
-
- # elf
-Index: strongswan-2.8.2/lib/libcrypto/libserpent/Makefile
-===================================================================
---- strongswan-2.8.2.orig/lib/libcrypto/libserpent/Makefile 2007-06-04 13:23:04.790005704 +0200
-+++ strongswan-2.8.2/lib/libcrypto/libserpent/Makefile 2007-06-04 13:23:04.873992936 +0200
-@@ -8,10 +8,8 @@
-
- $(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
-- ar cr $(BLIB) $(LIBOBJ)
-- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
-- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
-- else exit 0; fi; fi
-+ $(AR) cr $(BLIB) $(LIBOBJ)
-+ $(RANLIB) $(BLIB)
-
- test: test_main.o $(BLIB)
- $(CC) -o $@ $^
-Index: strongswan-2.8.2/lib/libcrypto/libsha2/Makefile
-===================================================================
---- strongswan-2.8.2.orig/lib/libcrypto/libsha2/Makefile 2007-06-04 13:23:04.796004792 +0200
-+++ strongswan-2.8.2/lib/libcrypto/libsha2/Makefile 2007-06-04 13:23:04.874992784 +0200
-@@ -9,10 +9,8 @@
-
- $(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
-- ar cr $(BLIB) $(LIBOBJ)
-- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
-- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
-- else exit 0; fi; fi
-+ $(AR) cr $(BLIB) $(LIBOBJ)
-+ $(RANLIB) $(BLIB)
-
- test: test_main.o $(BLIB)
- $(CC) -o $@ $^
-Index: strongswan-2.8.2/lib/libcrypto/libtwofish/Makefile
-===================================================================
---- strongswan-2.8.2.orig/lib/libcrypto/libtwofish/Makefile 2007-06-04 13:23:04.804003576 +0200
-+++ strongswan-2.8.2/lib/libcrypto/libtwofish/Makefile 2007-06-04 13:23:04.874992784 +0200
-@@ -9,10 +9,8 @@
-
- $(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
-- ar cr $(BLIB) $(LIBOBJ)
-- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
-- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
-- else exit 0; fi; fi
-+ $(AR) cr $(BLIB) $(LIBOBJ)
-+ $(RANLIB) $(BLIB)
-
- test: test_main.o $(BLIB)
- $(CC) -o $@ $^
diff --git a/package/strongswan/patches/110-make-ipsec.patch b/package/strongswan/patches/110-make-ipsec.patch
deleted file mode 100644
index 0d2a4e6fb1..0000000000
--- a/package/strongswan/patches/110-make-ipsec.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-Index: strongswan-2.8.2/programs/ipsec/Makefile
-===================================================================
---- strongswan-2.8.2.orig/programs/ipsec/Makefile 2007-06-04 13:23:04.756010872 +0200
-+++ strongswan-2.8.2/programs/ipsec/Makefile 2007-06-04 13:23:05.227939128 +0200
-@@ -24,5 +24,5 @@
- include ../Makefile.program
-
- install:: ipsec
-- @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
-+ @$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec
-
diff --git a/package/strongswan/patches/120-make-pluto.patch b/package/strongswan/patches/120-make-pluto.patch
deleted file mode 100644
index e0dd813bb7..0000000000
--- a/package/strongswan/patches/120-make-pluto.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: strongswan-2.8.2/programs/pluto/alg/Makefile
-===================================================================
---- strongswan-2.8.2.orig/programs/pluto/alg/Makefile 2007-06-04 13:23:04.734014216 +0200
-+++ strongswan-2.8.2/programs/pluto/alg/Makefile 2007-06-04 13:23:05.416910400 +0200
-@@ -20,7 +20,7 @@
- include Config.ike_alg
-
- LIBCRYPTO:=../../../lib/libcrypto
--ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO)
-+ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE)
- LIBALG := libalg.o
-
- all : $(LIBALG)
diff --git a/package/strongswan/patches/130-make-starter.patch b/package/strongswan/patches/130-make-starter.patch
deleted file mode 100644
index 93888ab6b6..0000000000
--- a/package/strongswan/patches/130-make-starter.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: strongswan-2.8.2/programs/starter/Makefile
-===================================================================
---- strongswan-2.8.2.orig/programs/starter/Makefile 2007-06-04 13:23:04.711017712 +0200
-+++ strongswan-2.8.2/programs/starter/Makefile 2007-06-04 13:23:06.227787128 +0200
-@@ -16,7 +16,6 @@
- FREESWANSRCDIR?=$(shell cd ../..; pwd)
- include ${FREESWANSRCDIR}/Makefile.inc
-
--LD=$(CC)
- RM=rm
- LEX=flex
- BISON=bison
-@@ -59,7 +58,7 @@
- all: starter
-
- starter: $(OBJS) $(FREESWANLIB)
-- $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
-+ $(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
-
- lex.yy.c: parser.tab.c parser.l parser.y parser.h
- $(LEX) parser.l
diff --git a/package/strongswan/patches/200-wakeup-showstatus.patch b/package/strongswan/patches/200-wakeup-showstatus.patch
deleted file mode 100644
index 731f83c2e0..0000000000
--- a/package/strongswan/patches/200-wakeup-showstatus.patch
+++ /dev/null
@@ -1,234 +0,0 @@
-Index: strongswan-2.8.2/programs/Makefile
-===================================================================
---- strongswan-2.8.2.orig/programs/Makefile 2007-06-04 13:23:04.661025312 +0200
-+++ strongswan-2.8.2/programs/Makefile 2007-06-04 13:23:06.414758704 +0200
-@@ -22,7 +22,7 @@
- SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
- SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
- SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
--SUBDIRS+=ikeping examples openac scepclient
-+SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
-
- ifeq ($(USE_LWRES),true)
- SUBDIRS+=lwdnsq
-Index: strongswan-2.8.2/programs/_showstatus/Makefile
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ strongswan-2.8.2/programs/_showstatus/Makefile 2007-06-04 13:23:06.414758704 +0200
-@@ -0,0 +1,22 @@
-+# Makefile for miscelaneous programs
-+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-+#
-+# This program is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 2 of the License, or (at your
-+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-+#
-+# This program is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# for more details.
-+#
-+# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
-+
-+FREESWANSRCDIR=../..
-+include ${FREESWANSRCDIR}/Makefile.inc
-+
-+PROGRAM=_showstatus
-+PROGRAMDIR=${LIBDIR}
-+
-+include ../Makefile.program
-Index: strongswan-2.8.2/programs/_showstatus/_showstatus.8
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ strongswan-2.8.2/programs/_showstatus/_showstatus.8 2007-06-04 13:23:06.414758704 +0200
-@@ -0,0 +1,23 @@
-+.TH _showstatus 8 "03 Feb 2007"
-+.\"
-+.\" RCSID $Id: _showstatus.8
-+.\"
-+.SH NAME
-+ipsec _showstatus \- give state feedback via led or other method
-+.SH SYNOPSIS
-+.I _showstatus
-+is invoked by _updown to trigger led's, or other distribution
-+or platform specific behavior. Presently, the SES button is
-+supported as a status light on OpenWRT platforms. The button
-+is configurable by environment variable:
-+-B IPSEC_STATUS_LED_START
-+defaults to ses_orange, and
-+-B IPSEC_STATUS_LED_VALID
-+defaults to ses_white.
-+.SH "SEE ALSO"
-+ipsec(8), ipsec_updown(8).
-+.SH HISTORY
-+Man page written for the Linux strongSwan project <http://www.strongswan.org/>
-+by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
-+Original program written by Henry Spencer. Extended for the Linux strongSwan
-+project <http://www.strongswan.org/> by Andreas Steffen.
-Index: strongswan-2.8.2/programs/_showstatus/_showstatus.in
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ strongswan-2.8.2/programs/_showstatus/_showstatus.in 2007-06-04 13:23:06.414758704 +0200
-@@ -0,0 +1,70 @@
-+#! /bin/sh
-+#
-+# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
-+#
-+# This program is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 2 of the License, or (at your
-+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-+#
-+# This program is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# for more details.
-+#
-+# RCSID $Id: _showstatus.in
-+
-+
-+LED_START=$IPSEC_STATUS_LED_START
-+LED_VALID=$IPSEC_STATUS_LED_VALID
-+
-+[ -z "$LED_START" ] && LED_START="ses_orange"
-+[ -z "$LED_VALID" ] && LED_VALID="ses_white"
-+
-+
-+setled() {
-+ led=$1
-+ st=$2
-+
-+ [ -n "$led" -a -n "$st" ] || return
-+
-+ if [ -w "/proc/diag/led/$led" ] ; then
-+ echo "$st" > "/proc/diag/led/$led"
-+ fi
-+
-+ # integrate other led control methods here
-+
-+}
-+
-+
-+case "$1" in
-+ 'start')
-+ [ -n "$LED_VALID" ] && setled "$LED_START" 1
-+ [ -z "$LED_VALID" ] && setled "$LED_START" f
-+ setled "$LED_VALID" 0
-+ ;;
-+ 'stop')
-+ setled "$LED_START" 0
-+ setled "$LED_VALID" 0
-+ ;;
-+ 'valid')
-+ setled "$LED_VALID" 1
-+ ;;
-+ 'invalid')
-+ setled "$LED_VALID" 0
-+ ;;
-+ 'up')
-+ [ -n "$LED_VALID" ] && setled "$LED_START" 0
-+ [ -z "$LED_VALID" ] && setled "$LED_START" 1
-+ setled "$LED_VALID" 1
-+ ;;
-+ 'down')
-+ [ -n "$LED_VALID" ] && setled "$LED_START" 1
-+ [ -z "$LED_VALID" ] && setled "$LED_START" f
-+ setled "$LED_VALID" f
-+ ;;
-+ *)
-+ echo "$0: unknown status $status" >&2
-+ ;;
-+esac
-+
-Index: strongswan-2.8.2/programs/wakeup/Makefile
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ strongswan-2.8.2/programs/wakeup/Makefile 2007-06-04 13:23:06.415758552 +0200
-@@ -0,0 +1,22 @@
-+# Makefile for miscelaneous programs
-+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-+#
-+# This program is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 2 of the License, or (at your
-+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-+#
-+# This program is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# for more details.
-+#
-+# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
-+
-+FREESWANSRCDIR=../..
-+include ${FREESWANSRCDIR}/Makefile.inc
-+
-+PROGRAM=wakeup
-+PROGRAMDIR=${LIBDIR}
-+
-+include ../Makefile.program
-Index: strongswan-2.8.2/programs/wakeup/wakeup.8
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ strongswan-2.8.2/programs/wakeup/wakeup.8 2007-06-04 13:23:06.415758552 +0200
-@@ -0,0 +1,16 @@
-+.TH wakeup 8 "03 Feb 2007"
-+.\"
-+.\" RCSID $Id: wakeup.8
-+.\"
-+.SH NAME
-+ipsec wakeup \- stalled and down connection detection
-+.SH SYNOPSIS
-+.I wakeup
-+is invoked by cron and checks ipsec status, whacking as necessary.
-+.SH "SEE ALSO"
-+ipsec(8), ipsec_whack(8).
-+.SH HISTORY
-+Man page written for the Linux strongSwan project <http://www.strongswan.org/>
-+by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
-+Original program written by Henry Spencer. Extended for the Linux strongSwan
-+project <http://www.strongswan.org/> by Andreas Steffen.
-Index: strongswan-2.8.2/programs/wakeup/wakeup.in
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ strongswan-2.8.2/programs/wakeup/wakeup.in 2007-06-04 13:23:06.415758552 +0200
-@@ -0,0 +1,38 @@
-+#! /bin/sh
-+# wakeup script
-+#
-+# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
-+#
-+# This program is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 2 of the License, or (at your
-+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-+#
-+# This program is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-+# for more details.
-+#
-+
-+# only applicable when ipsec is running
-+[ -e /var/run/pluto.pid ] || exit
-+
-+# loop through any erouted tunnels in the HOLD state
-+for f in `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do
-+
-+ # only whack if no pending events at all exists
-+ ipsec status | grep STATE | grep -q $f ||
-+ ipsec whack --name $f --initiate --asynchronous
-+
-+done
-+
-+# loop through any tunnels that don't quite exist
-+for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do
-+
-+ ipsec status | grep STATE_QUICK | grep -q $f || {
-+ ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f
-+ ipsec up $f
-+ }
-+
-+done
-+
diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch
deleted file mode 100644
index d546625316..0000000000
--- a/package/strongswan/patches/210-updown.patch
+++ /dev/null
@@ -1,662 +0,0 @@
-Index: strongswan-2.8.2/programs/_updown/_updown.8
-===================================================================
---- strongswan-2.8.2.orig/programs/_updown/_updown.8 2007-06-04 13:23:04.632029720 +0200
-+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-06-04 13:23:06.656721920 +0200
-@@ -8,8 +8,23 @@
- .I _updown
- is invoked by pluto when it has brought up a new connection. This script
- is used to insert the appropriate routing entries for IPsec operation.
--It can also be used to insert and delete dynamic iptables firewall rules.
--The interface to the script is documented in the pluto man page.
-+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
-+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
-+tables. Most distributions will want to change that to provide more
-+flexibility in their firewall configuration.
-+The script looks for the environment variables
-+.B IPSEC_UPDOWN_RULE_IN
-+for the iptables table it should insert into,
-+.B IPSEC_UPDOWN_DEST_IN
-+for where the rule should -j jump to,
-+.B IPSEC_UPDOWN_RULE_OUT
-+.B IPSEC_UPDOWN_DEST_OUT
-+for the same on outgoing packets, and
-+.B IPSEC_UPDOWN_FWD_RULE_IN
-+.B IPSEC_UPDOWN_FWD_DEST_IN
-+.B IPSEC_UPDOWN_FWD_RULE_OUT
-+.B IPSEC_UPDOWN_FWD_DEST_OUT
-+respectively for packets being forwarded to/from the local networks.
- .SH "SEE ALSO"
- ipsec(8), ipsec_pluto(8).
- .SH HISTORY
-Index: strongswan-2.8.2/programs/_updown/_updown.in
-===================================================================
---- strongswan-2.8.2.orig/programs/_updown/_updown.in 2007-06-04 13:23:04.642028200 +0200
-+++ strongswan-2.8.2/programs/_updown/_updown.in 2007-06-04 13:23:06.657721768 +0200
-@@ -5,6 +5,7 @@
- # Copyright (C) 2003-2004 Tuomo Soini
- # Copyright (C) 2002-2004 Michael Richardson
- # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
-+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
- #
- # This program is free software; you can redistribute it and/or modify it
- # under the terms of the GNU General Public License as published by the
-@@ -118,20 +119,61 @@
- # restricted on the peer side.
- #
-
--# uncomment to log VPN connections
--VPN_LOGGING=1
--#
-+# set to /bin/true to silence log messages
-+LOGGER=logger
-+
- # tag put in front of each log entry:
- TAG=vpn
--#
-+
- # syslog facility and priority used:
--FAC_PRIO=local0.notice
--#
--# to create a special vpn logging file, put the following line into
--# the syslog configuration file /etc/syslog.conf:
--#
--# local0.notice -/var/log/vpn
--#
-+FAC_PRIO=authpriv.info
-+
-+
-+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
-+ IPSEC_POLICY_IN=""
-+ IPSEC_POLICY_OUT=""
-+else
-+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-+fi
-+
-+# are there port numbers?
-+if [ "$PLUTO_MY_PORT" != 0 ] ; then
-+ S_MY_PORT="--sport $PLUTO_MY_PORT"
-+ D_MY_PORT="--dport $PLUTO_MY_PORT"
-+fi
-+
-+if [ "$PLUTO_PEER_PORT" != 0 ] ; then
-+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-+fi
-+
-+# import firewall behavior
-+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
-+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
-+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
-+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
-+
-+# import forwarding behavior
-+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
-+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
-+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
-+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
-+
-+# default firewall behavior
-+[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
-+[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
-+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
-+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
-+
-+# default forwarding behavior
-+[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
-+[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
-+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
-+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
-+
-
- # check interface version
- case "$PLUTO_VERSION" in
-@@ -150,8 +192,6 @@
- case "$1:$*" in
- ':') # no parameters
- ;;
--iptables:iptables) # due to (left/right)firewall; for default script only
-- ;;
- custom:*) # custom parameters (see above CAUTION comment)
- ;;
- *) echo "$0: unknown parameters \`$*'" >&2
-@@ -159,345 +199,307 @@
- ;;
- esac
-
-+
- # utility functions for route manipulation
- # Meddling with this stuff should not be necessary and requires great care.
-+
- uproute() {
- doroute add
- ip route flush cache
- }
-+
- downroute() {
- doroute delete
- ip route flush cache
- }
-
-+upfirewall() {
-+ in_rule=$1
-+ in_dest=$2
-+ out_rule=$3
-+ out_dest=$4
-+
-+ [ -n "$in_rule" -a -n "$in_dest" ] && \
-+ iptables -I $in_rule 1 \
-+ -i $PLUTO_INTERFACE \
-+ -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
-+ $IPSEC_POLICY_IN \
-+ -j $in_dest
-+
-+ [ -n "$out_rule" -a -n "$out_dest" ] && \
-+ iptables -I $out_rule 1 \
-+ -o $PLUTO_INTERFACE \
-+ -p $PLUTO_PEER_PROTOCOL \
-+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-+ $IPSEC_POLICY_OUT \
-+ -j $out_dest
-+
-+}
-+
-+downfirewall() {
-+ in_rule=$1
-+ in_dest=$2
-+ out_rule=$3
-+ out_dest=$4
-+
-+ [ -n "$in_rule" -a -n "$in_dest" ] && \
-+ iptables -D $in_rule \
-+ -i $PLUTO_INTERFACE \
-+ -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
-+ $IPSEC_POLICY_IN \
-+ -j $in_dest
-+
-+ [ -n "$out_rule" -a -n "$out_dest" ] && \
-+ iptables -D $out_rule \
-+ -o $PLUTO_INTERFACE \
-+ -p $PLUTO_PEER_PROTOCOL \
-+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-+ $IPSEC_POLICY_OUT \
-+ -j $out_dest
-+
-+}
-+
- addsource() {
- st=0
-- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-- then
-+
-+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
-+
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
-- if test " $oops" = " " -a " $st" != " 0"
-- then
-+
-+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
- oops="silent error, exit status $st"
- fi
-- if test " $oops" != " " -o " $st" != " 0"
-- then
-+
-+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
-+
- return $st
- }
-
- doroute() {
- st=0
- parms="$PLUTO_PEER_CLIENT"
-+ parms2="dev $PLUTO_INTERFACE"
-
-- parms2=
-- if [ -n "$PLUTO_NEXT_HOP" ]
-- then
-- parms2="via $PLUTO_NEXT_HOP"
-- fi
-- parms2="$parms2 dev $PLUTO_INTERFACE"
--
-- if [ -z "$PLUTO_MY_SOURCEIP" ]
-- then
-- if [ -f /etc/sysconfig/defaultsource ]
-- then
-- . /etc/sysconfig/defaultsource
-- fi
-+ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
-
-- if [ -f /etc/conf.d/defaultsource ]
-- then
-- . /etc/conf.d/defaultsource
-- fi
-+ [ -f /etc/sysconfig/defaultsource ] && \
-+ . /etc/sysconfig/defaultsource
-+
-+ [ -f /etc/conf.d/defaultsource ] && \
-+ . /etc/conf.d/defaultsource
-+
-+ [ -n "$DEFAULTSOURCE" ] && \
-+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-
-- if [ -n "$DEFAULTSOURCE" ]
-- then
-- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-- fi
- fi
-
- parms3=
-- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
-- then
-+ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
- addsource
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
- fi
-
-- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-- "0.0.0.0/0.0.0.0")
-+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
-+ "0.0.0.0/0.0.0.0" ] ; then
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
-- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-- ip route $1 128.0.0.0/1 $parms2 $parms3"
-- ;;
-- *) it="ip route $1 $parms $parms2 $parms3"
-- ;;
-- esac
-+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-+ ip route $1 128.0.0.0/1 $parms2 $parms3"
-+ else
-+ it="ip route $1 $parms $parms2 $parms3"
-+ fi
-+
- oops="`eval $it 2>&1`"
- st=$?
-- if test " $oops" = " " -a " $st" != " 0"
-- then
-- oops="silent error, exit status $st"
-- fi
-- if test " $oops" != " " -o " $st" != " 0"
-- then
-- echo "$0: doroute \`$it' failed ($oops)" >&2
-+
-+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
-+ oops="silent error, exit status $st"
- fi
-+
-+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
-+ echo "$0: doroute \`$it' failed ($oops)" >&2
-+ fi
-+
- return $st
- }
--
--# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
--if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
--then
-- IPSEC_POLICY_IN=""
-- IPSEC_POLICY_OUT=""
--else
-- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
--fi
-
--# are there port numbers?
--if [ "$PLUTO_MY_PORT" != 0 ]
--then
-- S_MY_PORT="--sport $PLUTO_MY_PORT"
-- D_MY_PORT="--dport $PLUTO_MY_PORT"
--fi
--if [ "$PLUTO_PEER_PORT" != 0 ]
--then
-- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
--fi
-+dologentry() {
-+ action=$1
-+
-+ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
-+ rem="$PLUTO_PEER"
-+ else
-+ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
-+ fi
-+
-+ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
-+ loc="$PLUTO_ME"
-+ else
-+ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
-+ fi
-+
-+ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
-+}
-+
-
- # the big choice
-+
- case "$PLUTO_VERB:$1" in
- prepare-host:*|prepare-client:*)
- # delete possibly-existing route (preliminary to adding a route)
-- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-- "0.0.0.0/0.0.0.0")
-- # need to provide route that eclipses default, without
-+
-+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
-+ "0.0.0.0/0.0.0.0" ] ; then
-+ # need to remove the route that eclipses default, without
- # replacing it.
-- parms1="0.0.0.0/1"
-- parms2="128.0.0.0/1"
-- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-- ;;
-- *)
-- parms="$PLUTO_PEER_CLIENT"
-- it="ip route delete $parms 2>&1"
-- oops="`ip route delete $parms 2>&1`"
-- ;;
-- esac
-- status="$?"
-- if test " $oops" = " " -a " $status" != " 0"
-- then
-- oops="silent error, exit status $status"
-+ it="( ip route delete 0.0.0.0/1 ;
-+ ip route delete 128.0.0.0/1 )"
-+ else
-+ it="ip route delete $PLUTO_PEER_CLIENT"
-+ fi
-+
-+ oops="`$it 2>&1`"
-+ st="$?"
-+
-+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
-+ oops="silent error, exit status $st"
- fi
-+
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
-- status=0
-+ st=0
- ;;
- esac
-- if test " $oops" != " " -o " $status" != " 0"
-- then
-+
-+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
-- exit $status
-+
-+ exit $st
-+
- ;;
- route-host:*|route-client:*)
- # connection to me or my client subnet being routed
-+
-+ ipsec _showstatus valid
- uproute
-+
- ;;
- unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
-+
-+ ipsec _showstatus invalid
- downroute
-+
- ;;
--up-host:)
-+up-host:*)
- # connection to me coming up
-- # If you are doing a custom version, firewall commands go here.
-+
-+ ipsec _showstatus up
-+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
-+ dologentry "VPN-UP"
-+
- ;;
--down-host:)
-+down-host:*)
- # connection to me going down
-- # If you are doing a custom version, firewall commands go here.
-- ;;
--up-client:)
-- # connection to my client subnet coming up
-- # If you are doing a custom version, firewall commands go here.
-- ;;
--down-client:)
-- # connection to my client subnet going down
-- # If you are doing a custom version, firewall commands go here.
-+
-+ ipsec _showstatus down
-+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
-+ dologentry "VPN-DN"
-+
- ;;
--up-host:iptables)
-- # connection to me, with (left/right)firewall=yes, coming up
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-- #
-- # log IPsec host connection setup
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-- else
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-- fi
-- fi
-- ;;
--down-host:iptables)
-- # connection to me, with (left/right)firewall=yes, going down
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-- #
-- # log IPsec host connection teardown
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-- else
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-- fi
-- fi
-- ;;
--up-client:iptables)
-- # connection to client subnet, with (left/right)firewall=yes, coming up
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-- then
-- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-+up-client:*)
-+ # connection to client subnet coming up
-+
-+ ipsec _showstatus up
-+
-+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
-+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
-+ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
- fi
-- #
-+
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
-- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-- then
-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- fi
-- #
-- # log IPsec client connection setup
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- else
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- fi
-- fi
-- ;;
--down-client:iptables)
-- # connection to client subnet, with (left/right)firewall=yes, going down
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-- then
-- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
-+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
-+ fi
-+
-+ dologentry "VPN-UP"
-+
-+ ;;
-+down-client:*)
-+ # connection to client subnet going down
-+
-+ ipsec _showstatus down
-+
-+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
-+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
-+ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
- fi
-- #
-+
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
-- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-- then
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- fi
-- #
-- # log IPsec client connection teardown
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- else
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- fi
-+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
-+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
- fi
-+
-+ dologentry "VPN-DN"
-+
- ;;
--#
--# IPv6
--#
- prepare-host-v6:*|prepare-client-v6:*)
-+
- ;;
- route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
-+
- #uproute_v6
-+
- ;;
- unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
-+
- #downroute_v6
-+
- ;;
- up-host-v6:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
- down-host-v6:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
- up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
- down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
--*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-+*)
-+ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
-+
- ;;
- esac
-+
diff --git a/package/strongswan/patches/300-openwrt.patch b/package/strongswan/patches/300-openwrt.patch
deleted file mode 100644
index e249a8d613..0000000000
--- a/package/strongswan/patches/300-openwrt.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: strongswan-2.8.2/Makefile.inc
-===================================================================
---- strongswan-2.8.2.orig/Makefile.inc 2007-06-04 13:23:04.604033976 +0200
-+++ strongswan-2.8.2/Makefile.inc 2007-06-04 13:23:06.855691672 +0200
-@@ -123,7 +123,7 @@
- # With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
- # INC_RCDIRS directories has been pre-created under DESTDIR.
- INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
--INC_RCDEFAULT=/etc/rc.d/init.d
-+INC_RCDEFAULT=/etc/init.d
-
- # RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
- # will finally be (so utils/Makefile can create a symlink in BINDIR to the
-Index: strongswan-2.8.2/programs/showhostkey/showhostkey.in
-===================================================================
---- strongswan-2.8.2.orig/programs/showhostkey/showhostkey.in 2007-06-04 13:23:04.612032760 +0200
-+++ strongswan-2.8.2/programs/showhostkey/showhostkey.in 2007-06-04 13:23:06.855691672 +0200
-@@ -62,7 +62,7 @@
- exit 1
- fi
-
--host="`hostname --fqdn`"
-+host="`cat /proc/sys/kernel/hostname`"
-
- awk ' BEGIN {
- inkey = 0
diff --git a/package/strongswan/patches/310-make-ipsec-alg.patch b/package/strongswan/patches/310-make-ipsec-alg.patch
deleted file mode 100644
index d5fad3d3e0..0000000000
--- a/package/strongswan/patches/310-make-ipsec-alg.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Index: strongswan-2.8.2/linux/net/ipsec/alg/Makefile.alg_cryptoapi
-===================================================================
---- strongswan-2.8.2.orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-06-04 13:23:04.583037168 +0200
-+++ strongswan-2.8.2/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-06-04 13:23:07.053661576 +0200
-@@ -1,10 +1,10 @@
- MOD_CRYPTOAPI := ipsec_cryptoapi.o
-
- ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
--ALG_MODULES += $(MOD_CRYPTOAPI)
--obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
--static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
--alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
-+#ALG_MODULES += $(MOD_CRYPTOAPI)
-+#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
-+#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
-+#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
- else
- $(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
- endif
diff --git a/package/strongswan/patches/320-no-modprobe.patch b/package/strongswan/patches/320-no-modprobe.patch
deleted file mode 100644
index d8c3648baf..0000000000
--- a/package/strongswan/patches/320-no-modprobe.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-Index: strongswan-2.8.2/programs/starter/klips.c
-===================================================================
---- strongswan-2.8.2.orig/programs/starter/klips.c 2007-06-04 13:23:04.544043096 +0200
-+++ strongswan-2.8.2/programs/starter/klips.c 2007-06-04 13:23:07.238633456 +0200
-@@ -44,7 +44,7 @@
- unsetenv("MODPATH");
- unsetenv("MODULECONF");
- system("depmod -a >/dev/null 2>&1");
-- system("modprobe -qv ipsec");
-+ system("insmod -qv ipsec");
- }
- if (stat(PROC_IPSECVERSION, &stb) == 0)
- {
-@@ -62,11 +62,11 @@
- /* make sure that all available crypto algorithms are loaded */
- if (stat(PROC_MODULES, &stb) == 0)
- {
-- system("modprobe -qv ipsec_aes");
-- system("modprobe -qv ipsec_serpent");
-- system("modprobe -qv ipsec_twofish");
-- system("modprobe -qv ipsec_blowfish");
-- system("modprobe -qv ipsec_sha2");
-+ system("insmod -qv ipsec_aes");
-+ system("insmod -qv ipsec_serpent");
-+ system("insmod -qv ipsec_twofish");
-+ system("insmod -qv ipsec_blowfish");
-+ system("insmod -qv ipsec_sha2");
- }
-
- starter_klips_clear();
-Index: strongswan-2.8.2/programs/starter/netkey.c
-===================================================================
---- strongswan-2.8.2.orig/programs/starter/netkey.c 2007-06-04 13:23:04.551042032 +0200
-+++ strongswan-2.8.2/programs/starter/netkey.c 2007-06-04 13:23:07.238633456 +0200
-@@ -36,7 +36,7 @@
- /* af_key module makes the netkey proc interface visible */
- if (stat(PROC_MODULES, &stb) == 0)
- {
-- system("modprobe -qv af_key");
-+ system("insmod -qv af_key");
- }
-
- /* now test again */
-@@ -52,11 +52,11 @@
- /* make sure that all required IPsec modules are loaded */
- if (stat(PROC_MODULES, &stb) == 0)
- {
-- system("modprobe -qv ah4");
-- system("modprobe -qv esp4");
-- system("modprobe -qv ipcomp");
-- system("modprobe -qv xfrm4_tunnel");
-- system("modprobe -qv xfrm_user");
-+ system("insmod -qv ah4");
-+ system("insmod -qv esp4");
-+ system("insmod -qv ipcomp");
-+ system("insmod -qv xfrm4_tunnel");
-+ system("insmod -qv xfrm_user");
- }
-
- DBG(DBG_CONTROL,
-Index: strongswan-2.8.2/programs/_startklips/_startklips.in
-===================================================================
---- strongswan-2.8.2.orig/programs/_startklips/_startklips.in 2007-06-04 13:23:04.560040664 +0200
-+++ strongswan-2.8.2/programs/_startklips/_startklips.in 2007-06-04 13:23:07.238633456 +0200
-@@ -249,7 +249,7 @@
-
- if test ! -f $ipsecversion && test ! -f $netkey
- then
-- modprobe -v af_key
-+ insmod -v af_key
- fi
-
- if test -f $netkey
-@@ -257,11 +257,11 @@
- klips=false
- if test -f $modules
- then
-- modprobe -qv ah4
-- modprobe -qv esp4
-- modprobe -qv ipcomp
-- modprobe -qv xfrm4_tunnel
-- modprobe -qv xfrm_user
-+ insmod -qv ah4
-+ insmod -qv esp4
-+ insmod -qv ipcomp
-+ insmod -qv xfrm4_tunnel
-+ insmod -qv xfrm_user
- fi
- fi
-
-@@ -272,7 +272,7 @@
- setmodule
- unset MODPATH MODULECONF # no user overrides!
- depmod -a >/dev/null 2>&1
-- modprobe -v ipsec
-+ insmod -v ipsec
- fi
- if test ! -f $ipsecversion
- then
-@@ -288,7 +288,7 @@
- do
- if test -f $moduleinstplace/alg/ipsec_$alg.o
- then
-- modprobe ipsec_$alg
-+ insmod ipsec_$alg
- fi
- done
- fi
diff --git a/package/strongswan/patches/350-make-programs.patch b/package/strongswan/patches/350-make-programs.patch
deleted file mode 100644
index aba957754f..0000000000
--- a/package/strongswan/patches/350-make-programs.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: strongswan-2.8.2/programs/Makefile
-===================================================================
---- strongswan-2.8.2.orig/programs/Makefile 2007-06-04 13:23:06.414758704 +0200
-+++ strongswan-2.8.2/programs/Makefile 2007-06-04 13:23:07.444602144 +0200
-@@ -17,12 +17,10 @@
- FREESWANSRCDIR=..
- include ${FREESWANSRCDIR}/Makefile.inc
-
--SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
--SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
--SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
--SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
--SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
--SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
-+SUBDIRS=_copyright _updown _showstatus wakeup examples
-+SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
-+SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
-+SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
-
- ifeq ($(USE_LWRES),true)
- SUBDIRS+=lwdnsq