diff options
Diffstat (limited to 'package/strongswan/patches/210-updown.patch')
-rw-r--r-- | package/strongswan/patches/210-updown.patch | 660 |
1 files changed, 660 insertions, 0 deletions
diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch new file mode 100644 index 0000000000..9361f43481 --- /dev/null +++ b/package/strongswan/patches/210-updown.patch @@ -0,0 +1,660 @@ +diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8 +--- strongswan-2.8.2-orig/programs/_updown/_updown.8 2006-04-17 02:48:49.000000000 -0400 ++++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500 +@@ -8,8 +8,23 @@ + .I _updown + is invoked by pluto when it has brought up a new connection. This script + is used to insert the appropriate routing entries for IPsec operation. +-It can also be used to insert and delete dynamic iptables firewall rules. +-The interface to the script is documented in the pluto man page. ++It also inserts and deletes dynamic iptables firewall rules. IMPORTANT! ++By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD ++tables. Most distributions will want to change that to provide more ++flexibility in their firewall configuration. ++The script looks for the environment variables ++.B IPSEC_UPDOWN_RULE_IN ++for the iptables table it should insert into, ++.B IPSEC_UPDOWN_DEST_IN ++for where the rule should -j jump to, ++.B IPSEC_UPDOWN_RULE_OUT ++.B IPSEC_UPDOWN_DEST_OUT ++for the same on outgoing packets, and ++.B IPSEC_UPDOWN_FWD_RULE_IN ++.B IPSEC_UPDOWN_FWD_DEST_IN ++.B IPSEC_UPDOWN_FWD_RULE_OUT ++.B IPSEC_UPDOWN_FWD_DEST_OUT ++respectively for packets being forwarded to/from the local networks. + .SH "SEE ALSO" + ipsec(8), ipsec_pluto(8). + .SH HISTORY +diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in +--- strongswan-2.8.2-orig/programs/_updown/_updown.in 2006-04-17 11:06:29.000000000 -0400 ++++ strongswan-2.8.2/programs/_updown/_updown.in 2007-02-05 02:08:24.969100428 -0500 +@@ -5,6 +5,7 @@ + # Copyright (C) 2003-2004 Tuomo Soini + # Copyright (C) 2002-2004 Michael Richardson + # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org> ++# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com> + # + # This program is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by the +@@ -118,20 +119,61 @@ + # restricted on the peer side. + # + +-# uncomment to log VPN connections +-VPN_LOGGING=1 +-# ++# set to /bin/true to silence log messages ++LOGGER=logger ++ + # tag put in front of each log entry: + TAG=vpn +-# ++ + # syslog facility and priority used: +-FAC_PRIO=local0.notice +-# +-# to create a special vpn logging file, put the following line into +-# the syslog configuration file /etc/syslog.conf: +-# +-# local0.notice -/var/log/vpn +-# ++FAC_PRIO=authpriv.info ++ ++ ++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY ++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then ++ IPSEC_POLICY_IN="" ++ IPSEC_POLICY_OUT="" ++else ++ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" ++ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" ++ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" ++fi ++ ++# are there port numbers? ++if [ "$PLUTO_MY_PORT" != 0 ] ; then ++ S_MY_PORT="--sport $PLUTO_MY_PORT" ++ D_MY_PORT="--dport $PLUTO_MY_PORT" ++fi ++ ++if [ "$PLUTO_PEER_PORT" != 0 ] ; then ++ S_PEER_PORT="--sport $PLUTO_PEER_PORT" ++ D_PEER_PORT="--dport $PLUTO_PEER_PORT" ++fi ++ ++# import firewall behavior ++IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN ++IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN ++IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT ++IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT ++ ++# import forwarding behavior ++FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN ++FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN ++FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT ++FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT ++ ++# default firewall behavior ++[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT ++[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT ++[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT ++[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT ++ ++# default forwarding behavior ++[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD ++[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT ++[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD ++[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT ++ + + # check interface version + case "$PLUTO_VERSION" in +@@ -150,8 +192,6 @@ + case "$1:$*" in + ':') # no parameters + ;; +-iptables:iptables) # due to (left/right)firewall; for default script only +- ;; + custom:*) # custom parameters (see above CAUTION comment) + ;; + *) echo "$0: unknown parameters \`$*'" >&2 +@@ -159,345 +199,307 @@ + ;; + esac + ++ + # utility functions for route manipulation + # Meddling with this stuff should not be necessary and requires great care. ++ + uproute() { + doroute add + ip route flush cache + } ++ + downroute() { + doroute delete + ip route flush cache + } + ++upfirewall() { ++ in_rule=$1 ++ in_dest=$2 ++ out_rule=$3 ++ out_dest=$4 ++ ++ [ -n "$in_rule" -a -n "$in_dest" ] && \ ++ iptables -I $in_rule 1 \ ++ -i $PLUTO_INTERFACE \ ++ -p $PLUTO_MY_PROTOCOL \ ++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ ++ -d $PLUTO_MY_CLIENT $D_MY_PORT \ ++ $IPSEC_POLICY_IN \ ++ -j $in_dest ++ ++ [ -n "$out_rule" -a -n "$out_dest" ] && \ ++ iptables -I $out_rule 1 \ ++ -o $PLUTO_INTERFACE \ ++ -p $PLUTO_PEER_PROTOCOL \ ++ -s $PLUTO_MY_CLIENT $S_MY_PORT \ ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ ++ $IPSEC_POLICY_OUT \ ++ -j $out_dest ++ ++} ++ ++downfirewall() { ++ in_rule=$1 ++ in_dest=$2 ++ out_rule=$3 ++ out_dest=$4 ++ ++ [ -n "$in_rule" -a -n "$in_dest" ] && \ ++ iptables -D $in_rule \ ++ -i $PLUTO_INTERFACE \ ++ -p $PLUTO_MY_PROTOCOL \ ++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ ++ -d $PLUTO_MY_CLIENT $D_MY_PORT \ ++ $IPSEC_POLICY_IN \ ++ -j $in_dest ++ ++ [ -n "$out_rule" -a -n "$out_dest" ] && \ ++ iptables -D $out_rule \ ++ -o $PLUTO_INTERFACE \ ++ -p $PLUTO_PEER_PROTOCOL \ ++ -s $PLUTO_MY_CLIENT $S_MY_PORT \ ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ ++ $IPSEC_POLICY_OUT \ ++ -j $out_dest ++ ++} ++ + addsource() { + st=0 +- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local +- then ++ ++ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then ++ + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? +- if test " $oops" = " " -a " $st" != " 0" +- then ++ ++ if [ " $oops" = " " -a " $st" != " 0" ] ; then + oops="silent error, exit status $st" + fi +- if test " $oops" != " " -o " $st" != " 0" +- then ++ ++ if [ " $oops" != " " -o " $st" != " 0" ] ; then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi ++ + return $st + } + + doroute() { + st=0 + parms="$PLUTO_PEER_CLIENT" ++ parms2="dev $PLUTO_INTERFACE" + +- parms2= +- if [ -n "$PLUTO_NEXT_HOP" ] +- then +- parms2="via $PLUTO_NEXT_HOP" +- fi +- parms2="$parms2 dev $PLUTO_INTERFACE" +- +- if [ -z "$PLUTO_MY_SOURCEIP" ] +- then +- if [ -f /etc/sysconfig/defaultsource ] +- then +- . /etc/sysconfig/defaultsource +- fi ++ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then + +- if [ -f /etc/conf.d/defaultsource ] +- then +- . /etc/conf.d/defaultsource +- fi ++ [ -f /etc/sysconfig/defaultsource ] && \ ++ . /etc/sysconfig/defaultsource ++ ++ [ -f /etc/conf.d/defaultsource ] && \ ++ . /etc/conf.d/defaultsource ++ ++ [ -n "$DEFAULTSOURCE" ] && \ ++ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + +- if [ -n "$DEFAULTSOURCE" ] +- then +- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE +- fi + fi + + parms3= +- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" +- then ++ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then + addsource + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" + fi + +- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in +- "0.0.0.0/0.0.0.0") ++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \ ++ "0.0.0.0/0.0.0.0" ] ; then + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. +- it="ip route $1 0.0.0.0/1 $parms2 $parms3 && +- ip route $1 128.0.0.0/1 $parms2 $parms3" +- ;; +- *) it="ip route $1 $parms $parms2 $parms3" +- ;; +- esac ++ it="ip route $1 0.0.0.0/1 $parms2 $parms3 && ++ ip route $1 128.0.0.0/1 $parms2 $parms3" ++ else ++ it="ip route $1 $parms $parms2 $parms3" ++ fi ++ + oops="`eval $it 2>&1`" + st=$? +- if test " $oops" = " " -a " $st" != " 0" +- then +- oops="silent error, exit status $st" +- fi +- if test " $oops" != " " -o " $st" != " 0" +- then +- echo "$0: doroute \`$it' failed ($oops)" >&2 ++ ++ if [ " $oops" = " " -a " $st" != " 0" ] ; then ++ oops="silent error, exit status $st" + fi ++ ++ if [ " $oops" != " " -o " $st" != " 0" ] ; then ++ echo "$0: doroute \`$it' failed ($oops)" >&2 ++ fi ++ + return $st + } +- +-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +-then +- IPSEC_POLICY_IN="" +- IPSEC_POLICY_OUT="" +-else +- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" +- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +-fi + +-# are there port numbers? +-if [ "$PLUTO_MY_PORT" != 0 ] +-then +- S_MY_PORT="--sport $PLUTO_MY_PORT" +- D_MY_PORT="--dport $PLUTO_MY_PORT" +-fi +-if [ "$PLUTO_PEER_PORT" != 0 ] +-then +- S_PEER_PORT="--sport $PLUTO_PEER_PORT" +- D_PEER_PORT="--dport $PLUTO_PEER_PORT" +-fi ++dologentry() { ++ action=$1 ++ ++ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then ++ rem="$PLUTO_PEER" ++ else ++ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER" ++ fi ++ ++ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then ++ loc="$PLUTO_ME" ++ else ++ loc="$PLUTO_ME == $PLUTO_MY_CLIENT" ++ fi ++ ++ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)" ++} ++ + + # the big choice ++ + case "$PLUTO_VERB:$1" in + prepare-host:*|prepare-client:*) + # delete possibly-existing route (preliminary to adding a route) +- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in +- "0.0.0.0/0.0.0.0") +- # need to provide route that eclipses default, without ++ ++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \ ++ "0.0.0.0/0.0.0.0" ] ; then ++ # need to remove the route that eclipses default, without + # replacing it. +- parms1="0.0.0.0/1" +- parms2="128.0.0.0/1" +- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" +- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" +- ;; +- *) +- parms="$PLUTO_PEER_CLIENT" +- it="ip route delete $parms 2>&1" +- oops="`ip route delete $parms 2>&1`" +- ;; +- esac +- status="$?" +- if test " $oops" = " " -a " $status" != " 0" +- then +- oops="silent error, exit status $status" ++ it="( ip route delete 0.0.0.0/1 ; ++ ip route delete 128.0.0.0/1 )" ++ else ++ it="ip route delete $PLUTO_PEER_CLIENT" ++ fi ++ ++ oops="`$it 2>&1`" ++ st="$?" ++ ++ if [ " $oops" = " " -a " $st" != " 0" ] ; then ++ oops="silent error, exit status $st" + fi ++ + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= +- status=0 ++ st=0 + ;; + esac +- if test " $oops" != " " -o " $status" != " 0" +- then ++ ++ if [ " $oops" != " " -o " $st" != " 0" ] ; then + echo "$0: \`$it' failed ($oops)" >&2 + fi +- exit $status ++ ++ exit $st ++ + ;; + route-host:*|route-client:*) + # connection to me or my client subnet being routed ++ ++ ipsec _showstatus valid + uproute ++ + ;; + unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted ++ ++ ipsec _showstatus invalid + downroute ++ + ;; +-up-host:) ++up-host:*) + # connection to me coming up +- # If you are doing a custom version, firewall commands go here. ++ ++ ipsec _showstatus up ++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT ++ dologentry "VPN-UP" ++ + ;; +-down-host:) ++down-host:*) + # connection to me going down +- # If you are doing a custom version, firewall commands go here. +- ;; +-up-client:) +- # connection to my client subnet coming up +- # If you are doing a custom version, firewall commands go here. +- ;; +-down-client:) +- # connection to my client subnet going down +- # If you are doing a custom version, firewall commands go here. ++ ++ ipsec _showstatus down ++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT ++ dologentry "VPN-DN" ++ + ;; +-up-host:iptables) +- # connection to me, with (left/right)firewall=yes, coming up +- # This is used only by the default updown script, not by your custom +- # ones, so do not mess with it; see CAUTION comment up at top. +- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ +- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ +- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ +- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ +- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT +- # +- # log IPsec host connection setup +- if [ $VPN_LOGGING ] +- then +- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] +- then +- logger -t $TAG -p $FAC_PRIO \ +- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" +- fi +- fi +- ;; +-down-host:iptables) +- # connection to me, with (left/right)firewall=yes, going down +- # This is used only by the default updown script, not by your custom +- # ones, so do not mess with it; see CAUTION comment up at top. +- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ +- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ +- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ +- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ +- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT +- # +- # log IPsec host connection teardown +- if [ $VPN_LOGGING ] +- then +- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] +- then +- logger -t $TAG -p $FAC_PRIO -- \ +- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" +- else +- logger -t $TAG -p $FAC_PRIO -- \ +- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" +- fi +- fi +- ;; +-up-client:iptables) +- # connection to client subnet, with (left/right)firewall=yes, coming up +- # This is used only by the default updown script, not by your custom +- # ones, so do not mess with it; see CAUTION comment up at top. +- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] +- then +- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ +- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT +- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ +- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ +- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ +- $IPSEC_POLICY_IN -j ACCEPT ++up-client:*) ++ # connection to client subnet coming up ++ ++ ipsec _showstatus up ++ ++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \ ++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then ++ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT + fi +- # ++ + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed +- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] +- then +- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ +- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ +- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ +- $IPSEC_POLICY_IN -j ACCEPT +- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ +- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT +- fi +- # +- # log IPsec client connection setup +- if [ $VPN_LOGGING ] +- then +- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] +- then +- logger -t $TAG -p $FAC_PRIO \ +- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" +- fi +- fi +- ;; +-down-client:iptables) +- # connection to client subnet, with (left/right)firewall=yes, going down +- # This is used only by the default updown script, not by your custom +- # ones, so do not mess with it; see CAUTION comment up at top. +- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] +- then +- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ +- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT +- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ +- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ +- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ +- $IPSEC_POLICY_IN -j ACCEPT ++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then ++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT ++ fi ++ ++ dologentry "VPN-UP" ++ ++ ;; ++down-client:*) ++ # connection to client subnet going down ++ ++ ipsec _showstatus down ++ ++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \ ++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then ++ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT + fi +- # ++ + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed +- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] +- then +- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ +- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ +- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ +- $IPSEC_POLICY_IN -j ACCEPT +- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ +- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT +- fi +- # +- # log IPsec client connection teardown +- if [ $VPN_LOGGING ] +- then +- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] +- then +- logger -t $TAG -p $FAC_PRIO -- \ +- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" +- else +- logger -t $TAG -p $FAC_PRIO -- \ +- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" +- fi ++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then ++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT + fi ++ ++ dologentry "VPN-DN" ++ + ;; +-# +-# IPv6 +-# + prepare-host-v6:*|prepare-client-v6:*) ++ + ;; + route-host-v6:*|route-client-v6:*) + # connection to me or my client subnet being routed ++ + #uproute_v6 ++ + ;; + unroute-host-v6:*|unroute-client-v6:*) + # connection to me or my client subnet being unrouted ++ + #downroute_v6 ++ + ;; + up-host-v6:*) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. ++ + ;; + down-host-v6:*) + # connection to me going down + # If you are doing a custom version, firewall commands go here. ++ + ;; + up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. ++ + ;; + down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. ++ + ;; +-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 ++*) ++ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 ++ + ;; + esac ++ |