Diffstat (limited to 'package/strongswan/patches/210-updown.patch')
-rw-r--r-- | package/strongswan/patches/210-updown.patch | 662 |
1 files changed, 0 insertions, 662 deletions
diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch
deleted file mode 100644
index d546625..0000000
--- a/package/strongswan/patches/210-updown.patch
+++ /dev/null
@@ -1,662 +0,0 @@ -Index: strongswan-2.8.2/programs/_updown/_updown.8 -=================================================================== ---- strongswan-2.8.2.orig/programs/_updown/_updown.8 2007-06-04 13:23:04.632029720 +0200 -+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-06-04 13:23:06.656721920 +0200 -@@ -8,8 +8,23 @@ - .I _updown - is invoked by pluto when it has brought up a new connection. This script - is used to insert the appropriate routing entries for IPsec operation. --It can also be used to insert and delete dynamic iptables firewall rules. --The interface to the script is documented in the pluto man page. -+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT! -+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD -+tables. Most distributions will want to change that to provide more -+flexibility in their firewall configuration. -+The script looks for the environment variables -+.B IPSEC_UPDOWN_RULE_IN -+for the iptables table it should insert into, -+.B IPSEC_UPDOWN_DEST_IN -+for where the rule should -j jump to, -+.B IPSEC_UPDOWN_RULE_OUT -+.B IPSEC_UPDOWN_DEST_OUT -+for the same on outgoing packets, and -+.B IPSEC_UPDOWN_FWD_RULE_IN -+.B IPSEC_UPDOWN_FWD_DEST_IN -+.B IPSEC_UPDOWN_FWD_RULE_OUT -+.B IPSEC_UPDOWN_FWD_DEST_OUT -+respectively for packets being forwarded to/from the local networks. - .SH "SEE ALSO" - ipsec(8), ipsec_pluto(8). 
- .SH HISTORY -Index: strongswan-2.8.2/programs/_updown/_updown.in -=================================================================== ---- strongswan-2.8.2.orig/programs/_updown/_updown.in 2007-06-04 13:23:04.642028200 +0200 -+++ strongswan-2.8.2/programs/_updown/_updown.in 2007-06-04 13:23:06.657721768 +0200 -@@ -5,6 +5,7 @@ - # Copyright (C) 2003-2004 Tuomo Soini - # Copyright (C) 2002-2004 Michael Richardson - # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org> -+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com> - # - # This program is free software; you can redistribute it and/or modify it - # under the terms of the GNU General Public License as published by the -@@ -118,20 +119,61 @@ - # restricted on the peer side. - # - --# uncomment to log VPN connections --VPN_LOGGING=1 --# -+# set to /bin/true to silence log messages -+LOGGER=logger -+ - # tag put in front of each log entry: - TAG=vpn --# -+ - # syslog facility and priority used: --FAC_PRIO=local0.notice --# --# to create a special vpn logging file, put the following line into --# the syslog configuration file /etc/syslog.conf: --# --# local0.notice -/var/log/vpn --# -+FAC_PRIO=authpriv.info -+ -+ -+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then -+ IPSEC_POLICY_IN="" -+ IPSEC_POLICY_OUT="" -+else -+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" -+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -+fi -+ -+# are there port numbers? 
-+if [ "$PLUTO_MY_PORT" != 0 ] ; then -+ S_MY_PORT="--sport $PLUTO_MY_PORT" -+ D_MY_PORT="--dport $PLUTO_MY_PORT" -+fi -+ -+if [ "$PLUTO_PEER_PORT" != 0 ] ; then -+ S_PEER_PORT="--sport $PLUTO_PEER_PORT" -+ D_PEER_PORT="--dport $PLUTO_PEER_PORT" -+fi -+ -+# import firewall behavior -+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN -+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN -+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT -+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT -+ -+# import forwarding behavior -+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN -+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN -+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT -+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT -+ -+# default firewall behavior -+[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT -+[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT -+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT -+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT -+ -+# default forwarding behavior -+[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD -+[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT -+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD -+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT -+ - - # check interface version - case "$PLUTO_VERSION" in -@@ -150,8 +192,6 @@ - case "$1:$*" in - ':') # no parameters - ;; --iptables:iptables) # due to (left/right)firewall; for default script only -- ;; - custom:*) # custom parameters (see above CAUTION comment) - ;; - *) echo "$0: unknown parameters \`$*'" >&2 -@@ -159,345 +199,307 @@ - ;; - esac - -+ - # utility functions for route manipulation - # Meddling with this stuff should not be necessary and requires great care. 
-+ - uproute() { - doroute add - ip route flush cache - } -+ - downroute() { - doroute delete - ip route flush cache - } - -+upfirewall() { -+ in_rule=$1 -+ in_dest=$2 -+ out_rule=$3 -+ out_dest=$4 -+ -+ [ -n "$in_rule" -a -n "$in_dest" ] && \ -+ iptables -I $in_rule 1 \ -+ -i $PLUTO_INTERFACE \ -+ -p $PLUTO_MY_PROTOCOL \ -+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -+ -d $PLUTO_MY_CLIENT $D_MY_PORT \ -+ $IPSEC_POLICY_IN \ -+ -j $in_dest -+ -+ [ -n "$out_rule" -a -n "$out_dest" ] && \ -+ iptables -I $out_rule 1 \ -+ -o $PLUTO_INTERFACE \ -+ -p $PLUTO_PEER_PROTOCOL \ -+ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -+ $IPSEC_POLICY_OUT \ -+ -j $out_dest -+ -+} -+ -+downfirewall() { -+ in_rule=$1 -+ in_dest=$2 -+ out_rule=$3 -+ out_dest=$4 -+ -+ [ -n "$in_rule" -a -n "$in_dest" ] && \ -+ iptables -D $in_rule \ -+ -i $PLUTO_INTERFACE \ -+ -p $PLUTO_MY_PROTOCOL \ -+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -+ -d $PLUTO_MY_CLIENT $D_MY_PORT \ -+ $IPSEC_POLICY_IN \ -+ -j $in_dest -+ -+ [ -n "$out_rule" -a -n "$out_dest" ] && \ -+ iptables -D $out_rule \ -+ -o $PLUTO_INTERFACE \ -+ -p $PLUTO_PEER_PROTOCOL \ -+ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -+ $IPSEC_POLICY_OUT \ -+ -j $out_dest -+ -+} -+ - addsource() { - st=0 -- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local -- then -+ -+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then -+ - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? 
-- if test " $oops" = " " -a " $st" != " 0" -- then -+ -+ if [ " $oops" = " " -a " $st" != " 0" ] ; then - oops="silent error, exit status $st" - fi -- if test " $oops" != " " -o " $st" != " 0" -- then -+ -+ if [ " $oops" != " " -o " $st" != " 0" ] ; then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi -+ - return $st - } - - doroute() { - st=0 - parms="$PLUTO_PEER_CLIENT" -+ parms2="dev $PLUTO_INTERFACE" - -- parms2= -- if [ -n "$PLUTO_NEXT_HOP" ] -- then -- parms2="via $PLUTO_NEXT_HOP" -- fi -- parms2="$parms2 dev $PLUTO_INTERFACE" -- -- if [ -z "$PLUTO_MY_SOURCEIP" ] -- then -- if [ -f /etc/sysconfig/defaultsource ] -- then -- . /etc/sysconfig/defaultsource -- fi -+ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then - -- if [ -f /etc/conf.d/defaultsource ] -- then -- . /etc/conf.d/defaultsource -- fi -+ [ -f /etc/sysconfig/defaultsource ] && \ -+ . /etc/sysconfig/defaultsource -+ -+ [ -f /etc/conf.d/defaultsource ] && \ -+ . /etc/conf.d/defaultsource -+ -+ [ -n "$DEFAULTSOURCE" ] && \ -+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - -- if [ -n "$DEFAULTSOURCE" ] -- then -- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE -- fi - fi - - parms3= -- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" -- then -+ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then - addsource - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" - fi - -- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in -- "0.0.0.0/0.0.0.0") -+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \ -+ "0.0.0.0/0.0.0.0" ] ; then - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. -- it="ip route $1 0.0.0.0/1 $parms2 $parms3 && -- ip route $1 128.0.0.0/1 $parms2 $parms3" -- ;; -- *) it="ip route $1 $parms $parms2 $parms3" -- ;; -- esac -+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 && -+ ip route $1 128.0.0.0/1 $parms2 $parms3" -+ else -+ it="ip route $1 $parms $parms2 $parms3" -+ fi -+ - oops="`eval $it 2>&1`" - st=$? 
-- if test " $oops" = " " -a " $st" != " 0" -- then -- oops="silent error, exit status $st" -- fi -- if test " $oops" != " " -o " $st" != " 0" -- then -- echo "$0: doroute \`$it' failed ($oops)" >&2 -+ -+ if [ " $oops" = " " -a " $st" != " 0" ] ; then -+ oops="silent error, exit status $st" - fi -+ -+ if [ " $oops" != " " -o " $st" != " 0" ] ; then -+ echo "$0: doroute \`$it' failed ($oops)" >&2 -+ fi -+ - return $st - } -- --# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY --if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] --then -- IPSEC_POLICY_IN="" -- IPSEC_POLICY_OUT="" --else -- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" -- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" --fi - --# are there port numbers? --if [ "$PLUTO_MY_PORT" != 0 ] --then -- S_MY_PORT="--sport $PLUTO_MY_PORT" -- D_MY_PORT="--dport $PLUTO_MY_PORT" --fi --if [ "$PLUTO_PEER_PORT" != 0 ] --then -- S_PEER_PORT="--sport $PLUTO_PEER_PORT" -- D_PEER_PORT="--dport $PLUTO_PEER_PORT" --fi -+dologentry() { -+ action=$1 -+ -+ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then -+ rem="$PLUTO_PEER" -+ else -+ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER" -+ fi -+ -+ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then -+ loc="$PLUTO_ME" -+ else -+ loc="$PLUTO_ME == $PLUTO_MY_CLIENT" -+ fi -+ -+ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)" -+} -+ - - # the big choice -+ - case "$PLUTO_VERB:$1" in - prepare-host:*|prepare-client:*) - # delete possibly-existing route (preliminary to adding a route) -- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in -- "0.0.0.0/0.0.0.0") -- # need to provide route that eclipses default, without -+ -+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \ -+ "0.0.0.0/0.0.0.0" ] ; then -+ # need to remove the route that eclipses default, without - # replacing it. 
-- parms1="0.0.0.0/1" -- parms2="128.0.0.0/1" -- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" -- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" -- ;; -- *) -- parms="$PLUTO_PEER_CLIENT" -- it="ip route delete $parms 2>&1" -- oops="`ip route delete $parms 2>&1`" -- ;; -- esac -- status="$?" -- if test " $oops" = " " -a " $status" != " 0" -- then -- oops="silent error, exit status $status" -+ it="( ip route delete 0.0.0.0/1 ; -+ ip route delete 128.0.0.0/1 )" -+ else -+ it="ip route delete $PLUTO_PEER_CLIENT" -+ fi -+ -+ oops="`$it 2>&1`" -+ st="$?" -+ -+ if [ " $oops" = " " -a " $st" != " 0" ] ; then -+ oops="silent error, exit status $st" - fi -+ - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= -- status=0 -+ st=0 - ;; - esac -- if test " $oops" != " " -o " $status" != " 0" -- then -+ -+ if [ " $oops" != " " -o " $st" != " 0" ] ; then - echo "$0: \`$it' failed ($oops)" >&2 - fi -- exit $status -+ -+ exit $st -+ - ;; - route-host:*|route-client:*) - # connection to me or my client subnet being routed -+ -+ ipsec _showstatus valid - uproute -+ - ;; - unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted -+ -+ ipsec _showstatus invalid - downroute -+ - ;; --up-host:) -+up-host:*) - # connection to me coming up -- # If you are doing a custom version, firewall commands go here. -+ -+ ipsec _showstatus up -+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT -+ dologentry "VPN-UP" -+ - ;; --down-host:) -+down-host:*) - # connection to me going down -- # If you are doing a custom version, firewall commands go here. -- ;; --up-client:) -- # connection to my client subnet coming up -- # If you are doing a custom version, firewall commands go here. 
-- ;; --down-client:) -- # connection to my client subnet going down -- # If you are doing a custom version, firewall commands go here. -+ -+ ipsec _showstatus down -+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT -+ dologentry "VPN-DN" -+ - ;; --up-host:iptables) -- # connection to me, with (left/right)firewall=yes, coming up -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. -- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT -- # -- # log IPsec host connection setup -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" -- else -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -- fi -- fi -- ;; --down-host:iptables) -- # connection to me, with (left/right)firewall=yes, going down -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. 
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT -- # -- # log IPsec host connection teardown -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" -- else -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -- fi -- fi -- ;; --up-client:iptables) -- # connection to client subnet, with (left/right)firewall=yes, coming up -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. -- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] -- then -- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -+up-client:*) -+ # connection to client subnet coming up -+ -+ ipsec _showstatus up -+ -+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \ -+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then -+ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT - fi -- # -+ - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed -- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] -- then -- iptables -I INPUT 1 
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- fi -- # -- # log IPsec client connection setup -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -- else -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -- fi -- fi -- ;; --down-client:iptables) -- # connection to client subnet, with (left/right)firewall=yes, going down -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. 
-- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] -- then -- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then -+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT -+ fi -+ -+ dologentry "VPN-UP" -+ -+ ;; -+down-client:*) -+ # connection to client subnet going down -+ -+ ipsec _showstatus down -+ -+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \ -+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then -+ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT - fi -- # -+ - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed -- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] -- then -- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- fi -- # -- # log IPsec client connection teardown -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -- else -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- 
$PLUTO_ME == $PLUTO_MY_CLIENT" -- fi -+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then -+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT - fi -+ -+ dologentry "VPN-DN" -+ - ;; --# --# IPv6 --# - prepare-host-v6:*|prepare-client-v6:*) -+ - ;; - route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed -+ - #uproute_v6 -+ - ;; - unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted -+ - #downroute_v6 -+ - ;; - up-host-v6:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. -+ - ;; - down-host-v6:*) - # connection to me going down - # If you are doing a custom version, firewall commands go here. -+ - ;; - up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. -+ - ;; - down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. -+ - ;; --*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 -+*) -+ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 -+ - ;; - esac -+ |