Diffstat (limited to 'package/strongswan/patches')
-rw-r--r--package/strongswan/patches/100-ar-fixes.patch76
-rw-r--r--package/strongswan/patches/110-make-ipsec.patch10
-rw-r--r--package/strongswan/patches/120-make-pluto.patch12
-rw-r--r--package/strongswan/patches/130-make-starter.patch20
-rw-r--r--package/strongswan/patches/200-wakeup-showstatus.patch227
-rw-r--r--package/strongswan/patches/210-updown.patch660
-rw-r--r--package/strongswan/patches/300-openwrt.patch24
-rw-r--r--package/strongswan/patches/310-make-ipsec-alg.patch18
-rw-r--r--package/strongswan/patches/320-no-modprobe.patch105
-rw-r--r--package/strongswan/patches/350-make-programs.patch20
10 files changed, 1172 insertions, 0 deletions
diff --git a/package/strongswan/patches/100-ar-fixes.patch b/package/strongswan/patches/100-ar-fixes.patch
new file mode 100644
index 0000000..d6ce9f3
--- /dev/null
+++ b/package/strongswan/patches/100-ar-fixes.patch
@@ -0,0 +1,76 @@
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile strongswan-2.8.1/lib/libcrypto/libaes/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libaes/Makefile 2007-01-17 00:48:52.260789653 -0500
+@@ -25,10 +25,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ testx: test_main_mac.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile 2007-01-17 01:40:41.716879761 -0500
+@@ -58,7 +58,7 @@
+ lib: $(LIB)
+
+ $(LIB): $(LIBOBJ)
+- $(AR) $(LIB) $(LIBOBJ)
++ $(AR) -r $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB)
+
+ # elf
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile strongswan-2.8.1/lib/libcrypto/libserpent/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libserpent/Makefile 2007-01-17 00:50:37.692571031 -0500
+@@ -8,10 +8,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile strongswan-2.8.1/lib/libcrypto/libsha2/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libsha2/Makefile 2007-01-17 00:50:46.050791555 -0500
+@@ -9,10 +9,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile 2004-03-22 16:53:17.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile 2007-01-17 00:50:53.533988997 -0500
+@@ -9,10 +9,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
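Review bot: The libblowfish recipe `$(AR) -r $(LIB) $(LIBOBJ)` passes `-r` alone while the other four Makefiles in this patch use `$(AR) cr`; without `c`, GNU ar emits a "creating archive" notice whenever `$(LIB)` does not exist yet. For consistency and a quiet build, `$(AR) cr $(LIB) $(LIBOBJ)`. All five patched recipes rely on `AR` and `RANLIB` being defined by the including Makefile, which is outside this hunk.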
diff --git a/package/strongswan/patches/110-make-ipsec.patch b/package/strongswan/patches/110-make-ipsec.patch
new file mode 100644
index 0000000..861def4
--- /dev/null
+++ b/package/strongswan/patches/110-make-ipsec.patch
@@ -0,0 +1,10 @@
+diff -ruN strongswan-2.8.1-orig/programs/ipsec/Makefile strongswan-2.8.1/programs/ipsec/Makefile
+--- strongswan-2.8.1-orig/programs/ipsec/Makefile 2006-02-10 06:27:31.000000000 -0500
++++ strongswan-2.8.1/programs/ipsec/Makefile 2007-01-17 02:46:06.027124968 -0500
+@@ -24,5 +24,5 @@
+ include ../Makefile.program
+
+ install:: ipsec
+- @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
++ @$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec
+
diff --git a/package/strongswan/patches/120-make-pluto.patch b/package/strongswan/patches/120-make-pluto.patch
new file mode 100644
index 0000000..890863f
--- /dev/null
+++ b/package/strongswan/patches/120-make-pluto.patch
@@ -0,0 +1,12 @@
+diff -ruN strongswan-2.8.1-orig/programs/pluto/alg/Makefile strongswan-2.8.1/programs/pluto/alg/Makefile
+--- strongswan-2.8.1-orig/programs/pluto/alg/Makefile 2004-06-23 00:45:20.000000000 -0400
++++ strongswan-2.8.1/programs/pluto/alg/Makefile 2007-01-17 00:19:58.249033414 -0500
+@@ -20,7 +20,7 @@
+ include Config.ike_alg
+
+ LIBCRYPTO:=../../../lib/libcrypto
+-ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO)
++ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE)
+ LIBALG := libalg.o
+
+ all : $(LIBALG)
diff --git a/package/strongswan/patches/130-make-starter.patch b/package/strongswan/patches/130-make-starter.patch
new file mode 100644
index 0000000..9250f01
--- /dev/null
+++ b/package/strongswan/patches/130-make-starter.patch
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/Makefile strongswan-2.8.1/programs/starter/Makefile
+--- strongswan-2.8.1-orig/programs/starter/Makefile 2006-02-17 14:34:02.000000000 -0500
++++ strongswan-2.8.1/programs/starter/Makefile 2007-01-17 16:15:30.740490094 -0500
+@@ -16,7 +16,6 @@
+ FREESWANSRCDIR?=$(shell cd ../..; pwd)
+ include ${FREESWANSRCDIR}/Makefile.inc
+
+-LD=$(CC)
+ RM=rm
+ LEX=flex
+ BISON=bison
+@@ -59,7 +58,7 @@
+ all: starter
+
+ starter: $(OBJS) $(FREESWANLIB)
+- $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
++ $(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
+
+ lex.yy.c: parser.tab.c parser.l parser.y parser.h
+ $(LEX) parser.l
diff --git a/package/strongswan/patches/200-wakeup-showstatus.patch b/package/strongswan/patches/200-wakeup-showstatus.patch
new file mode 100644
index 0000000..2722282
--- /dev/null
+++ b/package/strongswan/patches/200-wakeup-showstatus.patch
@@ -0,0 +1,227 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile 2007-02-05 00:27:47.214280563 -0500
+@@ -22,7 +22,7 @@
+ SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+ SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+ SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient
++SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
+
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/Makefile strongswan-2.8.2/programs/_showstatus/Makefile
+--- strongswan-2.8.2-orig/programs/_showstatus/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/Makefile 2007-02-05 00:31:11.380714322 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=_showstatus
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 strongswan-2.8.2/programs/_showstatus/_showstatus.8
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.8 2007-02-05 00:36:00.650410824 -0500
+@@ -0,0 +1,23 @@
++.TH _showstatus 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: _showstatus.8
++.\"
++.SH NAME
++ipsec _showstatus \- give state feedback via led or other method
++.SH SYNOPSIS
++.I _showstatus
++is invoked by _updown to trigger led's, or other distribution
++or platform specific behavior. Presently, the SES button is
++supported as a status light on OpenWRT platforms. The button
++is configurable by environment variable:
++-B IPSEC_STATUS_LED_START
++defaults to ses_orange, and
++-B IPSEC_STATUS_LED_VALID
++defaults to ses_white.
++.SH "SEE ALSO"
++ipsec(8), ipsec_updown(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in strongswan-2.8.2/programs/_showstatus/_showstatus.in
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.in 2007-02-05 00:55:56.563116192 -0500
+@@ -0,0 +1,70 @@
++#! /bin/sh
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: _showstatus.in
++
++
++LED_START=$IPSEC_STATUS_LED_START
++LED_VALID=$IPSEC_STATUS_LED_VALID
++
++[ -z "$LED_START" ] && LED_START="ses_orange"
++[ -z "$LED_VALID" ] && LED_VALID="ses_white"
++
++
++setled() {
++ led=$1
++ st=$2
++
++ [ -n "$led" -a -n "$st" ] || return
++
++ if [ -w "/proc/diag/led/$led" ] ; then
++ echo "$st" > "/proc/diag/led/$led"
++ fi
++
++ # integrate other led control methods here
++
++}
++
++
++case "$1" in
++ 'start')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 1
++ [ -z "$LED_VALID" ] && setled "$LED_START" f
++ setled "$LED_VALID" 0
++ ;;
++ 'stop')
++ setled "$LED_START" 0
++ setled "$LED_VALID" 0
++ ;;
++ 'valid')
++ setled "$LED_VALID" 1
++ ;;
++ 'invalid')
++ setled "$LED_VALID" 0
++ ;;
++ 'up')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 0
++ [ -z "$LED_VALID" ] && setled "$LED_START" 1
++ setled "$LED_VALID" 1
++ ;;
++ 'down')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 1
++ [ -z "$LED_VALID" ] && setled "$LED_START" f
++ setled "$LED_VALID" f
++ ;;
++ *)
++ echo "$0: unknown status $status" >&2
++ ;;
++esac
++
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/Makefile strongswan-2.8.2/programs/wakeup/Makefile
+--- strongswan-2.8.2-orig/programs/wakeup/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/Makefile 2007-02-05 00:28:03.960726309 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=wakeup
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.8 strongswan-2.8.2/programs/wakeup/wakeup.8
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.8 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.8 2007-02-05 00:36:34.029298760 -0500
+@@ -0,0 +1,16 @@
++.TH wakeup 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: wakeup.8
++.\"
++.SH NAME
++ipsec wakeup \- stalled and down connection detection
++.SH SYNOPSIS
++.I wakeup
++is invoked by cron and checks ipsec status, whacking as necessary.
++.SH "SEE ALSO"
++ipsec(8), ipsec_whack(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.in strongswan-2.8.2/programs/wakeup/wakeup.in
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.in 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.in 2007-02-05 00:28:03.961726336 -0500
+@@ -0,0 +1,38 @@
++#! /bin/sh
++# wakeup script
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++
++# only applicable when ipsec is running
++[ -e /var/run/pluto.pid ] || exit
++
++# loop through any erouted tunnels in the HOLD state
++for f in `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do
++
++ # only whack if no pending events at all exists
++ ipsec status | grep STATE | grep -q $f ||
++ ipsec whack --name $f --initiate --asynchronous
++
++done
++
++# loop through any tunnels that don't quite exist
++for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do
++
++ ipsec status | grep STATE_QUICK | grep -q $f || {
++ ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f
++ ipsec up $f
++ }
++
++done
++
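Review bot: In `_showstatus.in` the fallback arm `echo "$0: unknown status $status" >&2` references `$status`, which is never assigned anywhere in the script, so the diagnostic always prints an empty value; it should be `echo "$0: unknown status $1" >&2`. In `wakeup.in` both loops test membership with `grep -q $f`, an unquoted and unanchored substring match, so a HOLD connection whose name is a prefix of an established one (e.g. `net` vs `net2`) is never re-initiated and a name containing shell metacharacters is word-split; since the loop header extracts the name from between double quotes, `grep -q -- "\"$f\""` would match the quoted name exactly (confirm that `ipsec status` prints the name quoted on STATE lines). `ipsec status` is also re-run on every iteration of both loops; capturing its output once into a variable before each loop would avoid the repeated round-trips to pluto.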
diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch
new file mode 100644
index 0000000..9361f43
--- /dev/null
+++ b/package/strongswan/patches/210-updown.patch
@@ -0,0 +1,660 @@
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
+--- strongswan-2.8.2-orig/programs/_updown/_updown.8 2006-04-17 02:48:49.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500
+@@ -8,8 +8,23 @@
+ .I _updown
+ is invoked by pluto when it has brought up a new connection. This script
+ is used to insert the appropriate routing entries for IPsec operation.
+-It can also be used to insert and delete dynamic iptables firewall rules.
+-The interface to the script is documented in the pluto man page.
++It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
++By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
++tables. Most distributions will want to change that to provide more
++flexibility in their firewall configuration.
++The script looks for the environment variables
++.B IPSEC_UPDOWN_RULE_IN
++for the iptables table it should insert into,
++.B IPSEC_UPDOWN_DEST_IN
++for where the rule should -j jump to,
++.B IPSEC_UPDOWN_RULE_OUT
++.B IPSEC_UPDOWN_DEST_OUT
++for the same on outgoing packets, and
++.B IPSEC_UPDOWN_FWD_RULE_IN
++.B IPSEC_UPDOWN_FWD_DEST_IN
++.B IPSEC_UPDOWN_FWD_RULE_OUT
++.B IPSEC_UPDOWN_FWD_DEST_OUT
++respectively for packets being forwarded to/from the local networks.
+ .SH "SEE ALSO"
+ ipsec(8), ipsec_pluto(8).
+ .SH HISTORY
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
+--- strongswan-2.8.2-orig/programs/_updown/_updown.in 2006-04-17 11:06:29.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.in 2007-02-05 02:08:24.969100428 -0500
+@@ -5,6 +5,7 @@
+ # Copyright (C) 2003-2004 Tuomo Soini
+ # Copyright (C) 2002-2004 Michael Richardson
+ # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
++# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
+ #
+ # This program is free software; you can redistribute it and/or modify it
+ # under the terms of the GNU General Public License as published by the
+@@ -118,20 +119,61 @@
+ # restricted on the peer side.
+ #
+
+-# uncomment to log VPN connections
+-VPN_LOGGING=1
+-#
++# set to /bin/true to silence log messages
++LOGGER=logger
++
+ # tag put in front of each log entry:
+ TAG=vpn
+-#
++
+ # syslog facility and priority used:
+-FAC_PRIO=local0.notice
+-#
+-# to create a special vpn logging file, put the following line into
+-# the syslog configuration file /etc/syslog.conf:
+-#
+-# local0.notice -/var/log/vpn
+-#
++FAC_PRIO=authpriv.info
++
++
++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
++ IPSEC_POLICY_IN=""
++ IPSEC_POLICY_OUT=""
++else
++ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
++ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
++ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
++fi
++
++# are there port numbers?
++if [ "$PLUTO_MY_PORT" != 0 ] ; then
++ S_MY_PORT="--sport $PLUTO_MY_PORT"
++ D_MY_PORT="--dport $PLUTO_MY_PORT"
++fi
++
++if [ "$PLUTO_PEER_PORT" != 0 ] ; then
++ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
++ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
++fi
++
++# import firewall behavior
++IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
++IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
++IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
++IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
++
++# import forwarding behavior
++FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
++FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
++FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
++FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
++
++# default firewall behavior
++[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
++[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
++[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
++[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
++
++# default forwarding behavior
++[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
++[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
++[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
++[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
++
+
+ # check interface version
+ case "$PLUTO_VERSION" in
+@@ -150,8 +192,6 @@
+ case "$1:$*" in
+ ':') # no parameters
+ ;;
+-iptables:iptables) # due to (left/right)firewall; for default script only
+- ;;
+ custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+ *) echo "$0: unknown parameters \`$*'" >&2
+@@ -159,345 +199,307 @@
+ ;;
+ esac
+
++
+ # utility functions for route manipulation
+ # Meddling with this stuff should not be necessary and requires great care.
++
+ uproute() {
+ doroute add
+ ip route flush cache
+ }
++
+ downroute() {
+ doroute delete
+ ip route flush cache
+ }
+
++upfirewall() {
++ in_rule=$1
++ in_dest=$2
++ out_rule=$3
++ out_dest=$4
++
++ [ -n "$in_rule" -a -n "$in_dest" ] && \
++ iptables -I $in_rule 1 \
++ -i $PLUTO_INTERFACE \
++ -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN \
++ -j $in_dest
++
++ [ -n "$out_rule" -a -n "$out_dest" ] && \
++ iptables -I $out_rule 1 \
++ -o $PLUTO_INTERFACE \
++ -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT \
++ -j $out_dest
++
++}
++
++downfirewall() {
++ in_rule=$1
++ in_dest=$2
++ out_rule=$3
++ out_dest=$4
++
++ [ -n "$in_rule" -a -n "$in_dest" ] && \
++ iptables -D $in_rule \
++ -i $PLUTO_INTERFACE \
++ -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN \
++ -j $in_dest
++
++ [ -n "$out_rule" -a -n "$out_dest" ] && \
++ iptables -D $out_rule \
++ -o $PLUTO_INTERFACE \
++ -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT \
++ -j $out_dest
++
++}
++
+ addsource() {
+ st=0
+- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+- then
++
++ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
++
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
+ oops="silent error, exit status $st"
+ fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
++
+ return $st
+ }
+
+ doroute() {
+ st=0
+ parms="$PLUTO_PEER_CLIENT"
++ parms2="dev $PLUTO_INTERFACE"
+
+- parms2=
+- if [ -n "$PLUTO_NEXT_HOP" ]
+- then
+- parms2="via $PLUTO_NEXT_HOP"
+- fi
+- parms2="$parms2 dev $PLUTO_INTERFACE"
+-
+- if [ -z "$PLUTO_MY_SOURCEIP" ]
+- then
+- if [ -f /etc/sysconfig/defaultsource ]
+- then
+- . /etc/sysconfig/defaultsource
+- fi
++ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
+
+- if [ -f /etc/conf.d/defaultsource ]
+- then
+- . /etc/conf.d/defaultsource
+- fi
++ [ -f /etc/sysconfig/defaultsource ] && \
++ . /etc/sysconfig/defaultsource
++
++ [ -f /etc/conf.d/defaultsource ] && \
++ . /etc/conf.d/defaultsource
++
++ [ -n "$DEFAULTSOURCE" ] && \
++ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+
+- if [ -n "$DEFAULTSOURCE" ]
+- then
+- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+- fi
+ fi
+
+ parms3=
+- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
+- then
++ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
+ addsource
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
+ fi
+
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+- ip route $1 128.0.0.0/1 $parms2 $parms3"
+- ;;
+- *) it="ip route $1 $parms $parms2 $parms3"
+- ;;
+- esac
++ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
++ ip route $1 128.0.0.0/1 $parms2 $parms3"
++ else
++ it="ip route $1 $parms $parms2 $parms3"
++ fi
++
+ oops="`eval $it 2>&1`"
+ st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
+- oops="silent error, exit status $st"
+- fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
+- echo "$0: doroute \`$it' failed ($oops)" >&2
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
++ echo "$0: doroute \`$it' failed ($oops)" >&2
++ fi
++
+ return $st
+ }
+-
+-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+-then
+- IPSEC_POLICY_IN=""
+- IPSEC_POLICY_OUT=""
+-else
+- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+-fi
+
+-# are there port numbers?
+-if [ "$PLUTO_MY_PORT" != 0 ]
+-then
+- S_MY_PORT="--sport $PLUTO_MY_PORT"
+- D_MY_PORT="--dport $PLUTO_MY_PORT"
+-fi
+-if [ "$PLUTO_PEER_PORT" != 0 ]
+-then
+- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+-fi
++dologentry() {
++ action=$1
++
++ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
++ rem="$PLUTO_PEER"
++ else
++ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
++ fi
++
++ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
++ loc="$PLUTO_ME"
++ else
++ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++
++ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
++}
++
+
+ # the big choice
++
+ case "$PLUTO_VERB:$1" in
+ prepare-host:*|prepare-client:*)
+ # delete possibly-existing route (preliminary to adding a route)
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
+- # need to provide route that eclipses default, without
++
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
++ # need to remove the route that eclipses default, without
+ # replacing it.
+- parms1="0.0.0.0/1"
+- parms2="128.0.0.0/1"
+- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+- ;;
+- *)
+- parms="$PLUTO_PEER_CLIENT"
+- it="ip route delete $parms 2>&1"
+- oops="`ip route delete $parms 2>&1`"
+- ;;
+- esac
+- status="$?"
+- if test " $oops" = " " -a " $status" != " 0"
+- then
+- oops="silent error, exit status $status"
++ it="( ip route delete 0.0.0.0/1 ;
++ ip route delete 128.0.0.0/1 )"
++ else
++ it="ip route delete $PLUTO_PEER_CLIENT"
++ fi
++
++ oops="`$it 2>&1`"
++ st="$?"
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+- status=0
++ st=0
+ ;;
+ esac
+- if test " $oops" != " " -o " $status" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+- exit $status
++
++ exit $st
++
+ ;;
+ route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
++
++ ipsec _showstatus valid
+ uproute
++
+ ;;
+ unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
++
++ ipsec _showstatus invalid
+ downroute
++
+ ;;
+-up-host:)
++up-host:*)
+ # connection to me coming up
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus up
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-UP"
++
+ ;;
+-down-host:)
++down-host:*)
+ # connection to me going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-client:)
+- # connection to my client subnet coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-client:)
+- # connection to my client subnet going down
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus down
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-DN"
++
+ ;;
+-up-host:iptables)
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-down-host:iptables)
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-up-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++up-client:*)
++ # connection to client subnet coming up
++
++ ipsec _showstatus up
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+- ;;
+-down-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ fi
++
++ dologentry "VPN-UP"
++
++ ;;
++down-client:*)
++ # connection to client subnet going down
++
++ ipsec _showstatus down
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+ fi
++
++ dologentry "VPN-DN"
++
+ ;;
+-#
+-# IPv6
+-#
+ prepare-host-v6:*|prepare-client-v6:*)
++
+ ;;
+ route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
++
+ #uproute_v6
++
+ ;;
+ unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
++
+ #downroute_v6
++
+ ;;
+ up-host-v6:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-host-v6:*)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
++*)
++ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
++
+ ;;
+ esac
++
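Review bot: The `up-host`, `down-host`, `up-client` and `down-client` arms call `upfirewall`/`downfirewall` with `$OUT_DEST_OUT`, but the variable defined at the top of the file is `IPT_DEST_OUT`, so the fourth argument is empty, the `[ -n "$out_rule" -a -n "$out_dest" ]` guard fails and the OUTPUT rule is silently never inserted or deleted; each of the four calls should read `... $IPT_RULE_OUT $IPT_DEST_OUT`. In the `prepare-host`/`prepare-client` arm `oops="\`$it 2>&1\`"` expands `$it` without `eval`, so for the `0.0.0.0/0.0.0.0` case the shell attempts to run a command literally named `(` and the arm exits non-zero; `addsource` and `doroute` in the same file use `oops="\`eval $it 2>&1\`"` and this site should too. Dropping the `iptables:iptables` arm from the parameter check sends an invocation with the `iptables` argument to the `unknown parameters` arm — if pluto still passes it for `leftfirewall=yes` as the deleted comment states, that configuration now fails before any verb is handled. `[ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]` in `dologentry` is carried over from the old code but `==` is not POSIX `test` syntax under `#! /bin/sh`; `=` is the portable form.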
diff --git a/package/strongswan/patches/300-openwrt.patch b/package/strongswan/patches/300-openwrt.patch
new file mode 100644
index 0000000..7386af5
--- /dev/null
+++ b/package/strongswan/patches/300-openwrt.patch
@@ -0,0 +1,24 @@
+diff -ruN strongswan-2.8.1-orig/Makefile.inc strongswan-2.8.1/Makefile.inc
+--- strongswan-2.8.1-orig/Makefile.inc 2007-01-11 16:42:11.000000000 -0500
++++ strongswan-2.8.1/Makefile.inc 2007-01-17 02:42:25.961297797 -0500
+@@ -123,7 +123,7 @@
+ # With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
+ # INC_RCDIRS directories has been pre-created under DESTDIR.
+ INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
+-INC_RCDEFAULT=/etc/rc.d/init.d
++INC_RCDEFAULT=/etc/init.d
+
+ # RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
+ # will finally be (so utils/Makefile can create a symlink in BINDIR to the
+diff -ruN strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in strongswan-2.8.1/programs/showhostkey/showhostkey.in
+--- strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in 2004-03-15 15:35:31.000000000 -0500
++++ strongswan-2.8.1/programs/showhostkey/showhostkey.in 2007-01-17 00:02:35.433150839 -0500
+@@ -62,7 +62,7 @@
+ exit 1
+ fi
+
+-host="`hostname --fqdn`"
++host="`cat /proc/sys/kernel/hostname`"
+
+ awk ' BEGIN {
+ inkey = 0
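Review bot: `cat /proc/sys/kernel/hostname` on the new line yields the kernel nodename, which is not necessarily the fully qualified name that `hostname --fqdn` returned, so the host record showhostkey prints may now carry a short name, and the script additionally depends on procfs being mounted. The patch gives no reason for the substitution; a comment above the assignment such as `# hostname --fqdn is not available on this target; the kernel nodename may not be fully qualified` would record the trade-off for whoever later compares the output with a DNS record. The INC_RCDEFAULT change is a plain path edit and needs nothing. The awk program that consumes `$host` continues outside the hunk.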
diff --git a/package/strongswan/patches/310-make-ipsec-alg.patch b/package/strongswan/patches/310-make-ipsec-alg.patch
new file mode 100644
index 0000000..cf4842a
--- /dev/null
+++ b/package/strongswan/patches/310-make-ipsec-alg.patch
@@ -0,0 +1,18 @@
+diff -ruN strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi
+--- strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2004-03-22 16:53:19.000000000 -0500
++++ strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-01-17 02:28:26.835241726 -0500
+@@ -1,10 +1,10 @@
+ MOD_CRYPTOAPI := ipsec_cryptoapi.o
+
+ ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
+-ALG_MODULES += $(MOD_CRYPTOAPI)
+-obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+-static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+-alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
++#ALG_MODULES += $(MOD_CRYPTOAPI)
++#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
++#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
++#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+ else
+ $(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
+ endif
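Review bot: The four `+=` lines are left behind as commented-out code with no explanation, so the `ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)` branch is now empty while the `else` branch still emits the "CryptoAPI not found" warning, which reads as if the glue is skipped by accident rather than by decision. Replace the four dead lines with one comment stating the reason, e.g. `# ipsec_cryptoapi glue intentionally not built for this target: <reason>` (placeholder, fill in the real motivation), or remove the conditional so the warning cannot mislead. Commented-out Makefile lines tend to be resurrected blindly on the next rebase.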
diff --git a/package/strongswan/patches/320-no-modprobe.patch b/package/strongswan/patches/320-no-modprobe.patch
new file mode 100644
index 0000000..cbd720a
--- /dev/null
+++ b/package/strongswan/patches/320-no-modprobe.patch
@@ -0,0 +1,105 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/klips.c strongswan-2.8.1/programs/starter/klips.c
+--- strongswan-2.8.1-orig/programs/starter/klips.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/klips.c 2007-01-16 23:57:19.107972109 -0500
+@@ -44,7 +44,7 @@
+ unsetenv("MODPATH");
+ unsetenv("MODULECONF");
+ system("depmod -a >/dev/null 2>&1");
+- system("modprobe -qv ipsec");
++ system("insmod -qv ipsec");
+ }
+ if (stat(PROC_IPSECVERSION, &stb) == 0)
+ {
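Review bot: `insmod` does not resolve module dependencies or aliases the way `modprobe` does, so `system("insmod -qv ipsec")` here and the same substitution in the later hunks of this patch (the `ipsec_*` algorithm loads, `af_key`, and the `ah4`/`esp4`/`ipcomp`/`xfrm4_tunnel`/`xfrm_user` sequence in netkey.c and `_startklips.in`) will fail whenever a module needs one not yet loaded, and `-q` suppresses the message that would show it; whether the target's insmod (presumably BusyBox) accepts `-q`/`-v` and locates modules by bare name is not shown here and should be confirmed. The `system("depmod -a >/dev/null 2>&1")` kept two lines above now builds a dependency table that nothing consumes, and `unset MODPATH MODULECONF` in the `_startklips.in` hunk likewise only influences modprobe, so both are dead work after this change. A comment at the first load, e.g. `/* insmod only: no dependency resolution, so the load order below must satisfy module deps */`, would keep the ordering from being reshuffled casually. The enclosing functions in klips.c and netkey.c start outside the hunk.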
+@@ -62,11 +62,11 @@
+ /* make sure that all available crypto algorithms are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv ipsec_aes");
+- system("modprobe -qv ipsec_serpent");
+- system("modprobe -qv ipsec_twofish");
+- system("modprobe -qv ipsec_blowfish");
+- system("modprobe -qv ipsec_sha2");
++ system("insmod -qv ipsec_aes");
++ system("insmod -qv ipsec_serpent");
++ system("insmod -qv ipsec_twofish");
++ system("insmod -qv ipsec_blowfish");
++ system("insmod -qv ipsec_sha2");
+ }
+
+ starter_klips_clear();
+diff -ruN strongswan-2.8.1-orig/programs/starter/netkey.c strongswan-2.8.1/programs/starter/netkey.c
+--- strongswan-2.8.1-orig/programs/starter/netkey.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/netkey.c 2007-01-16 23:57:28.094204186 -0500
+@@ -36,7 +36,7 @@
+ /* af_key module makes the netkey proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv af_key");
++ system("insmod -qv af_key");
+ }
+
+ /* now test again */
+@@ -52,11 +52,11 @@
+ /* make sure that all required IPsec modules are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv ah4");
+- system("modprobe -qv esp4");
+- system("modprobe -qv ipcomp");
+- system("modprobe -qv xfrm4_tunnel");
+- system("modprobe -qv xfrm_user");
++ system("insmod -qv ah4");
++ system("insmod -qv esp4");
++ system("insmod -qv ipcomp");
++ system("insmod -qv xfrm4_tunnel");
++ system("insmod -qv xfrm_user");
+ }
+
+ DBG(DBG_CONTROL,
+diff -ruN strongswan-2.8.1-orig/programs/_startklips/_startklips.in strongswan-2.8.1/programs/_startklips/_startklips.in
+--- strongswan-2.8.1-orig/programs/_startklips/_startklips.in 2005-05-06 18:11:33.000000000 -0400
++++ strongswan-2.8.1/programs/_startklips/_startklips.in 2007-01-17 00:04:11.189627735 -0500
+@@ -249,7 +249,7 @@
+
+ if test ! -f $ipsecversion && test ! -f $netkey
+ then
+- modprobe -v af_key
++ insmod -v af_key
+ fi
+
+ if test -f $netkey
+@@ -257,11 +257,11 @@
+ klips=false
+ if test -f $modules
+ then
+- modprobe -qv ah4
+- modprobe -qv esp4
+- modprobe -qv ipcomp
+- modprobe -qv xfrm4_tunnel
+- modprobe -qv xfrm_user
++ insmod -qv ah4
++ insmod -qv esp4
++ insmod -qv ipcomp
++ insmod -qv xfrm4_tunnel
++ insmod -qv xfrm_user
+ fi
+ fi
+
+@@ -272,7 +272,7 @@
+ setmodule
+ unset MODPATH MODULECONF # no user overrides!
+ depmod -a >/dev/null 2>&1
+- modprobe -v ipsec
++ insmod -v ipsec
+ fi
+ if test ! -f $ipsecversion
+ then
+@@ -288,7 +288,7 @@
+ do
+ if test -f $moduleinstplace/alg/ipsec_$alg.o
+ then
+- modprobe ipsec_$alg
++ insmod ipsec_$alg
+ fi
+ done
+ fi
diff --git a/package/strongswan/patches/350-make-programs.patch b/package/strongswan/patches/350-make-programs.patch
new file mode 100644
index 0000000..5c2173b
--- /dev/null
+++ b/package/strongswan/patches/350-make-programs.patch
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile 2007-02-04 01:24:18.751598552 -0500
+@@ -17,12 +17,10 @@
+ FREESWANSRCDIR=..
+ include ${FREESWANSRCDIR}/Makefile.inc
+
+-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
+-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
+-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
++SUBDIRS=_copyright _updown _showstatus wakeup examples
++SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
++SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
++SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
+
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq
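Review bot: The new SUBDIRS list drops `_startklips`, yet 320-no-modprobe.patch in this same commit still patches `programs/_startklips/_startklips.in`, so those hunks now modify a directory that is never built; either keep `_startklips` or drop that part of the other patch rather than carry dead changes. `barf` is kept while `_keycensor` and `_secretcensor` are removed; I believe barf filters the host key and ipsec.secrets through those helpers before dumping them, and if so the diagnostic dump would either fail or lose its redaction, which deserves confirmation before the helpers go. `setup` is removed as well, and it appears to be what installs the rc script that 300-openwrt.patch redirects to `/etc/init.d`; confirm that another mechanism provides the init script. A comment above the list stating the selection rule, e.g. `# trimmed to the programs the OpenWrt package ships: <reason>` (placeholder wording), would help the next rebase.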