diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
--- strongswan-2.8.2-orig/programs/_updown/_updown.8	2006-04-17 02:48:49.000000000 -0400
+++ strongswan-2.8.2/programs/_updown/_updown.8	2007-02-05 02:13:05.252612099 -0500
@@ -8,8 +8,23 @@
 .I _updown
 is invoked by pluto when it has brought up a new connection. This script
 is used to insert the appropriate routing entries for IPsec operation.
-It can also be used to insert and delete dynamic iptables firewall rules.
-The interface to the script is documented in the pluto man page.
+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
+tables. Most distributions will want to change that to provide more
+flexibility in their firewall configuration.
+The script looks for the environment variables
+.B IPSEC_UPDOWN_RULE_IN
+for the iptables table it should insert into,
+.B IPSEC_UPDOWN_DEST_IN
+for where the rule should -j jump to,
+.B IPSEC_UPDOWN_RULE_OUT
+.B IPSEC_UPDOWN_DEST_OUT
+for the same on outgoing packets, and
+.B IPSEC_UPDOWN_FWD_RULE_IN
+.B IPSEC_UPDOWN_FWD_DEST_IN
+.B IPSEC_UPDOWN_FWD_RULE_OUT
+.B IPSEC_UPDOWN_FWD_DEST_OUT
+respectively for packets being forwarded to/from the local networks.
 .SH "SEE ALSO"
 ipsec(8), ipsec_pluto(8).
 .SH HISTORY
diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
--- strongswan-2.8.2-orig/programs/_updown/_updown.in	2006-04-17 11:06:29.000000000 -0400
+++ strongswan-2.8.2/programs/_updown/_updown.in	2007-02-05 02:08:24.969100428 -0500
@@ -5,6 +5,7 @@
 # Copyright (C) 2003-2004 Tuomo Soini
 # Copyright (C) 2002-2004 Michael Richardson
 # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
 # 
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -118,20 +119,61 @@
 #              restricted on the peer side.
 #
 
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
+# set to /bin/true to silence log messages
+LOGGER=logger
+
 # tag put in front of each log entry:
 TAG=vpn
-#
+
 # syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice                   -/var/log/vpn
-#
+FAC_PRIO=authpriv.info
+
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ] ; then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+
+if [ "$PLUTO_PEER_PORT" != 0 ] ; then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# import firewall behavior
+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
+
+# import forwarding behavior
+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
+
+# default firewall behavior
+[ -z "$IPT_RULE_IN"  ] && IPT_RULE_IN=INPUT
+[ -z "$IPT_DEST_IN"  ] && IPT_DEST_IN=ACCEPT
+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
+
+# default forwarding behavior
+[ -z "$FWD_RULE_IN"  ] && FWD_RULE_IN=FORWARD
+[ -z "$FWD_DEST_IN"  ] && FWD_DEST_IN=ACCEPT
+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
+
 
 # check interface version
 case "$PLUTO_VERSION" in
@@ -150,8 +192,6 @@
 case "$1:$*" in
 ':')			# no parameters
 	;;
-iptables:iptables)	# due to (left/right)firewall; for default script only
-	;;
 custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 *)	echo "$0: unknown parameters \`$*'" >&2
@@ -159,345 +199,307 @@
 	;;
 esac
 
+
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
+
 uproute() {
 	doroute add
 	ip route flush cache
 }
+
 downroute() {
 	doroute delete
 	ip route flush cache
 }
 
+upfirewall() {
+	in_rule=$1
+	in_dest=$2
+	out_rule=$3
+	out_dest=$4
+
+	[ -n "$in_rule" -a -n "$in_dest" ] &&		\
+	iptables -I $in_rule 1				\
+		-i $PLUTO_INTERFACE			\
+		-p $PLUTO_MY_PROTOCOL			\
+		-s $PLUTO_PEER_CLIENT	$S_PEER_PORT	\
+		-d $PLUTO_MY_CLIENT	$D_MY_PORT	\
+		$IPSEC_POLICY_IN			\
+		-j $in_dest
+
+	[ -n "$out_rule" -a -n "$out_dest" ] &&		\
+	iptables -I $out_rule 1				\
+		-o $PLUTO_INTERFACE			\
+		-p $PLUTO_PEER_PROTOCOL			\
+		-s $PLUTO_MY_CLIENT	$S_MY_PORT	\
+		-d $PLUTO_PEER_CLIENT	$D_PEER_PORT	\
+		$IPSEC_POLICY_OUT			\
+		-j $out_dest
+
+}
+
+downfirewall() {
+	in_rule=$1
+	in_dest=$2
+	out_rule=$3
+	out_dest=$4
+
+	[ -n "$in_rule" -a -n "$in_dest" ] &&		\
+	iptables -D $in_rule				\
+		-i $PLUTO_INTERFACE			\
+		-p $PLUTO_MY_PROTOCOL			\
+		-s $PLUTO_PEER_CLIENT	$S_PEER_PORT	\
+		-d $PLUTO_MY_CLIENT	$D_MY_PORT	\
+		$IPSEC_POLICY_IN			\
+		-j $in_dest
+
+	[ -n "$out_rule" -a -n "$out_dest" ] &&		\
+	iptables -D $out_rule				\
+		-o $PLUTO_INTERFACE			\
+		-p $PLUTO_PEER_PROTOCOL			\
+		-s $PLUTO_MY_CLIENT	$S_MY_PORT	\
+		-d $PLUTO_PEER_CLIENT	$D_PEER_PORT	\
+		$IPSEC_POLICY_OUT			\
+		-j $out_dest
+
+}
+
 addsource() {
 	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
+
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
+
 	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
 	    oops="`eval $it 2>&1`"
 	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
+
+	    if [ " $oops"  = " " -a " $st" != " 0" ] ; then
 		oops="silent error, exit status $st"
 	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
+
+	    if [ " $oops" != " " -o " $st" != " 0" ] ; then
 		echo "$0: addsource \`$it' failed ($oops)" >&2
 	    fi
 	fi
+
 	return $st
 }
 
 doroute() {
 	st=0
 	parms="$PLUTO_PEER_CLIENT"
+	parms2="dev $PLUTO_INTERFACE"
 
-	parms2=
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	   parms2="via $PLUTO_NEXT_HOP"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if [ -f /etc/sysconfig/defaultsource ]
-	    then
-		. /etc/sysconfig/defaultsource
-	    fi
+	if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
 
-	    if [ -f /etc/conf.d/defaultsource ]
-	    then
-		. /etc/conf.d/defaultsource
-	    fi
+		[ -f /etc/sysconfig/defaultsource ] && \
+			. /etc/sysconfig/defaultsource
+
+		[ -f /etc/conf.d/defaultsource ] && \
+			. /etc/conf.d/defaultsource
+
+	    	[ -n "$DEFAULTSOURCE" ]	&& \
+			PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
 
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
         fi
 
 	parms3=
-	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
-	then
+	if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
 	    addsource
 	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
 	fi
 
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
+	if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
+						"0.0.0.0/0.0.0.0" ] ; then
 		# opportunistic encryption work around
 		# need to provide route that eclipses default, without 
 		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms $parms2 $parms3"
-		;;
-	esac
+		it="ip route $1   0.0.0.0/1 $parms2 $parms3 &&
+		    ip route $1 128.0.0.0/1 $parms2 $parms3"
+	else
+		it="ip route $1 $parms $parms2 $parms3"
+	fi
+
 	oops="`eval $it 2>&1`"
 	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
+
+	if [ " $oops" = " " -a " $st" != " 0" ] ; then
+		oops="silent error, exit status $st"
 	fi
+
+	if [ " $oops" != " " -o " $st" != " 0" ] ; then
+		echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+
 	return $st
 }
- 
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-	IPSEC_POLICY_IN=""
-	IPSEC_POLICY_OUT=""
-else
-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
 
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-	S_MY_PORT="--sport $PLUTO_MY_PORT"
-	D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
+dologentry() {
+	action=$1
+
+	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
+		rem="$PLUTO_PEER"
+	else
+		rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
+	fi
+
+	if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
+		loc="$PLUTO_ME"
+	else
+		loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
+	fi
+
+	$LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
+}
+
 
 # the big choice
+
 case "$PLUTO_VERB:$1" in
 prepare-host:*|prepare-client:*)
 	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without 
+
+	if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
+						"0.0.0.0/0.0.0.0" ] ; then
+		# need to remove the route that eclipses default, without 
 		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
+		it="( ip route delete   0.0.0.0/1 ;
+		      ip route delete 128.0.0.0/1 )"
+	else
+		it="ip route delete $PLUTO_PEER_CLIENT"
+	fi
+
+	oops="`$it 2>&1`"
+	st="$?"
+
+	if [ " $oops" = " " -a " $st" != " 0" ] ; then
+		oops="silent error, exit status $st"
 	fi
+
 	case "$oops" in
 	*'RTNETLINK answers: No such process'*)	
 		# This is what route (currently -- not documented!) gives
 		# for "could not find such a route".
 		oops=
-		status=0
+		st=0
 		;;
 	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
+
+	if [ " $oops" != " " -o " $st" != " 0" ] ; then
 		echo "$0: \`$it' failed ($oops)" >&2
 	fi
-	exit $status
+
+	exit $st
+
 	;;
 route-host:*|route-client:*)
 	# connection to me or my client subnet being routed
+
+	ipsec _showstatus valid
 	uproute
+
 	;;
 unroute-host:*|unroute-client:*)
 	# connection to me or my client subnet being unrouted
+
+	ipsec _showstatus invalid
 	downroute
+
 	;;
-up-host:)
+up-host:*)
 	# connection to me coming up
-	# If you are doing a custom version, firewall commands go here.
+
+	ipsec _showstatus up
+	upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+	dologentry "VPN-UP"
+
 	;;
-down-host:)
+down-host:*)
 	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
+
+	ipsec _showstatus down
+	downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+	dologentry "VPN-DN"
+
 	;;
-up-host:iptables)
-	# connection to me, with (left/right)firewall=yes, coming up
-	# This is used only by the default updown script, not by your custom
-	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi	
-	;;
-down-host:iptables)
-	# connection to me, with (left/right)firewall=yes, going down
-	# This is used only by the default updown script, not by your custom
-	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	#
-	# log IPsec host connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-	  fi
-	fi
-	;;
-up-client:iptables)
-	# connection to client subnet, with (left/right)firewall=yes, coming up
-	# This is used only by the default updown script, not by your custom
-	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
+up-client:*)
+	# connection to client subnet coming up
+
+	ipsec _showstatus up
+
+	if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
+	     "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
+		upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
 	fi
-	#
+
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection setup
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO \
-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
-	fi
-	;;
-down-client:iptables)
-	# connection to client subnet, with (left/right)firewall=yes, going down
-	# This is used only by the default updown script, not by your custom
-	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
+		upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+	fi
+
+	dologentry "VPN-UP"
+
+	;;
+down-client:*)
+	# connection to client subnet going down
+
+	ipsec _showstatus down
+
+	if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
+	     "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
+		downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
 	fi
-	#
+
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
-	#
-	# log IPsec client connection teardown
-	if [ $VPN_LOGGING ]
-	then
-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-	  then
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  else
-	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-	  fi
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
+		downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
 	fi
+
+	dologentry "VPN-DN"
+
 	;;
-#
-# IPv6
-#
 prepare-host-v6:*|prepare-client-v6:*)
+
 	;;
 route-host-v6:*|route-client-v6:*)
 	# connection to me or my client subnet being routed
+
 	#uproute_v6
+
 	;;
 unroute-host-v6:*|unroute-client-v6:*)
 	# connection to me or my client subnet being unrouted
+
 	#downroute_v6
+
 	;;
 up-host-v6:*)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
+
 	;;
 down-host-v6:*)
 	# connection to me going down
 	# If you are doing a custom version, firewall commands go here.
+
 	;;
 up-client-v6:)
 	# connection to my client subnet coming up
 	# If you are doing a custom version, firewall commands go here.
+
 	;;
 down-client-v6:)
 	# connection to my client subnet going down
 	# If you are doing a custom version, firewall commands go here.
+
 	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+*)
+	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 	exit 1
+
 	;;
 esac
+