+++ /dev/null
-Index: strongswan-2.8.2/programs/_updown/_updown.8
-===================================================================
---- strongswan-2.8.2.orig/programs/_updown/_updown.8 2007-06-04 13:23:04.632029720 +0200
-+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-06-04 13:23:06.656721920 +0200
-@@ -8,8 +8,23 @@
- .I _updown
- is invoked by pluto when it has brought up a new connection. This script
- is used to insert the appropriate routing entries for IPsec operation.
--It can also be used to insert and delete dynamic iptables firewall rules.
--The interface to the script is documented in the pluto man page.
-+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
-+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
-+tables. Most distributions will want to change that to provide more
-+flexibility in their firewall configuration.
-+The script looks for the environment variables
-+.B IPSEC_UPDOWN_RULE_IN
-+for the iptables table it should insert into,
-+.B IPSEC_UPDOWN_DEST_IN
-+for where the rule should -j jump to,
-+.B IPSEC_UPDOWN_RULE_OUT
-+.B IPSEC_UPDOWN_DEST_OUT
-+for the same on outgoing packets, and
-+.B IPSEC_UPDOWN_FWD_RULE_IN
-+.B IPSEC_UPDOWN_FWD_DEST_IN
-+.B IPSEC_UPDOWN_FWD_RULE_OUT
-+.B IPSEC_UPDOWN_FWD_DEST_OUT
-+respectively for packets being forwarded to/from the local networks.
- .SH "SEE ALSO"
- ipsec(8), ipsec_pluto(8).
- .SH HISTORY
-Index: strongswan-2.8.2/programs/_updown/_updown.in
-===================================================================
---- strongswan-2.8.2.orig/programs/_updown/_updown.in 2007-06-04 13:23:04.642028200 +0200
-+++ strongswan-2.8.2/programs/_updown/_updown.in 2007-06-04 13:23:06.657721768 +0200
-@@ -5,6 +5,7 @@
- # Copyright (C) 2003-2004 Tuomo Soini
- # Copyright (C) 2002-2004 Michael Richardson
- # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
-+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
- #
- # This program is free software; you can redistribute it and/or modify it
- # under the terms of the GNU General Public License as published by the
-@@ -118,20 +119,61 @@
- # restricted on the peer side.
- #
-
--# uncomment to log VPN connections
--VPN_LOGGING=1
--#
-+# set to /bin/true to silence log messages
-+LOGGER=logger
-+
- # tag put in front of each log entry:
- TAG=vpn
--#
-+
- # syslog facility and priority used:
--FAC_PRIO=local0.notice
--#
--# to create a special vpn logging file, put the following line into
--# the syslog configuration file /etc/syslog.conf:
--#
--# local0.notice -/var/log/vpn
--#
-+FAC_PRIO=authpriv.info
-+
-+
-+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
-+ IPSEC_POLICY_IN=""
-+ IPSEC_POLICY_OUT=""
-+else
-+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-+fi
-+
-+# are there port numbers?
-+if [ "$PLUTO_MY_PORT" != 0 ] ; then
-+ S_MY_PORT="--sport $PLUTO_MY_PORT"
-+ D_MY_PORT="--dport $PLUTO_MY_PORT"
-+fi
-+
-+if [ "$PLUTO_PEER_PORT" != 0 ] ; then
-+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-+fi
-+
-+# import firewall behavior
-+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
-+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
-+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
-+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
-+
-+# import forwarding behavior
-+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
-+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
-+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
-+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
-+
-+# default firewall behavior
-+[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
-+[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
-+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
-+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
-+
-+# default forwarding behavior
-+[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
-+[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
-+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
-+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
-+
-
- # check interface version
- case "$PLUTO_VERSION" in
-@@ -150,8 +192,6 @@
- case "$1:$*" in
- ':') # no parameters
- ;;
--iptables:iptables) # due to (left/right)firewall; for default script only
-- ;;
- custom:*) # custom parameters (see above CAUTION comment)
- ;;
- *) echo "$0: unknown parameters \`$*'" >&2
-@@ -159,345 +199,307 @@
- ;;
- esac
-
-+
- # utility functions for route manipulation
- # Meddling with this stuff should not be necessary and requires great care.
-+
- uproute() {
- doroute add
- ip route flush cache
- }
-+
- downroute() {
- doroute delete
- ip route flush cache
- }
-
-+upfirewall() {
-+ in_rule=$1
-+ in_dest=$2
-+ out_rule=$3
-+ out_dest=$4
-+
-+ [ -n "$in_rule" -a -n "$in_dest" ] && \
-+ iptables -I $in_rule 1 \
-+ -i $PLUTO_INTERFACE \
-+ -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
-+ $IPSEC_POLICY_IN \
-+ -j $in_dest
-+
-+ [ -n "$out_rule" -a -n "$out_dest" ] && \
-+ iptables -I $out_rule 1 \
-+ -o $PLUTO_INTERFACE \
-+ -p $PLUTO_PEER_PROTOCOL \
-+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-+ $IPSEC_POLICY_OUT \
-+ -j $out_dest
-+
-+}
-+
-+downfirewall() {
-+ in_rule=$1
-+ in_dest=$2
-+ out_rule=$3
-+ out_dest=$4
-+
-+ [ -n "$in_rule" -a -n "$in_dest" ] && \
-+ iptables -D $in_rule \
-+ -i $PLUTO_INTERFACE \
-+ -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
-+ $IPSEC_POLICY_IN \
-+ -j $in_dest
-+
-+ [ -n "$out_rule" -a -n "$out_dest" ] && \
-+ iptables -D $out_rule \
-+ -o $PLUTO_INTERFACE \
-+ -p $PLUTO_PEER_PROTOCOL \
-+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-+ $IPSEC_POLICY_OUT \
-+ -j $out_dest
-+
-+}
-+
- addsource() {
- st=0
-- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-- then
-+
-+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
-+
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
-- if test " $oops" = " " -a " $st" != " 0"
-- then
-+
-+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
- oops="silent error, exit status $st"
- fi
-- if test " $oops" != " " -o " $st" != " 0"
-- then
-+
-+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
-+
- return $st
- }
-
- doroute() {
- st=0
- parms="$PLUTO_PEER_CLIENT"
-+ parms2="dev $PLUTO_INTERFACE"
-
-- parms2=
-- if [ -n "$PLUTO_NEXT_HOP" ]
-- then
-- parms2="via $PLUTO_NEXT_HOP"
-- fi
-- parms2="$parms2 dev $PLUTO_INTERFACE"
--
-- if [ -z "$PLUTO_MY_SOURCEIP" ]
-- then
-- if [ -f /etc/sysconfig/defaultsource ]
-- then
-- . /etc/sysconfig/defaultsource
-- fi
-+ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
-
-- if [ -f /etc/conf.d/defaultsource ]
-- then
-- . /etc/conf.d/defaultsource
-- fi
-+ [ -f /etc/sysconfig/defaultsource ] && \
-+ . /etc/sysconfig/defaultsource
-+
-+ [ -f /etc/conf.d/defaultsource ] && \
-+ . /etc/conf.d/defaultsource
-+
-+ [ -n "$DEFAULTSOURCE" ] && \
-+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-
-- if [ -n "$DEFAULTSOURCE" ]
-- then
-- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-- fi
- fi
-
- parms3=
-- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
-- then
-+ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
- addsource
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
- fi
-
-- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-- "0.0.0.0/0.0.0.0")
-+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
-+ "0.0.0.0/0.0.0.0" ] ; then
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
-- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-- ip route $1 128.0.0.0/1 $parms2 $parms3"
-- ;;
-- *) it="ip route $1 $parms $parms2 $parms3"
-- ;;
-- esac
-+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-+ ip route $1 128.0.0.0/1 $parms2 $parms3"
-+ else
-+ it="ip route $1 $parms $parms2 $parms3"
-+ fi
-+
- oops="`eval $it 2>&1`"
- st=$?
-- if test " $oops" = " " -a " $st" != " 0"
-- then
-- oops="silent error, exit status $st"
-- fi
-- if test " $oops" != " " -o " $st" != " 0"
-- then
-- echo "$0: doroute \`$it' failed ($oops)" >&2
-+
-+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
-+ oops="silent error, exit status $st"
- fi
-+
-+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
-+ echo "$0: doroute \`$it' failed ($oops)" >&2
-+ fi
-+
- return $st
- }
--
--# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
--if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
--then
-- IPSEC_POLICY_IN=""
-- IPSEC_POLICY_OUT=""
--else
-- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
--fi
-
--# are there port numbers?
--if [ "$PLUTO_MY_PORT" != 0 ]
--then
-- S_MY_PORT="--sport $PLUTO_MY_PORT"
-- D_MY_PORT="--dport $PLUTO_MY_PORT"
--fi
--if [ "$PLUTO_PEER_PORT" != 0 ]
--then
-- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
--fi
-+dologentry() {
-+ action=$1
-+
-+ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
-+ rem="$PLUTO_PEER"
-+ else
-+ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
-+ fi
-+
-+ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
-+ loc="$PLUTO_ME"
-+ else
-+ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
-+ fi
-+
-+ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
-+}
-+
-
- # the big choice
-+
- case "$PLUTO_VERB:$1" in
- prepare-host:*|prepare-client:*)
- # delete possibly-existing route (preliminary to adding a route)
-- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-- "0.0.0.0/0.0.0.0")
-- # need to provide route that eclipses default, without
-+
-+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
-+ "0.0.0.0/0.0.0.0" ] ; then
-+ # need to remove the route that eclipses default, without
- # replacing it.
-- parms1="0.0.0.0/1"
-- parms2="128.0.0.0/1"
-- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-- ;;
-- *)
-- parms="$PLUTO_PEER_CLIENT"
-- it="ip route delete $parms 2>&1"
-- oops="`ip route delete $parms 2>&1`"
-- ;;
-- esac
-- status="$?"
-- if test " $oops" = " " -a " $status" != " 0"
-- then
-- oops="silent error, exit status $status"
-+ it="( ip route delete 0.0.0.0/1 ;
-+ ip route delete 128.0.0.0/1 )"
-+ else
-+ it="ip route delete $PLUTO_PEER_CLIENT"
-+ fi
-+
-+ oops="`$it 2>&1`"
-+ st="$?"
-+
-+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
-+ oops="silent error, exit status $st"
- fi
-+
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
-- status=0
-+ st=0
- ;;
- esac
-- if test " $oops" != " " -o " $status" != " 0"
-- then
-+
-+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
-- exit $status
-+
-+ exit $st
-+
- ;;
- route-host:*|route-client:*)
- # connection to me or my client subnet being routed
-+
-+ ipsec _showstatus valid
- uproute
-+
- ;;
- unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
-+
-+ ipsec _showstatus invalid
- downroute
-+
- ;;
--up-host:)
-+up-host:*)
- # connection to me coming up
-- # If you are doing a custom version, firewall commands go here.
-+
-+ ipsec _showstatus up
-+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
-+ dologentry "VPN-UP"
-+
- ;;
--down-host:)
-+down-host:*)
- # connection to me going down
-- # If you are doing a custom version, firewall commands go here.
-- ;;
--up-client:)
-- # connection to my client subnet coming up
-- # If you are doing a custom version, firewall commands go here.
-- ;;
--down-client:)
-- # connection to my client subnet going down
-- # If you are doing a custom version, firewall commands go here.
-+
-+ ipsec _showstatus down
-+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
-+ dologentry "VPN-DN"
-+
- ;;
--up-host:iptables)
-- # connection to me, with (left/right)firewall=yes, coming up
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-- #
-- # log IPsec host connection setup
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-- else
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-- fi
-- fi
-- ;;
--down-host:iptables)
-- # connection to me, with (left/right)firewall=yes, going down
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-- #
-- # log IPsec host connection teardown
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-- else
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-- fi
-- fi
-- ;;
--up-client:iptables)
-- # connection to client subnet, with (left/right)firewall=yes, coming up
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-- then
-- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-+up-client:*)
-+ # connection to client subnet coming up
-+
-+ ipsec _showstatus up
-+
-+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
-+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
-+ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
- fi
-- #
-+
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
-- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-- then
-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- fi
-- #
-- # log IPsec client connection setup
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- else
-- logger -t $TAG -p $FAC_PRIO \
-- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- fi
-- fi
-- ;;
--down-client:iptables)
-- # connection to client subnet, with (left/right)firewall=yes, going down
-- # This is used only by the default updown script, not by your custom
-- # ones, so do not mess with it; see CAUTION comment up at top.
-- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-- then
-- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
-+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
-+ fi
-+
-+ dologentry "VPN-UP"
-+
-+ ;;
-+down-client:*)
-+ # connection to client subnet going down
-+
-+ ipsec _showstatus down
-+
-+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
-+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
-+ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
- fi
-- #
-+
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
-- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-- then
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-- $IPSEC_POLICY_IN -j ACCEPT
-- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-- $IPSEC_POLICY_OUT -j ACCEPT
-- fi
-- #
-- # log IPsec client connection teardown
-- if [ $VPN_LOGGING ]
-- then
-- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-- then
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- else
-- logger -t $TAG -p $FAC_PRIO -- \
-- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-- fi
-+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
-+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
- fi
-+
-+ dologentry "VPN-DN"
-+
- ;;
--#
--# IPv6
--#
- prepare-host-v6:*|prepare-client-v6:*)
-+
- ;;
- route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
-+
- #uproute_v6
-+
- ;;
- unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
-+
- #downroute_v6
-+
- ;;
- up-host-v6:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
- down-host-v6:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
- up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
- down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
-+
- ;;
--*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-+*)
-+ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
-+
- ;;
- esac
-+
projects / openwrt / openwrt.git / blobdiff