projects / openwrt / svn-archive / archive.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
packages: move Xorg category to its own feed, move X-related packages as well
[openwrt/svn-archive/archive.git] / net / strongswan / patches / 210-updown.patch
1 Index: strongswan-2.8.2/programs/_updown/_updown.8
2 ===================================================================
3 --- strongswan-2.8.2.orig/programs/_updown/_updown.8 2007-06-04 13:23:04.632029720 +0200
4 +++ strongswan-2.8.2/programs/_updown/_updown.8 2007-06-04 13:23:06.656721920 +0200
5 @@ -8,8 +8,23 @@
6 .I _updown
7 is invoked by pluto when it has brought up a new connection. This script
8 is used to insert the appropriate routing entries for IPsec operation.
9 -It can also be used to insert and delete dynamic iptables firewall rules.
10 -The interface to the script is documented in the pluto man page.
11 +It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
12 +By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
13 +tables. Most distributions will want to change that to provide more
14 +flexibility in their firewall configuration.
15 +The script looks for the environment variables
16 +.B IPSEC_UPDOWN_RULE_IN
17 +for the iptables table it should insert into,
18 +.B IPSEC_UPDOWN_DEST_IN
19 +for where the rule should -j jump to,
20 +.B IPSEC_UPDOWN_RULE_OUT
21 +.B IPSEC_UPDOWN_DEST_OUT
22 +for the same on outgoing packets, and
23 +.B IPSEC_UPDOWN_FWD_RULE_IN
24 +.B IPSEC_UPDOWN_FWD_DEST_IN
25 +.B IPSEC_UPDOWN_FWD_RULE_OUT
26 +.B IPSEC_UPDOWN_FWD_DEST_OUT
27 +respectively for packets being forwarded to/from the local networks.
28 .SH "SEE ALSO"
29 ipsec(8), ipsec_pluto(8).
30 .SH HISTORY
31 Index: strongswan-2.8.2/programs/_updown/_updown.in
32 ===================================================================
33 --- strongswan-2.8.2.orig/programs/_updown/_updown.in 2007-06-04 13:23:04.642028200 +0200
34 +++ strongswan-2.8.2/programs/_updown/_updown.in 2007-06-04 13:23:06.657721768 +0200
35 @@ -5,6 +5,7 @@
36 # Copyright (C) 2003-2004 Tuomo Soini
37 # Copyright (C) 2002-2004 Michael Richardson
38 # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
39 +# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
40 #
41 # This program is free software; you can redistribute it and/or modify it
42 # under the terms of the GNU General Public License as published by the
43 @@ -118,20 +119,61 @@
44 # restricted on the peer side.
45 #
46
47 -# uncomment to log VPN connections
48 -VPN_LOGGING=1
49 -#
50 +# set to /bin/true to silence log messages
51 +LOGGER=logger
52 +
53 # tag put in front of each log entry:
54 TAG=vpn
55 -#
56 +
57 # syslog facility and priority used:
58 -FAC_PRIO=local0.notice
59 -#
60 -# to create a special vpn logging file, put the following line into
61 -# the syslog configuration file /etc/syslog.conf:
62 -#
63 -# local0.notice -/var/log/vpn
64 -#
65 +FAC_PRIO=authpriv.info
66 +
67 +
68 +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
69 +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
70 + IPSEC_POLICY_IN=""
71 + IPSEC_POLICY_OUT=""
72 +else
73 + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
74 + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
75 + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
76 +fi
77 +
78 +# are there port numbers?
79 +if [ "$PLUTO_MY_PORT" != 0 ] ; then
80 + S_MY_PORT="--sport $PLUTO_MY_PORT"
81 + D_MY_PORT="--dport $PLUTO_MY_PORT"
82 +fi
83 +
84 +if [ "$PLUTO_PEER_PORT" != 0 ] ; then
85 + S_PEER_PORT="--sport $PLUTO_PEER_PORT"
86 + D_PEER_PORT="--dport $PLUTO_PEER_PORT"
87 +fi
88 +
89 +# import firewall behavior
90 +IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
91 +IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
92 +IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
93 +IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
94 +
95 +# import forwarding behavior
96 +FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
97 +FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
98 +FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
99 +FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
100 +
101 +# default firewall behavior
102 +[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
103 +[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
104 +[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
105 +[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
106 +
107 +# default forwarding behavior
108 +[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
109 +[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
110 +[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
111 +[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
112 +
113
114 # check interface version
115 case "$PLUTO_VERSION" in
116 @@ -150,8 +192,6 @@
117 case "$1:$*" in
118 ':') # no parameters
119 ;;
120 -iptables:iptables) # due to (left/right)firewall; for default script only
121 - ;;
122 custom:*) # custom parameters (see above CAUTION comment)
123 ;;
124 *) echo "$0: unknown parameters \`$*'" >&2
125 @@ -159,345 +199,307 @@
126 ;;
127 esac
128
129 +
130 # utility functions for route manipulation
131 # Meddling with this stuff should not be necessary and requires great care.
132 +
133 uproute() {
134 doroute add
135 ip route flush cache
136 }
137 +
138 downroute() {
139 doroute delete
140 ip route flush cache
141 }
142
143 +upfirewall() {
144 + in_rule=$1
145 + in_dest=$2
146 + out_rule=$3
147 + out_dest=$4
148 +
149 + [ -n "$in_rule" -a -n "$in_dest" ] && \
150 + iptables -I $in_rule 1 \
151 + -i $PLUTO_INTERFACE \
152 + -p $PLUTO_MY_PROTOCOL \
153 + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
154 + -d $PLUTO_MY_CLIENT $D_MY_PORT \
155 + $IPSEC_POLICY_IN \
156 + -j $in_dest
157 +
158 + [ -n "$out_rule" -a -n "$out_dest" ] && \
159 + iptables -I $out_rule 1 \
160 + -o $PLUTO_INTERFACE \
161 + -p $PLUTO_PEER_PROTOCOL \
162 + -s $PLUTO_MY_CLIENT $S_MY_PORT \
163 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
164 + $IPSEC_POLICY_OUT \
165 + -j $out_dest
166 +
167 +}
168 +
169 +downfirewall() {
170 + in_rule=$1
171 + in_dest=$2
172 + out_rule=$3
173 + out_dest=$4
174 +
175 + [ -n "$in_rule" -a -n "$in_dest" ] && \
176 + iptables -D $in_rule \
177 + -i $PLUTO_INTERFACE \
178 + -p $PLUTO_MY_PROTOCOL \
179 + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
180 + -d $PLUTO_MY_CLIENT $D_MY_PORT \
181 + $IPSEC_POLICY_IN \
182 + -j $in_dest
183 +
184 + [ -n "$out_rule" -a -n "$out_dest" ] && \
185 + iptables -D $out_rule \
186 + -o $PLUTO_INTERFACE \
187 + -p $PLUTO_PEER_PROTOCOL \
188 + -s $PLUTO_MY_CLIENT $S_MY_PORT \
189 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
190 + $IPSEC_POLICY_OUT \
191 + -j $out_dest
192 +
193 +}
194 +
195 addsource() {
196 st=0
197 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
198 - then
199 +
200 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
201 +
202 it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
203 oops="`eval $it 2>&1`"
204 st=$?
205 - if test " $oops" = " " -a " $st" != " 0"
206 - then
207 +
208 + if [ " $oops" = " " -a " $st" != " 0" ] ; then
209 oops="silent error, exit status $st"
210 fi
211 - if test " $oops" != " " -o " $st" != " 0"
212 - then
213 +
214 + if [ " $oops" != " " -o " $st" != " 0" ] ; then
215 echo "$0: addsource \`$it' failed ($oops)" >&2
216 fi
217 fi
218 +
219 return $st
220 }
221
222 doroute() {
223 st=0
224 parms="$PLUTO_PEER_CLIENT"
225 + parms2="dev $PLUTO_INTERFACE"
226
227 - parms2=
228 - if [ -n "$PLUTO_NEXT_HOP" ]
229 - then
230 - parms2="via $PLUTO_NEXT_HOP"
231 - fi
232 - parms2="$parms2 dev $PLUTO_INTERFACE"
233 -
234 - if [ -z "$PLUTO_MY_SOURCEIP" ]
235 - then
236 - if [ -f /etc/sysconfig/defaultsource ]
237 - then
238 - . /etc/sysconfig/defaultsource
239 - fi
240 + if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
241
242 - if [ -f /etc/conf.d/defaultsource ]
243 - then
244 - . /etc/conf.d/defaultsource
245 - fi
246 + [ -f /etc/sysconfig/defaultsource ] && \
247 + . /etc/sysconfig/defaultsource
248 +
249 + [ -f /etc/conf.d/defaultsource ] && \
250 + . /etc/conf.d/defaultsource
251 +
252 + [ -n "$DEFAULTSOURCE" ] && \
253 + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
254
255 - if [ -n "$DEFAULTSOURCE" ]
256 - then
257 - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
258 - fi
259 fi
260
261 parms3=
262 - if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
263 - then
264 + if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
265 addsource
266 parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
267 fi
268
269 - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
270 - "0.0.0.0/0.0.0.0")
271 + if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
272 + "0.0.0.0/0.0.0.0" ] ; then
273 # opportunistic encryption work around
274 # need to provide route that eclipses default, without
275 # replacing it.
276 - it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
277 - ip route $1 128.0.0.0/1 $parms2 $parms3"
278 - ;;
279 - *) it="ip route $1 $parms $parms2 $parms3"
280 - ;;
281 - esac
282 + it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
283 + ip route $1 128.0.0.0/1 $parms2 $parms3"
284 + else
285 + it="ip route $1 $parms $parms2 $parms3"
286 + fi
287 +
288 oops="`eval $it 2>&1`"
289 st=$?
290 - if test " $oops" = " " -a " $st" != " 0"
291 - then
292 - oops="silent error, exit status $st"
293 - fi
294 - if test " $oops" != " " -o " $st" != " 0"
295 - then
296 - echo "$0: doroute \`$it' failed ($oops)" >&2
297 +
298 + if [ " $oops" = " " -a " $st" != " 0" ] ; then
299 + oops="silent error, exit status $st"
300 fi
301 +
302 + if [ " $oops" != " " -o " $st" != " 0" ] ; then
303 + echo "$0: doroute \`$it' failed ($oops)" >&2
304 + fi
305 +
306 return $st
307 }
308 -
309 -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
310 -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
311 -then
312 - IPSEC_POLICY_IN=""
313 - IPSEC_POLICY_OUT=""
314 -else
315 - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
316 - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
317 - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
318 -fi
319
320 -# are there port numbers?
321 -if [ "$PLUTO_MY_PORT" != 0 ]
322 -then
323 - S_MY_PORT="--sport $PLUTO_MY_PORT"
324 - D_MY_PORT="--dport $PLUTO_MY_PORT"
325 -fi
326 -if [ "$PLUTO_PEER_PORT" != 0 ]
327 -then
328 - S_PEER_PORT="--sport $PLUTO_PEER_PORT"
329 - D_PEER_PORT="--dport $PLUTO_PEER_PORT"
330 -fi
331 +dologentry() {
332 + action=$1
333 +
334 + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
335 + rem="$PLUTO_PEER"
336 + else
337 + rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
338 + fi
339 +
340 + if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
341 + loc="$PLUTO_ME"
342 + else
343 + loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
344 + fi
345 +
346 + $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
347 +}
348 +
349
350 # the big choice
351 +
352 case "$PLUTO_VERB:$1" in
353 prepare-host:*|prepare-client:*)
354 # delete possibly-existing route (preliminary to adding a route)
355 - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
356 - "0.0.0.0/0.0.0.0")
357 - # need to provide route that eclipses default, without
358 +
359 + if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
360 + "0.0.0.0/0.0.0.0" ] ; then
361 + # need to remove the route that eclipses default, without
362 # replacing it.
363 - parms1="0.0.0.0/1"
364 - parms2="128.0.0.0/1"
365 - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
366 - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
367 - ;;
368 - *)
369 - parms="$PLUTO_PEER_CLIENT"
370 - it="ip route delete $parms 2>&1"
371 - oops="`ip route delete $parms 2>&1`"
372 - ;;
373 - esac
374 - status="$?"
375 - if test " $oops" = " " -a " $status" != " 0"
376 - then
377 - oops="silent error, exit status $status"
378 + it="( ip route delete 0.0.0.0/1 ;
379 + ip route delete 128.0.0.0/1 )"
380 + else
381 + it="ip route delete $PLUTO_PEER_CLIENT"
382 + fi
383 +
384 + oops="`$it 2>&1`"
385 + st="$?"
386 +
387 + if [ " $oops" = " " -a " $st" != " 0" ] ; then
388 + oops="silent error, exit status $st"
389 fi
390 +
391 case "$oops" in
392 *'RTNETLINK answers: No such process'*)
393 # This is what route (currently -- not documented!) gives
394 # for "could not find such a route".
395 oops=
396 - status=0
397 + st=0
398 ;;
399 esac
400 - if test " $oops" != " " -o " $status" != " 0"
401 - then
402 +
403 + if [ " $oops" != " " -o " $st" != " 0" ] ; then
404 echo "$0: \`$it' failed ($oops)" >&2
405 fi
406 - exit $status
407 +
408 + exit $st
409 +
410 ;;
411 route-host:*|route-client:*)
412 # connection to me or my client subnet being routed
413 +
414 + ipsec _showstatus valid
415 uproute
416 +
417 ;;
418 unroute-host:*|unroute-client:*)
419 # connection to me or my client subnet being unrouted
420 +
421 + ipsec _showstatus invalid
422 downroute
423 +
424 ;;
425 -up-host:)
426 +up-host:*)
427 # connection to me coming up
428 - # If you are doing a custom version, firewall commands go here.
429 +
430 + ipsec _showstatus up
431 + upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
432 + dologentry "VPN-UP"
433 +
434 ;;
435 -down-host:)
436 +down-host:*)
437 # connection to me going down
438 - # If you are doing a custom version, firewall commands go here.
439 - ;;
440 -up-client:)
441 - # connection to my client subnet coming up
442 - # If you are doing a custom version, firewall commands go here.
443 - ;;
444 -down-client:)
445 - # connection to my client subnet going down
446 - # If you are doing a custom version, firewall commands go here.
447 +
448 + ipsec _showstatus down
449 + downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
450 + dologentry "VPN-DN"
451 +
452 ;;
453 -up-host:iptables)
454 - # connection to me, with (left/right)firewall=yes, coming up
455 - # This is used only by the default updown script, not by your custom
456 - # ones, so do not mess with it; see CAUTION comment up at top.
457 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
458 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
459 - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
460 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
461 - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
462 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
463 - #
464 - # log IPsec host connection setup
465 - if [ $VPN_LOGGING ]
466 - then
467 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
468 - then
469 - logger -t $TAG -p $FAC_PRIO \
470 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
471 - else
472 - logger -t $TAG -p $FAC_PRIO \
473 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
474 - fi
475 - fi
476 - ;;
477 -down-host:iptables)
478 - # connection to me, with (left/right)firewall=yes, going down
479 - # This is used only by the default updown script, not by your custom
480 - # ones, so do not mess with it; see CAUTION comment up at top.
481 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
482 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
483 - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
484 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
485 - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
486 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
487 - #
488 - # log IPsec host connection teardown
489 - if [ $VPN_LOGGING ]
490 - then
491 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
492 - then
493 - logger -t $TAG -p $FAC_PRIO -- \
494 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
495 - else
496 - logger -t $TAG -p $FAC_PRIO -- \
497 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
498 - fi
499 - fi
500 - ;;
501 -up-client:iptables)
502 - # connection to client subnet, with (left/right)firewall=yes, coming up
503 - # This is used only by the default updown script, not by your custom
504 - # ones, so do not mess with it; see CAUTION comment up at top.
505 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
506 - then
507 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
508 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
509 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
510 - $IPSEC_POLICY_OUT -j ACCEPT
511 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
512 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
513 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
514 - $IPSEC_POLICY_IN -j ACCEPT
515 +up-client:*)
516 + # connection to client subnet coming up
517 +
518 + ipsec _showstatus up
519 +
520 + if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
521 + "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
522 + upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
523 fi
524 - #
525 +
526 # a virtual IP requires an INPUT and OUTPUT rule on the host
527 # or sometimes host access via the internal IP is needed
528 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
529 - then
530 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
531 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
532 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
533 - $IPSEC_POLICY_IN -j ACCEPT
534 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
535 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
536 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
537 - $IPSEC_POLICY_OUT -j ACCEPT
538 - fi
539 - #
540 - # log IPsec client connection setup
541 - if [ $VPN_LOGGING ]
542 - then
543 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
544 - then
545 - logger -t $TAG -p $FAC_PRIO \
546 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
547 - else
548 - logger -t $TAG -p $FAC_PRIO \
549 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
550 - fi
551 - fi
552 - ;;
553 -down-client:iptables)
554 - # connection to client subnet, with (left/right)firewall=yes, going down
555 - # This is used only by the default updown script, not by your custom
556 - # ones, so do not mess with it; see CAUTION comment up at top.
557 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
558 - then
559 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
560 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
561 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
562 - $IPSEC_POLICY_OUT -j ACCEPT
563 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
564 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
565 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
566 - $IPSEC_POLICY_IN -j ACCEPT
567 + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
568 + upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
569 + fi
570 +
571 + dologentry "VPN-UP"
572 +
573 + ;;
574 +down-client:*)
575 + # connection to client subnet going down
576 +
577 + ipsec _showstatus down
578 +
579 + if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
580 + "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
581 + downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
582 fi
583 - #
584 +
585 # a virtual IP requires an INPUT and OUTPUT rule on the host
586 # or sometimes host access via the internal IP is needed
587 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
588 - then
589 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
590 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
591 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
592 - $IPSEC_POLICY_IN -j ACCEPT
593 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
594 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
595 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
596 - $IPSEC_POLICY_OUT -j ACCEPT
597 - fi
598 - #
599 - # log IPsec client connection teardown
600 - if [ $VPN_LOGGING ]
601 - then
602 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
603 - then
604 - logger -t $TAG -p $FAC_PRIO -- \
605 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
606 - else
607 - logger -t $TAG -p $FAC_PRIO -- \
608 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
609 - fi
610 + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
611 + downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
612 fi
613 +
614 + dologentry "VPN-DN"
615 +
616 ;;
617 -#
618 -# IPv6
619 -#
620 prepare-host-v6:*|prepare-client-v6:*)
621 +
622 ;;
623 route-host-v6:*|route-client-v6:*)
624 # connection to me or my client subnet being routed
625 +
626 #uproute_v6
627 +
628 ;;
629 unroute-host-v6:*|unroute-client-v6:*)
630 # connection to me or my client subnet being unrouted
631 +
632 #downroute_v6
633 +
634 ;;
635 up-host-v6:*)
636 # connection to me coming up
637 # If you are doing a custom version, firewall commands go here.
638 +
639 ;;
640 down-host-v6:*)
641 # connection to me going down
642 # If you are doing a custom version, firewall commands go here.
643 +
644 ;;
645 up-client-v6:)
646 # connection to my client subnet coming up
647 # If you are doing a custom version, firewall commands go here.
648 +
649 ;;
650 down-client-v6:)
651 # connection to my client subnet going down
652 # If you are doing a custom version, firewall commands go here.
653 +
654 ;;
655 -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
656 +*)
657 + echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
658 exit 1
659 +
660 ;;
661 esac
662 +
OpenWrt SVN history