1 --- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100
2 +++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100
8 - id status name lefthost type ctype psk local local_id leftsubnets
9 - remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
10 - x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
11 - route x23 mode interface_mode interface_address interface_mtu rest
14 -function ip_encode() {
19 - int=$(( $(( $int << 8 )) | $field ))
25 -function ip_in_subnet() {
27 - netmask=$(_netmask $2)
28 - [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
31 -function _netmask() {
34 - [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
37 # define a minimum PATH environment in case it is not set
38 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
44 - # Read IPsec configuration
45 - while IFS="," read -r "${VARS[@]}"; do
46 - if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
49 - done < /var/ipfire/vpn/config
51 # connection to client subnet, with (left/right)firewall=yes, coming up
52 # This is used only by the default updown script, not by your custom
53 # ones, so do not mess with it; see CAUTION comment up at top.
55 logger -t $TAG -p $FAC_PRIO \
56 "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
59 - if [ -z "${interface_mode}" ]; then
60 - # Add source nat so also the gateway can access the other nets
61 - eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
62 - for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
63 - ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
64 - if [ $? -eq 0 ]; then
70 - if [ -n "${src}" ]; then
71 - iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
72 - logger -t $TAG -p $FAC_PRIO \
73 - "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
75 - logger -t $TAG -p $FAC_PRIO \
76 - "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
80 - # Flush routing cache
81 - ip route flush cache
84 # connection to client subnet, with (left/right)firewall=yes, going down
86 logger -t $TAG -p $FAC_PRIO \
87 "tunnel- $PLUTO_PEER -- $PLUTO_ME"
91 - eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
92 - for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
93 - ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
94 - if [ $? -eq 0 ]; then
100 - if [ -n "${src}" ]; then
101 - iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
102 - logger -t $TAG -p $FAC_PRIO \
103 - "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
105 - logger -t $TAG -p $FAC_PRIO \
106 - "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
109 - # Flush routing cache
110 - ip route flush cache