--- /dev/null
+--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100
++++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100
+@@ -130,36 +130,6 @@
+ # address family.
+ #
+
+-VARS=(
+- id status name lefthost type ctype psk local local_id leftsubnets
+- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+- route x23 mode interface_mode interface_address interface_mtu rest
+-)
+-
+-function ip_encode() {
+- local IFS=.
+-
+- local int=0
+- for field in $1; do
+- int=$(( $(( $int << 8 )) | $field ))
+- done
+-
+- echo $int
+-}
+-
+-function ip_in_subnet() {
+- local netmask
+- netmask=$(_netmask $2)
+- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-}
+-
+-function _netmask() {
+- local vlsm
+- vlsm=${1#*/}
+- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-}
+-
+ # define a minimum PATH environment in case it is not set
+ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+ export PATH
+@@ -326,13 +296,6 @@
+ fi
+ ;;
+ up-client:iptables)
+- # Read IPsec configuration
+- while IFS="," read -r "${VARS[@]}"; do
+- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+- break
+- fi
+- done < /var/ipfire/vpn/config
+-
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -396,30 +359,6 @@
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+-
+- if [ -z "${interface_mode}" ]; then
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+- fi
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+ ;;
+ down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+@@ -487,28 +426,6 @@
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
+-
+- # remove source nat
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+ ;;
+ #
+ # IPv6
projects / ipfire-2.x.git / blobdiff