+++ /dev/null
---- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000
-+++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000
-@@ -130,6 +130,13 @@
- # address family.
- #
-
-+VARS=(
-+ id status name lefthost type ctype psk local local_id leftsubnets
-+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
-+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
-+ route x23 mode interface_mode interface_address interface_mtu rest
-+)
-+
- function ip_encode() {
- local IFS=.
-
-@@ -319,6 +326,13 @@
- fi
- ;;
- up-client:iptables)
-+ # Read IPsec configuration
-+ while IFS="," read -r "${VARS[@]}"; do
-+ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
-+ break
-+ fi
-+ done < /var/ipfire/vpn/config
-+
- # connection to client subnet, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
-@@ -383,23 +397,25 @@
- "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
- fi
-
-- # Add source nat so also the gateway can access the other nets
-- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-- if [ $? -eq 0 ]; then
-- src=${_src}
-- break
-+ if [ -z "${interface_mode}" ]; then
-+ # Add source nat so also the gateway can access the other nets
-+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-+ if [ $? -eq 0 ]; then
-+ src=${_src}
-+ break
-+ fi
-+ done
-+
-+ if [ -n "${src}" ]; then
-+ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-+ logger -t $TAG -p $FAC_PRIO \
-+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-+ else
-+ logger -t $TAG -p $FAC_PRIO \
-+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
- fi
-- done
--
-- if [ -n "${src}" ]; then
-- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-- logger -t $TAG -p $FAC_PRIO \
-- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-- else
-- logger -t $TAG -p $FAC_PRIO \
-- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
- fi
-
- # Flush routing cache
+++ /dev/null
---- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100
-+++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100
-@@ -130,36 +130,6 @@
- # address family.
- #
-
--VARS=(
-- id status name lefthost type ctype psk local local_id leftsubnets
-- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
-- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
-- route x23 mode interface_mode interface_address interface_mtu rest
--)
--
--function ip_encode() {
-- local IFS=.
--
-- local int=0
-- for field in $1; do
-- int=$(( $(( $int << 8 )) | $field ))
-- done
--
-- echo $int
--}
--
--function ip_in_subnet() {
-- local netmask
-- netmask=$(_netmask $2)
-- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
--}
--
--function _netmask() {
-- local vlsm
-- vlsm=${1#*/}
-- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
--}
--
- # define a minimum PATH environment in case it is not set
- PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
- export PATH
-@@ -326,13 +296,6 @@
- fi
- ;;
- up-client:iptables)
-- # Read IPsec configuration
-- while IFS="," read -r "${VARS[@]}"; do
-- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
-- break
-- fi
-- done < /var/ipfire/vpn/config
--
- # connection to client subnet, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
-@@ -396,30 +359,6 @@
- logger -t $TAG -p $FAC_PRIO \
- "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
- fi
--
-- if [ -z "${interface_mode}" ]; then
-- # Add source nat so also the gateway can access the other nets
-- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-- if [ $? -eq 0 ]; then
-- src=${_src}
-- break
-- fi
-- done
--
-- if [ -n "${src}" ]; then
-- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-- logger -t $TAG -p $FAC_PRIO \
-- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-- else
-- logger -t $TAG -p $FAC_PRIO \
-- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
-- fi
-- fi
--
-- # Flush routing cache
-- ip route flush cache
- ;;
- down-client:iptables)
- # connection to client subnet, with (left/right)firewall=yes, going down
-@@ -487,28 +426,6 @@
- logger -t $TAG -p $FAC_PRIO \
- "tunnel- $PLUTO_PEER -- $PLUTO_ME"
- fi
--
-- # remove source nat
-- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-- if [ $? -eq 0 ]; then
-- src=${_src}
-- break
-- fi
-- done
--
-- if [ -n "${src}" ]; then
-- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-- logger -t $TAG -p $FAC_PRIO \
-- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-- else
-- logger -t $TAG -p $FAC_PRIO \
-- "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
-- fi
--
-- # Flush routing cache
-- ip route flush cache
- ;;
- #
- # IPv6
---- strongswan-5.3.0/src/_updown/_updown.in.old 2015-03-17 18:17:43.000000000 +0000
-+++ strongswan-5.3.0/src/_updown/_updown.in 2015-03-30 22:48:27.084030719 +0000
-@@ -122,6 +122,29 @@
- # address family.
- #
-
-+function ip_encode() {
-+ local IFS=.
-+
-+ local int=0
-+ for field in $1; do
-+ int=$(( $(( $int << 8 )) | $field ))
-+ done
-+
-+ echo $int
-+}
-+
-+function ip_in_subnet() {
-+ local netmask
-+ netmask=$(_netmask $2)
-+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
-+}
-+
-+function _netmask() {
-+ local vlsm
-+ vlsm=${1#*/}
-+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
-+}
-+
- # define a minimum PATH environment in case it is not set
- PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
- export PATH
-@@ -232,12 +255,12 @@
+diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
+--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
++++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-18 14:51:34.446203334 +0200
+@@ -242,12 +242,15 @@
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
#
# allow IPIP traffic because of the implicit SA created by the kernel if
# IPComp is used (for small inbound packets that are not compressed)
-@@ -253,10 +276,10 @@
+@@ -263,10 +266,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
fi
fi
;;
-@@ -264,12 +287,12 @@
+@@ -274,12 +277,15 @@
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
#
# IPIP exception teardown
if [ -n "$PLUTO_IPCOMP" ]
-@@ -284,10 +307,10 @@
+@@ -294,10 +300,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
fi
fi
;;
-@@ -297,24 +320,24 @@
+@@ -307,24 +313,30 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
+ iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
fi
#
# a virtual IP requires an INPUT and OUTPUT rule on the host
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
fi
#
# allow IPIP traffic because of the implicit SA created by the kernel if
-@@ -322,7 +345,7 @@
+@@ -332,7 +344,7 @@
# INPUT is correct here even for forwarded traffic.
if [ -n "$PLUTO_IPCOMP" ]
then
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
-@@ -332,12 +355,51 @@
+@@ -342,12 +354,29 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
-+
-+ # Add source nat so also the gateway can access the other nets
-+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-+ if [ $? -eq 0 ]; then
-+ src=${_src}
-+ break
-+ fi
-+ done
-+
-+ if [ -n "${src}" ]; then
-+ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-+ logger -t $TAG -p $FAC_PRIO \
-+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-+ else
-+ logger -t $TAG -p $FAC_PRIO \
-+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
-+ fi
-+
-+ # Flush routing cache
-+ ip route flush cache
;;
down-client:iptables)
# connection to client subnet, with (left/right)firewall=yes, going down
-@@ -345,34 +407,34 @@
+@@ -355,34 +384,42 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
++ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
++ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j RETURN
fi
#
-d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j RETURN
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
-+ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
fi
#
# IPIP exception teardown
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
-@@ -382,12 +444,51 @@
+@@ -392,12 +429,29 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
-+
-+ # remove source nat
-+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-+ if [ $? -eq 0 ]; then
-+ src=${_src}
-+ break
-+ fi
-+ done
-+
-+ if [ -n "${src}" ]; then
-+ iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-+ logger -t $TAG -p $FAC_PRIO \
-+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-+ else
-+ logger -t $TAG -p $FAC_PRIO \
-+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
-+ fi
-+
-+ # Flush routing cache
-+ ip route flush cache
;;
#
# IPv6
-@@ -412,10 +513,10 @@
+@@ -422,10 +476,10 @@
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
-@@ -436,10 +537,10 @@
+@@ -454,10 +508,10 @@
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
-@@ -462,10 +563,10 @@
+@@ -487,10 +541,10 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
fi
-@@ -474,10 +575,10 @@
+@@ -499,10 +553,10 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
-@@ -501,11 +602,11 @@
+@@ -535,11 +589,11 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
$IPSEC_POLICY_IN -j ACCEPT
-@@ -515,11 +616,11 @@
+@@ -549,11 +603,11 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
projects / ipfire-2.x.git / commitdiff
