[people/mfischer/ipfire-2.x.git] / src / patches / strongswan-ipfire.patch

commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 21 19:49:02 2022 +0000

    IPFire modifications to _updown script
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 34eaf68c7..514ecb578 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -242,10 +242,10 @@ up-host:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -263,10 +263,10 @@ up-host:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -274,10 +274,10 @@ down-host:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -294,10 +294,10 @@ down-host:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -305,34 +305,16 @@ up-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	fi
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
 	# IPComp is used (for small inbound packets that are not compressed).
 	# INPUT is correct here even for forwarded traffic.
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -342,10 +324,10 @@ up-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
 	;;
@@ -353,36 +335,14 @@ down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -392,10 +352,10 @@ down-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
 	;;
@@ -422,10 +382,10 @@ up-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -454,10 +414,10 @@ down-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -487,10 +447,10 @@ up-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -499,10 +459,10 @@ up-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -535,11 +495,11 @@ down-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +509,11 @@ down-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
28f659f7 MT	1	commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027
	2	Author: Michael Tremer <michael.tremer@ipfire.org>
	3	Date: Mon Mar 21 19:49:02 2022 +0000
	4
	5	IPFire modifications to _updown script
	6
	7	Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
	8
	9	diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
	10	index 34eaf68c7..514ecb578 100644
	11	--- a/src/_updown/_updown.in
	12	+++ b/src/_updown/_updown.in
	13	@@ -242,10 +242,10 @@ up-host:iptables)
6652626c AF	14	# connection to me, with (left/right)firewall=yes, coming up
	15	# This is used only by the default updown script, not by your custom
	16	# ones, so do not mess with it; see CAUTION comment up at top.
	17	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	18	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	19	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	20	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	21	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
28f659f7 MT	22	+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	23	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	24	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	25	#
28f659f7	26	@@ -263,10 +263,10 @@ up-host:iptables)
6652626c AF	27	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	28	then
	29	logger -t $TAG -p $FAC_PRIO \
	30	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	31	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	32	else
	33	logger -t $TAG -p $FAC_PRIO \
	34	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	35	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	36	fi
	37	fi
	38	;;
28f659f7	39	@@ -274,10 +274,10 @@ down-host:iptables)
6652626c AF	40	# connection to me, with (left/right)firewall=yes, going down
	41	# This is used only by the default updown script, not by your custom
	42	# ones, so do not mess with it; see CAUTION comment up at top.
	43	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	44	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	45	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	46	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	47	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
28f659f7 MT	48	+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	49	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	50	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	51	#
28f659f7	52	@@ -294,10 +294,10 @@ down-host:iptables)
6652626c AF	53	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	54	then
	55	logger -t $TAG -p $FAC_PRIO -- \
	56	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	57	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	58	else
	59	logger -t $TAG -p $FAC_PRIO -- \
	60	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	61	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	62	fi
	63	fi
	64	;;
28f659f7	65	@@ -305,34 +305,16 @@ up-client:iptables)
aa60fd7b AF	66	# connection to client subnet, with (left/right)firewall=yes, coming up
aa60fd7b AF	67	# This is used only by the default updown script, not by your custom
6652626c	68	# ones, so do not mess with it; see CAUTION comment up at top.
aa60fd7b AF	69	- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
aa60fd7b AF	70	- then
6652626c	71	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	72	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	73	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c	74	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b	75	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
dc33c23b	76	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
aa60fd7b	77	- fi
dc33c23b AM	78	#
dc33c23b AM	79	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c	80	# or sometimes host access via the internal IP is needed
aa60fd7b AF	81	- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
aa60fd7b AF	82	- then
6652626c	83	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b	84	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
d7050fc0	85	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
6652626c	86	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	87	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	88	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
aa60fd7b	89	- fi
db073a10	90	#
d7050fc0	91	# allow IPIP traffic because of the implicit SA created by the kernel if
aa60fd7b	92	# IPComp is used (for small inbound packets that are not compressed).
d7050fc0 MT	93	# INPUT is correct here even for forwarded traffic.
	94	if [ -n "$PLUTO_IPCOMP" ]
	95	then
	96	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
d8145673	97	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	98	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	99	fi
	100	#
28f659f7	101	@@ -342,10 +324,10 @@ up-client:iptables)
6652626c AF	102	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	103	then
	104	logger -t $TAG -p $FAC_PRIO \
	105	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	106	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	107	else
	108	logger -t $TAG -p $FAC_PRIO \
	109	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	110	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	111	fi
	112	fi
6652626c	113	;;
28f659f7	114	@@ -353,36 +335,14 @@ down-client:iptables)
6652626c	115	# connection to client subnet, with (left/right)firewall=yes, going down
aa60fd7b	116	# This is used only by the default updown script, not by your custom
6652626c	117	# ones, so do not mess with it; see CAUTION comment up at top.
aa60fd7b AF	118	- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
aa60fd7b AF	119	- then
6652626c	120	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	121	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	122	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	123	- $IPSEC_POLICY_OUT -j ACCEPT
6652626c	124	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b AF	125	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
aa60fd7b AF	126	- -d $PLUTO_MY_CLIENT $D_MY_PORT \
dc33c23b	127	- $IPSEC_POLICY_IN -j ACCEPT
aa60fd7b	128	- fi
dc33c23b AM	129	#
dc33c23b AM	130	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c	131	# or sometimes host access via the internal IP is needed
aa60fd7b AF	132	- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
aa60fd7b AF	133	- then
6652626c	134	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b AF	135	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
aa60fd7b AF	136	- -d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0	137	- $IPSEC_POLICY_IN -j ACCEPT
6652626c	138	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	139	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	140	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	141	- $IPSEC_POLICY_OUT -j ACCEPT
aa60fd7b	142	- fi
db073a10	143	#
d7050fc0 MT	144	# IPIP exception teardown
	145	if [ -n "$PLUTO_IPCOMP" ]
	146	then
	147	- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
d8145673	148	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	149	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	150	fi
	151	#
28f659f7	152	@@ -392,10 +352,10 @@ down-client:iptables)
6652626c AF	153	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	154	then
	155	logger -t $TAG -p $FAC_PRIO -- \
	156	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	157	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	158	else
	159	logger -t $TAG -p $FAC_PRIO -- \
	160	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	161	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	162	fi
	163	fi
6652626c	164	;;
28f659f7	165	@@ -422,10 +382,10 @@ up-host-v6:iptables)
6652626c AF	166	# connection to me, with (left/right)firewall=yes, coming up
	167	# This is used only by the default updown script, not by your custom
	168	# ones, so do not mess with it; see CAUTION comment up at top.
	169	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	170	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	171	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	172	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	173	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	174	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	175	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	176	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	177	#
28f659f7	178	@@ -454,10 +414,10 @@ down-host-v6:iptables)
6652626c AF	179	# connection to me, with (left/right)firewall=yes, going down
	180	# This is used only by the default updown script, not by your custom
	181	# ones, so do not mess with it; see CAUTION comment up at top.
	182	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	183	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	184	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	185	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	186	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	187	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	188	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	189	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	190	#
28f659f7	191	@@ -487,10 +447,10 @@ up-client-v6:iptables)
6652626c AF	192	# ones, so do not mess with it; see CAUTION comment up at top.
	193	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	194	then
	195	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	196	+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	197	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	198	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	199	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	200	+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	201	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	202	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	203	fi
28f659f7	204	@@ -499,10 +459,10 @@ up-client-v6:iptables)
6652626c AF	205	# or sometimes host access via the internal IP is needed
	206	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	207	then
	208	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	209	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	210	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	211	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	212	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	213	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	214	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	215	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	216	fi
28f659f7	217	@@ -535,11 +495,11 @@ down-client-v6:iptables)
6652626c AF	218	# ones, so do not mess with it; see CAUTION comment up at top.
	219	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	220	then
	221	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	222	+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	223	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	224	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	225	$IPSEC_POLICY_OUT -j ACCEPT
	226	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	227	+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	228	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	229	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	230	$IPSEC_POLICY_IN -j ACCEPT
28f659f7	231	@@ -549,11 +509,11 @@ down-client-v6:iptables)
6652626c AF	232	# or sometimes host access via the internal IP is needed
	233	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	234	then
	235	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	236	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	237	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	238	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	239	$IPSEC_POLICY_IN -j ACCEPT
	240	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	241	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	242	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	243	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	244	$IPSEC_POLICY_OUT -j ACCEPT