#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
# Copyright (C) 2002-2004 Michael Richardson
# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.

# CAUTION: Installing a new version of strongSwan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, customize
# that copy, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.

# things that this script gets (from ipsec_pluto(8) man page)
#
#      PLUTO_VERSION
#              indicates what version of this interface is being
#              used.  This document describes version 1.1.  This
#              is upwardly compatible with version 1.0.
#
#      PLUTO_VERB
#              specifies the name of the operation to be performed
#              (prepare-host, prepare-client, up-host, up-client,
#              down-host, or down-client).  If the address family
#              for security gateway to security gateway communications
#              is IPv6, then a suffix of -v6 is added to the verb.
#
#      PLUTO_CONNECTION
#              is the name of the connection for which we are
#              routing.
#
#      PLUTO_INTERFACE
#              is the name of the ipsec interface to be used.
#
#      PLUTO_REQID
#              is the reqid of the AH|ESP policy
#
#      PLUTO_PROTO
#              is the negotiated IPsec protocol, ah|esp
#
#      PLUTO_UNIQUEID
#              is the unique identifier of the associated IKE_SA
#
#      PLUTO_ME
#              is the IP address of our host.
#
#      PLUTO_MY_ID
#              is the ID of our host.
#
#      PLUTO_MY_CLIENT
#              is the IP address / count of our client subnet.  If
#              the client is just the host, this will be the
#              host's own IP address / max (where max is 32 for
#              IPv4 and 128 for IPv6).
#
#      PLUTO_MY_SOURCEIP
#      PLUTO_MY_SOURCEIP4_$i
#      PLUTO_MY_SOURCEIP6_$i
#              contain the IPv4/IPv6 virtual IPs received from a responder;
#              $i enumerates from 1 to the number of IPs per address family.
#              PLUTO_MY_SOURCEIP is a legacy variable and equals the first
#              virtual IP, IPv4 or IPv6.
#
#      PLUTO_MY_PROTOCOL
#              is the IP protocol that will be transported.
#
#      PLUTO_MY_PORT
#              is the UDP/TCP port to which the IPsec SA is
#              restricted on our side.
#
#      PLUTO_PEER
#              is the IP address of our peer.
#
#      PLUTO_PEER_ID
#              is the ID of our peer.
#
#      PLUTO_PEER_CLIENT
#              is the IP address / count of the peer's client subnet.
#              If the client is just the peer, this will be
#              the peer's own IP address / max (where max is 32
#              for IPv4 and 128 for IPv6).
#
#      PLUTO_PEER_PROTOCOL
#              is the IP protocol that will be transported.
#
#      PLUTO_PEER_PORT
#              is the UDP/TCP port to which the IPsec SA is
#              restricted on the peer side.
#
#      PLUTO_XAUTH_ID
#              is an optional user ID employed by the XAUTH protocol
#
#      PLUTO_MARK_IN
#              is an optional XFRM mark set on the inbound IPsec SA
#
#      PLUTO_MARK_OUT
#              is an optional XFRM mark set on the outbound IPsec SA
#
#      PLUTO_UDP_ENC
#              contains the remote UDP port in the case of ESP_IN_UDP
#              encapsulation
#
#      PLUTO_DNS4_$i
#      PLUTO_DNS6_$i
#              contain the IPv4/IPv6 DNS server attributes received from a
#              responder; $i enumerates from 1 to the number of servers per
#              address family.
#

c2bb1eca | 122 | # define a minimum PATH environment in case it is not set |
b7b56533 | 123 | PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@" |
c2bb1eca AS |
124 | export PATH |
125 | ||
997358a6 MW |
126 | # uncomment to log VPN connections |
127 | VPN_LOGGING=1 | |
128 | # | |
129 | # tag put in front of each log entry: | |
130 | TAG=vpn | |
131 | # | |
132 | # syslog facility and priority used: | |
133 | FAC_PRIO=local0.notice | |
134 | # | |
135 | # to create a special vpn logging file, put the following line into | |
136 | # the syslog configuration file /etc/syslog.conf: | |
137 | # | |
138 | # local0.notice -/var/log/vpn | |
f6f55adb AS |
139 | |
140 | # in order to use source IP routing the Linux kernel options | |
141 | # CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES | |
142 | # must be enabled | |
143 | # | |
144 | # special routing table for sourceip routes | |
b7b56533 | 145 | SOURCEIP_ROUTING_TABLE=@routing_table@ |
997358a6 | 146 | # |
f6f55adb | 147 | # priority of the sourceip routing table |
b7b56533 | 148 | SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@ |
997358a6 MW |
149 | |
150 | # check interface version | |
151 | case "$PLUTO_VERSION" in | |
152 | 1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. | |
153 | echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 | |
154 | echo "$0: called by obsolete Pluto?" >&2 | |
155 | exit 2 | |
156 | ;; | |
157 | 1.*) ;; | |
158 | *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 | |
159 | exit 2 | |
160 | ;; | |
161 | esac | |
162 | ||
163 | # check parameter(s) | |
164 | case "$1:$*" in | |
165 | ':') # no parameters | |
166 | ;; | |
167 | iptables:iptables) # due to (left/right)firewall; for default script only | |
168 | ;; | |
169 | custom:*) # custom parameters (see above CAUTION comment) | |
170 | ;; | |
171 | *) echo "$0: unknown parameters \`$*'" >&2 | |
172 | exit 2 | |
173 | ;; | |
174 | esac | |
175 | ||
176 | # utility functions for route manipulation | |
177 | # Meddling with this stuff should not be necessary and requires great care. | |
178 | uproute() { | |
179 | doroute add | |
180 | ip route flush cache | |
181 | } | |
182 | downroute() { | |
183 | doroute delete | |
184 | ip route flush cache | |
185 | } | |
186 | ||
187 | addsource() { | |
188 | st=0 | |
189 | if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local | |
190 | then | |
191 | it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" | |
192 | oops="`eval $it 2>&1`" | |
193 | st=$? | |
194 | if test " $oops" = " " -a " $st" != " 0" | |
195 | then | |
196 | oops="silent error, exit status $st" | |
197 | fi | |
198 | if test " $oops" != " " -o " $st" != " 0" | |
199 | then | |
200 | echo "$0: addsource \`$it' failed ($oops)" >&2 | |
201 | fi | |
202 | fi | |
203 | return $st | |
204 | } | |
205 | ||
206 | doroute() { | |
207 | st=0 | |
997358a6 MW |
208 | |
209 | if [ -z "$PLUTO_MY_SOURCEIP" ] | |
210 | then | |
14c408ee AS |
211 | for dir in /etc/sysconfig /etc/conf.d; do |
212 | if [ -f "$dir/defaultsource" ] | |
213 | then | |
214 | . "$dir/defaultsource" | |
215 | fi | |
216 | done | |
997358a6 MW |
217 | |
218 | if [ -n "$DEFAULTSOURCE" ] | |
219 | then | |
220 | PLUTO_MY_SOURCEIP=$DEFAULTSOURCE | |
221 | fi | |
222 | fi | |
223 | ||
ef014519 AS |
224 | if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] |
225 | then | |
226 | # leave because no route entry is required | |
227 | return $st | |
228 | fi | |
229 | ||
230 | parms1="$PLUTO_PEER_CLIENT" | |
231 | ||
f6f55adb | 232 | if [ -n "$PLUTO_NEXT_HOP" ] |
ef014519 | 233 | then |
f6f55adb | 234 | parms2="via $PLUTO_NEXT_HOP" |
ef014519 | 235 | else |
f6f55adb | 236 | parms2="via $PLUTO_PEER" |
8b3b4a24 | 237 | fi |
ef014519 AS |
238 | parms2="$parms2 dev $PLUTO_INTERFACE" |
239 | ||
997358a6 | 240 | parms3= |
f6f55adb | 241 | if [ -n "$PLUTO_MY_SOURCEIP" ] |
997358a6 | 242 | then |
f6f55adb AS |
243 | if test "$1" = "add" |
244 | then | |
245 | addsource | |
ca694c61 | 246 | if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" |
f6f55adb | 247 | then |
ca694c61 | 248 | ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE |
f6f55adb AS |
249 | fi |
250 | fi | |
ca694c61 | 251 | parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" |
997358a6 MW |
252 | fi |
253 | ||
254 | case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in | |
255 | "0.0.0.0/0.0.0.0") | |
256 | # opportunistic encryption work around | |
8b3b4a24 | 257 | # need to provide route that eclipses default, without |
997358a6 MW |
258 | # replacing it. |
259 | it="ip route $1 0.0.0.0/1 $parms2 $parms3 && | |
260 | ip route $1 128.0.0.0/1 $parms2 $parms3" | |
261 | ;; | |
ef014519 | 262 | *) it="ip route $1 $parms1 $parms2 $parms3" |
997358a6 MW |
263 | ;; |
264 | esac | |
265 | oops="`eval $it 2>&1`" | |
266 | st=$? | |
267 | if test " $oops" = " " -a " $st" != " 0" | |
268 | then | |
269 | oops="silent error, exit status $st" | |
270 | fi | |
271 | if test " $oops" != " " -o " $st" != " 0" | |
272 | then | |
273 | echo "$0: doroute \`$it' failed ($oops)" >&2 | |
274 | fi | |
275 | return $st | |
276 | } | |
8b3b4a24 MW |
277 | |
278 | # in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY | |
997358a6 MW |
279 | if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] |
280 | then | |
ef014519 | 281 | KLIPS=1 |
997358a6 MW |
282 | IPSEC_POLICY_IN="" |
283 | IPSEC_POLICY_OUT="" | |
284 | else | |
ef014519 | 285 | KLIPS= |
48175958 | 286 | IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" |
997358a6 MW |
287 | IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" |
288 | IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" | |
289 | fi | |
290 | ||
291 | # are there port numbers? | |
292 | if [ "$PLUTO_MY_PORT" != 0 ] | |
293 | then | |
294 | S_MY_PORT="--sport $PLUTO_MY_PORT" | |
295 | D_MY_PORT="--dport $PLUTO_MY_PORT" | |
296 | fi | |
297 | if [ "$PLUTO_PEER_PORT" != 0 ] | |
298 | then | |
299 | S_PEER_PORT="--sport $PLUTO_PEER_PORT" | |
300 | D_PEER_PORT="--dport $PLUTO_PEER_PORT" | |
301 | fi | |
302 | ||
bb7b613b AS |
303 | # resolve octal escape sequences |
304 | PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` | |
305 | PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` | |
306 | ||
997358a6 MW |
307 | # the big choice |
308 | case "$PLUTO_VERB:$1" in | |
309 | prepare-host:*|prepare-client:*) | |
7a1f49c3 AS |
310 | if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] |
311 | then | |
312 | # exit because no route will be added, | |
313 | # so that existing routes can stay | |
314 | exit 0 | |
315 | fi | |
316 | ||
997358a6 MW |
317 | # delete possibly-existing route (preliminary to adding a route) |
318 | case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in | |
319 | "0.0.0.0/0.0.0.0") | |
8b3b4a24 | 320 | # need to provide route that eclipses default, without |
997358a6 MW |
321 | # replacing it. |
322 | parms1="0.0.0.0/1" | |
323 | parms2="128.0.0.0/1" | |
324 | it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" | |
325 | oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" | |
326 | ;; | |
327 | *) | |
328 | parms="$PLUTO_PEER_CLIENT" | |
329 | it="ip route delete $parms 2>&1" | |
330 | oops="`ip route delete $parms 2>&1`" | |
331 | ;; | |
332 | esac | |
333 | status="$?" | |
334 | if test " $oops" = " " -a " $status" != " 0" | |
335 | then | |
336 | oops="silent error, exit status $status" | |
337 | fi | |
338 | case "$oops" in | |
8b3b4a24 | 339 | *'RTNETLINK answers: No such process'*) |
997358a6 MW |
340 | # This is what route (currently -- not documented!) gives |
341 | # for "could not find such a route". | |
342 | oops= | |
343 | status=0 | |
344 | ;; | |
345 | esac | |
346 | if test " $oops" != " " -o " $status" != " 0" | |
347 | then | |
348 | echo "$0: \`$it' failed ($oops)" >&2 | |
349 | fi | |
350 | exit $status | |
351 | ;; | |
352 | route-host:*|route-client:*) | |
353 | # connection to me or my client subnet being routed | |
354 | uproute | |
355 | ;; | |
356 | unroute-host:*|unroute-client:*) | |
357 | # connection to me or my client subnet being unrouted | |
358 | downroute | |
359 | ;; | |
360 | up-host:) | |
361 | # connection to me coming up | |
362 | # If you are doing a custom version, firewall commands go here. | |
363 | ;; | |
364 | down-host:) | |
365 | # connection to me going down | |
366 | # If you are doing a custom version, firewall commands go here. | |
367 | ;; | |
368 | up-client:) | |
369 | # connection to my client subnet coming up | |
370 | # If you are doing a custom version, firewall commands go here. | |
371 | ;; | |
372 | down-client:) | |
373 | # connection to my client subnet going down | |
374 | # If you are doing a custom version, firewall commands go here. | |
375 | ;; | |
376 | up-host:iptables) | |
377 | # connection to me, with (left/right)firewall=yes, coming up | |
378 | # This is used only by the default updown script, not by your custom | |
379 | # ones, so do not mess with it; see CAUTION comment up at top. | |
380 | iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 | 381 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
997358a6 MW |
382 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
383 | iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
384 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
b14a8768 | 385 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
997358a6 MW |
386 | # |
387 | # log IPsec host connection setup | |
388 | if [ $VPN_LOGGING ] | |
389 | then | |
bb7b613b | 390 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
391 | then |
392 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 393 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
997358a6 MW |
394 | else |
395 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 396 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
997358a6 | 397 | fi |
8b3b4a24 | 398 | fi |
997358a6 MW |
399 | ;; |
400 | down-host:iptables) | |
401 | # connection to me, with (left/right)firewall=yes, going down | |
402 | # This is used only by the default updown script, not by your custom | |
403 | # ones, so do not mess with it; see CAUTION comment up at top. | |
404 | iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 | 405 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
997358a6 MW |
406 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
407 | iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
408 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
b14a8768 | 409 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
997358a6 MW |
410 | # |
411 | # log IPsec host connection teardown | |
412 | if [ $VPN_LOGGING ] | |
413 | then | |
bb7b613b | 414 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
415 | then |
416 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 417 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
997358a6 MW |
418 | else |
419 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 420 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
997358a6 MW |
421 | fi |
422 | fi | |
423 | ;; | |
424 | up-client:iptables) | |
425 | # connection to client subnet, with (left/right)firewall=yes, coming up | |
426 | # This is used only by the default updown script, not by your custom | |
427 | # ones, so do not mess with it; see CAUTION comment up at top. | |
428 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
429 | then | |
430 | iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
b14a8768 AS |
431 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
432 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
997358a6 | 433 | iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
b14a8768 AS |
434 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
435 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
997358a6 MW |
436 | fi |
437 | # | |
438 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
439 | # or sometimes host access via the internal IP is needed | |
440 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
441 | then | |
442 | iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 AS |
443 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
444 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
997358a6 | 445 | iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
b14a8768 AS |
446 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
447 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
997358a6 MW |
448 | fi |
449 | # | |
450 | # log IPsec client connection setup | |
451 | if [ $VPN_LOGGING ] | |
452 | then | |
bb7b613b | 453 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
454 | then |
455 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 456 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
457 | else |
458 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 459 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
460 | fi |
461 | fi | |
462 | ;; | |
463 | down-client:iptables) | |
464 | # connection to client subnet, with (left/right)firewall=yes, going down | |
465 | # This is used only by the default updown script, not by your custom | |
466 | # ones, so do not mess with it; see CAUTION comment up at top. | |
467 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
468 | then | |
469 | iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
b14a8768 AS |
470 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
471 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
997358a6 MW |
472 | $IPSEC_POLICY_OUT -j ACCEPT |
473 | iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 AS |
474 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
475 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
997358a6 MW |
476 | $IPSEC_POLICY_IN -j ACCEPT |
477 | fi | |
478 | # | |
479 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
480 | # or sometimes host access via the internal IP is needed | |
481 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
482 | then | |
483 | iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
b14a8768 AS |
484 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
485 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
997358a6 MW |
486 | $IPSEC_POLICY_IN -j ACCEPT |
487 | iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
b14a8768 AS |
488 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
489 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
997358a6 MW |
490 | $IPSEC_POLICY_OUT -j ACCEPT |
491 | fi | |
492 | # | |
493 | # log IPsec client connection teardown | |
494 | if [ $VPN_LOGGING ] | |
495 | then | |
bb7b613b | 496 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
997358a6 MW |
497 | then |
498 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 499 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
500 | else |
501 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 502 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
997358a6 MW |
503 | fi |
504 | fi | |
505 | ;; | |
506 | # | |
507 | # IPv6 | |
508 | # | |
509 | prepare-host-v6:*|prepare-client-v6:*) | |
510 | ;; | |
511 | route-host-v6:*|route-client-v6:*) | |
512 | # connection to me or my client subnet being routed | |
513 | #uproute_v6 | |
514 | ;; | |
515 | unroute-host-v6:*|unroute-client-v6:*) | |
516 | # connection to me or my client subnet being unrouted | |
517 | #downroute_v6 | |
518 | ;; | |
b14a8768 | 519 | up-host-v6:) |
997358a6 MW |
520 | # connection to me coming up |
521 | # If you are doing a custom version, firewall commands go here. | |
522 | ;; | |
b14a8768 | 523 | down-host-v6:) |
997358a6 MW |
524 | # connection to me going down |
525 | # If you are doing a custom version, firewall commands go here. | |
526 | ;; | |
b14a8768 | 527 | up-client-v6:) |
997358a6 MW |
528 | # connection to my client subnet coming up |
529 | # If you are doing a custom version, firewall commands go here. | |
530 | ;; | |
b14a8768 | 531 | down-client-v6:) |
997358a6 MW |
532 | # connection to my client subnet going down |
533 | # If you are doing a custom version, firewall commands go here. | |
534 | ;; | |
b14a8768 AS |
535 | up-host-v6:iptables) |
536 | # connection to me, with (left/right)firewall=yes, coming up | |
537 | # This is used only by the default updown script, not by your custom | |
538 | # ones, so do not mess with it; see CAUTION comment up at top. | |
539 | ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
540 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
541 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
542 | ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
543 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
544 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
545 | # | |
546 | # log IPsec host connection setup | |
547 | if [ $VPN_LOGGING ] | |
548 | then | |
bb7b613b | 549 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
550 | then |
551 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 552 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 AS |
553 | else |
554 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 555 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 | 556 | fi |
8b3b4a24 | 557 | fi |
b14a8768 AS |
558 | ;; |
559 | down-host-v6:iptables) | |
560 | # connection to me, with (left/right)firewall=yes, going down | |
561 | # This is used only by the default updown script, not by your custom | |
562 | # ones, so do not mess with it; see CAUTION comment up at top. | |
563 | ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
564 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
565 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
566 | ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
567 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
568 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
569 | # | |
570 | # log IPsec host connection teardown | |
571 | if [ $VPN_LOGGING ] | |
572 | then | |
bb7b613b | 573 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
574 | then |
575 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 576 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 AS |
577 | else |
578 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 579 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" |
b14a8768 AS |
580 | fi |
581 | fi | |
582 | ;; | |
583 | up-client-v6:iptables) | |
584 | # connection to client subnet, with (left/right)firewall=yes, coming up | |
585 | # This is used only by the default updown script, not by your custom | |
586 | # ones, so do not mess with it; see CAUTION comment up at top. | |
587 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
588 | then | |
589 | ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
590 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
591 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
592 | ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
593 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
594 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
595 | fi | |
596 | # | |
597 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
598 | # or sometimes host access via the internal IP is needed | |
599 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
600 | then | |
601 | ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
602 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
603 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
604 | ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
605 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
606 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
607 | fi | |
608 | # | |
609 | # log IPsec client connection setup | |
610 | if [ $VPN_LOGGING ] | |
611 | then | |
bb7b613b | 612 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
613 | then |
614 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 615 | "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
616 | else |
617 | logger -t $TAG -p $FAC_PRIO \ | |
bb7b613b | 618 | "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
619 | fi |
620 | fi | |
621 | ;; | |
622 | down-client-v6:iptables) | |
623 | # connection to client subnet, with (left/right)firewall=yes, going down | |
624 | # This is used only by the default updown script, not by your custom | |
625 | # ones, so do not mess with it; see CAUTION comment up at top. | |
626 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
627 | then | |
628 | ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
629 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
630 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
631 | $IPSEC_POLICY_OUT -j ACCEPT | |
632 | ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
633 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
634 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
635 | $IPSEC_POLICY_IN -j ACCEPT | |
636 | fi | |
637 | # | |
638 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
639 | # or sometimes host access via the internal IP is needed | |
640 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
641 | then | |
642 | ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
643 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
644 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
645 | $IPSEC_POLICY_IN -j ACCEPT | |
646 | ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
647 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
648 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
649 | $IPSEC_POLICY_OUT -j ACCEPT | |
650 | fi | |
651 | # | |
652 | # log IPsec client connection teardown | |
653 | if [ $VPN_LOGGING ] | |
654 | then | |
bb7b613b | 655 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] |
b14a8768 AS |
656 | then |
657 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 658 | "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
659 | else |
660 | logger -t $TAG -p $FAC_PRIO -- \ | |
bb7b613b | 661 | "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" |
b14a8768 AS |
662 | fi |
663 | fi | |
664 | ;; | |
997358a6 MW |
665 | *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 |
666 | exit 1 | |
667 | ;; | |
668 | esac |