1 | #! /bin/sh |
2 | # iproute2 version, default updown script | |
3 | # | |
4 | # Copyright (C) 2003-2004 Nigel Meteringham | |
5 | # Copyright (C) 2003-2004 Tuomo Soini | |
6 | # Copyright (C) 2002-2004 Michael Richardson | |
ef014519 | 7 | # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> |
8b3b4a24 | 8 | # |
9 | # This program is free software; you can redistribute it and/or modify it |
10 | # under the terms of the GNU General Public License as published by the | |
11 | # Free Software Foundation; either version 2 of the License, or (at your | |
12 | # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
8b3b4a24 | 13 | # |
14 | # This program is distributed in the hope that it will be useful, but |
15 | # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
16 | # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
17 | # for more details. | |
18 | |
19 | # CAUTION: Installing a new version of strongSwan will install a new | |
20 | # copy of this script, wiping out any custom changes you make. If | |
21 | # you need changes, make a copy of this under another name, and customize | |
22 | # that, and use the (left/right)updown parameters in ipsec.conf to make | |
23 | # strongSwan use yours instead of this default one. | |
24 | ||
25 | # things that this script gets (from ipsec_pluto(8) man page) | |
26 | # | |
27 | # PLUTO_VERSION | |
28 | # indicates what version of this interface is being | |
29 | # used. This document describes version 1.1. This | |
30 | # is upwardly compatible with version 1.0. | |
31 | # | |
32 | # PLUTO_VERB | |
33 | # specifies the name of the operation to be performed | |
34 | # (prepare-host, prepare-client, up-host, up-client, | |
35 | # down-host, or down-client). If the address family | |
8af25c56 | 36 | # for security gateway to security gateway communica- |
37 | # tions is IPv6, then a suffix of -v6 is added to the |
38 | # verb. | |
39 | # | |
40 | # PLUTO_CONNECTION | |
41 | # is the name of the connection for which we are | |
42 | # routing. | |
43 | # | |
44 | # PLUTO_NEXT_HOP | |
45 | # is the next hop to which packets bound for the peer | |
46 | # must be sent. | |
47 | # | |
48 | # PLUTO_INTERFACE | |
49 | # is the name of the ipsec interface to be used. | |
50 | # | |
51 | # PLUTO_REQID | |
52 | # is the requid of the ESP policy | |
53 | # | |
54 | # PLUTO_ME | |
55 | # is the IP address of our host. | |
56 | # | |
57 | # PLUTO_MY_ID | |
58 | # is the ID of our host. | |
59 | # | |
60 | # PLUTO_MY_CLIENT | |
61 | # is the IP address / count of our client subnet. If | |
62 | # the client is just the host, this will be the | |
63 | # host's own IP address / max (where max is 32 for | |
64 | # IPv4 and 128 for IPv6). | |
65 | # | |
66 | # PLUTO_MY_CLIENT_NET | |
67 | # is the IP address of our client net. If the client | |
68 | # is just the host, this will be the host's own IP | |
69 | # address. | |
70 | # | |
71 | # PLUTO_MY_CLIENT_MASK | |
72 | # is the mask for our client net. If the client is | |
73 | # just the host, this will be 255.255.255.255. | |
74 | # | |
75 | # PLUTO_MY_SOURCEIP | |
76 | # if non-empty, then the source address for the route will be | |
77 | # set to this IP address. | |
78 | # | |
79 | # PLUTO_MY_PROTOCOL | |
80 | # is the IP protocol that will be transported. | |
81 | # | |
82 | # PLUTO_MY_PORT | |
83 | # is the UDP/TCP port to which the IPsec SA is | |
84 | # restricted on our side. | |
85 | # | |
86 | # PLUTO_PEER | |
87 | # is the IP address of our peer. | |
88 | # | |
89 | # PLUTO_PEER_ID | |
90 | # is the ID of our peer. | |
91 | # | |
92 | # PLUTO_PEER_CA | |
93 | # is the CA which issued the cert of our peer. | |
94 | # | |
95 | # PLUTO_PEER_CLIENT | |
8af25c56 | 96 | # is the IP address / count of the peer's client sub- |
97 | # net. If the client is just the peer, this will be |
98 | # the peer's own IP address / max (where max is 32 | |
99 | # for IPv4 and 128 for IPv6). | |
100 | # | |
101 | # PLUTO_PEER_CLIENT_NET | |
102 | # is the IP address of the peer's client net. If the | |
103 | # client is just the peer, this will be the peer's | |
104 | # own IP address. | |
105 | # | |
106 | # PLUTO_PEER_CLIENT_MASK | |
107 | # is the mask for the peer's client net. If the | |
108 | # client is just the peer, this will be | |
109 | # 255.255.255.255. | |
110 | # | |
111 | # PLUTO_PEER_PROTOCOL | |
112 | # is the IP protocol that will be transported. | |
113 | # | |
114 | # PLUTO_PEER_PORT | |
115 | # is the UDP/TCP port to which the IPsec SA is | |
116 | # restricted on the peer side. | |
117 | # | |
118 | ||
# define a minimum PATH environment in case it is not set
# (absolute, fixed directories only: every ip/iptables/logger invocation
# below is resolved through this PATH and not through whatever the caller
# had exported)
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"

# VPN connection logging: leave at 1 to log every connection setup and
# teardown through logger(1); set to empty or comment out to disable
# (the checks below are plain "[ $VPN_LOGGING ]", so empty means off)
VPN_LOGGING=1
# tag put in front of each log entry
TAG=vpn
# syslog facility and priority used
FAC_PRIO=local0.notice
# to collect the entries in a dedicated file, add to /etc/syslog.conf:
#
#     local0.notice -/var/log/vpn

# source IP routing needs the Linux kernel options
# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
#
# routing table that receives the sourceip routes, and the priority of the
# "ip rule" that points at it; the @...@ placeholders are filled in when
# strongSwan is built
SOURCEIP_ROUTING_TABLE=@IPSEC_ROUTING_TABLE@
SOURCEIP_ROUTING_TABLE_PRIO=@IPSEC_ROUTING_TABLE_PRIO@
146 | |
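# check interface version
# PLUTO_VERSION is the updown interface version pluto speaks (see the
# description at the top).  1.0 and 1.1 are refused as too old, any other
# 1.x is accepted, everything else is unknown; both failures exit with
# status 2 before any ip/iptables command has been run.
case "$PLUTO_VERSION" in
1.[01])	# Older Pluto?!? Play it safe, script may be using new features.
	# (a bracket expression lists single characters: exactly 1.0 and 1.1)
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
# $1 is the optional argument that follows the script name in the
# (left/right)updown setting.  Only three forms are accepted: no argument
# at all, exactly the single word "iptables" (the "$1:$*" key rejects
# "iptables" followed by anything else), or a first word "custom" with
# whatever a customized copy of this script wants after it.
case "$1:$*" in
':')	# no parameters
	;;
iptables:iptables)	# due to (left/right)firewall; for default script only
	;;
custom:*)	# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac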
172 | ||
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.

# uproute: add the route towards the peer's client subnet (see doroute)
# and flush the kernel route cache so that it takes effect at once.  The
# function's status is that of the flush; a failing "ip route add" is
# reported on stderr by doroute itself but not propagated to the caller.
uproute() {
	doroute add; ip route flush cache
}
# downroute: remove the route towards the peer's client subnet (see
# doroute) and flush the kernel route cache.  As with uproute, the status
# returned is that of the flush, not of the "ip route delete".
downroute() {
	doroute delete; ip route flush cache
}
183 | ||
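# addsource: make sure the virtual IP in $PLUTO_MY_SOURCEIP (given with or
# without a prefix length, which is stripped) is configured on
# $PLUTO_INTERFACE as a /32 host address, so that it can serve as the
# source address of the sourceip route installed by doroute.
# Globals read: PLUTO_MY_SOURCEIP, PLUTO_INTERFACE.  Globals written: it,
# oops, st.
# Returns 0 when the address is already local, otherwise the exit status
# of "ip addr add"; a failure is also reported on stderr.
addsource() {
	st=0
	# "ip route get" answers with a "local ..." route when the address
	# already belongs to this host; only then is there nothing to do.
	if ! ip -o route get "${PLUTO_MY_SOURCEIP%/*}" | grep -q '^local'
	then
		# $it only names the command in the error message.  The command
		# itself is run directly, not through eval, so the variable
		# values are never re-parsed as shell syntax.
		it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
		oops=$(ip addr add "${PLUTO_MY_SOURCEIP%/*}/32" dev "$PLUTO_INTERFACE" 2>&1)
		st=$?
		# a non-zero status without any output still deserves a message
		if test " $oops" = " " -a " $st" != " 0"
		then
			oops="silent error, exit status $st"
		fi
		if test " $oops" != " " -o " $st" != " 0"
		then
			echo "$0: addsource \`$it' failed ($oops)" >&2
		fi
	fi
	return $st
}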
202 | ||
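# doroute add|delete: install or remove the route towards the peer's
# client subnet ($PLUTO_PEER_CLIENT) via $PLUTO_NEXT_HOP, or via the peer
# itself when no next hop is given, on $PLUTO_INTERFACE.
#
# When a virtual IP is in use ($PLUTO_MY_SOURCEIP, possibly with a prefix
# length, or a DEFAULTSOURCE configured in /etc/sysconfig/defaultsource or
# /etc/conf.d/defaultsource) the route carries that address as its source
# and goes into $SOURCEIP_ROUTING_TABLE; "add" also creates the "ip rule"
# pointing at that table on first use.  Without KLIPS and without a source
# IP nothing is done because no route entry is required.  A peer client of
# 0.0.0.0/0 is covered by two /1 routes so that the existing default route
# is eclipsed rather than replaced.
#
# Globals written: PLUTO_MY_SOURCEIP (from DEFAULTSOURCE), parms1, parms2,
# parms3, it, oops, st.
# Returns 0 when nothing had to be done, otherwise the exit status of the
# "ip route" command(s); failures are also reported on stderr.
doroute() {
	st=0

	# no virtual IP from pluto: fall back to the administrator's default
	# source address.  The defaultsource file is sourced as shell code, so
	# it must stay writable by root only.
	if [ -z "$PLUTO_MY_SOURCEIP" ]
	then
		for dir in /etc/sysconfig /etc/conf.d; do
			if [ -f "$dir/defaultsource" ]
			then
				. "$dir/defaultsource"
			fi
		done

		if [ -n "$DEFAULTSOURCE" ]
		then
			PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
		fi
	fi

	if [ -z "$KLIPS" ] && [ -z "$PLUTO_MY_SOURCEIP" ]
	then
		# leave because no route entry is required
		return $st
	fi

	parms1="$PLUTO_PEER_CLIENT"

	if [ -n "$PLUTO_NEXT_HOP" ]
	then
		parms2="via $PLUTO_NEXT_HOP"
	else
		parms2="via $PLUTO_PEER"
	fi
	parms2="$parms2 dev $PLUTO_INTERFACE"

	parms3=
	if [ -n "$PLUTO_MY_SOURCEIP" ]
	then
		if test "$1" = "add"
		then
			addsource
			# NOTE(review): this is a substring match, so a table whose
			# number merely contains $SOURCEIP_ROUTING_TABLE would also
			# count as present -- verify against the rule output format
			if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
			then
				ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
			fi
		fi
		parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
	fi

	# $it only names the command in the error message.  The command itself
	# is run directly rather than through eval, so the PLUTO_* values
	# (the peer's traffic selector, the next hop, ...) are never re-parsed
	# as shell syntax.  $parms1/$parms2/$parms3 are deliberately unquoted:
	# they hold several words, or nothing at all.
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
		ip route $1 128.0.0.0/1 $parms2 $parms3"
		oops=$(ip route "$1" 0.0.0.0/1 $parms2 $parms3 2>&1 &&
		       ip route "$1" 128.0.0.0/1 $parms2 $parms3 2>&1)
		st=$?
		;;
	*)	it="ip route $1 $parms1 $parms2 $parms3"
		oops=$(ip route "$1" $parms1 $parms2 $parms3 2>&1)
		st=$?
		;;
	esac
	# a non-zero status without any output still deserves a message
	if test " $oops" = " " -a " $st" != " 0"
	then
		oops="silent error, exit status $st"
	fi
	if test " $oops" != " " -o " $st" != " 0"
	then
		echo "$0: doroute \`$it' failed ($oops)" >&2
	fi
	return $st
}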
274 | |
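# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
#
# With KLIPS (recognised by an "ipsec" interface name) the policy match is
# left empty and the firewall rules below rely on their -i/-o interface
# match alone.  Otherwise IPSEC_POLICY_IN/OUT make each ACCEPT rule apply
# only to packets that were carried by ESP under this connection's reqid
# ($PLUTO_REQID), i.e. not to unprotected packets that merely claim the
# same addresses.  $KLIPS is also read by doroute() and the prepare-*
# verbs.
case "$PLUTO_INTERFACE" in
*ipsec*)
	KLIPS=1
	IPSEC_POLICY_IN=""
	IPSEC_POLICY_OUT=""
	;;
*)
	KLIPS=
	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
	;;
esac

# are there port numbers?
# 0 means that the SA is not restricted to a port (so no --sport/--dport
# is added); an unset variable is treated the same way rather than
# producing a bare "--sport" without an argument.  The S_/D_ variables are
# expanded unquoted below on purpose: they are either empty or two words.
if [ -n "$PLUTO_MY_PORT" ] && [ "$PLUTO_MY_PORT" != 0 ]
then
	S_MY_PORT="--sport $PLUTO_MY_PORT"
	D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
if [ -n "$PLUTO_PEER_PORT" ] && [ "$PLUTO_PEER_PORT" != 0 ]
then
	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi

# resolve octal escape sequences
# The IDs are decoded by letting printf(1) interpret them as a format
# string, which is what turns the \ddd octal escapes into bytes.  Because
# the peer chooses its own identity, every '%' is doubled first so that
# the value cannot smuggle in printf conversion directives; the decoded
# IDs are only used in the logger messages below.
resolve_escapes() {
	printf "$(printf '%s' "$1" | sed 's/%/%%/g')"
}
PLUTO_MY_ID=`resolve_escapes "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`resolve_escapes "$PLUTO_PEER_ID"`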
303 | ||
# the big choice
#
# Dispatch on "VERB:PARAMETER".  $1 was validated above: it is empty,
# "iptables" (pluto passes it for (left/right)firewall=yes) or "custom".
# Only the prepare/route/unroute verbs accept any parameter (":*"); the
# up/down verbs match either no parameter (the firewall-free default, left
# for customized copies to fill in) or exactly "iptables".  A "custom"
# parameter on an up/down verb therefore ends in the final *) branch with
# exit status 1; a customized copy presumably adds its own cases.
#
# Every iptables/ip6tables rule below is inserted at position 1 of its
# chain ("-I CHAIN 1") by an up-* verb and removed with the identical
# match by the matching down-* verb, so each pair's arguments must stay in
# sync.  $IPSEC_POLICY_IN/_OUT (set above) limit the ACCEPT to packets
# carried by ESP under this connection's reqid; with KLIPS they are empty.
# $S_*_PORT/$D_*_PORT are empty when no port restriction applies, which is
# why those variables are expanded unquoted.
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
	then
		# exit because no route will be added,
		# so that existing routes can stay
		exit 0
	fi

	# delete possibly-existing route (preliminary to adding a route)
	# $it only names the command in the error message; $oops collects the
	# output of the delete(s) and $status, read right after the case, is
	# the exit status of the last command substitution -- in the
	# 0.0.0.0/0 case that is the second delete only.
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# need to provide route that eclipses default, without
		# replacing it.
		parms1="0.0.0.0/1"
		parms2="128.0.0.0/1"
		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
		;;
	*)
		parms="$PLUTO_PEER_CLIENT"
		it="ip route delete $parms 2>&1"
		oops="`ip route delete $parms 2>&1`"
		;;
	esac
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	# a missing route is the expected case here, not an error
	case "$oops" in
	*'RTNETLINK answers: No such process'*)
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	#
	# Accept traffic between the peer's client subnet and this host's own
	# address, in both directions, restricted to the negotiated
	# protocol/port and (without KLIPS) to this connection's ESP policy.
	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection setup
	# The message contains peer-chosen data ($PLUTO_PEER_ID and the
	# peer's traffic selector); anything that parses the vpn log should
	# not rely on it having a fixed shape.
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	#
	# Same matches as in up-host:iptables, deleted instead of inserted.
	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection teardown
	# "--" ends option parsing, since the message itself starts with "-"
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	#
	# FORWARD rules between the two client subnets are only needed when
	# the peer's "client" is not just our own virtual IP; in that case the
	# INPUT/OUTPUT rules below cover the traffic.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	# (PLUTO_HOST_ACCESS is not among the variables documented at the top;
	# presumably it is exported by the caller -- verify before relying on it)
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection setup
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	#
	# Same matches as in up-client:iptables, deleted instead of inserted.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
	    iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		$IPSEC_POLICY_OUT -j ACCEPT
	    iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT \
		$IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT \
		$IPSEC_POLICY_IN -j ACCEPT
	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		$IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection teardown
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
#
# IPv6
#
# The IPv6 verbs carry a "-v6" suffix (see PLUTO_VERB at the top).  This
# script installs no IPv6 routes: prepare-*-v6 is a no-op and the
# uproute_v6/downroute_v6 calls are commented out.  The firewall cases are
# the IPv4 ones with ip6tables and a /128 host prefix.
#
prepare-host-v6:*|prepare-client-v6:*)
	;;
route-host-v6:*|route-client-v6:*)
	# connection to me or my client subnet being routed
	#uproute_v6
	;;
unroute-host-v6:*|unroute-client-v6:*)
	# connection to me or my client subnet being unrouted
	#downroute_v6
	;;
up-host-v6:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection setup
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection teardown
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
	    ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	    ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
	    ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	    ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection setup
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
	    ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		$IPSEC_POLICY_OUT -j ACCEPT
	    ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT \
		$IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
	    ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		-d $PLUTO_MY_CLIENT $D_MY_PORT \
		$IPSEC_POLICY_IN -j ACCEPT
	    ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		-s $PLUTO_MY_CLIENT $S_MY_PORT \
		-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		$IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection teardown
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac