]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/_updown/_updown.in
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use macros to define --enable/--disable options
[thirdparty/strongswan.git] / src / _updown / _updown.in
CommitLineData
997358a6
MW		 1#! /bin/sh
2# iproute2 version, default updown script
3#
4# Copyright (C) 2003-2004 Nigel Meteringham
5# Copyright (C) 2003-2004 Tuomo Soini
6# Copyright (C) 2002-2004 Michael Richardson
ef014519 7# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
8b3b4a24 8#
997358a6
MW		 9# This program is free software; you can redistribute it and/or modify it
10# under the terms of the GNU General Public License as published by the
11# Free Software Foundation; either version 2 of the License, or (at your
12# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8b3b4a24 13#
997358a6
MW		 14# This program is distributed in the hope that it will be useful, but
15# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17# for more details.
997358a6
MW		 18
19# CAUTION: Installing a new version of strongSwan will install a new
20# copy of this script, wiping out any custom changes you make. If
21# you need changes, make a copy of this under another name, and customize
22# that, and use the (left/right)updown parameters in ipsec.conf to make
23# strongSwan use yours instead of this default one.
24
25# things that this script gets (from ipsec_pluto(8) man page)
26#
27# PLUTO_VERSION
28# indicates what version of this interface is being
29# used. This document describes version 1.1. This
30# is upwardly compatible with version 1.0.
31#
32# PLUTO_VERB
33# specifies the name of the operation to be performed
34# (prepare-host, prepare-client, up-host, up-client,
35# down-host, or down-client). If the address family
8af25c56 36# for security gateway to security gateway communica-
997358a6
MW		 37# tions is IPv6, then a suffix of -v6 is added to the
38# verb.
39#
40# PLUTO_CONNECTION
41# is the name of the connection for which we are
42# routing.
43#
44# PLUTO_NEXT_HOP
45# is the next hop to which packets bound for the peer
46# must be sent.
47#
48# PLUTO_INTERFACE
49# is the name of the ipsec interface to be used.
50#
51# PLUTO_REQID
52# is the requid of the ESP policy
53#
54# PLUTO_ME
55# is the IP address of our host.
56#
57# PLUTO_MY_ID
58# is the ID of our host.
59#
60# PLUTO_MY_CLIENT
61# is the IP address / count of our client subnet. If
62# the client is just the host, this will be the
63# host's own IP address / max (where max is 32 for
64# IPv4 and 128 for IPv6).
65#
66# PLUTO_MY_CLIENT_NET
67# is the IP address of our client net. If the client
68# is just the host, this will be the host's own IP
69# address.
70#
71# PLUTO_MY_CLIENT_MASK
72# is the mask for our client net. If the client is
73# just the host, this will be 255.255.255.255.
74#
75# PLUTO_MY_SOURCEIP
76# if non-empty, then the source address for the route will be
77# set to this IP address.
78#
79# PLUTO_MY_PROTOCOL
80# is the IP protocol that will be transported.
81#
82# PLUTO_MY_PORT
83# is the UDP/TCP port to which the IPsec SA is
84# restricted on our side.
85#
86# PLUTO_PEER
87# is the IP address of our peer.
88#
89# PLUTO_PEER_ID
90# is the ID of our peer.
91#
92# PLUTO_PEER_CA
93# is the CA which issued the cert of our peer.
94#
95# PLUTO_PEER_CLIENT
8af25c56 96# is the IP address / count of the peer's client sub-
997358a6
MW		 97# net. If the client is just the peer, this will be
98# the peer's own IP address / max (where max is 32
99# for IPv4 and 128 for IPv6).
100#
101# PLUTO_PEER_CLIENT_NET
102# is the IP address of the peer's client net. If the
103# client is just the peer, this will be the peer's
104# own IP address.
105#
106# PLUTO_PEER_CLIENT_MASK
107# is the mask for the peer's client net. If the
108# client is just the peer, this will be
109# 255.255.255.255.
110#
111# PLUTO_PEER_PROTOCOL
112# is the IP protocol that will be transported.
113#
114# PLUTO_PEER_PORT
115# is the UDP/TCP port to which the IPsec SA is
116# restricted on the peer side.
117#
118
c2bb1eca 119# define a minimum PATH environment in case it is not set
52bb1876 120PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
c2bb1eca
AS		 121export PATH
122
997358a6
MW		 123# uncomment to log VPN connections
124VPN_LOGGING=1
125#
126# tag put in front of each log entry:
127TAG=vpn
128#
129# syslog facility and priority used:
130FAC_PRIO=local0.notice
131#
132# to create a special vpn logging file, put the following line into
133# the syslog configuration file /etc/syslog.conf:
134#
135# local0.notice -/var/log/vpn
f6f55adb
AS		 136
137# in order to use source IP routing the Linux kernel options
138# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
139# must be enabled
140#
141# special routing table for sourceip routes
4e411c83 142SOURCEIP_ROUTING_TABLE=@IPSEC_ROUTING_TABLE@
997358a6 143#
f6f55adb 144# priority of the sourceip routing table
0739cca9 145SOURCEIP_ROUTING_TABLE_PRIO=@IPSEC_ROUTING_TABLE_PRIO@
997358a6
MW		 146
147# check interface version
148case "$PLUTO_VERSION" in
1491.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
150 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
151 echo "$0: called by obsolete Pluto?" >&2
152 exit 2
153 ;;
1541.*) ;;
155*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
156 exit 2
157 ;;
158esac
159
160# check parameter(s)
161case "$1:$*" in
162':') # no parameters
163 ;;
164iptables:iptables) # due to (left/right)firewall; for default script only
165 ;;
166custom:*) # custom parameters (see above CAUTION comment)
167 ;;
168*) echo "$0: unknown parameters \`$*'" >&2
169 exit 2
170 ;;
171esac
172
173# utility functions for route manipulation
174# Meddling with this stuff should not be necessary and requires great care.
175uproute() {
176 doroute add
177 ip route flush cache
178}
179downroute() {
180 doroute delete
181 ip route flush cache
182}
183
184addsource() {
185 st=0
186 if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
187 then
188 it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
189 oops="`eval $it 2>&1`"
190 st=$?
191 if test " $oops" = " " -a " $st" != " 0"
192 then
193 oops="silent error, exit status $st"
194 fi
195 if test " $oops" != " " -o " $st" != " 0"
196 then
197 echo "$0: addsource \`$it' failed ($oops)" >&2
198 fi
199 fi
200 return $st
201}
202
203doroute() {
204 st=0
997358a6
MW		 205
206 if [ -z "$PLUTO_MY_SOURCEIP" ]
207 then
14c408ee
AS		 208 for dir in /etc/sysconfig /etc/conf.d; do
209 if [ -f "$dir/defaultsource" ]
210 then
211 . "$dir/defaultsource"
212 fi
213 done
997358a6
MW		 214
215 if [ -n "$DEFAULTSOURCE" ]
216 then
217 PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
218 fi
219 fi
220
ef014519
AS		 221 if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
222 then
223 # leave because no route entry is required
224 return $st
225 fi
226
227 parms1="$PLUTO_PEER_CLIENT"
228
f6f55adb 229 if [ -n "$PLUTO_NEXT_HOP" ]
ef014519 230 then
f6f55adb 231 parms2="via $PLUTO_NEXT_HOP"
ef014519 232 else
f6f55adb 233 parms2="via $PLUTO_PEER"
8b3b4a24 234 fi
ef014519
AS		 235 parms2="$parms2 dev $PLUTO_INTERFACE"
236
997358a6 237 parms3=
f6f55adb 238 if [ -n "$PLUTO_MY_SOURCEIP" ]
997358a6 239 then
f6f55adb
AS		 240 if test "$1" = "add"
241 then
242 addsource
ca694c61 243 if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
f6f55adb 244 then
ca694c61 245 ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
f6f55adb
AS		 246 fi
247 fi
ca694c61 248 parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
997358a6
MW		 249 fi
250
251 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
252 "0.0.0.0/0.0.0.0")
253 # opportunistic encryption work around
8b3b4a24 254 # need to provide route that eclipses default, without
997358a6
MW		 255 # replacing it.
256 it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
257 ip route $1 128.0.0.0/1 $parms2 $parms3"
258 ;;
ef014519 259 *) it="ip route $1 $parms1 $parms2 $parms3"
997358a6
MW		 260 ;;
261 esac
262 oops="`eval $it 2>&1`"
263 st=$?
264 if test " $oops" = " " -a " $st" != " 0"
265 then
266 oops="silent error, exit status $st"
267 fi
268 if test " $oops" != " " -o " $st" != " 0"
269 then
270 echo "$0: doroute \`$it' failed ($oops)" >&2
271 fi
272 return $st
273}
8b3b4a24
MW		 274
275# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
997358a6
MW		 276if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
277then
ef014519 278 KLIPS=1
997358a6
MW		 279 IPSEC_POLICY_IN=""
280 IPSEC_POLICY_OUT=""
281else
ef014519 282 KLIPS=
997358a6
MW		 283 IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
284 IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
285 IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
286fi
287
288# are there port numbers?
289if [ "$PLUTO_MY_PORT" != 0 ]
290then
291 S_MY_PORT="--sport $PLUTO_MY_PORT"
292 D_MY_PORT="--dport $PLUTO_MY_PORT"
293fi
294if [ "$PLUTO_PEER_PORT" != 0 ]
295then
296 S_PEER_PORT="--sport $PLUTO_PEER_PORT"
297 D_PEER_PORT="--dport $PLUTO_PEER_PORT"
298fi
299
bb7b613b
AS		 300# resolve octal escape sequences
301PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
302PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
303
997358a6
MW		 304# the big choice
305case "$PLUTO_VERB:$1" in
306prepare-host:*|prepare-client:*)
7a1f49c3
AS		 307 if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
308 then
309 # exit because no route will be added,
310 # so that existing routes can stay
311 exit 0
312 fi
313
997358a6
MW		 314 # delete possibly-existing route (preliminary to adding a route)
315 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
316 "0.0.0.0/0.0.0.0")
8b3b4a24 317 # need to provide route that eclipses default, without
997358a6
MW		 318 # replacing it.
319 parms1="0.0.0.0/1"
320 parms2="128.0.0.0/1"
321 it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
322 oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
323 ;;
324 *)
325 parms="$PLUTO_PEER_CLIENT"
326 it="ip route delete $parms 2>&1"
327 oops="`ip route delete $parms 2>&1`"
328 ;;
329 esac
330 status="$?"
331 if test " $oops" = " " -a " $status" != " 0"
332 then
333 oops="silent error, exit status $status"
334 fi
335 case "$oops" in
8b3b4a24 336 *'RTNETLINK answers: No such process'*)
997358a6
MW		 337 # This is what route (currently -- not documented!) gives
338 # for "could not find such a route".
339 oops=
340 status=0
341 ;;
342 esac
343 if test " $oops" != " " -o " $status" != " 0"
344 then
345 echo "$0: \`$it' failed ($oops)" >&2
346 fi
347 exit $status
348 ;;
349route-host:*|route-client:*)
350 # connection to me or my client subnet being routed
351 uproute
352 ;;
353unroute-host:*|unroute-client:*)
354 # connection to me or my client subnet being unrouted
355 downroute
356 ;;
357up-host:)
358 # connection to me coming up
359 # If you are doing a custom version, firewall commands go here.
360 ;;
361down-host:)
362 # connection to me going down
363 # If you are doing a custom version, firewall commands go here.
364 ;;
365up-client:)
366 # connection to my client subnet coming up
367 # If you are doing a custom version, firewall commands go here.
368 ;;
369down-client:)
370 # connection to my client subnet going down
371 # If you are doing a custom version, firewall commands go here.
372 ;;
373up-host:iptables)
374 # connection to me, with (left/right)firewall=yes, coming up
375 # This is used only by the default updown script, not by your custom
376 # ones, so do not mess with it; see CAUTION comment up at top.
377 iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768 378 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
997358a6
MW		 379 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
380 iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
381 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
b14a8768 382 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
997358a6
MW		 383 #
384 # log IPsec host connection setup
385 if [ $VPN_LOGGING ]
386 then
bb7b613b 387 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 388 then
389 logger -t $TAG -p $FAC_PRIO \
bb7b613b 390 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
997358a6
MW		 391 else
392 logger -t $TAG -p $FAC_PRIO \
bb7b613b 393 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
997358a6 394 fi
8b3b4a24 395 fi
997358a6
MW		 396 ;;
397down-host:iptables)
398 # connection to me, with (left/right)firewall=yes, going down
399 # This is used only by the default updown script, not by your custom
400 # ones, so do not mess with it; see CAUTION comment up at top.
401 iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768 402 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
997358a6
MW		 403 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
404 iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
405 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
b14a8768 406 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
997358a6
MW		 407 #
408 # log IPsec host connection teardown
409 if [ $VPN_LOGGING ]
410 then
bb7b613b 411 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 412 then
413 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 414 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
997358a6
MW		 415 else
416 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 417 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
997358a6
MW		 418 fi
419 fi
420 ;;
421up-client:iptables)
422 # connection to client subnet, with (left/right)firewall=yes, coming up
423 # This is used only by the default updown script, not by your custom
424 # ones, so do not mess with it; see CAUTION comment up at top.
425 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
426 then
427 iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 428 -s $PLUTO_MY_CLIENT $S_MY_PORT \
429 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
997358a6 430 iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 431 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
432 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
997358a6
MW		 433 fi
434 #
435 # a virtual IP requires an INPUT and OUTPUT rule on the host
436 # or sometimes host access via the internal IP is needed
437 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
438 then
439 iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 440 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
441 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
997358a6 442 iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 443 -s $PLUTO_MY_CLIENT $S_MY_PORT \
444 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
997358a6
MW		 445 fi
446 #
447 # log IPsec client connection setup
448 if [ $VPN_LOGGING ]
449 then
bb7b613b 450 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 451 then
452 logger -t $TAG -p $FAC_PRIO \
bb7b613b 453 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 454 else
455 logger -t $TAG -p $FAC_PRIO \
bb7b613b 456 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 457 fi
458 fi
459 ;;
460down-client:iptables)
461 # connection to client subnet, with (left/right)firewall=yes, going down
462 # This is used only by the default updown script, not by your custom
463 # ones, so do not mess with it; see CAUTION comment up at top.
464 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
465 then
466 iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 467 -s $PLUTO_MY_CLIENT $S_MY_PORT \
468 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
997358a6
MW		 469 $IPSEC_POLICY_OUT -j ACCEPT
470 iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 471 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
472 -d $PLUTO_MY_CLIENT $D_MY_PORT \
997358a6
MW		 473 $IPSEC_POLICY_IN -j ACCEPT
474 fi
475 #
476 # a virtual IP requires an INPUT and OUTPUT rule on the host
477 # or sometimes host access via the internal IP is needed
478 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
479 then
480 iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
b14a8768
AS		 481 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
482 -d $PLUTO_MY_CLIENT $D_MY_PORT \
997358a6
MW		 483 $IPSEC_POLICY_IN -j ACCEPT
484 iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
b14a8768
AS		 485 -s $PLUTO_MY_CLIENT $S_MY_PORT \
486 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
997358a6
MW		 487 $IPSEC_POLICY_OUT -j ACCEPT
488 fi
489 #
490 # log IPsec client connection teardown
491 if [ $VPN_LOGGING ]
492 then
bb7b613b 493 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
997358a6
MW		 494 then
495 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 496 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 497 else
498 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 499 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
997358a6
MW		 500 fi
501 fi
502 ;;
503#
504# IPv6
505#
506prepare-host-v6:*|prepare-client-v6:*)
507 ;;
508route-host-v6:*|route-client-v6:*)
509 # connection to me or my client subnet being routed
510 #uproute_v6
511 ;;
512unroute-host-v6:*|unroute-client-v6:*)
513 # connection to me or my client subnet being unrouted
514 #downroute_v6
515 ;;
b14a8768 516up-host-v6:)
997358a6
MW		 517 # connection to me coming up
518 # If you are doing a custom version, firewall commands go here.
519 ;;
b14a8768 520down-host-v6:)
997358a6
MW		 521 # connection to me going down
522 # If you are doing a custom version, firewall commands go here.
523 ;;
b14a8768 524up-client-v6:)
997358a6
MW		 525 # connection to my client subnet coming up
526 # If you are doing a custom version, firewall commands go here.
527 ;;
b14a8768 528down-client-v6:)
997358a6
MW		 529 # connection to my client subnet going down
530 # If you are doing a custom version, firewall commands go here.
531 ;;
b14a8768
AS		 532up-host-v6:iptables)
533 # connection to me, with (left/right)firewall=yes, coming up
534 # This is used only by the default updown script, not by your custom
535 # ones, so do not mess with it; see CAUTION comment up at top.
536 ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
537 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
538 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
539 ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
540 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
541 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
542 #
543 # log IPsec host connection setup
544 if [ $VPN_LOGGING ]
545 then
bb7b613b 546 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 547 then
548 logger -t $TAG -p $FAC_PRIO \
bb7b613b 549 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
b14a8768
AS		 550 else
551 logger -t $TAG -p $FAC_PRIO \
bb7b613b 552 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
b14a8768 553 fi
8b3b4a24 554 fi
b14a8768
AS		 555 ;;
556down-host-v6:iptables)
557 # connection to me, with (left/right)firewall=yes, going down
558 # This is used only by the default updown script, not by your custom
559 # ones, so do not mess with it; see CAUTION comment up at top.
560 ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
561 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
562 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
563 ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
564 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
565 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
566 #
567 # log IPsec host connection teardown
568 if [ $VPN_LOGGING ]
569 then
bb7b613b 570 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 571 then
572 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 573 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
b14a8768
AS		 574 else
575 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 576 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
b14a8768
AS		 577 fi
578 fi
579 ;;
580up-client-v6:iptables)
581 # connection to client subnet, with (left/right)firewall=yes, coming up
582 # This is used only by the default updown script, not by your custom
583 # ones, so do not mess with it; see CAUTION comment up at top.
584 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
585 then
586 ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
587 -s $PLUTO_MY_CLIENT $S_MY_PORT \
588 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
589 ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
590 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
591 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
592 fi
593 #
594 # a virtual IP requires an INPUT and OUTPUT rule on the host
595 # or sometimes host access via the internal IP is needed
596 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
597 then
598 ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
599 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
600 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
601 ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
602 -s $PLUTO_MY_CLIENT $S_MY_PORT \
603 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
604 fi
605 #
606 # log IPsec client connection setup
607 if [ $VPN_LOGGING ]
608 then
bb7b613b 609 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 610 then
611 logger -t $TAG -p $FAC_PRIO \
bb7b613b 612 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 613 else
614 logger -t $TAG -p $FAC_PRIO \
bb7b613b 615 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 616 fi
617 fi
618 ;;
619down-client-v6:iptables)
620 # connection to client subnet, with (left/right)firewall=yes, going down
621 # This is used only by the default updown script, not by your custom
622 # ones, so do not mess with it; see CAUTION comment up at top.
623 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
624 then
625 ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
626 -s $PLUTO_MY_CLIENT $S_MY_PORT \
627 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
628 $IPSEC_POLICY_OUT -j ACCEPT
629 ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
630 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
631 -d $PLUTO_MY_CLIENT $D_MY_PORT \
632 $IPSEC_POLICY_IN -j ACCEPT
633 fi
634 #
635 # a virtual IP requires an INPUT and OUTPUT rule on the host
636 # or sometimes host access via the internal IP is needed
637 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
638 then
639 ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
640 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
641 -d $PLUTO_MY_CLIENT $D_MY_PORT \
642 $IPSEC_POLICY_IN -j ACCEPT
643 ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
644 -s $PLUTO_MY_CLIENT $S_MY_PORT \
645 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
646 $IPSEC_POLICY_OUT -j ACCEPT
647 fi
648 #
649 # log IPsec client connection teardown
650 if [ $VPN_LOGGING ]
651 then
bb7b613b 652 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
b14a8768
AS		 653 then
654 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 655 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 656 else
657 logger -t $TAG -p $FAC_PRIO -- \
bb7b613b 658 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
b14a8768
AS		 659 fi
660 fi
661 ;;
997358a6
MW		 662*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
663 exit 1
664 ;;
665esac
Unnamed repository; edit this file 'description' to name the repository.