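diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in
--- strongswan-4.4.0.org/src/_updown/_updown.in 2010-03-15 21:52:51.000000000 +0100
+++ strongswan-4.4.0/src/_updown/_updown.in 2010-05-15 13:33:40.000000000 +0200
@@ -374,12 +374,12 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 #
 # log IPsec host connection setup
 if [ $VPN_LOGGING ]
@@ -387,10 +387,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -398,12 +398,12 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 #
 # log IPsec host connection teardown
 if [ $VPN_LOGGING ]
@@ -411,10 +411,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -424,10 +424,10 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
@@ -436,12 +436,12 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
 fi
 #
 # log IPsec client connection setup
@@ -450,12 +450,38 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Open Firewall for IPinIP + AH + ESP Traffic
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+ # Add source nat so also the gateway can access the other nets
+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+
+ # Flush routing cache
+ ip route flush cache
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
@@ -463,11 +489,11 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
@@ -477,14 +503,14 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
 fi
 #
 # log IPsec client connection teardown
@@ -493,12 +519,38 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Close Firewall for IPinIP + AH + ESP Traffic
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+ # remove source nat
+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+
+ # Flush routing cache
+ ip route flush cache
 ;;
 #
 # IPv6
@@ -533,10 +585,10 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -557,10 +609,10 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -583,10 +635,10 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
@@ -595,10 +647,10 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
@@ -622,11 +674,11 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
@@ -636,11 +688,11 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT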
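Review bot: In the up-client hunk (@@ -450,12 +450,38 @@) the rule commented as opening the firewall for IPinIP uses `-p IP`, which iptables most likely resolves through /etc/protocols to protocol 0, meaning every protocol, so the rule would accept all traffic from $PLUTO_PEER to $PLUTO_ME instead of only encapsulated packets. If IP-in-IP is what is meant, name it by number, `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \`, and make the same change on the matching `-D` rule in the down-client hunk (@@ -493,12 +519,38 @@). The three new rules also carry $S_PEER_PORT and $D_MY_PORT, which are set outside these hunks; if they expand to port matches, those have no meaning for AH, ESP or protocol 4 and iptables would reject the rule, so they are probably best dropped from these lines. Separately, the IPv4 OUTPUT and FORWARD rules now end in `-j MARK --set-mark 50`, which does not accept a packet by itself (the IPv6 rules still use ACCEPT), so the patch relies on a rule elsewhere acting on mark 50 and on the IPSECINPUT/IPSECOUTPUT/IPSECFORWARD/IPSECNAT chains already existing, and no iptables exit status is checked; a comment stating that dependency would help, e.g. `# mark 50 is accepted by <rule set outside this script>; IPSEC* chains must exist`.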