7589902e AF |
1 | diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in |
2 | --- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200 | |
3 | +++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200 | |
4 | @@ -183,6 +183,29 @@ | |
5 | ;; | |
6 | esac | |
7 | ||
8 | +function ip_encode() { | |
9 | + local IFS=. | |
10 | + | |
11 | + local int=0 | |
12 | + for field in $1; do | |
13 | + int=$(( $(( $int << 8 )) | $field )) | |
14 | + done | |
15 | + | |
16 | + echo $int | |
17 | +} | |
18 | + | |
19 | +function ip_in_subnet() { | |
20 | + local netmask | |
21 | + netmask=$(_netmask $2) | |
22 | + [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] | |
23 | +} | |
24 | + | |
25 | +function _netmask() { | |
26 | + local vlsm | |
27 | + vlsm=${1#*/} | |
28 | + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) | |
29 | +} | |
30 | + | |
31 | # utility functions for route manipulation | |
32 | # Meddling with this stuff should not be necessary and requires great care. | |
33 | uproute() { | |
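Review bot: In the added `ip_encode`, the loop variable `field` is not declared `local`, so every call leaves a global `field` behind in the updown script's environment; the fix is one line next to the existing `local int=0`: `local field`. `_netmask` also assumes its argument always carries a `/prefix`: for a bare address `${1#*/}` returns the whole address, and `[ $vlsm -eq 0 ]` then fails with an "integer expression expected" error instead of a mask, which surfaces in `ip_in_subnet` as a false negative; treating a bare address as a /32, `case "$1" in */*) vlsm=${1#*/} ;; *) vlsm=32 ;; esac`, keeps the helper total. A prefix outside 0..32 is likewise not rejected, which is tolerable here only because the callers pass strongSwan-provided `PLUTO_MY_CLIENT` values. `function name()` and `local` are bash-specific; whether the file's interpreter is bash is not visible in this hunk, so worth confirming against the script's shebang.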
34 | @@ -387,12 +410,12 @@ | |
6652626c AF |
35 | # connection to me, with (left/right)firewall=yes, coming up |
36 | # This is used only by the default updown script, not by your custom | |
37 | # ones, so do not mess with it; see CAUTION comment up at top. | |
38 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
39 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
40 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
41 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
42 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
43 | + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
44 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
db073a10 AF |
45 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
46 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 47 | # |
db073a10 AF |
48 | # log IPsec host connection setup |
49 | if [ $VPN_LOGGING ] | |
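Review bot: The IPSECOUTPUT rule changes its target from `-j ACCEPT` to `-j MARK --set-mark 50`, and MARK is non-terminating, so this rule no longer accepts anything by itself; the packet continues down the chain and its fate now depends on a later rule matching fwmark 50 that is not part of this patch. That dependency deserves a comment on the line, e.g. `# MARK does not accept: a later IPSECOUTPUT rule must act on fwmark 50`, and the literal 50 would be easier to keep in sync across the script as a single variable set near the top. The same ACCEPT→MARK switch appears in the hunks at @@ -411, @@ -437, @@ -449, @@ -476 and @@ -490, while the ip6tables hunks at @@ -546 onward keep `-j ACCEPT`; if the asymmetry between IPv4 and IPv6 is intentional it should be stated once, since a reader will otherwise assume the IPv6 side was missed.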
7589902e | 50 | @@ -400,10 +423,10 @@ |
6652626c AF |
51 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
52 | then | |
53 | logger -t $TAG -p $FAC_PRIO \ | |
54 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
55 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
56 | else | |
57 | logger -t $TAG -p $FAC_PRIO \ | |
58 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
59 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
60 | fi | |
61 | fi | |
62 | ;; | |
7589902e | 63 | @@ -411,12 +434,12 @@ |
6652626c AF |
64 | # connection to me, with (left/right)firewall=yes, going down |
65 | # This is used only by the default updown script, not by your custom | |
66 | # ones, so do not mess with it; see CAUTION comment up at top. | |
67 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
68 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
69 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
70 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
71 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
72 | + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
73 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
db073a10 AF |
74 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
75 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 76 | # |
db073a10 AF |
77 | # log IPsec host connection teardown |
78 | if [ $VPN_LOGGING ] | |
7589902e | 79 | @@ -424,10 +447,10 @@ |
6652626c AF |
80 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
81 | then | |
82 | logger -t $TAG -p $FAC_PRIO -- \ | |
83 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
84 | + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
85 | else | |
86 | logger -t $TAG -p $FAC_PRIO -- \ | |
87 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
88 | + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
89 | fi | |
90 | fi | |
91 | ;; | |
7589902e | 92 | @@ -437,10 +460,10 @@ |
6652626c AF |
93 | # ones, so do not mess with it; see CAUTION comment up at top. |
94 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
95 | then | |
96 | - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
97 | + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
98 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
db073a10 | 99 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 100 | - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 101 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
6652626c AF |
102 | + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
103 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
104 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
105 | fi | |
7589902e | 106 | @@ -449,12 +472,12 @@ |
6652626c AF |
107 | # or sometimes host access via the internal IP is needed |
108 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
109 | then | |
110 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
111 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
112 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
113 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
114 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
115 | + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
116 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
db073a10 AF |
117 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
118 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
6652626c | 119 | fi |
db073a10 AF |
120 | # |
121 | # log IPsec client connection setup | |
7589902e | 122 | @@ -463,12 +486,51 @@ |
6652626c AF |
123 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
124 | then | |
125 | logger -t $TAG -p $FAC_PRIO \ | |
126 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
127 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
128 | else | |
129 | logger -t $TAG -p $FAC_PRIO \ | |
130 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
131 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
132 | fi | |
133 | fi | |
134 | + | |
135 | + # | |
50a488f4 AF |
136 | + # Open Firewall for IPinIP + AH + ESP Traffic |
137 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ | |
138 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
139 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
db073a10 AF |
140 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ |
141 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
142 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
143 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ |
144 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
145 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
146 | + if [ $VPN_LOGGING ] |
147 | + then | |
148 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 149 | + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 150 | + fi |
c4cd0f7b AF |
151 | + |
152 | + # Add source nat so also the gateway can access the other nets | |
7589902e AF |
153 | + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
154 | + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do | |
155 | + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" | |
156 | + if [ $? -eq 0 ]; then | |
157 | + src=${_src} | |
158 | + break | |
159 | + fi | |
160 | + done | |
161 | + | |
162 | + if [ -n "${src}" ]; then | |
163 | + iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src | |
164 | + logger -t $TAG -p $FAC_PRIO \ | |
165 | + "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" | |
166 | + else | |
167 | + logger -t $TAG -p $FAC_PRIO \ | |
168 | + "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" | |
169 | + fi | |
6652626c | 170 | + |
bc4b68b4 AF |
171 | + # Flush routing cache |
172 | + ip route flush cache | |
6652626c AF |
173 | ;; |
174 | down-client:iptables) | |
175 | # connection to client subnet, with (left/right)firewall=yes, going down | |
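Review bot: The rule commented as "IPinIP" uses `-p IP`; on a typical /etc/protocols the name `IP` maps to protocol number 0, and iptables treats protocol 0 the same as `-p all`, so if that holds on this build the rule accepts every protocol from $PLUTO_PEER to $PLUTO_ME rather than only IP-in-IP (protocol 4, `ipencap`), and the AH and ESP rules inserted beneath it become redundant. If IP-in-IP is what is meant, `-p 4` pins the match, and the matching `-D` in the down hunk at @@ -506 must change identically or the broad rule is never removed. Separately, `src` is never reset before the `for _src` search, so the later `[ -n "${src}" ]` test relies on the variable being unset when the script starts; a leading `src=` makes that explicit, and the `snat+` logger call is not gated by `$VPN_LOGGING` unlike the neighbouring `tunnel+` message. The `eval $(/usr/local/bin/readhash ...)` line executes the settings file's contents in a root-context script, which is the project's usual idiom but worth a comment noting that the file is trusted configuration.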
7589902e | 176 | @@ -476,11 +538,11 @@ |
6652626c AF |
177 | # ones, so do not mess with it; see CAUTION comment up at top. |
178 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
179 | then | |
180 | - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
181 | + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
182 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
183 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 184 | - $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 185 | - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 186 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
6652626c AF |
187 | + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
188 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
189 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
190 | $IPSEC_POLICY_IN -j ACCEPT | |
7589902e | 191 | @@ -490,14 +552,14 @@ |
6652626c AF |
192 | # or sometimes host access via the internal IP is needed |
193 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
194 | then | |
195 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
196 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
197 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
198 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
199 | $IPSEC_POLICY_IN -j ACCEPT | |
200 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
201 | + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
202 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
203 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 AF |
204 | - $IPSEC_POLICY_OUT -j ACCEPT |
205 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
206 | fi | |
207 | # | |
208 | # log IPsec client connection teardown | |
7589902e | 209 | @@ -506,12 +568,51 @@ |
6652626c AF |
210 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
211 | then | |
212 | logger -t $TAG -p $FAC_PRIO -- \ | |
213 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
214 | + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
215 | else | |
216 | logger -t $TAG -p $FAC_PRIO -- \ | |
217 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
218 | + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
219 | fi | |
220 | fi | |
221 | + | |
222 | + # | |
50a488f4 AF |
223 | + # Close Firewall for IPinIP + AH + ESP Traffic |
224 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ | |
225 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
226 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
db073a10 AF |
227 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ |
228 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
229 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
230 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ |
231 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
232 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
233 | + if [ $VPN_LOGGING ] |
234 | + then | |
235 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 236 | + "tunnel- $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 237 | + fi |
c4cd0f7b AF |
238 | + |
239 | + # remove source nat | |
7589902e AF |
240 | + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
241 | + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do | |
242 | + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" | |
243 | + if [ $? -eq 0 ]; then | |
244 | + src=${_src} | |
245 | + break | |
246 | + fi | |
247 | + done | |
248 | + | |
249 | + if [ -n "${src}" ]; then | |
250 | + iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src | |
251 | + logger -t $TAG -p $FAC_PRIO \ | |
252 | + "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" | |
253 | + else | |
254 | + logger -t $TAG -p $FAC_PRIO \ | |
255 | + "Cannot remove NAT rule because no IP of the IPFire does match the subnet." | |
256 | + fi | |
6652626c | 257 | + |
bc4b68b4 AF |
258 | + # Flush routing cache |
259 | + ip route flush cache | |
6652626c AF |
260 | ;; |
261 | # | |
262 | # IPv6 | |
7589902e | 263 | @@ -546,10 +647,10 @@ |
6652626c AF |
264 | # connection to me, with (left/right)firewall=yes, coming up |
265 | # This is used only by the default updown script, not by your custom | |
266 | # ones, so do not mess with it; see CAUTION comment up at top. | |
267 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
268 | + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
269 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
270 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
271 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
272 | + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
273 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
274 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
275 | # | |
7589902e | 276 | @@ -570,10 +671,10 @@ |
6652626c AF |
277 | # connection to me, with (left/right)firewall=yes, going down |
278 | # This is used only by the default updown script, not by your custom | |
279 | # ones, so do not mess with it; see CAUTION comment up at top. | |
280 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
281 | + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
282 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
283 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
284 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
285 | + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
286 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
287 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
288 | # | |
7589902e | 289 | @@ -596,10 +697,10 @@ |
6652626c AF |
290 | # ones, so do not mess with it; see CAUTION comment up at top. |
291 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
292 | then | |
293 | - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
294 | + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
295 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
296 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
297 | - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
298 | + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
299 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
300 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
301 | fi | |
7589902e | 302 | @@ -608,10 +709,10 @@ |
6652626c AF |
303 | # or sometimes host access via the internal IP is needed |
304 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
305 | then | |
306 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
307 | + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
308 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
309 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
310 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
311 | + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
312 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
313 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
314 | fi | |
7589902e | 315 | @@ -635,11 +736,11 @@ |
6652626c AF |
316 | # ones, so do not mess with it; see CAUTION comment up at top. |
317 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
318 | then | |
319 | - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
320 | + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
321 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
322 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
323 | $IPSEC_POLICY_OUT -j ACCEPT | |
324 | - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
325 | + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
326 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
327 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
328 | $IPSEC_POLICY_IN -j ACCEPT | |
7589902e | 329 | @@ -649,11 +750,11 @@ |
6652626c AF |
330 | # or sometimes host access via the internal IP is needed |
331 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
332 | then | |
333 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
334 | + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
335 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
336 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
337 | $IPSEC_POLICY_IN -j ACCEPT | |
338 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
339 | + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
340 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
341 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
342 | $IPSEC_POLICY_OUT -j ACCEPT |