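diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 3a40e21..d9f3ea0 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment)
 ;;
 esac
 
+function ip_encode() {
+ local IFS=.
+
+ local int=0
+ for field in $1; do
+ int=$(( $(( $int << 8 )) | $field ))
+ done
+
+ echo $int
+}
+
+function ip_in_subnet() {
+ local netmask
+ netmask=$(_netmask $2)
+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+}
+
+function _netmask() {
+ local vlsm
+ vlsm=${1#*/}
+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
 uproute() {
@@ -397,12 +420,12 @@ up-host:iptables)
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 #
 # log IPsec host connection setup
 if [ $VPN_LOGGING ]
@@ -410,10 +433,10 @@ up-host:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -421,12 +444,12 @@ down-host:iptables)
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 #
 # log IPsec host connection teardown
 if [ $VPN_LOGGING ]
@@ -434,10 +457,10 @@ down-host:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -447,24 +470,24 @@ up-client:iptables)
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
 fi
 #
 # log IPsec client connection setup
@@ -473,12 +496,51 @@ up-client:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Open Firewall for IPinIP + AH + ESP Traffic
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+ # Add source nat so also the gateway can access the other nets
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+ if [ $? -eq 0 ]; then
+ src=${_src}
+ break
+ fi
+ done
+
+ if [ -n "${src}" ]; then
+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+
+ # Flush routing cache
+ ip route flush cache
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
@@ -486,28 +548,28 @@ down-client:iptables)
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
+ $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
 fi
 #
 # log IPsec client connection teardown
@@ -516,12 +578,51 @@ down-client:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Close Firewall for IPinIP + AH + ESP Traffic
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+ # remove source nat
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+ if [ $? -eq 0 ]; then
+ src=${_src}
+ break
+ fi
+ done
+
+ if [ -n "${src}" ]; then
+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+ fi
+
+ # Flush routing cache
+ ip route flush cache
 ;;
 #
 # IPv6
@@ -556,10 +657,10 @@ up-host-v6:iptables)
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -580,10 +681,10 @@ down-host-v6:iptables)
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -606,10 +707,10 @@ up-client-v6:iptables)
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
@@ -618,10 +719,10 @@ up-client-v6:iptables)
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
@@ -645,11 +746,11 @@ down-client-v6:iptables)
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
@@ -659,11 +760,11 @@ down-client-v6:iptables)
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT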
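Review bot: The "Open Firewall for IPinIP + AH + ESP Traffic" rule added in the `@@ -473,12 +496,51 @@ up-client:iptables)` hunk uses `-p IP`, which iptables resolves via /etc/protocols to protocol number 0, i.e. the "all" pseudo-protocol, so it ACCEPTs every protocol from $PLUTO_PEER to $PLUTO_ME on $PLUTO_INTERFACE rather than only IP-in-IP, and unlike the other INPUT rules in this file it carries no `$IPSEC_POLICY_IN` match, which leaves an any-protocol hole for the peer address for the lifetime of the tunnel. If IP-in-IP encapsulation is what the comment intends, that is IP protocol 4 (`ipencap`), so the line should read `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \` here and `iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \` in the mirrored "Close Firewall" block of the down-client hunk. The `$S_PEER_PORT` / `$D_MY_PORT` arguments copied onto these three rules are also suspect: `--sport`/`--dport` are only accepted with port-bearing protocols, so a connection that sets a port would make these AH/ESP/IP-in-IP rules fail to install (and to be deleted) silently. Note that the `up-client:iptables)` and `down-client:iptables)` case bodies begin before their respective hunks, so the surrounding variable setup is not visible here.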