1 | --- a/src/_updown/_updown.in |
2 | +++ b/src/_updown/_updown.in | |
d7050fc0 | 3 | @@ -178,6 +178,29 @@ |
7589902e AF |
4 | ;; |
5 | esac | |
6 | ||
7 | +function ip_encode() { | |
8 | + local IFS=. | |
9 | + | |
10 | + local int=0 | |
11 | + for field in $1; do | |
12 | + int=$(( $(( $int << 8 )) | $field )) | |
13 | + done | |
14 | + | |
15 | + echo $int | |
16 | +} | |
17 | + | |
18 | +function ip_in_subnet() { | |
19 | + local netmask | |
20 | + netmask=$(_netmask $2) | |
21 | + [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] | |
22 | +} | |
23 | + | |
24 | +function _netmask() { | |
25 | + local vlsm | |
26 | + vlsm=${1#*/} | |
27 | + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) | |
28 | +} | |
29 | + | |
30 | # utility functions for route manipulation | |
31 | # Meddling with this stuff should not be necessary and requires great care. | |
32 | uproute() { | |
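Review bot: `_netmask` assumes its argument carries a `/prefix`: for a bare address `${1#*/}` returns the whole string, `[ $vlsm -eq 0 ]` fails with an integer-expression error and the `||` branch then feeds the address into `$(( 32 - $vlsm ))`, so `ip_in_subnet` ends in a shell error rather than a false result. If a prefix-less value can ever reach it, treat it as a host route: `vlsm=${1#*/}; [ "$vlsm" = "$1" ] && vlsm=32`. The non-zero mask is a sign-extended 64-bit value (`-1 << n`) whose high bits are harmless only because both operands of the `&` in `ip_in_subnet` are 32-bit; a comment such as `# mask is sign-extended; only AND it with 32-bit values` would make that dependency explicit. Style: the three new helpers use the bash `function name()` form and `local`, while the file's existing helpers (`uproute() {` just below) use the POSIX form; keep one convention, which also documents whether the script requires bash.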
d7050fc0 | 33 | @@ -407,12 +430,12 @@ |
6652626c AF |
34 | # connection to me, with (left/right)firewall=yes, coming up |
35 | # This is used only by the default updown script, not by your custom | |
36 | # ones, so do not mess with it; see CAUTION comment up at top. | |
37 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
38 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
39 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
40 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
41 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
42 | + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
43 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
db073a10 AF |
44 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
45 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 46 | # |
d7050fc0 MT |
47 | # allow IPIP traffic because of the implicit SA created by the kernel if |
48 | # IPComp is used (for small inbound packets that are not compressed) | |
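Review bot: The mark value is hard-coded as `--set-mark 50` on the new IPSECOUTPUT rule and repeated in the same literal form in the later IPSECFORWARD/IPSECOUTPUT hunks, on both the insert and the matching `-D` rules, so a change to the mark used by the rest of the firewall has to be made in eight places. Define it once with the other settings, e.g. `IPSEC_MARK=50`, and write `-j MARK --set-mark $IPSEC_MARK` in each rule. MARK is a non-terminating target, so unlike the previous `-j ACCEPT` the packet continues through the chain; presumably that is intended and is what the chain rename is for, but a one-line comment saying so would stop the next reader from "fixing" it back to ACCEPT.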
49 | @@ -428,10 +451,10 @@ | |
6652626c AF |
50 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
51 | then | |
52 | logger -t $TAG -p $FAC_PRIO \ | |
53 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
54 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
55 | else | |
56 | logger -t $TAG -p $FAC_PRIO \ | |
57 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
58 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
59 | fi | |
60 | fi | |
61 | ;; | |
d7050fc0 | 62 | @@ -439,12 +462,12 @@ |
6652626c AF |
63 | # connection to me, with (left/right)firewall=yes, going down |
64 | # This is used only by the default updown script, not by your custom | |
65 | # ones, so do not mess with it; see CAUTION comment up at top. | |
66 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
67 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
68 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
69 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
70 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
71 | + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
72 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
db073a10 AF |
73 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
74 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 75 | # |
d7050fc0 MT |
76 | # IPIP exception teardown |
77 | if [ -n "$PLUTO_IPCOMP" ] | |
78 | @@ -459,10 +482,10 @@ | |
6652626c AF |
79 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
80 | then | |
81 | logger -t $TAG -p $FAC_PRIO -- \ | |
82 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
83 | + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
84 | else | |
85 | logger -t $TAG -p $FAC_PRIO -- \ | |
86 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
87 | + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
88 | fi | |
89 | fi | |
90 | ;; | |
d7050fc0 | 91 | @@ -472,24 +495,24 @@ |
6652626c AF |
92 | # ones, so do not mess with it; see CAUTION comment up at top. |
93 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
94 | then | |
95 | - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
96 | + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
97 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
db073a10 | 98 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 99 | - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 100 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
6652626c AF |
101 | + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
102 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
dc33c23b AM |
103 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
104 | + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN | |
6652626c | 105 | fi |
dc33c23b AM |
106 | # |
107 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
6652626c AF |
108 | # or sometimes host access via the internal IP is needed |
109 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
110 | then | |
111 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
112 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
113 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
d7050fc0 | 114 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 115 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
d7050fc0 | 116 | + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN |
6652626c AF |
117 | + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
118 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
db073a10 AF |
119 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
120 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
6652626c | 121 | fi |
db073a10 | 122 | # |
d7050fc0 MT |
123 | # allow IPIP traffic because of the implicit SA created by the kernel if |
124 | @@ -497,7 +520,7 @@ | |
125 | # INPUT is correct here even for forwarded traffic. | |
126 | if [ -n "$PLUTO_IPCOMP" ] | |
127 | then | |
128 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ | |
129 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \ | |
130 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT | |
131 | fi | |
132 | # | |
133 | @@ -507,12 +530,51 @@ | |
6652626c AF |
134 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
135 | then | |
136 | logger -t $TAG -p $FAC_PRIO \ | |
137 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
138 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
139 | else | |
140 | logger -t $TAG -p $FAC_PRIO \ | |
141 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
142 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
143 | fi | |
144 | fi | |
145 | + | |
146 | + # | |
50a488f4 AF |
147 | + # Open Firewall for IPinIP + AH + ESP Traffic |
148 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ | |
149 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
150 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
db073a10 AF |
151 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ |
152 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
153 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
154 | + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ |
155 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
156 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
157 | + if [ $VPN_LOGGING ] |
158 | + then | |
159 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 160 | + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 161 | + fi |
c4cd0f7b AF |
162 | + |
163 | + # Add source nat so also the gateway can access the other nets | |
7589902e AF |
164 | + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
165 | + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do | |
166 | + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" | |
167 | + if [ $? -eq 0 ]; then | |
168 | + src=${_src} | |
169 | + break | |
170 | + fi | |
171 | + done | |
172 | + | |
173 | + if [ -n "${src}" ]; then | |
174 | + iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src | |
175 | + logger -t $TAG -p $FAC_PRIO \ | |
176 | + "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" | |
177 | + else | |
178 | + logger -t $TAG -p $FAC_PRIO \ | |
179 | + "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" | |
180 | + fi | |
6652626c | 181 | + |
bc4b68b4 AF |
182 | + # Flush routing cache |
183 | + ip route flush cache | |
6652626c AF |
184 | ;; |
185 | down-client:iptables) | |
186 | # connection to client subnet, with (left/right)firewall=yes, going down | |
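Review bot: The new IPSECINPUT rules for `-p IP`, `-p AH` and `-p ESP` include `$S_PEER_PORT` and `$D_MY_PORT`; if those expand to `--sport`/`--dport` options for port-selecting connections, as their use on the `-p $PLUTO_MY_PROTOCOL` rules above suggests, iptables rejects them for these protocols and the rule is silently never inserted. Drop the port variables from the three protocol rules, i.e. `-s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT`, and from the matching `-D` rules in the down-client hunk. In the SNAT block `src` is tested with `-n "${src}"` without being initialised before the loop, so `src=` should precede `for _src in ...` to make the result independent of earlier script state. The down-client counterpart re-derives `$src` from the current ethernet settings and logs `snat-` regardless of whether `iptables -t nat -D` succeeded, so an address change while the tunnel was up leaves a stale SNAT rule unnoticed; log on failure, e.g. `iptables -t nat -D IPSECNAT ... --to $src || logger -t $TAG -p $FAC_PRIO "snat- removal failed: $PLUTO_PEER_CLIENT - $src"`. `[ $VPN_LOGGING ]` is true for any non-empty value, so if that setting can hold something like `off` the comparison should be explicit.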
d7050fc0 | 187 | @@ -520,34 +582,34 @@ |
6652626c AF |
188 | # ones, so do not mess with it; see CAUTION comment up at top. |
189 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
190 | then | |
191 | - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
192 | + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
193 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
194 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 195 | - $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 196 | - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 197 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
6652626c AF |
198 | + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
199 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
200 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
dc33c23b AM |
201 | - $IPSEC_POLICY_IN -j ACCEPT |
202 | + $IPSEC_POLICY_IN -j RETURN | |
203 | fi | |
204 | # | |
205 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
6652626c AF |
206 | # or sometimes host access via the internal IP is needed |
207 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
208 | then | |
209 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
210 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
211 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
212 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
d7050fc0 | 213 | - $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 214 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
d7050fc0 | 215 | + $IPSEC_POLICY_IN -j RETURN |
6652626c AF |
216 | + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
217 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
218 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 AF |
219 | - $IPSEC_POLICY_OUT -j ACCEPT |
220 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
221 | fi | |
222 | # | |
d7050fc0 MT |
223 | # IPIP exception teardown |
224 | if [ -n "$PLUTO_IPCOMP" ] | |
225 | then | |
226 | - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ | |
227 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \ | |
228 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT | |
229 | fi | |
230 | # | |
231 | @@ -557,12 +619,51 @@ | |
6652626c AF |
232 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
233 | then | |
234 | logger -t $TAG -p $FAC_PRIO -- \ | |
235 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
236 | + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
237 | else | |
238 | logger -t $TAG -p $FAC_PRIO -- \ | |
239 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
240 | + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
241 | fi | |
242 | fi | |
243 | + | |
244 | + # | |
50a488f4 AF |
245 | + # Close Firewall for IPinIP + AH + ESP Traffic |
246 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ | |
247 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
248 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
db073a10 AF |
249 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ |
250 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
251 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
252 | + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ |
253 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
254 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
255 | + if [ $VPN_LOGGING ] |
256 | + then | |
257 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 258 | + "tunnel- $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 259 | + fi |
c4cd0f7b AF |
260 | + |
261 | + # remove source nat | |
7589902e AF |
262 | + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
263 | + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do | |
264 | + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" | |
265 | + if [ $? -eq 0 ]; then | |
266 | + src=${_src} | |
267 | + break | |
268 | + fi | |
269 | + done | |
270 | + | |
271 | + if [ -n "${src}" ]; then | |
272 | + iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src | |
273 | + logger -t $TAG -p $FAC_PRIO \ | |
274 | + "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" | |
275 | + else | |
276 | + logger -t $TAG -p $FAC_PRIO \ | |
277 | + "Cannot remove NAT rule because no IP of the IPFire does match the subnet." | |
278 | + fi | |
6652626c | 279 | + |
bc4b68b4 AF |
280 | + # Flush routing cache |
281 | + ip route flush cache | |
6652626c AF |
282 | ;; |
283 | # | |
284 | # IPv6 | |
d7050fc0 | 285 | @@ -597,10 +698,10 @@ |
6652626c AF |
286 | # connection to me, with (left/right)firewall=yes, coming up |
287 | # This is used only by the default updown script, not by your custom | |
288 | # ones, so do not mess with it; see CAUTION comment up at top. | |
289 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
290 | + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
291 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
292 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
293 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
294 | + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
295 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
296 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
297 | # | |
d7050fc0 | 298 | @@ -621,10 +722,10 @@ |
6652626c AF |
299 | # connection to me, with (left/right)firewall=yes, going down |
300 | # This is used only by the default updown script, not by your custom | |
301 | # ones, so do not mess with it; see CAUTION comment up at top. | |
302 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
303 | + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
304 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
305 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
306 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
307 | + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
308 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
309 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
310 | # | |
d7050fc0 | 311 | @@ -647,10 +748,10 @@ |
6652626c AF |
312 | # ones, so do not mess with it; see CAUTION comment up at top. |
313 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
314 | then | |
315 | - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
316 | + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
317 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
318 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
319 | - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
320 | + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
321 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
322 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
323 | fi | |
d7050fc0 | 324 | @@ -659,10 +760,10 @@ |
6652626c AF |
325 | # or sometimes host access via the internal IP is needed |
326 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
327 | then | |
328 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
329 | + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
330 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
331 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
332 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
333 | + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
334 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
335 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
336 | fi | |
d7050fc0 | 337 | @@ -686,11 +787,11 @@ |
6652626c AF |
338 | # ones, so do not mess with it; see CAUTION comment up at top. |
339 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
340 | then | |
341 | - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
342 | + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
343 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
344 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
345 | $IPSEC_POLICY_OUT -j ACCEPT | |
346 | - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
347 | + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
348 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
349 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
350 | $IPSEC_POLICY_IN -j ACCEPT | |
d7050fc0 | 351 | @@ -700,11 +801,11 @@ |
6652626c AF |
352 | # or sometimes host access via the internal IP is needed |
353 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
354 | then | |
355 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
356 | + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
357 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ | |
358 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
359 | $IPSEC_POLICY_IN -j ACCEPT | |
360 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
361 | + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
362 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ | |
363 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
364 | $IPSEC_POLICY_OUT -j ACCEPT |