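--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100
+++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100
@@ -130,36 +130,6 @@
 # address family.
 #
 
-VARS=(
-id status name lefthost type ctype psk local local_id leftsubnets
-remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
-x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
-route x23 mode interface_mode interface_address interface_mtu rest
-)
-
-function ip_encode() {
-local IFS=.
-
-local int=0
-for field in $1; do
-int=$(( $(( $int << 8 )) | $field ))
-done
-
-echo $int
-}
-
-function ip_in_subnet() {
-local netmask
-netmask=$(_netmask $2)
-[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
-}
-
-function _netmask() {
-local vlsm
-vlsm=${1#*/}
-[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
-}
-
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
@@ -326,13 +296,6 @@
 fi
 ;;
 up-client:iptables)
-# Read IPsec configuration
-while IFS="," read -r "${VARS[@]}"; do
-if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
-break
-fi
-done < /var/ipfire/vpn/config
-
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
@@ -396,30 +359,6 @@
 logger -t $TAG -p $FAC_PRIO \
 "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
 fi
-
-if [ -z "${interface_mode}" ]; then
-# Add source nat so also the gateway can access the other nets
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-if [ $? -eq 0 ]; then
-src=${_src}
-break
-fi
-done
-
-if [ -n "${src}" ]; then
-iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-logger -t $TAG -p $FAC_PRIO \
-"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-else
-logger -t $TAG -p $FAC_PRIO \
-"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
-fi
-fi
-
-# Flush routing cache
-ip route flush cache
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
@@ -487,28 +426,6 @@
 logger -t $TAG -p $FAC_PRIO \
 "tunnel- $PLUTO_PEER -- $PLUTO_ME"
 fi
-
-# remove source nat
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-if [ $? -eq 0 ]; then
-src=${_src}
-break
-fi
-done
-
-if [ -n "${src}" ]; then
-iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-logger -t $TAG -p $FAC_PRIO \
-"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-else
-logger -t $TAG -p $FAC_PRIO \
-"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
-fi
-
-# Flush routing cache
-ip route flush cache
 ;;
 #
 # IPv6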