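diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-25 17:30:15.669773781 +0200
@@ -242,12 +242,9 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
 # IPComp is used (for small inbound packets that are not compressed)
@@ -263,10 +260,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -274,12 +271,9 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
@@ -294,10 +288,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -305,34 +299,16 @@
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
 # IPComp is used (for small inbound packets that are not compressed).
 # INPUT is correct here even for forwarded traffic.
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -342,47 +318,42 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Open Firewall for IPinIP + AH + ESP Traffic
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -392,12 +363,29 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Close Firewall for IPinIP + AH + ESP Traffic
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
 ;;
 #
 # IPv6
@@ -422,10 +410,10 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -454,10 +442,10 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -487,10 +475,10 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
@@ -499,10 +487,10 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
@@ -535,11 +523,11 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +537,11 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT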
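Review bot: The new `-p IP` rule in the up-client hunk (`@@ -342,47 +318,42 @@`, the first rule under "Open Firewall for IPinIP + AH + ESP Traffic") does not match IP-in-IP: on a typical system iptables resolves `IP` through /etc/protocols to protocol number 0, which it treats as `all`, so the rule accepts every protocol from $PLUTO_PEER to $PLUTO_ME on $PLUTO_INTERFACE, and unlike the rules it replaces it carries no $IPSEC_POLICY_IN match. The IPComp exception a few lines earlier in the same hunk already uses `-p 4` for this purpose, so the rule should read `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \`, and the matching `-D` line in the down-client hunk (`@@ -392,12 +363,29 @@`) needs the same change or the teardown will not find the rule. The `$S_PEER_PORT`/`$D_MY_PORT` expansions on the three new rules also look doubtful: if they expand to `--sport`/`--dport` (presumably for port-restricted connections; I cannot confirm from here how they are set), iptables rejects them for `-p AH`/`-p ESP` and the rule is never installed. Separately, `@@ -242,12 +242,9 @@` drops the IPv4 host OUTPUT rule entirely while the IPv6 counterpart in `@@ -422,10 +410,10 @@` keeps it as an IPSECOUTPUT rule; if that asymmetry is intended, a one-line comment saying why would save the next reader a search. The enclosing case arms begin outside these hunks.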