[people/pmueller/ipfire-2.x.git] / src / patches / strongswan-ipfire.patch

diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
--- strongswan-5.9.3.org/src/_updown/_updown.in	2020-12-09 19:01:30.000000000 +0100
+++ strongswan-5.9.3/src/_updown/_updown.in	2021-10-25 17:30:15.669773781 +0200
@@ -242,12 +242,9 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
 	# IPComp is used (for small inbound packets that are not compressed)
@@ -263,10 +260,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -274,12 +271,9 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
@@ -294,10 +288,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -305,34 +299,16 @@
 	# connection to client subnet, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	fi
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
 	# IPComp is used (for small inbound packets that are not compressed).
 	# INPUT is correct here even for forwarded traffic.
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -342,47 +318,42 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+	fi
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -392,12 +363,29 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+	fi
 	;;
 #
 # IPv6
@@ -422,10 +410,10 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -454,10 +442,10 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -487,10 +475,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -499,10 +487,10 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -535,11 +523,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +537,11 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
80909fb6 AF	1	diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
80909fb6 AF	2	--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
aa60fd7b	3	+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-25 17:30:15.669773781 +0200
a38c882b	4	@@ -242,12 +242,9 @@
6652626c AF	5	# connection to me, with (left/right)firewall=yes, coming up
	6	# This is used only by the default updown script, not by your custom
	7	# ones, so do not mess with it; see CAUTION comment up at top.
	8	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	9	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	10	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	11	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	12	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	13	- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10	14	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	15	#
d7050fc0 MT	16	# allow IPIP traffic because of the implicit SA created by the kernel if
d7050fc0 MT	17	# IPComp is used (for small inbound packets that are not compressed)
a38c882b	18	@@ -263,10 +260,10 @@
6652626c AF	19	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	20	then
	21	logger -t $TAG -p $FAC_PRIO \
	22	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	23	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	24	else
	25	logger -t $TAG -p $FAC_PRIO \
	26	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	27	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	28	fi
	29	fi
	30	;;
a38c882b	31	@@ -274,12 +271,9 @@
6652626c AF	32	# connection to me, with (left/right)firewall=yes, going down
	33	# This is used only by the default updown script, not by your custom
	34	# ones, so do not mess with it; see CAUTION comment up at top.
	35	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	36	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	37	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	38	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	39	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	40	- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10	41	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	42	#
d7050fc0 MT	43	# IPIP exception teardown
d7050fc0 MT	44	if [ -n "$PLUTO_IPCOMP" ]
a38c882b	45	@@ -294,10 +288,10 @@
6652626c AF	46	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	47	then
	48	logger -t $TAG -p $FAC_PRIO -- \
	49	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	50	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	51	else
	52	logger -t $TAG -p $FAC_PRIO -- \
	53	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	54	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	55	fi
	56	fi
	57	;;
aa60fd7b AF	58	@@ -305,34 +299,16 @@
	59	# connection to client subnet, with (left/right)firewall=yes, coming up
	60	# This is used only by the default updown script, not by your custom
6652626c	61	# ones, so do not mess with it; see CAUTION comment up at top.
aa60fd7b AF	62	- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
aa60fd7b AF	63	- then
6652626c	64	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	65	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	66	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c	67	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b	68	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
dc33c23b	69	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
aa60fd7b	70	- fi
dc33c23b AM	71	#
dc33c23b AM	72	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c	73	# or sometimes host access via the internal IP is needed
aa60fd7b AF	74	- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
aa60fd7b AF	75	- then
6652626c	76	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b	77	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
d7050fc0	78	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
6652626c	79	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	80	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	81	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
aa60fd7b	82	- fi
db073a10	83	#
d7050fc0	84	# allow IPIP traffic because of the implicit SA created by the kernel if
aa60fd7b	85	# IPComp is used (for small inbound packets that are not compressed).
d7050fc0 MT	86	# INPUT is correct here even for forwarded traffic.
	87	if [ -n "$PLUTO_IPCOMP" ]
	88	then
	89	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
d8145673	90	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	91	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	92	fi
	93	#
aa60fd7b	94	@@ -342,47 +318,42 @@
6652626c AF	95	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	96	then
	97	logger -t $TAG -p $FAC_PRIO \
	98	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	99	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	100	else
	101	logger -t $TAG -p $FAC_PRIO \
	102	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	103	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	104	fi
	105	fi
	106	+
	107	+ #
50a488f4	108	+ # Open Firewall for IPinIP + AH + ESP Traffic
d8145673	109	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
50a488f4 AF	110	+ -s $PLUTO_PEER $S_PEER_PORT \
50a488f4 AF	111	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	112	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
db073a10 AF	113	+ -s $PLUTO_PEER $S_PEER_PORT \
db073a10 AF	114	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	115	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
6652626c AF	116	+ -s $PLUTO_PEER $S_PEER_PORT \
6652626c AF	117	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	118	+ if [ $VPN_LOGGING ]
	119	+ then
	120	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	121	+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c	122	+ fi
6652626c AF	123	;;
	124	down-client:iptables)
	125	# connection to client subnet, with (left/right)firewall=yes, going down
aa60fd7b	126	# This is used only by the default updown script, not by your custom
6652626c	127	# ones, so do not mess with it; see CAUTION comment up at top.
aa60fd7b AF	128	- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
aa60fd7b AF	129	- then
6652626c	130	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	131	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	132	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	133	- $IPSEC_POLICY_OUT -j ACCEPT
6652626c	134	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b AF	135	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
aa60fd7b AF	136	- -d $PLUTO_MY_CLIENT $D_MY_PORT \
dc33c23b	137	- $IPSEC_POLICY_IN -j ACCEPT
aa60fd7b	138	- fi
dc33c23b AM	139	#
dc33c23b AM	140	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c	141	# or sometimes host access via the internal IP is needed
aa60fd7b AF	142	- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
aa60fd7b AF	143	- then
6652626c	144	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b AF	145	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
aa60fd7b AF	146	- -d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0	147	- $IPSEC_POLICY_IN -j ACCEPT
6652626c	148	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	149	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	150	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	151	- $IPSEC_POLICY_OUT -j ACCEPT
aa60fd7b	152	- fi
db073a10	153	#
d7050fc0 MT	154	# IPIP exception teardown
	155	if [ -n "$PLUTO_IPCOMP" ]
	156	then
	157	- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
d8145673	158	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	159	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	160	fi
	161	#
aa60fd7b	162	@@ -392,12 +363,29 @@
6652626c AF	163	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	164	then
	165	logger -t $TAG -p $FAC_PRIO -- \
	166	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	167	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	168	else
	169	logger -t $TAG -p $FAC_PRIO -- \
	170	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	171	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	172	fi
	173	fi
	174	+
	175	+ #
50a488f4	176	+ # Close Firewall for IPinIP + AH + ESP Traffic
d8145673	177	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
50a488f4 AF	178	+ -s $PLUTO_PEER $S_PEER_PORT \
50a488f4 AF	179	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	180	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
db073a10 AF	181	+ -s $PLUTO_PEER $S_PEER_PORT \
db073a10 AF	182	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	183	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
6652626c AF	184	+ -s $PLUTO_PEER $S_PEER_PORT \
6652626c AF	185	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	186	+ if [ $VPN_LOGGING ]
	187	+ then
	188	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	189	+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c	190	+ fi
6652626c AF	191	;;
	192	#
	193	# IPv6
aa60fd7b	194	@@ -422,10 +410,10 @@
6652626c AF	195	# connection to me, with (left/right)firewall=yes, coming up
	196	# This is used only by the default updown script, not by your custom
	197	# ones, so do not mess with it; see CAUTION comment up at top.
	198	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	199	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	200	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	201	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	202	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	203	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	204	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	205	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	206	#
aa60fd7b	207	@@ -454,10 +442,10 @@
6652626c AF	208	# connection to me, with (left/right)firewall=yes, going down
	209	# This is used only by the default updown script, not by your custom
	210	# ones, so do not mess with it; see CAUTION comment up at top.
	211	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	212	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	213	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	214	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	215	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	216	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	217	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	218	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	219	#
aa60fd7b	220	@@ -487,10 +475,10 @@
6652626c AF	221	# ones, so do not mess with it; see CAUTION comment up at top.
	222	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	223	then
	224	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	225	+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	226	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	227	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	228	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	229	+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	230	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	231	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	232	fi
aa60fd7b	233	@@ -499,10 +487,10 @@
6652626c AF	234	# or sometimes host access via the internal IP is needed
	235	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	236	then
	237	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	238	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	239	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	240	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	241	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	242	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	243	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	244	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	245	fi
aa60fd7b	246	@@ -535,11 +523,11 @@
6652626c AF	247	# ones, so do not mess with it; see CAUTION comment up at top.
	248	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	249	then
	250	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	251	+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	252	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	253	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	254	$IPSEC_POLICY_OUT -j ACCEPT
	255	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	256	+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	257	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	258	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	259	$IPSEC_POLICY_IN -j ACCEPT
aa60fd7b	260	@@ -549,11 +537,11 @@
6652626c AF	261	# or sometimes host access via the internal IP is needed
	262	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	263	then
	264	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	265	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	266	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	267	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	268	$IPSEC_POLICY_IN -j ACCEPT
	269	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	270	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	271	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	272	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	273	$IPSEC_POLICY_OUT -j ACCEPT