1 | commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027 |
2 | Author: Michael Tremer <michael.tremer@ipfire.org> | |
3 | Date: Mon Mar 21 19:49:02 2022 +0000 | |
4 | ||
5 | IPFire modifications to _updown script | |
6 | ||
7 | Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> | |
8 | ||
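diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 34eaf68c7..514ecb578 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -242,10 +242,10 @@ up-host:iptables)
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -263,10 +263,10 @@ up-host:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -274,10 +274,10 @@ down-host:iptables)
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -294,10 +294,10 @@ down-host:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -305,34 +305,16 @@ up-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
 # IPComp is used (for small inbound packets that are not compressed).
 # INPUT is correct here even for forwarded traffic.
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -342,10 +324,10 @@ up-client:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
 ;;
@@ -353,36 +335,14 @@ down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -392,10 +352,10 @@ down-client:iptables)
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
 ;;
@@ -422,10 +382,10 @@ up-host-v6:iptables)
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -454,10 +414,10 @@ down-host-v6:iptables)
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -487,10 +447,10 @@ up-client-v6:iptables)
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
@@ -499,10 +459,10 @@ up-client-v6:iptables)
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
@@ -535,11 +495,11 @@ down-client-v6:iptables)
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +509,11 @@ down-client-v6:iptables)
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT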
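Review bot: In the up-client:iptables hunk (@@ -305,34 +305,16) the IPv4 FORWARD rules and the virtual-IP INPUT/OUTPUT rules are deleted outright, but the comment `# a virtual IP requires an INPUT and OUTPUT rule on the host` / `# or sometimes host access via the internal IP is needed` is kept (and again in the down-client hunk at @@ -353,36 +335,14), so it now describes rules the script no longer installs. The v6 arms in up-client-v6/down-client-v6 still install those rules, merely moved into IPSECFORWARD/IPSECINPUT/IPSECOUTPUT, so IPv4 and IPv6 client subnets are now handled differently with nothing in the script saying why; presumably IPv4 forwarding and host-access policy is meant to come from IPFire's own firewall rules, but that should be written down. I would replace the stale comment with `# IPFire: no FORWARD/INPUT/OUTPUT rules are installed for IPv4 client subnets here; policy for that traffic is left to the IPFire firewall` (adjust to the real reason if it differs). The retained IPIP rule, like every other rewritten line, now relies on the IPSECINPUT/IPSECOUTPUT/IPSECFORWARD chains existing before pluto runs this script — an `iptables -I` into a missing chain fails — and neither a check nor a comment here records where those chains are created; a one-line comment naming that precondition would help the next reader. The `case` arms themselves start and end outside the hunks.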