1 | --- strongswan-5.3.0/src/_updown/_updown.in.old 2015-03-17 18:17:43.000000000 +0000 |
2 | +++ strongswan-5.3.0/src/_updown/_updown.in 2015-03-30 22:48:27.084030719 +0000 | |
3 | @@ -122,6 +122,29 @@ | |
4 | # address family. | |
5 | # | |
6 | |
7 | +function ip_encode() { | |
8 | + local IFS=. | |
9 | + | |
10 | + local int=0 | |
11 | + for field in $1; do | |
12 | + int=$(( $(( $int << 8 )) | $field )) | |
13 | + done | |
14 | + | |
15 | + echo $int | |
16 | +} | |
17 | + | |
18 | +function ip_in_subnet() { | |
19 | + local netmask | |
20 | + netmask=$(_netmask $2) | |
21 | + [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] | |
22 | +} | |
23 | + | |
24 | +function _netmask() { | |
25 | + local vlsm | |
26 | + vlsm=${1#*/} | |
27 | + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) | |
28 | +} | |
29 | + | |
30 | # define a minimum PATH environment in case it is not set |
31 | PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@" | |
32 | export PATH | |
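Review bot: `ip_encode` at line 11 iterates with `field` but never declares it, so the loop variable leaks into the caller's scope; `local field` beside `local int=0` fixes that. Neither `ip_encode` nor `_netmask` validates its input: a non-numeric octet is handed straight to shell arithmetic instead of being rejected, a value without `/` leaves `vlsm` equal to the whole address so `[ $vlsm -eq 0 ]` errors, and a prefix above 32 is not caught. A guard at the top of `ip_in_subnet` such as `case "$1$2" in *[!0-9./]*|"") return 1 ;; esac` rejects malformed input before any arithmetic runs; the callers added later in this patch pass values from local configuration, so this is defensive hardening rather than a known exposure. `function name()` is a bash-ism; if the script's interpreter line (outside this hunk) is `/bin/sh`, plain `name()` is the portable form.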
33 | @@ -232,12 +255,12 @@ | |
34 | # connection to me, with (left/right)firewall=yes, coming up |
35 | # This is used only by the default updown script, not by your custom | |
36 | # ones, so do not mess with it; see CAUTION comment up at top. | |
37 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 38 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
39 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
40 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
41 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 42 | + iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c | 43 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
44 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
45 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 46 | # |
47 | # allow IPIP traffic because of the implicit SA created by the kernel if |
48 | # IPComp is used (for small inbound packets that are not compressed) | |
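Review bot: The OUTPUT rule ending at line 45 now terminates in `-j MARK --set-mark 50` instead of `-j ACCEPT`; MARK is a non-terminating target, so the packet keeps traversing IPSECOUTPUT and the chain that called it, and the rule only has an effect if a rule further down acts on mark 50. That consumer is not part of this patch, so it should be named where the verdict changes, e.g. `# MARK rather than ACCEPT: the verdict is taken later by the rule matching mark 50 (see [placeholder: location of the mark-50 rule])`. The same applies to the `-j RETURN` verdicts in the client hunks (@@ -297,24 and @@ -345,34), which hand the packet back to the calling chain, whose identity is likewise outside this patch. The teardown hunk (@@ -264,12) deletes the identical rule specification, so the up/down pairs stay consistent.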
df5fbff5 | 49 | @@ -253,10 +276,10 @@ |
50 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
51 | then | |
52 | logger -t $TAG -p $FAC_PRIO \ | |
53 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
54 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
55 | else | |
56 | logger -t $TAG -p $FAC_PRIO \ | |
57 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
58 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
59 | fi | |
60 | fi | |
61 | ;; | |
df5fbff5 | 62 | @@ -264,12 +287,12 @@ |
63 | # connection to me, with (left/right)firewall=yes, going down |
64 | # This is used only by the default updown script, not by your custom | |
65 | # ones, so do not mess with it; see CAUTION comment up at top. | |
66 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 67 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
68 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
69 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
70 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 71 | + iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c | 72 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
73 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
74 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 | |
6652626c | 75 | # |
76 | # IPIP exception teardown |
77 | if [ -n "$PLUTO_IPCOMP" ] | |
df5fbff5 | 78 | @@ -284,10 +307,10 @@ |
79 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
80 | then | |
81 | logger -t $TAG -p $FAC_PRIO -- \ | |
82 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
83 | + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
84 | else | |
85 | logger -t $TAG -p $FAC_PRIO -- \ | |
86 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
87 | + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
88 | fi | |
89 | fi | |
90 | ;; | |
df5fbff5 | 91 | @@ -297,24 +320,24 @@ |
92 | # ones, so do not mess with it; see CAUTION comment up at top. |
93 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
94 | then | |
95 | - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 96 | + iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c | 97 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
db073a10 | 98 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 99 | - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 100 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
d8145673 | 101 | + iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c | 102 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
103 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
104 | + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN | |
6652626c | 105 | fi |
106 | # |
107 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
108 | # or sometimes host access via the internal IP is needed |
109 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
110 | then | |
111 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 112 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c | 113 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
d7050fc0 | 114 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 115 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
d7050fc0 | 116 | + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN |
d8145673 | 117 | + iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c | 118 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
119 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
120 | + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
6652626c | 121 | fi |
db073a10 | 122 | # |
d7050fc0 | 123 | # allow IPIP traffic because of the implicit SA created by the kernel if |
df5fbff5 | 124 | @@ -322,7 +345,7 @@ |
125 | # INPUT is correct here even for forwarded traffic. |
126 | if [ -n "$PLUTO_IPCOMP" ] | |
127 | then | |
128 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ | |
d8145673 | 129 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \ |
130 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT |
131 | fi | |
132 | # | |
df5fbff5 | 133 | @@ -332,12 +355,51 @@ |
134 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
135 | then | |
136 | logger -t $TAG -p $FAC_PRIO \ | |
137 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
138 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
139 | else | |
140 | logger -t $TAG -p $FAC_PRIO \ | |
141 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
142 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
143 | fi | |
144 | fi | |
145 | + | |
146 | + # | |
50a488f4 | 147 | + # Open Firewall for IPinIP + AH + ESP Traffic |
d8145673 | 148 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ |
149 | + -s $PLUTO_PEER $S_PEER_PORT \ |
150 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 151 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ |
152 | + -s $PLUTO_PEER $S_PEER_PORT \ |
153 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 154 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ |
155 | + -s $PLUTO_PEER $S_PEER_PORT \ |
156 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
157 | + if [ $VPN_LOGGING ] |
158 | + then | |
159 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 160 | + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 161 | + fi |
162 | + |
163 | + # Add source nat so also the gateway can access the other nets | |
164 | + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
165 | + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do | |
166 | + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" | |
167 | + if [ $? -eq 0 ]; then | |
168 | + src=${_src} | |
169 | + break | |
170 | + fi | |
171 | + done | |
172 | + | |
173 | + if [ -n "${src}" ]; then | |
d8145673 | 174 | + iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src |
175 | + logger -t $TAG -p $FAC_PRIO \ |
176 | + "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" | |
177 | + else | |
178 | + logger -t $TAG -p $FAC_PRIO \ | |
179 | + "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" | |
180 | + fi | |
6652626c | 181 | + |
182 | + # Flush routing cache |
183 | + ip route flush cache | |
184 | ;; |
185 | down-client:iptables) | |
186 | # connection to client subnet, with (left/right)firewall=yes, going down | |
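Review bot: The rule at line 148 is commented as opening IPinIP but uses `-p IP`; iptables resolves protocol names through /etc/protocols, where `IP` is protocol 0, which iptables treats as `all`, so as written this rule accepts every protocol from $PLUTO_PEER to $PLUTO_ME on the interface rather than only IP-in-IP (worth confirming on a live system with `iptables -S IPSECINPUT` after a tunnel comes up). The IPComp exception elsewhere in this patch uses `-p 4` for the same protocol, so `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \` keeps the two consistent, and the matching `-D` at line 246 in the down-client hunk (@@ -382,12) needs the same change or that rule will never be removed. Separately, `src` at line 168 is never reset before the loop, so a value inherited from the environment would survive a loop with no match and the SNAT rule would be added for an unrelated address; `src=` before the `for` at line 165 (and line 263 in the down-client hunk) closes that.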
df5fbff5 | 187 | @@ -345,34 +407,34 @@ |
188 | # ones, so do not mess with it; see CAUTION comment up at top. |
189 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
190 | then | |
191 | - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 192 | + iptables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
193 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
194 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 195 | - $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 196 | - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
db073a10 | 197 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 |
d8145673 | 198 | + iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
199 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
200 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
201 | - $IPSEC_POLICY_IN -j ACCEPT |
202 | + $IPSEC_POLICY_IN -j RETURN | |
203 | fi | |
204 | # | |
205 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
206 | # or sometimes host access via the internal IP is needed |
207 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
208 | then | |
209 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 210 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
211 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
212 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
d7050fc0 | 213 | - $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 214 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
d7050fc0 | 215 | + $IPSEC_POLICY_IN -j RETURN |
d8145673 | 216 | + iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
217 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
218 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
219 | - $IPSEC_POLICY_OUT -j ACCEPT |
220 | + $IPSEC_POLICY_OUT -j MARK --set-mark 50 | |
221 | fi | |
222 | # | |
223 | # IPIP exception teardown |
224 | if [ -n "$PLUTO_IPCOMP" ] | |
225 | then | |
226 | - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ | |
d8145673 | 227 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \ |
228 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT |
229 | fi | |
230 | # | |
df5fbff5 | 231 | @@ -382,12 +444,51 @@ |
232 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
233 | then | |
234 | logger -t $TAG -p $FAC_PRIO -- \ | |
235 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
236 | + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
237 | else | |
238 | logger -t $TAG -p $FAC_PRIO -- \ | |
239 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
240 | + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
241 | fi | |
242 | fi | |
243 | + | |
244 | + # | |
50a488f4 | 245 | + # Close Firewall for IPinIP + AH + ESP Traffic |
d8145673 | 246 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ |
247 | + -s $PLUTO_PEER $S_PEER_PORT \ |
248 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 249 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ |
250 | + -s $PLUTO_PEER $S_PEER_PORT \ |
251 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 252 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ |
253 | + -s $PLUTO_PEER $S_PEER_PORT \ |
254 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
255 | + if [ $VPN_LOGGING ] |
256 | + then | |
257 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 258 | + "tunnel- $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 259 | + fi |
260 | + |
261 | + # remove source nat | |
262 | + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
263 | + for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do | |
264 | + ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" | |
265 | + if [ $? -eq 0 ]; then | |
266 | + src=${_src} | |
267 | + break | |
268 | + fi | |
269 | + done | |
270 | + | |
271 | + if [ -n "${src}" ]; then | |
d8145673 | 272 | + iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src |
273 | + logger -t $TAG -p $FAC_PRIO \ |
274 | + "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" | |
275 | + else | |
276 | + logger -t $TAG -p $FAC_PRIO \ | |
277 | + "Cannot remove NAT rule because no IP of the IPFire does match the subnet." | |
278 | + fi | |
6652626c | 279 | + |
280 | + # Flush routing cache |
281 | + ip route flush cache | |
282 | ;; |
283 | # | |
284 | # IPv6 | |
df5fbff5 | 285 | @@ -412,10 +513,10 @@ |
286 | # connection to me, with (left/right)firewall=yes, coming up |
287 | # This is used only by the default updown script, not by your custom | |
288 | # ones, so do not mess with it; see CAUTION comment up at top. | |
289 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 290 | + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
291 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
292 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
293 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 294 | + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
295 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
296 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
297 | # | |
df5fbff5 | 298 | @@ -436,10 +537,10 @@ |
299 | # connection to me, with (left/right)firewall=yes, going down |
300 | # This is used only by the default updown script, not by your custom | |
301 | # ones, so do not mess with it; see CAUTION comment up at top. | |
302 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 303 | + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
304 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
305 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
306 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 307 | + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
308 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
309 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
310 | # | |
df5fbff5 | 311 | @@ -462,10 +563,10 @@ |
312 | # ones, so do not mess with it; see CAUTION comment up at top. |
313 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
314 | then | |
315 | - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 316 | + ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
317 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
318 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
319 | - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 320 | + ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
321 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
322 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
323 | fi | |
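Review bot: The IPv6 forward rules at lines 316 and 320 keep `-j ACCEPT`, while the corresponding IPv4 rules in this patch (@@ -297,24) were changed to `-j MARK --set-mark 50` and `-j RETURN`, so IPv6 tunnel traffic is accepted outright and never reaches whatever mark-based handling the IPv4 path relies on. If that is deliberate, a one-line comment such as `# IPv6: no mark-based firewall handling, accept directly` would stop the next reader from "fixing" it; otherwise the IPv6 branch needs the same verdicts. The same asymmetry holds for the IPv6 INPUT/OUTPUT hunks that follow (@@ -474,10 through @@ -515,11).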
df5fbff5 | 324 | @@ -474,10 +575,10 @@ |
325 | # or sometimes host access via the internal IP is needed |
326 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
327 | then | |
328 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 329 | + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
330 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
331 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
332 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 333 | + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
334 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
335 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
336 | fi | |
df5fbff5 | 337 | @@ -501,11 +602,11 @@ |
338 | # ones, so do not mess with it; see CAUTION comment up at top. |
339 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
340 | then | |
341 | - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 342 | + ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
343 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
344 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
345 | $IPSEC_POLICY_OUT -j ACCEPT | |
346 | - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 347 | + ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
348 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
349 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
350 | $IPSEC_POLICY_IN -j ACCEPT | |
df5fbff5 | 351 | @@ -515,11 +616,11 @@ |
352 | # or sometimes host access via the internal IP is needed |
353 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
354 | then | |
355 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 356 | + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
357 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
358 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
359 | $IPSEC_POLICY_IN -j ACCEPT | |
360 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 361 | + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
362 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
363 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
364 | $IPSEC_POLICY_OUT -j ACCEPT |