updown: Properly configure ICMP[v6] message type and code in firewall rules
index 72ec7d246b31bcb73509977ea33f25fe9c42d5b9..c68c23d8a595e2a4dcc38d3b1562db13dac2f86f 100644 (file)
@@ -290,16 +290,41 @@ else
        IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 fi
 
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)     # ICMP
+       ICMP_TYPE_OPTION="--icmp-type"
+       ;;
+58)    # ICMPv6
+       ICMP_TYPE_OPTION="--icmpv6-type"
+       ;;
+*)
+       ;;
+esac
+
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-       S_MY_PORT="--sport $PLUTO_MY_PORT"
-       D_MY_PORT="--dport $PLUTO_MY_PORT"
+       if [ -n "$ICMP_TYPE_OPTION" ]
+       then
+               S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+               D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+       else
+               S_MY_PORT="--sport $PLUTO_MY_PORT"
+               D_MY_PORT="--dport $PLUTO_MY_PORT"
+       fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-       S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-       D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+       if [ -n "$ICMP_TYPE_OPTION" ]
+       then
+               # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+               S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+               D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+       else
+               S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+               D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+       fi
 fi
 
 # resolve octal escape sequences
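Review bot: The peer-port branch for ICMP appends the code to S_MY_PORT/D_MY_PORT unconditionally, so when PLUTO_MY_PORT is 0 and PLUTO_PEER_PORT is not, both variables become the bare string `/$PLUTO_PEER_PORT` with no `--icmp[v6]-type` in front, and every rule that interpolates them later gets an invalid argument. The guard in the second block should require the type to have been set, e.g. `if [ -n "$ICMP_TYPE_OPTION" ] && [ -n "$S_MY_PORT" ]`, or the code should be dropped with a comment explaining that a code without a type cannot be expressed. Relatedly, ICMP_TYPE_OPTION is only assigned in the two matching case arms and never cleared, so a value inherited from the caller's environment would silently switch the port variables to ICMP syntax; `*) ICMP_TYPE_OPTION="" ;;` in the default arm makes the test on `-n "$ICMP_TYPE_OPTION"` depend only on PLUTO_MY_PROTOCOL. Note also that because 0 is treated as "unset" for both variables, a selector with code 0 is rendered as type-only and the resulting rule matches all codes of that type; whether that is the intended encoding of the negotiated selector is worth confirming against how charon fills PLUTO_PEER_PORT for ICMP.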