--- /dev/null
+--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100
++++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100
+@@ -130,36 +130,6 @@
+ # address family.
+ #
+
+-VARS=(
+- id status name lefthost type ctype psk local local_id leftsubnets
+- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+- route x23 mode interface_mode interface_address interface_mtu rest
+-)
+-
+-function ip_encode() {
+- local IFS=.
+-
+- local int=0
+- for field in $1; do
+- int=$(( $(( $int << 8 )) | $field ))
+- done
+-
+- echo $int
+-}
+-
+-function ip_in_subnet() {
+- local netmask
+- netmask=$(_netmask $2)
+- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-}
+-
+-function _netmask() {
+- local vlsm
+- vlsm=${1#*/}
+- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-}
+-
+ # define a minimum PATH environment in case it is not set
+ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+ export PATH
+@@ -326,13 +296,6 @@
+ fi
+ ;;
+ up-client:iptables)
+- # Read IPsec configuration
+- while IFS="," read -r "${VARS[@]}"; do
+- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+- break
+- fi
+- done < /var/ipfire/vpn/config
+-
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -396,30 +359,6 @@
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+-
+- if [ -z "${interface_mode}" ]; then
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+- fi
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+ ;;
+ down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+@@ -487,28 +426,6 @@
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
+-
+- # remove source nat
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+ ;;
+ #
+ # IPv6
VPN_CONFIG="/var/ipfire/vpn/config"
+ROUTE_TABLE="220"
+ROUTE_TABLE_PRIO="128"
+
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+# Get RED interface name
+if [ -r "/var/ipfire/red/iface" ]; then
+ RED_INTF="$(</var/ipfire/red/iface)"
+else
+ RED_INTF="red0"
+fi
+
VARS=(
id status name lefthost type ctype psk local local_id leftsubnets
remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
dig +short A "${hostname}" | tail -n1
}
+ip_encode() {
+ local address="${1}"
+
+ local int=0
+ for field in ${address//./ }; do
+ int=$(( $(( ${int} << 8 )) | ${field} ))
+ done
+
+ echo ${int}
+}
+
+function ip_in_subnet() {
+ local address="${1}"
+ local subnet="${2}"
+
+ local netmask="${subnet#*/}"
+
+ # Convert netmask to prefix if necessary
+ case "${netmask}" in
+ [0-9]+)
+ ;;
+ *)
+ netmask="$(netmask2prefix "${netmask}")"
+ ;;
+ esac
+
+ local vlsm=$(( -1 << $(( 32 - ${netmask} )) ))
+
+ [ "$(( $(ip_encode "${address}") & ${vlsm} ))" -eq "$(( $(ip_encode "${subnet%/*}") & ${vlsm} ))" ]
+}
+
+netmask2prefix() {
+ local netmask="${1}"
+ local mask="$(ip_encode "${netmask}")"
+
+ local cidr=0
+ local x="$(( 128 << 24 ))" # 0x80000000
+
+ while [ $(( ${x} & ${mask} )) -ne 0 ]; do
+ [ ${mask} -eq ${x} ] && mask=0 || mask=$(( ${mask} << 1 ))
+ cidr=$(( ${cidr} + 1 ))
+ done
+
+ echo "${cidr}"
+}
+
main() {
# Register local variables
local "${VARS[@]}"
local interfaces=()
+ # Flush IPsec routes
+ ip route flush table "${ROUTE_TABLE}"
+
+ # Remove lookups
+ ip rule del lookup "${ROUTE_TABLE}"
+
# We are done when IPsec is not enabled
if [ "${ENABLED}" = "on" ]; then
+ # Enable route table lookup
+ ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}"
+
while IFS="," read -r "${VARS[@]}"; do
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
local intf="${interface_mode}${id}"
;;
*)
+ # Install routes
+ local address
+
+ local _address
+ for _address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ local leftsubnet
+ for leftsubnet in ${leftsubnets//\|/ }; do
+ if ip_in_subnet "${_address}" "${leftsubnet}"; then
+ address="${_address}"
+ break
+ fi
+ done
+
+ # End loop when address is set
+ [ -n "${address}" ] && break
+ done
+
+ local rightsubnet
+ for rightsubnet in ${rightsubnets//\|/ }; do
+ # Ignore default
+ case "${rightsubnet}" in
+ 0.0.0.0/*)
+ continue
+ ;;
+ esac
+
+ log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})"
+ ip route add table "${ROUTE_TABLE}" "${rightsubnet}" proto static \
+ dev "${RED_INTF}" src "${address}"
+ done
+
+ # No interface processing required
continue
;;
esac