strongswan: Create AH/ESP rules for host connections, too strongswan-esp-fix
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 2 May 2023 13:26:13 +0000 (15:26 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 2 May 2023 13:26:13 +0000 (15:26 +0200)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/strongswan
src/patches/strongswan-ipfire-esp-for-host-connections.patch [new file with mode: 0644]

index 7cb886fe716471163b39798dd33b325ef8d49030..272446b1d0ed2d41b3c9812bdf202ae3f2ea01ce 100644 (file)
@@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-esp-for-host-connections.patch
 
        $(UPDATE_AUTOMAKE)
        cd $(DIR_APP) && ./configure \
diff --git a/src/patches/strongswan-ipfire-esp-for-host-connections.patch b/src/patches/strongswan-ipfire-esp-for-host-connections.patch
new file mode 100644 (file)
index 0000000..e7342e5
--- /dev/null
@@ -0,0 +1,28 @@
+--- a/src/_updown/_updown.in   2023-05-02 15:23:07.978551169 +0200
++++ b/src/_updown/_updown.in   2023-05-02 15:19:02.072300060 +0200
+@@ -248,6 +248,12 @@
+       iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++      iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++          -s $PLUTO_PEER_CLIENT \
++          -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++      iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++          -s $PLUTO_PEER_CLIENT \
++          -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       #
+       # allow IPIP traffic because of the implicit SA created by the kernel if
+       # IPComp is used (for small inbound packets that are not compressed)
+@@ -280,6 +286,12 @@
+       iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++      iptables --wait -D IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++          -s $PLUTO_PEER_CLIENT \
++          -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++      iptables --wait -D IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++          -s $PLUTO_PEER_CLIENT \
++          -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       #
+       # IPIP exception teardown
+       if [ -n "$PLUTO_IPCOMP" ]
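Review bot: The two teardown lines in the second inner hunk (`@@ -280,6 +286,12 @@`) keep the rule number `1` from the insert form, `-D IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH ...` and the ESP twin, whereas the existing `-D IPSECOUTPUT -o ...` line directly above them omits it; as far as I recall iptables treats `-D chain rulenum` as delete-by-number and rejects match options such as `-i`/`-p`/`-s` in that mode, so both deletes would fail and the AH/ESP ACCEPT rules inserted in the first inner hunk would stay in IPSECINPUT after the connection is torn down. Delete by specification instead, mirroring the IPSECOUTPUT line: `iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \` and `iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \`. It is also worth confirming that `$D_MY_PORT` expands to nothing whenever these lines run, since a port match is not meaningful with `-p AH`/`-p ESP` and would make the insert fail as well. Both touched blocks belong to _updown.in functions whose beginning and end lie outside the quoted hunks.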