From: Arne Fitzenreiter Date: Tue, 13 Sep 2011 12:25:44 +0000 (+0200) Subject: strongswan: import micha's new strongswan gateway detection. X-Git-Tag: v2.9-core53~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7589902e644345a8b383d604cf5e16c786352f59;p=people%2Fstevee%2Fipfire-2.x.git strongswan: import micha's new strongswan gateway detection. --- diff --git a/lfs/strongswan b/lfs/strongswan index 1efd283bbe..cb97bf7e4c 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -71,7 +71,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.4.0_ipfire.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc" \ --enable-cisco-quirks \ diff --git a/src/patches/strongswan-4.4.0_ipfire.patch b/src/patches/strongswan-4.5.3_ipfire.patch similarity index 83% rename from src/patches/strongswan-4.4.0_ipfire.patch rename to src/patches/strongswan-4.5.3_ipfire.patch index 298a1e3a73..2ba975b1d5 100644 --- a/src/patches/strongswan-4.4.0_ipfire.patch +++ b/src/patches/strongswan-4.5.3_ipfire.patch @@ -1,7 +1,37 @@ -diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in ---- strongswan-4.4.0.org/src/_updown/_updown.in 2010-03-15 21:52:51.000000000 +0100 -+++ strongswan-4.4.0/src/_updown/_updown.in 2010-05-15 13:33:40.000000000 +0200 -@@ -374,12 +374,12 @@ +diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in +--- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200 ++++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200 +@@ -183,6 +183,29 @@ + ;; + esac + ++function ip_encode() { ++ local IFS=. ++ ++ local int=0 ++ for field in $1; do ++ int=$(( $(( $int << 8 )) | $field )) ++ done ++ ++ echo $int ++} ++ ++function ip_in_subnet() { ++ local netmask ++ netmask=$(_netmask $2) ++ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] ++} ++ ++function _netmask() { ++ local vlsm ++ vlsm=${1#*/} ++ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) ++} ++ + # utility functions for route manipulation + # Meddling with this stuff should not be necessary and requires great care. + uproute() { +@@ -387,12 +410,12 @@ # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -17,7 +47,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd # # log IPsec host connection setup if [ $VPN_LOGGING ] -@@ -387,10 +387,10 @@ +@@ -400,10 +423,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -30,7 +60,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd fi fi ;; -@@ -398,12 +398,12 @@ +@@ -411,12 +434,12 @@ # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -46,7 +76,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd # # log IPsec host connection teardown if [ $VPN_LOGGING ] -@@ -411,10 +411,10 @@ +@@ -424,10 +447,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -59,7 +89,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd fi fi ;; -@@ -424,10 +424,10 @@ +@@ -437,10 +460,10 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -73,7 +103,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -436,12 +436,12 @@ +@@ -449,12 +472,12 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -89,7 +119,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd fi # # log IPsec client connection setup -@@ -450,12 +450,38 @@ +@@ -463,12 +486,51 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -120,17 +150,30 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd + fi + + # Add source nat so also the gateway can access the other nets -+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src)) -+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src -+ logger -t $TAG -p $FAC_PRIO \ -+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do ++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" ++ if [ $? -eq 0 ]; then ++ src=${_src} ++ break ++ fi ++ done ++ ++ if [ -n "${src}" ]; then ++ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src ++ logger -t $TAG -p $FAC_PRIO \ ++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ else ++ logger -t $TAG -p $FAC_PRIO \ ++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" ++ fi + + # Flush routing cache + ip route flush cache ;; down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down -@@ -463,11 +489,11 @@ +@@ -476,11 +538,11 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then @@ -145,7 +188,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -477,14 +503,14 @@ +@@ -490,14 +552,14 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -163,7 +206,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd fi # # log IPsec client connection teardown -@@ -493,12 +519,38 @@ +@@ -506,12 +568,51 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -194,17 +237,30 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd + fi + + # remove source nat -+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src)) -+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src -+ logger -t $TAG -p $FAC_PRIO \ -+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do ++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" ++ if [ $? -eq 0 ]; then ++ src=${_src} ++ break ++ fi ++ done ++ ++ if [ -n "${src}" ]; then ++ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src ++ logger -t $TAG -p $FAC_PRIO \ ++ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ else ++ logger -t $TAG -p $FAC_PRIO \ ++ "Cannot remove NAT rule because no IP of the IPFire does match the subnet." ++ fi + + # Flush routing cache + ip route flush cache ;; # # IPv6 -@@ -533,10 +585,10 @@ +@@ -546,10 +647,10 @@ # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -217,7 +273,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -557,10 +609,10 @@ +@@ -570,10 +671,10 @@ # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -230,7 +286,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -583,10 +635,10 @@ +@@ -596,10 +697,10 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -243,7 +299,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -595,10 +647,10 @@ +@@ -608,10 +709,10 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -256,7 +312,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -622,11 +674,11 @@ +@@ -635,11 +736,11 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -270,7 +326,7 @@ diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_upd -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -636,11 +688,11 @@ +@@ -649,11 +750,11 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then