From a38c882bfb59d5b359b22df3d97f3ed88f497d93 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Mon, 25 Oct 2021 13:45:39 +0200
Subject: [PATCH] strongswan: remove CONNMARK rules.
the marks are not used by firewall and QoS anymore.
Signed-off-by: Arne Fitzenreiter
---
 src/patches/strongswan-ipfire.patch | 86 +++++++++--------------------
 1 file changed, 27 insertions(+), 59 deletions(-)
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 38202c1ec5..31c32dc4ec 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -1,7 +1,7 @@
 diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
 --- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
-+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-18 14:51:34.446203334 +0200
-@@ -242,12 +242,15 @@
++++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-25 13:41:23.791826699 +0200
+@@ -242,12 +242,9 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
@@ -10,17 +10,12 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
-+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
 # IPComp is used (for small inbound packets that are not compressed)
-@@ -263,10 +266,10 @@
+@@ -263,10 +260,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
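Review bot: The new side leaves the up-host branch with only the inbound `+ iptables --wait -I IPSECINPUT 1 ... -j ACCEPT` rule: the upstream OUTPUT rule (`- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE ...` with its `+- -s` and `- -d` continuation lines) is now deleted outright rather than rewritten, so _updown installs no rule at all for host-originated traffic to `$PLUTO_PEER_CLIENT`. The same one-sided result appears in the down-host hunk (`@@ -33,26 +28,21 @@`) and in the client hunks from `@@ -65,23 +55,18 @@` through `@@ -177,16 +151,10 @@`, where the `-o $PLUTO_INTERFACE` FORWARD/OUTPUT rules are dropped as well. Presumably the IPFire firewall's IPSECOUTPUT/IPSECFORWARD chains are expected to pass the outbound direction on their own, but neither the nested patch nor the commit message says so; a comment beside the surviving IPSECINPUT rule such as `# IPFire: outbound direction is handled by the firewall, no OUTPUT rule here` (with the nested hunk counts adjusted) or a sentence in the commit message would record the intent. The nested hunk counts `-242,12 +242,9` are consistent with the deletion.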
@@ -33,26 +28,21 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 fi
 fi
 ;;
-@@ -274,12 +277,15 @@
+@@ -274,12 +271,9 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
-@@ -294,10 +300,10 @@
+@@ -294,10 +288,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
@@ -65,23 +55,18 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 fi
 fi
 ;;
-@@ -307,24 +313,30 @@
+@@ -307,24 +301,18 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
-+ iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
 + iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
@@ -93,18 +78,13 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
-+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
-+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
-@@ -332,7 +344,7 @@
+@@ -332,7 +320,7 @@
 # INPUT is correct here even for forwarded traffic.
 if [ -n "$PLUTO_IPCOMP" ]
 then
@@ -113,7 +93,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
-@@ -342,12 +354,29 @@
+@@ -342,12 +330,29 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
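Review bot: In this hunk the virtual-IP rule in IPSECINPUT ends with `++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN`, while the host rule inserted into the same chain in the up-host hunk (`@@ -10,17 +10,12 @@`) keeps upstream's `-j ACCEPT`, so traffic to `$PLUTO_ME` is accepted outright but traffic to the host's virtual IP is only handed back to the chain that called IPSECINPUT. The RETURN target predates this commit (it also appears on the removed `-+ -d ... -j RETURN` line), but with the CONNMARK rules gone nothing in the patch explains the different treatment of the two destinations. If it is intentional, a comment beside the rule such as `# RETURN: the firewall decides about traffic to the virtual IP` would save the next reader the question; if not, both rules should use the same target. The if-block this rule belongs to starts before the hunk.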
@@ -145,25 +125,19 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
-@@ -355,34 +384,42 @@
+@@ -355,34 +360,26 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 - $IPSEC_POLICY_OUT -j ACCEPT
 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
 + iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 - $IPSEC_POLICY_IN -j ACCEPT
-+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
-+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
 + $IPSEC_POLICY_IN -j RETURN
 fi
 #
@@ -177,16 +151,10 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 - $IPSEC_POLICY_IN -j ACCEPT
 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
-+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
-+ $IPSEC_POLICY_IN -j RETURN
-+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+- -s $PLUTO_MY_CLIENT $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 - $IPSEC_POLICY_OUT -j ACCEPT
-+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
++ $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # IPIP exception teardown
@@ -197,7 +165,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
-@@ -392,12 +429,29 @@
+@@ -392,12 +389,29 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
@@ -229,7 +197,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 ;;
 #
 # IPv6
-@@ -422,10 +476,10 @@
+@@ -422,10 +436,10 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
@@ -242,7 +210,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
-@@ -454,10 +508,10 @@
+@@ -454,10 +468,10 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
@@ -255,7 +223,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
-@@ -487,10 +541,10 @@
+@@ -487,10 +501,10 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
@@ -268,7 +236,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
-@@ -499,10 +553,10 @@
+@@ -499,10 +513,10 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
@@ -281,7 +249,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
-@@ -535,11 +589,11 @@
+@@ -535,11 +549,11 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
@@ -295,7 +263,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
-@@ -549,11 +603,11 @@
+@@ -549,11 +563,11 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
--
2.39.5