[ipfire-2.x.git] / src / patches / strongswan-4.5.3_ipfire.patch

diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in
--- strongswan-4.5.3.org/src/_updown/_updown.in	2010-10-22 16:33:30.000000000 +0200
+++ strongswan-4.5.3/src/_updown/_updown.in	2011-09-13 14:19:31.000000000 +0200
@@ -183,6 +183,29 @@
 	;;
 esac
 
+function ip_encode() {
+	local IFS=.
+
+	local int=0
+	for field in $1; do
+		int=$(( $(( $int << 8 )) | $field ))
+	done
+
+	echo $int
+}
+
+function ip_in_subnet() {
+	local netmask
+	netmask=$(_netmask $2)
+	[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+}
+
+function _netmask() {
+	local vlsm
+	vlsm=${1#*/}
+	[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
 uproute() {
@@ -387,12 +410,12 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
@@ -400,10 +423,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -411,12 +434,12 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
@@ -424,10 +447,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -437,10 +460,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -449,12 +472,12 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# log IPsec client connection setup
@@ -463,12 +486,51 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# Add source nat so also the gateway can access the other nets
+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+		if [ $? -eq 0 ]; then
+			src=${_src}
+			break
+		fi
+	done
+
+	if [ -n "${src}" ]; then
+		iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+		logger -t $TAG -p $FAC_PRIO \
+			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+	else
+		logger -t $TAG -p $FAC_PRIO \
+			"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+	fi
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
@@ -476,11 +538,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -490,14 +552,14 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# log IPsec client connection teardown
@@ -506,12 +568,51 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# remove source nat
+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+		if [ $? -eq 0 ]; then
+			src=${_src}
+			break
+		fi
+	done
+
+	if [ -n "${src}" ]; then
+		iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+		logger -t $TAG -p $FAC_PRIO \
+			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+	else
+		logger -t $TAG -p $FAC_PRIO \
+			"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+	fi
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 #
 # IPv6
@@ -546,10 +647,10 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -570,10 +671,10 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -596,10 +697,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -608,10 +709,10 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -635,11 +736,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -649,11 +750,11 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
7589902e AF	1	diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in
	2	--- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200
	3	+++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200
	4	@@ -183,6 +183,29 @@
	5	;;
	6	esac
	7
	8	+function ip_encode() {
	9	+ local IFS=.
	10	+
	11	+ local int=0
	12	+ for field in $1; do
	13	+ int=$(( $(( $int << 8 )) \| $field ))
	14	+ done
	15	+
	16	+ echo $int
	17	+}
	18	+
	19	+function ip_in_subnet() {
	20	+ local netmask
	21	+ netmask=$(_netmask $2)
	22	+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
	23	+}
	24	+
	25	+function _netmask() {
	26	+ local vlsm
	27	+ vlsm=${1#*/}
	28	+ [ $vlsm -eq 0 ] && echo 0 \|\| echo $(( -1 << $(( 32 - $vlsm )) ))
	29	+}
	30	+
	31	# utility functions for route manipulation
	32	# Meddling with this stuff should not be necessary and requires great care.
	33	uproute() {
	34	@@ -387,12 +410,12 @@
6652626c AF	35	# connection to me, with (left/right)firewall=yes, coming up
	36	# This is used only by the default updown script, not by your custom
	37	# ones, so do not mess with it; see CAUTION comment up at top.
	38	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	39	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	40	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	41	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	42	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	43	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	44	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 AF	45	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
db073a10 AF	46	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c	47	#
db073a10 AF	48	# log IPsec host connection setup
db073a10 AF	49	if [ $VPN_LOGGING ]
7589902e	50	@@ -400,10 +423,10 @@
6652626c AF	51	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	52	then
	53	logger -t $TAG -p $FAC_PRIO \
	54	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	55	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	56	else
	57	logger -t $TAG -p $FAC_PRIO \
	58	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	59	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	60	fi
	61	fi
	62	;;
7589902e	63	@@ -411,12 +434,12 @@
6652626c AF	64	# connection to me, with (left/right)firewall=yes, going down
	65	# This is used only by the default updown script, not by your custom
	66	# ones, so do not mess with it; see CAUTION comment up at top.
	67	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	68	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	69	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	70	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	71	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	72	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	73	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 AF	74	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
db073a10 AF	75	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c	76	#
db073a10 AF	77	# log IPsec host connection teardown
db073a10 AF	78	if [ $VPN_LOGGING ]
7589902e	79	@@ -424,10 +447,10 @@
6652626c AF	80	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	81	then
	82	logger -t $TAG -p $FAC_PRIO -- \
	83	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	84	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	85	else
	86	logger -t $TAG -p $FAC_PRIO -- \
	87	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	88	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	89	fi
	90	fi
	91	;;
7589902e	92	@@ -437,10 +460,10 @@
6652626c AF	93	# ones, so do not mess with it; see CAUTION comment up at top.
	94	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	95	then
	96	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	97	+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	98	-s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	99	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c	100	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10	101	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c AF	102	+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	103	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	104	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	105	fi
7589902e	106	@@ -449,12 +472,12 @@
6652626c AF	107	# or sometimes host access via the internal IP is needed
	108	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	109	then
	110	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	111	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	112	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	113	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	114	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	115	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	116	-s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10 AF	117	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
db073a10 AF	118	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c	119	fi
db073a10 AF	120	#
db073a10 AF	121	# log IPsec client connection setup
7589902e	122	@@ -463,12 +486,51 @@
6652626c AF	123	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	124	then
	125	logger -t $TAG -p $FAC_PRIO \
	126	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	127	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	128	else
	129	logger -t $TAG -p $FAC_PRIO \
	130	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	131	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	132	fi
	133	fi
	134	+
	135	+ #
50a488f4 AF	136	+ # Open Firewall for IPinIP + AH + ESP Traffic
	137	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
	138	+ -s $PLUTO_PEER $S_PEER_PORT \
	139	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
db073a10 AF	140	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
	141	+ -s $PLUTO_PEER $S_PEER_PORT \
	142	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	143	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
	144	+ -s $PLUTO_PEER $S_PEER_PORT \
	145	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	146	+ if [ $VPN_LOGGING ]
	147	+ then
	148	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	149	+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c	150	+ fi
c4cd0f7b AF	151	+
c4cd0f7b AF	152	+ # Add source nat so also the gateway can access the other nets
7589902e AF	153	+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	154	+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	155	+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	156	+ if [ $? -eq 0 ]; then
	157	+ src=${_src}
	158	+ break
	159	+ fi
	160	+ done
	161	+
	162	+ if [ -n "${src}" ]; then
	163	+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	164	+ logger -t $TAG -p $FAC_PRIO \
	165	+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
	166	+ else
	167	+ logger -t $TAG -p $FAC_PRIO \
	168	+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
	169	+ fi
6652626c	170	+
bc4b68b4 AF	171	+ # Flush routing cache
bc4b68b4 AF	172	+ ip route flush cache
6652626c AF	173	;;
	174	down-client:iptables)
	175	# connection to client subnet, with (left/right)firewall=yes, going down
7589902e	176	@@ -476,11 +538,11 @@
6652626c AF	177	# ones, so do not mess with it; see CAUTION comment up at top.
	178	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	179	then
	180	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	181	+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	182	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	183	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	184	- $IPSEC_POLICY_OUT -j ACCEPT
6652626c	185	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10	186	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c AF	187	+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	188	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	189	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	190	$IPSEC_POLICY_IN -j ACCEPT
7589902e	191	@@ -490,14 +552,14 @@
6652626c AF	192	# or sometimes host access via the internal IP is needed
	193	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	194	then
	195	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	196	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	197	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	198	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	199	$IPSEC_POLICY_IN -j ACCEPT
	200	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	201	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	202	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	203	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10 AF	204	- $IPSEC_POLICY_OUT -j ACCEPT
	205	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
	206	fi
	207	#
	208	# log IPsec client connection teardown
7589902e	209	@@ -506,12 +568,51 @@
6652626c AF	210	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	211	then
	212	logger -t $TAG -p $FAC_PRIO -- \
	213	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	214	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	215	else
	216	logger -t $TAG -p $FAC_PRIO -- \
	217	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	218	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	219	fi
	220	fi
	221	+
	222	+ #
50a488f4 AF	223	+ # Close Firewall for IPinIP + AH + ESP Traffic
	224	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
	225	+ -s $PLUTO_PEER $S_PEER_PORT \
	226	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
db073a10 AF	227	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
	228	+ -s $PLUTO_PEER $S_PEER_PORT \
	229	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	230	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
	231	+ -s $PLUTO_PEER $S_PEER_PORT \
	232	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	233	+ if [ $VPN_LOGGING ]
	234	+ then
	235	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	236	+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c	237	+ fi
c4cd0f7b AF	238	+
c4cd0f7b AF	239	+ # remove source nat
7589902e AF	240	+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	241	+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	242	+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	243	+ if [ $? -eq 0 ]; then
	244	+ src=${_src}
	245	+ break
	246	+ fi
	247	+ done
	248	+
	249	+ if [ -n "${src}" ]; then
	250	+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	251	+ logger -t $TAG -p $FAC_PRIO \
	252	+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
	253	+ else
	254	+ logger -t $TAG -p $FAC_PRIO \
	255	+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
	256	+ fi
6652626c	257	+
bc4b68b4 AF	258	+ # Flush routing cache
bc4b68b4 AF	259	+ ip route flush cache
6652626c AF	260	;;
	261	#
	262	# IPv6
7589902e	263	@@ -546,10 +647,10 @@
6652626c AF	264	# connection to me, with (left/right)firewall=yes, coming up
	265	# This is used only by the default updown script, not by your custom
	266	# ones, so do not mess with it; see CAUTION comment up at top.
	267	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	268	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	269	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	270	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	271	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	272	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	273	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	274	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	275	#
7589902e	276	@@ -570,10 +671,10 @@
6652626c AF	277	# connection to me, with (left/right)firewall=yes, going down
	278	# This is used only by the default updown script, not by your custom
	279	# ones, so do not mess with it; see CAUTION comment up at top.
	280	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	281	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	282	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	283	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	284	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	285	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	286	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	287	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	288	#
7589902e	289	@@ -596,10 +697,10 @@
6652626c AF	290	# ones, so do not mess with it; see CAUTION comment up at top.
	291	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	292	then
	293	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	294	+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	295	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	296	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	297	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	298	+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	299	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	300	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	301	fi
7589902e	302	@@ -608,10 +709,10 @@
6652626c AF	303	# or sometimes host access via the internal IP is needed
	304	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	305	then
	306	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	307	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	308	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	309	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	310	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	311	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	312	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	313	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	314	fi
7589902e	315	@@ -635,11 +736,11 @@
6652626c AF	316	# ones, so do not mess with it; see CAUTION comment up at top.
	317	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	318	then
	319	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	320	+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	321	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	322	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	323	$IPSEC_POLICY_OUT -j ACCEPT
	324	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	325	+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	326	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	327	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	328	$IPSEC_POLICY_IN -j ACCEPT
7589902e	329	@@ -649,11 +750,11 @@
6652626c AF	330	# or sometimes host access via the internal IP is needed
	331	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	332	then
	333	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	334	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	335	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	336	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	337	$IPSEC_POLICY_IN -j ACCEPT
	338	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	339	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	340	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	341	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	342	$IPSEC_POLICY_OUT -j ACCEPT