[ipfire-2.x.git] / src / patches / strongswan-ipfire-interfaces.patch

--- strongswan-5.7.0/src/_updown/_updown.in.bak	2019-02-06 18:19:25.723893992 +0000
+++ strongswan-5.7.0/src/_updown/_updown.in	2019-02-06 18:28:21.520560665 +0000
@@ -130,6 +130,13 @@
 #              address family.
 #
 
+VARS=(
+	id status name lefthost type ctype psk local local_id leftsubnets
+	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+	route x23 mode interface_mode interface_address interface_mtu rest
+)
+
 function ip_encode() {
 	local IFS=.
 
@@ -319,6 +326,13 @@
 	fi
 	;;
 up-client:iptables)
+	# Read IPsec configuration
+	while IFS="," read -r "${VARS[@]}"; do
+		if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+			break
+		fi
+	done < /var/ipfire/vpn/config
+
 	# connection to client subnet, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -383,23 +397,25 @@
 	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
 	fi
 
-	# Add source nat so also the gateway can access the other nets
-	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-		if [ $? -eq 0 ]; then
-			src=${_src}
-			break
+	if [ -z "${interface_mode}" ]; then
+		# Add source nat so also the gateway can access the other nets
+		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+		for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+			ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+			if [ $? -eq 0 ]; then
+				src=${_src}
+				break
+			fi
+		done
+
+		if [ -n "${src}" ]; then
+			iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+			logger -t $TAG -p $FAC_PRIO \
+				"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+		else
+			logger -t $TAG -p $FAC_PRIO \
+				"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
 		fi
-	done
-
-	if [ -n "${src}" ]; then
-		iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-		logger -t $TAG -p $FAC_PRIO \
-			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-	else
-		logger -t $TAG -p $FAC_PRIO \
-			"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
 	fi
 
 	# Flush routing cache
Commit	Line	Data
8be516b3 MT	1	--- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000
	2	+++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000
	3	@@ -130,6 +130,13 @@
	4	# address family.
	5	#
	6
	7	+VARS=(
	8	+ id status name lefthost type ctype psk local local_id leftsubnets
	9	+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
	10	+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
	11	+ route x23 mode interface_mode interface_address interface_mtu rest
	12	+)
	13	+
	14	function ip_encode() {
	15	local IFS=.
	16
	17	@@ -319,6 +326,13 @@
	18	fi
	19	;;
	20	up-client:iptables)
	21	+ # Read IPsec configuration
	22	+ while IFS="," read -r "${VARS[@]}"; do
	23	+ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
	24	+ break
	25	+ fi
	26	+ done < /var/ipfire/vpn/config
	27	+
	28	# connection to client subnet, with (left/right)firewall=yes, coming up
	29	# This is used only by the default updown script, not by your custom
	30	# ones, so do not mess with it; see CAUTION comment up at top.
	31	@@ -383,23 +397,25 @@
	32	"tunnel+ $PLUTO_PEER -- $PLUTO_ME"
	33	fi
	34
	35	- # Add source nat so also the gateway can access the other nets
	36	- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	37	- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	38	- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	39	- if [ $? -eq 0 ]; then
	40	- src=${_src}
	41	- break
	42	+ if [ -z "${interface_mode}" ]; then
	43	+ # Add source nat so also the gateway can access the other nets
	44	+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	45	+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	46	+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	47	+ if [ $? -eq 0 ]; then
	48	+ src=${_src}
	49	+ break
	50	+ fi
	51	+ done
	52	+
	53	+ if [ -n "${src}" ]; then
	54	+ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	55	+ logger -t $TAG -p $FAC_PRIO \
	56	+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
	57	+ else
	58	+ logger -t $TAG -p $FAC_PRIO \
	59	+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
	60	fi
	61	- done
	62	-
	63	- if [ -n "${src}" ]; then
	64	- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
65	- logger -t $TAG -p $FAC_PRIO \
66	- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
67	- else
68	- logger -t $TAG -p $FAC_PRIO \
69	- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
70	fi
71
72	# Flush routing cache