[ipfire-2.x.git] / src / patches / strongswan-ipfire.patch

commit b439f74361d393bcb85109b6c41a905cf613a296
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Wed May 18 17:46:57 2022 +0000

    IPFire modifications to _updown script
    
    Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 34eaf68c7..9ed387a0a 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -242,10 +242,10 @@ up-host:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -263,10 +263,10 @@ up-host:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -274,10 +274,10 @@ down-host:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -294,10 +294,10 @@ down-host:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -305,34 +305,16 @@ up-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	fi
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
 	# IPComp is used (for small inbound packets that are not compressed).
 	# INPUT is correct here even for forwarded traffic.
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -342,47 +324,37 @@ up-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	fi
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -392,12 +364,24 @@ down-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+		-s $PLUTO_PEER $S_PEER_PORT \
+		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
+
 	;;
 #
 # IPv6
@@ -422,10 +406,10 @@ up-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -454,10 +438,10 @@ down-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -487,10 +471,10 @@ up-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -499,10 +483,10 @@ up-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -535,11 +519,11 @@ down-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +533,11 @@ down-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
8077bacb PM	1	commit b439f74361d393bcb85109b6c41a905cf613a296
	2	Author: Peter Müller <peter.mueller@ipfire.org>
	3	Date: Wed May 18 17:46:57 2022 +0000
28f659f7 MT	4
	5	IPFire modifications to _updown script
	6
8077bacb	7	Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
28f659f7 MT	8
28f659f7 MT	9	diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
8077bacb	10	index 34eaf68c7..9ed387a0a 100644
28f659f7 MT	11	--- a/src/_updown/_updown.in
	12	+++ b/src/_updown/_updown.in
	13	@@ -242,10 +242,10 @@ up-host:iptables)
6652626c AF	14	# connection to me, with (left/right)firewall=yes, coming up
	15	# This is used only by the default updown script, not by your custom
	16	# ones, so do not mess with it; see CAUTION comment up at top.
	17	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	18	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	19	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	20	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	21	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
28f659f7 MT	22	+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	23	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	24	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	25	#
28f659f7	26	@@ -263,10 +263,10 @@ up-host:iptables)
6652626c AF	27	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	28	then
	29	logger -t $TAG -p $FAC_PRIO \
	30	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	31	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	32	else
	33	logger -t $TAG -p $FAC_PRIO \
	34	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	35	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	36	fi
	37	fi
	38	;;
28f659f7	39	@@ -274,10 +274,10 @@ down-host:iptables)
6652626c AF	40	# connection to me, with (left/right)firewall=yes, going down
	41	# This is used only by the default updown script, not by your custom
	42	# ones, so do not mess with it; see CAUTION comment up at top.
	43	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	44	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	45	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	46	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	47	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
28f659f7 MT	48	+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	49	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	50	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	51	#
28f659f7	52	@@ -294,10 +294,10 @@ down-host:iptables)
6652626c AF	53	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	54	then
	55	logger -t $TAG -p $FAC_PRIO -- \
	56	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	57	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	58	else
	59	logger -t $TAG -p $FAC_PRIO -- \
	60	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	61	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	62	fi
	63	fi
	64	;;
28f659f7	65	@@ -305,34 +305,16 @@ up-client:iptables)
aa60fd7b AF	66	# connection to client subnet, with (left/right)firewall=yes, coming up
aa60fd7b AF	67	# This is used only by the default updown script, not by your custom
6652626c	68	# ones, so do not mess with it; see CAUTION comment up at top.
aa60fd7b AF	69	- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
aa60fd7b AF	70	- then
6652626c	71	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	72	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	73	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c	74	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b	75	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
dc33c23b	76	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
aa60fd7b	77	- fi
dc33c23b AM	78	#
dc33c23b AM	79	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c	80	# or sometimes host access via the internal IP is needed
aa60fd7b AF	81	- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
aa60fd7b AF	82	- then
6652626c	83	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b	84	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
d7050fc0	85	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
6652626c	86	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	87	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	88	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
aa60fd7b	89	- fi
db073a10	90	#
d7050fc0	91	# allow IPIP traffic because of the implicit SA created by the kernel if
aa60fd7b	92	# IPComp is used (for small inbound packets that are not compressed).
d7050fc0 MT	93	# INPUT is correct here even for forwarded traffic.
	94	if [ -n "$PLUTO_IPCOMP" ]
	95	then
	96	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
d8145673	97	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	98	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	99	fi
	100	#
8077bacb	101	@@ -342,47 +324,37 @@ up-client:iptables)
6652626c AF	102	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	103	then
	104	logger -t $TAG -p $FAC_PRIO \
	105	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	106	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	107	else
	108	logger -t $TAG -p $FAC_PRIO \
	109	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	110	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	111	fi
	112	fi
8077bacb PM	113	+
	114	+ # Open Firewall for IPinIP + AH + ESP Traffic
	115	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
	116	+ -s $PLUTO_PEER $S_PEER_PORT \
	117	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	118	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
	119	+ -s $PLUTO_PEER $S_PEER_PORT \
	120	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	121	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
	122	+ -s $PLUTO_PEER $S_PEER_PORT \
	123	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	124	+
6652626c	125	;;
8077bacb	126	down-client:iptables)
6652626c	127	# connection to client subnet, with (left/right)firewall=yes, going down
aa60fd7b	128	# This is used only by the default updown script, not by your custom
6652626c	129	# ones, so do not mess with it; see CAUTION comment up at top.
aa60fd7b AF	130	- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
aa60fd7b AF	131	- then
6652626c	132	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	133	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	134	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	135	- $IPSEC_POLICY_OUT -j ACCEPT
6652626c	136	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b AF	137	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
aa60fd7b AF	138	- -d $PLUTO_MY_CLIENT $D_MY_PORT \
dc33c23b	139	- $IPSEC_POLICY_IN -j ACCEPT
aa60fd7b	140	- fi
dc33c23b AM	141	#
dc33c23b AM	142	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c	143	# or sometimes host access via the internal IP is needed
aa60fd7b AF	144	- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
aa60fd7b AF	145	- then
6652626c	146	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
aa60fd7b AF	147	- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
aa60fd7b AF	148	- -d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0	149	- $IPSEC_POLICY_IN -j ACCEPT
6652626c	150	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	151	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	152	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	153	- $IPSEC_POLICY_OUT -j ACCEPT
aa60fd7b	154	- fi
db073a10	155	#
d7050fc0 MT	156	# IPIP exception teardown
	157	if [ -n "$PLUTO_IPCOMP" ]
	158	then
	159	- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
d8145673	160	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	161	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	162	fi
	163	#
8077bacb	164	@@ -392,12 +364,24 @@ down-client:iptables)
6652626c AF	165	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	166	then
	167	logger -t $TAG -p $FAC_PRIO -- \
	168	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	169	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	170	else
	171	logger -t $TAG -p $FAC_PRIO -- \
	172	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	173	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	174	fi
	175	fi
8077bacb PM	176	+
	177	+ # Close Firewall for IPinIP + AH + ESP Traffic
	178	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
	179	+ -s $PLUTO_PEER $S_PEER_PORT \
	180	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	181	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
	182	+ -s $PLUTO_PEER $S_PEER_PORT \
	183	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	184	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
	185	+ -s $PLUTO_PEER $S_PEER_PORT \
	186	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	187	+
6652626c	188	;;
8077bacb PM	189	#
	190	# IPv6
	191	@@ -422,10 +406,10 @@ up-host-v6:iptables)
6652626c AF	192	# connection to me, with (left/right)firewall=yes, coming up
	193	# This is used only by the default updown script, not by your custom
	194	# ones, so do not mess with it; see CAUTION comment up at top.
	195	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	196	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	197	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	198	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	199	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	200	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	201	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	202	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	203	#
8077bacb	204	@@ -454,10 +438,10 @@ down-host-v6:iptables)
6652626c AF	205	# connection to me, with (left/right)firewall=yes, going down
	206	# This is used only by the default updown script, not by your custom
	207	# ones, so do not mess with it; see CAUTION comment up at top.
	208	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	209	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	210	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	211	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	212	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	213	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	214	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	215	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	216	#
8077bacb	217	@@ -487,10 +471,10 @@ up-client-v6:iptables)
6652626c AF	218	# ones, so do not mess with it; see CAUTION comment up at top.
	219	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	220	then
	221	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	222	+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	223	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	224	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	225	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	226	+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	227	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	228	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	229	fi
8077bacb	230	@@ -499,10 +483,10 @@ up-client-v6:iptables)
6652626c AF	231	# or sometimes host access via the internal IP is needed
	232	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	233	then
	234	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	235	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	236	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	237	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	238	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	239	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	240	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	241	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	242	fi
8077bacb	243	@@ -535,11 +519,11 @@ down-client-v6:iptables)
6652626c AF	244	# ones, so do not mess with it; see CAUTION comment up at top.
	245	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	246	then
	247	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	248	+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	249	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	250	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	251	$IPSEC_POLICY_OUT -j ACCEPT
	252	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	253	+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	254	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	255	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	256	$IPSEC_POLICY_IN -j ACCEPT
8077bacb	257	@@ -549,11 +533,11 @@ down-client-v6:iptables)
6652626c AF	258	# or sometimes host access via the internal IP is needed
	259	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	260	then
	261	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	262	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	263	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	264	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	265	$IPSEC_POLICY_IN -j ACCEPT
	266	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	267	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	268	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	269	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	270	$IPSEC_POLICY_OUT -j ACCEPT