80909fb6 AF |
1 | diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in |
2 | --- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100 | |
a38c882b AF |
3 | +++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-25 13:41:23.791826699 +0200 |
4 | @@ -242,12 +242,9 @@ | |
6652626c AF |
5 | # connection to me, with (left/right)firewall=yes, coming up |
6 | # This is used only by the default updown script, not by your custom | |
7 | # ones, so do not mess with it; see CAUTION comment up at top. | |
8 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 9 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
10 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
11 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
12 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
a38c882b | 13 | - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
db073a10 | 14 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
6652626c | 15 | # |
d7050fc0 MT |
16 | # allow IPIP traffic because of the implicit SA created by the kernel if |
17 | # IPComp is used (for small inbound packets that are not compressed) | |
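Review bot: The rule at line 9 of the patch is now inserted into a custom chain, IPSECINPUT, and nothing in the script verifies that the chain exists; if the host firewall has not created it, `iptables -I` fails with "No chain/target/match by that name" and, since the exit status of the updown call does not appear to stop the SA (inferred, the caller is outside this file), the tunnel comes up without its firewall rule. The same dependency is introduced by every other hunk that names IPSECINPUT, IPSECFORWARD or IPSECOUTPUT. A guard near the top of the script (outside this hunk), e.g. `iptables --wait -S IPSECINPUT >/dev/null 2>&1 || { logger -t $TAG -p $FAC_PRIO "chain IPSECINPUT missing"; exit 1; }` for each chain used, would make the failure loud instead of silent. `--wait` also raises the minimum iptables version to one that knows the option; a comment at the first use, `# --wait: serialise with other xtables users (needs iptables 1.4.20+)`, would document that.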
a38c882b | 18 | @@ -263,10 +260,10 @@ |
6652626c AF |
19 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
20 | then | |
21 | logger -t $TAG -p $FAC_PRIO \ | |
22 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
23 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
24 | else | |
25 | logger -t $TAG -p $FAC_PRIO \ | |
26 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
27 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
28 | fi | |
29 | fi | |
30 | ;; | |
a38c882b | 31 | @@ -274,12 +271,9 @@ |
6652626c AF |
32 | # connection to me, with (left/right)firewall=yes, going down |
33 | # This is used only by the default updown script, not by your custom | |
34 | # ones, so do not mess with it; see CAUTION comment up at top. | |
35 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 36 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
37 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
38 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
39 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
a38c882b | 40 | - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
db073a10 | 41 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT |
6652626c | 42 | # |
d7050fc0 MT |
43 | # IPIP exception teardown |
44 | if [ -n "$PLUTO_IPCOMP" ] | |
a38c882b | 45 | @@ -294,10 +288,10 @@ |
6652626c AF |
46 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
47 | then | |
48 | logger -t $TAG -p $FAC_PRIO -- \ | |
49 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
50 | + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
51 | else | |
52 | logger -t $TAG -p $FAC_PRIO -- \ | |
53 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
54 | + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
55 | fi | |
56 | fi | |
57 | ;; | |
a38c882b | 58 | @@ -307,24 +301,18 @@ |
6652626c AF |
59 | # ones, so do not mess with it; see CAUTION comment up at top. |
60 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
61 | then | |
62 | - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
a38c882b | 63 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
db073a10 | 64 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 65 | - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
d8145673 | 66 | + iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c | 67 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
dc33c23b | 68 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
a38c882b | 69 | + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN |
6652626c | 70 | fi |
dc33c23b AM |
71 | # |
72 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
6652626c AF |
73 | # or sometimes host access via the internal IP is needed |
74 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
75 | then | |
76 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 77 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c | 78 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
d7050fc0 | 79 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 80 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
a38c882b | 81 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
db073a10 | 82 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
a38c882b | 83 | + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN |
6652626c | 84 | fi |
db073a10 | 85 | # |
d7050fc0 | 86 | # allow IPIP traffic because of the implicit SA created by the kernel if |
a38c882b | 87 | @@ -332,7 +320,7 @@ |
d7050fc0 MT |
88 | # INPUT is correct here even for forwarded traffic. |
89 | if [ -n "$PLUTO_IPCOMP" ] | |
90 | then | |
91 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ | |
d8145673 | 92 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \ |
d7050fc0 MT |
93 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT |
94 | fi | |
95 | # | |
a38c882b | 96 | @@ -342,12 +330,29 @@ |
6652626c AF |
97 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
98 | then | |
99 | logger -t $TAG -p $FAC_PRIO \ | |
100 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
101 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
102 | else | |
103 | logger -t $TAG -p $FAC_PRIO \ | |
104 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
105 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
106 | fi | |
107 | fi | |
108 | + | |
109 | + # | |
50a488f4 | 110 | + # Open Firewall for IPinIP + AH + ESP Traffic |
d8145673 | 111 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ |
50a488f4 AF |
112 | + -s $PLUTO_PEER $S_PEER_PORT \ |
113 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 114 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ |
db073a10 AF |
115 | + -s $PLUTO_PEER $S_PEER_PORT \ |
116 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 117 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ |
6652626c AF |
118 | + -s $PLUTO_PEER $S_PEER_PORT \ |
119 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
120 | + if [ $VPN_LOGGING ] |
121 | + then | |
122 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 123 | + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 124 | + fi |
6652626c AF |
125 | ;; |
126 | down-client:iptables) | |
127 | # connection to client subnet, with (left/right)firewall=yes, going down | |
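Review bot: The new ACCEPT rule at line 111 uses `-p IP`, which on a Linux host resolves through /etc/protocols to protocol 0, and iptables treats protocol 0 as "all"; the rule therefore accepts every protocol from $PLUTO_PEER to $PLUTO_ME, not only IPinIP as the comment says. The IPComp block in this same file uses `-p 4` for IPIP, so `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \` is the consistent form. The three rules also carry `$S_PEER_PORT` and `$D_MY_PORT`; if those expand to `--sport`/`--dport` as in the rest of the script (their definition is outside this hunk), iptables rejects them for IPIP, AH and ESP, so the rules silently fail to install exactly when the connection has a port selector, and they should be dropped here. The matching teardown in `@@ -392,12 +389,29 @@` has the same two issues and must stay identical to this block or the `-D` will not find the rule; note also that no IPv6 counterpart of this block exists.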
a38c882b | 128 | @@ -355,34 +360,26 @@ |
6652626c AF |
129 | # ones, so do not mess with it; see CAUTION comment up at top. |
130 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] | |
131 | then | |
132 | - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
a38c882b AF |
133 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
134 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 135 | - $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 136 | - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
d8145673 | 137 | + iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
138 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
139 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
dc33c23b AM |
140 | - $IPSEC_POLICY_IN -j ACCEPT |
141 | + $IPSEC_POLICY_IN -j RETURN | |
142 | fi | |
143 | # | |
144 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
6652626c AF |
145 | # or sometimes host access via the internal IP is needed |
146 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
147 | then | |
148 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 149 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
150 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
151 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
d7050fc0 | 152 | - $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 153 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
a38c882b AF |
154 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
155 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 156 | - $IPSEC_POLICY_OUT -j ACCEPT |
a38c882b | 157 | + $IPSEC_POLICY_IN -j RETURN |
db073a10 AF |
158 | fi |
159 | # | |
d7050fc0 MT |
160 | # IPIP exception teardown |
161 | if [ -n "$PLUTO_IPCOMP" ] | |
162 | then | |
163 | - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ | |
d8145673 | 164 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \ |
d7050fc0 MT |
165 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT |
166 | fi | |
167 | # | |
a38c882b | 168 | @@ -392,12 +389,29 @@ |
6652626c AF |
169 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
170 | then | |
171 | logger -t $TAG -p $FAC_PRIO -- \ | |
172 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
173 | + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
174 | else | |
175 | logger -t $TAG -p $FAC_PRIO -- \ | |
176 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
177 | + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
178 | fi | |
179 | fi | |
180 | + | |
181 | + # | |
50a488f4 | 182 | + # Close Firewall for IPinIP + AH + ESP Traffic |
d8145673 | 183 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ |
50a488f4 AF |
184 | + -s $PLUTO_PEER $S_PEER_PORT \ |
185 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 186 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ |
db073a10 AF |
187 | + -s $PLUTO_PEER $S_PEER_PORT \ |
188 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
d8145673 | 189 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ |
6652626c AF |
190 | + -s $PLUTO_PEER $S_PEER_PORT \ |
191 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
6652626c AF |
192 | + if [ $VPN_LOGGING ] |
193 | + then | |
194 | + logger -t $TAG -p $FAC_PRIO \ | |
c4cd0f7b | 195 | + "tunnel- $PLUTO_PEER -- $PLUTO_ME" |
6652626c | 196 | + fi |
6652626c AF |
197 | ;; |
198 | # | |
199 | # IPv6 | |
a38c882b | 200 | @@ -422,10 +436,10 @@ |
6652626c AF |
201 | # connection to me, with (left/right)firewall=yes, coming up |
202 | # This is used only by the default updown script, not by your custom | |
203 | # ones, so do not mess with it; see CAUTION comment up at top. | |
204 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 205 | + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
206 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
207 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
208 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 209 | + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
210 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
211 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
212 | # | |
a38c882b | 213 | @@ -454,10 +468,10 @@ |
6652626c AF |
214 | # connection to me, with (left/right)firewall=yes, going down |
215 | # This is used only by the default updown script, not by your custom | |
216 | # ones, so do not mess with it; see CAUTION comment up at top. | |
217 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 218 | + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
219 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
220 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
221 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 222 | + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
223 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
224 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
225 | # | |
a38c882b | 226 | @@ -487,10 +501,10 @@ |
6652626c AF |
227 | # ones, so do not mess with it; see CAUTION comment up at top. |
228 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
229 | then | |
230 | - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 231 | + ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
232 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
233 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
234 | - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 235 | + ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
236 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
237 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
238 | fi | |
a38c882b | 239 | @@ -499,10 +513,10 @@ |
6652626c AF |
240 | # or sometimes host access via the internal IP is needed |
241 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
242 | then | |
243 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 244 | + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
245 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
246 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
247 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 248 | + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
249 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
250 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
251 | fi | |
a38c882b | 252 | @@ -535,11 +549,11 @@ |
6652626c AF |
253 | # ones, so do not mess with it; see CAUTION comment up at top. |
254 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
255 | then | |
256 | - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 257 | + ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
258 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
259 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
260 | $IPSEC_POLICY_OUT -j ACCEPT | |
261 | - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 262 | + ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
263 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
264 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
265 | $IPSEC_POLICY_IN -j ACCEPT | |
a38c882b | 266 | @@ -549,11 +563,11 @@ |
6652626c AF |
267 | # or sometimes host access via the internal IP is needed |
268 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
269 | then | |
270 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 271 | + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
272 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
273 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
274 | $IPSEC_POLICY_IN -j ACCEPT | |
275 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 276 | + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
277 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
278 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
279 | $IPSEC_POLICY_OUT -j ACCEPT |