[ipfire-2.x.git] / src / patches / strongswan-ipfire.patch

diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
--- strongswan-5.9.3.org/src/_updown/_updown.in	2020-12-09 19:01:30.000000000 +0100
+++ strongswan-5.9.3/src/_updown/_updown.in	2021-10-25 13:41:23.791826699 +0200
@@ -242,12 +242,9 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
 	# IPComp is used (for small inbound packets that are not compressed)
@@ -263,10 +260,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -274,12 +271,9 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
@@ -294,10 +288,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -307,24 +301,18 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
@@ -332,7 +320,7 @@
 	# INPUT is correct here even for forwarded traffic.
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -342,12 +330,29 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+	fi
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
@@ -355,34 +360,26 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
+	         $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
+	         $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -392,12 +389,29 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+	fi
 	;;
 #
 # IPv6
@@ -422,10 +436,10 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -454,10 +468,10 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -487,10 +501,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -499,10 +513,10 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -535,11 +549,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +563,11 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
80909fb6 AF	1	diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
80909fb6 AF	2	--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
a38c882b AF	3	+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-25 13:41:23.791826699 +0200
a38c882b AF	4	@@ -242,12 +242,9 @@
6652626c AF	5	# connection to me, with (left/right)firewall=yes, coming up
	6	# This is used only by the default updown script, not by your custom
	7	# ones, so do not mess with it; see CAUTION comment up at top.
	8	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	9	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	10	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	11	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	12	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	13	- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10	14	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	15	#
d7050fc0 MT	16	# allow IPIP traffic because of the implicit SA created by the kernel if
d7050fc0 MT	17	# IPComp is used (for small inbound packets that are not compressed)
a38c882b	18	@@ -263,10 +260,10 @@
6652626c AF	19	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	20	then
	21	logger -t $TAG -p $FAC_PRIO \
	22	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	23	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	24	else
	25	logger -t $TAG -p $FAC_PRIO \
	26	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	27	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	28	fi
	29	fi
	30	;;
a38c882b	31	@@ -274,12 +271,9 @@
6652626c AF	32	# connection to me, with (left/right)firewall=yes, going down
	33	# This is used only by the default updown script, not by your custom
	34	# ones, so do not mess with it; see CAUTION comment up at top.
	35	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	36	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	37	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	38	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	39	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	40	- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10	41	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
6652626c	42	#
d7050fc0 MT	43	# IPIP exception teardown
d7050fc0 MT	44	if [ -n "$PLUTO_IPCOMP" ]
a38c882b	45	@@ -294,10 +288,10 @@
6652626c AF	46	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	47	then
	48	logger -t $TAG -p $FAC_PRIO -- \
	49	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	50	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	51	else
	52	logger -t $TAG -p $FAC_PRIO -- \
	53	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	54	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	55	fi
	56	fi
	57	;;
a38c882b	58	@@ -307,24 +301,18 @@
6652626c AF	59	# ones, so do not mess with it; see CAUTION comment up at top.
	60	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	61	then
	62	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	63	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	64	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c	65	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	66	+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c	67	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
dc33c23b	68	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
a38c882b	69	+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
6652626c	70	fi
dc33c23b AM	71	#
dc33c23b AM	72	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c AF	73	# or sometimes host access via the internal IP is needed
	74	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	75	then
	76	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	77	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c	78	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
d7050fc0	79	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
6652626c	80	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b	81	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	82	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
a38c882b	83	+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
6652626c	84	fi
db073a10	85	#
d7050fc0	86	# allow IPIP traffic because of the implicit SA created by the kernel if
a38c882b	87	@@ -332,7 +320,7 @@
d7050fc0 MT	88	# INPUT is correct here even for forwarded traffic.
	89	if [ -n "$PLUTO_IPCOMP" ]
	90	then
	91	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
d8145673	92	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	93	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	94	fi
	95	#
a38c882b	96	@@ -342,12 +330,29 @@
6652626c AF	97	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	98	then
	99	logger -t $TAG -p $FAC_PRIO \
	100	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	101	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	102	else
	103	logger -t $TAG -p $FAC_PRIO \
	104	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	105	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	106	fi
	107	fi
	108	+
	109	+ #
50a488f4	110	+ # Open Firewall for IPinIP + AH + ESP Traffic
d8145673	111	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
50a488f4 AF	112	+ -s $PLUTO_PEER $S_PEER_PORT \
50a488f4 AF	113	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	114	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
db073a10 AF	115	+ -s $PLUTO_PEER $S_PEER_PORT \
db073a10 AF	116	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	117	+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
6652626c AF	118	+ -s $PLUTO_PEER $S_PEER_PORT \
6652626c AF	119	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	120	+ if [ $VPN_LOGGING ]
	121	+ then
	122	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	123	+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c	124	+ fi
6652626c AF	125	;;
	126	down-client:iptables)
	127	# connection to client subnet, with (left/right)firewall=yes, going down
a38c882b	128	@@ -355,34 +360,26 @@
6652626c AF	129	# ones, so do not mess with it; see CAUTION comment up at top.
	130	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	131	then
	132	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	133	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	134	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	135	- $IPSEC_POLICY_OUT -j ACCEPT
6652626c	136	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	137	+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	138	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
6652626c AF	139	-d $PLUTO_MY_CLIENT $D_MY_PORT \
dc33c23b AM	140	- $IPSEC_POLICY_IN -j ACCEPT
	141	+ $IPSEC_POLICY_IN -j RETURN
	142	fi
	143	#
	144	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c AF	145	# or sometimes host access via the internal IP is needed
	146	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	147	then
	148	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	149	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	150	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
6652626c AF	151	-d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0	152	- $IPSEC_POLICY_IN -j ACCEPT
6652626c	153	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
a38c882b AF	154	- -s $PLUTO_MY_CLIENT $S_MY_PORT \
a38c882b AF	155	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	156	- $IPSEC_POLICY_OUT -j ACCEPT
a38c882b	157	+ $IPSEC_POLICY_IN -j RETURN
db073a10 AF	158	fi
db073a10 AF	159	#
d7050fc0 MT	160	# IPIP exception teardown
	161	if [ -n "$PLUTO_IPCOMP" ]
	162	then
	163	- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
d8145673	164	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
d7050fc0 MT	165	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	166	fi
	167	#
a38c882b	168	@@ -392,12 +389,29 @@
6652626c AF	169	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	170	then
	171	logger -t $TAG -p $FAC_PRIO -- \
	172	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	173	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	174	else
	175	logger -t $TAG -p $FAC_PRIO -- \
	176	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	177	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	178	fi
	179	fi
	180	+
	181	+ #
50a488f4	182	+ # Close Firewall for IPinIP + AH + ESP Traffic
d8145673	183	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
50a488f4 AF	184	+ -s $PLUTO_PEER $S_PEER_PORT \
50a488f4 AF	185	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	186	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
db073a10 AF	187	+ -s $PLUTO_PEER $S_PEER_PORT \
db073a10 AF	188	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673	189	+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
6652626c AF	190	+ -s $PLUTO_PEER $S_PEER_PORT \
6652626c AF	191	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	192	+ if [ $VPN_LOGGING ]
	193	+ then
	194	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	195	+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c	196	+ fi
6652626c AF	197	;;
	198	#
	199	# IPv6
a38c882b	200	@@ -422,10 +436,10 @@
6652626c AF	201	# connection to me, with (left/right)firewall=yes, coming up
	202	# This is used only by the default updown script, not by your custom
	203	# ones, so do not mess with it; see CAUTION comment up at top.
	204	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	205	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	206	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	207	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	208	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	209	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	210	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	211	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	212	#
a38c882b	213	@@ -454,10 +468,10 @@
6652626c AF	214	# connection to me, with (left/right)firewall=yes, going down
	215	# This is used only by the default updown script, not by your custom
	216	# ones, so do not mess with it; see CAUTION comment up at top.
	217	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	218	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	219	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	220	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	221	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	222	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	223	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	224	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	225	#
a38c882b	226	@@ -487,10 +501,10 @@
6652626c AF	227	# ones, so do not mess with it; see CAUTION comment up at top.
	228	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	229	then
	230	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	231	+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	232	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	233	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	234	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	235	+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	236	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	237	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	238	fi
a38c882b	239	@@ -499,10 +513,10 @@
6652626c AF	240	# or sometimes host access via the internal IP is needed
	241	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	242	then
	243	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	244	+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	245	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	246	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	247	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	248	+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	249	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	250	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	251	fi
a38c882b	252	@@ -535,11 +549,11 @@
6652626c AF	253	# ones, so do not mess with it; see CAUTION comment up at top.
	254	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	255	then
	256	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	257	+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	258	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	259	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	260	$IPSEC_POLICY_OUT -j ACCEPT
	261	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	262	+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	263	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	264	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	265	$IPSEC_POLICY_IN -j ACCEPT
a38c882b	266	@@ -549,11 +563,11 @@
6652626c AF	267	# or sometimes host access via the internal IP is needed
	268	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	269	then
	270	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673	271	+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	272	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	273	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	274	$IPSEC_POLICY_IN -j ACCEPT
	275	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673	276	+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	277	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	278	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	279	$IPSEC_POLICY_OUT -j ACCEPT