8077bacb PM |
1 | commit b439f74361d393bcb85109b6c41a905cf613a296 |
2 | Author: Peter Müller <peter.mueller@ipfire.org> | |
3 | Date: Wed May 18 17:46:57 2022 +0000 | |
28f659f7 MT |
4 | |
5 | IPFire modifications to _updown script | |
6 | ||
8077bacb | 7 | Signed-off-by: Peter Müller <peter.mueller@ipfire.org> |
28f659f7 MT |
8 | |
9 | diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in | |
8077bacb | 10 | index 34eaf68c7..9ed387a0a 100644 |
28f659f7 MT |
11 | --- a/src/_updown/_updown.in |
12 | +++ b/src/_updown/_updown.in | |
13 | @@ -242,10 +242,10 @@ up-host:iptables) | |
6652626c AF |
14 | # connection to me, with (left/right)firewall=yes, coming up |
15 | # This is used only by the default updown script, not by your custom | |
16 | # ones, so do not mess with it; see CAUTION comment up at top. | |
17 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 18 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
19 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
20 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
21 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
28f659f7 MT |
22 | + iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
23 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
24 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
6652626c | 25 | # |
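Review bot: The rewritten rules insert into custom chains `IPSECINPUT` and `IPSECOUTPUT` (the IPv6 hunks below additionally use `IPSECFORWARD`) that nothing in this script creates or checks for; if a chain is absent, `iptables -I` fails and the SA comes up without its accept rule, silently, because the exit status is never examined. A one-line comment above the first rule would record that dependency, for example `# IPSECINPUT/IPSECOUTPUT/IPSECFORWARD must already exist (created by the IPFire firewall setup, not by this script)`, with the wording adjusted to where the chains actually come from. The `up-host:iptables` case starts before this hunk.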
28f659f7 | 26 | @@ -263,10 +263,10 @@ up-host:iptables) |
6652626c AF |
27 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
28 | then | |
29 | logger -t $TAG -p $FAC_PRIO \ | |
30 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
31 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
32 | else | |
33 | logger -t $TAG -p $FAC_PRIO \ | |
34 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
35 | + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
36 | fi | |
37 | fi | |
38 | ;; | |
28f659f7 | 39 | @@ -274,10 +274,10 @@ down-host:iptables) |
6652626c AF |
40 | # connection to me, with (left/right)firewall=yes, going down |
41 | # This is used only by the default updown script, not by your custom | |
42 | # ones, so do not mess with it; see CAUTION comment up at top. | |
43 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 44 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
45 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
46 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
47 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
28f659f7 MT |
48 | + iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
49 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ | |
50 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
6652626c | 51 | # |
28f659f7 | 52 | @@ -294,10 +294,10 @@ down-host:iptables) |
6652626c AF |
53 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
54 | then | |
55 | logger -t $TAG -p $FAC_PRIO -- \ | |
56 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
57 | + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" | |
58 | else | |
59 | logger -t $TAG -p $FAC_PRIO -- \ | |
60 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
61 | + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" | |
62 | fi | |
63 | fi | |
64 | ;; | |
28f659f7 | 65 | @@ -305,34 +305,16 @@ up-client:iptables) |
aa60fd7b AF |
66 | # connection to client subnet, with (left/right)firewall=yes, coming up |
67 | # This is used only by the default updown script, not by your custom | |
6652626c | 68 | # ones, so do not mess with it; see CAUTION comment up at top. |
aa60fd7b AF |
69 | - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] |
70 | - then | |
6652626c | 71 | - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
a38c882b | 72 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
db073a10 | 73 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 74 | - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
aa60fd7b | 75 | - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
dc33c23b | 76 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
aa60fd7b | 77 | - fi |
dc33c23b AM |
78 | # |
79 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
6652626c | 80 | # or sometimes host access via the internal IP is needed |
aa60fd7b AF |
81 | - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] |
82 | - then | |
6652626c | 83 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
aa60fd7b | 84 | - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
d7050fc0 | 85 | - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 86 | - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
a38c882b | 87 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
db073a10 | 88 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT |
aa60fd7b | 89 | - fi |
db073a10 | 90 | # |
d7050fc0 | 91 | # allow IPIP traffic because of the implicit SA created by the kernel if |
aa60fd7b | 92 | # IPComp is used (for small inbound packets that are not compressed). |
d7050fc0 MT |
93 | # INPUT is correct here even for forwarded traffic. |
94 | if [ -n "$PLUTO_IPCOMP" ] | |
95 | then | |
96 | - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ | |
d8145673 | 97 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \ |
d7050fc0 MT |
98 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT |
99 | fi | |
100 | # | |
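Review bot: The comment pair `# a virtual IP requires an INPUT and OUTPUT rule on the host` / `# or sometimes host access via the internal IP is needed` is kept while the `if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]` block it describes is deleted, so it now documents rules that no longer exist; either drop those two lines or replace them with a comment stating where IPv4 forwarding and virtual-IP host access are handled instead. The removal of the FORWARD and virtual-IP rules is IPv4-only — the `up-client-v6`/`down-client-v6` hunks below keep their equivalents on `IPSECFORWARD`/`IPSECINPUT` — so if that asymmetry is deliberate it is worth saying in the same comment. The identical stale comment also survives in the `down-client` part of the next hunk. The `up-client:iptables` case starts before this hunk.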
8077bacb | 101 | @@ -342,47 +324,37 @@ up-client:iptables) |
6652626c AF |
102 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
103 | then | |
104 | logger -t $TAG -p $FAC_PRIO \ | |
105 | - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
106 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
107 | else | |
108 | logger -t $TAG -p $FAC_PRIO \ | |
109 | - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
110 | + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
111 | fi | |
112 | fi | |
8077bacb PM |
113 | + |
114 | + # Open Firewall for IPinIP + AH + ESP Traffic | |
115 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \ | |
116 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
117 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
118 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ | |
119 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
120 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
121 | + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ | |
122 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
123 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
124 | + | |
6652626c | 125 | ;; |
8077bacb | 126 | down-client:iptables) |
6652626c | 127 | # connection to client subnet, with (left/right)firewall=yes, going down |
aa60fd7b | 128 | # This is used only by the default updown script, not by your custom |
6652626c | 129 | # ones, so do not mess with it; see CAUTION comment up at top. |
aa60fd7b AF |
130 | - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] |
131 | - then | |
6652626c | 132 | - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
a38c882b AF |
133 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
134 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 135 | - $IPSEC_POLICY_OUT -j ACCEPT |
6652626c | 136 | - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
aa60fd7b AF |
137 | - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
138 | - -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
dc33c23b | 139 | - $IPSEC_POLICY_IN -j ACCEPT |
aa60fd7b | 140 | - fi |
dc33c23b AM |
141 | # |
142 | # a virtual IP requires an INPUT and OUTPUT rule on the host | |
6652626c | 143 | # or sometimes host access via the internal IP is needed |
aa60fd7b AF |
144 | - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] |
145 | - then | |
6652626c | 146 | - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
aa60fd7b AF |
147 | - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
148 | - -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
d7050fc0 | 149 | - $IPSEC_POLICY_IN -j ACCEPT |
6652626c | 150 | - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
a38c882b AF |
151 | - -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
152 | - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
db073a10 | 153 | - $IPSEC_POLICY_OUT -j ACCEPT |
aa60fd7b | 154 | - fi |
db073a10 | 155 | # |
d7050fc0 MT |
156 | # IPIP exception teardown |
157 | if [ -n "$PLUTO_IPCOMP" ] | |
158 | then | |
159 | - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ | |
d8145673 | 160 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \ |
d7050fc0 MT |
161 | -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT |
162 | fi | |
163 | # | |
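Review bot: The three new `iptables --wait -I IPSECINPUT 1 ... -p IPIP|AH|ESP` rules carry `$S_PEER_PORT` and `$D_MY_PORT`; those variables are set outside this hunk, and if they expand to `--sport`/`--dport` for a connection with port selectors, iptables will reject the rule because port options are only valid for port-bearing protocols, leaving the SA up without its accept rule. Writing the match as `-s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT` without the port variables avoids that. Separately, the `-p IPIP` rule accepts protocol 4 from `$PLUTO_PEER` with no `$IPSEC_POLICY_IN` match, whereas the existing IPComp exception in the preceding hunk only admits IPIP that carries the IPsec policy mark; if plain IPIP from the peer is not intended, add the policy match or gate the rule on `$PLUTO_IPCOMP` as that exception does. The mirrored `-D` rules in the `down-client` hunk below must change in step, and the `up-client`/`down-client` cases extend beyond this hunk.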
8077bacb | 164 | @@ -392,12 +364,24 @@ down-client:iptables) |
6652626c AF |
165 | if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] |
166 | then | |
167 | logger -t $TAG -p $FAC_PRIO -- \ | |
168 | - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
169 | + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
170 | else | |
171 | logger -t $TAG -p $FAC_PRIO -- \ | |
172 | - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
173 | + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" | |
174 | fi | |
175 | fi | |
8077bacb PM |
176 | + |
177 | + # Close Firewall for IPinIP + AH + ESP Traffic | |
178 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \ | |
179 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
180 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
181 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ | |
182 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
183 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
184 | + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ | |
185 | + -s $PLUTO_PEER $S_PEER_PORT \ | |
186 | + -d $PLUTO_ME $D_MY_PORT -j ACCEPT | |
187 | + | |
6652626c | 188 | ;; |
8077bacb PM |
189 | # |
190 | # IPv6 | |
191 | @@ -422,10 +406,10 @@ up-host-v6:iptables) | |
6652626c AF |
192 | # connection to me, with (left/right)firewall=yes, coming up |
193 | # This is used only by the default updown script, not by your custom | |
194 | # ones, so do not mess with it; see CAUTION comment up at top. | |
195 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 196 | + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
197 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
198 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
199 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 200 | + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
201 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
202 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
203 | # | |
8077bacb | 204 | @@ -454,10 +438,10 @@ down-host-v6:iptables) |
6652626c AF |
205 | # connection to me, with (left/right)firewall=yes, going down |
206 | # This is used only by the default updown script, not by your custom | |
207 | # ones, so do not mess with it; see CAUTION comment up at top. | |
208 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 209 | + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
210 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
211 | -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
212 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 213 | + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
214 | -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ |
215 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT | |
216 | # | |
8077bacb | 217 | @@ -487,10 +471,10 @@ up-client-v6:iptables) |
6652626c AF |
218 | # ones, so do not mess with it; see CAUTION comment up at top. |
219 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
220 | then | |
221 | - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 222 | + ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
223 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
224 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
225 | - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 226 | + ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
227 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
228 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
229 | fi | |
8077bacb | 230 | @@ -499,10 +483,10 @@ up-client-v6:iptables) |
6652626c AF |
231 | # or sometimes host access via the internal IP is needed |
232 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
233 | then | |
234 | - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 235 | + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
236 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
237 | -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT | |
238 | - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 239 | + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
240 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
241 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT | |
242 | fi | |
8077bacb | 243 | @@ -535,11 +519,11 @@ down-client-v6:iptables) |
6652626c AF |
244 | # ones, so do not mess with it; see CAUTION comment up at top. |
245 | if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] | |
246 | then | |
247 | - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 248 | + ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
249 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
250 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
251 | $IPSEC_POLICY_OUT -j ACCEPT | |
252 | - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 253 | + ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
254 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
255 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
256 | $IPSEC_POLICY_IN -j ACCEPT | |
8077bacb | 257 | @@ -549,11 +533,11 @@ down-client-v6:iptables) |
6652626c AF |
258 | # or sometimes host access via the internal IP is needed |
259 | if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] | |
260 | then | |
261 | - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ | |
d8145673 | 262 | + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ |
6652626c AF |
263 | -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ |
264 | -d $PLUTO_MY_CLIENT $D_MY_PORT \ | |
265 | $IPSEC_POLICY_IN -j ACCEPT | |
266 | - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ | |
d8145673 | 267 | + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ |
6652626c AF |
268 | -s $PLUTO_MY_CLIENT $S_MY_PORT \ |
269 | -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ | |
270 | $IPSEC_POLICY_OUT -j ACCEPT |