strongswan: Use --wait option for iptables commands
1--- strongswan-5.3.0/src/_updown/_updown.in.old 2015-03-17 18:17:43.000000000 +0000
2+++ strongswan-5.3.0/src/_updown/_updown.in 2015-03-30 22:48:27.084030719 +0000
3@@ -122,6 +122,29 @@
4 # address family.
5 #
6
7+function ip_encode() {
8+ local IFS=.
9+
10+ local int=0
11+ for field in $1; do
12+ int=$(( $(( $int << 8 )) | $field ))
13+ done
14+
15+ echo $int
16+}
17+
18+function ip_in_subnet() {
19+ local netmask
20+ netmask=$(_netmask $2)
21+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
22+}
23+
24+function _netmask() {
25+ local vlsm
26+ vlsm=${1#*/}
27+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
28+}
29+
30 # define a minimum PATH environment in case it is not set
31 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
32 export PATH
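Review bot: `_netmask` assumes its argument is in CIDR form: `${1#*/}` on a bare address returns the whole address, so `[ $vlsm -eq 0 ]` fails with an "integer expression expected" error and the following arithmetic expansion aborts, leaving `ip_in_subnet` to compare against an empty mask. strongSwan appears to hand over `PLUTO_MY_CLIENT` with a prefix (the `"$PLUTO_PEER/32"` comparisons later in the script suggest so), but a one-line guard at the top of `_netmask` makes the helper safe for any caller: `case "$1" in */*) ;; *) set -- "$1/32" ;; esac`. None of the three helpers checks that octets and prefix are numeric; the values come from local configuration, so a comment stating that assumption (`# inputs are trusted dotted-quad / CIDR strings from strongSwan and IPFire settings`) is enough. `function name()` is a bashism; that is fine if the generated script runs under bash, which the shebang — outside this hunk — decides.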
33@@ -232,12 +255,12 @@
34 # connection to me, with (left/right)firewall=yes, coming up
35 # This is used only by the default updown script, not by your custom
36 # ones, so do not mess with it; see CAUTION comment up at top.
37- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 38+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
39 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
40 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
41- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 42+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 43 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
44- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
45+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c 46 #
47 # allow IPIP traffic because of the implicit SA created by the kernel if
48 # IPComp is used (for small inbound packets that are not compressed)
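Review bot: The OUTPUT rule now ends in `-j MARK --set-mark 50`, a non-terminating target, so this rule no longer accepts anything by itself: the packet continues through IPSECOUTPUT and whatever follows, and acceptance depends on a rule elsewhere that matches mark 50. That contract is invisible here and should be stated above the rule, e.g. `# MARK only tags the packet; the firewall's mark-50 rule decides whether it passes`, together with why the INPUT rule still ACCEPTs while OUTPUT does not. `--wait` with no argument blocks until the xtables lock is free, so if another process holds it the updown callback stalls for as long as that takes, which presumably ties up a charon worker. If the installed iptables accepts a timeout argument (`--wait 10`), that bounds the stall and turns a hang into a logged failure.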
df5fbff5 49@@ -253,10 +276,10 @@
50 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
51 then
52 logger -t $TAG -p $FAC_PRIO \
53- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
54+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
55 else
56 logger -t $TAG -p $FAC_PRIO \
57- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
58+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
59 fi
60 fi
61 ;;
df5fbff5 62@@ -264,12 +287,12 @@
63 # connection to me, with (left/right)firewall=yes, going down
64 # This is used only by the default updown script, not by your custom
65 # ones, so do not mess with it; see CAUTION comment up at top.
66- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 67+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
68 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
69 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
70- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 71+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 72 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
73- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
74+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c 75 #
76 # IPIP exception teardown
77 if [ -n "$PLUTO_IPCOMP" ]
df5fbff5 78@@ -284,10 +307,10 @@
79 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
80 then
81 logger -t $TAG -p $FAC_PRIO -- \
82- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
83+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
84 else
85 logger -t $TAG -p $FAC_PRIO -- \
86- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
87+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
88 fi
89 fi
90 ;;
df5fbff5 91@@ -297,24 +320,24 @@
92 # ones, so do not mess with it; see CAUTION comment up at top.
93 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
94 then
95- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 96+ iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 97 -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10 98- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c 99- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10 100+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
d8145673 101+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c 102 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
103- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
104+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
6652626c 105 fi
106 #
107 # a virtual IP requires an INPUT and OUTPUT rule on the host
108 # or sometimes host access via the internal IP is needed
109 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
110 then
111- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 112+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c 113 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
d7050fc0 114- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
6652626c 115- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d7050fc0 116+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
d8145673 117+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 118 -s $PLUTO_MY_CLIENT $S_MY_PORT \
119- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
120+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c 121 fi
db073a10 122 #
d7050fc0 123 # allow IPIP traffic because of the implicit SA created by the kernel if
df5fbff5 124@@ -322,7 +345,7 @@
125 # INPUT is correct here even for forwarded traffic.
126 if [ -n "$PLUTO_IPCOMP" ]
127 then
128- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
d8145673 129+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
130 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
131 fi
132 #
df5fbff5 133@@ -332,12 +355,51 @@
134 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
135 then
136 logger -t $TAG -p $FAC_PRIO \
137- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
138+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
139 else
140 logger -t $TAG -p $FAC_PRIO \
141- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
142+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
143 fi
144 fi
145+
146+ #
50a488f4 147+ # Open Firewall for IPinIP + AH + ESP Traffic
d8145673 148+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
149+ -s $PLUTO_PEER $S_PEER_PORT \
150+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 151+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
152+ -s $PLUTO_PEER $S_PEER_PORT \
153+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 154+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
155+ -s $PLUTO_PEER $S_PEER_PORT \
156+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
157+ if [ $VPN_LOGGING ]
158+ then
159+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b 160+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c 161+ fi
162+
163+ # Add source nat so also the gateway can access the other nets
164+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
165+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
166+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
167+ if [ $? -eq 0 ]; then
168+ src=${_src}
169+ break
170+ fi
171+ done
172+
173+ if [ -n "${src}" ]; then
d8145673 174+ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
175+ logger -t $TAG -p $FAC_PRIO \
176+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
177+ else
178+ logger -t $TAG -p $FAC_PRIO \
179+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
180+ fi
6652626c 181+
182+ # Flush routing cache
183+ ip route flush cache
184 ;;
185 down-client:iptables)
186 # connection to client subnet, with (left/right)firewall=yes, going down
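Review bot: The first of the three "Open Firewall" rules uses `-p IP`, which iptables resolves through /etc/protocols (`ip 0 IP`) to protocol number 0, and protocol 0 in a rule means "all protocols" — so this ACCEPT admits any traffic from `$PLUTO_PEER` to `$PLUTO_ME` on the interface, not just IP-in-IP as the comment says, and anyone able to spoof the peer's source address reaches every local service ahead of the firewall. Protocol 4 is what the IPComp exception earlier in this script uses for IP-in-IP, so the rule should read `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \` (and the matching `-D` in the down-client branch must change identically, or the rule is never removed). `src` is never cleared before the `for _src` loop, so a value inherited from the environment or set earlier in the script satisfies `[ -n "${src}" ]` and the SNAT rule gets a wrong source address; add `src=` before the loop. `eval $(readhash ...)` executes the settings file as shell, which is acceptable only while that file is root-owned and written by trusted code — not verifiable from here. The enclosing `up-client:iptables)` arm begins before this hunk.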
df5fbff5 187@@ -345,34 +407,34 @@
188 # ones, so do not mess with it; see CAUTION comment up at top.
189 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
190 then
191- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 192+ iptables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
193 -s $PLUTO_MY_CLIENT $S_MY_PORT \
194 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10 195- $IPSEC_POLICY_OUT -j ACCEPT
6652626c 196- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10 197+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
d8145673 198+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
199 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
200 -d $PLUTO_MY_CLIENT $D_MY_PORT \
201- $IPSEC_POLICY_IN -j ACCEPT
202+ $IPSEC_POLICY_IN -j RETURN
203 fi
204 #
205 # a virtual IP requires an INPUT and OUTPUT rule on the host
206 # or sometimes host access via the internal IP is needed
207 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
208 then
209- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 210+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
211 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
212 -d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0 213- $IPSEC_POLICY_IN -j ACCEPT
6652626c 214- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d7050fc0 215+ $IPSEC_POLICY_IN -j RETURN
d8145673 216+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
217 -s $PLUTO_MY_CLIENT $S_MY_PORT \
218 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
219- $IPSEC_POLICY_OUT -j ACCEPT
220+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
221 fi
222 #
223 # IPIP exception teardown
224 if [ -n "$PLUTO_IPCOMP" ]
225 then
226- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
d8145673 227+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
228 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
229 fi
230 #
df5fbff5 231@@ -382,12 +444,51 @@
232 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
233 then
234 logger -t $TAG -p $FAC_PRIO -- \
235- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
236+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
237 else
238 logger -t $TAG -p $FAC_PRIO -- \
239- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
240+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
241 fi
242 fi
243+
244+ #
50a488f4 245+ # Close Firewall for IPinIP + AH + ESP Traffic
d8145673 246+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
247+ -s $PLUTO_PEER $S_PEER_PORT \
248+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 249+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
250+ -s $PLUTO_PEER $S_PEER_PORT \
251+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 252+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
253+ -s $PLUTO_PEER $S_PEER_PORT \
254+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
255+ if [ $VPN_LOGGING ]
256+ then
257+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b 258+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c 259+ fi
260+
261+ # remove source nat
262+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
263+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
264+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
265+ if [ $? -eq 0 ]; then
266+ src=${_src}
267+ break
268+ fi
269+ done
270+
271+ if [ -n "${src}" ]; then
d8145673 272+ iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
273+ logger -t $TAG -p $FAC_PRIO \
274+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
275+ else
276+ logger -t $TAG -p $FAC_PRIO \
277+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
278+ fi
6652626c 279+
280+ # Flush routing cache
281+ ip route flush cache
282 ;;
283 #
284 # IPv6
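Review bot: The teardown recomputes `src` from the current settings file rather than from what was installed, so if a GREEN/BLUE/ORANGE address changed while the tunnel was up the `-D ... --to $src` no longer matches and the SNAT rule survives in IPSECNAT after the tunnel is gone; `src` is also not cleared before the loop (`src=`), so a stale value from the environment would be used. That limitation deserves a comment at the `# remove source nat` line, and the else-branch message could carry `$PLUTO_MY_CLIENT` like its up-side counterpart so the log identifies which tunnel leaked a rule. The three "Close Firewall" `-D` rules must stay byte-for-byte identical to the `-I` rules in the up-client branch; otherwise iptables reports that no matching rule exists and the holes stay open, which nothing here checks or logs.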
df5fbff5 285@@ -412,10 +513,10 @@
286 # connection to me, with (left/right)firewall=yes, coming up
287 # This is used only by the default updown script, not by your custom
288 # ones, so do not mess with it; see CAUTION comment up at top.
289- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 290+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
291 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
292 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
293- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 294+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
295 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
296 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
297 #
df5fbff5 298@@ -436,10 +537,10 @@
299 # connection to me, with (left/right)firewall=yes, going down
300 # This is used only by the default updown script, not by your custom
301 # ones, so do not mess with it; see CAUTION comment up at top.
302- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 303+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
304 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
305 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
306- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 307+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
308 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
309 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
310 #
df5fbff5 311@@ -462,10 +563,10 @@
312 # ones, so do not mess with it; see CAUTION comment up at top.
313 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
314 then
315- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 316+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
317 -s $PLUTO_MY_CLIENT $S_MY_PORT \
318 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
319- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 320+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
321 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
322 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
323 fi
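Review bot: The IPv6 FORWARD rules keep `-j ACCEPT` in both directions while their IPv4 counterparts were changed to `-j MARK --set-mark 50` and `-j RETURN`, so IPv6 tunnel traffic would bypass whatever policy the IPv4 path now defers to the firewall's mark-50 handling. If IPFire deliberately does not police IPv6 here, a comment at the top of the IPv6 branch saying so (`# IPv6: chains are not wired into the IPFire firewall; rules ACCEPT directly`) stops the next reader from "fixing" it; otherwise the two address families should use the same targets. Whether the IPSEC* chains even exist in ip6tables on this system is not visible from the patch.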
df5fbff5 324@@ -474,10 +575,10 @@
325 # or sometimes host access via the internal IP is needed
326 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
327 then
328- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 329+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
330 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
331 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
332- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 333+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
334 -s $PLUTO_MY_CLIENT $S_MY_PORT \
335 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
336 fi
df5fbff5 337@@ -501,11 +602,11 @@
338 # ones, so do not mess with it; see CAUTION comment up at top.
339 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
340 then
341- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 342+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
343 -s $PLUTO_MY_CLIENT $S_MY_PORT \
344 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
345 $IPSEC_POLICY_OUT -j ACCEPT
346- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 347+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
348 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
349 -d $PLUTO_MY_CLIENT $D_MY_PORT \
350 $IPSEC_POLICY_IN -j ACCEPT
df5fbff5 351@@ -515,11 +616,11 @@
352 # or sometimes host access via the internal IP is needed
353 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
354 then
355- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 356+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
357 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
358 -d $PLUTO_MY_CLIENT $D_MY_PORT \
359 $IPSEC_POLICY_IN -j ACCEPT
360- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 361+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
362 -s $PLUTO_MY_CLIENT $S_MY_PORT \
363 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
364 $IPSEC_POLICY_OUT -j ACCEPT