strongswan: Manually install all routes for non-routed VPNs
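--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100
+++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100
@@ -130,36 +130,6 @@
 # address family.
 #
 
-VARS=(
- id status name lefthost type ctype psk local local_id leftsubnets
- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
- route x23 mode interface_mode interface_address interface_mtu rest
-)
-
-function ip_encode() {
- local IFS=.
-
- local int=0
- for field in $1; do
- int=$(( $(( $int << 8 )) | $field ))
- done
-
- echo $int
-}
-
-function ip_in_subnet() {
- local netmask
- netmask=$(_netmask $2)
- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
-}
-
-function _netmask() {
- local vlsm
- vlsm=${1#*/}
- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
-}
-
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
 export PATH
@@ -326,13 +296,6 @@
 fi
 ;;
 up-client:iptables)
- # Read IPsec configuration
- while IFS="," read -r "${VARS[@]}"; do
- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
- break
- fi
- done < /var/ipfire/vpn/config
-
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
@@ -396,30 +359,6 @@
 logger -t $TAG -p $FAC_PRIO \
 "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
 fi
-
- if [ -z "${interface_mode}" ]; then
- # Add source nat so also the gateway can access the other nets
- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
- if [ $? -eq 0 ]; then
- src=${_src}
- break
- fi
- done
-
- if [ -n "${src}" ]; then
- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
- logger -t $TAG -p $FAC_PRIO \
- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
- else
- logger -t $TAG -p $FAC_PRIO \
- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
- fi
- fi
-
- # Flush routing cache
- ip route flush cache
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
@@ -487,28 +426,6 @@
 logger -t $TAG -p $FAC_PRIO \
 "tunnel- $PLUTO_PEER -- $PLUTO_ME"
 fi
-
- # remove source nat
- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
- if [ $? -eq 0 ]; then
- src=${_src}
- break
- fi
- done
-
- if [ -n "${src}" ]; then
- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
- logger -t $TAG -p $FAC_PRIO \
- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
- else
- logger -t $TAG -p $FAC_PRIO \
- "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
- fi
-
- # Flush routing cache
- ip route flush cache
 ;;
 #
 # IPv6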