suricata: Change midstream policy to "pass-flow"
1 diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
2 --- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
3 +++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-25 17:30:15.669773781 +0200
4 @@ -242,12 +242,9 @@
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
9 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
13 - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
14 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
15 #
16 # allow IPIP traffic because of the implicit SA created by the kernel if
17 # IPComp is used (for small inbound packets that are not compressed)
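Review bot: The IPv4 up-host branch now only re-homes the INPUT rule into IPSECINPUT and drops the OUTPUT accept rule altogether, whereas the IPv6 counterpart of the same case (hunk at L197-L209) keeps its OUTPUT rule and moves it into IPSECOUTPUT; the down-host hunk (L34-L47) removes the matching IPv4 OUTPUT teardown in the same way. If locally generated IPv4 traffic toward the peer is accepted by IPFire's own ruleset, that is not visible from this patch and should be stated where the rule used to be, e.g. `# OUTPUT is not opened here: IPFire's main ruleset accepts outbound IPsec traffic` — otherwise the IPv4 and IPv6 branches should be made symmetric. Note also that `-I IPSECINPUT 1` presupposes the chain already exists; the script's behaviour when `iptables` fails is outside the hunk. The enclosing `case` arm starts before this hunk.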
18 @@ -263,10 +260,10 @@
19 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
20 then
21 logger -t $TAG -p $FAC_PRIO \
22 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
23 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
24 else
25 logger -t $TAG -p $FAC_PRIO \
26 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
27 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
28 fi
29 fi
30 ;;
31 @@ -274,12 +271,9 @@
32 # connection to me, with (left/right)firewall=yes, going down
33 # This is used only by the default updown script, not by your custom
34 # ones, so do not mess with it; see CAUTION comment up at top.
35 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
36 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
37 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
38 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
39 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
40 - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
41 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
42 #
43 # IPIP exception teardown
44 if [ -n "$PLUTO_IPCOMP" ]
45 @@ -294,10 +288,10 @@
46 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
47 then
48 logger -t $TAG -p $FAC_PRIO -- \
49 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
50 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
51 else
52 logger -t $TAG -p $FAC_PRIO -- \
53 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
54 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
55 fi
56 fi
57 ;;
58 @@ -305,34 +299,16 @@
59 # connection to client subnet, with (left/right)firewall=yes, coming up
60 # This is used only by the default updown script, not by your custom
61 # ones, so do not mess with it; see CAUTION comment up at top.
62 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
63 - then
64 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
65 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
66 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
67 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
68 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
69 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
70 - fi
71 #
72 # a virtual IP requires an INPUT and OUTPUT rule on the host
73 # or sometimes host access via the internal IP is needed
74 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
75 - then
76 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
77 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
78 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
79 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
80 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
81 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
82 - fi
83 #
84 # allow IPIP traffic because of the implicit SA created by the kernel if
85 # IPComp is used (for small inbound packets that are not compressed).
86 # INPUT is correct here even for forwarded traffic.
87 if [ -n "$PLUTO_IPCOMP" ]
88 then
89 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
90 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
91 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
92 fi
93 #
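Review bot: This up-client hunk removes both the policy-matched FORWARD pair for the client subnet and the INPUT/OUTPUT pair used for a virtual IP or `PLUTO_HOST_ACCESS`, and the down-client hunk (L97-L164) drops the matching teardown, yet the IPv6 branch (L223-L248) keeps the same rules in IPSECFORWARD/IPSECINPUT/IPSECOUTPUT. Nothing in the patch records where IPv4 tunnel forwarding and virtual-IP host access are accepted instead, so a reader of `_updown` has to guess whether the removal is intentional; add a one-line comment at the removal point such as `# FORWARD/virtual-IP rules are managed by IPFire's firewall, not by this script`. If that assumption does not hold for the `PLUTO_MY_SOURCEIP`/`PLUTO_HOST_ACCESS` case, those rules should be re-added into IPSECINPUT/IPSECOUTPUT as the IPv6 hunks do. The `case` arm continues past the end of this hunk.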
94 @@ -342,47 +318,42 @@
95 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
96 then
97 logger -t $TAG -p $FAC_PRIO \
98 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
99 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
100 else
101 logger -t $TAG -p $FAC_PRIO \
102 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
103 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
104 fi
105 fi
106 +
107 + #
108 + # Open Firewall for IPinIP + AH + ESP Traffic
109 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
110 + -s $PLUTO_PEER $S_PEER_PORT \
111 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
112 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
113 + -s $PLUTO_PEER $S_PEER_PORT \
114 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
115 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
116 + -s $PLUTO_PEER $S_PEER_PORT \
117 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
118 + if [ $VPN_LOGGING ]
119 + then
120 + logger -t $TAG -p $FAC_PRIO \
121 + "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
122 + fi
123 ;;
124 down-client:iptables)
125 # connection to client subnet, with (left/right)firewall=yes, going down
126 # This is used only by the default updown script, not by your custom
127 # ones, so do not mess with it; see CAUTION comment up at top.
128 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
129 - then
130 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
131 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
132 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
133 - $IPSEC_POLICY_OUT -j ACCEPT
134 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
135 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
136 - -d $PLUTO_MY_CLIENT $D_MY_PORT \
137 - $IPSEC_POLICY_IN -j ACCEPT
138 - fi
139 #
140 # a virtual IP requires an INPUT and OUTPUT rule on the host
141 # or sometimes host access via the internal IP is needed
142 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
143 - then
144 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
145 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
146 - -d $PLUTO_MY_CLIENT $D_MY_PORT \
147 - $IPSEC_POLICY_IN -j ACCEPT
148 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
149 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
150 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
151 - $IPSEC_POLICY_OUT -j ACCEPT
152 - fi
153 #
154 # IPIP exception teardown
155 if [ -n "$PLUTO_IPCOMP" ]
156 then
157 - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
158 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
159 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
160 fi
161 #
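Review bot: The new "Open Firewall for IPinIP + AH + ESP Traffic" rules use `-p IP`, which on a standard `/etc/protocols` resolves to protocol 0, and iptables treats protocol 0 as `all`; the first rule therefore accepts every protocol from `$PLUTO_PEER` to `$PLUTO_ME` while the tunnel is up, far wider than the IP-in-IP intent of the comment. The IPComp rule a few lines above (L93) already spells IP-in-IP as `-p 4`, so use the same here. Separately, `$S_PEER_PORT`/`$D_MY_PORT` appear to expand to `--sport`/`--dport` options (they are set outside this hunk), which iptables rejects for AH, ESP and IP-in-IP, so when a port is set these three inserts would fail; drop the port matches from these rules. The down-client teardown at L165-L196 has the identical `-p IP` and port-option problem and must be changed in step, or `-D` will not find the rules.
```shell
	#
	# Open Firewall for IPinIP + AH + ESP Traffic
	# (no port match: IP-in-IP, AH and ESP carry no ports)
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
	    -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
	    -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
	    -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	# … unchanged: VPN_LOGGING "tunnel+" message …
```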
162 @@ -392,12 +363,29 @@
163 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
164 then
165 logger -t $TAG -p $FAC_PRIO -- \
166 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
167 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
168 else
169 logger -t $TAG -p $FAC_PRIO -- \
170 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
171 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
172 fi
173 fi
174 +
175 + #
176 + # Close Firewall for IPinIP + AH + ESP Traffic
177 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
178 + -s $PLUTO_PEER $S_PEER_PORT \
179 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
180 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
181 + -s $PLUTO_PEER $S_PEER_PORT \
182 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
183 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
184 + -s $PLUTO_PEER $S_PEER_PORT \
185 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
186 + if [ $VPN_LOGGING ]
187 + then
188 + logger -t $TAG -p $FAC_PRIO \
189 + "tunnel- $PLUTO_PEER -- $PLUTO_ME"
190 + fi
191 ;;
192 #
193 # IPv6
194 @@ -422,10 +410,10 @@
195 # connection to me, with (left/right)firewall=yes, coming up
196 # This is used only by the default updown script, not by your custom
197 # ones, so do not mess with it; see CAUTION comment up at top.
198 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
199 + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
200 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
201 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
202 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
203 + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
204 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
205 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
206 #
207 @@ -454,10 +442,10 @@
208 # connection to me, with (left/right)firewall=yes, going down
209 # This is used only by the default updown script, not by your custom
210 # ones, so do not mess with it; see CAUTION comment up at top.
211 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
212 + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
213 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
214 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
215 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
216 + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
217 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
218 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
219 #
220 @@ -487,10 +475,10 @@
221 # ones, so do not mess with it; see CAUTION comment up at top.
222 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
223 then
224 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
225 + ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
226 -s $PLUTO_MY_CLIENT $S_MY_PORT \
227 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
228 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
229 + ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
230 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
231 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
232 fi
233 @@ -499,10 +487,10 @@
234 # or sometimes host access via the internal IP is needed
235 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
236 then
237 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
238 + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
239 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
240 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
241 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
242 + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
243 -s $PLUTO_MY_CLIENT $S_MY_PORT \
244 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
245 fi
246 @@ -535,11 +523,11 @@
247 # ones, so do not mess with it; see CAUTION comment up at top.
248 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
249 then
250 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
251 + ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
252 -s $PLUTO_MY_CLIENT $S_MY_PORT \
253 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
254 $IPSEC_POLICY_OUT -j ACCEPT
255 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
256 + ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
257 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
258 -d $PLUTO_MY_CLIENT $D_MY_PORT \
259 $IPSEC_POLICY_IN -j ACCEPT
260 @@ -549,11 +537,11 @@
261 # or sometimes host access via the internal IP is needed
262 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
263 then
264 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
265 + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
266 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
267 -d $PLUTO_MY_CLIENT $D_MY_PORT \
268 $IPSEC_POLICY_IN -j ACCEPT
269 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
270 + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
271 -s $PLUTO_MY_CLIENT $S_MY_PORT \
272 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
273 $IPSEC_POLICY_OUT -j ACCEPT