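--- strongswan-5.3.0/src/_updown/_updown.in.old 2015-03-17 18:17:43.000000000 +0000
+++ strongswan-5.3.0/src/_updown/_updown.in 2015-03-30 22:48:27.084030719 +0000
@@ -122,6 +122,29 @@
 # address family.
 #
 
+function ip_encode() {
+ local IFS=.
+
+ local int=0
+ for field in $1; do
+ int=$(( $(( $int << 8 )) | $field ))
+ done
+
+ echo $int
+}
+
+function ip_in_subnet() {
+ local netmask
+ netmask=$(_netmask $2)
+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+}
+
+function _netmask() {
+ local vlsm
+ vlsm=${1#*/}
+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
 export PATH
@@ -232,12 +255,12 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
 # IPComp is used (for small inbound packets that are not compressed)
@@ -253,10 +276,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -264,12 +287,12 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
@@ -284,10 +307,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -297,24 +320,24 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
 fi
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
@@ -322,7 +345,7 @@
 # INPUT is correct here even for forwarded traffic.
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -332,12 +355,51 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Open Firewall for IPinIP + AH + ESP Traffic
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+ # Add source nat so also the gateway can access the other nets
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+ if [ $? -eq 0 ]; then
+ src=${_src}
+ break
+ fi
+ done
+
+ if [ -n "${src}" ]; then
+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+
+ # Flush routing cache
+ ip route flush cache
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
@@ -345,34 +407,34 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
+ $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ $IPSEC_POLICY_IN -j RETURN
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
 fi
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -382,12 +444,51 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Close Firewall for IPinIP + AH + ESP Traffic
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
+
+ # remove source nat
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+ if [ $? -eq 0 ]; then
+ src=${_src}
+ break
+ fi
+ done
+
+ if [ -n "${src}" ]; then
+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+ fi
+
+ # Flush routing cache
+ ip route flush cache
 ;;
 #
 # IPv6
@@ -412,10 +513,10 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -436,10 +537,10 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -462,10 +563,10 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
@@ -474,10 +575,10 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
@@ -501,11 +602,11 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
@@ -515,11 +616,11 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT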
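Review bot: The first of the three tunnel rules added after the `client+` logging in the `up-client:iptables` hunk, `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP ...`, is far broader than its comment "IPinIP + AH + ESP" suggests: iptables resolves the name `ip` through /etc/protocols to protocol number 0, which it treats like `all`, so that rule accepts every protocol from $PLUTO_PEER to $PLUTO_ME on the interface rather than only IP-in-IP. IP-in-IP is protocol 4, which this same file already uses for the IPComp exception (`-p 4`); change the insert to `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \` and the matching `-D` in the `down-client:iptables` hunk to `-p 4` as well so the teardown still finds the rule. `$S_PEER_PORT` and `$D_MY_PORT` are also appended to these AH/ESP/IP-in-IP rules although those protocols carry no ports; they are set outside the hunk, so whether they can ever hold a `--sport`/`--dport` (which iptables would most likely reject for these protocols, making the insert fail silently under this script) needs confirming against the rest of the file. The enclosing case arm starts outside the hunk.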