suricata: Change midstream policy to "pass-flow"

[ipfire-2.x.git] / src / patches / strongswan-ipfire.patch

commit b439f74361d393bcb85109b6c41a905cf613a296
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Wed May 18 17:46:57 2022 +0000

    IPFire modifications to _updown script
    
    Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 34eaf68c7..9ed387a0a 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -242,10 +242,10 @@ up-host:iptables)
        # connection to me, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
-       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+       iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+       iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        #
@@ -263,10 +263,10 @@ up-host:iptables)
          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
          then
            logger -t $TAG -p $FAC_PRIO \
-             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+             "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
          else
            logger -t $TAG -p $FAC_PRIO \
-             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+             "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
          fi
        fi
        ;;
@@ -274,10 +274,10 @@ down-host:iptables)
        # connection to me, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
-       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+       iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+       iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        #
@@ -294,10 +294,10 @@ down-host:iptables)
          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
          then
            logger -t $TAG -p $FAC_PRIO -- \
-             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+             "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
          else
            logger -t $TAG -p $FAC_PRIO -- \
-           "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+           "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
          fi
        fi
        ;;
@@ -305,34 +305,16 @@ up-client:iptables)
        # connection to client subnet, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
-       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-       then
-         iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-         iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-       fi
        #
        # a virtual IP requires an INPUT and OUTPUT rule on the host
        # or sometimes host access via the internal IP is needed
-       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-       then
-         iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-         iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-       fi
        #
        # allow IPIP traffic because of the implicit SA created by the kernel if
        # IPComp is used (for small inbound packets that are not compressed).
        # INPUT is correct here even for forwarded traffic.
        if [ -n "$PLUTO_IPCOMP" ]
        then
-         iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+         iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        fi
        #
@@ -342,47 +324,37 @@ up-client:iptables)
          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
          then
            logger -t $TAG -p $FAC_PRIO \
-             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+             "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
          else
            logger -t $TAG -p $FAC_PRIO \
-             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+             "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
          fi
        fi
+
+       # Open Firewall for IPinIP + AH + ESP Traffic
+       iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
+               -s $PLUTO_PEER $S_PEER_PORT \
+               -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+               -s $PLUTO_PEER $S_PEER_PORT \
+               -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+               -s $PLUTO_PEER $S_PEER_PORT \
+               -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+
        ;;
 down-client:iptables)
        # connection to client subnet, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
-       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-       then
-         iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-                $IPSEC_POLICY_OUT -j ACCEPT
-         iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT $D_MY_PORT \
-                $IPSEC_POLICY_IN -j ACCEPT
-       fi
        #
        # a virtual IP requires an INPUT and OUTPUT rule on the host
        # or sometimes host access via the internal IP is needed
-       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-       then
-         iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT $D_MY_PORT \
-                $IPSEC_POLICY_IN -j ACCEPT
-         iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-                $IPSEC_POLICY_OUT -j ACCEPT
-       fi
        #
        # IPIP exception teardown
        if [ -n "$PLUTO_IPCOMP" ]
        then
-         iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+         iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        fi
        #
@@ -392,12 +364,24 @@ down-client:iptables)
          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
          then
            logger -t $TAG -p $FAC_PRIO -- \
-             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+             "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
          else
            logger -t $TAG -p $FAC_PRIO -- \
-             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+             "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
          fi
        fi
+
+       # Close Firewall for IPinIP + AH + ESP Traffic
+       iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
+               -s $PLUTO_PEER $S_PEER_PORT \
+               -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+               -s $PLUTO_PEER $S_PEER_PORT \
+               -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+       iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+               -s $PLUTO_PEER $S_PEER_PORT \
+               -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+
        ;;
 #
 # IPv6
@@ -422,10 +406,10 @@ up-host-v6:iptables)
        # connection to me, with (left/right)firewall=yes, coming up
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
-       ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+       ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-       ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+       ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        #
@@ -454,10 +438,10 @@ down-host-v6:iptables)
        # connection to me, with (left/right)firewall=yes, going down
        # This is used only by the default updown script, not by your custom
        # ones, so do not mess with it; see CAUTION comment up at top.
-       ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+       ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-       ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+       ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        #
@@ -487,10 +471,10 @@ up-client-v6:iptables)
        # ones, so do not mess with it; see CAUTION comment up at top.
        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
        then
-         ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+         ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
              -s $PLUTO_MY_CLIENT $S_MY_PORT \
              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-         ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+         ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        fi
@@ -499,10 +483,10 @@ up-client-v6:iptables)
        # or sometimes host access via the internal IP is needed
        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
        then
-         ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+         ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-         ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+         ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
              -s $PLUTO_MY_CLIENT $S_MY_PORT \
              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
        fi
@@ -535,11 +519,11 @@ down-client-v6:iptables)
        # ones, so do not mess with it; see CAUTION comment up at top.
        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
        then
-         ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+         ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
              -s $PLUTO_MY_CLIENT $S_MY_PORT \
              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
                 $IPSEC_POLICY_OUT -j ACCEPT
-         ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+         ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
              -d $PLUTO_MY_CLIENT $D_MY_PORT \
                 $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +533,11 @@ down-client-v6:iptables)
        # or sometimes host access via the internal IP is needed
        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
        then
-         ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+         ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
              -d $PLUTO_MY_CLIENT $D_MY_PORT \
                 $IPSEC_POLICY_IN -j ACCEPT
-         ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+         ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
              -s $PLUTO_MY_CLIENT $S_MY_PORT \
              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
                 $IPSEC_POLICY_OUT -j ACCEPT