1 commit b439f74361d393bcb85109b6c41a905cf613a296
2 Author: Peter Müller <peter.mueller@ipfire.org>
3 Date: Wed May 18 17:46:57 2022 +0000
5 IPFire modifications to _updown script
7 Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
9 diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
10 index 34eaf68c7..9ed387a0a 100644
11 --- a/src/_updown/_updown.in
12 +++ b/src/_updown/_updown.in
13 @@ -242,10 +242,10 @@ up-host:iptables)
14 # connection to me, with (left/right)firewall=yes, coming up
15 # This is used only by the default updown script, not by your custom
16 # ones, so do not mess with it; see CAUTION comment up at top.
17 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
18 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
19 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
20 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
21 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
22 + iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
23 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
24 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
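Review bot: The new `iptables --wait -I IPSECINPUT 1 ...` / `-I IPSECOUTPUT 1 ...` lines depend on chains that this script never creates, and the exit status of iptables is still not checked, so a missing chain leaves the tunnel without its ACCEPT rule with nothing but an error on stderr. A one-line comment above the first rule would make the contract explicit, e.g. `# IPSECINPUT/IPSECOUTPUT/IPSECFORWARD are IPFire-managed chains and must exist before charon runs this hook`. Note also that `--wait` with no timeout blocks until the xtables lock is free, so a stuck iptables elsewhere stalls the updown hook rather than failing it; if that is not wanted, `--wait 5` (a timeout in seconds) bounds it. The same applies to the matching hunks at L30-L41, L142-L153, L154-L165 and L166-L213; the enclosing case arm starts before this hunk.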
26 @@ -263,10 +263,10 @@ up-host:iptables)
27 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
29 logger -t $TAG -p $FAC_PRIO \
30 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
31 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
33 logger -t $TAG -p $FAC_PRIO \
34 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
35 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
39 @@ -274,10 +274,10 @@ down-host:iptables)
40 # connection to me, with (left/right)firewall=yes, going down
41 # This is used only by the default updown script, not by your custom
42 # ones, so do not mess with it; see CAUTION comment up at top.
43 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
44 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
45 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
46 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
47 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
48 + iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
49 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
50 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
52 @@ -294,10 +294,10 @@ down-host:iptables)
53 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
55 logger -t $TAG -p $FAC_PRIO -- \
56 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
57 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
59 logger -t $TAG -p $FAC_PRIO -- \
60 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
61 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
65 @@ -305,34 +305,16 @@ up-client:iptables)
66 # connection to client subnet, with (left/right)firewall=yes, coming up
67 # This is used only by the default updown script, not by your custom
68 # ones, so do not mess with it; see CAUTION comment up at top.
69 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
71 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
72 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
73 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
74 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
75 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
76 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
79 # a virtual IP requires an INPUT and OUTPUT rule on the host
80 # or sometimes host access via the internal IP is needed
81 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
83 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
84 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
85 - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
86 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
87 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
88 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
91 # allow IPIP traffic because of the implicit SA created by the kernel if
92 # IPComp is used (for small inbound packets that are not compressed).
93 # INPUT is correct here even for forwarded traffic.
94 if [ -n "$PLUTO_IPCOMP" ]
96 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
97 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
98 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
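Review bot: The IPv4 up-client arm drops the FORWARD rules (L55-L60) and the virtual-IP/host-access INPUT/OUTPUT rules (L64-L69) entirely, while up-client-v6 (L166-L187) keeps the equivalent rules in IPSECFORWARD/IPSECINPUT/IPSECOUTPUT, so IPv4 and IPv6 client subnets are now handled differently. If IPFire's own firewall is meant to police IPv4 IPsec subnets, a comment stating that would stop a later maintainer from restoring the rules; if not, the asymmetry looks like a gap in the IPv4 path. The `then`/`fi` lines around the removed `if` guards are not shown on this page, so I cannot confirm the remaining if/fi pairing is balanced — worth a syntax check. The comment on line 72, `# INPUT is correct here even for forwarded traffic.`, now describes a rule inserted into IPSECINPUT and could read `# IPSECINPUT (hooked from INPUT) is correct here even for forwarded traffic.`; the mirrored teardown at L95-L123 has the same points.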
101 @@ -342,47 +324,37 @@ up-client:iptables)
102 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
104 logger -t $TAG -p $FAC_PRIO \
105 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
106 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
108 logger -t $TAG -p $FAC_PRIO \
109 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
110 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
114 + # Open Firewall for IPinIP + AH + ESP Traffic
115 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
116 + -s $PLUTO_PEER $S_PEER_PORT \
117 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
118 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
119 + -s $PLUTO_PEER $S_PEER_PORT \
120 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
121 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
122 + -s $PLUTO_PEER $S_PEER_PORT \
123 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
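Review bot: The three new `-p IPIP` / `-p AH` / `-p ESP` rules carry `$S_PEER_PORT` and `$D_MY_PORT`; elsewhere in this hunk those variables sit next to `-p $PLUTO_MY_PROTOCOL`, which suggests they expand to `--sport`/`--dport` options, and iptables rejects port matches for protocols that have no ports. If that is the case the ACCEPT rule is silently never installed (the exit status is not checked) and ESP/AH traffic relies on whatever other rule happens to admit it; the rules should be `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT` with the IPIP and AH rules in the same form. Whatever form is chosen, the teardown at L132-L141 must match it exactly or the `-D` fails and a stale ACCEPT rule stays behind after the connection is gone. These rules are only added in the client arm, so host-to-host connections (up-host at L10-L21) do not get them — presumably intended, but worth a comment.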
126 down-client:iptables)
127 # connection to client subnet, with (left/right)firewall=yes, going down
128 # This is used only by the default updown script, not by your custom
129 # ones, so do not mess with it; see CAUTION comment up at top.
130 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
132 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
133 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
134 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
135 - $IPSEC_POLICY_OUT -j ACCEPT
136 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
137 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
138 - -d $PLUTO_MY_CLIENT $D_MY_PORT \
139 - $IPSEC_POLICY_IN -j ACCEPT
142 # a virtual IP requires an INPUT and OUTPUT rule on the host
143 # or sometimes host access via the internal IP is needed
144 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
146 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
147 - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
148 - -d $PLUTO_MY_CLIENT $D_MY_PORT \
149 - $IPSEC_POLICY_IN -j ACCEPT
150 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
151 - -s $PLUTO_MY_CLIENT $S_MY_PORT \
152 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
153 - $IPSEC_POLICY_OUT -j ACCEPT
156 # IPIP exception teardown
157 if [ -n "$PLUTO_IPCOMP" ]
159 - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
160 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
161 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
164 @@ -392,12 +364,24 @@ down-client:iptables)
165 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
167 logger -t $TAG -p $FAC_PRIO -- \
168 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
169 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
171 logger -t $TAG -p $FAC_PRIO -- \
172 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
173 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
177 + # Close Firewall for IPinIP + AH + ESP Traffic
178 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
179 + -s $PLUTO_PEER $S_PEER_PORT \
180 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
181 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
182 + -s $PLUTO_PEER $S_PEER_PORT \
183 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
184 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
185 + -s $PLUTO_PEER $S_PEER_PORT \
186 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
191 @@ -422,10 +406,10 @@ up-host-v6:iptables)
192 # connection to me, with (left/right)firewall=yes, coming up
193 # This is used only by the default updown script, not by your custom
194 # ones, so do not mess with it; see CAUTION comment up at top.
195 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
196 + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
197 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
198 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
199 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
200 + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
201 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
202 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
204 @@ -454,10 +438,10 @@ down-host-v6:iptables)
205 # connection to me, with (left/right)firewall=yes, going down
206 # This is used only by the default updown script, not by your custom
207 # ones, so do not mess with it; see CAUTION comment up at top.
208 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
209 + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
210 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
211 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
212 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
213 + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
214 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
215 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
217 @@ -487,10 +471,10 @@ up-client-v6:iptables)
218 # ones, so do not mess with it; see CAUTION comment up at top.
219 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
221 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
222 + ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
223 -s $PLUTO_MY_CLIENT $S_MY_PORT \
224 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
225 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
226 + ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
227 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
228 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
230 @@ -499,10 +483,10 @@ up-client-v6:iptables)
231 # or sometimes host access via the internal IP is needed
232 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
234 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
235 + ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
236 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
237 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
238 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
239 + ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
240 -s $PLUTO_MY_CLIENT $S_MY_PORT \
241 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
243 @@ -535,11 +519,11 @@ down-client-v6:iptables)
244 # ones, so do not mess with it; see CAUTION comment up at top.
245 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
247 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
248 + ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
249 -s $PLUTO_MY_CLIENT $S_MY_PORT \
250 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
251 $IPSEC_POLICY_OUT -j ACCEPT
252 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
253 + ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
254 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
255 -d $PLUTO_MY_CLIENT $D_MY_PORT \
256 $IPSEC_POLICY_IN -j ACCEPT
257 @@ -549,11 +533,11 @@ down-client-v6:iptables)
258 # or sometimes host access via the internal IP is needed
259 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
261 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
262 + ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
263 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
264 -d $PLUTO_MY_CLIENT $D_MY_PORT \
265 $IPSEC_POLICY_IN -j ACCEPT
266 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
267 + ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
268 -s $PLUTO_MY_CLIENT $S_MY_PORT \
269 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
270 $IPSEC_POLICY_OUT -j ACCEPT