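diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-18 14:51:34.446203334 +0200
@@ -242,12 +242,15 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
 # IPComp is used (for small inbound packets that are not compressed)
@@ -263,10 +266,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -274,12 +277,15 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
@@ -294,10 +300,10 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 fi
 fi
 ;;
@@ -307,24 +313,30 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
+ iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
 fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
 fi
 #
 # allow IPIP traffic because of the implicit SA created by the kernel if
@@ -332,7 +344,7 @@
 # INPUT is correct here even for forwarded traffic.
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -342,12 +354,29 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Open Firewall for IPinIP + AH + ESP Traffic
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
 ;;
 down-client:iptables)
 # connection to client subnet, with (left/right)firewall=yes, going down
@@ -355,34 +384,42 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j RETURN
 fi
 #
 # a virtual IP requires an INPUT and OUTPUT rule on the host
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j RETURN
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
 fi
 #
 # IPIP exception teardown
 if [ -n "$PLUTO_IPCOMP" ]
 then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 fi
 #
@@ -392,12 +429,29 @@
 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 then
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 else
 logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 fi
 fi
+
+ #
+ # Close Firewall for IPinIP + AH + ESP Traffic
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
 ;;
 #
 # IPv6
@@ -422,10 +476,10 @@
 # connection to me, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -454,10 +508,10 @@
 # connection to me, with (left/right)firewall=yes, going down
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 #
@@ -487,10 +541,10 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 fi
@@ -499,10 +553,10 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 fi
@@ -535,11 +589,11 @@
 # ones, so do not mess with it; see CAUTION comment up at top.
 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 then
- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
@@ -549,11 +603,11 @@
 # or sometimes host access via the internal IP is needed
 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -d $PLUTO_MY_CLIENT $D_MY_PORT \
 $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 $IPSEC_POLICY_OUT -j ACCEPT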
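Review bot: The `-p IP` in the new "Open Firewall for IPinIP + AH + ESP Traffic" rules (hunk `@@ -342,12 +354,29 @@`, mirrored by the `-D` teardown in `@@ -392,12 +429,29 @@`) does not select IP-in-IP: `ip` is protocol 0 in `/etc/protocols`, which iptables treats as `all`, so the inserted ACCEPT admits every protocol from `$PLUTO_PEER` to `$PLUTO_ME` rather than only the tunnel protocols the comment names. The same file already matches IP-in-IP as `-p 4` in the IPComp exception rule a few hunks earlier, so the consistent fix is `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \` here and the corresponding `-D` line in the down-client arm. Appending `$S_PEER_PORT` and `$D_MY_PORT` to AH/ESP/IPIP rules also looks suspect, since port matches only make sense for TCP/UDP; presumably those variables are empty for other protocols, but that is set outside this hunk and should be confirmed. The enclosing `up-client:iptables)` case arm begins before the hunk.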