speed.cgi: replave parsing of ip show output
80909fb6
AF
1diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
2--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
3+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-18 14:51:34.446203334 +0200
4@@ -242,12 +242,15 @@
6652626c
AF
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 9+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
80909fb6
AF
13+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
14+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
15+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
d8145673 16+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 17 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 18- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
80909fb6 19+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
6652626c 20 #
d7050fc0
MT
21 # allow IPIP traffic because of the implicit SA created by the kernel if
22 # IPComp is used (for small inbound packets that are not compressed)
80909fb6 23@@ -263,10 +266,10 @@
6652626c
AF
24 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
25 then
26 logger -t $TAG -p $FAC_PRIO \
27- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
28+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
29 else
30 logger -t $TAG -p $FAC_PRIO \
31- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
32+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
33 fi
34 fi
35 ;;
80909fb6 36@@ -274,12 +277,15 @@
6652626c
AF
37 # connection to me, with (left/right)firewall=yes, going down
38 # This is used only by the default updown script, not by your custom
39 # ones, so do not mess with it; see CAUTION comment up at top.
40- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
80909fb6
AF
41+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
42+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
43+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
d8145673 44+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
45 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
46 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
47- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 48+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 49 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 50- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
80909fb6 51+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
6652626c 52 #
d7050fc0
MT
53 # IPIP exception teardown
54 if [ -n "$PLUTO_IPCOMP" ]
80909fb6 55@@ -294,10 +300,10 @@
6652626c
AF
56 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
57 then
58 logger -t $TAG -p $FAC_PRIO -- \
59- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
60+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
61 else
62 logger -t $TAG -p $FAC_PRIO -- \
63- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
64+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
65 fi
66 fi
67 ;;
80909fb6 68@@ -307,24 +313,30 @@
6652626c
AF
69 # ones, so do not mess with it; see CAUTION comment up at top.
70 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
71 then
72- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
80909fb6
AF
73+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
74+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
75+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
d8145673 76+ iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 77 -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10 78- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c 79- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
80909fb6 80+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
d8145673 81+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c 82 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
dc33c23b 83- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
80909fb6 84+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
6652626c 85 fi
dc33c23b
AM
86 #
87 # a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c
AF
88 # or sometimes host access via the internal IP is needed
89 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
90 then
91- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 92+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c 93 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
d7050fc0 94- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
6652626c 95- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d7050fc0 96+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
80909fb6
AF
97+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
98+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
99+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
d8145673 100+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c 101 -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10 102- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
80909fb6 103+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
6652626c 104 fi
db073a10 105 #
d7050fc0 106 # allow IPIP traffic because of the implicit SA created by the kernel if
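Review bot: The `-j RETURN` rule for inbound peer traffic is inserted first so that, after the two CONNMARK inserts at position 1, it sits third and exits IPSECFORWARD right after marking, while outbound traffic is marked and then continues down the chain; this asymmetry looks deliberate but is undocumented and depends entirely on statement order. A comment above the RETURN insert such as `# inbound: mark then RETURN to the calling chain; outbound: mark only and keep evaluating IPSECFORWARD (chain order is the reverse of insert order)` would make the intent explicit and protect the sequence. The same pattern repeats in the virtual-IP/host-access branch below it and deserves the same comment. The enclosing case arm starts before this hunk.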
80909fb6 107@@ -332,7 +344,7 @@
d7050fc0
MT
108 # INPUT is correct here even for forwarded traffic.
109 if [ -n "$PLUTO_IPCOMP" ]
110 then
111- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
d8145673 112+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
d7050fc0
MT
113 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
114 fi
115 #
80909fb6 116@@ -342,12 +354,29 @@
6652626c
AF
117 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
118 then
119 logger -t $TAG -p $FAC_PRIO \
120- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
121+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
122 else
123 logger -t $TAG -p $FAC_PRIO \
124- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
125+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
126 fi
127 fi
128+
129+ #
50a488f4 130+ # Open Firewall for IPinIP + AH + ESP Traffic
d8145673 131+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
50a488f4
AF
132+ -s $PLUTO_PEER $S_PEER_PORT \
133+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 134+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
db073a10
AF
135+ -s $PLUTO_PEER $S_PEER_PORT \
136+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 137+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
6652626c
AF
138+ -s $PLUTO_PEER $S_PEER_PORT \
139+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c
AF
140+ if [ $VPN_LOGGING ]
141+ then
142+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b 143+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c 144+ fi
6652626c
AF
145 ;;
146 down-client:iptables)
147 # connection to client subnet, with (left/right)firewall=yes, going down
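Review bot: The rule commented as IP-in-IP does not match IP-in-IP: iptables resolves `-p IP` through /etc/protocols, where `ip` is protocol 0, and protocol 0 is treated as all protocols, so this is an unconditional ACCEPT of everything from $PLUTO_PEER to $PLUTO_ME on $PLUTO_INTERFACE (including cleartext services on the firewall's own address), placed ahead of the policy-matched rules. IP-in-IP is protocol 4, which this same file already uses for the IPComp exception (`-p 4`), so the line should read `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \`. The `$S_PEER_PORT`/`$D_MY_PORT` expansions on all three new rules presumably carry the traffic-selector ports (as in the stock script), which belong to the encapsulated traffic rather than to ESP/AH/IP-in-IP; when a selector sets a port they expand to `--sport`/`--dport`, which iptables rejects for these protocols, and the rule is then silently never installed since the exit status is not checked. Drop the port variables from these three rules, and write the logging guard as `if [ -n "$VPN_LOGGING" ]` rather than the unquoted test.
```shell
	#
	# Open Firewall for IPinIP + AH + ESP Traffic (outer packets: selector ports do not apply)
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
	    -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
	    -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
	    -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	if [ -n "$VPN_LOGGING" ]
	# … unchanged: logger call and fi …
```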
80909fb6 148@@ -355,34 +384,42 @@
6652626c
AF
149 # ones, so do not mess with it; see CAUTION comment up at top.
150 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
151 then
152- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 153+ iptables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
154 -s $PLUTO_MY_CLIENT $S_MY_PORT \
155 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10 156- $IPSEC_POLICY_OUT -j ACCEPT
6652626c 157- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
80909fb6 158+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
d8145673 159+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
160 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
161 -d $PLUTO_MY_CLIENT $D_MY_PORT \
dc33c23b 162- $IPSEC_POLICY_IN -j ACCEPT
80909fb6
AF
163+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
164+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
165+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
166+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
dc33c23b
AM
167+ $IPSEC_POLICY_IN -j RETURN
168 fi
169 #
170 # a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c
AF
171 # or sometimes host access via the internal IP is needed
172 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
173 then
174- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 175+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
176 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
177 -d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0 178- $IPSEC_POLICY_IN -j ACCEPT
6652626c 179- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
80909fb6
AF
180+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
181+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
182+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
183+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0 184+ $IPSEC_POLICY_IN -j RETURN
d8145673 185+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
186 -s $PLUTO_MY_CLIENT $S_MY_PORT \
187 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10 188- $IPSEC_POLICY_OUT -j ACCEPT
80909fb6 189+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
db073a10
AF
190 fi
191 #
d7050fc0
MT
192 # IPIP exception teardown
193 if [ -n "$PLUTO_IPCOMP" ]
194 then
195- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
d8145673 196+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
d7050fc0
MT
197 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
198 fi
199 #
80909fb6 200@@ -392,12 +429,29 @@
6652626c
AF
201 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
202 then
203 logger -t $TAG -p $FAC_PRIO -- \
204- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
205+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
206 else
207 logger -t $TAG -p $FAC_PRIO -- \
208- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
209+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
210 fi
211 fi
212+
213+ #
50a488f4 214+ # Close Firewall for IPinIP + AH + ESP Traffic
d8145673 215+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
50a488f4
AF
216+ -s $PLUTO_PEER $S_PEER_PORT \
217+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 218+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
db073a10
AF
219+ -s $PLUTO_PEER $S_PEER_PORT \
220+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
d8145673 221+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
6652626c
AF
222+ -s $PLUTO_PEER $S_PEER_PORT \
223+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c
AF
224+ if [ $VPN_LOGGING ]
225+ then
226+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b 227+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c 228+ fi
6652626c
AF
229 ;;
230 #
231 # IPv6
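Review bot: Each `-D IPSECINPUT` here only removes a rule whose specification is byte-identical to the one inserted on the up-client path; if the insert side is ever corrected (for example `-p IP` to `-p 4`, or the port variables dropped) without the same edit in this hunk, the delete fails quietly and the ACCEPT for the peer stays in IPSECINPUT after the tunnel is gone. Nothing in the hunk checks the iptables exit status, so such a leftover is invisible. A comment tying the two sides together, `# must mirror the up-client inserts exactly: -D matches on the full rule spec`, would help, and each delete could at least report failure, e.g. `|| logger -t $TAG -p $FAC_PRIO "failed to remove ESP rule for $PLUTO_PEER"`. The unquoted `if [ $VPN_LOGGING ]` should be `if [ -n "$VPN_LOGGING" ]`, as on the up side.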
80909fb6 232@@ -422,10 +476,10 @@
6652626c
AF
233 # connection to me, with (left/right)firewall=yes, coming up
234 # This is used only by the default updown script, not by your custom
235 # ones, so do not mess with it; see CAUTION comment up at top.
236- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 237+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
238 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
239 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
240- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 241+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
242 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
243 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
244 #
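Review bot: The IPv6 up-host rules keep plain ACCEPT targets on IPSECINPUT and IPSECOUTPUT, whereas the IPv4 counterpart in this same patch replaces the OUTPUT ACCEPT with a CONNMARK and adds a marking rule on INPUT; once the IPSEC* chains are wired into the main ruleset the two address families will therefore behave differently. If that is intentional, a comment above the first ip6tables call, `# IPv6: no CONNMARK handling, the marked-connection logic is IPv4-only`, would stop a reader from treating it as an omission; if not, the same CONNMARK rules belong here too. The enclosing case arm starts before this hunk.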
80909fb6 245@@ -454,10 +508,10 @@
6652626c
AF
246 # connection to me, with (left/right)firewall=yes, going down
247 # This is used only by the default updown script, not by your custom
248 # ones, so do not mess with it; see CAUTION comment up at top.
249- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 250+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
251 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
252 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
253- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 254+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
255 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
256 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
257 #
80909fb6 258@@ -487,10 +541,10 @@
6652626c
AF
259 # ones, so do not mess with it; see CAUTION comment up at top.
260 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
261 then
262- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 263+ ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
264 -s $PLUTO_MY_CLIENT $S_MY_PORT \
265 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
266- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 267+ ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
268 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
269 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
270 fi
80909fb6 271@@ -499,10 +553,10 @@
6652626c
AF
272 # or sometimes host access via the internal IP is needed
273 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
274 then
275- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 276+ ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
277 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
278 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
279- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 280+ ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
281 -s $PLUTO_MY_CLIENT $S_MY_PORT \
282 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
283 fi
80909fb6 284@@ -535,11 +589,11 @@
6652626c
AF
285 # ones, so do not mess with it; see CAUTION comment up at top.
286 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
287 then
288- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 289+ ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
290 -s $PLUTO_MY_CLIENT $S_MY_PORT \
291 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
292 $IPSEC_POLICY_OUT -j ACCEPT
293- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 294+ ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
295 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
296 -d $PLUTO_MY_CLIENT $D_MY_PORT \
297 $IPSEC_POLICY_IN -j ACCEPT
80909fb6 298@@ -549,11 +603,11 @@
6652626c
AF
299 # or sometimes host access via the internal IP is needed
300 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
301 then
302- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
d8145673 303+ ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c
AF
304 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
305 -d $PLUTO_MY_CLIENT $D_MY_PORT \
306 $IPSEC_POLICY_IN -j ACCEPT
307- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d8145673 308+ ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c
AF
309 -s $PLUTO_MY_CLIENT $S_MY_PORT \
310 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
311 $IPSEC_POLICY_OUT -j ACCEPT