1 diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
2 --- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
3 +++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
9 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
13 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
14 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
15 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
18 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
20 logger -t $TAG -p $FAC_PRIO \
21 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
22 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
24 logger -t $TAG -p $FAC_PRIO \
25 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
26 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
31 # connection to me, with (left/right)firewall=yes, going down
32 # This is used only by the default updown script, not by your custom
33 # ones, so do not mess with it; see CAUTION comment up at top.
34 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
35 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
36 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
37 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
38 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
39 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
40 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
41 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
44 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
46 logger -t $TAG -p $FAC_PRIO -- \
47 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
48 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
50 logger -t $TAG -p $FAC_PRIO -- \
51 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
52 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
57 # ones, so do not mess with it; see CAUTION comment up at top.
58 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
60 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
61 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
62 -s $PLUTO_MY_CLIENT $S_MY_PORT \
63 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
64 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
65 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
66 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
67 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
70 # or sometimes host access via the internal IP is needed
71 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
73 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
74 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
75 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
76 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
77 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
78 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
79 -s $PLUTO_MY_CLIENT $S_MY_PORT \
80 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
83 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
85 logger -t $TAG -p $FAC_PRIO \
86 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
87 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
89 logger -t $TAG -p $FAC_PRIO \
90 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
91 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
96 + # Open Firewall for ESP Traffic
97 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
98 + -s $PLUTO_PEER $S_PEER_PORT \
99 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
100 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
101 + -d $PLUTO_PEER $S_PEER_PORT \
102 + -s $PLUTO_ME $D_MY_PORT -j ACCEPT
103 + if [ $VPN_LOGGING ]
105 + logger -t $TAG -p $FAC_PRIO \
106 + "ESP+ $PLUTO_PEER -- $PLUTO_ME"
110 down-client:iptables)
111 # connection to client subnet, with (left/right)firewall=yes, going down
112 @@ -463,11 +478,11 @@
113 # ones, so do not mess with it; see CAUTION comment up at top.
114 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
116 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
117 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
118 -s $PLUTO_MY_CLIENT $S_MY_PORT \
119 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
120 $IPSEC_POLICY_OUT -j ACCEPT
121 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
122 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
123 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
124 -d $PLUTO_MY_CLIENT $D_MY_PORT \
125 $IPSEC_POLICY_IN -j ACCEPT
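Review bot: Both `iptables -D IPSECFORWARD` calls in this hunk assume a user-defined chain that nothing in this patch creates or links from FORWARD, and the same holds for every IPSECINPUT/IPSECOUTPUT/IPSECFORWARD rule in both files, including the ip6tables hunks, where the chains have to exist separately in the IPv6 filter table. If the chain is missing, the matching `-I` in up-client and this `-D` both fail with a missing-chain error, and since these lines do not check the command status the connection presumably comes up with no ACCEPT rule and the built-in chain's policy decides the tunnel traffic; if the chain exists but has no jump from the built-in chain, the rules are installed yet never consulted, which is harder to notice. The requirement should be stated in the file's header comment, e.g. `# Requires user chains IPSECINPUT, IPSECOUTPUT and IPSECFORWARD in the filter table (iptables and ip6tables), each reached by a jump from the matching built-in chain, created before any connection comes up.` Logging a failed `iptables` call through `logger`, as the script already does for state changes, would make a missing or unhooked chain visible to the operator. The enclosing down-client:iptables arm begins before this hunk and its closing `fi` lies past the hunk's end.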
126 @@ -477,11 +492,11 @@
127 # or sometimes host access via the internal IP is needed
128 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
130 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
131 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
132 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
133 -d $PLUTO_MY_CLIENT $D_MY_PORT \
134 $IPSEC_POLICY_IN -j ACCEPT
135 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
136 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
137 -s $PLUTO_MY_CLIENT $S_MY_PORT \
138 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
139 $IPSEC_POLICY_OUT -j ACCEPT
140 @@ -493,12 +508,27 @@
141 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
143 logger -t $TAG -p $FAC_PRIO -- \
144 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
145 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
147 logger -t $TAG -p $FAC_PRIO -- \
148 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
149 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
154 + # Close Firewall for ESP Traffic
155 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
156 + -s $PLUTO_PEER $S_PEER_PORT \
157 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
158 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
159 + -d $PLUTO_PEER $S_PEER_PORT \
160 + -s $PLUTO_ME $D_MY_PORT -j ACCEPT
161 + if [ $VPN_LOGGING ]
163 + logger -t $TAG -p $FAC_PRIO \
164 + "ESP- $PLUTO_PEER -- $PLUTO_ME"
170 @@ -533,10 +563,10 @@
171 # connection to me, with (left/right)firewall=yes, coming up
172 # This is used only by the default updown script, not by your custom
173 # ones, so do not mess with it; see CAUTION comment up at top.
174 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
175 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
176 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
177 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
178 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
179 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
180 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
181 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
183 @@ -557,10 +587,10 @@
184 # connection to me, with (left/right)firewall=yes, going down
185 # This is used only by the default updown script, not by your custom
186 # ones, so do not mess with it; see CAUTION comment up at top.
187 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
188 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
189 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
190 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
191 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
192 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
193 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
194 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
196 @@ -583,10 +613,10 @@
197 # ones, so do not mess with it; see CAUTION comment up at top.
198 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
200 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
201 + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
202 -s $PLUTO_MY_CLIENT $S_MY_PORT \
203 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
204 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
205 + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
206 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
207 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
209 @@ -595,10 +625,10 @@
210 # or sometimes host access via the internal IP is needed
211 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
213 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
214 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
215 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
216 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
217 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
218 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
219 -s $PLUTO_MY_CLIENT $S_MY_PORT \
220 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
222 @@ -622,11 +652,11 @@
223 # ones, so do not mess with it; see CAUTION comment up at top.
224 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
226 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
227 + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
228 -s $PLUTO_MY_CLIENT $S_MY_PORT \
229 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
230 $IPSEC_POLICY_OUT -j ACCEPT
231 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
232 + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
233 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
234 -d $PLUTO_MY_CLIENT $D_MY_PORT \
235 $IPSEC_POLICY_IN -j ACCEPT
236 @@ -636,11 +666,11 @@
237 # or sometimes host access via the internal IP is needed
238 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
240 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
241 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
242 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
243 -d $PLUTO_MY_CLIENT $D_MY_PORT \
244 $IPSEC_POLICY_IN -j ACCEPT
245 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
246 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
247 -s $PLUTO_MY_CLIENT $S_MY_PORT \
248 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
249 $IPSEC_POLICY_OUT -j ACCEPT
250 diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
251 --- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200
252 +++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100
253 @@ -247,10 +247,10 @@
256 # add the following static rule to the INPUT chain in the mangle table
257 -# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
258 +# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
260 # NAT traversal via UDP encapsulation is supported with the rule
261 -# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
262 +# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
264 # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
265 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
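Review bot: The rewritten example commands `iptables -t mangle -A IPSECINPUT ...` refer to a chain in the mangle table, which is separate from the filter-table chain that the script's own rules use later in this file, so an administrator following the comment literally must also create IPSECINPUT in the mangle table and jump to it from mangle INPUT, or the example fails with a missing-chain error. Either keep the built-in chain in the mangle examples, `# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50`, or add `# (IPSECINPUT must also exist in the mangle table and be reached from its INPUT chain)` above the two example lines. If `$CHECK_MARK` in the later hunks matches on that mark, as the comment suggests, a mark rule that was never installed means the `$CHECK_MARK` ACCEPT rules no longer match and decrypted inbound traffic falls through to the rest of the chain, so the comment is the only place this dependency is documented.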
266 @@ -325,10 +325,10 @@
268 # connection to me coming up
269 # If you are doing a custom version, firewall commands go here.
270 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
271 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
272 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
273 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
274 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
275 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
276 -s $PLUTO_ME $S_MY_PORT \
277 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
279 @@ -346,10 +346,10 @@
280 # If you are doing a custom version, firewall commands go here.
281 # connection to me going down
282 # If you are doing a custom version, firewall commands go here.
283 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
284 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
285 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
286 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
287 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
288 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
289 -s $PLUTO_ME $S_MY_PORT \
290 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
292 @@ -365,10 +365,10 @@
294 # connection to my client subnet coming up
295 # If you are doing a custom version, firewall commands go here.
296 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
297 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
298 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
299 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
300 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
301 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
302 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
303 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
304 $CHECK_MARK -j ACCEPT
305 @@ -385,10 +385,10 @@
307 # connection to my client subnet going down
308 # If you are doing a custom version, firewall commands go here.
309 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
310 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
311 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
312 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
313 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
315 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
316 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
317 $CHECK_MARK -j ACCEPT