Add strongswan (4.3.6) for testing.
1 diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
2 --- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
3 +++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100
4 @@ -374,10 +374,10 @@
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
9 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
13 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
14 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
15 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
16 #
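Review bot: `iptables -I IPSECINPUT 1 …` and the paired `IPSECOUTPUT` insertion assume those user-defined chains already exist and are reached from the built-in INPUT/OUTPUT chains; nothing in this patch creates them, so on a ruleset without them every insertion fails and the tunnel comes up with no firewall exception, with nothing but iptables' stderr to show for it. The same dependency is introduced by every chain-rename hunk in this file, including the IPSECFORWARD hunks and the ip6tables hunks, where IPSECINPUT/IPSECOUTPUT/IPSECFORWARD must exist separately in the IPv6 ruleset, and by the _updown_espmark hunks below. If the chains are created by the surrounding firewall setup outside this script that is fine, but a comment above this block, e.g. `# IPSECINPUT/IPSECOUTPUT/IPSECFORWARD are created by the host firewall setup, not by this script`, would spare the next maintainer the search and make the failure mode obvious when a rule insertion is logged as failed. The enclosing case arm starts before this hunk.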
17 @@ -387,10 +387,10 @@
18 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
19 then
20 logger -t $TAG -p $FAC_PRIO \
21 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
22 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
23 else
24 logger -t $TAG -p $FAC_PRIO \
25 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
26 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
27 fi
28 fi
29 ;;
30 @@ -398,10 +398,10 @@
31 # connection to me, with (left/right)firewall=yes, going down
32 # This is used only by the default updown script, not by your custom
33 # ones, so do not mess with it; see CAUTION comment up at top.
34 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
35 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
36 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
37 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
38 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
39 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
40 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
41 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
42 #
43 @@ -411,10 +411,10 @@
44 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
45 then
46 logger -t $TAG -p $FAC_PRIO -- \
47 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
48 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
49 else
50 logger -t $TAG -p $FAC_PRIO -- \
51 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
52 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
53 fi
54 fi
55 ;;
56 @@ -424,10 +424,10 @@
57 # ones, so do not mess with it; see CAUTION comment up at top.
58 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
59 then
60 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
61 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
62 -s $PLUTO_MY_CLIENT $S_MY_PORT \
63 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
64 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
65 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
66 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
67 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
68 fi
69 @@ -436,10 +436,10 @@
70 # or sometimes host access via the internal IP is needed
71 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
72 then
73 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
74 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
75 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
76 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
77 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
78 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
79 -s $PLUTO_MY_CLIENT $S_MY_PORT \
80 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
81 fi
82 @@ -450,12 +450,27 @@
83 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
84 then
85 logger -t $TAG -p $FAC_PRIO \
86 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
87 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
88 else
89 logger -t $TAG -p $FAC_PRIO \
90 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
91 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
92 fi
93 fi
94 +
95 + #
96 + # Open Firewall for ESP Traffic
97 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
98 + -s $PLUTO_PEER $S_PEER_PORT \
99 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
100 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
101 + -d $PLUTO_PEER $S_PEER_PORT \
102 + -s $PLUTO_ME $D_MY_PORT -j ACCEPT
103 + if [ $VPN_LOGGING ]
104 + then
105 + logger -t $TAG -p $FAC_PRIO \
106 + "ESP+ $PLUTO_PEER -- $PLUTO_ME"
107 + fi
108 +
109 ;;
110 down-client:iptables)
111 # connection to client subnet, with (left/right)firewall=yes, going down
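Review bot: The new ESP rules carry `$S_PEER_PORT` and `$D_MY_PORT`, which are defined outside the hunk; if they expand to `--sport`/`--dport` options as their use next to `-p $PLUTO_MY_PROTOCOL` in the rules above suggests, that is a TCP/UDP match that iptables rejects for `-p ESP`, so the insertion would fail exactly for port-restricted connections. On the outbound rule the peer's source-port variable is also paired with `-d` and the local destination-port variable with `-s`, so the directions are swapped relative to the inbound rule. ESP has no ports, so both rules should drop the port variables: `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT` and `iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP -s $PLUTO_ME -d $PLUTO_PEER -j ACCEPT`; the matching `-D` block in the `@@ -493,12 +508,27 @@` hunk needs the same change or the rules will never be removed on down. `if [ $VPN_LOGGING ]` is unquoted, which presumably follows the file's existing style, but `[ -n "$VPN_LOGGING" ]` would be safer.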
112 @@ -463,11 +478,11 @@
113 # ones, so do not mess with it; see CAUTION comment up at top.
114 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
115 then
116 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
117 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
118 -s $PLUTO_MY_CLIENT $S_MY_PORT \
119 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
120 $IPSEC_POLICY_OUT -j ACCEPT
121 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
122 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
123 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
124 -d $PLUTO_MY_CLIENT $D_MY_PORT \
125 $IPSEC_POLICY_IN -j ACCEPT
126 @@ -477,11 +492,11 @@
127 # or sometimes host access via the internal IP is needed
128 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
129 then
130 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
131 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
132 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
133 -d $PLUTO_MY_CLIENT $D_MY_PORT \
134 $IPSEC_POLICY_IN -j ACCEPT
135 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
136 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
137 -s $PLUTO_MY_CLIENT $S_MY_PORT \
138 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
139 $IPSEC_POLICY_OUT -j ACCEPT
140 @@ -493,12 +508,27 @@
141 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
142 then
143 logger -t $TAG -p $FAC_PRIO -- \
144 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
145 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
146 else
147 logger -t $TAG -p $FAC_PRIO -- \
148 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
149 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
150 fi
151 fi
152 +
153 + #
154 + # Close Firewall for ESP Traffic
155 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
156 + -s $PLUTO_PEER $S_PEER_PORT \
157 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
158 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
159 + -d $PLUTO_PEER $S_PEER_PORT \
160 + -s $PLUTO_ME $D_MY_PORT -j ACCEPT
161 + if [ $VPN_LOGGING ]
162 + then
163 + logger -t $TAG -p $FAC_PRIO \
164 + "ESP- $PLUTO_PEER -- $PLUTO_ME"
165 + fi
166 +
167 ;;
168 #
169 # IPv6
170 @@ -533,10 +563,10 @@
171 # connection to me, with (left/right)firewall=yes, coming up
172 # This is used only by the default updown script, not by your custom
173 # ones, so do not mess with it; see CAUTION comment up at top.
174 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
175 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
176 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
177 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
178 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
179 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
180 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
181 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
182 #
183 @@ -557,10 +587,10 @@
184 # connection to me, with (left/right)firewall=yes, going down
185 # This is used only by the default updown script, not by your custom
186 # ones, so do not mess with it; see CAUTION comment up at top.
187 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
188 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
189 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
190 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
191 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
192 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
193 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
194 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
195 #
196 @@ -583,10 +613,10 @@
197 # ones, so do not mess with it; see CAUTION comment up at top.
198 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
199 then
200 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
201 + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
202 -s $PLUTO_MY_CLIENT $S_MY_PORT \
203 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
204 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
205 + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
206 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
207 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
208 fi
209 @@ -595,10 +625,10 @@
210 # or sometimes host access via the internal IP is needed
211 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
212 then
213 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
214 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
215 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
216 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
217 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
218 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
219 -s $PLUTO_MY_CLIENT $S_MY_PORT \
220 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
221 fi
222 @@ -622,11 +652,11 @@
223 # ones, so do not mess with it; see CAUTION comment up at top.
224 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
225 then
226 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
227 + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
228 -s $PLUTO_MY_CLIENT $S_MY_PORT \
229 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
230 $IPSEC_POLICY_OUT -j ACCEPT
231 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
232 + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
233 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
234 -d $PLUTO_MY_CLIENT $D_MY_PORT \
235 $IPSEC_POLICY_IN -j ACCEPT
236 @@ -636,11 +666,11 @@
237 # or sometimes host access via the internal IP is needed
238 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
239 then
240 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
241 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
242 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
243 -d $PLUTO_MY_CLIENT $D_MY_PORT \
244 $IPSEC_POLICY_IN -j ACCEPT
245 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
246 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
247 -s $PLUTO_MY_CLIENT $S_MY_PORT \
248 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
249 $IPSEC_POLICY_OUT -j ACCEPT
250 diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
251 --- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200
252 +++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100
253 @@ -247,10 +247,10 @@
254 ESP_MARK=50
255
256 # add the following static rule to the INPUT chain in the mangle table
257 -# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
258 +# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
259
260 # NAT traversal via UDP encapsulation is supported with the rule
261 -# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
262 +# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
263
264 # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
265 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
266 @@ -325,10 +325,10 @@
267 up-host:*)
268 # connection to me coming up
269 # If you are doing a custom version, firewall commands go here.
270 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
271 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
272 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
273 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
274 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
275 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
276 -s $PLUTO_ME $S_MY_PORT \
277 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
278 #
279 @@ -346,10 +346,10 @@
280 # If you are doing a custom version, firewall commands go here.
281 # connection to me going down
282 # If you are doing a custom version, firewall commands go here.
283 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
284 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
285 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
286 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
287 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
288 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
289 -s $PLUTO_ME $S_MY_PORT \
290 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
291 #
292 @@ -365,10 +365,10 @@
293 up-client:)
294 # connection to my client subnet coming up
295 # If you are doing a custom version, firewall commands go here.
296 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
297 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
298 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
299 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
300 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
301 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
302 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
303 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
304 $CHECK_MARK -j ACCEPT
305 @@ -385,10 +385,10 @@
306 down-client:)
307 # connection to my client subnet going down
308 # If you are doing a custom version, firewall commands go here.
309 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
310 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
311 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
312 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
313 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
315 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
316 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
317 $CHECK_MARK -j ACCEPT