1 diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
2 --- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
3 +++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-27 16:32:13.000000000 +0100
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
9 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
13 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
14 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
15 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
16 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
18 # log IPsec host connection setup
21 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
23 logger -t $TAG -p $FAC_PRIO \
24 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
25 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
27 logger -t $TAG -p $FAC_PRIO \
28 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
29 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
34 # connection to me, with (left/right)firewall=yes, going down
35 # This is used only by the default updown script, not by your custom
36 # ones, so do not mess with it; see CAUTION comment up at top.
37 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
38 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
39 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
40 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
41 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
42 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
43 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
44 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
45 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
47 # log IPsec host connection teardown
50 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
52 logger -t $TAG -p $FAC_PRIO -- \
53 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
54 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
56 logger -t $TAG -p $FAC_PRIO -- \
57 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
58 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
63 # ones, so do not mess with it; see CAUTION comment up at top.
64 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
66 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
67 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
68 -s $PLUTO_MY_CLIENT $S_MY_PORT \
69 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
70 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
71 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
72 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
73 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
74 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
77 # or sometimes host access via the internal IP is needed
78 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
80 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
81 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
82 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
83 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
84 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
85 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
86 -s $PLUTO_MY_CLIENT $S_MY_PORT \
87 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
88 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
91 # log IPsec client connection setup
93 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
95 logger -t $TAG -p $FAC_PRIO \
96 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
97 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
99 logger -t $TAG -p $FAC_PRIO \
100 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
101 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
106 + # Open Firewall for AH + ESP Traffic
107 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
108 + -s $PLUTO_PEER $S_PEER_PORT \
109 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
110 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
111 + -s $PLUTO_PEER $S_PEER_PORT \
112 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
113 + if [ $VPN_LOGGING ]
115 + logger -t $TAG -p $FAC_PRIO \
116 + "ESP+ $PLUTO_PEER -- $PLUTO_ME"
120 down-client:iptables)
121 # connection to client subnet, with (left/right)firewall=yes, going down
122 @@ -463,11 +478,11 @@
123 # ones, so do not mess with it; see CAUTION comment up at top.
124 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
126 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
127 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
128 -s $PLUTO_MY_CLIENT $S_MY_PORT \
129 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
130 - $IPSEC_POLICY_OUT -j ACCEPT
131 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
132 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
133 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
134 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
135 -d $PLUTO_MY_CLIENT $D_MY_PORT \
136 $IPSEC_POLICY_IN -j ACCEPT
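Review bot: The outbound rule `$IPSEC_POLICY_OUT -j MARK --set-mark 50` in this hunk (and its inserted twin in the up-client case, the IPSECOUTPUT rules in the next hunk, and the host-case hunks above) now sets a packet mark instead of accepting, but the command runs in the default filter table with no `-t mangle`, and whether MARK is accepted there depends on the kernel/iptables version in use — confirm on the target platform. MARK is non-terminating, so the packet keeps traversing IPSECFORWARD/IPSECOUTPUT and is only accepted if a rule outside this script matches `-m mark --mark 50`; nothing in this patch creates the IPSEC* chains and no `iptables` call has its exit status checked, so a missing chain leaves the tunnel up with no rule installed and only an error on stderr. A comment at the first marked rule would help, e.g. `# MARK, not ACCEPT: the accept/route decision for mark 50 is made outside this script; IPSEC{INPUT,OUTPUT,FORWARD} must already exist`, and the literal 50 repeated in every rule deserves one named variable.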
137 @@ -477,14 +492,14 @@
138 # or sometimes host access via the internal IP is needed
139 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
141 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
142 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
143 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
144 -d $PLUTO_MY_CLIENT $D_MY_PORT \
145 $IPSEC_POLICY_IN -j ACCEPT
146 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
147 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
148 -s $PLUTO_MY_CLIENT $S_MY_PORT \
149 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
150 - $IPSEC_POLICY_OUT -j ACCEPT
151 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
154 # log IPsec client connection teardown
155 @@ -493,12 +508,27 @@
156 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
158 logger -t $TAG -p $FAC_PRIO -- \
159 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
160 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
162 logger -t $TAG -p $FAC_PRIO -- \
163 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
164 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
169 + # Close Firewall for AH+ESP Traffic
170 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
171 + -s $PLUTO_PEER $S_PEER_PORT \
172 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
173 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
174 + -s $PLUTO_PEER $S_PEER_PORT \
175 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
176 + if [ $VPN_LOGGING ]
178 + logger -t $TAG -p $FAC_PRIO \
179 + "ESP- $PLUTO_PEER -- $PLUTO_ME"
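Review bot: The added `iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH` / `-p ESP` rules (and the matching `-I` rules in the up-client case) carry `$S_PEER_PORT` and `$D_MY_PORT`, which this script builds as `--sport`/`--dport` options when the connection's traffic selectors name ports; iptables rejects port matches for `-p AH`/`-p ESP`, so for such connections the rule is neither inserted nor deleted. Drop `$S_PEER_PORT` and `$D_MY_PORT` from the four AH/ESP rules. The rules are also only added in the client cases and not in up-host/down-host, and a NAT-traversed peer presumably sends ESP inside UDP/4500 rather than as IP protocol ESP, so those connections would not be covered — worth a comment such as `# AH/ESP between the gateways themselves; NAT-T (UDP 4500) is not matched here`. The `ESP-` log message is also emitted for the AH rule, and the closing `fi` lines of this hunk are not visible here.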
185 @@ -533,10 +563,10 @@
186 # connection to me, with (left/right)firewall=yes, coming up
187 # This is used only by the default updown script, not by your custom
188 # ones, so do not mess with it; see CAUTION comment up at top.
189 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
190 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
191 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
192 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
193 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
194 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
195 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
196 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
198 @@ -557,10 +587,10 @@
199 # connection to me, with (left/right)firewall=yes, going down
200 # This is used only by the default updown script, not by your custom
201 # ones, so do not mess with it; see CAUTION comment up at top.
202 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
203 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
204 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
205 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
206 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
207 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
208 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
209 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
211 @@ -583,10 +613,10 @@
212 # ones, so do not mess with it; see CAUTION comment up at top.
213 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
215 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
216 + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
217 -s $PLUTO_MY_CLIENT $S_MY_PORT \
218 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
219 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
220 + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
221 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
222 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
224 @@ -595,10 +625,10 @@
225 # or sometimes host access via the internal IP is needed
226 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
228 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
229 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
230 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
231 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
232 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
233 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
234 -s $PLUTO_MY_CLIENT $S_MY_PORT \
235 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
237 @@ -622,11 +652,11 @@
238 # ones, so do not mess with it; see CAUTION comment up at top.
239 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
241 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
242 + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
243 -s $PLUTO_MY_CLIENT $S_MY_PORT \
244 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
245 $IPSEC_POLICY_OUT -j ACCEPT
246 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
247 + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
248 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
249 -d $PLUTO_MY_CLIENT $D_MY_PORT \
250 $IPSEC_POLICY_IN -j ACCEPT
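Review bot: The ip6tables rules in this hunk (and the other ip6tables hunks above) are moved into the IPSEC* chains but keep `$IPSEC_POLICY_OUT -j ACCEPT`, whereas the IPv4 counterparts of the same rules switch to `-j MARK --set-mark 50`, and no AH/ESP accept rules are added on the IPv6 side. If the IPv6 path is meant to stay on plain ACCEPT, state it where the chains are first used, e.g. `# IPv6: rules accept directly; the mark-50 handling applies to IPv4 only`; otherwise the two address families end up under different policies for the same connection. Whether the IPv6 side was intentionally left behind cannot be told from this patch.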
251 @@ -636,11 +666,11 @@
252 # or sometimes host access via the internal IP is needed
253 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
255 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
256 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
257 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
258 -d $PLUTO_MY_CLIENT $D_MY_PORT \
259 $IPSEC_POLICY_IN -j ACCEPT
260 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
261 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
262 -s $PLUTO_MY_CLIENT $S_MY_PORT \
263 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
264 $IPSEC_POLICY_OUT -j ACCEPT