1 diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in
2 --- strongswan-4.4.0.org/src/_updown/_updown.in 2010-03-15 21:52:51.000000000 +0100
3 +++ strongswan-4.4.0/src/_updown/_updown.in 2010-05-12 12:50:41.000000000 +0200
4 @@ -374,12 +374,12 @@
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
9 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
13 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
14 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
15 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
16 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
17 #
18 # log IPsec host connection setup
19 if [ $VPN_LOGGING ]
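Review bot: The outbound rule rewritten on L16-L19 now ends in `-j MARK --set-mark 50` instead of `-j ACCEPT`, so the packet keeps traversing the chain and the accept decision for outbound IPsec traffic has to come from a rule matching mark 50 that this patch does not contain; that dependency, and the requirement that the IPSECINPUT/IPSECOUTPUT/IPSECFORWARD user chains already exist when the updown script runs, deserves a comment on the first new rule such as `# IPSEC* chains and the rule that accepts mark 50 must already exist (firewall setup), iptables fails here otherwise`. The matching `-D` rules in the hunks at L36, L134 and L149 carry the same MARK target, so add/delete pairs stay consistent; the hunks at L65 and L79 apply the same chain rename. Note that none of these iptables calls check their exit status, so a missing chain is only visible in the kernel/iptables error output. The enclosing case arm continues outside the hunk.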
20 @@ -387,10 +387,10 @@
21 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
22 then
23 logger -t $TAG -p $FAC_PRIO \
24 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
25 + "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
26 else
27 logger -t $TAG -p $FAC_PRIO \
28 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
29 + "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
30 fi
31 fi
32 ;;
33 @@ -398,12 +398,12 @@
34 # connection to me, with (left/right)firewall=yes, going down
35 # This is used only by the default updown script, not by your custom
36 # ones, so do not mess with it; see CAUTION comment up at top.
37 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
38 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
39 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
40 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
41 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
42 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
43 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
44 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
45 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
46 #
47 # log IPsec host connection teardown
48 if [ $VPN_LOGGING ]
49 @@ -411,10 +411,10 @@
50 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
51 then
52 logger -t $TAG -p $FAC_PRIO -- \
53 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
54 + "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
55 else
56 logger -t $TAG -p $FAC_PRIO -- \
57 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
58 + "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
59 fi
60 fi
61 ;;
62 @@ -424,10 +424,10 @@
63 # ones, so do not mess with it; see CAUTION comment up at top.
64 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
65 then
66 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
67 + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
68 -s $PLUTO_MY_CLIENT $S_MY_PORT \
69 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
70 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
71 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
72 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
73 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
74 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
75 fi
76 @@ -436,12 +436,12 @@
77 # or sometimes host access via the internal IP is needed
78 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
79 then
80 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
81 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
82 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
83 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
84 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
85 + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
86 -s $PLUTO_MY_CLIENT $S_MY_PORT \
87 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
88 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
89 fi
90 #
91 # log IPsec client connection setup
92 @@ -450,12 +450,36 @@
93 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
94 then
95 logger -t $TAG -p $FAC_PRIO \
96 - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
97 + "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
98 else
99 logger -t $TAG -p $FAC_PRIO \
100 - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
101 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
102 fi
103 fi
104 +
105 + #
106 + # Open Firewall for IPinIP + AH + ESP Traffic
107 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
108 + -s $PLUTO_PEER $S_PEER_PORT \
109 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
110 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
111 + -s $PLUTO_PEER $S_PEER_PORT \
112 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
113 + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
114 + -s $PLUTO_PEER $S_PEER_PORT \
115 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
116 + if [ $VPN_LOGGING ]
117 + then
118 + logger -t $TAG -p $FAC_PRIO \
119 + "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
120 + fi
121 +
122 + # Add source nat so also the gateway can access the other nets
123 + src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
124 + iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
125 + logger -t $TAG -p $FAC_PRIO \
126 + "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
127 +
128 ;;
129 down-client:iptables)
130 # connection to client subnet, with (left/right)firewall=yes, going down
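Review bot: The new rule on L110 uses `-p IP`, which the comment on L109 describes as IPinIP, but if that name resolves through /etc/protocols to protocol number 0, iptables treats it as `all` and the rule admits every protocol from $PLUTO_PEER to $PLUTO_ME rather than only encapsulated IP; IP-in-IP is protocol 4, so `-p 4` is what the comment describes — please verify how `IP` resolves on the target system. The teardown hunk at L167 repeats the same construct on L182 and must be changed in step, or the `-D` will not match. Separately, the `snat+` logger call on L128 is unconditional while every other logger call in this script is gated on `$VPN_LOGGING`; wrapping it in the same `if [ $VPN_LOGGING ]` keeps the logging policy uniform. The enclosing case arm starts outside the hunk.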
131 @@ -463,11 +487,11 @@
132 # ones, so do not mess with it; see CAUTION comment up at top.
133 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
134 then
135 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
136 + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
137 -s $PLUTO_MY_CLIENT $S_MY_PORT \
138 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
139 - $IPSEC_POLICY_OUT -j ACCEPT
140 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
141 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
142 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
143 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
144 -d $PLUTO_MY_CLIENT $D_MY_PORT \
145 $IPSEC_POLICY_IN -j ACCEPT
146 @@ -477,14 +501,14 @@
147 # or sometimes host access via the internal IP is needed
148 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
149 then
150 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
151 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
152 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
153 -d $PLUTO_MY_CLIENT $D_MY_PORT \
154 $IPSEC_POLICY_IN -j ACCEPT
155 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
156 + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
157 -s $PLUTO_MY_CLIENT $S_MY_PORT \
158 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
159 - $IPSEC_POLICY_OUT -j ACCEPT
160 + $IPSEC_POLICY_OUT -j MARK --set-mark 50
161 fi
162 #
163 # log IPsec client connection teardown
164 @@ -493,12 +517,36 @@
165 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
166 then
167 logger -t $TAG -p $FAC_PRIO -- \
168 - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
169 + "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
170 else
171 logger -t $TAG -p $FAC_PRIO -- \
172 - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
173 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
174 fi
175 fi
176 +
177 + #
178 + # Close Firewall for IPinIP + AH + ESP Traffic
179 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
180 + -s $PLUTO_PEER $S_PEER_PORT \
181 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
182 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
183 + -s $PLUTO_PEER $S_PEER_PORT \
184 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
185 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
186 + -s $PLUTO_PEER $S_PEER_PORT \
187 + -d $PLUTO_ME $D_MY_PORT -j ACCEPT
188 + if [ $VPN_LOGGING ]
189 + then
190 + logger -t $TAG -p $FAC_PRIO \
191 + "tunnel- $PLUTO_PEER -- $PLUTO_ME"
192 + fi
193 +
194 + # remove source nat
195 + src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
196 + iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
197 + logger -t $TAG -p $FAC_PRIO \
198 + "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
199 +
200 ;;
201 #
202 # IPv6
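Review bot: The `src` lookup on L198 passes `$PLUTO_MY_CLIENT` unquoted to `grep` as a regular expression (dots match any character, and a prefix such as a shorter network also matches) and depends on `ip route` printing exactly the field order the positional `read` expects; when either assumption fails `src` is empty, the `iptables -t nat -D ... --to $src` on L199 errors out, and the SNAT rule inserted by L127 on the up path survives the tunnel teardown. The up-side computation on L126 has the same fragility. A fixed-string, guarded form is below; the positional `read` is kept as-is, though it appears to assume a `... dev X proto Y scope Z src A` route line — confirm against the routes IPFire actually installs.
```shell
# remove source nat
src=$(/sbin/ip route | grep -F -- "$PLUTO_MY_CLIENT" | (read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo "$src"))
if [ -n "$src" ]
then
  iptables -t nat -D IPSECNAT -o "$PLUTO_INTERFACE" -s "$PLUTO_ME" -d "$PLUTO_PEER_CLIENT" -j SNAT --to "$src"
  logger -t $TAG -p $FAC_PRIO \
    "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
fi
```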
203 @@ -533,10 +581,10 @@
204 # connection to me, with (left/right)firewall=yes, coming up
205 # This is used only by the default updown script, not by your custom
206 # ones, so do not mess with it; see CAUTION comment up at top.
207 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
208 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
209 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
210 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
211 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
212 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
213 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
214 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
215 #
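Review bot: The ip6tables rule on L215-L217 keeps `-j ACCEPT` on the IPSECOUTPUT rule while the IPv4 counterpart on L16-L19 was switched to `-j MARK --set-mark 50`; the same asymmetry recurs in the IPv6 hunks at L232, L245, L258 and L272, and the IPv6 arms also receive none of the AH/ESP/IP-in-IP opening or SNAT handling added for IPv4. If IPv6 is deliberately left on the direct-accept path, a comment on the first ip6tables rule such as `# IPv6: no mark-based policy here, rules accept directly (differs from IPv4 arms above)` would stop a later reader from "fixing" it; if not, the IPv6 arms need the same treatment. The enclosing case arm continues outside the hunk.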
216 @@ -557,10 +605,10 @@
217 # connection to me, with (left/right)firewall=yes, going down
218 # This is used only by the default updown script, not by your custom
219 # ones, so do not mess with it; see CAUTION comment up at top.
220 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
221 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
222 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
223 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
224 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
225 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
226 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
227 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
228 #
229 @@ -583,10 +631,10 @@
230 # ones, so do not mess with it; see CAUTION comment up at top.
231 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
232 then
233 - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
234 + ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
235 -s $PLUTO_MY_CLIENT $S_MY_PORT \
236 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
237 - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
238 + ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
239 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
240 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
241 fi
242 @@ -595,10 +643,10 @@
243 # or sometimes host access via the internal IP is needed
244 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
245 then
246 - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
247 + ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
248 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
249 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
250 - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
251 + ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
252 -s $PLUTO_MY_CLIENT $S_MY_PORT \
253 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
254 fi
255 @@ -622,11 +670,11 @@
256 # ones, so do not mess with it; see CAUTION comment up at top.
257 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
258 then
259 - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
260 + ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
261 -s $PLUTO_MY_CLIENT $S_MY_PORT \
262 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
263 $IPSEC_POLICY_OUT -j ACCEPT
264 - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
265 + ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
266 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
267 -d $PLUTO_MY_CLIENT $D_MY_PORT \
268 $IPSEC_POLICY_IN -j ACCEPT
269 @@ -636,11 +684,11 @@
270 # or sometimes host access via the internal IP is needed
271 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
272 then
273 - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
274 + ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
275 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
276 -d $PLUTO_MY_CLIENT $D_MY_PORT \
277 $IPSEC_POLICY_IN -j ACCEPT
278 - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
279 + ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
280 -s $PLUTO_MY_CLIENT $S_MY_PORT \
281 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
282 $IPSEC_POLICY_OUT -j ACCEPT