This is a more general name for a script that will be extended
soon to do more than just add blocking rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
VPN_CONFIG="/var/ipfire/vpn/config"
VPN_CONFIG="/var/ipfire/vpn/config"
+VARS=(
+ id status name lefthost type ctype x1 x2 x3 leftsubnets
+ x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
+ route rest
+)
+
block_subnet() {
local subnet="${1}"
local action="${2}"
block_subnet() {
local subnet="${1}"
local action="${2}"
# Flush all exists rules
iptables -F IPSECBLOCK
# Flush all exists rules
iptables -F IPSECBLOCK
- local action
-
- local vars="id status name lefthost type ctype x1 x2 x3 leftsubnets"
- vars="${vars} x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12"
- vars="${vars} x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24"
- vars="${vars} route rest"
-
# Register local variables
# Register local variables
+ local "${VARS[@]}"
+ local action
- while IFS="," read -r ${vars}; do
+ while IFS="," read -r "${VARS[@]}"; do
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
+install_policy || exit $?
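Review bot: `VARS` at the top of the file is a fixed description of the column order of `${VPN_CONFIG}`, yet it is declared with a plain assignment, so later code can silently alter the field list that `local "${VARS[@]}"` and `read -r "${VARS[@]}"` depend on; declare it `readonly -a VARS=(` and document the placeholders, e.g. `# Column order of ${VPN_CONFIG}; the xN names are columns this script does not read, rest absorbs any surplus fields`. The function holding the `while IFS="," read` loop begins before the hunk and its body continues past it, so whether every listed name is consumed there cannot be checked from this view, and the added `install_policy || exit $?` is shown without surrounding context, so the line it replaces is not visible. Separately, the pre-existing `iptables -F IPSECBLOCK` above the loop empties the chain before the loop refills it; if those rules are what holds back traffic while a tunnel is down, that brief gap deserves a comment, though it predates this rename.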
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
#usr/lib
usr/lib/firewall
usr/lib/firewall/firewall-lib.pl
-usr/lib/firewall/ipsec-block
+usr/lib/firewall/ipsec-policy
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
usr/lib/firewall/rules.pl
#usr/lib/libgcc_s.so
usr/lib/libgcc_s.so.1
/usr/lib/firewall/rules.pl
install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \
/usr/lib/firewall/firewall-lib.pl
/usr/lib/firewall/rules.pl
install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \
/usr/lib/firewall/firewall-lib.pl
- install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \
- /usr/lib/firewall/ipsec-block
+ install -m 755 $(DIR_SRC)/config/firewall/ipsec-policy \
+ /usr/lib/firewall/ipsec-policy
# Nobody user
-mkdir -p /home/nobody
# Nobody user
-mkdir -p /home/nobody
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
- # Populate IPsec block chain
- /usr/lib/firewall/ipsec-block
+ # Populate IPsec chains
+ /usr/lib/firewall/ipsec-policy
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
"/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
// Reload the configuration into the daemon (#10339).
ipsec_reload();
// Reload the configuration into the daemon (#10339).
ipsec_reload();
// Reload, so the connection is dropped.
ipsec_reload();
// Reload, so the connection is dropped.
ipsec_reload();
- // Reload the IPsec block chain
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ // Reload the IPsec firewall policy
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
}
int main(int argc, char *argv[]) {
}
int main(int argc, char *argv[]) {
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
+ safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}
safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}