strongswan: Do not create any NAT rules when using VTI/GRE
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 4 Feb 2019 18:38:24 +0000 (18:38 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 4 Feb 2019 18:38:24 +0000 (18:38 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/strongswan
src/patches/strongswan-ipfire-interfaces.patch [new file with mode: 0644]

index 99261ce934a545f6eac4bd368287493cd70acd24..4174f78fe5b2fa2e8bbaef1580e8b4140a7832d3 100644 (file)
@@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
 
        cd $(DIR_APP) && ./configure \
                --prefix="/usr" \
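Review bot: The added `cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch` line gives no hint of what the patch changes, so a maintainer reading the LFS file later has to open the patch to learn why it is applied. A one-line comment above it would close that gap, for example `# strongswan-ipfire-interfaces.patch: _updown skips the IPSECNAT SNAT rule when the connection has interface_mode set (VTI/GRE)`, which is what the patch body added in this commit appears to do. The two existing patch lines above it have the same gap, so one comment could cover all three. The recipe of the `$(TARGET)` rule continues outside the hunk.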
diff --git a/src/patches/strongswan-ipfire-interfaces.patch b/src/patches/strongswan-ipfire-interfaces.patch
new file mode 100644 (file)
index 0000000..5ec96a4
--- /dev/null
@@ -0,0 +1,72 @@
+--- strongswan-5.7.0/src/_updown/_updown.in.bak        2019-02-06 18:19:25.723893992 +0000
++++ strongswan-5.7.0/src/_updown/_updown.in    2019-02-06 18:28:21.520560665 +0000
+@@ -130,6 +130,13 @@
+ #              address family.
+ #
++VARS=(
++      id status name lefthost type ctype psk local local_id leftsubnets
++      remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
++      x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
++      route x23 mode interface_mode interface_address interface_mtu rest
++)
++
+ function ip_encode() {
+       local IFS=.
+@@ -319,6 +326,13 @@
+       fi
+       ;;
+ up-client:iptables)
++      # Read IPsec configuration
++      while IFS="," read -r "${VARS[@]}"; do
++              if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
++                      break
++              fi
++      done < /var/ipfire/vpn/config
++
+       # connection to client subnet, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -383,23 +397,25 @@
+             "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+       fi
+-      # Add source nat so also the gateway can access the other nets
+-      eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+-      for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+-              ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+-              if [ $? -eq 0 ]; then
+-                      src=${_src}
+-                      break
++      if [ -z "${interface_mode}" ]; then
++              # Add source nat so also the gateway can access the other nets
++              eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
++              for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
++                      ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
++                      if [ $? -eq 0 ]; then
++                              src=${_src}
++                              break
++                      fi
++              done
++
++              if [ -n "${src}" ]; then
++                      iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++                      logger -t $TAG -p $FAC_PRIO \
++                              "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
++              else
++                      logger -t $TAG -p $FAC_PRIO \
++                              "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+               fi
+-      done
+-
+-      if [ -n "${src}" ]; then
+-              iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+-              logger -t $TAG -p $FAC_PRIO \
+-                      "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+-      else
+-              logger -t $TAG -p $FAC_PRIO \
+-                      "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+       fi
+       # Flush routing cache