From: Arne Fitzenreiter
Date: Mon, 21 Dec 2009 00:19:08 +0000 (+0100)
Subject: Patch to make ipsec peers reachable from the ipfire.
X-Git-Tag: v2.9-beta1~562
X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=72c63a153127df4cf560cbcef67b9944f4cb68b2;hp=ee09e47e6da5d6934bce8dc676a9e81f0fc105f3;ds=sidebyside
Patch to make ipsec peers reachable from the ipfire.
---
diff --git a/config/rootfiles/core/34/filelists/files b/config/rootfiles/core/34/filelists/files
index ef7f6cc39c..f221a69d14 100644
--- a/config/rootfiles/core/34/filelists/files
+++ b/config/rootfiles/core/34/filelists/files
@@ -17,3 +17,4 @@ var/ipfire/langs/list
 var/ipfire/outgoing/bin/outgoingfw.pl
 var/ipfire/snort/oinkmaster.conf
 usr/local/sbin/setup
+usr/lib/ipsec/_updown
diff --git a/doc/packages-list.txt b/doc/packages-list.txt
index 99bb006056..9fc3014504 100644
--- a/doc/packages-list.txt
+++ b/doc/packages-list.txt
@@ -36,17 +36,17 @@
 * Unix-Syslog-0.100
 * XML-Parser-2.34
 * alsa-lib-1.0.21a
-* alsa-lib-1.0.21a-kmod-2.6.27.41-ipfire
+* alsa-lib-1.0.21a-kmod-2.6.27.42-ipfire
 * amavisd-new-2.5.2
 * apcupsd-3.14.4
 * applejuice-0.31
 * arping-2.05
 * as86-0.16.17
 * asterisk-1.4.26.3
-* atl1c-kmod-2.6.27.41-ipfire
-* atl1c-kmod-2.6.27.41-ipfire-xen
-* atl2-2.0.5-kmod-2.6.27.41-ipfire
-* atl2-2.0.5-kmod-2.6.27.41-ipfire-xen
+* atl1c-kmod-2.6.27.42-ipfire
+* atl1c-kmod-2.6.27.42-ipfire-xen
+* atl2-2.0.5-kmod-2.6.27.42-ipfire
+* atl2-2.0.5-kmod-2.6.27.42-ipfire-xen
 * autoconf-2.59
 * automake-1.9.6
 * backup-ipfire
@@ -71,8 +71,8 @@
 * clamav-0.95.3
 * cmake-2.4.8
 * collectd-4.5.3
-* compat-wireless-2.6.32-rc7-kmod-2.6.27.41-ipfire
-* compat-wireless-2.6.32-rc7-kmod-2.6.27.41-ipfire-xen
+* compat-wireless-2.6.32.2-kmod-2.6.27.42-ipfire
+* compat-wireless-2.6.32.2-kmod-2.6.27.42-ipfire-xen
 * coreutils-5.96
 * cpio-2.6
 * cpufrequtils-005
@@ -81,8 +81,8 @@
 * cyrus-imapd-2.2.12
 * cyrus-sasl-2.1.21
 * dahdi-2.2.0.2
-* dahdi-2.2.0.2-kmod-2.6.27.41-ipfire
-* dahdi-2.2.0.2-kmod-2.6.27.41-ipfire-xen
+* dahdi-2.2.0.2-kmod-2.6.27.42-ipfire
+* dahdi-2.2.0.2-kmod-2.6.27.42-ipfire-xen
 * db-4.4.20
 * dbus-1.0.3
 * dhcp-3.1.0
@@ -90,8 +90,8 @@
 * diffutils-2.8.1
 * dnsmasq-2.45
 * dosfstools-2.11
-* e1000e-1.0.2.5-kmod-2.6.27.41-ipfire
-* e1000e-1.0.2.5-kmod-2.6.27.41-ipfire-xen
+* e1000e-1.0.2.5-kmod-2.6.27.42-ipfire
+* e1000e-1.0.2.5-kmod-2.6.27.42-ipfire-xen
 * e2fsprogs-1.39
 * ebtables-v2.0.8-2
 * ed-0.2
@@ -137,8 +137,8 @@
 * hdparm-8.9
 * hostapd-0.6.9
 * hplip-2.7.10
-* hso-1.9-kmod-2.6.27.41-ipfire
-* hso-1.9-kmod-2.6.27.41-ipfire-xen
+* hso-1.9-kmod-2.6.27.42-ipfire
+* hso-1.9-kmod-2.6.27.42-ipfire-xen
 * htop-0.8.1
 * httpd-2.2.11
 * hwdata
@@ -162,10 +162,10 @@
 * jpegsrc.v6b
 * kbd-1.12
 * klibc-1.5.14
-* kqemu-1.4.0pre1-kmod-2.6.27.41-ipfire
-* kqemu-1.4.0pre1-kmod-2.6.27.41-ipfire-xen
+* kqemu-1.4.0pre1-kmod-2.6.27.42-ipfire
+* kqemu-1.4.0pre1-kmod-2.6.27.42-ipfire-xen
 * kudzu-1.2.64
-* kvm-kmod-2.6.31.5-kmod-2.6.27.41-ipfire
+* kvm-kmod-2.6.31.5-kmod-2.6.27.42-ipfire
 * l7-protocols-2009-05-10
 * lame-3.97
 * lcd4linux-0.10.1-RC2
@@ -195,8 +195,8 @@
 * libwww-perl-5.803
 * libxml2-2.6.26
 * libxslt-1.1.17
-* linux-2.6.27.41-ipfire
-* linux-2.6.27.41-ipfire-xen
+* linux-2.6.27.42-ipfire
+* linux-2.6.27.42-ipfire-xen
 * linux-atm-2.4.1
 * linux-libc-headers-2.6.12.0
 * lm_sensors-3.0.3
@@ -206,11 +206,11 @@
 * lynis-1.2.6
 * lzo-2.02
 * m4-1.4.4
-* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.41-ipfire
-* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.41-ipfire-xen
+* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.42-ipfire
+* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.42-ipfire-xen
 * mISDNuser.git-54928dec57bc846f2c2186f3640e69a053cd3641
-* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.41-ipfire
-* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.41-ipfire-xen
+* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.42-ipfire
+* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.42-ipfire-xen
 * make-3.81
 * man-db-2.4.3
 * man-pages-2.34
@@ -258,8 +258,8 @@
 * openssh-5.2p1
 * openssl-0.9.8k
 * openswan-2.6.23
-* openswan-2.6.23-kmod-2.6.27.41-ipfire
-* openswan-2.6.23-kmod-2.6.27.41-ipfire-xen
+* openswan-2.6.23-kmod-2.6.27.42-ipfire
+* openswan-2.6.23-kmod-2.6.27.42-ipfire-xen
 * openvpn-2.1_rc20
 * p7zip_4.65
 * pam_mysql-0.7RC1
@@ -280,12 +280,12 @@
 * procps-3.2.6
 * psmisc-22.2
 * qemu-0.11.0
-* r8101-kmod-2.6.27.41-ipfire
-* r8101-kmod-2.6.27.41-ipfire-xen
-* r8168-8.014.00-kmod-2.6.27.41-ipfire
-* r8168-8.014.00-kmod-2.6.27.41-ipfire-xen
-* r8169-6.011.00-kmod-2.6.27.41-ipfire
-* r8169-6.011.00-kmod-2.6.27.41-ipfire-xen
+* r8101-kmod-2.6.27.42-ipfire
+* r8101-kmod-2.6.27.42-ipfire-xen
+* r8168-8.014.00-kmod-2.6.27.42-ipfire
+* r8168-8.014.00-kmod-2.6.27.42-ipfire-xen
+* r8169-6.011.00-kmod-2.6.27.42-ipfire
+* r8169-6.011.00-kmod-2.6.27.42-ipfire-xen
 * readline-5.1
 * reiser4progs-1.0.5
 * reiserfsprogs-3.6.19
@@ -341,8 +341,8 @@
 * usb_modeswitch-1.0.5
 * usbutils-0.72
 * util-linux-2.12r
-* v4l-dvb-aba823ecaea6-kmod-2.6.27.41-ipfire
-* v4l-dvb-aba823ecaea6-kmod-2.6.27.41-ipfire-xen
+* v4l-dvb-aba823ecaea6-kmod-2.6.27.42-ipfire
+* v4l-dvb-aba823ecaea6-kmod-2.6.27.42-ipfire-xen
 * vdr-1.6.0
 * vdradmin-am-3.6.4
 * vim-7.0
diff --git a/lfs/openswan b/lfs/openswan
index a72596deba..f3e3a2fca9 100644
--- a/lfs/openswan
+++ b/lfs/openswan
@@ -115,6 +115,7 @@ else
 cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.16-startklips-1.patch
 cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.16-updown.klips-1.patch
+ cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
 cd /etc/ipsec.d/policies && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.16-clear-1.patch
 endif
 #@rm -rf $(DIR_APP)
diff --git a/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch b/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
new file mode 100644
index 0000000000..4d06228054
--- /dev/null
+++ b/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
@@ -0,0 +1,24 @@
+--- /usr/lib/ipsec/_updown 2009-10-08 01:43:58.000000000 +0200
++++ /usr/lib/ipsec/_updown 2009-12-20 23:13:24.000000000 +0100
+@@ -128,6 +128,21 @@
+ 2.*) ;;
+ esac
+
++# add/remove rules to reach vpn-peers from ipfire
++src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
++
++case "$PLUTO_VERB" in
++"route-client")
++ logger -t "ipsec_updown" "iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++ /sbin/iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ ;;
++
++"unroute-client")
++ logger -t "ipsec_updown" "iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++ /sbin/iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ ;;
++esac
++
+ if [ -x /usr/lib/ipsec/_updown.${PLUTO_STACK} ]
+ then
+ exec /usr/lib/ipsec/_updown.${PLUTO_STACK} $*
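Review bot: The new `src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev ... src; echo $src))` line in the `_updown` patch derives the SNAT source address by field position from an unanchored grep over the whole routing table, which is brittle: the unquoted pattern's dots match any character so unrelated routes can match, a route printed with a `via` gateway shifts the field positions, and when no `src` field is present the variable is empty and both `iptables ... -j SNAT --to $src` calls fail after the preceding `logger` line has already recorded the command. A more robust derivation is `src=$(/sbin/ip -o route show to "$PLUTO_MY_CLIENT" | sed -n 's/.* src \([^ ]*\).*/\1/p' | head -n 1)`, and the rule management should be skipped when it is empty, e.g. `case "${src:+$PLUTO_VERB}" in`, so that the script still falls through to the `_updown.${PLUTO_STACK}` exec below. Separately, the route-client arm uses `-A` on every invocation while the unroute-client arm's `-D` removes only one matching rule, so if pluto issues route-client more than once for the same connection (on rekey, for instance — worth confirming against the pluto version shipped) the CUSTOMPOSTROUTING chain accumulates duplicate SNAT rules; running the `-D` form before `-A` in the route-client arm keeps it to one rule per peer. Nothing in this commit shows where the CUSTOMPOSTROUTING chain is created, so a comment naming the firewall script that owns it would help the next maintainer. The enclosing `_updown` script starts and ends outside the hunk.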