From: Arne Fitzenreiter
Date: Mon, 21 Dec 2009 01:26:09 +0000 (+0100)
Subject: Move ipsec postrouting rules to a own chain.
X-Git-Tag: v2.9-beta1~561
X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=b68e5c14b62726ce80e54f989ac8cfb11c6f3515

Move ipsec postrouting rules to a own chain.
---
diff --git a/config/rootfiles/core/34/filelists/files b/config/rootfiles/core/34/filelists/files
index f221a69d14..0e92145600 100644
--- a/config/rootfiles/core/34/filelists/files
+++ b/config/rootfiles/core/34/filelists/files
@@ -3,6 +3,7 @@ etc/rc.d/init.d/networking/red
 etc/rc.d/init.d/networking/dhcpcd.exe
 etc/rc.d/helper/getdnsfromdhcpc.pl
 etc/rc.d/init.d/tmpfs
+etc/rc.d/init.d/firewall
 boot/grub/grub.conf
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/mac.cgi
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 62da3120bc..1f400ad478 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -167,7 +167,9 @@ case "$1" in
 /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
 /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD"
 /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
-
+ /sbin/iptables -t nat -N IPSECPOSTROUTING
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECPOSTROUTING
+
 
 # Outgoing Firewall
 /sbin/iptables -A FORWARD -j OUTGOINGFW
diff --git a/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch b/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
index 4d06228054..20f85605c5 100644
--- a/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
+++ b/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
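Review bot: The new IPSECPOSTROUTING chain is created with a bare `-N` and its POSTROUTING jump is appended without the `-m comment --comment` label that every neighbouring rule in this block carries, so the one hook that a third party (the openswan updown script) later fills is also the one rule `iptables -t nat -L` cannot attribute. If this branch can run again without the nat table's user chains being flushed and deleted first (that setup, if any, lies outside the hunk), `-N` fails on the existing chain and a second `-j IPSECPOSTROUTING` jump is appended; I would write `/sbin/iptables -t nat -N IPSECPOSTROUTING 2>/dev/null || /sbin/iptables -t nat -F IPSECPOSTROUTING` followed by `/sbin/iptables -t nat -A POSTROUTING -j IPSECPOSTROUTING -m comment --comment "IPSECPOSTROUTING"`. Since the per-tunnel SNAT rules live only in this chain and are added by the updown hook rather than by this script, they are presumably lost whenever the nat table is flushed here, leaving established tunnels without their SNAT until the connection is re-routed; a comment above the `-N` line stating that the chain is populated and emptied by the ipsec updown hook would make that dependency visible. The enclosing `case "$1" in` branch starts and ends outside the hunk.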
@@ -9,13 +9,13 @@
 +
 +case "$PLUTO_VERB" in
 +"route-client")
-+ logger -t "ipsec_updown" "iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
-+ /sbin/iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t "ipsec_updown" "iptables -t nat -A IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++ /sbin/iptables -t nat -A IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
 + ;;
 +
 +"unroute-client")
-+ logger -t "ipsec_updown" "iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
-+ /sbin/iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t "ipsec_updown" "iptables -t nat -D IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++ /sbin/iptables -t nat -D IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
 + ;;
 +esac
 +