From: Arne Fitzenreiter Date: Sat, 27 Mar 2010 20:15:46 +0000 (+0100) Subject: Some changes for strongswan. X-Git-Tag: v2.9-beta1~412^2~13 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=db073a101e354ae047e1c5c113b50d03de1058de Some changes for strongswan. Still need a replacement for ipsec auto --replace --- diff --git a/doc/packages-list.txt b/doc/packages-list.txt index 1b7287db2d..3d8ff078f0 100644 --- a/doc/packages-list.txt +++ b/doc/packages-list.txt @@ -61,7 +61,7 @@ * cacti-0.8.7e * calamaris-2.59 * capi4k-utils-2005-07-18 -* ccache-2.4 +* ccache-3.0pre0 * cdrtools-2.01.01 * centerim-4.22.1 * clamav-0.95.3 diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 6a78baa9bc..dfe65bf81b 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi 
@@ -337,7 +337,7 @@ END if ( `cat /var/ipfire/vpn/settings | grep ^ENABLED=on` || `cat /var/ipfire/vpn/settings | grep ^ENABLED_BLUE=on` ) { my $ipsecip = `cat /var/ipfire/vpn/settings | grep ^VPN_IP= | cut -c 8-`; - my @status = `/usr/sbin/ipsec auto --status`; + my @status = `/usr/local/bin/ipsecctrl I`; my %confighash = (); &General::readhasharray("${General::swroot}/vpn/config", \%confighash); print <>GREEN ? + sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port); + safe_system(str); } void ipsec_norules() { /* clear input rules */ -// safe_system("/sbin/iptables -F " phystable); -// safe_system("/sbin/iptables -F " virtualtable); - - // unmap red alias ???? -} - - -void add_alias_interfaces(char *configtype, - char *redtype, - char *redif, - int offset) //reserve room for ipsec0=red, ipsec1=green, ipsec2=orange,ipsec3=blue -{ - FILE *file = NULL; - char s[STRING_SIZE]; - int alias=0; - - /* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not, - * exit gracefully. This is not an error... */ - if (!((strcmp(configtype, "1")==0) || (strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || (strcmp(configtype, "4")==0))) - return; - - /* Now check the RED_TYPE - aliases only work with STATIC. 
*/ - if (!(strcmp(redtype, "STATIC")==0)) - return; + safe_system("/sbin/iptables -F IPSECINPUT"); + safe_system("/sbin/iptables -F IPSECFORWARD"); + safe_system("/sbin/iptables -F IPSECOUTPUT"); - /* Now set up the new aliases from the config file */ - if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r"))) - { - fprintf(stderr, "Unable to open aliases configuration file\n"); - return; - } - while (fgets(s, STRING_SIZE, file) != NULL && (offset+alias) < 16 ) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - int count = 0; - char *aliasip=NULL; - char *enabled=NULL; - char *comment=NULL; - char *sptr = strtok(s, ","); - while (sptr) - { - if (count == 0) - aliasip = sptr; - if (count == 1) - enabled = sptr; - else - comment = sptr; - count++; - sptr = strtok(NULL, ","); - } - - if (!(aliasip && enabled)) - continue; - - if (!VALID_IP(aliasip)) - { - fprintf(stderr, "Bad alias : %s\n", aliasip); - return; - } - - if (strcmp(enabled, "on") == 0) - { - memset(s, 0, STRING_SIZE); - snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", offset+alias, redif, alias); -// safe_system(s); - alias++; - } - } } /* @@ -220,7 +138,7 @@ int decode_line (char *s, void turn_connection_on (char *name, char *type) { char command[STRING_SIZE]; - safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null"); + safe_system("/usr/sbin/ipsec whack --rereadsecrets >/dev/null"); memset(command, 0, STRING_SIZE); snprintf(command, STRING_SIZE - 1, "/usr/sbin/ipsec auto --replace %s >/dev/null", name); @@ -228,7 +146,7 @@ void turn_connection_on (char *name, char *type) { if (strcmp(type, "net") == 0) { memset(command, 0, STRING_SIZE); snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name); + "/usr/sbin/ipsec whack --asynchronous --name %s --initiate >/dev/null", name); safe_system(command); } } 
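Review bot: `name` is still interpolated unquoted into a shell command line here (`ipsec auto --replace %s`, and the new `whack --name %s` calls follow the same pattern through safe_system), so any shell metacharacter in a connection name becomes command execution at ipsecctrl's privilege; this hunk does not show where `name` is validated before it reaches turn_connection_on. If the caller does not already restrict it, add a guard at the top of the function, e.g. `if (strspn(name, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-") != strlen(name)) return;`, or at least record the contract with `/* name reaches the shell unquoted: the caller must have validated it */`. Note that only the `--rereadsecrets` line was converted; as the commit message says, `ipsec auto --replace` is still what loads the conn, so this function now depends on both the `auto` script and `whack` being present. turn_connection_on continues past the end of the hunk.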
@@ -240,13 +158,13 @@ void turn_connection_off (char *name) { memset(command, 0, STRING_SIZE); snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec auto --down %s >/dev/null", name); + "/usr/sbin/ipsec whack --name %s --terminate >/dev/null", name); safe_system(command); memset(command, 0, STRING_SIZE); snprintf(command, STRING_SIZE - 1, - "/usr/sbin/ipsec auto --delete %s >/dev/null", name); + "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name); safe_system(command); - safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null"); + safe_system("/usr/sbin/ipsec whack --rereadsecrets >/dev/null"); } @@ -291,9 +209,15 @@ int main(int argc, char *argv[]) { } if (strcmp(argv[1], "R") == 0) { - safe_system("/usr/sbin/ipsec auto --rereadall"); + safe_system("/usr/sbin/ipsec whack --rereadall"); + exit(0); + } + + if (strcmp(argv[1], "I") == 0) { + safe_system("/usr/sbin/ipsec whack --status"); exit(0); } + } /* clear iptables vpn rules */ @@ -422,15 +346,9 @@ int main(int argc, char *argv[]) { if (enable_blue==2) open_physical(if_blue, 4500); - // then open the ipsecX - open_virtual(); - // start the system if ((argc == 2) && strcmp(argv[1], "S") == 0) { - load_modules(); - safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null"); safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null"); - add_alias_interfaces(configtype, redtype, if_red, (enable_red+enable_green+enable_orange+enable_blue) >>1 ); safe_system("/usr/local/bin/vpn-watch &"); exit(0); } diff --git a/src/patches/strongswan-4.3.6_ipfire.patch b/src/patches/strongswan-4.3.6_ipfire.patch index 69f2abaebb..26cc357438 100644 --- a/src/patches/strongswan-4.3.6_ipfire.patch +++ b/src/patches/strongswan-4.3.6_ipfire.patch 
@@ -1,7 +1,7 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in --- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200 -+++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100 -@@ -374,10 +374,10 @@ ++++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-27 16:32:13.000000000 +0100 +@@ -374,12 +374,12 @@ # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -12,8 +12,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 # + # log IPsec host connection setup + if [ $VPN_LOGGING ] @@ -387,10 +387,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then @@ -27,7 +30,7 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd fi fi ;; -@@ -398,10 +398,10 @@ +@@ -398,12 +398,12 @@ # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. 
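Review bot: The host OUTPUT rule no longer accepts the packet: `-j MARK --set-mark 50` is a non-terminating target, so the packet continues down IPSECOUTPUT and its fate is decided by whatever rule or chain policy follows, and depending on the kernel/iptables version `MARK` may only be accepted in the mangle table, in which case the insert fails outright; nothing in this diff accepts packets carrying mark 50, so if that rule lives elsewhere it deserves a comment pointing to it. The mark is also a bare magic number; the `_updown_espmark` section this commit drops defined `ESP_MARK=50`, so I would set `IPSEC_MARK=50` once near the top of the script and write `-j MARK --set-mark $IPSEC_MARK` in every up/down rule so setter and consumer cannot drift. The same applies to the mirrored `-D` rules in the later hunks. The case arm this rule belongs to starts before the hunk.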
@@ -38,8 +41,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] @@ -411,10 +411,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then @@ -60,13 +66,14 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 + iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -436,10 +436,10 @@ +@@ -436,12 +436,12 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -77,8 +84,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 fi + # + # log IPsec client connection setup 
@@ -450,12 +450,27 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then @@ -93,13 +103,13 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd fi + + # -+ # Open Firewall for ESP Traffic ++ # Open Firewall for AH + ESP Traffic ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ + -s $PLUTO_PEER $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \ -+ -d $PLUTO_PEER $S_PEER_PORT \ -+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT + if [ $VPN_LOGGING ] + then + logger -t $TAG -p $FAC_PRIO \ @@ -117,13 +127,14 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd + iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT +- $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ $IPSEC_POLICY_OUT -j MARK --set-mark 50 + iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -477,11 +492,11 @@ +@@ -477,14 +492,14 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -136,7 +147,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT +- $IPSEC_POLICY_OUT -j ACCEPT ++ $IPSEC_POLICY_OUT -j MARK --set-mark 50 + fi + # + # log IPsec client connection teardown @@ -493,12 +508,27 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then 
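Review bot: The new AH rule, and the ESP rule next to it, carry the connection's port selectors `$S_PEER_PORT` / `$D_MY_PORT`, which `_updown` sets to `--sport`/`--dport` whenever the conn has a port in its traffic selector (set earlier in the script, outside this diff); iptables rejects `--dport` with `-p AH`/`-p ESP`, so for such connections the insert fails and the encrypted traffic is never opened while the plaintext rules above it are. The ports describe the inner flow, not the outer AH/ESP packets, so drop them: `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT` and the same line with `-p ESP`; the matching `-D` rules in the teardown hunk must change identically, otherwise the delete fails and the ACCEPT outlives the connection. Removing the IPSECOUTPUT ESP rule means outbound ESP is now accepted only by whatever follows in that chain, which this diff does not show. The enclosing case arm starts before the hunk.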
@@ -151,13 +166,13 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd fi + + # -+ # Close Firewall for ESP Traffic ++ # Close Firewall for AH+ESP Traffic ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ + -s $PLUTO_PEER $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \ -+ -d $PLUTO_PEER $S_PEER_PORT \ -+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT + if [ $VPN_LOGGING ] + then + logger -t $TAG -p $FAC_PRIO \ 
@@ -247,71 +262,3 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ $IPSEC_POLICY_OUT -j ACCEPT -diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark ---- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200 -+++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100 -@@ -247,10 +247,10 @@ - ESP_MARK=50 - - # add the following static rule to the INPUT chain in the mangle table --# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50 -+# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50 - - # NAT traversal via UDP encapsulation is supported with the rule --# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50 -+# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50 - - # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules - if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -@@ -325,10 +325,10 @@ - up-host:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. -- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # -@@ -346,10 +346,10 @@ - # If you are doing a custom version, firewall commands go here. - # connection to me going down - # If you are doing a custom version, firewall commands go here. 
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT - # -@@ -365,10 +365,10 @@ - up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. -- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT -- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $CHECK_MARK -j ACCEPT -@@ -385,10 +385,10 @@ - down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. -- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT -- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ - $CHECK_MARK -j ACCEPT