[people/teissler/ipfire-2.x.git] / src / patches / strongswan-4.3.6_ipfire.patch

diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
--- strongswan-4.3.6.org/src/_updown/_updown.in	2009-09-27 21:50:42.000000000 +0200
+++ strongswan-4.3.6/src/_updown/_updown.in	2010-03-20 18:44:11.000000000 +0100
@@ -374,10 +374,10 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -387,10 +387,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -398,10 +398,10 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -411,10 +411,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -424,10 +424,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -436,10 +436,10 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -450,12 +450,27 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Open Firewall for ESP Traffic
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
+	      -d $PLUTO_PEER $S_PEER_PORT \
+	      -s $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "ESP+ $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
@@ -463,11 +478,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -477,11 +492,11 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
@@ -493,12 +508,27 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Close Firewall for ESP Traffic
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
+	      -d $PLUTO_PEER $S_PEER_PORT \
+	      -s $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "ESP- $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
 	;;
 #
 # IPv6
@@ -533,10 +563,10 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -557,10 +587,10 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -583,10 +613,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -595,10 +625,10 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -622,11 +652,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -636,11 +666,11 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
--- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark	2009-09-27 21:50:42.000000000 +0200
+++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark	2010-03-15 18:52:28.000000000 +0100
@@ -247,10 +247,10 @@
 ESP_MARK=50
 
 # add the following static rule to the INPUT chain in the mangle table
-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
+# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
 
 # NAT traversal via UDP encapsulation is supported with the rule
-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
+# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
 
 # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
@@ -325,10 +325,10 @@
 up-host:*)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT \
 	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
 	#
@@ -346,10 +346,10 @@
 	# If you are doing a custom version, firewall commands go here.
 	# connection to me going down
 	# If you are doing a custom version, firewall commands go here.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT \
 	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
 	#
@@ -365,10 +365,10 @@
 up-client:)
 	# connection to my client subnet coming up
 	# If you are doing a custom version, firewall commands go here.
-	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
 	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
 	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
 	       $CHECK_MARK -j ACCEPT
@@ -385,10 +385,10 @@
 down-client:)
 	# connection to my client subnet going down
 	# If you are doing a custom version, firewall commands go here.
-	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
 	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
 	    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
 	       $CHECK_MARK -j ACCEPT
Commit	Line	Data
6652626c AF	1	diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
	2	--- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
	3	+++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100
	4	@@ -374,10 +374,10 @@
	5	# connection to me, with (left/right)firewall=yes, coming up
	6	# This is used only by the default updown script, not by your custom
	7	# ones, so do not mess with it; see CAUTION comment up at top.
	8	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	9	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	10	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	11	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	12	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	13	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	14	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	15	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	16	#
	17	@@ -387,10 +387,10 @@
	18	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	19	then
	20	logger -t $TAG -p $FAC_PRIO \
	21	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	22	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	23	else
	24	logger -t $TAG -p $FAC_PRIO \
	25	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	26	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	27	fi
	28	fi
	29	;;
	30	@@ -398,10 +398,10 @@
	31	# connection to me, with (left/right)firewall=yes, going down
	32	# This is used only by the default updown script, not by your custom
	33	# ones, so do not mess with it; see CAUTION comment up at top.
	34	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	35	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	36	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	37	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	38	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	39	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	40	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	41	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	42	#
	43	@@ -411,10 +411,10 @@
	44	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	45	then
	46	logger -t $TAG -p $FAC_PRIO -- \
	47	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	48	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	49	else
	50	logger -t $TAG -p $FAC_PRIO -- \
	51	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	52	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	53	fi
	54	fi
	55	;;
	56	@@ -424,10 +424,10 @@
	57	# ones, so do not mess with it; see CAUTION comment up at top.
	58	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	59	then
	60	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	61	+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	62	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	63	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	64	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
65	+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
66	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
67	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
68	fi
69	@@ -436,10 +436,10 @@
70	# or sometimes host access via the internal IP is needed
71	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
72	then
73	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
74	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
75	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
76	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
77	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
78	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
79	-s $PLUTO_MY_CLIENT $S_MY_PORT \
80	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
81	fi
82	@@ -450,12 +450,27 @@
83	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
84	then
85	logger -t $TAG -p $FAC_PRIO \
86	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
87	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
88	else
89	logger -t $TAG -p $FAC_PRIO \
90	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
91	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
92	fi
93	fi
94	+
95	+ #
96	+ # Open Firewall for ESP Traffic
97	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
98	+ -s $PLUTO_PEER $S_PEER_PORT \
99	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
100	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
101	+ -d $PLUTO_PEER $S_PEER_PORT \
102	+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
103	+ if [ $VPN_LOGGING ]
104	+ then
105	+ logger -t $TAG -p $FAC_PRIO \
106	+ "ESP+ $PLUTO_PEER -- $PLUTO_ME"
107	+ fi
108	+
109	;;
110	down-client:iptables)
111	# connection to client subnet, with (left/right)firewall=yes, going down
112	@@ -463,11 +478,11 @@
113	# ones, so do not mess with it; see CAUTION comment up at top.
114	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
115	then
116	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
117	+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
118	-s $PLUTO_MY_CLIENT $S_MY_PORT \
119	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
120	$IPSEC_POLICY_OUT -j ACCEPT
121	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
122	+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
123	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
124	-d $PLUTO_MY_CLIENT $D_MY_PORT \
125	$IPSEC_POLICY_IN -j ACCEPT
126	@@ -477,11 +492,11 @@
127	# or sometimes host access via the internal IP is needed
128	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
129	then
130	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
131	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
132	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
133	-d $PLUTO_MY_CLIENT $D_MY_PORT \
134	$IPSEC_POLICY_IN -j ACCEPT
135	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
136	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
137	-s $PLUTO_MY_CLIENT $S_MY_PORT \
138	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
139	$IPSEC_POLICY_OUT -j ACCEPT
140	@@ -493,12 +508,27 @@
141	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
142	then
143	logger -t $TAG -p $FAC_PRIO -- \
144	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
145	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
146	else
147	logger -t $TAG -p $FAC_PRIO -- \
148	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
149	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
150	fi
151	fi
152	+
153	+ #
154	+ # Close Firewall for ESP Traffic
155	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
156	+ -s $PLUTO_PEER $S_PEER_PORT \
157	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
158	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
159	+ -d $PLUTO_PEER $S_PEER_PORT \
160	+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
161	+ if [ $VPN_LOGGING ]
162	+ then
163	+ logger -t $TAG -p $FAC_PRIO \
164	+ "ESP- $PLUTO_PEER -- $PLUTO_ME"
165	+ fi
166	+
167	;;
168	#
169	# IPv6
170	@@ -533,10 +563,10 @@
171	# connection to me, with (left/right)firewall=yes, coming up
172	# This is used only by the default updown script, not by your custom
173	# ones, so do not mess with it; see CAUTION comment up at top.
174	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
175	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
176	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
177	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
178	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
179	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
180	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
181	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
182	#
183	@@ -557,10 +587,10 @@
184	# connection to me, with (left/right)firewall=yes, going down
185	# This is used only by the default updown script, not by your custom
186	# ones, so do not mess with it; see CAUTION comment up at top.
187	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
188	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
189	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
190	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
191	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
192	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
193	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
194	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
195	#
196	@@ -583,10 +613,10 @@
197	# ones, so do not mess with it; see CAUTION comment up at top.
198	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
199	then
200	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
201	+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
202	-s $PLUTO_MY_CLIENT $S_MY_PORT \
203	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
204	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
205	+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
206	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
207	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
208	fi
209	@@ -595,10 +625,10 @@
210	# or sometimes host access via the internal IP is needed
211	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
212	then
213	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
214	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
215	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
216	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
217	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
218	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
219	-s $PLUTO_MY_CLIENT $S_MY_PORT \
220	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
221	fi
222	@@ -622,11 +652,11 @@
223	# ones, so do not mess with it; see CAUTION comment up at top.
224	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
225	then
226	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
227	+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
228	-s $PLUTO_MY_CLIENT $S_MY_PORT \
229	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
230	$IPSEC_POLICY_OUT -j ACCEPT
231	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
232	+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
233	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
234	-d $PLUTO_MY_CLIENT $D_MY_PORT \
235	$IPSEC_POLICY_IN -j ACCEPT
236	@@ -636,11 +666,11 @@
237	# or sometimes host access via the internal IP is needed
238	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
239	then
240	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
241	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
242	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
243	-d $PLUTO_MY_CLIENT $D_MY_PORT \
244	$IPSEC_POLICY_IN -j ACCEPT
245	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
246	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
247	-s $PLUTO_MY_CLIENT $S_MY_PORT \
248	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
249	$IPSEC_POLICY_OUT -j ACCEPT
250	diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
251	--- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200
252	+++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100
253	@@ -247,10 +247,10 @@
254	ESP_MARK=50
255
256	# add the following static rule to the INPUT chain in the mangle table
257	-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
258	+# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
259
260	# NAT traversal via UDP encapsulation is supported with the rule
261	-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
262	+# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
263
264	# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
265	if [ `echo "$PLUTO_INTERFACE" \| grep "ipsec"` ]
266	@@ -325,10 +325,10 @@
267	up-host:*)
268	# connection to me coming up
269	# If you are doing a custom version, firewall commands go here.
270	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
271	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
272	-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
273	-d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
274	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
275	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
276	-s $PLUTO_ME $S_MY_PORT \
277	-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
278	#
279	@@ -346,10 +346,10 @@
280	# If you are doing a custom version, firewall commands go here.
281	# connection to me going down
282	# If you are doing a custom version, firewall commands go here.
283	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
284	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
285	-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
286	-d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
287	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
288	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
289	-s $PLUTO_ME $S_MY_PORT \
290	-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
291	#
292	@@ -365,10 +365,10 @@
293	up-client:)
294	# connection to my client subnet coming up
295	# If you are doing a custom version, firewall commands go here.
296	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
297	+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
298	-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
299	-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
300	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
301	+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
302	-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
303	-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
304	$CHECK_MARK -j ACCEPT
305	@@ -385,10 +385,10 @@
306	down-client:)
307	# connection to my client subnet going down
308	# If you are doing a custom version, firewall commands go here.
309	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
310	+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
311	-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
312	-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
313	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314	+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
315	-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
316	-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
317	$CHECK_MARK -j ACCEPT