[people/teissler/ipfire-2.x.git] / src / patches / strongswan-4.4.0_ipfire.patch

diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in
--- strongswan-4.4.0.org/src/_updown/_updown.in	2010-03-15 21:52:51.000000000 +0100
+++ strongswan-4.4.0/src/_updown/_updown.in	2010-05-15 13:33:40.000000000 +0200
@@ -374,12 +374,12 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
@@ -387,10 +387,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -398,12 +398,12 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
@@ -411,10 +411,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -424,10 +424,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -436,12 +436,12 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# log IPsec client connection setup
@@ -450,12 +450,38 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# Add source nat so also the gateway can access the other nets
+	src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
+	iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+	logger -t $TAG -p $FAC_PRIO \
+		"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
@@ -463,11 +489,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -477,14 +503,14 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# log IPsec client connection teardown
@@ -493,12 +519,38 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# remove source nat
+	src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
+	iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+	logger -t $TAG -p $FAC_PRIO \
+		"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 #
 # IPv6
@@ -533,10 +585,10 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -557,10 +609,10 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -583,10 +635,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -595,10 +647,10 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -622,11 +674,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -636,11 +688,11 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
50a488f4 AF	1	diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in
50a488f4 AF	2	--- strongswan-4.4.0.org/src/_updown/_updown.in 2010-03-15 21:52:51.000000000 +0100
bc4b68b4	3	+++ strongswan-4.4.0/src/_updown/_updown.in 2010-05-15 13:33:40.000000000 +0200
db073a10	4	@@ -374,12 +374,12 @@
6652626c AF	5	# connection to me, with (left/right)firewall=yes, coming up
	6	# This is used only by the default updown script, not by your custom
	7	# ones, so do not mess with it; see CAUTION comment up at top.
	8	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	9	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	10	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	11	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	12	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	13	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	14	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 AF	15	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
db073a10 AF	16	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c	17	#
db073a10 AF	18	# log IPsec host connection setup
db073a10 AF	19	if [ $VPN_LOGGING ]
6652626c AF	20	@@ -387,10 +387,10 @@
	21	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	22	then
	23	logger -t $TAG -p $FAC_PRIO \
	24	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	25	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	26	else
	27	logger -t $TAG -p $FAC_PRIO \
	28	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	29	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	30	fi
	31	fi
	32	;;
db073a10	33	@@ -398,12 +398,12 @@
6652626c AF	34	# connection to me, with (left/right)firewall=yes, going down
	35	# This is used only by the default updown script, not by your custom
	36	# ones, so do not mess with it; see CAUTION comment up at top.
	37	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	38	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	39	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	40	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	41	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	42	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	43	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 AF	44	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
db073a10 AF	45	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c	46	#
db073a10 AF	47	# log IPsec host connection teardown
db073a10 AF	48	if [ $VPN_LOGGING ]
6652626c AF	49	@@ -411,10 +411,10 @@
	50	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	51	then
	52	logger -t $TAG -p $FAC_PRIO -- \
	53	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	54	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	55	else
	56	logger -t $TAG -p $FAC_PRIO -- \
	57	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	58	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	59	fi
	60	fi
	61	;;
	62	@@ -424,10 +424,10 @@
	63	# ones, so do not mess with it; see CAUTION comment up at top.
	64	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	65	then
	66	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	67	+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	68	-s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	69	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c	70	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10	71	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c AF	72	+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	73	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	74	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	75	fi
db073a10	76	@@ -436,12 +436,12 @@
6652626c AF	77	# or sometimes host access via the internal IP is needed
	78	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	79	then
	80	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	81	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	82	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	83	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	84	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	85	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	86	-s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10 AF	87	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
db073a10 AF	88	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c	89	fi
db073a10 AF	90	#
db073a10 AF	91	# log IPsec client connection setup
bc4b68b4	92	@@ -450,12 +450,38 @@
6652626c AF	93	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	94	then
	95	logger -t $TAG -p $FAC_PRIO \
	96	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	97	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	98	else
	99	logger -t $TAG -p $FAC_PRIO \
	100	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	101	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	102	fi
	103	fi
	104	+
	105	+ #
50a488f4 AF	106	+ # Open Firewall for IPinIP + AH + ESP Traffic
	107	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
	108	+ -s $PLUTO_PEER $S_PEER_PORT \
	109	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
db073a10 AF	110	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
	111	+ -s $PLUTO_PEER $S_PEER_PORT \
	112	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	113	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
	114	+ -s $PLUTO_PEER $S_PEER_PORT \
	115	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	116	+ if [ $VPN_LOGGING ]
	117	+ then
	118	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	119	+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c	120	+ fi
c4cd0f7b AF	121	+
	122	+ # Add source nat so also the gateway can access the other nets
	123	+ src=$(/sbin/ip route\|grep $PLUTO_MY_CLIENT\|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
	124	+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	125	+ logger -t $TAG -p $FAC_PRIO \
	126	+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
6652626c	127	+
bc4b68b4 AF	128	+ # Flush routing cache
bc4b68b4 AF	129	+ ip route flush cache
6652626c AF	130	;;
	131	down-client:iptables)
	132	# connection to client subnet, with (left/right)firewall=yes, going down
bc4b68b4	133	@@ -463,11 +489,11 @@
6652626c AF	134	# ones, so do not mess with it; see CAUTION comment up at top.
	135	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	136	then
	137	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	138	+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	139	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	140	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	141	- $IPSEC_POLICY_OUT -j ACCEPT
6652626c	142	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10	143	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c AF	144	+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	145	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	146	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	147	$IPSEC_POLICY_IN -j ACCEPT
bc4b68b4	148	@@ -477,14 +503,14 @@
6652626c AF	149	# or sometimes host access via the internal IP is needed
	150	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	151	then
	152	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	153	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	154	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	155	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	156	$IPSEC_POLICY_IN -j ACCEPT
	157	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	158	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	159	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	160	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10 AF	161	- $IPSEC_POLICY_OUT -j ACCEPT
	162	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
	163	fi
	164	#
	165	# log IPsec client connection teardown
bc4b68b4	166	@@ -493,12 +519,38 @@
6652626c AF	167	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	168	then
	169	logger -t $TAG -p $FAC_PRIO -- \
	170	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	171	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	172	else
	173	logger -t $TAG -p $FAC_PRIO -- \
	174	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	175	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	176	fi
	177	fi
	178	+
	179	+ #
50a488f4 AF	180	+ # Close Firewall for IPinIP + AH + ESP Traffic
	181	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
	182	+ -s $PLUTO_PEER $S_PEER_PORT \
	183	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
db073a10 AF	184	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
	185	+ -s $PLUTO_PEER $S_PEER_PORT \
	186	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	187	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
	188	+ -s $PLUTO_PEER $S_PEER_PORT \
	189	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	190	+ if [ $VPN_LOGGING ]
	191	+ then
	192	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	193	+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c	194	+ fi
c4cd0f7b AF	195	+
	196	+ # remove source nat
	197	+ src=$(/sbin/ip route\|grep $PLUTO_MY_CLIENT\|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
	198	+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	199	+ logger -t $TAG -p $FAC_PRIO \
	200	+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
6652626c	201	+
bc4b68b4 AF	202	+ # Flush routing cache
bc4b68b4 AF	203	+ ip route flush cache
6652626c AF	204	;;
	205	#
	206	# IPv6
bc4b68b4	207	@@ -533,10 +585,10 @@
6652626c AF	208	# connection to me, with (left/right)firewall=yes, coming up
	209	# This is used only by the default updown script, not by your custom
	210	# ones, so do not mess with it; see CAUTION comment up at top.
	211	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	212	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	213	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	214	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	215	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	216	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	217	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	218	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	219	#
bc4b68b4	220	@@ -557,10 +609,10 @@
6652626c AF	221	# connection to me, with (left/right)firewall=yes, going down
	222	# This is used only by the default updown script, not by your custom
	223	# ones, so do not mess with it; see CAUTION comment up at top.
	224	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	225	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	226	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	227	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	228	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	229	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	230	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	231	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	232	#
bc4b68b4	233	@@ -583,10 +635,10 @@
6652626c AF	234	# ones, so do not mess with it; see CAUTION comment up at top.
	235	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	236	then
	237	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	238	+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	239	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	240	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	241	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	242	+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	243	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	244	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	245	fi
bc4b68b4	246	@@ -595,10 +647,10 @@
6652626c AF	247	# or sometimes host access via the internal IP is needed
	248	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	249	then
	250	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	251	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	252	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	253	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	254	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	255	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	256	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	257	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	258	fi
bc4b68b4	259	@@ -622,11 +674,11 @@
6652626c AF	260	# ones, so do not mess with it; see CAUTION comment up at top.
	261	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	262	then
	263	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	264	+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	265	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	266	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	267	$IPSEC_POLICY_OUT -j ACCEPT
	268	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	269	+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	270	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	271	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	272	$IPSEC_POLICY_IN -j ACCEPT
bc4b68b4	273	@@ -636,11 +688,11 @@
6652626c AF	274	# or sometimes host access via the internal IP is needed
	275	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	276	then
	277	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	278	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	279	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	280	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	281	$IPSEC_POLICY_IN -j ACCEPT
	282	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	283	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	284	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	285	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	286	$IPSEC_POLICY_OUT -j ACCEPT