core53: add log.dat to updater.
[people/teissler/ipfire-2.x.git] / src / patches / strongswan-4.4.0_ipfire.patch
1diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in
2--- strongswan-4.4.0.org/src/_updown/_updown.in 2010-03-15 21:52:51.000000000 +0100
bc4b68b4 3+++ strongswan-4.4.0/src/_updown/_updown.in 2010-05-15 13:33:40.000000000 +0200
db073a10 4@@ -374,12 +374,12 @@
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
9+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
13+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
14 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
15- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
16+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c 17 #
18 # log IPsec host connection setup
19 if [ $VPN_LOGGING ]
20@@ -387,10 +387,10 @@
21 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
22 then
23 logger -t $TAG -p $FAC_PRIO \
24- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
25+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
26 else
27 logger -t $TAG -p $FAC_PRIO \
28- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
29+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
30 fi
31 fi
32 ;;
db073a10 33@@ -398,12 +398,12 @@
34 # connection to me, with (left/right)firewall=yes, going down
35 # This is used only by the default updown script, not by your custom
36 # ones, so do not mess with it; see CAUTION comment up at top.
37- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
38+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
39 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
40 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
41- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
42+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
43 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
44- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
45+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c 46 #
47 # log IPsec host connection teardown
48 if [ $VPN_LOGGING ]
49@@ -411,10 +411,10 @@
50 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
51 then
52 logger -t $TAG -p $FAC_PRIO -- \
53- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
54+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
55 else
56 logger -t $TAG -p $FAC_PRIO -- \
57- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
58+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
59 fi
60 fi
61 ;;
62@@ -424,10 +424,10 @@
63 # ones, so do not mess with it; see CAUTION comment up at top.
64 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
65 then
66- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
67+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
68 -s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10 69- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c 70- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10 71+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
72+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
73 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
74 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
75 fi
db073a10 76@@ -436,12 +436,12 @@
77 # or sometimes host access via the internal IP is needed
78 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
79 then
80- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
81+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
82 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
83 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
84- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
85+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
86 -s $PLUTO_MY_CLIENT $S_MY_PORT \
87- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
88+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c 89 fi
90 #
91 # log IPsec client connection setup
bc4b68b4 92@@ -450,12 +450,38 @@
93 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
94 then
95 logger -t $TAG -p $FAC_PRIO \
96- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
97+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
98 else
99 logger -t $TAG -p $FAC_PRIO \
100- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
101+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
102 fi
103 fi
104+
105+ #
106+ # Open Firewall for IPinIP + AH + ESP Traffic
107+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
108+ -s $PLUTO_PEER $S_PEER_PORT \
109+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
110+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
111+ -s $PLUTO_PEER $S_PEER_PORT \
112+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
113+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
114+ -s $PLUTO_PEER $S_PEER_PORT \
115+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
116+ if [ $VPN_LOGGING ]
117+ then
118+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b 119+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c 120+ fi
121+
122+ # Add source nat so also the gateway can access the other nets
123+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
124+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
125+ logger -t $TAG -p $FAC_PRIO \
126+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
6652626c 127+
128+ # Flush routing cache
129+ ip route flush cache
130 ;;
131 down-client:iptables)
132 # connection to client subnet, with (left/right)firewall=yes, going down
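Review bot: `-p IP` on the new `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP -s $PLUTO_PEER … -d $PLUTO_ME … -j ACCEPT` rule in hunk `@@ -450,12 +450,38 @@` does not select IP-in-IP: with a standard `/etc/protocols`, `IP` resolves to protocol number 0, which iptables treats as `all`, so the rule accepts every protocol from the peer address to the gateway, far wider than the "IPinIP + AH + ESP" the comment describes; use `-p 4` (`ipencap`), and mirror it in the matching `-D` rule of hunk `@@ -493,12 +519,38 @@`. The SNAT source lookup `src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read … ; echo $src))` in the same hunk uses the subnet as an unanchored regex over the whole routing table and a positional `read` that assumes one fixed route-line layout, so it can pick the wrong route or yield an empty `src`; an empty `src` makes the following `iptables -t nat -A IPSECNAT … -j SNAT --to` fail while `snat+` is still logged as if the rule existed, and the lookup repeated at teardown can then leave a stale SNAT rule in place. Select the route by exact prefix, take the value after the `src` keyword, and add the rule and log only when `src` is non-empty, as sketched below; note that the `snat+` logger call is also unconditional while the `tunnel+` call beside it is guarded by `[ $VPN_LOGGING ]`. The enclosing `up-client:iptables)` case arm starts before this hunk.
```shell
# … unchanged: client+ logging …
#
# Open Firewall for IPinIP + AH + ESP Traffic
# protocol 4 (ipencap) is IP-in-IP; "-p IP" would resolve to 0 == all
iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
  -s $PLUTO_PEER $S_PEER_PORT \
  -d $PLUTO_ME $D_MY_PORT -j ACCEPT
# … unchanged: AH and ESP rules, tunnel+ logging …

# Add source nat so also the gateway can access the other nets.
# Exact-prefix route lookup; the address is the field after the "src"
# keyword, not a fixed position, because route lines differ in layout.
src=$(/sbin/ip -o route show "$PLUTO_MY_CLIENT" \
  | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }')
if [ -n "$src" ]
then
  iptables -t nat -A IPSECNAT -o "$PLUTO_INTERFACE" -s "$PLUTO_ME" \
    -d "$PLUTO_PEER_CLIENT" -j SNAT --to "$src"
  if [ $VPN_LOGGING ]
  then
    logger -t $TAG -p $FAC_PRIO \
      "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
  fi
else
  logger -t $TAG -p $FAC_PRIO \
    "snat+ no src route for $PLUTO_MY_CLIENT, SNAT rule not added"
fi
# … unchanged: flush routing cache …
```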
bc4b68b4 133@@ -463,11 +489,11 @@
134 # ones, so do not mess with it; see CAUTION comment up at top.
135 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
136 then
137- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
138+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
139 -s $PLUTO_MY_CLIENT $S_MY_PORT \
140 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10 141- $IPSEC_POLICY_OUT -j ACCEPT
6652626c 142- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10 143+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
144+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
145 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
146 -d $PLUTO_MY_CLIENT $D_MY_PORT \
147 $IPSEC_POLICY_IN -j ACCEPT
bc4b68b4 148@@ -477,14 +503,14 @@
149 # or sometimes host access via the internal IP is needed
150 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
151 then
152- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
153+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
154 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
155 -d $PLUTO_MY_CLIENT $D_MY_PORT \
156 $IPSEC_POLICY_IN -j ACCEPT
157- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
158+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
159 -s $PLUTO_MY_CLIENT $S_MY_PORT \
160 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
161- $IPSEC_POLICY_OUT -j ACCEPT
162+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
163 fi
164 #
165 # log IPsec client connection teardown
bc4b68b4 166@@ -493,12 +519,38 @@
167 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
168 then
169 logger -t $TAG -p $FAC_PRIO -- \
170- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
171+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
172 else
173 logger -t $TAG -p $FAC_PRIO -- \
174- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
175+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
176 fi
177 fi
178+
179+ #
180+ # Close Firewall for IPinIP + AH + ESP Traffic
181+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
182+ -s $PLUTO_PEER $S_PEER_PORT \
183+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
184+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
185+ -s $PLUTO_PEER $S_PEER_PORT \
186+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
187+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
188+ -s $PLUTO_PEER $S_PEER_PORT \
189+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
190+ if [ $VPN_LOGGING ]
191+ then
192+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b 193+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c 194+ fi
195+
196+ # remove source nat
197+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
198+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
199+ logger -t $TAG -p $FAC_PRIO \
200+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
6652626c 201+
202+ # Flush routing cache
203+ ip route flush cache
204 ;;
205 #
206 # IPv6
bc4b68b4 207@@ -533,10 +585,10 @@
208 # connection to me, with (left/right)firewall=yes, coming up
209 # This is used only by the default updown script, not by your custom
210 # ones, so do not mess with it; see CAUTION comment up at top.
211- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
212+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
213 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
214 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
215- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
216+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
217 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
218 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
219 #
bc4b68b4 220@@ -557,10 +609,10 @@
221 # connection to me, with (left/right)firewall=yes, going down
222 # This is used only by the default updown script, not by your custom
223 # ones, so do not mess with it; see CAUTION comment up at top.
224- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
225+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
226 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
227 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
228- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
229+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
230 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
231 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
232 #
bc4b68b4 233@@ -583,10 +635,10 @@
234 # ones, so do not mess with it; see CAUTION comment up at top.
235 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
236 then
237- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
238+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
239 -s $PLUTO_MY_CLIENT $S_MY_PORT \
240 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
241- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
242+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
243 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
244 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
245 fi
bc4b68b4 246@@ -595,10 +647,10 @@
247 # or sometimes host access via the internal IP is needed
248 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
249 then
250- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
251+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
252 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
253 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
254- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
255+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
256 -s $PLUTO_MY_CLIENT $S_MY_PORT \
257 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
258 fi
bc4b68b4 259@@ -622,11 +674,11 @@
260 # ones, so do not mess with it; see CAUTION comment up at top.
261 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
262 then
263- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
264+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
265 -s $PLUTO_MY_CLIENT $S_MY_PORT \
266 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
267 $IPSEC_POLICY_OUT -j ACCEPT
268- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
269+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
270 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
271 -d $PLUTO_MY_CLIENT $D_MY_PORT \
272 $IPSEC_POLICY_IN -j ACCEPT
bc4b68b4 273@@ -636,11 +688,11 @@
274 # or sometimes host access via the internal IP is needed
275 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
276 then
277- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
278+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
279 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
280 -d $PLUTO_MY_CLIENT $D_MY_PORT \
281 $IPSEC_POLICY_IN -j ACCEPT
282- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
283+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
284 -s $PLUTO_MY_CLIENT $S_MY_PORT \
285 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
286 $IPSEC_POLICY_OUT -j ACCEPT