[people/teissler/ipfire-2.x.git] / src / patches / strongswan-5.0.2_ipfire.patch

--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -178,6 +178,29 @@
 	;;
 esac
 
+function ip_encode() {
+	local IFS=.
+
+	local int=0
+	for field in $1; do
+		int=$(( $(( $int << 8 )) | $field ))
+	done
+
+	echo $int
+}
+
+function ip_in_subnet() {
+	local netmask
+	netmask=$(_netmask $2)
+	[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+}
+
+function _netmask() {
+	local vlsm
+	vlsm=${1#*/}
+	[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
 uproute() {
@@ -407,12 +430,12 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
 	# IPComp is used (for small inbound packets that are not compressed)
@@ -428,10 +451,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -439,12 +462,12 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
@@ -459,10 +482,10 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -472,24 +495,24 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
+	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# allow IPIP traffic because of the implicit SA created by the kernel if
@@ -497,7 +520,7 @@
 	# INPUT is correct here even for forwarded traffic.
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -507,12 +530,51 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# Add source nat so also the gateway can access the other nets
+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+		if [ $? -eq 0 ]; then
+			src=${_src}
+			break
+		fi
+	done
+
+	if [ -n "${src}" ]; then
+		iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+		logger -t $TAG -p $FAC_PRIO \
+			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+	else
+		logger -t $TAG -p $FAC_PRIO \
+			"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+	fi
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
@@ -520,34 +582,34 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
+	         $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	         $IPSEC_POLICY_IN -j RETURN
+	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# IPIP exception teardown
 	if [ -n "$PLUTO_IPCOMP" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
 	fi
 	#
@@ -557,12 +619,51 @@
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# remove source nat
+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+		if [ $? -eq 0 ]; then
+			src=${_src}
+			break
+		fi
+	done
+
+	if [ -n "${src}" ]; then
+		iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+		logger -t $TAG -p $FAC_PRIO \
+			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+	else
+		logger -t $TAG -p $FAC_PRIO \
+			"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+	fi
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 #
 # IPv6
@@ -597,10 +698,10 @@
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -621,10 +722,10 @@
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -647,10 +748,10 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -659,10 +760,10 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -686,11 +787,11 @@
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -700,11 +801,11 @@
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
dc33c23b AM	1	--- a/src/_updown/_updown.in
dc33c23b AM	2	+++ b/src/_updown/_updown.in
d7050fc0	3	@@ -178,6 +178,29 @@
7589902e AF	4	;;
	5	esac
	6
	7	+function ip_encode() {
	8	+ local IFS=.
	9	+
	10	+ local int=0
	11	+ for field in $1; do
	12	+ int=$(( $(( $int << 8 )) \| $field ))
	13	+ done
	14	+
	15	+ echo $int
	16	+}
	17	+
	18	+function ip_in_subnet() {
	19	+ local netmask
	20	+ netmask=$(_netmask $2)
	21	+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
	22	+}
	23	+
	24	+function _netmask() {
	25	+ local vlsm
	26	+ vlsm=${1#*/}
	27	+ [ $vlsm -eq 0 ] && echo 0 \|\| echo $(( -1 << $(( 32 - $vlsm )) ))
	28	+}
	29	+
	30	# utility functions for route manipulation
	31	# Meddling with this stuff should not be necessary and requires great care.
	32	uproute() {
d7050fc0	33	@@ -407,12 +430,12 @@
6652626c AF	34	# connection to me, with (left/right)firewall=yes, coming up
	35	# This is used only by the default updown script, not by your custom
	36	# ones, so do not mess with it; see CAUTION comment up at top.
	37	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	38	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	39	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	40	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	41	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	42	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	43	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 AF	44	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
db073a10 AF	45	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c	46	#
d7050fc0 MT	47	# allow IPIP traffic because of the implicit SA created by the kernel if
	48	# IPComp is used (for small inbound packets that are not compressed)
	49	@@ -428,10 +451,10 @@
6652626c AF	50	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	51	then
	52	logger -t $TAG -p $FAC_PRIO \
	53	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	54	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	55	else
	56	logger -t $TAG -p $FAC_PRIO \
	57	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	58	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	59	fi
	60	fi
	61	;;
d7050fc0	62	@@ -439,12 +462,12 @@
6652626c AF	63	# connection to me, with (left/right)firewall=yes, going down
	64	# This is used only by the default updown script, not by your custom
	65	# ones, so do not mess with it; see CAUTION comment up at top.
	66	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	67	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	68	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	69	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	70	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	71	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	72	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
db073a10 AF	73	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
db073a10 AF	74	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
6652626c	75	#
d7050fc0 MT	76	# IPIP exception teardown
	77	if [ -n "$PLUTO_IPCOMP" ]
	78	@@ -459,10 +482,10 @@
6652626c AF	79	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	80	then
	81	logger -t $TAG -p $FAC_PRIO -- \
	82	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	83	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	84	else
	85	logger -t $TAG -p $FAC_PRIO -- \
	86	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	87	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	88	fi
	89	fi
	90	;;
d7050fc0	91	@@ -472,24 +495,24 @@
6652626c AF	92	# ones, so do not mess with it; see CAUTION comment up at top.
	93	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	94	then
	95	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	96	+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	97	-s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10	98	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
6652626c	99	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10	100	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c AF	101	+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
6652626c AF	102	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
dc33c23b AM	103	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
dc33c23b AM	104	+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
6652626c	105	fi
dc33c23b AM	106	#
dc33c23b AM	107	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c AF	108	# or sometimes host access via the internal IP is needed
	109	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	110	then
	111	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	112	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	113	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
d7050fc0	114	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
6652626c	115	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d7050fc0	116	+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
6652626c AF	117	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
6652626c AF	118	-s $PLUTO_MY_CLIENT $S_MY_PORT \
db073a10 AF	119	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
db073a10 AF	120	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c	121	fi
db073a10	122	#
d7050fc0 MT	123	# allow IPIP traffic because of the implicit SA created by the kernel if
	124	@@ -497,7 +520,7 @@
	125	# INPUT is correct here even for forwarded traffic.
	126	if [ -n "$PLUTO_IPCOMP" ]
	127	then
	128	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
	129	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
	130	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	131	fi
	132	#
	133	@@ -507,12 +530,51 @@
6652626c AF	134	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	135	then
	136	logger -t $TAG -p $FAC_PRIO \
	137	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	138	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	139	else
	140	logger -t $TAG -p $FAC_PRIO \
	141	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	142	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	143	fi
	144	fi
	145	+
	146	+ #
50a488f4 AF	147	+ # Open Firewall for IPinIP + AH + ESP Traffic
	148	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
	149	+ -s $PLUTO_PEER $S_PEER_PORT \
	150	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
db073a10 AF	151	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
	152	+ -s $PLUTO_PEER $S_PEER_PORT \
	153	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	154	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
	155	+ -s $PLUTO_PEER $S_PEER_PORT \
	156	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	157	+ if [ $VPN_LOGGING ]
	158	+ then
	159	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	160	+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
6652626c	161	+ fi
c4cd0f7b AF	162	+
c4cd0f7b AF	163	+ # Add source nat so also the gateway can access the other nets
7589902e AF	164	+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	165	+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	166	+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	167	+ if [ $? -eq 0 ]; then
	168	+ src=${_src}
	169	+ break
	170	+ fi
	171	+ done
	172	+
	173	+ if [ -n "${src}" ]; then
	174	+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	175	+ logger -t $TAG -p $FAC_PRIO \
	176	+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
	177	+ else
	178	+ logger -t $TAG -p $FAC_PRIO \
	179	+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
	180	+ fi
6652626c	181	+
bc4b68b4 AF	182	+ # Flush routing cache
bc4b68b4 AF	183	+ ip route flush cache
6652626c AF	184	;;
	185	down-client:iptables)
	186	# connection to client subnet, with (left/right)firewall=yes, going down
d7050fc0	187	@@ -520,34 +582,34 @@
6652626c AF	188	# ones, so do not mess with it; see CAUTION comment up at top.
	189	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	190	then
	191	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	192	+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	193	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	194	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10	195	- $IPSEC_POLICY_OUT -j ACCEPT
6652626c	196	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
db073a10	197	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
6652626c AF	198	+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	199	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	200	-d $PLUTO_MY_CLIENT $D_MY_PORT \
dc33c23b AM	201	- $IPSEC_POLICY_IN -j ACCEPT
	202	+ $IPSEC_POLICY_IN -j RETURN
	203	fi
	204	#
	205	# a virtual IP requires an INPUT and OUTPUT rule on the host
6652626c AF	206	# or sometimes host access via the internal IP is needed
	207	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	208	then
	209	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	210	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	211	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	212	-d $PLUTO_MY_CLIENT $D_MY_PORT \
d7050fc0	213	- $IPSEC_POLICY_IN -j ACCEPT
6652626c	214	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
d7050fc0	215	+ $IPSEC_POLICY_IN -j RETURN
6652626c AF	216	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	217	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	218	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
db073a10 AF	219	- $IPSEC_POLICY_OUT -j ACCEPT
	220	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
	221	fi
	222	#
d7050fc0 MT	223	# IPIP exception teardown
	224	if [ -n "$PLUTO_IPCOMP" ]
	225	then
	226	- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
	227	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
	228	-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
	229	fi
	230	#
	231	@@ -557,12 +619,51 @@
6652626c AF	232	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	233	then
	234	logger -t $TAG -p $FAC_PRIO -- \
	235	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	236	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	237	else
	238	logger -t $TAG -p $FAC_PRIO -- \
	239	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	240	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	241	fi
	242	fi
	243	+
	244	+ #
50a488f4 AF	245	+ # Close Firewall for IPinIP + AH + ESP Traffic
	246	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
	247	+ -s $PLUTO_PEER $S_PEER_PORT \
	248	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
db073a10 AF	249	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
	250	+ -s $PLUTO_PEER $S_PEER_PORT \
	251	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	252	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
	253	+ -s $PLUTO_PEER $S_PEER_PORT \
	254	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
6652626c AF	255	+ if [ $VPN_LOGGING ]
	256	+ then
	257	+ logger -t $TAG -p $FAC_PRIO \
c4cd0f7b	258	+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
6652626c	259	+ fi
c4cd0f7b AF	260	+
c4cd0f7b AF	261	+ # remove source nat
7589902e AF	262	+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	263	+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	264	+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	265	+ if [ $? -eq 0 ]; then
	266	+ src=${_src}
	267	+ break
	268	+ fi
	269	+ done
	270	+
	271	+ if [ -n "${src}" ]; then
	272	+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	273	+ logger -t $TAG -p $FAC_PRIO \
	274	+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
	275	+ else
	276	+ logger -t $TAG -p $FAC_PRIO \
	277	+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
	278	+ fi
6652626c	279	+
bc4b68b4 AF	280	+ # Flush routing cache
bc4b68b4 AF	281	+ ip route flush cache
6652626c AF	282	;;
	283	#
	284	# IPv6
d7050fc0	285	@@ -597,10 +698,10 @@
6652626c AF	286	# connection to me, with (left/right)firewall=yes, coming up
	287	# This is used only by the default updown script, not by your custom
	288	# ones, so do not mess with it; see CAUTION comment up at top.
	289	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	290	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	291	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	292	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	293	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	294	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	295	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	296	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	297	#
d7050fc0	298	@@ -621,10 +722,10 @@
6652626c AF	299	# connection to me, with (left/right)firewall=yes, going down
	300	# This is used only by the default updown script, not by your custom
	301	# ones, so do not mess with it; see CAUTION comment up at top.
	302	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	303	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	304	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	305	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	306	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	307	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	308	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	309	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	310	#
d7050fc0	311	@@ -647,10 +748,10 @@
6652626c AF	312	# ones, so do not mess with it; see CAUTION comment up at top.
	313	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	314	then
	315	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	316	+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	317	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	318	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	319	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	320	+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	321	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	322	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	323	fi
d7050fc0	324	@@ -659,10 +760,10 @@
6652626c AF	325	# or sometimes host access via the internal IP is needed
	326	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	327	then
	328	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	329	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	330	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	331	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	332	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	333	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	334	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	335	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	336	fi
d7050fc0	337	@@ -686,11 +787,11 @@
6652626c AF	338	# ones, so do not mess with it; see CAUTION comment up at top.
	339	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	340	then
	341	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	342	+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	343	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	344	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	345	$IPSEC_POLICY_OUT -j ACCEPT
	346	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	347	+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	348	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	349	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	350	$IPSEC_POLICY_IN -j ACCEPT
d7050fc0	351	@@ -700,11 +801,11 @@
6652626c AF	352	# or sometimes host access via the internal IP is needed
	353	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	354	then
	355	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	356	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	357	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	358	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	359	$IPSEC_POLICY_IN -j ACCEPT
	360	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	361	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	362	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	363	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	364	$IPSEC_POLICY_OUT -j ACCEPT