[people/teissler/ipfire-2.x.git] / src / patches / strongswan-5.0.2_ipfire.patch

diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 3a40e21..d9f3ea0 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -193,6 +193,29 @@ custom:*)		# custom parameters (see above CAUTION comment)
 	;;
 esac
 
+function ip_encode() {
+	local IFS=.
+
+	local int=0
+	for field in $1; do
+		int=$(( $(( $int << 8 )) | $field ))
+	done
+
+	echo $int
+}
+
+function ip_in_subnet() {
+	local netmask
+	netmask=$(_netmask $2)
+	[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+}
+
+function _netmask() {
+	local vlsm
+	vlsm=${1#*/}
+	[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
 uproute() {
@@ -397,12 +420,12 @@ up-host:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
@@ -410,10 +433,10 @@ up-host:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	      "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -421,12 +444,12 @@ down-host:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
 	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
@@ -434,10 +457,10 @@ down-host:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	      "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	    "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
 	  fi
 	fi
 	;;
@@ -447,24 +470,24 @@ up-client:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
-	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# log IPsec client connection setup
@@ -473,12 +496,51 @@ up-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO \
-	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Open Firewall for IPinIP + AH + ESP Traffic
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# Add source nat so also the gateway can access the other nets
+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+		if [ $? -eq 0 ]; then
+			src=${_src}
+			break
+		fi
+	done
+
+	if [ -n "${src}" ]; then
+		iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+		logger -t $TAG -p $FAC_PRIO \
+			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+	else
+		logger -t $TAG -p $FAC_PRIO \
+			"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+	fi
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 down-client:iptables)
 	# connection to client subnet, with (left/right)firewall=yes, going down
@@ -486,28 +548,28 @@ down-client:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
+	  iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
-	         $IPSEC_POLICY_IN -j ACCEPT
+	         $IPSEC_POLICY_IN -j RETURN
 	fi
 	#
 	# a virtual IP requires an INPUT and OUTPUT rule on the host
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
-	         $IPSEC_POLICY_OUT -j ACCEPT
+	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
 	fi
 	#
 	# log IPsec client connection teardown
@@ -516,12 +578,51 @@ down-client:iptables)
 	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
 	  then
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  else
 	    logger -t $TAG -p $FAC_PRIO -- \
-	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
 	  fi
 	fi
+
+	#
+	# Close Firewall for IPinIP + AH + ESP Traffic
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+	      -s $PLUTO_PEER $S_PEER_PORT \
+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	if [ $VPN_LOGGING ]
+	then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+	fi
+
+	# remove source nat
+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+		if [ $? -eq 0 ]; then
+			src=${_src}
+			break
+		fi
+	done
+
+	if [ -n "${src}" ]; then
+		iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+		logger -t $TAG -p $FAC_PRIO \
+			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+	else
+		logger -t $TAG -p $FAC_PRIO \
+			"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+	fi
+
+	# Flush routing cache
+	ip route flush cache
 	;;
 #
 # IPv6
@@ -556,10 +657,10 @@ up-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, coming up
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -580,10 +681,10 @@ down-host-v6:iptables)
 	# connection to me, with (left/right)firewall=yes, going down
 	# This is used only by the default updown script, not by your custom
 	# ones, so do not mess with it; see CAUTION comment up at top.
-	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
@@ -606,10 +707,10 @@ up-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 	fi
@@ -618,10 +719,10 @@ up-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
@@ -645,11 +746,11 @@ down-client-v6:iptables)
 	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
 	then
-	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
-	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
@@ -659,11 +760,11 @@ down-client-v6:iptables)
 	# or sometimes host access via the internal IP is needed
 	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
 	then
-	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	  ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 	         $IPSEC_POLICY_IN -j ACCEPT
-	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	  ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 	         $IPSEC_POLICY_OUT -j ACCEPT
Commit	Line	Data
	1	diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
	2	index 3a40e21..d9f3ea0 100644
	3	--- a/src/_updown/_updown.in
	4	+++ b/src/_updown/_updown.in
	5	@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment)
	6	;;
	7	esac
	8
	9	+function ip_encode() {
	10	+ local IFS=.
	11	+
	12	+ local int=0
	13	+ for field in $1; do
	14	+ int=$(( $(( $int << 8 )) \| $field ))
	15	+ done
	16	+
	17	+ echo $int
	18	+}
	19	+
	20	+function ip_in_subnet() {
	21	+ local netmask
	22	+ netmask=$(_netmask $2)
	23	+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
	24	+}
	25	+
	26	+function _netmask() {
	27	+ local vlsm
	28	+ vlsm=${1#*/}
	29	+ [ $vlsm -eq 0 ] && echo 0 \|\| echo $(( -1 << $(( 32 - $vlsm )) ))
	30	+}
	31	+
	32	# utility functions for route manipulation
	33	# Meddling with this stuff should not be necessary and requires great care.
	34	uproute() {
	35	@@ -397,12 +420,12 @@ up-host:iptables)
	36	# connection to me, with (left/right)firewall=yes, coming up
	37	# This is used only by the default updown script, not by your custom
	38	# ones, so do not mess with it; see CAUTION comment up at top.
	39	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	40	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	41	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	42	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	43	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	44	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	45	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	46	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	47	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
	48	#
	49	# log IPsec host connection setup
	50	if [ $VPN_LOGGING ]
	51	@@ -410,10 +433,10 @@ up-host:iptables)
	52	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	53	then
	54	logger -t $TAG -p $FAC_PRIO \
	55	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	56	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	57	else
	58	logger -t $TAG -p $FAC_PRIO \
	59	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	60	+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	61	fi
	62	fi
	63	;;
	64	@@ -421,12 +444,12 @@ down-host:iptables)
	65	# connection to me, with (left/right)firewall=yes, going down
	66	# This is used only by the default updown script, not by your custom
	67	# ones, so do not mess with it; see CAUTION comment up at top.
	68	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	69	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	70	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	71	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	72	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	73	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	74	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	75	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	76	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
	77	#
	78	# log IPsec host connection teardown
	79	if [ $VPN_LOGGING ]
	80	@@ -434,10 +457,10 @@ down-host:iptables)
	81	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	82	then
	83	logger -t $TAG -p $FAC_PRIO -- \
	84	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	85	+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
	86	else
	87	logger -t $TAG -p $FAC_PRIO -- \
	88	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	89	+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
	90	fi
	91	fi
	92	;;
	93	@@ -447,24 +470,24 @@ up-client:iptables)
	94	# ones, so do not mess with it; see CAUTION comment up at top.
	95	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	96	then
	97	- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	98	+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	99	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	100	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	101	- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	102	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
	103	+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	104	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	105	- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	106	+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
	107	fi
	108	#
	109	# a virtual IP requires an INPUT and OUTPUT rule on the host
	110	# or sometimes host access via the internal IP is needed
	111	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	112	then
	113	- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	114	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	115	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	116	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	117	- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	118	+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	119	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	120	- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	121	+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
	122	fi
	123	#
	124	# log IPsec client connection setup
	125	@@ -473,12 +496,51 @@ up-client:iptables)
	126	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	127	then
	128	logger -t $TAG -p $FAC_PRIO \
	129	- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	130	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	131	else
	132	logger -t $TAG -p $FAC_PRIO \
	133	- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	134	+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	135	fi
	136	fi
	137	+
	138	+ #
	139	+ # Open Firewall for IPinIP + AH + ESP Traffic
	140	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
	141	+ -s $PLUTO_PEER $S_PEER_PORT \
	142	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	143	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
	144	+ -s $PLUTO_PEER $S_PEER_PORT \
	145	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	146	+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
	147	+ -s $PLUTO_PEER $S_PEER_PORT \
	148	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	149	+ if [ $VPN_LOGGING ]
	150	+ then
	151	+ logger -t $TAG -p $FAC_PRIO \
	152	+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
	153	+ fi
	154	+
	155	+ # Add source nat so also the gateway can access the other nets
	156	+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	157	+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	158	+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	159	+ if [ $? -eq 0 ]; then
	160	+ src=${_src}
	161	+ break
	162	+ fi
	163	+ done
	164	+
	165	+ if [ -n "${src}" ]; then
	166	+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	167	+ logger -t $TAG -p $FAC_PRIO \
	168	+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
	169	+ else
	170	+ logger -t $TAG -p $FAC_PRIO \
	171	+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
	172	+ fi
	173	+
	174	+ # Flush routing cache
	175	+ ip route flush cache
	176	;;
	177	down-client:iptables)
	178	# connection to client subnet, with (left/right)firewall=yes, going down
	179	@@ -486,28 +548,28 @@ down-client:iptables)
	180	# ones, so do not mess with it; see CAUTION comment up at top.
	181	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	182	then
	183	- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	184	+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	185	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	186	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	187	- $IPSEC_POLICY_OUT -j ACCEPT
	188	- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	189	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
	190	+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	191	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	192	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	193	- $IPSEC_POLICY_IN -j ACCEPT
	194	+ $IPSEC_POLICY_IN -j RETURN
	195	fi
	196	#
	197	# a virtual IP requires an INPUT and OUTPUT rule on the host
	198	# or sometimes host access via the internal IP is needed
	199	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	200	then
	201	- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	202	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	203	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	204	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	205	$IPSEC_POLICY_IN -j ACCEPT
	206	- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	207	+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	208	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	209	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	210	- $IPSEC_POLICY_OUT -j ACCEPT
	211	+ $IPSEC_POLICY_OUT -j MARK --set-mark 50
	212	fi
	213	#
	214	# log IPsec client connection teardown
	215	@@ -516,12 +578,51 @@ down-client:iptables)
	216	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
	217	then
	218	logger -t $TAG -p $FAC_PRIO -- \
	219	- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	220	+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	221	else
	222	logger -t $TAG -p $FAC_PRIO -- \
	223	- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	224	+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
	225	fi
	226	fi
	227	+
	228	+ #
	229	+ # Close Firewall for IPinIP + AH + ESP Traffic
	230	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
	231	+ -s $PLUTO_PEER $S_PEER_PORT \
	232	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	233	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
	234	+ -s $PLUTO_PEER $S_PEER_PORT \
	235	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	236	+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
	237	+ -s $PLUTO_PEER $S_PEER_PORT \
	238	+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
	239	+ if [ $VPN_LOGGING ]
	240	+ then
	241	+ logger -t $TAG -p $FAC_PRIO \
	242	+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
	243	+ fi
	244	+
	245	+ # remove source nat
	246	+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
	247	+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	248	+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
	249	+ if [ $? -eq 0 ]; then
	250	+ src=${_src}
	251	+ break
	252	+ fi
	253	+ done
	254	+
	255	+ if [ -n "${src}" ]; then
	256	+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
	257	+ logger -t $TAG -p $FAC_PRIO \
	258	+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
	259	+ else
	260	+ logger -t $TAG -p $FAC_PRIO \
	261	+ "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
	262	+ fi
	263	+
	264	+ # Flush routing cache
	265	+ ip route flush cache
	266	;;
	267	#
	268	# IPv6
	269	@@ -556,10 +657,10 @@ up-host-v6:iptables)
	270	# connection to me, with (left/right)firewall=yes, coming up
	271	# This is used only by the default updown script, not by your custom
	272	# ones, so do not mess with it; see CAUTION comment up at top.
	273	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	274	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	275	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	276	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	277	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	278	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	279	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	280	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	281	#
	282	@@ -580,10 +681,10 @@ down-host-v6:iptables)
	283	# connection to me, with (left/right)firewall=yes, going down
	284	# This is used only by the default updown script, not by your custom
	285	# ones, so do not mess with it; see CAUTION comment up at top.
	286	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	287	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	288	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	289	-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	290	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	291	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	292	-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	293	-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	294	#
	295	@@ -606,10 +707,10 @@ up-client-v6:iptables)
	296	# ones, so do not mess with it; see CAUTION comment up at top.
	297	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	298	then
	299	- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	300	+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	301	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	302	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	303	- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	304	+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	305	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	306	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	307	fi
	308	@@ -618,10 +719,10 @@ up-client-v6:iptables)
	309	# or sometimes host access via the internal IP is needed
	310	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	311	then
	312	- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	313	+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	314	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	315	-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	316	- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	317	+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	318	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	319	-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	320	fi
	321	@@ -645,11 +746,11 @@ down-client-v6:iptables)
	322	# ones, so do not mess with it; see CAUTION comment up at top.
	323	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	324	then
	325	- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	326	+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	327	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	328	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	329	$IPSEC_POLICY_OUT -j ACCEPT
	330	- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	331	+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	332	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	333	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	334	$IPSEC_POLICY_IN -j ACCEPT
	335	@@ -659,11 +760,11 @@ down-client-v6:iptables)
	336	# or sometimes host access via the internal IP is needed
	337	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	338	then
	339	- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	340	+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	341	-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	342	-d $PLUTO_MY_CLIENT $D_MY_PORT \
	343	$IPSEC_POLICY_IN -j ACCEPT
	344	- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	345	+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	346	-s $PLUTO_MY_CLIENT $S_MY_PORT \
	347	-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
	348	$IPSEC_POLICY_OUT -j ACCEPT