Move ipsec postrouting rules to a own chain.

author Arne Fitzenreiter <arne_f@ipfire.org>

Mon, 21 Dec 2009 01:26:09 +0000 (02:26 +0100)

committer Arne Fitzenreiter <arne_f@ipfire.org>

Mon, 21 Dec 2009 01:26:09 +0000 (02:26 +0100)
author Arne Fitzenreiter <arne_f@ipfire.org>
Mon, 21 Dec 2009 01:26:09 +0000 (02:26 +0100)
committer Arne Fitzenreiter <arne_f@ipfire.org>
Mon, 21 Dec 2009 01:26:09 +0000 (02:26 +0100)
diff --git a/config/rootfiles/core/34/filelists/files b/config/rootfiles/core/34/filelists/files

index f221a69d14d60615a7f876c889a9e8d84fc7f9da..0e9214560038b3dcadc319aba9d6ab982047e168 100644 (file)
--- a/config/rootfiles/core/34/filelists/files
+++ b/config/rootfiles/core/34/filelists/files
@@ -3,6 +3,7 @@ etc/rc.d/init.d/networking/red
  etc/rc.d/init.d/networking/dhcpcd.exe
  etc/rc.d/helper/getdnsfromdhcpc.pl
  etc/rc.d/init.d/tmpfs
+etc/rc.d/init.d/firewall
  boot/grub/grub.conf
  srv/web/ipfire/cgi-bin/index.cgi
  srv/web/ipfire/cgi-bin/mac.cgi
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall

index 62da3120bce7cb2ba05b63a65dba7006597481ee..1f400ad47837ae2048c54ba87c3ae7b90dbcf548 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -167,7 +167,9 @@ case "$1" in
         /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
         /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD"
         /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
-       
+       /sbin/iptables -t nat -N IPSECPOSTROUTING
+       /sbin/iptables -t nat -A POSTROUTING -j IPSECPOSTROUTING
+
         # Outgoing Firewall
         /sbin/iptables -A FORWARD -j OUTGOINGFW
  
diff --git a/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch b/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch

index 4d06228054aa8cf4b535f74e9e0dd933d151e5f8..20f85605c5d2d3a618bac11e8876cb8f474e9cf0 100644 (file)
--- a/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
+++ b/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
@@ -9,13 +9,13 @@
  +
  +case "$PLUTO_VERB" in
  +"route-client")
-+   logger -t "ipsec_updown" "iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
-+   /sbin/iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++   logger -t "ipsec_updown" "iptables -t nat -A IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++   /sbin/iptables -t nat -A IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
  +   ;;
  +
  +"unroute-client")
-+   logger -t "ipsec_updown" "iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
-+   /sbin/iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++   logger -t "ipsec_updown" "iptables -t nat -D IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++   /sbin/iptables -t nat -D IPSECPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
  +   ;;
  +esac
  +
author	Arne Fitzenreiter <arne_f@ipfire.org>
	Mon, 21 Dec 2009 01:26:09 +0000 (02:26 +0100)
committer	Arne Fitzenreiter <arne_f@ipfire.org>
	Mon, 21 Dec 2009 01:26:09 +0000 (02:26 +0100)
config/rootfiles/core/34/filelists/files		patch \| blob \| blame \| history
src/initscripts/init.d/firewall		patch \| blob \| blame \| history
src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch		patch \| blob \| blame \| history