updown: Pass interface ID to updown script
1#!/bin/sh
2# default updown script
3#
4# Copyright (C) 2003-2004 Nigel Meteringham
5# Copyright (C) 2003-2004 Tuomo Soini
6# Copyright (C) 2002-2004 Michael Richardson
ef014519 7# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
8b3b4a24 8#
9# This program is free software; you can redistribute it and/or modify it
10# under the terms of the GNU General Public License as published by the
11# Free Software Foundation; either version 2 of the License, or (at your
12# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8b3b4a24 13#
14# This program is distributed in the hope that it will be useful, but
15# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17# for more details.
19# CAUTION: Installing a new version of strongSwan will install a new
20# copy of this script, wiping out any custom changes you make. If
21# you need changes, make a copy of this under another name, and customize
22# that, and use the (left/right)updown parameters in ipsec.conf to make
23# strongSwan use yours instead of this default one.
25# PLUTO_VERSION
26# indicates what version of this interface is being
27# used. This document describes version 1.1. This
28# is upwardly compatible with version 1.0.
29#
30# PLUTO_VERB
31# specifies the name of the operation to be performed
32# (prepare-host, prepare-client, up-host, up-client,
33# down-host, or down-client). If the address family
8af25c56 34# for security gateway to security gateway communica-
35# tions is IPv6, then a suffix of -v6 is added to the
36# verb.
37#
38# PLUTO_CONNECTION
39# is the name of the connection for which we are
40# routing.
41#
42# PLUTO_INTERFACE
43# is the name of the ipsec interface to be used.
44#
45# PLUTO_REQID
46# is the requid of the AH|ESP policy
47#
48# PLUTO_PROTO
49# is the negotiated IPsec protocol, ah|esp
997358a6 50#
51# PLUTO_IPCOMP
52# is not empty if IPComp was negotiated
53#
54# PLUTO_UNIQUEID
55# is the unique identifier of the associated IKE_SA
56#
57# PLUTO_ME
58# is the IP address of our host.
59#
60# PLUTO_MY_ID
61# is the ID of our host.
62#
63# PLUTO_MY_CLIENT
64# is the IP address / count of our client subnet. If
65# the client is just the host, this will be the
66# host's own IP address / max (where max is 32 for
67# IPv4 and 128 for IPv6).
68#
997358a6 69# PLUTO_MY_SOURCEIP
70# PLUTO_MY_SOURCEIP4_$i
71# PLUTO_MY_SOURCEIP6_$i
72# contains IPv4/IPv6 virtual IP received from a responder,
73# $i enumerates from 1 to the number of IP per address family.
1de31bcc 74# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
2df15595 75# virtual IP, IPv4 or IPv6.
76#
77# PLUTO_MY_PROTOCOL
78# is the IP protocol that will be transported.
79#
80# PLUTO_MY_PORT
81# is the UDP/TCP port to which the IPsec SA is
82# restricted on our side. For ICMP/ICMPv6 this contains the
83# message type, and PLUTO_PEER_PORT the message code.
84#
85# PLUTO_PEER
86# is the IP address of our peer.
87#
88# PLUTO_PEER_ID
89# is the ID of our peer.
90#
997358a6 91# PLUTO_PEER_CLIENT
8af25c56 92# is the IP address / count of the peer's client sub-
93# net. If the client is just the peer, this will be
94# the peer's own IP address / max (where max is 32
95# for IPv4 and 128 for IPv6).
96#
97# PLUTO_PEER_SOURCEIP
98# PLUTO_PEER_SOURCEIP4_$i
99# PLUTO_PEER_SOURCEIP6_$i
100# contains IPv4/IPv6 virtual IP sent to an initiator,
101# $i enumerates from 1 to the number of IP per address family.
102# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
103# virtual IP, IPv4 or IPv6.
104#
105# PLUTO_PEER_PROTOCOL
106# is the IP protocol that will be transported.
107#
108# PLUTO_PEER_PORT
109# is the UDP/TCP port to which the IPsec SA is
110# restricted on the peer side. For ICMP/ICMPv6 this contains the
111# message code, and PLUTO_MY_PORT the message type.
997358a6 112#
113# PLUTO_XAUTH_ID
114# is an optional user ID employed by the XAUTH protocol
115#
116# PLUTO_MARK_IN
117# is an optional XFRM mark set on the inbound IPsec SA
118#
119# PLUTO_MARK_OUT
120# is an optional XFRM mark set on the outbound IPsec SA
121#
122# PLUTO_IF_ID_IN
123# is an optional XFRM interface ID set on the inbound IPsec SA
124#
125# PLUTO_IF_ID_OUT
126# is an optional XFRM interface ID set on the outbound IPsec SA
127#
6d71f4dc 128# PLUTO_UDP_ENC
129# contains the remote UDP port in the case of ESP_IN_UDP
130# encapsulation
964f6372 131#
132# PLUTO_DNS4_$i
133# PLUTO_DNS6_$i
134# contains IPv4/IPv6 DNS server attribute received from a
135# responder, $i enumerates from 1 to the number of servers per
136# address family.
137#
# Force a fixed, trusted PATH instead of inheriting whatever environment the
# invoking daemon was started with: iptables/ip6tables/logger below are then
# always resolved from the system directories (plus @sbindir@, which is
# filled in at build time).  This is deliberately unconditional.
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"

# Syslog reporting of connection setup/teardown.  Any non-empty value turns
# it on; comment the line out (or leave it empty) to keep the script silent.
VPN_LOGGING=1
#
# facility.priority the entries are logged with:
FAC_PRIO=local0.notice
#
# tag prefixed to every entry:
TAG=vpn
#
# To collect these entries in a dedicated file, add the following line to
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn

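# check interface version
# NOTE(review): the interface description above says it covers version 1.1,
# yet the first arm rejects 1.0 and 1.1 -- confirm which PLUTO_VERSION the
# daemon actually exports before relying on either statement.
case "$PLUTO_VERSION" in
1.[01])	# Older release?!? Play it safe, script may be using new features.
	# [01], not [0|1]: '|' is not alternation inside a bracket expression,
	# it merely added a literal '|' to the set of matched characters.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete release?" >&2
	exit 2
	;;
1.*)	;;	# any other 1.x: accepted
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac
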
# check parameter(s)
# Accepted invocations: no argument at all, exactly the single word
# "iptables" (what (left/right)firewall=yes passes to this default script),
# or "custom" followed by anything (reserved for customised copies, see the
# CAUTION comment above).  Anything else is a usage error.
case "$1:$*" in
custom:*)		# custom parameters, free-form
	;;
iptables:iptables)	# due to (left/right)firewall; for default script only
	;;
':')			# no parameters
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# iptables policy match that restricts the rules below to traffic which was
# (inbound) or will be (outbound) IPsec-protected by this very SA, keyed on
# the negotiated protocol and the reqid.  Expanded unquoted later on, as it
# holds several arguments.
IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"

# ICMP and ICMPv6 have no ports: for them the "port" values carry the
# message type/code, which iptables matches with --icmp-type / --icmpv6-type.
# ICMP_TYPE_OPTION stays unset for every other protocol.
case "$PLUTO_MY_PROTOCOL" in
1)	ICMP_TYPE_OPTION="--icmp-type"		;;	# ICMP
58)	ICMP_TYPE_OPTION="--icmpv6-type"	;;	# ICMPv6
*)	;;
esac

# Build the port (or ICMP type/code) match arguments.  A port of 0 means
# "unrestricted" and yields no argument at all, which is why the S_*/D_*
# variables are expanded unquoted further down.
# NOTE(review): for ICMP with PLUTO_MY_PORT=0 but PLUTO_PEER_PORT!=0 the
# code gets appended to an empty S_MY_PORT, producing a bare "/code"
# argument -- confirm the daemon never exports that combination.
if [ "$PLUTO_MY_PORT" != 0 ]; then
	case "$ICMP_TYPE_OPTION" in
	'')	# TCP/UDP: plain source/destination port match
		S_MY_PORT="--sport $PLUTO_MY_PORT"
		D_MY_PORT="--dport $PLUTO_MY_PORT"
		;;
	*)	# ICMP: PLUTO_MY_PORT holds the message type
		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
		D_MY_PORT="$S_MY_PORT"
		;;
	esac
fi
if [ "$PLUTO_PEER_PORT" != 0 ]; then
	case "$ICMP_TYPE_OPTION" in
	'')	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
		;;
	*)	# ICMP: the syntax is --icmp[v6]-type type[/code], so the code
		# (PLUTO_PEER_PORT) is appended to the option built above
		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
		;;
	esac
fi

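# Dispatch on the operation requested by the daemon and on the script's own
# first argument.  The bare verbs (no argument) are empty hooks for customised
# copies of this script; the ":iptables" arms are what (left/right)firewall=yes
# drives and install or remove the matching iptables/ip6tables ACCEPT rules.
#
# Every PLUTO_* value is exported by the IKE daemon, not typed in by a user.
# PLUTO_PEER_ID is nevertheless the peer's identity, i.e. it comes from the
# remote side, and is therefore only ever handed to logger inside one quoted
# argument.  Single-valued variables are quoted below; $S_*_PORT, $D_*_PORT
# and $IPSEC_POLICY_* are expanded unquoted on purpose, as each holds zero or
# more whitespace-separated iptables arguments.
#
# PLUTO_HOST_ACCESS is not listed in the interface description above; when
# it is non-empty it is treated like a virtual IP, i.e. INPUT/OUTPUT rules
# for the host itself are installed in addition to any FORWARD rules.
case "$PLUTO_VERB:$1" in
up-host:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	iptables -I INPUT 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
	    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
	    -d "$PLUTO_ME" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -I OUTPUT 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
	    -s "$PLUTO_ME" $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT -j ACCEPT
	#
	# allow IPIP traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed)
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -I INPUT 1 -i "$PLUTO_INTERFACE" -p 4 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		# peer's "client" is just the peer itself: shorter log line
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# The rules are removed by exact match, so the arguments must mirror
	# the up-host:iptables arm.
	iptables -D INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
	    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
	    -d "$PLUTO_ME" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -D OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
	    -s "$PLUTO_ME" $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT -j ACCEPT
	#
	# IPIP exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -D INPUT -i "$PLUTO_INTERFACE" -p 4 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# No FORWARD rules when the peer's "client" is our own virtual IP;
	# that traffic is covered by the host INPUT/OUTPUT rules below.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
		iptables -I FORWARD 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		iptables -I FORWARD 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		iptables -I INPUT 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		iptables -I OUTPUT 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# allow IPIP traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed).
	# INPUT is correct here even for forwarded traffic.
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -I INPUT 1 -i "$PLUTO_INTERFACE" -p 4 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# Mirrors up-client:iptables exactly, since -D removes by full match.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
		iptables -D FORWARD -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		iptables -D FORWARD -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		iptables -D INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		iptables -D OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# IPIP exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		iptables -D INPUT -i "$PLUTO_INTERFACE" -p 4 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
#
# IPv6: same structure as above with ip6tables, /128 host prefixes and
# protocol 41 (IPv6-in-IPv6) for the IPComp exception
#
up-host-v6:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -I INPUT 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
	    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
	    -d "$PLUTO_ME" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -I OUTPUT 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
	    -s "$PLUTO_ME" $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT -j ACCEPT
	#
	# allow IP6IP6 traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed)
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -I INPUT 1 -i "$PLUTO_INTERFACE" -p 41 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -D INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
	    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
	    -d "$PLUTO_ME" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -D OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
	    -s "$PLUTO_ME" $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT -j ACCEPT
	#
	# IP6IP6 exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -D INPUT -i "$PLUTO_INTERFACE" -p 41 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec host connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
		ip6tables -I FORWARD 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		ip6tables -I FORWARD 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		ip6tables -I INPUT 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		ip6tables -I OUTPUT 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# allow IP6IP6 traffic because of the implicit SA created by the kernel if
	# IPComp is used (for small inbound packets that are not compressed).
	# INPUT is correct here even for forwarded traffic.
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -I INPUT 1 -i "$PLUTO_INTERFACE" -p 41 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection setup
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
		ip6tables -D FORWARD -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		ip6tables -D FORWARD -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		ip6tables -D INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		    -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		    -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		ip6tables -D OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		    -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
		    -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# IP6IP6 exception teardown
	if [ -n "$PLUTO_IPCOMP" ]
	then
		ip6tables -D INPUT -i "$PLUTO_INTERFACE" -p 41 \
		    -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# log IPsec client connection teardown
	if [ -n "$VPN_LOGGING" ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t "$TAG" -p "$FAC_PRIO" -- \
			    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac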