1 #!/bin/sh
2 # default updown script
3 #
4 # Copyright (C) 2003-2004 Nigel Meteringham
5 # Copyright (C) 2003-2004 Tuomo Soini
6 # Copyright (C) 2002-2004 Michael Richardson
7 # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
8 #
9 # This program is free software; you can redistribute it and/or modify it
10 # under the terms of the GNU General Public License as published by the
11 # Free Software Foundation; either version 2 of the License, or (at your
12 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 #
14 # This program is distributed in the hope that it will be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 # for more details.
18
19 # CAUTION: Installing a new version of strongSwan will install a new
20 # copy of this script, wiping out any custom changes you make. If
21 # you need changes, make a copy of this under another name, and customize
22 # that, and use the (left/right)updown parameters in ipsec.conf to make
23 # strongSwan use yours instead of this default one.
24
25 # PLUTO_VERSION
26 # indicates what version of this interface is being
27 # used. This document describes version 1.1. This
28 # is upwardly compatible with version 1.0.
29 #
30 # PLUTO_VERB
31 # specifies the name of the operation to be performed
32 # (prepare-host, prepare-client, up-host, up-client,
33 # down-host, or down-client). If the address family
34 # for security gateway to security gateway communications
35 # is IPv6, then a suffix of -v6 is added to the
36 # verb.
37 #
38 # PLUTO_CONNECTION
39 # is the name of the connection for which we are
40 # routing.
41 #
42 # PLUTO_INTERFACE
43 # is the name of the ipsec interface to be used.
44 #
45 # PLUTO_REQID
46 # is the reqid of the AH|ESP policy
47 #
48 # PLUTO_PROTO
49 # is the negotiated IPsec protocol, ah|esp
50 #
51 # PLUTO_IPCOMP
52 # is not empty if IPComp was negotiated
53 #
54 # PLUTO_UNIQUEID
55 # is the unique identifier of the associated IKE_SA
56 #
57 # PLUTO_ME
58 # is the IP address of our host.
59 #
60 # PLUTO_MY_ID
61 # is the ID of our host.
62 #
63 # PLUTO_MY_CLIENT
64 # is the IP address / count of our client subnet. If
65 # the client is just the host, this will be the
66 # host's own IP address / max (where max is 32 for
67 # IPv4 and 128 for IPv6).
68 #
69 # PLUTO_MY_SOURCEIP
70 # PLUTO_MY_SOURCEIP4_$i
71 # PLUTO_MY_SOURCEIP6_$i
72 # contain the IPv4/IPv6 virtual IPs received from a responder;
73 # $i enumerates from 1 to the number of IPs per address family.
74 # PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
75 # virtual IP, IPv4 or IPv6.
76 #
77 # PLUTO_MY_PROTOCOL
78 # is the IP protocol that will be transported.
79 #
80 # PLUTO_MY_PORT
81 # is the UDP/TCP port to which the IPsec SA is
82 # restricted on our side. For ICMP/ICMPv6 this contains the
83 # message type, and PLUTO_PEER_PORT the message code.
84 #
85 # PLUTO_PEER
86 # is the IP address of our peer.
87 #
88 # PLUTO_PEER_ID
89 # is the ID of our peer.
90 #
91 # PLUTO_PEER_CLIENT
92 # is the IP address / count of the peer's client sub-
93 # net. If the client is just the peer, this will be
94 # the peer's own IP address / max (where max is 32
95 # for IPv4 and 128 for IPv6).
96 #
97 # PLUTO_PEER_SOURCEIP
98 # PLUTO_PEER_SOURCEIP4_$i
99 # PLUTO_PEER_SOURCEIP6_$i
100 # contain the IPv4/IPv6 virtual IPs sent to an initiator;
101 # $i enumerates from 1 to the number of IPs per address family.
102 # PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
103 # virtual IP, IPv4 or IPv6.
104 #
105 # PLUTO_PEER_PROTOCOL
106 # is the IP protocol that will be transported.
107 #
108 # PLUTO_PEER_PORT
109 # is the UDP/TCP port to which the IPsec SA is
110 # restricted on the peer side. For ICMP/ICMPv6 this contains the
111 # message code, and PLUTO_MY_PORT the message type.
112 #
113 # PLUTO_XAUTH_ID
114 # is an optional user ID employed by the XAUTH protocol
115 #
116 # PLUTO_MARK_IN
117 # is an optional XFRM mark set on the inbound IPsec SA
118 #
119 # PLUTO_MARK_OUT
120 # is an optional XFRM mark set on the outbound IPsec SA
121 #
122 # PLUTO_IF_ID_IN
123 # is an optional XFRM interface ID set on the inbound IPsec SA
124 #
125 # PLUTO_IF_ID_OUT
126 # is an optional XFRM interface ID set on the outbound IPsec SA
127 #
128 # PLUTO_UDP_ENC
129 # contains the remote UDP port in the case of ESP_IN_UDP
130 # encapsulation
131 #
132 # PLUTO_DNS4_$i
133 # PLUTO_DNS6_$i
134 # contain the IPv4/IPv6 DNS server attributes received from a
135 # responder; $i enumerates from 1 to the number of servers per
136 # address family.
137 #
138
# define a minimum PATH environment in case it is not set
# PATH is replaced unconditionally, so nothing inherited from the caller's
# environment decides which iptables/ip6tables/logger binaries run below.
# @sbindir@ is presumably filled in when this .in file is processed at
# build time, so the strongSwan sbin directory is searched as well.
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"

# comment to disable logging VPN connections to syslog
# (the tests below use "[ $VPN_LOGGING ]", i.e. any non-empty value enables it)
VPN_LOGGING=1
# tag put in front of each log entry:
TAG="vpn"
# syslog facility and priority used:
FAC_PRIO="local0.notice"
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice -/var/log/vpn
156
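# check interface version
# The daemon exports PLUTO_VERSION. Anything that is not a 1.x value is
# refused, and 1.0/1.1 are refused as too old because this script may use
# variables those releases did not export. Exit status 2 signals a calling
# convention problem rather than a failed firewall operation.
# NOTE(review): the header above says this script documents interface 1.1
# (upwardly compatible with 1.0), yet both values are rejected here - confirm
# which value the daemon actually exports.
case "$PLUTO_VERSION" in
1.[01]) # Older release?!? Play it safe, script may be using new features.
    # The pattern used to be "1.[0|1]"; inside a bracket expression "|" is a
    # literal character, not alternation, so it also matched the bogus "1.|".
    # printf instead of echo: under /bin/sh, echo may interpret backslashes
    # contained in $0 or $PLUTO_VERSION.
    printf '%s\n' "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
    printf '%s\n' "$0: called by obsolete release?" >&2
    exit 2
    ;;
1.*)
    ;;
*)
    printf '%s\n' "$0: unknown interface version \`$PLUTO_VERSION'" >&2
    exit 2
    ;;
esac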
169
# check parameter(s)
# "$1:$*" folds the whole argument list into one string, so a single case
# can tell apart "no arguments", "exactly one argument, iptables" and
# "first argument custom, anything after it"; everything else is refused
# with status 2 before any firewall command is reached.
case "$1:$*" in
    ':')
        # no parameters
        ;;
    custom:*)
        # custom parameters (see above CAUTION comment)
        ;;
    iptables:iptables)
        # due to (left/right)firewall; for default script only
        ;;
    *)
        echo "$0: unknown parameters \`$*'" >&2
        exit 2
        ;;
esac
182
# iptables match shared by every rule below. It ties the rule to this
# particular SA: the packet has to have been handled by the kernel under an
# IPsec policy with the negotiated protocol and reqid (see the policy match
# in iptables-extensions(8)), so cleartext packets that merely carry the
# same addresses are not accepted by these rules.
IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
IPSEC_POLICY_IN="${IPSEC_POLICY} --dir in"
IPSEC_POLICY_OUT="${IPSEC_POLICY} --dir out"
186
# use protocol specific options to set ports
# For ICMP (1) and ICMPv6 (58) the "port" values are message type and code
# (see PLUTO_MY_PORT / PLUTO_PEER_PORT in the header), which iptables takes
# as a single --icmp[v6]-type type[/code] option; for everything else they
# become --sport/--dport options. A value of 0 means "no restriction".
# The resulting variables are expanded unquoted on the iptables command
# lines below on purpose: each holds zero or more option words.
# NOTE(review): an empty PLUTO_MY_PORT/PLUTO_PEER_PORT passes the "!= 0"
# test and would yield a bare --sport/--dport - assumes the daemon always
# exports numeric values, as the interface description says.
case "$PLUTO_MY_PROTOCOL" in
    1)  ICMP_TYPE_OPTION="--icmp-type" ;;      # ICMP
    58) ICMP_TYPE_OPTION="--icmpv6-type" ;;    # ICMPv6
esac

# are there port numbers?
if [ -n "$ICMP_TYPE_OPTION" ]
then
    # ICMP: type from our side, then "/code" appended from the peer side
    if [ "$PLUTO_MY_PORT" != 0 ]
    then
        S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
        D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
    fi
    if [ "$PLUTO_PEER_PORT" != 0 ]
    then
        # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
        S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
        D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
    fi
else
    # TCP/UDP/other: independent source and destination port options
    if [ "$PLUTO_MY_PORT" != 0 ]
    then
        S_MY_PORT="--sport $PLUTO_MY_PORT"
        D_MY_PORT="--dport $PLUTO_MY_PORT"
    fi
    if [ "$PLUTO_PEER_PORT" != 0 ]
    then
        S_PEER_PORT="--sport $PLUTO_PEER_PORT"
        D_PEER_PORT="--dport $PLUTO_PEER_PORT"
    fi
fi
223
# Dispatch on the operation requested by the daemon and the script parameter:
#   "<verb>:"          no parameter - hook arms for customised copies of this
#                      script, deliberately empty in the default one
#   "<verb>:iptables"  (left/right)firewall=yes - maintain ACCEPT rules that
#                      are bound to this SA through $IPSEC_POLICY_IN/_OUT
# The -v6 arms mirror the IPv4 arms with ip6tables, a /128 host prefix and
# protocol 41 (IPv6-in-IPv6) in place of protocol 4 (IPIP) for IPComp.
#
# Points to keep in mind when editing the iptables arms:
#  * "-I CHAIN 1" inserts at the head of the chain, so the ACCEPT is
#    evaluated before any rule that follows it.
#  * "-D" deletes by match: each down-* arm must repeat the argument list of
#    the corresponding up-* arm verbatim, otherwise the rule is left behind.
#  * $S_MY_PORT, $D_MY_PORT, $S_PEER_PORT, $D_PEER_PORT and $IPSEC_POLICY_*
#    are intentionally unquoted - they expand to zero or more option words.
#  * PLUTO_HOST_ACCESS is read below but is not described in the header
#    above; a non-empty value adds the host INPUT/OUTPUT rules even when no
#    virtual IP was assigned.
#  * PLUTO_PEER_ID (the ID of our peer, see header) is passed to logger
#    verbatim; it is the peer's identity, not a locally derived value.
case "$PLUTO_VERB:$1" in
up-host:)
    # connection to me coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-host:)
    # connection to me going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-host:iptables)
    # connection to me, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    # INPUT: peer's client -> this host; OUTPUT: this host -> peer's client;
    # both restricted to packets handled under this SA's policy.
    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
    #
    # allow IPIP traffic because of the implicit SA created by the kernel if
    # IPComp is used (for small inbound packets that are not compressed)
    if [ -n "$PLUTO_IPCOMP" ]
    then
        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec host connection setup
    # ("[ $VPN_LOGGING ]" is true for the "1" set at the top and false once
    # that assignment is commented out; the message starts with "+", so no
    # "--" is needed before it)
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        else
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
    fi
    ;;
down-host:iptables)
    # connection to me, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    # same match as the up-host:iptables rules so that -D finds them
    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
    #
    # IPIP exception teardown
    if [ -n "$PLUTO_IPCOMP" ]
    then
        iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec host connection teardown
    # ("--" ends option parsing because the message starts with "-")
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        else
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
    fi
    ;;
up-client:iptables)
    # connection to client subnet, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    # FORWARD rules for traffic between the two subnets; skipped when the
    # peer's client is exactly our own virtual IP (presumably because that
    # traffic terminates on this host and is covered by INPUT/OUTPUT below)
    if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
    then
        iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
        iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # a virtual IP requires an INPUT and OUTPUT rule on the host
    # or sometimes host access via the internal IP is needed
    # NOTE(review): the binary "-o" of test is an obsolescent XSI extension;
    # "[ -n a ] || [ -n b ]" is the portable spelling (same in the other arms)
    if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
    then
        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
    fi
    #
    # allow IPIP traffic because of the implicit SA created by the kernel if
    # IPComp is used (for small inbound packets that are not compressed).
    # INPUT is correct here even for forwarded traffic.
    if [ -n "$PLUTO_IPCOMP" ]
    then
        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec client connection setup
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
    fi
    ;;
down-client:iptables)
    # connection to client subnet, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    # conditions and matches mirror up-client:iptables so every rule that
    # was inserted there is deleted here
    if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
    then
        iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
            $IPSEC_POLICY_OUT -j ACCEPT
        iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT \
            $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # a virtual IP requires an INPUT and OUTPUT rule on the host
    # or sometimes host access via the internal IP is needed
    if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
    then
        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT \
            $IPSEC_POLICY_IN -j ACCEPT
        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
            $IPSEC_POLICY_OUT -j ACCEPT
    fi
    #
    # IPIP exception teardown
    if [ -n "$PLUTO_IPCOMP" ]
    then
        iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec client connection teardown
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        then
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
    fi
    ;;
#
# IPv6
# (same structure as above: ip6tables, /128 host prefix, protocol 41 for the
# IPComp exception)
#
up-host-v6:)
    # connection to me coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-host-v6:)
    # connection to me going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-client-v6:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    ;;
down-client-v6:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    ;;
up-host-v6:iptables)
    # connection to me, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
    #
    # allow IP6IP6 traffic because of the implicit SA created by the kernel if
    # IPComp is used (for small inbound packets that are not compressed)
    if [ -n "$PLUTO_IPCOMP" ]
    then
        ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec host connection setup
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        then
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        else
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
    fi
    ;;
down-host-v6:iptables)
    # connection to me, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
    #
    # IP6IP6 exception teardown
    if [ -n "$PLUTO_IPCOMP" ]
    then
        ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec host connection teardown
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        then
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        else
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        fi
    fi
    ;;
up-client-v6:iptables)
    # connection to client subnet, with (left/right)firewall=yes, coming up
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    # NOTE(review): per the header, PLUTO_MY_SOURCEIP is the first virtual IP
    # of either family; if an IPv4 virtual IP is listed first this comparison
    # cannot match - confirm whether PLUTO_MY_SOURCEIP6_1 is the intended
    # value here and in down-client-v6:iptables.
    if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
    then
        ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
        ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # a virtual IP requires an INPUT and OUTPUT rule on the host
    # or sometimes host access via the internal IP is needed
    if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
    then
        ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
    fi
    #
    # allow IP6IP6 traffic because of the implicit SA created by the kernel if
    # IPComp is used (for small inbound packets that are not compressed).
    # INPUT is correct here even for forwarded traffic.
    if [ -n "$PLUTO_IPCOMP" ]
    then
        ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec client connection setup
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        then
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
            logger -t $TAG -p $FAC_PRIO \
                "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
    fi
    ;;
down-client-v6:iptables)
    # connection to client subnet, with (left/right)firewall=yes, going down
    # This is used only by the default updown script, not by your custom
    # ones, so do not mess with it; see CAUTION comment up at top.
    if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
    then
        ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
            $IPSEC_POLICY_OUT -j ACCEPT
        ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT \
            $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # a virtual IP requires an INPUT and OUTPUT rule on the host
    # or sometimes host access via the internal IP is needed
    if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
    then
        ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
            -d $PLUTO_MY_CLIENT $D_MY_PORT \
            $IPSEC_POLICY_IN -j ACCEPT
        ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
            -s $PLUTO_MY_CLIENT $S_MY_PORT \
            -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
            $IPSEC_POLICY_OUT -j ACCEPT
    fi
    #
    # IP6IP6 exception teardown
    if [ -n "$PLUTO_IPCOMP" ]
    then
        ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
            -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
    fi
    #
    # log IPsec client connection teardown
    if [ $VPN_LOGGING ]
    then
        if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        then
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        else
            logger -t $TAG -p $FAC_PRIO -- \
                "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        fi
    fi
    ;;
*)
    # any other verb/parameter combination (including the prepare-* verbs
    # listed in the header, which have no arm here) is reported and fails
    echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
    exit 1
    ;;
esac