2 # iproute2 version, default updown script
4 # Copyright (C) 2003-2004 Nigel Meteringham
5 # Copyright (C) 2003-2004 Tuomo Soini
6 # Copyright (C) 2002-2004 Michael Richardson
7 # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
9 # This program is free software; you can redistribute it and/or modify it
10 # under the terms of the GNU General Public License as published by the
11 # Free Software Foundation; either version 2 of the License, or (at your
12 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 # This program is distributed in the hope that it will be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 # CAUTION: Installing a new version of strongSwan will install a new
20 # copy of this script, wiping out any custom changes you make. If
21 # you need changes, make a copy of this under another name, and customize
22 # that, and use the (left/right)updown parameters in ipsec.conf to make
23 # strongSwan use yours instead of this default one.
25 # things that this script gets (from ipsec_pluto(8) man page)
28 # indicates what version of this interface is being
29 # used. This document describes version 1.1. This
30 # is upwardly compatible with version 1.0.
33 # specifies the name of the operation to be performed
34 # (prepare-host, prepare-client, up-host, up-client,
35 # down-host, or down-client). If the address family
36 # for security gateway to security gateway communica-
37 # tions is IPv6, then a suffix of -v6 is added to the
41 # is the name of the connection for which we are
45 # is the name of the ipsec interface to be used.
48 # is the requid of the AH|ESP policy
51 # is the negotiated IPsec protocol, ah|esp
54 # is not empty if IPComp was negotiated
57 # is the unique identifier of the associated IKE_SA
60 # is the IP address of our host.
63 # is the ID of our host.
66 # is the IP address / count of our client subnet. If
67 # the client is just the host, this will be the
68 # host's own IP address / max (where max is 32 for
69 # IPv4 and 128 for IPv6).
72 # PLUTO_MY_SOURCEIP4_$i
73 # PLUTO_MY_SOURCEIP6_$i
74 # contains IPv4/IPv6 virtual IP received from a responder,
75 # $i enumerates from 1 to the number of IP per address family.
76 # PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
77 # virtual IP, IPv4 or IPv6.
80 # is the IP protocol that will be transported.
83 # is the UDP/TCP port to which the IPsec SA is
84 # restricted on our side. For ICMP/ICMPv6 this contains the
85 # message type, and PLUTO_PEER_PORT the message code.
88 # is the IP address of our peer.
91 # is the ID of our peer.
94 # is the IP address / count of the peer's client sub-
95 # net. If the client is just the peer, this will be
96 # the peer's own IP address / max (where max is 32
97 # for IPv4 and 128 for IPv6).
100 # is the IP protocol that will be transported.
103 # is the UDP/TCP port to which the IPsec SA is
104 # restricted on the peer side. For ICMP/ICMPv6 this contains the
105 # message code, and PLUTO_MY_PORT the message type.
108 # is an optional user ID employed by the XAUTH protocol
111 # is an optional XFRM mark set on the inbound IPsec SA
114 # is an optional XFRM mark set on the outbound IPsec SA
117 # contains the remote UDP port in the case of ESP_IN_UDP
122 # contains IPv4/IPv6 DNS server attribute received from a
123 # responder, $i enumerates from 1 to the number of servers per
127 # define a minimum PATH environment in case it is not set
128 PATH
="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
131 # uncomment to log VPN connections
134 # tag put in front of each log entry:
137 # syslog facility and priority used:
138 FAC_PRIO
=local0.notice
140 # to create a special vpn logging file, put the following line into
141 # the syslog configuration file /etc/syslog.conf:
143 # local0.notice -/var/log/vpn
145 # in order to use source IP routing the Linux kernel options
146 # CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
149 # special routing table for sourceip routes
150 SOURCEIP_ROUTING_TABLE
=@routing_table@
152 # priority of the sourceip routing table
153 SOURCEIP_ROUTING_TABLE_PRIO
=@routing_table_prio@
155 # check interface version
156 case "$PLUTO_VERSION" in
157 1.
[0|
1]) # Older Pluto?!? Play it safe, script may be using new features.
158 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
159 echo "$0: called by obsolete Pluto?" >&2
163 *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
172 iptables
:iptables
) # due to (left/right)firewall; for default script only
174 custom
:*) # custom parameters (see above CAUTION comment)
176 *) echo "$0: unknown parameters \`$*'" >&2
181 # utility functions for route manipulation
182 # Meddling with this stuff should not be necessary and requires great care.
194 if ! ip
-o route get
${PLUTO_MY_SOURCEIP%/*} |
grep -q ^
local
196 it
="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
197 oops
="`eval $it 2>&1`"
199 if test " $oops" = " " -a " $st" != " 0"
201 oops
="silent error, exit status $st"
203 if test " $oops" != " " -o " $st" != " 0"
205 echo "$0: addsource \`$it' failed ($oops)" >&2
214 if [ -z "$PLUTO_MY_SOURCEIP" ]
216 for dir
in /etc
/sysconfig
/etc
/conf.d
; do
217 if [ -f "$dir/defaultsource" ]
219 .
"$dir/defaultsource"
223 if [ -n "$DEFAULTSOURCE" ]
225 PLUTO_MY_SOURCEIP
=$DEFAULTSOURCE
229 if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
231 # leave because no route entry is required
235 parms1
="$PLUTO_PEER_CLIENT"
237 if [ -n "$PLUTO_NEXT_HOP" ]
239 parms2
="via $PLUTO_NEXT_HOP"
241 parms2
="via $PLUTO_PEER"
243 parms2
="$parms2 dev $PLUTO_INTERFACE"
246 if [ -n "$PLUTO_MY_SOURCEIP" ]
251 if ! ip rule list |
grep -q "lookup $SOURCEIP_ROUTING_TABLE"
253 ip rule add pref
$SOURCEIP_ROUTING_TABLE_PRIO table
$SOURCEIP_ROUTING_TABLE
256 parms3
="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
259 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
261 # opportunistic encryption work around
262 # need to provide route that eclipses default, without
264 it
="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
265 ip route $1 128.0.0.0/1 $parms2 $parms3"
267 *) it
="ip route $1 $parms1 $parms2 $parms3"
270 oops
="`eval $it 2>&1`"
272 if test " $oops" = " " -a " $st" != " 0"
274 oops
="silent error, exit status $st"
276 if test " $oops" != " " -o " $st" != " 0"
278 echo "$0: doroute \`$it' failed ($oops)" >&2
283 # in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
284 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
291 IPSEC_POLICY
="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
292 IPSEC_POLICY_IN
="$IPSEC_POLICY --dir in"
293 IPSEC_POLICY_OUT
="$IPSEC_POLICY --dir out"
296 # use protocol specific options to set ports
297 case "$PLUTO_MY_PROTOCOL" in
299 ICMP_TYPE_OPTION
="--icmp-type"
302 ICMP_TYPE_OPTION
="--icmpv6-type"
308 # are there port numbers?
309 if [ "$PLUTO_MY_PORT" != 0 ]
311 if [ -n "$ICMP_TYPE_OPTION" ]
313 S_MY_PORT
="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
314 D_MY_PORT
="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
316 S_MY_PORT
="--sport $PLUTO_MY_PORT"
317 D_MY_PORT
="--dport $PLUTO_MY_PORT"
320 if [ "$PLUTO_PEER_PORT" != 0 ]
322 if [ -n "$ICMP_TYPE_OPTION" ]
324 # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
325 S_MY_PORT
="$S_MY_PORT/$PLUTO_PEER_PORT"
326 D_MY_PORT
="$D_MY_PORT/$PLUTO_PEER_PORT"
328 S_PEER_PORT
="--sport $PLUTO_PEER_PORT"
329 D_PEER_PORT
="--dport $PLUTO_PEER_PORT"
333 # resolve octal escape sequences
334 PLUTO_MY_ID
=`printf "$PLUTO_MY_ID"`
335 PLUTO_PEER_ID
=`printf "$PLUTO_PEER_ID"`
338 case "$PLUTO_VERB:$1" in
339 prepare-host
:*|prepare-client
:*)
340 if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
342 # exit because no route will be added,
343 # so that existing routes can stay
347 # delete possibly-existing route (preliminary to adding a route)
348 case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
350 # need to provide route that eclipses default, without
354 it
="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
355 oops
="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
358 parms
="$PLUTO_PEER_CLIENT"
359 it
="ip route delete $parms 2>&1"
360 oops
="`ip route delete $parms 2>&1`"
364 if test " $oops" = " " -a " $status" != " 0"
366 oops
="silent error, exit status $status"
369 *'RTNETLINK answers: No such process'*)
370 # This is what route (currently -- not documented!) gives
371 # for "could not find such a route".
376 if test " $oops" != " " -o " $status" != " 0"
378 echo "$0: \`$it' failed ($oops)" >&2
382 route-host
:*|route-client
:*)
383 # connection to me or my client subnet being routed
386 unroute-host
:*|unroute-client
:*)
387 # connection to me or my client subnet being unrouted
391 # connection to me coming up
392 # If you are doing a custom version, firewall commands go here.
395 # connection to me going down
396 # If you are doing a custom version, firewall commands go here.
399 # connection to my client subnet coming up
400 # If you are doing a custom version, firewall commands go here.
403 # connection to my client subnet going down
404 # If you are doing a custom version, firewall commands go here.
407 # connection to me, with (left/right)firewall=yes, coming up
408 # This is used only by the default updown script, not by your custom
409 # ones, so do not mess with it; see CAUTION comment up at top.
410 iptables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
411 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
412 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
413 iptables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
414 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
415 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
417 # log IPsec host connection setup
420 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
422 logger
-t $TAG -p $FAC_PRIO \
423 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
425 logger
-t $TAG -p $FAC_PRIO \
426 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
431 # connection to me, with (left/right)firewall=yes, going down
432 # This is used only by the default updown script, not by your custom
433 # ones, so do not mess with it; see CAUTION comment up at top.
434 iptables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
435 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
436 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
437 iptables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
438 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
439 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
441 # log IPsec host connection teardown
444 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
446 logger
-t $TAG -p $FAC_PRIO -- \
447 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
449 logger
-t $TAG -p $FAC_PRIO -- \
450 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
455 # connection to client subnet, with (left/right)firewall=yes, coming up
456 # This is used only by the default updown script, not by your custom
457 # ones, so do not mess with it; see CAUTION comment up at top.
458 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
460 iptables
-I FORWARD
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
461 -s $PLUTO_MY_CLIENT $S_MY_PORT \
462 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
463 iptables
-I FORWARD
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
464 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
465 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
468 # a virtual IP requires an INPUT and OUTPUT rule on the host
469 # or sometimes host access via the internal IP is needed
470 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
472 iptables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
473 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
474 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
475 iptables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
476 -s $PLUTO_MY_CLIENT $S_MY_PORT \
477 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
480 # log IPsec client connection setup
483 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
485 logger
-t $TAG -p $FAC_PRIO \
486 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
488 logger
-t $TAG -p $FAC_PRIO \
489 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
493 down-client
:iptables
)
494 # connection to client subnet, with (left/right)firewall=yes, going down
495 # This is used only by the default updown script, not by your custom
496 # ones, so do not mess with it; see CAUTION comment up at top.
497 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
499 iptables
-D FORWARD
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
500 -s $PLUTO_MY_CLIENT $S_MY_PORT \
501 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
502 $IPSEC_POLICY_OUT -j ACCEPT
503 iptables
-D FORWARD
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
504 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
505 -d $PLUTO_MY_CLIENT $D_MY_PORT \
506 $IPSEC_POLICY_IN -j ACCEPT
509 # a virtual IP requires an INPUT and OUTPUT rule on the host
510 # or sometimes host access via the internal IP is needed
511 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
513 iptables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
514 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
515 -d $PLUTO_MY_CLIENT $D_MY_PORT \
516 $IPSEC_POLICY_IN -j ACCEPT
517 iptables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
518 -s $PLUTO_MY_CLIENT $S_MY_PORT \
519 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
520 $IPSEC_POLICY_OUT -j ACCEPT
523 # log IPsec client connection teardown
526 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
528 logger
-t $TAG -p $FAC_PRIO -- \
529 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
531 logger
-t $TAG -p $FAC_PRIO -- \
532 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
539 prepare-host-v6
:*|prepare-client-v6
:*)
541 route-host-v6
:*|route-client-v6
:*)
542 # connection to me or my client subnet being routed
545 unroute-host-v6
:*|unroute-client-v6
:*)
546 # connection to me or my client subnet being unrouted
550 # connection to me coming up
551 # If you are doing a custom version, firewall commands go here.
554 # connection to me going down
555 # If you are doing a custom version, firewall commands go here.
558 # connection to my client subnet coming up
559 # If you are doing a custom version, firewall commands go here.
562 # connection to my client subnet going down
563 # If you are doing a custom version, firewall commands go here.
566 # connection to me, with (left/right)firewall=yes, coming up
567 # This is used only by the default updown script, not by your custom
568 # ones, so do not mess with it; see CAUTION comment up at top.
569 ip6tables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
570 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
571 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
572 ip6tables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
573 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
574 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
576 # log IPsec host connection setup
579 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
581 logger
-t $TAG -p $FAC_PRIO \
582 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
584 logger
-t $TAG -p $FAC_PRIO \
585 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
589 down-host-v6
:iptables
)
590 # connection to me, with (left/right)firewall=yes, going down
591 # This is used only by the default updown script, not by your custom
592 # ones, so do not mess with it; see CAUTION comment up at top.
593 ip6tables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
594 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
595 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
596 ip6tables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
597 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
598 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
600 # log IPsec host connection teardown
603 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
605 logger
-t $TAG -p $FAC_PRIO -- \
606 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
608 logger
-t $TAG -p $FAC_PRIO -- \
609 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
613 up-client-v6
:iptables
)
614 # connection to client subnet, with (left/right)firewall=yes, coming up
615 # This is used only by the default updown script, not by your custom
616 # ones, so do not mess with it; see CAUTION comment up at top.
617 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
619 ip6tables
-I FORWARD
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
620 -s $PLUTO_MY_CLIENT $S_MY_PORT \
621 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
622 ip6tables
-I FORWARD
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
623 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
624 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
627 # a virtual IP requires an INPUT and OUTPUT rule on the host
628 # or sometimes host access via the internal IP is needed
629 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
631 ip6tables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
632 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
633 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
634 ip6tables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
635 -s $PLUTO_MY_CLIENT $S_MY_PORT \
636 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
639 # log IPsec client connection setup
642 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
644 logger
-t $TAG -p $FAC_PRIO \
645 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
647 logger
-t $TAG -p $FAC_PRIO \
648 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
652 down-client-v6
:iptables
)
653 # connection to client subnet, with (left/right)firewall=yes, going down
654 # This is used only by the default updown script, not by your custom
655 # ones, so do not mess with it; see CAUTION comment up at top.
656 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
658 ip6tables
-D FORWARD
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
659 -s $PLUTO_MY_CLIENT $S_MY_PORT \
660 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
661 $IPSEC_POLICY_OUT -j ACCEPT
662 ip6tables
-D FORWARD
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
663 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
664 -d $PLUTO_MY_CLIENT $D_MY_PORT \
665 $IPSEC_POLICY_IN -j ACCEPT
668 # a virtual IP requires an INPUT and OUTPUT rule on the host
669 # or sometimes host access via the internal IP is needed
670 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
672 ip6tables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
673 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
674 -d $PLUTO_MY_CLIENT $D_MY_PORT \
675 $IPSEC_POLICY_IN -j ACCEPT
676 ip6tables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
677 -s $PLUTO_MY_CLIENT $S_MY_PORT \
678 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
679 $IPSEC_POLICY_OUT -j ACCEPT
682 # log IPsec client connection teardown
685 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
687 logger
-t $TAG -p $FAC_PRIO -- \
688 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
690 logger
-t $TAG -p $FAC_PRIO -- \
691 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
695 *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2