updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiated
#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
# Copyright (C) 2002-2004 Michael Richardson
# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.

# CAUTION: Installing a new version of strongSwan will install a new
# copy of this script, wiping out any custom changes you make. If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.

# things that this script gets (from ipsec_pluto(8) man page)
#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
# is upwardly compatible with version 1.0.
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway communica-
# tions is IPv6, then a suffix of -v6 is added to the
# verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
# is the reqid of the AH|ESP policy
#
# PLUTO_PROTO
# is the negotiated IPsec protocol, ah|esp
#
# PLUTO_IPCOMP
# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_ID
# is the ID of our host.
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
# contains IPv4/IPv6 virtual IP received from a responder,
# $i enumerates from 1 to the number of IP per address family.
# PLUTO_MY_SOURCEIP is a legacy variable and equals the first
# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on our side. For ICMP/ICMPv6 this contains the
# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_ID
# is the ID of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
# restricted on the peer side. For ICMP/ICMPv6 this contains the
# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
#
# PLUTO_MARK_IN
# is an optional XFRM mark set on the inbound IPsec SA
#
# PLUTO_MARK_OUT
# is an optional XFRM mark set on the outbound IPsec SA
#
# PLUTO_UDP_ENC
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
# PLUTO_DNS4_$i
# PLUTO_DNS6_$i
# contains IPv4/IPv6 DNS server attribute received from a
# responder, $i enumerates from 1 to the number of servers per
# address family.
#

# force a fixed, minimal PATH: this script is started by the daemon with its
# privileges, so the PATH inherited from the environment is deliberately
# replaced rather than extended (@sbindir@ is filled in at build time)
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"

# syslog logging of VPN connection setup/teardown: a non-empty value enables
# it, an empty value disables it
VPN_LOGGING=1
#
# tag put in front of each log entry
TAG=vpn
#
# syslog facility and priority used for the entries
FAC_PRIO=local0.notice
#
# to collect the entries in a dedicated file, add the following line to the
# syslog configuration file /etc/syslog.conf:
#
#   local0.notice -/var/log/vpn

# source IP routing requires the Linux kernel options
# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
#
# dedicated routing table for the virtual IP (sourceip) routes; the @...@
# placeholders are substituted at build time
SOURCEIP_ROUTING_TABLE=@routing_table@
#
# priority of the ip rule that selects that routing table
SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@

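# check interface version: 1.0 and 1.1 are too old for the variables used
# below and are refused, any other 1.x is accepted, everything else is an
# error. (The bracket expression used to be written "1.[0|1]", which also
# matched the bogus version "1.|"; the stray "|" is a literal inside [].)
case "$PLUTO_VERSION" in
1.[01])	# Older Pluto?!? Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete Pluto?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac
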
# check parameter(s): the daemon passes no argument for a plain updown call,
# "iptables" when (left/right)firewall=yes made it use this default script,
# and a customized copy may pass "custom ..." (see CAUTION comment above);
# anything else is rejected
case "$1:$*" in
':')	# no parameters
	;;
iptables:iptables)	# due to (left/right)firewall; for default script only
	;;
custom:*)	# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.

# install the route to the peer's client subnet (see doroute) and drop the
# route cache so that the new route takes effect immediately
uproute() { doroute add; ip route flush cache; }
# remove the route to the peer's client subnet (see doroute) and drop the
# route cache so that stale entries do not outlive the route
downroute() { doroute delete; ip route flush cache; }

# Make sure the virtual IP in PLUTO_MY_SOURCEIP (IPv4 only, it is added as a
# /32) is configured as a local address on PLUTO_INTERFACE so that it can be
# used as the source of the routes installed by doroute.
# Prints a diagnostic to stderr on failure. Returns 0 if the address already
# existed or was added, otherwise the exit status of ip(8).
addsource() {
	st=0
	# nothing to do when the kernel already treats the address as local
	if ip -o route get "${PLUTO_MY_SOURCEIP%/*}" | grep -q ^local
	then
		return $st
	fi
	# NOTE(review): the command line is assembled from daemon-supplied
	# variables and eval'ed; this relies on the daemon handing over plain
	# addresses and interface names, not arbitrary strings
	it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
	oops=$(eval "$it" 2>&1)
	st=$?
	# a failure without any output still deserves an explanation
	if [ "$st" != 0 ] && [ -z "$oops" ]
	then
		oops="silent error, exit status $st"
	fi
	# report anything ip(8) complained about, even if it exited 0
	if [ "$st" != 0 ] || [ -n "$oops" ]
	then
		echo "$0: addsource \`$it' failed ($oops)" >&2
	fi
	return $st
}

# Add ("add") or remove ("delete") the route to the peer's client subnet;
# $1 is the ip route sub-command. The route goes via PLUTO_NEXT_HOP if set,
# otherwise via PLUTO_PEER, on PLUTO_INTERFACE. With a virtual IP the route is
# placed in SOURCEIP_ROUTING_TABLE with that IP as source, and on "add" the
# address (addsource) and the ip rule selecting the table are set up first.
# Without KLIPS and without a virtual IP no route is needed at all.
# Prints a diagnostic to stderr on failure; returns the exit status of ip(8),
# or 0 when nothing had to be done.
doroute() {
	st=0

	# without a virtual IP, fall back to an administrator-provided default
	# source address (DEFAULTSOURCE) from the distribution's config directory
	if [ -z "$PLUTO_MY_SOURCEIP" ]
	then
		for cfgdir in /etc/sysconfig /etc/conf.d
		do
			if [ -f "$cfgdir/defaultsource" ]
			then
				. "$cfgdir/defaultsource"
			fi
		done

		if [ -n "$DEFAULTSOURCE" ]
		then
			PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
		fi
	fi

	# KLIPS needs an explicit route through its ipsecN interface and a virtual
	# IP needs a source-selecting one; otherwise the kernel's routing suffices
	if [ -z "$KLIPS" ] && [ -z "$PLUTO_MY_SOURCEIP" ]
	then
		return $st
	fi

	dst="$PLUTO_PEER_CLIENT"
	hop="via ${PLUTO_NEXT_HOP:-$PLUTO_PEER} dev $PLUTO_INTERFACE"

	srcsel=
	if [ -n "$PLUTO_MY_SOURCEIP" ]
	then
		if [ "$1" = "add" ]
		then
			addsource
			# install the rule pointing at the source IP table only once
			if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
			then
				ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
			fi
		fi
		srcsel=" src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
	fi

	# NOTE(review): PLUTO_PEER_CLIENT_NET/_MASK are not in the variable list at
	# the top of this file; presumably a leftover of the older interface, in
	# which case this always takes the default arm -- confirm against the daemon
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# opportunistic encryption work around
		# need to provide route that eclipses default, without
		# replacing it.
		it="ip route $1 0.0.0.0/1 $hop $srcsel &&
		ip route $1 128.0.0.0/1 $hop $srcsel"
		;;
	*)	it="ip route $1 $dst $hop $srcsel"
		;;
	esac
	# NOTE(review): eval of a command line built from daemon-supplied values;
	# safe only as long as the daemon passes plain addresses/interface names
	oops=$(eval "$it" 2>&1)
	st=$?
	# a failure without any output still deserves an explanation
	if [ "$st" != 0 ] && [ -z "$oops" ]
	then
		oops="silent error, exit status $st"
	fi
	# report anything ip(8) complained about, even if it exited 0
	if [ "$st" != 0 ] || [ -n "$oops" ]
	then
		echo "$0: doroute \`$it' failed ($oops)" >&2
	fi
	return $st
}

# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY.
# Otherwise the iptables rules below carry a policy match, which ties each
# ACCEPT to packets that were actually processed by the SA with this proto
# and reqid, instead of accepting on addresses/ports alone.
case "$PLUTO_INTERFACE" in
*ipsec*)
	KLIPS=1
	IPSEC_POLICY_IN=""
	IPSEC_POLICY_OUT=""
	;;
*)
	KLIPS=
	IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
	;;
esac

# use protocol specific options to set ports: for ICMP (protocol 1) and
# ICMPv6 (protocol 58) the "port" variables carry the message type/code and
# have to be passed with the icmp type option instead of --sport/--dport
if [ "$PLUTO_MY_PROTOCOL" = 1 ]
then
	ICMP_TYPE_OPTION="--icmp-type"
elif [ "$PLUTO_MY_PROTOCOL" = 58 ]
then
	ICMP_TYPE_OPTION="--icmpv6-type"
fi

# are there port numbers? A port of 0 means "any". The S_*/D_* variables are
# expanded unquoted into the iptables rules below, so each holds an
# "option value" pair (or stays empty).
case "$PLUTO_MY_PORT" in
0)	;;
*)	if [ -n "$ICMP_TYPE_OPTION" ]
	then
		# ICMP: our "port" is the message type
		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
	else
		S_MY_PORT="--sport $PLUTO_MY_PORT"
		D_MY_PORT="--dport $PLUTO_MY_PORT"
	fi
	;;
esac
case "$PLUTO_PEER_PORT" in
0)	;;
*)	if [ -n "$ICMP_TYPE_OPTION" ]
	then
		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option
		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
	else
		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
	fi
	;;
esac

# resolve octal escape sequences in the IDs by running them through printf.
# NOTE(review): the IDs are used as the printf *format* string, so a "%" in
# an ID (the peer's ID is chosen by the peer) is interpreted as a conversion
# directive; this presumably relies on the daemon escaping such characters
# before handing the IDs over -- confirm against the daemon's updown code.
PLUTO_MY_ID=$(printf "$PLUTO_MY_ID")
PLUTO_PEER_ID=$(printf "$PLUTO_PEER_ID")

# the big choice: dispatch on the verb handed over in PLUTO_VERB combined with
# the optional first argument ("" for a plain updown call, "iptables" when
# (left/right)firewall=yes made the daemon use this default script).
# The $S_*/$D_* port and $IPSEC_POLICY_* variables are expanded unquoted on
# purpose in the rules below: each holds zero or more "option value" words.
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
	then
		# exit because no route will be added,
		# so that existing routes can stay
		exit 0
	fi

	# delete possibly-existing route (preliminary to adding a route)
	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
	"0.0.0.0/0.0.0.0")
		# need to provide route that eclipses default, without
		# replacing it.
		parms1="0.0.0.0/1"
		parms2="128.0.0.0/1"
		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
		;;
	*)
		parms="$PLUTO_PEER_CLIENT"
		it="ip route delete $parms 2>&1"
		oops="`ip route delete $parms 2>&1`"
		;;
	esac
	# esac leaves $? alone, so this is the exit status of the command
	# substitution above, i.e. of the last "ip route delete" that ran
	status="$?"
	if test " $oops" = " " -a " $status" != " 0"
	then
		oops="silent error, exit status $status"
	fi
	case "$oops" in
	*'RTNETLINK answers: No such process'*)
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".
		oops=
		status=0
		;;
	esac
	if test " $oops" != " " -o " $status" != " 0"
	then
		echo "$0: \`$it' failed ($oops)" >&2
	fi
	exit $status
	;;
route-host:*|route-client:*)
	# connection to me or my client subnet being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to me or my client subnet being unrouted
	downroute
	;;
up-host:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# Unless KLIPS is in use, $IPSEC_POLICY_IN/_OUT add a policy match that
	# ties the ACCEPT to packets handled by the SA with this reqid, so the
	# rules do not accept on the peer's addresses/ports alone.
	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection setup (VPN_LOGGING non-empty enables it)
	if [ $VPN_LOGGING ]
	then
		# a /32 peer client is the peer itself, so only its address is logged
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# The rule specs must match the ones inserted by up-host:iptables
	# word for word, otherwise -D does not find them.
	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection teardown; the message starts with "-", so
	# "--" keeps logger from reading it as an option
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# No FORWARD rules when the peer's "client" is exactly our own virtual
	# IP: that traffic terminates on this host and is covered below.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
		iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	# NOTE(review): PLUTO_HOST_ACCESS is not in the variable list at the top
	# of this file; presumably set by the daemon on request -- confirm there.
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
		iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection setup (VPN_LOGGING non-empty enables it)
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	# Mirrors up-client:iptables: same conditions, same rule specs, -D
	# instead of -I.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
	then
		iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		    $IPSEC_POLICY_OUT -j ACCEPT
		iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT \
		    $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
		iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT \
		    $IPSEC_POLICY_IN -j ACCEPT
		iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		    $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection teardown ("--" because the message
	# starts with "-")
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
#
# IPv6
# The -v6 verbs mirror the IPv4 ones with ip6tables and /128 host prefixes.
# IPv6 routes are not handled here: the *_v6 route helpers are commented out.
#
prepare-host-v6:*|prepare-client-v6:*)
	;;
route-host-v6:*|route-client-v6:*)
	# connection to me or my client subnet being routed
	#uproute_v6
	;;
unroute-host-v6:*|unroute-client-v6:*)
	# connection to me or my client subnet being unrouted
	#downroute_v6
	;;
up-host-v6:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection setup
	if [ $VPN_LOGGING ]
	then
		# a /128 peer client is the peer itself
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
down-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	#
	# log IPsec host connection teardown
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
		fi
	fi
	;;
up-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
		ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
		ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection setup
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO \
				"+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
down-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	# This is used only by the default updown script, not by your custom
	# ones, so do not mess with it; see CAUTION comment up at top.
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
	then
		ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		    $IPSEC_POLICY_OUT -j ACCEPT
		ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT \
		    $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
	then
		ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
		    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
		    -d $PLUTO_MY_CLIENT $D_MY_PORT \
		    $IPSEC_POLICY_IN -j ACCEPT
		ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
		    -s $PLUTO_MY_CLIENT $S_MY_PORT \
		    -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
		    $IPSEC_POLICY_OUT -j ACCEPT
	fi
	#
	# log IPsec client connection teardown
	if [ $VPN_LOGGING ]
	then
		if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
		then
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		else
			logger -t $TAG -p $FAC_PRIO -- \
				"- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
		fi
	fi
	;;
*)	# unknown verb/argument combination: report it and signal failure
	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac