Added facility to program entire device from SD-Card
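diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
--- strongswan-2.8.2-orig/programs/_updown/_updown.8 2006-04-17 02:48:49.000000000 -0400
+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500
@@ -8,8 +8,23 @@
 .I _updown
 is invoked by pluto when it has brought up a new connection. This script
 is used to insert the appropriate routing entries for IPsec operation.
-It can also be used to insert and delete dynamic iptables firewall rules.
-The interface to the script is documented in the pluto man page.
+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
+tables. Most distributions will want to change that to provide more
+flexibility in their firewall configuration.
+The script looks for the environment variables
+.B IPSEC_UPDOWN_RULE_IN
+for the iptables table it should insert into,
+.B IPSEC_UPDOWN_DEST_IN
+for where the rule should -j jump to,
+.B IPSEC_UPDOWN_RULE_OUT
+.B IPSEC_UPDOWN_DEST_OUT
+for the same on outgoing packets, and
+.B IPSEC_UPDOWN_FWD_RULE_IN
+.B IPSEC_UPDOWN_FWD_DEST_IN
+.B IPSEC_UPDOWN_FWD_RULE_OUT
+.B IPSEC_UPDOWN_FWD_DEST_OUT
+respectively for packets being forwarded to/from the local networks.
 .SH "SEE ALSO"
 ipsec(8), ipsec_pluto(8).
 .SH HISTORY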
30 diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
31 --- strongswan-2.8.2-orig/programs/_updown/_updown.in 2006-04-17 11:06:29.000000000 -0400
32 +++ strongswan-2.8.2/programs/_updown/_updown.in 2007-02-05 02:08:24.969100428 -0500
33 @@ -5,6 +5,7 @@
34 # Copyright (C) 2003-2004 Tuomo Soini
35 # Copyright (C) 2002-2004 Michael Richardson
36 # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
37 +# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
38 #
39 # This program is free software; you can redistribute it and/or modify it
40 # under the terms of the GNU General Public License as published by the
41 @@ -118,20 +119,61 @@
42 # restricted on the peer side.
43 #
44
45 -# uncomment to log VPN connections
46 -VPN_LOGGING=1
47 -#
48 +# set to /bin/true to silence log messages
49 +LOGGER=logger
50 +
51 # tag put in front of each log entry:
52 TAG=vpn
53 -#
54 +
55 # syslog facility and priority used:
56 -FAC_PRIO=local0.notice
57 -#
58 -# to create a special vpn logging file, put the following line into
59 -# the syslog configuration file /etc/syslog.conf:
60 -#
61 -# local0.notice -/var/log/vpn
62 -#
63 +FAC_PRIO=authpriv.info
64 +
65 +
66 +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
67 +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
68 + IPSEC_POLICY_IN=""
69 + IPSEC_POLICY_OUT=""
70 +else
71 + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
72 + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
73 + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
74 +fi
75 +
76 +# are there port numbers?
77 +if [ "$PLUTO_MY_PORT" != 0 ] ; then
78 + S_MY_PORT="--sport $PLUTO_MY_PORT"
79 + D_MY_PORT="--dport $PLUTO_MY_PORT"
80 +fi
81 +
82 +if [ "$PLUTO_PEER_PORT" != 0 ] ; then
83 + S_PEER_PORT="--sport $PLUTO_PEER_PORT"
84 + D_PEER_PORT="--dport $PLUTO_PEER_PORT"
85 +fi
86 +
87 +# import firewall behavior
88 +IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
89 +IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
90 +IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
91 +IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
92 +
93 +# import forwarding behavior
94 +FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
95 +FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
96 +FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
97 +FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
98 +
99 +# default firewall behavior
100 +[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
101 +[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
102 +[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
103 +[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
104 +
105 +# default forwarding behavior
106 +[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
107 +[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
108 +[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
109 +[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
110 +
111
112 # check interface version
113 case "$PLUTO_VERSION" in
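Review bot: The eight `IPT_*`/`FWD_*` variables are filled in two passes — an unconditional copy from `IPSEC_UPDOWN_*` followed by a separate `[ -z ... ] && ...=default` line for each — which keeps every default away from its source and makes it easy to miss that an unset environment variable means an ACCEPT rule inserted at position 1 of the chain. One default expansion per variable, e.g. `IPT_RULE_IN=${IPSEC_UPDOWN_RULE_IN:-INPUT}` and `IPT_DEST_IN=${IPSEC_UPDOWN_DEST_IN:-ACCEPT}`, keeps source and default on the same line and treats unset and empty values exactly as the `-z` tests do. The `FAC_PRIO` change from `local0.notice` to `authpriv.info` also removes the comment that explained how to route these entries into a dedicated log file; a one-line replacement such as `# entries go to the authpriv facility; adjust syslog.conf if a separate vpn log is wanted` would preserve that hint.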
114 @@ -150,8 +192,6 @@
115 case "$1:$*" in
116 ':') # no parameters
117 ;;
118 -iptables:iptables) # due to (left/right)firewall; for default script only
119 - ;;
120 custom:*) # custom parameters (see above CAUTION comment)
121 ;;
122 *) echo "$0: unknown parameters \`$*'" >&2
123 @@ -159,345 +199,307 @@
124 ;;
125 esac
126
127 +
128 # utility functions for route manipulation
129 # Meddling with this stuff should not be necessary and requires great care.
130 +
131 uproute() {
132 doroute add
133 ip route flush cache
134 }
135 +
136 downroute() {
137 doroute delete
138 ip route flush cache
139 }
140
141 +upfirewall() {
142 + in_rule=$1
143 + in_dest=$2
144 + out_rule=$3
145 + out_dest=$4
146 +
147 + [ -n "$in_rule" -a -n "$in_dest" ] && \
148 + iptables -I $in_rule 1 \
149 + -i $PLUTO_INTERFACE \
150 + -p $PLUTO_MY_PROTOCOL \
151 + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
152 + -d $PLUTO_MY_CLIENT $D_MY_PORT \
153 + $IPSEC_POLICY_IN \
154 + -j $in_dest
155 +
156 + [ -n "$out_rule" -a -n "$out_dest" ] && \
157 + iptables -I $out_rule 1 \
158 + -o $PLUTO_INTERFACE \
159 + -p $PLUTO_PEER_PROTOCOL \
160 + -s $PLUTO_MY_CLIENT $S_MY_PORT \
161 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
162 + $IPSEC_POLICY_OUT \
163 + -j $out_dest
164 +
165 +}
166 +
167 +downfirewall() {
168 + in_rule=$1
169 + in_dest=$2
170 + out_rule=$3
171 + out_dest=$4
172 +
173 + [ -n "$in_rule" -a -n "$in_dest" ] && \
174 + iptables -D $in_rule \
175 + -i $PLUTO_INTERFACE \
176 + -p $PLUTO_MY_PROTOCOL \
177 + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
178 + -d $PLUTO_MY_CLIENT $D_MY_PORT \
179 + $IPSEC_POLICY_IN \
180 + -j $in_dest
181 +
182 + [ -n "$out_rule" -a -n "$out_dest" ] && \
183 + iptables -D $out_rule \
184 + -o $PLUTO_INTERFACE \
185 + -p $PLUTO_PEER_PROTOCOL \
186 + -s $PLUTO_MY_CLIENT $S_MY_PORT \
187 + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
188 + $IPSEC_POLICY_OUT \
189 + -j $out_dest
190 +
191 +}
192 +
193 addsource() {
194 st=0
195 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
196 - then
197 +
198 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
199 +
200 it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
201 oops="`eval $it 2>&1`"
202 st=$?
203 - if test " $oops" = " " -a " $st" != " 0"
204 - then
205 +
206 + if [ " $oops" = " " -a " $st" != " 0" ] ; then
207 oops="silent error, exit status $st"
208 fi
209 - if test " $oops" != " " -o " $st" != " 0"
210 - then
211 +
212 + if [ " $oops" != " " -o " $st" != " 0" ] ; then
213 echo "$0: addsource \`$it' failed ($oops)" >&2
214 fi
215 fi
216 +
217 return $st
218 }
219
220 doroute() {
221 st=0
222 parms="$PLUTO_PEER_CLIENT"
223 + parms2="dev $PLUTO_INTERFACE"
224
225 - parms2=
226 - if [ -n "$PLUTO_NEXT_HOP" ]
227 - then
228 - parms2="via $PLUTO_NEXT_HOP"
229 - fi
230 - parms2="$parms2 dev $PLUTO_INTERFACE"
231 -
232 - if [ -z "$PLUTO_MY_SOURCEIP" ]
233 - then
234 - if [ -f /etc/sysconfig/defaultsource ]
235 - then
236 - . /etc/sysconfig/defaultsource
237 - fi
238 + if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
239
240 - if [ -f /etc/conf.d/defaultsource ]
241 - then
242 - . /etc/conf.d/defaultsource
243 - fi
244 + [ -f /etc/sysconfig/defaultsource ] && \
245 + . /etc/sysconfig/defaultsource
246 +
247 + [ -f /etc/conf.d/defaultsource ] && \
248 + . /etc/conf.d/defaultsource
249 +
250 + [ -n "$DEFAULTSOURCE" ] && \
251 + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
252
253 - if [ -n "$DEFAULTSOURCE" ]
254 - then
255 - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
256 - fi
257 fi
258
259 parms3=
260 - if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
261 - then
262 + if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
263 addsource
264 parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
265 fi
266
267 - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
268 - "0.0.0.0/0.0.0.0")
269 + if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
270 + "0.0.0.0/0.0.0.0" ] ; then
271 # opportunistic encryption work around
272 # need to provide route that eclipses default, without
273 # replacing it.
274 - it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
275 - ip route $1 128.0.0.0/1 $parms2 $parms3"
276 - ;;
277 - *) it="ip route $1 $parms $parms2 $parms3"
278 - ;;
279 - esac
280 + it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
281 + ip route $1 128.0.0.0/1 $parms2 $parms3"
282 + else
283 + it="ip route $1 $parms $parms2 $parms3"
284 + fi
285 +
286 oops="`eval $it 2>&1`"
287 st=$?
288 - if test " $oops" = " " -a " $st" != " 0"
289 - then
290 - oops="silent error, exit status $st"
291 - fi
292 - if test " $oops" != " " -o " $st" != " 0"
293 - then
294 - echo "$0: doroute \`$it' failed ($oops)" >&2
295 +
296 + if [ " $oops" = " " -a " $st" != " 0" ] ; then
297 + oops="silent error, exit status $st"
298 fi
299 +
300 + if [ " $oops" != " " -o " $st" != " 0" ] ; then
301 + echo "$0: doroute \`$it' failed ($oops)" >&2
302 + fi
303 +
304 return $st
305 }
306 -
307 -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
308 -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
309 -then
310 - IPSEC_POLICY_IN=""
311 - IPSEC_POLICY_OUT=""
312 -else
313 - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
314 - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
315 - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
316 -fi
317
318 -# are there port numbers?
319 -if [ "$PLUTO_MY_PORT" != 0 ]
320 -then
321 - S_MY_PORT="--sport $PLUTO_MY_PORT"
322 - D_MY_PORT="--dport $PLUTO_MY_PORT"
323 -fi
324 -if [ "$PLUTO_PEER_PORT" != 0 ]
325 -then
326 - S_PEER_PORT="--sport $PLUTO_PEER_PORT"
327 - D_PEER_PORT="--dport $PLUTO_PEER_PORT"
328 -fi
329 +dologentry() {
330 + action=$1
331 +
332 + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
333 + rem="$PLUTO_PEER"
334 + else
335 + rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
336 + fi
337 +
338 + if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
339 + loc="$PLUTO_ME"
340 + else
341 + loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
342 + fi
343 +
344 + $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
345 +}
346 +
347
348 # the big choice
349 +
350 case "$PLUTO_VERB:$1" in
351 prepare-host:*|prepare-client:*)
352 # delete possibly-existing route (preliminary to adding a route)
353 - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
354 - "0.0.0.0/0.0.0.0")
355 - # need to provide route that eclipses default, without
356 +
357 + if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
358 + "0.0.0.0/0.0.0.0" ] ; then
359 + # need to remove the route that eclipses default, without
360 # replacing it.
361 - parms1="0.0.0.0/1"
362 - parms2="128.0.0.0/1"
363 - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
364 - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
365 - ;;
366 - *)
367 - parms="$PLUTO_PEER_CLIENT"
368 - it="ip route delete $parms 2>&1"
369 - oops="`ip route delete $parms 2>&1`"
370 - ;;
371 - esac
372 - status="$?"
373 - if test " $oops" = " " -a " $status" != " 0"
374 - then
375 - oops="silent error, exit status $status"
376 + it="( ip route delete 0.0.0.0/1 ;
377 + ip route delete 128.0.0.0/1 )"
378 + else
379 + it="ip route delete $PLUTO_PEER_CLIENT"
380 + fi
381 +
382 + oops="`$it 2>&1`"
383 + st="$?"
384 +
385 + if [ " $oops" = " " -a " $st" != " 0" ] ; then
386 + oops="silent error, exit status $st"
387 fi
388 +
389 case "$oops" in
390 *'RTNETLINK answers: No such process'*)
391 # This is what route (currently -- not documented!) gives
392 # for "could not find such a route".
393 oops=
394 - status=0
395 + st=0
396 ;;
397 esac
398 - if test " $oops" != " " -o " $status" != " 0"
399 - then
400 +
401 + if [ " $oops" != " " -o " $st" != " 0" ] ; then
402 echo "$0: \`$it' failed ($oops)" >&2
403 fi
404 - exit $status
405 +
406 + exit $st
407 +
408 ;;
409 route-host:*|route-client:*)
410 # connection to me or my client subnet being routed
411 +
412 + ipsec _showstatus valid
413 uproute
414 +
415 ;;
416 unroute-host:*|unroute-client:*)
417 # connection to me or my client subnet being unrouted
418 +
419 + ipsec _showstatus invalid
420 downroute
421 +
422 ;;
423 -up-host:)
424 +up-host:*)
425 # connection to me coming up
426 - # If you are doing a custom version, firewall commands go here.
427 +
428 + ipsec _showstatus up
429 + upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
430 + dologentry "VPN-UP"
431 +
432 ;;
433 -down-host:)
434 +down-host:*)
435 # connection to me going down
436 - # If you are doing a custom version, firewall commands go here.
437 - ;;
438 -up-client:)
439 - # connection to my client subnet coming up
440 - # If you are doing a custom version, firewall commands go here.
441 - ;;
442 -down-client:)
443 - # connection to my client subnet going down
444 - # If you are doing a custom version, firewall commands go here.
445 +
446 + ipsec _showstatus down
447 + downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
448 + dologentry "VPN-DN"
449 +
450 ;;
451 -up-host:iptables)
452 - # connection to me, with (left/right)firewall=yes, coming up
453 - # This is used only by the default updown script, not by your custom
454 - # ones, so do not mess with it; see CAUTION comment up at top.
455 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
456 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
457 - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
458 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
459 - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
460 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
461 - #
462 - # log IPsec host connection setup
463 - if [ $VPN_LOGGING ]
464 - then
465 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
466 - then
467 - logger -t $TAG -p $FAC_PRIO \
468 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
469 - else
470 - logger -t $TAG -p $FAC_PRIO \
471 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
472 - fi
473 - fi
474 - ;;
475 -down-host:iptables)
476 - # connection to me, with (left/right)firewall=yes, going down
477 - # This is used only by the default updown script, not by your custom
478 - # ones, so do not mess with it; see CAUTION comment up at top.
479 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
480 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
481 - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
482 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
483 - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
484 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
485 - #
486 - # log IPsec host connection teardown
487 - if [ $VPN_LOGGING ]
488 - then
489 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
490 - then
491 - logger -t $TAG -p $FAC_PRIO -- \
492 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
493 - else
494 - logger -t $TAG -p $FAC_PRIO -- \
495 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
496 - fi
497 - fi
498 - ;;
499 -up-client:iptables)
500 - # connection to client subnet, with (left/right)firewall=yes, coming up
501 - # This is used only by the default updown script, not by your custom
502 - # ones, so do not mess with it; see CAUTION comment up at top.
503 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
504 - then
505 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
506 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
507 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
508 - $IPSEC_POLICY_OUT -j ACCEPT
509 - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
510 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
511 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
512 - $IPSEC_POLICY_IN -j ACCEPT
513 +up-client:*)
514 + # connection to client subnet coming up
515 +
516 + ipsec _showstatus up
517 +
518 + if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
519 + "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
520 + upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
521 fi
522 - #
523 +
524 # a virtual IP requires an INPUT and OUTPUT rule on the host
525 # or sometimes host access via the internal IP is needed
526 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
527 - then
528 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
529 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
530 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
531 - $IPSEC_POLICY_IN -j ACCEPT
532 - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
533 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
534 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
535 - $IPSEC_POLICY_OUT -j ACCEPT
536 - fi
537 - #
538 - # log IPsec client connection setup
539 - if [ $VPN_LOGGING ]
540 - then
541 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
542 - then
543 - logger -t $TAG -p $FAC_PRIO \
544 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
545 - else
546 - logger -t $TAG -p $FAC_PRIO \
547 - "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
548 - fi
549 - fi
550 - ;;
551 -down-client:iptables)
552 - # connection to client subnet, with (left/right)firewall=yes, going down
553 - # This is used only by the default updown script, not by your custom
554 - # ones, so do not mess with it; see CAUTION comment up at top.
555 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
556 - then
557 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
558 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
559 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
560 - $IPSEC_POLICY_OUT -j ACCEPT
561 - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
562 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
563 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
564 - $IPSEC_POLICY_IN -j ACCEPT
565 + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
566 + upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
567 + fi
568 +
569 + dologentry "VPN-UP"
570 +
571 + ;;
572 +down-client:*)
573 + # connection to client subnet going down
574 +
575 + ipsec _showstatus down
576 +
577 + if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
578 + "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
579 + downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
580 fi
581 - #
582 +
583 # a virtual IP requires an INPUT and OUTPUT rule on the host
584 # or sometimes host access via the internal IP is needed
585 - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
586 - then
587 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
588 - -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
589 - -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
590 - $IPSEC_POLICY_IN -j ACCEPT
591 - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
592 - -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
593 - -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
594 - $IPSEC_POLICY_OUT -j ACCEPT
595 - fi
596 - #
597 - # log IPsec client connection teardown
598 - if [ $VPN_LOGGING ]
599 - then
600 - if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
601 - then
602 - logger -t $TAG -p $FAC_PRIO -- \
603 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
604 - else
605 - logger -t $TAG -p $FAC_PRIO -- \
606 - "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
607 - fi
608 + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
609 + downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
610 fi
611 +
612 + dologentry "VPN-DN"
613 +
614 ;;
615 -#
616 -# IPv6
617 -#
618 prepare-host-v6:*|prepare-client-v6:*)
619 +
620 ;;
621 route-host-v6:*|route-client-v6:*)
622 # connection to me or my client subnet being routed
623 +
624 #uproute_v6
625 +
626 ;;
627 unroute-host-v6:*|unroute-client-v6:*)
628 # connection to me or my client subnet being unrouted
629 +
630 #downroute_v6
631 +
632 ;;
633 up-host-v6:*)
634 # connection to me coming up
635 # If you are doing a custom version, firewall commands go here.
636 +
637 ;;
638 down-host-v6:*)
639 # connection to me going down
640 # If you are doing a custom version, firewall commands go here.
641 +
642 ;;
643 up-client-v6:)
644 # connection to my client subnet coming up
645 # If you are doing a custom version, firewall commands go here.
646 +
647 ;;
648 down-client-v6:)
649 # connection to my client subnet going down
650 # If you are doing a custom version, firewall commands go here.
651 +
652 ;;
653 -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
654 +*)
655 + echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
656 exit 1
657 +
658 ;;
659 esac
660 +
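Review bot: `$OUT_DEST_OUT` in the four `upfirewall`/`downfirewall` calls for the host and virtual-IP rules (the up-host, down-host, up-client and down-client arms) is never assigned anywhere; the variable defined in the header block is `IPT_DEST_OUT`. Because the arguments are unquoted, the empty expansion simply drops the fourth positional parameter, `out_dest` inside upfirewall is empty, and the `-n` test silently skips the OUTPUT rule, so the outbound ACCEPT the man page promises is never inserted (nor deleted) for those connections; each call should read `upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $IPT_DEST_OUT` (likewise for downfirewall). Separately, the prepare-host/prepare-client arm runs `oops="\`$it 2>&1\`"` without `eval`, so the `( ip route delete 0.0.0.0/1 ; ip route delete 128.0.0.0/1 )` string is only word-split and the shell looks for a command named `(` rather than running the two deletes; doroute and addsource both use `eval $it`, and this arm should too, replacing `$it 2>&1` inside the backticks with `eval $it 2>&1`. As written, the resulting error text is not the `RTNETLINK answers: No such process` string the case below looks for, so the arm appears to report a failure and exit non-zero for every default-route (0.0.0.0/0.0.0.0) connection.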