From mboxrd@z Thu Jan 1 00:00:00 1970 From: Erik Kapfer To: development@lists.ipfire.org Subject: [PATCH v2] squid: Exclude OpenVPN remote subnets from transparent proxy Date: Tue, 19 Jun 2018 16:41:08 +0200 Message-ID: <1529419268-17541-1-git-send-email-erik.kapfer@ipfire.org> In-Reply-To: <7ead9291191f6a2b41aecc2393b21a00597992c3.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8755488637520790013==" List-Id: --===============8755488637520790013== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Fix for bug #11614 Renamed the loop variable for clarity and introduced a dedicated variable for the remote subnet so the iptables command is easier to read. Removed the COUNT lines, which were never used, and the FILE variable, since each configuration file is referenced only once. The same changes have also been applied to the IPsec section. Signed-off-by: Erik Kapfer --- src/initscripts/system/squid | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..81a132b 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid 
@@ -25,17 +25,25 @@ transparent() {
 exit 1
 fi
=20
-COUNT=3D1
-FILE=3D/var/ipfire/vpn/config
+# Exclude IPSec N2N remote subnets from transparent proxy
+while read IPSECREMOTENET; do
+CONN_TYPE=3D$(echo "$IPSECREMOTENET" | awk -F, '{ print $5 }')
+IPSEC_REMOTE_SUBNET=3D$(echo "$IPSECREMOTENET" | awk -F, '{ print $13 }')
+if [ "$CONN_TYPE" !=3D "net" ]; then
+continue
+fi
+iptables -t nat -A SQUID -i $1 -p tcp -d ${IPSEC_REMOTE_SUBNET} --dport 8= 0 -j RETURN
+done < /var/ipfire/vpn/config
=20
-while read LINE; do
-let COUNT=3D$COUNT+1
-CONN_TYPE=3D`echo "$LINE" | awk -F, '{ print $5 }'`
+# Exclude OpenVPN N2N remote subnets from transparent proxy
+while read OVPNREMOTENET; do
+CONN_TYPE=3D$(echo "$OVPNREMOTENET" | awk -F, '{ print $5 }')
+OVPN_REMOTE_SUBNET=3D$(echo "$OVPNREMOTENET" | awk -F, '{ print $13 }')
 if [ "$CONN_TYPE" !=3D "net" ]; then
 continue
 fi
-iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print = $13 }'` --dport 80 -j RETURN
-done < $FILE
+iptables -t nat -A SQUID -i $1 -p tcp -d ${OVPN_REMOTE_SUBNET} --dport 80= -j RETURN
+done < /var/ipfire/ovpn/ovpnconfig
=20
 if [ "$RED_TYPE" =3D=3D "STATIC" ]; then
 iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --d= port 80 -j RETURN
--=20
2.7.4
--===============8755488637520790013==--
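Review bot: The new `iptables ... -d ${IPSEC_REMOTE_SUBNET}` and `-d ${OVPN_REMOTE_SUBNET}` lines pass field 13 unquoted and unchecked, so an entry with an empty subnet field turns into `-d --dport 80`, iptables rejects the rule, and the exclusion is silently missing — HTTP traffic to that VPN network would then be intercepted by the transparent proxy, which is the exact condition bug #11614 is about. The same silent failure happens if `/var/ipfire/ovpn/ovpnconfig` does not exist (the `done < file` redirection just errors) or, if that field can hold several networks separated by `|` as I believe IPFire's vpn/config does, for multi-subnet entries. I would also use `IFS= read -r` so backslashes in a config line are not interpreted, and since the two loops are identical apart from the file and variable names, a small helper taking the interface and the config path removes the duplication; that field 13 of ovpnconfig is the N2N remote subnet is not verifiable from this hunk and should be confirmed against the CGI that writes it. The enclosing function `transparent()` starts and ends outside this hunk.
```shell
# Append a RETURN rule for every net-to-net remote subnet in $2 so HTTP to
# those networks is not redirected into the transparent proxy on interface $1.
# Entries that are not of type "net" or have an empty subnet field are skipped
# instead of producing a broken "-d --dport" rule.
exclude_n2n_subnets() {
	local iface="$1" config="$2" line conn_type remote_subnet
	[ -r "$config" ] || return 0
	while IFS= read -r line; do
		conn_type=$(echo "$line" | awk -F, '{ print $5 }')
		remote_subnet=$(echo "$line" | awk -F, '{ print $13 }')
		[ "$conn_type" = "net" ] || continue
		[ -n "$remote_subnet" ] || continue
		iptables -t nat -A SQUID -i "$iface" -p tcp -d "$remote_subnet" --dport 80 -j RETURN
	done < "$config"
}

# … unchanged: start of transparent() up to the RED_TYPE check …
	exclude_n2n_subnets "$1" /var/ipfire/vpn/config
	exclude_n2n_subnets "$1" /var/ipfire/ovpn/ovpnconfig
```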