public inbox for development@lists.ipfire.org
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] squid: Exclude OpenVPN remote subnets from transparent proxy
Date: Tue, 19 Jun 2018 20:23:33 +0200	[thread overview]
Message-ID: <1529432613.13577.3.camel@ipfire.org> (raw)
In-Reply-To: <d892a3e1-ad77-91f7-fd47-a41e6ac463d1@rymes.com>

Hi Tom,
I don't think so, since the internal VPN configs separate their config fields
by comma. In this case only the 13th field will be read out.

Erik

On Tuesday, 19.06.2018 at 11:04 -0400, Tom Rymes wrote:
> Does this properly handle IPSec tunnels with multiple, comma separated,
> subnets defined?
> 
> 
> On 06/19/2018 10:41 AM, Erik Kapfer wrote:
> > 
> > Fix for bug #11614
> > Set another variable name for better understanding.
> > Set another variable for the remote subnet searcher to make the
> > IPTables command better understandable.
> > Deleted COUNTER lines since they are never used.
> > Deleted the variable for the VPN configuration files since both are used
> > only once.
> > All changes have also been applied to the IPSec section.
> > 
> > Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > ---
> >   src/initscripts/system/squid | 22 +++++++++++++++-------
> >   1 file changed, 15 insertions(+), 7 deletions(-)
> > 
> > diff --git a/src/initscripts/system/squid
> > b/src/initscripts/system/squid
> > index 7255c0a..81a132b 100644
> > --- a/src/initscripts/system/squid
> > +++ b/src/initscripts/system/squid
> > @@ -25,17 +25,25 @@ transparent() {
> >   			exit 1
> >   		fi
> >   
> > -		COUNT=1
> > -		FILE=/var/ipfire/vpn/config
> > +		# Exclude IPSec N2N remote subnets from
> > transparent proxy
> > +		while read IPSECREMOTENET; do
> > +			CONN_TYPE=$(echo "$IPSECREMOTENET" | awk
> > -F, '{ print $5 }')
> > +			IPSEC_REMOTE_SUBNET=$(echo
> > "$IPSECREMOTENET" | awk -F, '{ print $13 }')
> > +			if [ "$CONN_TYPE" != "net" ]; then
> > +				continue
> > +			fi
> > +			iptables -t nat -A SQUID -i $1 -p tcp -d
> > ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN
> > +		done < /var/ipfire/vpn/config
> >   
> > -		while read LINE; do
> > -			let COUNT=$COUNT+1
> > -			CONN_TYPE=`echo "$LINE" | awk -F, '{ print
> > $5 }'`
> > +		# Exclude OpenVPN N2N remote subnets from
> > transparent proxy
> > +		while read OVPNREMOTENET; do
> > +			CONN_TYPE=$(echo "$OVPNREMOTENET" | awk
> > -F, '{ print $5 }')
> > +			OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET"
> > | awk -F, '{ print $13 }')
> >   			if [ "$CONN_TYPE" != "net" ]; then
> >   				continue
> >   			fi
> > -		iptables -t nat -A SQUID -i $1 -p tcp -d `echo
> > "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
> > -		done < $FILE
> > +			iptables -t nat -A SQUID -i $1 -p tcp -d
> > ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN
> > +		done < /var/ipfire/ovpn/ovpnconfig
> >   
> >   		if [ "$RED_TYPE" == "STATIC" ]; then
> >   			iptables -t nat -A SQUID -i $1 -p tcp -d
> > $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
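Review bot: in both loops the extracted subnet (`${IPSEC_REMOTE_SUBNET}` in the IPSec loop, `${OVPN_REMOTE_SUBNET}` in the OpenVPN loop) is interpolated into the iptables command unquoted and without a check that field 13 is non-empty; a `net` record with a short or malformed line produces `-d --dport 80`, the iptables call fails and that tunnel's exclusion is simply not installed. A guard such as `[ -n "${IPSEC_REMOTE_SUBNET}" ] || continue` before the rule (and the same for the OpenVPN loop), plus quoting the expansions, would make the failure explicit. The two loops are otherwise identical apart from the variable names and the file they read, so a small function taking the config path, for example `exclude_n2n_subnets /var/ipfire/vpn/config`, would remove the duplicated block. Finally, a bare `while read VAR; do` interprets backslashes and skips a last record that has no trailing newline; `while read -r VAR; do` avoids both.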
> > 

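As an added illustration of the field handling discussed in this thread (example code written for this page, not IPFire's squid initscript and not code by the patch author): a POSIX sh function that splits comma-separated connection records the way the patch does, field 5 as the connection type and field 13 as the remote subnet, and emits the transparent-proxy exclusion rules. The sample records below are constructed; apart from fields 5 and 13 their contents are placeholders, and the function prints the iptables commands instead of executing them so it can be run without root. It also shows the check a reviewer would want: a `net` record whose 13th field is empty or not a single IPv4 CIDR prefix is reported and skipped rather than handed to iptables.

```shell
#!/bin/sh
# Added example for this thread, not IPFire's squid initscript.
# Records are comma separated; field 5 is the connection type and
# field 13 the remote subnet, as in the patch. Everything else in the
# sample records is a placeholder (assumption for this example).

# Constructed sample records: two net-to-net tunnels, one host
# connection, and one net record with an empty remote subnet field.
SAMPLE_CONFIG='1,on,n2n-site-a,x,net,x,x,x,x,x,x,x,192.168.50.0/24
2,on,roadwarrior-1,x,host,x,x,x,x,x,x,x,10.99.0.1/32
3,on,n2n-broken,x,net,x,x,x,x,x,x,x,
4,on,n2n-site-b,x,net,x,x,x,x,x,x,x,10.20.0.0/16'

# True when $1 looks like a single IPv4 CIDR prefix (e.g. 10.0.0.0/8).
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Read records on stdin and print one transparent-proxy exclusion rule
# for every net-to-net record with a usable remote subnet.
#   $1  interface the SQUID nat chain is attached to (e.g. green0)
n2n_exclude_rules() {
    iface=$1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # Split on commas into $1..$N; -f keeps a stray '*' from globbing.
        saved_ifs=$IFS; IFS=,; set -f; set -- $line; set +f; IFS=$saved_ifs
        conn_type=$5
        remote_subnet=${13}
        [ "$conn_type" = "net" ] || continue
        if ! is_ipv4_cidr "$remote_subnet"; then
            printf 'skipping record with unusable remote subnet: %s\n' "$line" >&2
            continue
        fi
        printf 'iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN\n' \
            "$iface" "$remote_subnet"
    done
}

# Run on the constructed records when executed directly.
printf '%s\n' "$SAMPLE_CONFIG" | n2n_exclude_rules green0
```

Run on the constructed records, the function prints two rules (for 192.168.50.0/24 and 10.20.0.0/16), ignores the `host` record, and reports record 3 on stderr. Splitting with `IFS=,` and `set --` gives the same 13th field as the patch's `awk -F, '{ print $13 }'`; the difference is only that nothing reaches iptables unless the field passed the check.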
Thread overview: 2+ messages
     [not found] <d892a3e1-ad77-91f7-fd47-a41e6ac463d1@rymes.com>
2018-06-19 18:23 ` ummeegge [this message]
2018-06-19 10:39 [PATCH] Squid: Exclude remote OpenVPN-N2N subnet " Michael Tremer
2018-06-19 14:41 ` [PATCH v2] squid: Exclude OpenVPN remote subnets " Erik Kapfer