From mboxrd@z Thu Jan 1 00:00:00 1970
From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] squid: Exclude OpenVPN remote subnets from transparent proxy
Date: Tue, 19 Jun 2018 20:23:33 +0200
Message-ID: <1529432613.13577.3.camel@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3321001675188394202=="
List-Id:

--===============3321001675188394202==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi Tom,

I don't think so, since the internal VPN configs do their config field separation via comma. In this case only the 13th field will be read out.

Erik

On Tuesday, 19.06.2018, 11:04 -0400, Tom Rymes wrote:
> Does this properly handle IPSec tunnels with multiple, comma separated,
> subnets defined?
>
>
> On 06/19/2018 10:41 AM, Erik Kapfer wrote:
> >
> > Fix for bug #11614
> > Set another variable name for better understanding.
> > Set another variable for remote subnet searcher to make the
> > IPTables command better understandable.
> > Deleted COUNTER lines since they are never used.
> > Deleted variable to VPN configuration files since both are used
> > only once.
> > All changes have also been applied to IPSec section.
> >
> > Signed-off-by: Erik Kapfer
> > ---
> >   src/initscripts/system/squid | 22 +++++++++++++++-------
> >   1 file changed, 15 insertions(+), 7 deletions(-)
> >
> > diff --git a/src/initscripts/system/squid
> > b/src/initscripts/system/squid
> > index 7255c0a..81a132b 100644
> > --- a/src/initscripts/system/squid
> > +++ b/src/initscripts/system/squid
> > @@ -25,17 +25,25 @@ transparent() { > >    exit 1 > >    fi > >    > > - COUNT=1 > > - FILE=/var/ipfire/vpn/config > > + # Exclude IPSec N2N remote subnets from > > transparent proxy > > + while read IPSECREMOTENET; do > > + CONN_TYPE=$(echo "$IPSECREMOTENET" | awk > > -F, '{ print $5 }') > > + IPSEC_REMOTE_SUBNET=$(echo > > "$IPSECREMOTENET" | awk -F, '{ print $13 }') > > + if [ "$CONN_TYPE" != "net" ]; then > > + continue > > + fi > > + iptables -t nat -A SQUID -i $1 -p tcp -d > > ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN > > + done < /var/ipfire/vpn/config > >    > > - while read LINE; do > > - let COUNT=$COUNT+1 > > - CONN_TYPE=`echo "$LINE" | awk -F, '{ print > > $5 }'` > > + # Exclude OpenVPN N2N remote subnets from > > transparent proxy > > + while read OVPNREMOTENET; do > > + CONN_TYPE=$(echo "$OVPNREMOTENET" | awk > > -F, '{ print $5 }') > > + OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET" > > | awk -F, '{ print $13 }') > >    if [ "$CONN_TYPE" != "net" ]; then > >    continue > >    fi > > - iptables -t nat -A SQUID -i $1 -p tcp -d `echo > > "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN > > - done < $FILE > > + iptables -t nat -A SQUID -i $1 -p tcp -d > > ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN > > + done < /var/ipfire/ovpn/ovpnconfig > >    > >    if [ "$RED_TYPE" == "STATIC" ]; then > >    iptables -t nat -A SQUID -i $1 -p tcp -d > > $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN > > --===============3321001675188394202==--
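Review bot: both new loops test CONN_TYPE but never check that field 13 is non-empty, so a `net` line whose remote-subnet field is blank (a malformed or partially written config entry) produces `iptables -t nat -A SQUID -i $1 -p tcp -d  --dport 80 -j RETURN`, which iptables fails to parse because `--dport` is taken as the address; add `[ -n "${IPSEC_REMOTE_SUBNET}" ] || continue` directly after the `CONN_TYPE` test, and the same for `OVPN_REMOTE_SUBNET`. The two loops are otherwise identical apart from the config path and the variable names, so a small helper that takes the file path as its argument would avoid maintaining the same `awk` field extraction and `iptables` call twice; while there, quote the interface as `-i "$1"` and use `read -r` so a stray backslash in a config line is not interpreted.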