Hi Tom, I don't think so, since the internal VPN configs do their config field separation via comma. In this case only the 13th field will be read out.
Erik
On Tuesday, 19.06.2018, 11:04 -0400, Tom Rymes wrote:
Does this properly handle IPSec tunnels with multiple, comma separated, subnets defined?
On 06/19/2018 10:41 AM, Erik Kapfer wrote:
Fix for bug #11614
Set other variable name for better understanding. Set another variable for remote subnet searcher to make the IPTables command more understandable. Deleted COUNTER lines since they are never used. Deleted variable to VPN configuration files since both are used only once. All changes have also been applied to the IPSec section.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
src/initscripts/system/squid | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..81a132b 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid @@ -25,17 +25,25 @@ transparent() { exit 1 fi
COUNT=1
FILE=/var/ipfire/vpn/config
# Exclude IPSec N2N remote subnets from
transparent proxy
while read IPSECREMOTENET; do
CONN_TYPE=$(echo "$IPSECREMOTENET" | awk
-F, '{ print $5 }')
IPSEC_REMOTE_SUBNET=$(echo
"$IPSECREMOTENET" | awk -F, '{ print $13 }')
if [ "$CONN_TYPE" != "net" ]; then
continue
fi
iptables -t nat -A SQUID -i $1 -p tcp -d
${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN
done < /var/ipfire/vpn/config
while read LINE; do
let COUNT=$COUNT+1
CONN_TYPE=`echo "$LINE" | awk -F, '{ print
$5 }'`
# Exclude OpenVPN N2N remote subnets from
transparent proxy
while read OVPNREMOTENET; do
CONN_TYPE=$(echo "$OVPNREMOTENET" | awk
-F, '{ print $5 }')
OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET"
| awk -F, '{ print $13 }') if [ "$CONN_TYPE" != "net" ]; then continue fi
iptables -t nat -A SQUID -i $1 -p tcp -d `echo
"$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
done < $FILE
iptables -t nat -A SQUID -i $1 -p tcp -d
${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN
done < /var/ipfire/ovpn/ovpnconfig
if [ "$RED_TYPE" == "STATIC" ]; then iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
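Review bot: the new IPSec and OpenVPN loops pass `${IPSEC_REMOTE_SUBNET}` and `${OVPN_REMOTE_SUBNET}` to `iptables -d` unquoted and without checking that field 13 is non-empty; a "net" entry whose 13th field is empty produces `-d --dport 80`, iptables rejects the command and the script carries on without the RETURN rule, so that remote subnet silently stays under the transparent proxy. Suggest adding `[ -n "$IPSEC_REMOTE_SUBNET" ] || continue` (and the OpenVPN equivalent) before the iptables call, quoting `"$1"` and `"${IPSEC_REMOTE_SUBNET}"`, and using `read -r` so backslashes in the config are not interpreted. Since `awk -F,` splits on every comma, a field-13 value can never itself be comma separated; if several subnets ever need to be stored there, they will need a different delimiter and a loop that emits one RETURN rule per subnet.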