The branch, next has been updated
via 918ee4a4cf5bb8d2a3ade16aac0dd643215c47e2 (commit)
from c557356ea4878f7f6d0d9431246bfc8e75018672 (commit)
- Log -----------------------------------------------------------------
commit 918ee4a4cf5bb8d2a3ade16aac0dd643215c47e2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 8 16:41:24 2019 +0100
strongswan: Manually install all routes for non-routed VPNs
This is a regression from disabling charon.install_routes.
VPNs are routing fine as long as traffic is passing through
the firewall. Traps are not properly used as long as these
routes are not present and therefore we won't trigger any
tunnels when traffic originates from the firewall.
Fixes: #12045
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
lfs/strongswan | 1 +
src/patches/strongswan-ipfire-revert.patch | 113 +++++++++++++++++++++++++++++
src/scripts/ipsec-interfaces | 97 +++++++++++++++++++++++++
3 files changed, 211 insertions(+)
create mode 100644 src/patches/strongswan-ipfire-revert.patch
Difference in files:
diff --git a/lfs/strongswan b/lfs/strongswan
index 4174f78fe..714537e36 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch
cd $(DIR_APP) && ./configure \
--prefix="/usr" \
diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch
new file mode 100644
index 000000000..91c76212e
--- /dev/null
+++ b/src/patches/strongswan-ipfire-revert.patch
@@ -0,0 +1,113 @@
+--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100
++++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100
+@@ -130,36 +130,6 @@
+ # address family.
+ #
+
+-VARS=(
+- id status name lefthost type ctype psk local local_id leftsubnets
+- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+- route x23 mode interface_mode interface_address interface_mtu rest
+-)
+-
+-function ip_encode() {
+- local IFS=.
+-
+- local int=0
+- for field in $1; do
+- int=$(( $(( $int << 8 )) | $field ))
+- done
+-
+- echo $int
+-}
+-
+-function ip_in_subnet() {
+- local netmask
+- netmask=$(_netmask $2)
+- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+-}
+-
+-function _netmask() {
+- local vlsm
+- vlsm=${1#*/}
+- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+-}
+-
+ # define a minimum PATH environment in case it is not set
+ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+ export PATH
+@@ -326,13 +296,6 @@
+ fi
+ ;;
+ up-client:iptables)
+- # Read IPsec configuration
+- while IFS="," read -r "${VARS[@]}"; do
+- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+- break
+- fi
+- done < /var/ipfire/vpn/config
+-
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -396,30 +359,6 @@
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+-
+- if [ -z "${interface_mode}" ]; then
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+- fi
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+ ;;
+ down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+@@ -487,28 +426,6 @@
+ logger -t $TAG -p $FAC_PRIO \
+ "tunnel- $PLUTO_PEER -- $PLUTO_ME"
+ fi
+-
+- # remove source nat
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
+- fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot remove NAT rule because no IP of the IPFire does match the subnet."
+- fi
+-
+- # Flush routing cache
+- ip route flush cache
+ ;;
+ #
+ # IPv6
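Review bot: The new patch file carries no explanation of what it undoes or why, and patch(1) accepts free text before the first `---` line, so a short header there would spare the next maintainer from diffing it against strongswan-ipfire.patch by hand; something like "Reverts the SNAT/ip_in_subnet handling that strongswan-ipfire.patch added to _updown.in: routes with a source address are now installed by src/scripts/ipsec-interfaces, so the gateway no longer needs IPSECNAT entries" would do. Stacking a revert on top of the patch it reverts also couples their contexts, so any future change to strongswan-ipfire.patch will have to be mirrored here; folding the removal into the earlier patch would seem simpler, though the separate file may be intentional. The `---`/`+++` header naming `_updown.in.bak` with local timestamps looks like a hand-made diff; regenerating it with `diff -u a/src/_updown/_updown.in b/src/_updown/_updown.in` would give a conventional header for `patch -Np1`.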
diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces
index cb55fdf79..2546f8927 100644
--- a/src/scripts/ipsec-interfaces
+++ b/src/scripts/ipsec-interfaces
@@ -23,9 +23,19 @@ shopt -s nullglob
VPN_CONFIG="/var/ipfire/vpn/config"
+ROUTE_TABLE="220"
+ROUTE_TABLE_PRIO="128"
+
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+# Get RED interface name
+if [ -r "/var/ipfire/red/iface" ]; then
+ RED_INTF="$(</var/ipfire/red/iface)"
+else
+ RED_INTF="red0"
+fi
+
VARS=(
id status name lefthost type ctype psk local local_id leftsubnets
remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
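Review bot: `RED_INTF` ends up empty when /var/ipfire/red/iface exists but holds nothing, because the `-r` test on the `if` line only checks that the file is readable, and every later `ip route add … dev "${RED_INTF}"` in main() then fails. Falling back on the content rather than the file's presence covers both cases; one line after the `fi` does it: `[ -n "${RED_INTF}" ] || RED_INTF="red0"`. It would also help to say in the comment above `ROUTE_TABLE` that table 220 is the one charon would otherwise populate and that this script owns it only because charon.install_routes is disabled, as the commit message states.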
@@ -43,6 +53,52 @@ resolve_hostname() {
dig +short A "${hostname}" | tail -n1
}
+ip_encode() {
+ local address="${1}"
+
+ local int=0
+ for field in ${address//./ }; do
+ int=$(( $(( ${int} << 8 )) | ${field} ))
+ done
+
+ echo ${int}
+}
+
+function ip_in_subnet() {
+ local address="${1}"
+ local subnet="${2}"
+
+ local netmask="${subnet#*/}"
+
+ # Convert netmask to prefix if necessary
+ case "${netmask}" in
+ [0-9]+)
+ ;;
+ *)
+ netmask="$(netmask2prefix "${netmask}")"
+ ;;
+ esac
+
+ local vlsm=$(( -1 << $(( 32 - ${netmask} )) ))
+
+ [ "$(( $(ip_encode "${address}") & ${vlsm} ))" -eq "$(( $(ip_encode "${subnet%/*}") & ${vlsm} ))" ]
+}
+
+netmask2prefix() {
+ local netmask="${1}"
+ local mask="$(ip_encode "${netmask}")"
+
+ local cidr=0
+ local x="$(( 128 << 24 ))" # 0x80000000
+
+ while [ $(( ${x} & ${mask} )) -ne 0 ]; do
+ [ ${mask} -eq ${x} ] && mask=0 || mask=$(( ${mask} << 1 ))
+ cidr=$(( ${cidr} + 1 ))
+ done
+
+ echo "${cidr}"
+}
+
main() {
# Register local variables
local "${VARS[@]}"
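Review bot: The `[0-9]+)` arm in ip_in_subnet is a shell glob, not a regex: it matches exactly one digit followed by a literal `+`, so a prefix such as `24` falls through to `*)` and is fed to netmask2prefix, which encodes the string "24" as the integer 24 and returns 0. `vlsm` then becomes `-1 << 32`, whose low 32 bits are all zero in bash's 64-bit arithmetic, and `ip_encode(address) & vlsm` is 0 for any IPv4 address, so every address is reported as inside every prefix-form subnet. Whether the vpn config actually stores subnets in prefix form is not visible here, but the test is wrong either way; inverting it needs no extglob: replace the two arms with `*[!0-9]*) netmask="$(netmask2prefix "${netmask}")" ;;` and `*) ;;`. A one-line comment on the `case` saying that a dotted mask is converted while a bare prefix length is kept would make the intent clear. main() starts on the last lines of this hunk and continues outside it.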
@@ -50,8 +106,17 @@ main() {
local interfaces=()
+ # Flush IPsec routes
+ ip route flush table "${ROUTE_TABLE}"
+
+ # Remove lookups
+ ip rule del lookup "${ROUTE_TABLE}"
+
# We are done when IPsec is not enabled
if [ "${ENABLED}" = "on" ]; then
+ # Enable route table lookup
+ ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}"
+
while IFS="," read -r "${VARS[@]}"; do
# Check if the connection is enabled
[ "${status}" = "on" ] || continue
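Review bot: `ip rule del lookup "${ROUTE_TABLE}"` removes at most one rule per invocation and prints an RTNETLINK error when none exists, so the "Remove lookups" comment promises more than the line does, and a rule left over from an earlier interrupted run would survive and be joined by a second one from the `ip rule add` below. Draining in a loop is idempotent and silent in the normal case: `while ip rule del lookup "${ROUTE_TABLE}" 2>/dev/null; do :; done`. The same applies if the script is ever run before any rule was added, which is the first-boot case. main() starts outside this hunk.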
@@ -65,6 +130,38 @@ main() {
local intf="${interface_mode}${id}"
;;
*)
+ # Install routes
+ local address
+
+ local _address
+ for _address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ local leftsubnet
+ for leftsubnet in ${leftsubnets//\|/ }; do
+ if ip_in_subnet "${_address}" "${leftsubnet}"; then
+ address="${_address}"
+ break
+ fi
+ done
+
+ # End loop when address is set
+ [ -n "${address}" ] && break
+ done
+
+ local rightsubnet
+ for rightsubnet in ${rightsubnets//\|/ }; do
+ # Ignore default
+ case "${rightsubnet}" in
+ 0.0.0.0/*)
+ continue
+ ;;
+ esac
+
+ log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})"
+ ip route add table "${ROUTE_TABLE}" "${rightsubnet}" proto static \
+ dev "${RED_INTF}" src "${address}"
+ done
+
+ # No interface processing required
continue
;;
esac
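Review bot: `local address` without an assignment does not clear a value set by a previous pass of the enclosing `while IFS="," read` loop, so for the second and later non-routed connections `[ -n "${address}" ] && break` fires on the first `_address` regardless of whether it matched this connection's leftsubnets, and the previous connection's source address is written into the routes. Initialising it per connection fixes this: `local address=""`. When no local address matches at all, `address` stays empty and `ip route add … src ""` fails for every rightsubnet; a guard before the `rightsubnet` loop, `[ -n "${address}" ] || { log "No local address in leftsubnets of ${name}, skipping routes"; continue; }`, keeps the failure visible in the log instead of in ip's stderr. main() starts outside this hunk.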