This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via e137ec4ecf166320ce92d5068e864034e19b8f48 (commit) via 84aed1ea54ea5e482d3e7dcd7075188062ae85b1 (commit) via 546f69c87df84eece09b55197a6968640a991f66 (commit) via 80756cd34478312d43c44dcb76df2532136dec3b (commit) via b05f4b20d6cde15485bba7b491d28b82c36c2537 (commit) via 4236ab005deb102af5ed35a6af6a7686c51a5f48 (commit) via c72709443139371255ed8b4637fef8711aedaa5a (commit) via 706371540dc4fa6b98a0b6f0236f1e5c1c6ff12e (commit) via 07590904f3f340434e057f1513d83e560bbf2db3 (commit) via 5485de953c93e39e96d18f2351390086b8b92c82 (commit) via fa0bb39f77d3e5bbb5e178dd911f2347d6356277 (commit) via 736d1ed96ec00bafb3635f67673796151de02774 (commit) via 509d6c572633e475520f2ab4ba5da36a026678ec (commit) via c0c9df130fbb3c5080755822d227277627605196 (commit) via 828aaba2ac9d211f76ac9fef95e1dbd19c2315cb (commit) via f1f39aea071c0660f87cbd04b385bb77cb70cf00 (commit) via 7589902e644345a8b383d604cf5e16c786352f59 (commit) via 38ce4769ab38fdef7fc5892b4fe554de968d8d47 (commit) via 0f0db884a9bc1524c69c040cd84b8f23bb2c85dd (commit) via 1a140b78980fe0f488e25a3b2dd92256e3751ab0 (commit) via 79231dc50fd71d392ae0f6d54cfb8ec8de2bbcfe (commit) via a01ce24dae2a6ce2438c2dd603de05af4eecbbbe (commit) via 84f23fd9bf9d915473b49ec759099be26c903a07 (commit) via 39017f76e77fb77fd47c17cc89da69f3b3f0e946 (commit) from 8fb6ecda94638e10b5607bddce2881d6e4b2ed17 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit e137ec4ecf166320ce92d5068e864034e19b8f48
Merge: 84aed1e 546f69c
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Sun Oct 2 21:27:09 2011 +0200
Merge commit 'origin/master' into next
Conflicts:
	lfs/libevent2
	lfs/transmission
	src/paks/transmission/install.sh
	src/paks/transmission/uninstall.sh
commit 84aed1ea54ea5e482d3e7dcd7075188062ae85b1
Merge: 8fb6ecd fa0bb39
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Sun Oct 2 21:17:10 2011 +0200
Merge commit 'origin/master' into next
Conflicts:
	make.sh
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/{52 => 53}/filelists/apache2    |   0
 config/rootfiles/core/53/filelists/files              |   8 +-
 config/rootfiles/core/53/filelists/kvm-kmod           |   6 +
 config/rootfiles/core/53/update.sh                    |   4 +-
 config/rootfiles/core/{53 => 54}/exclude              |   0
 config/rootfiles/core/54/filelists/files              |   2 +
 config/rootfiles/core/{52 => 54}/meta                 |   0
 config/rootfiles/{oldcore/49 => core/54}/update.sh    |   9 +-
 config/rootfiles/{common => packages}/libevent2       |   0
 html/cgi-bin/logs.cgi/log.dat                         |   2 +-
 lfs/apache2                                           |   4 +-
 lfs/libevent2                                         |   9 ++-
 lfs/strongswan                                        |   2 +-
 lfs/transmission                                      |   2 +-
 make.sh                                               |   4 +-
 src/paks/transmission/install.sh                      |   8 +-
 src/paks/transmission/uninstall.sh                    |   2 +
 .../gcc-4.1.2-fix_linker_version_detection.patch      |   2 +-
 ..._ipfire.patch => strongswan-4.5.3_ipfire.patch}    | 110 +++++++++++++++-----
 19 files changed, 124 insertions(+), 50 deletions(-)
 copy config/rootfiles/core/{52 => 53}/filelists/apache2 (100%)
 create mode 100644 config/rootfiles/core/53/filelists/kvm-kmod
 copy config/rootfiles/core/{53 => 54}/exclude (100%)
 create mode 100644 config/rootfiles/core/54/filelists/files
 copy config/rootfiles/core/{52 => 54}/meta (100%)
 copy config/rootfiles/{oldcore/49 => core/54}/update.sh (93%)
 copy config/rootfiles/{common => packages}/libevent2 (100%)
 rename src/patches/{strongswan-4.4.0_ipfire.patch => strongswan-4.5.3_ipfire.patch} (83%)
Difference in files: diff --git a/config/rootfiles/core/53/filelists/apache2 b/config/rootfiles/core/53/filelists/apache2 new file mode 120000 index 0000000..eef95ef --- /dev/null +++ b/config/rootfiles/core/53/filelists/apache2 @@ -0,0 +1 @@ +../../../common/apache2 \ No newline at end of file diff --git a/config/rootfiles/core/53/filelists/files b/config/rootfiles/core/53/filelists/files index cdd78c2..2d47486 100644 --- a/config/rootfiles/core/53/filelists/files +++ b/config/rootfiles/core/53/filelists/files @@ -13,15 +13,13 @@ srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/routing.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi -var/ipfire/langs/de.pl -var/ipfire/langs/en.pl -var/ipfire/langs/es.pl -var/ipfire/langs/fr.pl -var/ipfire/langs/pl.pl +srv/web/ipfire/cgi-bin/logs.cgi/log.dat +var/ipfire/langs/ usr/local/bin/ipsecctrl usr/local/bin/openvpnctrl usr/local/bin/vpn-watch usr/local/bin/rebuildroutes +usr/local/sbin/setup var/ipfire/main/routing var/ipfire/menu.d/30-network.menu opt/pakfire/etc/pakfire.conf diff --git a/config/rootfiles/core/53/filelists/kvm-kmod b/config/rootfiles/core/53/filelists/kvm-kmod new file mode 100644 index 0000000..ec75215 --- /dev/null +++ b/config/rootfiles/core/53/filelists/kvm-kmod @@ -0,0 +1,6 @@ +lib/modules/2.6.32.45-ipfire/kernel/arch/x86/kvm/kvm.ko +lib/modules/2.6.32.45-ipfire/kernel/arch/x86/kvm/kvm-amd.ko +lib/modules/2.6.32.45-ipfire/kernel/arch/x86/kvm/kvm-intel.ko +lib/modules/2.6.32.45-ipfire-pae/kernel/arch/x86/kvm/kvm.ko +lib/modules/2.6.32.45-ipfire-pae/kernel/arch/x86/kvm/kvm-amd.ko +lib/modules/2.6.32.45-ipfire-pae/kernel/arch/x86/kvm/kvm-intel.ko diff --git a/config/rootfiles/core/53/update.sh b/config/rootfiles/core/53/update.sh index 10b45b9..a9e3dcb 100644 --- a/config/rootfiles/core/53/update.sh +++ b/config/rootfiles/core/53/update.sh @@ -26,7 +26,7 @@
# # Remove old core updates from pakfire cache to save space... -core=52 +core=53 for (( i=1; i<=$core; i++ )) do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire @@ -36,6 +36,7 @@ done #Stop services
/etc/init.d/ipsec stop +/etc/init.d/apache stop
# # Remove old strongswan libs @@ -65,6 +66,7 @@ sed -i -e "s|^options cfg80211 ieee80211_regdom=EU|#options cfg80211 ieee80211_r # #Start services
+/etc/init.d/apache start if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then /etc/init.d/ipsec start fi diff --git a/config/rootfiles/core/54/exclude b/config/rootfiles/core/54/exclude new file mode 100644 index 0000000..ca3adf5 --- /dev/null +++ b/config/rootfiles/core/54/exclude @@ -0,0 +1,9 @@ +srv/web/ipfire/html/proxy.pac +etc/udev/rules.d/30-persistent-network.rules +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +var/updatecache +etc/localtime +var/ipfire/ovpn diff --git a/config/rootfiles/core/54/filelists/files b/config/rootfiles/core/54/filelists/files new file mode 100644 index 0000000..409e5fe --- /dev/null +++ b/config/rootfiles/core/54/filelists/files @@ -0,0 +1,2 @@ +etc/system-release +etc/issue diff --git a/config/rootfiles/core/54/meta b/config/rootfiles/core/54/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/54/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/54/update.sh b/config/rootfiles/core/54/update.sh new file mode 100644 index 0000000..38e157e --- /dev/null +++ b/config/rootfiles/core/54/update.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2011 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# +# Remove old core updates from pakfire cache to save space... +core=54 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +#Stop services + +# +#Extract files +extract_files + +# +#Start services + + +# +#Update Language cache +perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +#Rebuild module dep's +#depmod 2.6.32.45-ipfire >/dev/null 2>&1 +#depmod 2.6.32.45-ipfire-pae >/dev/null 2>&1 +#depmod 2.6.32.45-ipfire-xen >/dev/null 2>&1 + +# +#Finish +/etc/init.d/fireinfo start +sendprofile +#Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/packages/libevent2 b/config/rootfiles/packages/libevent2 new file mode 100644 index 0000000..fb3d8bd --- /dev/null +++ b/config/rootfiles/packages/libevent2 
@@ -0,0 +1,45 @@ +#usr/include/event2 +#usr/include/event2/buffer.h +#usr/include/event2/buffer_compat.h +#usr/include/event2/bufferevent.h +#usr/include/event2/bufferevent_compat.h +#usr/include/event2/bufferevent_ssl.h +#usr/include/event2/bufferevent_struct.h +#usr/include/event2/dns.h +#usr/include/event2/dns_compat.h +#usr/include/event2/dns_struct.h +#usr/include/event2/event-config.h +#usr/include/event2/event.h +#usr/include/event2/event_compat.h +#usr/include/event2/event_struct.h +#usr/include/event2/http.h +#usr/include/event2/http_compat.h +#usr/include/event2/http_struct.h +#usr/include/event2/keyvalq_struct.h +#usr/include/event2/listener.h +#usr/include/event2/rpc.h +#usr/include/event2/rpc_compat.h +#usr/include/event2/rpc_struct.h +#usr/include/event2/tag.h +#usr/include/event2/tag_compat.h +#usr/include/event2/thread.h +#usr/include/event2/util.h +usr/lib/libevent-2.0.so.5 +usr/lib/libevent-2.0.so.5.1.2 +usr/lib/libevent_core-2.0.so.5 +usr/lib/libevent_core-2.0.so.5.1.2 +usr/lib/libevent_extra-2.0.so.5 +usr/lib/libevent_extra-2.0.so.5.1.2 +usr/lib/libevent_openssl-2.0.so.5 +usr/lib/libevent_openssl-2.0.so.5.1.2 +#usr/lib/libevent_openssl.a +#usr/lib/libevent_openssl.la +#usr/lib/libevent_openssl.so +usr/lib/libevent_pthreads-2.0.so.5 +usr/lib/libevent_pthreads-2.0.so.5.1.2 +#usr/lib/libevent_pthreads.a +#usr/lib/libevent_pthreads.la +#usr/lib/libevent_pthreads.so +#usr/lib/pkgconfig/libevent.pc +#usr/lib/pkgconfig/libevent_openssl.pc +#usr/lib/pkgconfig/libevent_pthreads.pc diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index c0da266..e2d0244 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat 
@@ -61,7 +61,7 @@ my %sections = ( 'auth' => '(\w+(pam_unix)[.*]: )', 'kernel' => '(kernel: (?!DROP_))', 'ipsec' => '(ipsec_[\w_]+: |pluto[.*]: |charon: |vpnwatch: )', - 'openvpn' => '(openvpnserver)[.*]: ', + 'openvpn' => '(openvpnserver[.*]: |.*n2n[.*]: )', 'pakfire' => '(pakfire:) ', 'wireless' => '(hostapd:|kernel: ath.*:|kernel: wifi[0-9]:) ' ); diff --git a/lfs/apache2 b/lfs/apache2 index c5fd754..f548271 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -25,7 +25,7 @@
include Config
-VER = 2.2.20 +VER = 2.2.21
THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -47,7 +47,7 @@ objects = $(DL_FILE) \ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) httpd-2.2.2-config-1.patch = $(DL_FROM)/httpd-2.2.2-config-1.patch
-$(DL_FILE)_MD5 = 1ac251431c8c4285f6b085c1d156bb56 +$(DL_FILE)_MD5 = 1696ae62cd879ab1d4dd9ff021a470f2 httpd-2.2.2-config-1.patch_MD5 = e02a3ec5925eb9e111400b9aa229f822
install : $(TARGET) diff --git a/lfs/libevent2 b/lfs/libevent2 index 1fbc7db..0756ab1 100644 --- a/lfs/libevent2 +++ b/lfs/libevent2 @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2011 IPFire Team info@ipfire.de # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -32,6 +32,11 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP)
+PROG = libevent2 +PAK_VER = 1 + +DEPS = "" + ############################################################################### # Top-level Rules ############################################################################### @@ -63,6 +68,8 @@ $(patsubst %,$(DIR_DL)/%,$(objects)) : $(subst %,%_MD5,$(objects)) : @$(MD5)
+dist: + @$(PAK) ############################################################################### # Installation Details ############################################################################### diff --git a/lfs/strongswan b/lfs/strongswan index 1efd283..cb97bf7 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -71,7 +71,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.4.0_ipfire.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc" \ --enable-cisco-quirks \ diff --git a/lfs/transmission b/lfs/transmission index b4ba4c4..d15631f 100644 --- a/lfs/transmission +++ b/lfs/transmission @@ -34,7 +34,7 @@ TARGET = $(DIR_INFO)/$(THISAPP) PROG = transmission PAK_VER = 1
-DEPS = "" +DEPS = "libevent2"
############################################################################### # Top-level Rules diff --git a/make.sh b/make.sh index 161319d..84597c2 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.11" # Version number -CORE="53" # Core Level (Filename) -PAKFIRE_CORE="52" # Core Level (PAKFIRE) +CORE="54" # Core Level (Filename) +PAKFIRE_CORE="53" # Core Level (PAKFIRE) GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir diff --git a/src/paks/transmission/install.sh b/src/paks/transmission/install.sh index c5907d4..6efa67e 100644 --- a/src/paks/transmission/install.sh +++ b/src/paks/transmission/install.sh @@ -24,18 +24,18 @@ . /opt/pakfire/lib/functions.sh
extract_files - +restore_backup ${NAME} # Create download directories if they do not yet exist. mkdir -p /var/transmission/{downloads,incomplete} 2>/dev/null
# Adjust permissions. chown nobody.nobody /etc/transmission /var/transmission
-# Start the service. -/etc/init.d/transmission start - +# create startlinks ln -sf ../init.d/transmission /etc/rc.d/rc0.d/K20transmission ln -sf ../init.d/transmission /etc/rc.d/rc3.d/S99transmission ln -sf ../init.d/transmission /etc/rc.d/rc6.d/K20transmission
+# Start the service. +start_service --background ${NAME} exit 0 diff --git a/src/paks/transmission/uninstall.sh b/src/paks/transmission/uninstall.sh index 5a2e708..85d7565 100644 --- a/src/paks/transmission/uninstall.sh +++ b/src/paks/transmission/uninstall.sh @@ -22,6 +22,8 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh +stop_service ${NAME} +make_backup ${NAME} remove_files
# Remove all start links. diff --git a/src/patches/gcc-4.1.2-fix_linker_version_detection.patch b/src/patches/gcc-4.1.2-fix_linker_version_detection.patch index c2f43be..36a756c 100644 --- a/src/patches/gcc-4.1.2-fix_linker_version_detection.patch +++ b/src/patches/gcc-4.1.2-fix_linker_version_detection.patch @@ -6,7 +6,7 @@ diff -Naur gcc-4.1.2.org/libstdc++-v3/configure gcc-4.1.2/libstdc++-v3/configure
ldver=`$LD --version 2>/dev/null | head -1 | \ - sed -e 's/GNU ld version ([0-9.][0-9.]*).*/\1/'` -+ sed -e 's/GNU ld (GNU binutils) ([0-9.][0-9.]*).*/\1/'` ++ sed -e 's/GNU ld .*) ([0-9.][0-9.]*).*/\1/'`
glibcxx_gnu_ld_version=`echo $ldver | \ $AWK -F. '{ if (NF<3) $3=0; print ($1*100+$2)*100+$3 }'` diff --git a/src/patches/strongswan-4.4.0_ipfire.patch b/src/patches/strongswan-4.4.0_ipfire.patch deleted file mode 100644 index 298a1e3..0000000 --- a/src/patches/strongswan-4.4.0_ipfire.patch +++ /dev/null 
@@ -1,286 +0,0 @@ -diff -Naur strongswan-4.4.0.org/src/_updown/_updown.in strongswan-4.4.0/src/_updown/_updown.in ---- strongswan-4.4.0.org/src/_updown/_updown.in 2010-03-15 21:52:51.000000000 +0100 -+++ strongswan-4.4.0/src/_updown/_updown.in 2010-05-15 13:33:40.000000000 +0200 -@@ -374,12 +374,12 @@ - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. -- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] -@@ -387,10 +387,10 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" -+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -@@ -398,12 +398,12 @@ - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] -@@ -411,10 +411,10 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" -+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -@@ -424,10 +424,10 @@ - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then -- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT -- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 -+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi -@@ -436,12 +436,12 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 - fi - # - # log IPsec client connection setup -@@ -450,12 +450,38 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ -- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi -+ -+ # -+ # Open Firewall for IPinIP + AH + ESP Traffic -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ -+ -s 
$PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ if [ $VPN_LOGGING ] -+ then -+ logger -t $TAG -p $FAC_PRIO \ -+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME" -+ fi -+ -+ # Add source nat so also the gateway can access the other nets -+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src)) -+ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src -+ logger -t $TAG -p $FAC_PRIO \ -+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" -+ -+ # Flush routing cache -+ ip route flush cache - ;; - down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down -@@ -463,11 +489,11 @@ - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then -- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ $IPSEC_POLICY_OUT -j MARK --set-mark 50 -+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -@@ -477,14 +503,14 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -+ $IPSEC_POLICY_OUT -j MARK --set-mark 50 - fi - # - # log IPsec client connection teardown -@@ -493,12 +519,38 @@ - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ -- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi -+ -+ # -+ # Close Firewall for IPinIP + AH + ESP Traffic -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ 
iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ -+ -s $PLUTO_PEER $S_PEER_PORT \ -+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ if [ $VPN_LOGGING ] -+ then -+ logger -t $TAG -p $FAC_PRIO \ -+ "tunnel- $PLUTO_PEER -- $PLUTO_ME" -+ fi -+ -+ # remove source nat -+ src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src)) -+ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src -+ logger -t $TAG -p $FAC_PRIO \ -+ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" -+ -+ # Flush routing cache -+ ip route flush cache - ;; - # - # IPv6 -@@ -533,10 +585,10 @@ - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. -- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # -@@ -557,10 +609,10 @@ - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
-- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # -@@ -583,10 +635,10 @@ - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then -- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT -- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi -@@ -595,10 +647,10 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi -@@ -622,11 +674,11 @@ - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then -- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT -- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -@@ -636,11 +688,11 @@ - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then -- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT -- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT diff --git a/src/patches/strongswan-4.5.3_ipfire.patch b/src/patches/strongswan-4.5.3_ipfire.patch new file mode 100644 index 0000000..2ba975b --- /dev/null +++ b/src/patches/strongswan-4.5.3_ipfire.patch 
@@ -0,0 +1,342 @@ +diff -Naur strongswan-4.5.3.org/src/_updown/_updown.in strongswan-4.5.3/src/_updown/_updown.in +--- strongswan-4.5.3.org/src/_updown/_updown.in 2010-10-22 16:33:30.000000000 +0200 ++++ strongswan-4.5.3/src/_updown/_updown.in 2011-09-13 14:19:31.000000000 +0200 +@@ -183,6 +183,29 @@ + ;; + esac + ++function ip_encode() { ++ local IFS=. ++ ++ local int=0 ++ for field in $1; do ++ int=$(( $(( $int << 8 )) | $field )) ++ done ++ ++ echo $int ++} ++ ++function ip_in_subnet() { ++ local netmask ++ netmask=$(_netmask $2) ++ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] ++} ++ ++function _netmask() { ++ local vlsm ++ vlsm=${1#*/} ++ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) ++} ++ + # utility functions for route manipulation + # Meddling with this stuff should not be necessary and requires great care. + uproute() { +@@ -387,12 +410,12 @@ + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] +@@ -400,10 +423,10 @@ + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" ++ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" ++ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +@@ -411,12 +434,12 @@ + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] +@@ -424,10 +447,10 @@ + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" ++ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" ++ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +@@ -437,10 +460,10 @@ + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then +- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT +- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi +@@ -449,12 +472,12 @@ + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ +- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 + fi + # + # log IPsec client connection setup +@@ -463,12 +486,51 @@ + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ +- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi ++ ++ # ++ # Open Firewall for IPinIP + AH + ESP Traffic ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \ ++ -s 
$PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ if [ $VPN_LOGGING ] ++ then ++ logger -t $TAG -p $FAC_PRIO \ ++ "tunnel+ $PLUTO_PEER -- $PLUTO_ME" ++ fi ++ ++ # Add source nat so also the gateway can access the other nets ++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do ++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" ++ if [ $? -eq 0 ]; then ++ src=${_src} ++ break ++ fi ++ done ++ ++ if [ -n "${src}" ]; then ++ iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src ++ logger -t $TAG -p $FAC_PRIO \ ++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ else ++ logger -t $TAG -p $FAC_PRIO \ ++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" ++ fi ++ ++ # Flush routing cache ++ ip route flush cache + ;; + down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down +@@ -476,11 +538,11 @@ + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then +- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT +- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT +@@ -490,14 +552,14 @@ + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT +- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ +- $IPSEC_POLICY_OUT -j ACCEPT ++ $IPSEC_POLICY_OUT -j MARK --set-mark 50 + fi + # + # log IPsec client connection teardown +@@ -506,12 +568,51 @@ + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ +- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" ++ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi ++ ++ # ++ # Close Firewall for IPinIP + AH + ESP Traffic ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ 
iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ if [ $VPN_LOGGING ] ++ then ++ logger -t $TAG -p $FAC_PRIO \ ++ "tunnel- $PLUTO_PEER -- $PLUTO_ME" ++ fi ++ ++ # remove source nat ++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do ++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" ++ if [ $? -eq 0 ]; then ++ src=${_src} ++ break ++ fi ++ done ++ ++ if [ -n "${src}" ]; then ++ iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src ++ logger -t $TAG -p $FAC_PRIO \ ++ "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" ++ else ++ logger -t $TAG -p $FAC_PRIO \ ++ "Cannot remove NAT rule because no IP of the IPFire does match the subnet." ++ fi ++ ++ # Flush routing cache ++ ip route flush cache + ;; + # + # IPv6 +@@ -546,10 +647,10 @@ + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. +- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # +@@ -570,10 +671,10 @@ + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # +@@ -596,10 +697,10 @@ + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then +- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT +- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi +@@ -608,10 +709,10 @@ + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi +@@ -635,11 +736,11 @@ + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then +- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT +- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT +@@ -649,11 +750,11 @@ + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then +- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ ++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT +- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT
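Review bot: in the IPv4 up-host/down-host and up-client/down-client hunks the IPSECOUTPUT rule and the outbound IPSECFORWARD rule change from `-j ACCEPT` to `-j MARK --set-mark 50`, but MARK is a non-terminating target: the packet continues down the chain and nothing in this diff accepts it, so the outbound side of every IPv4 connection now depends on a rule outside this patch that matches mark 50. That rule (and why mark 50) should be named in the commit message or in a comment next to the first `-j MARK --set-mark 50`. The inbound rules in the same hunks keep `-j ACCEPT`, and all of the ip6tables hunks keep `-j ACCEPT` for IPSECOUTPUT and IPSECFORWARD as well, so IPv4 and IPv6 now treat the same connection type differently; either give the IPv6 branch the same MARK handling or document why it is intentionally left as ACCEPT.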
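Review bot: the new "Open Firewall for IPinIP + AH + ESP Traffic" block in the up-client hunk accepts far more than its comment says. `-p IP` is resolved through /etc/protocols to protocol 0, which iptables treats as `all`, so `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP -s $PLUTO_PEER $S_PEER_PORT -d $PLUTO_ME $D_MY_PORT -j ACCEPT` puts an accept-everything rule for the peer's public address at position 1 of IPSECINPUT, in front of whatever the chain filters; if IP-in-IP is really needed the protocol name is `ipencap` (4), and otherwise the AH and ESP rules are sufficient. The same three rules also carry `$S_PEER_PORT` and `$D_MY_PORT`; those expand to `--sport`/`--dport` whenever the connection selector specifies a port, and those options are only valid for TCP/UDP/SCTP, so the AH/ESP/IP inserts would fail with an option error for such connections, and the matching `-D` lines in down-client would fail the same way. Drop the port variables from these six rules. Finally, the block is only added in up-client/down-client: a host-to-host connection that goes through the up-host hunk gets no AH/ESP accept at all, so either the block belongs in both places or the asymmetry needs a comment.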
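Review bot: the source-NAT block added to up-client and down-client calls `ip_in_subnet`, which is not defined anywhere in this diff; if it lives elsewhere in the script or in a sourced file, the commit message should say where, otherwise every up/down will log "Cannot create NAT rule" and `src` stays empty. Smaller points in the same block: `src` is never initialised before the `for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}` loop, so add `src=` ahead of it; the `snat+`/`snat-` logger calls are the only informational messages in the script not gated on `$VPN_LOGGING`, unlike the host+/client+/tunnel+ lines; the down-client message "Cannot remove NAT rule because no IP of the IPFire does match the subnet." dropped the `$PLUTO_MY_CLIENT` suffix the up-client message has, which makes the failure harder to attribute; and `eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)` is evaluated on every event although only the three address variables are needed. A one-line comment that the SNAT exists so packets the gateway itself sends to `$PLUTO_PEER_CLIENT` get a source inside `$PLUTO_MY_CLIENT` and therefore match the tunnel's traffic selector would explain the rule better than "so also the gateway can access the other nets".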
hooks/post-receive -- IPFire 2.x development tree