The branch, next has been updated via db073a101e354ae047e1c5c113b50d03de1058de (commit) from 5e21bae9cdc9969058d068e5d024d6766c7413e9 (commit)
- Log ----------------------------------------------------------------- commit db073a101e354ae047e1c5c113b50d03de1058de Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Mar 27 21:15:46 2010 +0100
Some changes for strongswan. Still need a replacement for ipsec auto --replace
-----------------------------------------------------------------------
Summary of changes: doc/packages-list.txt | 2 +- html/cgi-bin/index.cgi | 2 +- html/cgi-bin/vpnmain.cgi | 2 +- src/initscripts/init.d/firewall | 3 +- src/misc-progs/ipsecctrl.c | 130 +++++----------------------- src/patches/strongswan-4.3.6_ipfire.patch | 121 ++++++++------------------- 6 files changed, 63 insertions(+), 197 deletions(-)
Difference in files:
diff --git a/doc/packages-list.txt b/doc/packages-list.txt
index 1b7287d..3d8ff07 100644
--- a/doc/packages-list.txt
+++ b/doc/packages-list.txt
@@ -61,7 +61,7 @@
* cacti-0.8.7e
* calamaris-2.59
* capi4k-utils-2005-07-18
-* ccache-2.4
+* ccache-3.0pre0
* cdrtools-2.01.01
* centerim-4.22.1
* clamav-0.95.3
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index 6a78baa..dfe65bf 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -337,7 +337,7 @@ END
if ( `cat /var/ipfire/vpn/settings | grep ^ENABLED=on` || `cat /var/ipfire/vpn/settings | grep ^ENABLED_BLUE=on` ) {
my $ipsecip = `cat /var/ipfire/vpn/settings | grep ^VPN_IP= | cut -c 8-`;
- my @status = `/usr/sbin/ipsec auto --status`;
+ my @status = `/usr/local/bin/ipsecctrl I`;
my %confighash = ();
&General::readhasharray("${General::swroot}/vpn/config", %confighash);
print <<END;
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 9e75c69..280055e 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2387,7 +2387,7 @@ EOF
&General::readhasharray("${General::swroot}/vpn/config", %confighash);
$cgiparams{'CA_NAME'} = '';
- my @status = `/usr/sbin/ipsec auto --status`;
+ my @status = `/usr/local/bin/ipsecctrl I`;
# suggest a default name for this side
if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 55bc066..9b70869 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -116,7 +116,8 @@ iptables_red() {
/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
- # Outgoing masquerading
+ # Outgoing masquerading (don't masqerade IPSEC (mark 50))
+ /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index c46bc06..d443edc 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -30,21 +30,16 @@
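Review bot: The new RETURN rule depends on mark 50 having been set before the packet reaches nat/POSTROUTING, and nothing in this script sets it; the hunk's comment should say where the mark comes from, e.g. `# Don't masquerade IPsec traffic: the patched strongswan _updown script sets mark 50 on tunnel traffic in IPSECOUTPUT/IPSECFORWARD, and masquerading it would presumably break the tunnel's source selectors` (which also fixes "masqerade"). The mark value is now hard-coded in two places, this script and the strongswan patch, with no cross-reference between them, so they can drift apart silently. iptables_red() starts outside the hunk.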
*/
-#define phystable "IPSECPHYSICAL"
-#define virtualtable "IPSECVIRTUAL"
-
void usage() {
fprintf (stderr, "Usage:\n");
fprintf (stderr, "\tipsecctrl S [connectionkey]\n");
fprintf (stderr, "\tipsecctrl D [connectionkey]\n");
fprintf (stderr, "\tipsecctrl R\n");
+ fprintf (stderr, "\tipsecctrl I\n");
fprintf (stderr, "\t\tS : Start/Restart Connection\n");
fprintf (stderr, "\t\tD : Stop Connection\n");
fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");
-}
-
-void load_modules() {
-// safe_system("/sbin/modprobe ipsec");
+ fprintf (stderr, "\t\tI : Print Statusinfo\n");
}
/*
@@ -54,108 +49,31 @@ void open_physical (char *interface, int nat_traversal_port) {
char str[STRING_SIZE];
// GRE ???
- sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
+// sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
// safe_system(str);
// ESP
- sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
+// sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
// safe_system(str);
// AH
- sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
+// sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
// safe_system(str);
// IKE
- sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
-// safe_system(str);
+ sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
+ safe_system(str);
if (! nat_traversal_port) return;
- sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
-// safe_system(str);
-}
-
-/*
- Basic control for what can flow from/to ipsecX interfaces.
-
- rc.firewall call this chain just before ACCEPTing everything
- from green (-i DEV_GREEN -j ACCEPT).
-*/
-void open_virtual (void) {
- // allow anything from any ipsec to go on all interface, including other ipsec
-// safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
- //todo: BOT extension?; allowing ipsec0<<==port-list-filter==>>GREEN ?
+ sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+ safe_system(str);
}
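Review bot: The IKE rule is now really executed (the old one had its safe_system() commented out) and it requires `--sport 500`, so an initiator behind a NAT that rewrites the UDP source port is dropped on its very first IKE packet, before NAT-T can move it to 4500, unless some other chain already accepts udp/500; `-p udp -i %s --dport 500 -j ACCEPT` is the usual form. The two new lines also keep sprintf() into the fixed `str[STRING_SIZE]` buffer with `interface` taken from configuration; `snprintf(str, STRING_SIZE, ...)` costs nothing here, and since the string is then handed to a shell by safe_system(), it is worth confirming that main() validates the interface name before calling this (not visible in the hunk).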
void ipsec_norules() {
/* clear input rules */
-// safe_system("/sbin/iptables -F " phystable);
-// safe_system("/sbin/iptables -F " virtualtable);
-
- // unmap red alias ????
-}
-
- void add_alias_interfaces(char *configtype,
- char *redtype,
- char *redif,
- int offset) //reserve room for ipsec0=red, ipsec1=green, ipsec2=orange,ipsec3=blue
-{
- FILE *file = NULL;
- char s[STRING_SIZE];
- int alias=0;
-
- /* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,
- * exit gracefully. This is not an error... */
- if (!((strcmp(configtype, "1")==0) || (strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || (strcmp(configtype, "4")==0)))
- return;
-
- /* Now check the RED_TYPE - aliases only work with STATIC. */
- if (!(strcmp(redtype, "STATIC")==0))
- return;
+ safe_system("/sbin/iptables -F IPSECINPUT");
+ safe_system("/sbin/iptables -F IPSECFORWARD");
+ safe_system("/sbin/iptables -F IPSECOUTPUT");
- /* Now set up the new aliases from the config file */
- if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r")))
- {
- fprintf(stderr, "Unable to open aliases configuration file\n");
- return;
- }
- while (fgets(s, STRING_SIZE, file) != NULL && (offset+alias) < 16 )
- {
- if (s[strlen(s) - 1] == '\n')
- s[strlen(s) - 1] = '\0';
- int count = 0;
- char *aliasip=NULL;
- char *enabled=NULL;
- char *comment=NULL;
- char *sptr = strtok(s, ",");
- while (sptr)
- {
- if (count == 0)
- aliasip = sptr;
- if (count == 1)
- enabled = sptr;
- else
- comment = sptr;
- count++;
- sptr = strtok(NULL, ",");
- }
-
- if (!(aliasip && enabled))
- continue;
-
- if (!VALID_IP(aliasip))
- {
- fprintf(stderr, "Bad alias : %s\n", aliasip);
- return;
- }
-
- if (strcmp(enabled, "on") == 0)
- {
- memset(s, 0, STRING_SIZE);
- snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", offset+alias, redif, alias);
-// safe_system(s);
- alias++;
- }
- }
}
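Review bot: The only comment left in ipsec_norules(), `/* clear input rules */`, is now wrong: the function flushes IPSECFORWARD and IPSECOUTPUT as well as IPSECINPUT. Suggest `/* flush all IPsec chains (INPUT, FORWARD, OUTPUT); open_physical() and the strongswan _updown script repopulate them per connection */`. The return value of each safe_system() is discarded, so a missing chain (if the firewall script has not created it yet) fails silently; a one-line note saying that is deliberate, or a check of the result, would help the next reader.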
/*
@@ -220,7 +138,7 @@ int decode_line (char *s,
void turn_connection_on (char *name, char *type) {
char command[STRING_SIZE];
- safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
+ safe_system("/usr/sbin/ipsec whack --rereadsecrets >/dev/null");
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1,
"/usr/sbin/ipsec auto --replace %s >/dev/null", name);
@@ -228,7 +146,7 @@ void turn_connection_on (char *name, char *type) {
if (strcmp(type, "net") == 0) {
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name);
+ "/usr/sbin/ipsec whack --asynchronous --name %s --initiate >/dev/null", name);
safe_system(command);
}
}
@@ -240,13 +158,13 @@ void turn_connection_off (char *name) {
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --down %s >/dev/null", name);
+ "/usr/sbin/ipsec whack --name %s --terminate >/dev/null", name);
safe_system(command);
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --delete %s >/dev/null", name);
+ "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name);
safe_system(command);
- safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
+ safe_system("/usr/sbin/ipsec whack --rereadsecrets >/dev/null");
}
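Review bot: `name` is still interpolated unquoted into the `--name %s` command lines and run through safe_system(), so unless main() restricts the connection key to a safe character set before calling here (not visible in this hunk), a key containing shell metacharacters is interpreted by the shell with the helper's privileges; the switch to whack was a good moment to add a guard such as `if (strspn(name, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-") != strlen(name)) return;` at the top of both turn_connection_on() and turn_connection_off(). The results of the whack calls are discarded, as before, so a failed `--terminate` still proceeds to `--delete`. turn_connection_off()'s opening lines precede this hunk.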
@@ -291,9 +209,15 @@ int main(int argc, char *argv[]) {
}
if (strcmp(argv[1], "R") == 0) { - safe_system("/usr/sbin/ipsec auto --rereadall"); + safe_system("/usr/sbin/ipsec whack --rereadall"); + exit(0); + } + + if (strcmp(argv[1], "I") == 0) { + safe_system("/usr/sbin/ipsec whack --status"); exit(0); } + }
/* clear iptables vpn rules */
@@ -422,15 +346,9 @@ int main(int argc, char *argv[]) {
if (enable_blue==2) open_physical(if_blue, 4500);
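Review bot: The new `I` branch calls `exit(0)` whatever `ipsec whack --status` returned, so the CGI callers added in this commit cannot tell an empty status from a pluto that is not running; if safe_system() returns the command's status, `exit(safe_system("/usr/sbin/ipsec whack --status") ? 1 : 0);` would pass that through. Since this helper is what the web frontend now invokes for status, a comment above the branch stating that `I` intentionally prints the full whack status to the web user would keep anyone from later routing secrets-bearing output through it. main() starts outside the hunk.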
- // then open the ipsecX
- open_virtual();
- // start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- load_modules();
- safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");
safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
- add_alias_interfaces(configtype, redtype, if_red, (enable_red+enable_green+enable_orange+enable_blue) >>1 );
safe_system("/usr/local/bin/vpn-watch &");
exit(0);
}
diff --git a/src/patches/strongswan-4.3.6_ipfire.patch b/src/patches/strongswan-4.3.6_ipfire.patch
index 69f2aba..26cc357 100644
--- a/src/patches/strongswan-4.3.6_ipfire.patch
+++ b/src/patches/strongswan-4.3.6_ipfire.patch
@@ -1,7 +1,7 @@
diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
--- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
-+++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100
-@@ -374,10 +374,10 @@
++++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-27 16:32:13.000000000 +0100
+@@ -374,12 +374,12 @@
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -12,8 +12,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
#
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
@@ -387,10 +387,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
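Review bot: Swapping `-j ACCEPT` for `-j MARK --set-mark 50` silently drops the accept: MARK is a non-terminating target, so the outbound packet continues through the rest of IPSECOUTPUT and is decided by whatever the firewall script does after that chain, which this patch does not show. If tunnel traffic is still meant to be accepted here, a second rule is required, e.g. `iptables -I IPSECOUTPUT 2 -m mark --mark 50 -j ACCEPT`, with the matching `-D` on the down path. It is also worth confirming on the target kernel that MARK is accepted in the filter table, since older xt_MARK revisions restrict it to mangle; the same substitution recurs in the FORWARD and client hunks below.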
@@ -27,7 +30,7 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
fi
fi
;;
-@@ -398,10 +398,10 @@
+@@ -398,12 +398,12 @@
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -38,8 +41,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
#
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
@@ -411,10 +411,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
@@ -60,13 +66,14 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
fi
-@@ -436,10 +436,10 @@
+@@ -436,12 +436,12 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
@@ -77,8 +84,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
fi
+ #
+ # log IPsec client connection setup
@@ -450,12 +450,27 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
@@ -93,13 +103,13 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
fi
+
+ #
-+ # Open Firewall for ESP Traffic
++ # Open Firewall for AH + ESP Traffic
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
-+ -d $PLUTO_PEER $S_PEER_PORT \
-+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
@@ -117,13 +127,14 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
+- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
$IPSEC_POLICY_IN -j ACCEPT
-@@ -477,11 +492,11 @@
+@@ -477,14 +492,14 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
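Review bot: The new `-p AH` rule (like the ESP rule it copies) appends `$S_PEER_PORT` and `$D_MY_PORT`; in the stock _updown these expand to `--sport`/`--dport` options whenever the connection's protoport selector names a port, and iptables rejects port matches for AH/ESP, so for such connections the insert fails and the peer's AH/ESP is never opened. Drop the two variables: `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT` (same for ESP, and for the `-D` counterparts in the down-client hunk). The IPSECOUTPUT rule for outgoing ESP is removed here, so outbound ESP now relies on whatever follows these chains; if that is intended, a comment in the patch saying so would save the next reader a search.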
@@ -136,7 +147,11 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
+- $IPSEC_POLICY_OUT -j ACCEPT
++ $IPSEC_POLICY_OUT -j MARK --set-mark 50
+ fi
+ #
+ # log IPsec client connection teardown
@@ -493,12 +508,27 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
@@ -151,13 +166,13 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
fi
+
+ #
-+ # Close Firewall for ESP Traffic
++ # Close Firewall for AH+ESP Traffic
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
+ -s $PLUTO_PEER $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
-+ -d $PLUTO_PEER $S_PEER_PORT \
-+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
+ if [ $VPN_LOGGING ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
@@ -247,71 +262,3 @@ diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_upd
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
$IPSEC_POLICY_OUT -j ACCEPT
-diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
---- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200
-+++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100
-@@ -247,10 +247,10 @@
- ESP_MARK=50
-
- # add the following static rule to the INPUT chain in the mangle table
--# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
-+# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
-
- # NAT traversal via UDP encapsulation is supported with the rule
--# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
-+# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
-
- # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
- if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-@@ -325,10 +325,10 @@
- up-host:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
-- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
-- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
-@@ -346,10 +346,10 @@
- # If you are doing a custom version, firewall commands go here.
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
-- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
-@@ -365,10 +365,10 @@
- up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
-- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $CHECK_MARK -j ACCEPT
-@@ -385,10 +385,10 @@
- down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
-- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $CHECK_MARK -j ACCEPT