* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 962ac5bdc6d8abd09819c2a43d4bf2cbd5fc5336
@ 2015-05-07 20:42 git
From: git @ 2015-05-07 20:42 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  962ac5bdc6d8abd09819c2a43d4bf2cbd5fc5336 (commit)
       via  d81456730cbb515711e9ea796f14048b0c4009f5 (commit)
       via  a9600358d86b78d144376fffc8c3b91da6c29e26 (commit)
       via  d9e80e0b0914f71c90f1bf743be0bc412afe1115 (commit)
      from  086eb9b58233ec19e555a9ded97d00a863fef404 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 962ac5bdc6d8abd09819c2a43d4bf2cbd5fc5336
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu May 7 22:42:04 2015 +0200

    core90: Ship changed ipsecctrl

commit d81456730cbb515711e9ea796f14048b0c4009f5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu May 7 22:40:08 2015 +0200

    strongswan: Use --wait option for iptables commands

commit a9600358d86b78d144376fffc8c3b91da6c29e26
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu May 7 21:06:44 2015 +0200

    ipsecctrl: Use --wait switch for all iptables commands

commit d9e80e0b0914f71c90f1bf743be0bc412afe1115
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu May 7 21:05:50 2015 +0200

    ipsecctrl: Remove unused code block

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/90/filelists/files |  1 +
 src/misc-progs/ipsecctrl.c               | 24 ++++-------
 src/patches/strongswan-ipfire.patch      | 68 ++++++++++++++++----------------
 3 files changed, 42 insertions(+), 51 deletions(-)

Difference in files:
diff --git a/config/rootfiles/core/90/filelists/files b/config/rootfiles/core/90/filelists/files
index d36ece0..431dcd6 100644
--- a/config/rootfiles/core/90/filelists/files
+++ b/config/rootfiles/core/90/filelists/files
@@ -25,6 +25,7 @@ usr/lib/firewall/firewall-lib.pl
 usr/lib/firewall/rules.pl
 usr/local/bin/backupiso
 usr/local/bin/ddnsctrl
+usr/local/bin/ipsecctrl
 usr/local/bin/xt_geoip_build
 usr/local/bin/xt_geoip_update
 var/ipfire/general-functions.pl
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index eb3fc49..e99202d 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -58,36 +58,26 @@ static void ipsec_reload() {
 void open_physical (char *interface, int nat_traversal_port) {
         char str[STRING_SIZE];
 
-        // GRE ???
-//        sprintf(str, "/sbin/iptables -A " phystable " -p 47  -i %s -j ACCEPT", interface);
-//        safe_system(str);
-        // ESP
-//        sprintf(str, "/sbin/iptables -A " phystable " -p 50  -i %s -j ACCEPT", interface);
-//        safe_system(str);
-        // AH
-//        sprintf(str, "/sbin/iptables -A " phystable " -p 51  -i %s -j ACCEPT", interface);
-//        safe_system(str);
         // IKE
-
-        sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+        sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
         safe_system(str);
-        sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
+        sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
         safe_system(str);
 
         if (! nat_traversal_port) 
             return;
 
-        sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+        sprintf(str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
         safe_system(str);
-        sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+        sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
         safe_system(str);
 }
 
 void ipsec_norules() {
         /* clear input rules */
-        safe_system("/sbin/iptables -F IPSECINPUT");
-        safe_system("/sbin/iptables -F IPSECFORWARD");
-        safe_system("/sbin/iptables -F IPSECOUTPUT");
+        safe_system("/sbin/iptables --wait -F IPSECINPUT");
+        safe_system("/sbin/iptables --wait -F IPSECFORWARD");
+        safe_system("/sbin/iptables --wait -F IPSECOUTPUT");
 }
 
 /*
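Review bot: The four rewritten `sprintf(str, ...)` calls in `open_physical` still format into the fixed `char str[STRING_SIZE]` with no bound, and this change makes every command seven bytes longer; `interface` is supplied by the caller and the `>/dev/null 2>&1` redirection implies the string is handed to a shell, so an over-long or unvalidated interface name is precisely the input that would overrun `str` or alter the command line. Switch to `snprintf(str, sizeof str, "/sbin/iptables --wait -D IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);` for this and the other three calls, and do not call `safe_system` when the return is negative or `>= sizeof str`. Whether `interface` is validated before it reaches this function is not visible in the hunk. Separately, `--wait` with no argument blocks until the xtables lock is released; if the shipped iptables accepts a timeout argument to `--wait`, a bounded wait would keep a stuck iptables from hanging ipsecctrl, and the same applies to the three `safe_system` literals in `ipsec_norules`.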
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 79bee04..7071983 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -35,11 +35,11 @@
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
 -	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 +	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
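Review bot: The `--wait` added to the `iptables -I IPSECINPUT` and `iptables -I IPSECOUTPUT` lines here, and in every later hunk of this file (the `-D` teardown paths, the `-t nat` SNAT rules and the `ip6tables` variants), waits indefinitely for the xtables lock; this script runs as strongswan's updown hook, so a wedged or very slow iptables invocation would now stall tunnel establishment and teardown instead of failing the single rule operation. If the shipped iptables accepts a timeout argument to `--wait`, a bounded wait plus a check of the exit status is the safer form; if it does not, a comment recording that the unbounded wait is intentional would help the next reader, e.g. `# --wait: block for the xtables lock rather than race concurrent firewall reloads`. The enclosing updown-script functions start and end outside the hunks shown.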
@@ -64,11 +64,11 @@
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
 -	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 +	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
@@ -93,12 +93,12 @@
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  	then
 -	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	  iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 -	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 +	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
-+	  iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 +	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
@@ -109,12 +109,12 @@
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
 -	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 +	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
-+	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 +	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
@@ -126,7 +126,7 @@
  	if [ -n "$PLUTO_IPCOMP" ]
  	then
 -	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
-+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
++	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
@@ -145,13 +145,13 @@
 +
 +	#
 +	# Open Firewall for IPinIP + AH + ESP Traffic
-+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
++	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
 +	      -s $PLUTO_PEER $S_PEER_PORT \
 +	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
 +	      -s $PLUTO_PEER $S_PEER_PORT \
 +	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
 +	      -s $PLUTO_PEER $S_PEER_PORT \
 +	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
 +	if [ $VPN_LOGGING ]
@@ -171,7 +171,7 @@
 +	done
 +
 +	if [ -n "${src}" ]; then
-+		iptables -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++		iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
 +		logger -t $TAG -p $FAC_PRIO \
 +			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
 +	else
@@ -189,13 +189,13 @@
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  	then
 -	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	  iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  iptables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 -	         $IPSEC_POLICY_OUT -j ACCEPT
 -	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 +	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
-+	  iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 -	         $IPSEC_POLICY_IN -j ACCEPT
@@ -207,13 +207,13 @@
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
 -	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 -	         $IPSEC_POLICY_IN -j ACCEPT
 -	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 +	         $IPSEC_POLICY_IN -j RETURN
-+	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 -	         $IPSEC_POLICY_OUT -j ACCEPT
@@ -224,7 +224,7 @@
  	if [ -n "$PLUTO_IPCOMP" ]
  	then
 -	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
-+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
++	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
@@ -243,13 +243,13 @@
 +
 +	#
 +	# Close Firewall for IPinIP + AH + ESP Traffic
-+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
++	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
 +	      -s $PLUTO_PEER $S_PEER_PORT \
 +	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
++	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
 +	      -s $PLUTO_PEER $S_PEER_PORT \
 +	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
++	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
 +	      -s $PLUTO_PEER $S_PEER_PORT \
 +	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
 +	if [ $VPN_LOGGING ]
@@ -269,7 +269,7 @@
 +	done
 +
 +	if [ -n "${src}" ]; then
-+		iptables -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++		iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
 +		logger -t $TAG -p $FAC_PRIO \
 +			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
 +	else
@@ -287,11 +287,11 @@
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
 -	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
@@ -300,11 +300,11 @@
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
 -	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
@@ -313,11 +313,11 @@
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
 -	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	  ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  ip6tables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 -	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	  ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  ip6tables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  	fi
@@ -326,11 +326,11 @@
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
 -	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	  ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  ip6tables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	  ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  ip6tables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  	fi
@@ -339,12 +339,12 @@
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
 -	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	  ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  ip6tables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
  	         $IPSEC_POLICY_OUT -j ACCEPT
 -	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	  ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  ip6tables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
  	         $IPSEC_POLICY_IN -j ACCEPT
@@ -353,12 +353,12 @@
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
 -	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	  ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	  ip6tables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
  	         $IPSEC_POLICY_IN -j ACCEPT
 -	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-+	  ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  ip6tables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
  	         $IPSEC_POLICY_OUT -j ACCEPT


hooks/post-receive
--
IPFire 2.x development tree
