* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 80909fb6da64a911c900df50805fd5866685faf0
@ 2021-10-18 16:58 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2021-10-18 16:58 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  80909fb6da64a911c900df50805fd5866685faf0 (commit)
      from  819fdfb17a3cbc7c25ce098be83896bcd3311567 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 80909fb6da64a911c900df50805fd5866685faf0
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Mon Oct 18 18:57:18 2021 +0200

    strongswan: update _updown to use conmark for QoS
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/strongswan                                 |   2 -
 src/patches/strongswan-ipfire-interfaces.patch |  72 -------------
 src/patches/strongswan-ipfire-revert.patch     | 113 -------------------
 src/patches/strongswan-ipfire.patch            | 143 ++++++++-----------------
 4 files changed, 45 insertions(+), 285 deletions(-)
 delete mode 100644 src/patches/strongswan-ipfire-interfaces.patch
 delete mode 100644 src/patches/strongswan-ipfire-revert.patch

Difference in files:
diff --git a/lfs/strongswan b/lfs/strongswan
index 3b481ac2e..46c0309fb 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -72,8 +72,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch
 
 	$(UPDATE_AUTOMAKE)
 	cd $(DIR_APP) && ./configure \
diff --git a/src/patches/strongswan-ipfire-interfaces.patch b/src/patches/strongswan-ipfire-interfaces.patch
deleted file mode 100644
index 5ec96a48a..000000000
--- a/src/patches/strongswan-ipfire-interfaces.patch
+++ /dev/null
@@ -1,72 +0,0 @@
---- strongswan-5.7.0/src/_updown/_updown.in.bak	2019-02-06 18:19:25.723893992 +0000
-+++ strongswan-5.7.0/src/_updown/_updown.in	2019-02-06 18:28:21.520560665 +0000
-@@ -130,6 +130,13 @@
- #              address family.
- #
- 
-+VARS=(
-+	id status name lefthost type ctype psk local local_id leftsubnets
-+	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
-+	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
-+	route x23 mode interface_mode interface_address interface_mtu rest
-+)
-+
- function ip_encode() {
- 	local IFS=.
- 
-@@ -319,6 +326,13 @@
- 	fi
- 	;;
- up-client:iptables)
-+	# Read IPsec configuration
-+	while IFS="," read -r "${VARS[@]}"; do
-+		if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
-+			break
-+		fi
-+	done < /var/ipfire/vpn/config
-+
- 	# connection to client subnet, with (left/right)firewall=yes, coming up
- 	# This is used only by the default updown script, not by your custom
- 	# ones, so do not mess with it; see CAUTION comment up at top.
-@@ -383,23 +397,25 @@
- 	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
- 	fi
- 
--	# Add source nat so also the gateway can access the other nets
--	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
--	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
--		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
--		if [ $? -eq 0 ]; then
--			src=${_src}
--			break
-+	if [ -z "${interface_mode}" ]; then
-+		# Add source nat so also the gateway can access the other nets
-+		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-+		for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-+			ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-+			if [ $? -eq 0 ]; then
-+				src=${_src}
-+				break
-+			fi
-+		done
-+
-+		if [ -n "${src}" ]; then
-+			iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-+			logger -t $TAG -p $FAC_PRIO \
-+				"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-+		else
-+			logger -t $TAG -p $FAC_PRIO \
-+				"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
- 		fi
--	done
--
--	if [ -n "${src}" ]; then
--		iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
--		logger -t $TAG -p $FAC_PRIO \
--			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
--	else
--		logger -t $TAG -p $FAC_PRIO \
--			"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
- 	fi
- 
- 	# Flush routing cache
diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch
deleted file mode 100644
index 91c76212e..000000000
--- a/src/patches/strongswan-ipfire-revert.patch
+++ /dev/null
@@ -1,113 +0,0 @@
---- strongswan-5.7.2/src/_updown/_updown.in.bak	2019-04-08 16:27:08.549214441 +0100
-+++ strongswan-5.7.2/src/_updown/_updown.in	2019-04-08 16:30:30.195868788 +0100
-@@ -130,36 +130,6 @@
- #              address family.
- #
- 
--VARS=(
--	id status name lefthost type ctype psk local local_id leftsubnets
--	remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
--	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
--	route x23 mode interface_mode interface_address interface_mtu rest
--)
--
--function ip_encode() {
--	local IFS=.
--
--	local int=0
--	for field in $1; do
--		int=$(( $(( $int << 8 )) | $field ))
--	done
--
--	echo $int
--}
--
--function ip_in_subnet() {
--	local netmask
--	netmask=$(_netmask $2)
--	[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
--}
--
--function _netmask() {
--	local vlsm
--	vlsm=${1#*/}
--	[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
--}
--
- # define a minimum PATH environment in case it is not set
- PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
- export PATH
-@@ -326,13 +296,6 @@
- 	fi
- 	;;
- up-client:iptables)
--	# Read IPsec configuration
--	while IFS="," read -r "${VARS[@]}"; do
--		if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
--			break
--		fi
--	done < /var/ipfire/vpn/config
--
- 	# connection to client subnet, with (left/right)firewall=yes, coming up
- 	# This is used only by the default updown script, not by your custom
- 	# ones, so do not mess with it; see CAUTION comment up at top.
-@@ -396,30 +359,6 @@
- 	    logger -t $TAG -p $FAC_PRIO \
- 	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
- 	fi
--
--	if [ -z "${interface_mode}" ]; then
--		# Add source nat so also the gateway can access the other nets
--		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
--		for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
--			ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
--			if [ $? -eq 0 ]; then
--				src=${_src}
--				break
--			fi
--		done
--
--		if [ -n "${src}" ]; then
--			iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
--			logger -t $TAG -p $FAC_PRIO \
--				"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
--		else
--			logger -t $TAG -p $FAC_PRIO \
--				"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
--		fi
--	fi
--
--	# Flush routing cache
--	ip route flush cache
- 	;;
- down-client:iptables)
- 	# connection to client subnet, with (left/right)firewall=yes, going down
-@@ -487,28 +426,6 @@
- 	    logger -t $TAG -p $FAC_PRIO \
- 	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
- 	fi
--
--	# remove source nat
--	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
--	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
--		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
--		if [ $? -eq 0 ]; then
--			src=${_src}
--			break
--		fi
--	done
--
--	if [ -n "${src}" ]; then
--		iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
--		logger -t $TAG -p $FAC_PRIO \
--			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
--	else
--		logger -t $TAG -p $FAC_PRIO \
--			"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
--	fi
--
--	# Flush routing cache
--	ip route flush cache
- 	;;
- #
- # IPv6
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 17c40b025..38202c1ec 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -1,36 +1,7 @@
---- strongswan-5.3.0/src/_updown/_updown.in.old	2015-03-17 18:17:43.000000000 +0000
-+++ strongswan-5.3.0/src/_updown/_updown.in	2015-03-30 22:48:27.084030719 +0000
-@@ -122,6 +122,29 @@
- #              address family.
- #
- 
-+function ip_encode() {
-+	local IFS=.
-+
-+	local int=0
-+	for field in $1; do
-+		int=$(( $(( $int << 8 )) | $field ))
-+	done
-+
-+	echo $int
-+}
-+
-+function ip_in_subnet() {
-+	local netmask
-+	netmask=$(_netmask $2)
-+	[ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
-+}
-+
-+function _netmask() {
-+	local vlsm
-+	vlsm=${1#*/}
-+	[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
-+}
-+
- # define a minimum PATH environment in case it is not set
- PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
- export PATH
-@@ -232,12 +255,12 @@
+diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
+--- strongswan-5.9.3.org/src/_updown/_updown.in	2020-12-09 19:01:30.000000000 +0100
++++ strongswan-5.9.3/src/_updown/_updown.in	2021-10-18 14:51:34.446203334 +0200
+@@ -242,12 +242,15 @@
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -39,14 +10,17 @@
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
 +	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
++	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
  	#
  	# allow IPIP traffic because of the implicit SA created by the kernel if
  	# IPComp is used (for small inbound packets that are not compressed)
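Review bot: The new `-I IPSECINPUT 1 ... -j CONNMARK` rule only marks anything because it is issued after the ACCEPT rule whose `-d $PLUTO_ME ... -j ACCEPT` tail is at the top of the hunk (its `iptables -I` line lies above the hunk), so it lands ahead of that terminating target; nothing in the code states this, and swapping the two statements would silently stop inbound marking. The same unstated order dependency is in `@@ -88,20 +65,23 @@` and `@@ -114,14 +94,17 @@`, where the CONNMARK inserts follow the `-j RETURN` insert. I would put `# keep this after the ACCEPT/RETURN insert: "-I ... 1" makes it the first rule, so the mark is set before the terminating target` above each CONNMARK insert. The literal `0x00800000/0x00800000` is now repeated in every hunk of this file; defining it once near the PATH setup at the top of _updown.in (e.g. `IPSEC_CONNMARK=0x00800000/0x00800000` and `-j CONNMARK --set-xmark $IPSEC_CONNMARK`) would keep the up and down rules in lockstep and make the bit easy to check against other connmark users on the system, which this commit does not show. The up-host case arm starts and ends outside the hunk.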
-@@ -253,10 +276,10 @@
+@@ -263,10 +266,10 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
@@ -59,11 +33,14 @@
  	  fi
  	fi
  	;;
-@@ -264,12 +287,12 @@
+@@ -274,12 +277,15 @@
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
 -	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
 +	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -71,11 +48,11 @@
 +	iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
-+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000
++	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
  	#
  	# IPIP exception teardown
  	if [ -n "$PLUTO_IPCOMP" ]
-@@ -284,10 +307,10 @@
+@@ -294,10 +300,10 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
@@ -88,20 +65,23 @@
  	  fi
  	fi
  	;;
-@@ -297,24 +320,24 @@
+@@ -307,24 +313,30 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  	then
 -	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	  iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 +	  iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 -	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
 +	  iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 -	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
++	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
  	fi
  	#
  	# a virtual IP requires an INPUT and OUTPUT rule on the host
@@ -114,14 +94,17 @@
 -	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
 +	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
++	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
 +	  iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
-+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
  	fi
  	#
  	# allow IPIP traffic because of the implicit SA created by the kernel if
-@@ -322,7 +345,7 @@
+@@ -332,7 +344,7 @@
  	# INPUT is correct here even for forwarded traffic.
  	if [ -n "$PLUTO_IPCOMP" ]
  	then
@@ -130,7 +113,7 @@
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -332,12 +355,51 @@
+@@ -342,12 +354,29 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
@@ -159,32 +142,10 @@
 +	    logger -t $TAG -p $FAC_PRIO \
 +	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
 +	fi
-+
-+	# Add source nat so also the gateway can access the other nets
-+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-+		if [ $? -eq 0 ]; then
-+			src=${_src}
-+			break
-+		fi
-+	done
-+
-+	if [ -n "${src}" ]; then
-+		iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-+		logger -t $TAG -p $FAC_PRIO \
-+			"snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-+	else
-+		logger -t $TAG -p $FAC_PRIO \
-+			"Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
-+	fi
-+
-+	# Flush routing cache
-+	ip route flush cache
  	;;
  down-client:iptables)
  	# connection to client subnet, with (left/right)firewall=yes, going down
-@@ -345,34 +407,34 @@
+@@ -355,34 +384,42 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  	then
@@ -194,11 +155,15 @@
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 -	         $IPSEC_POLICY_OUT -j ACCEPT
 -	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-+	         $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++	         $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
 +	  iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 -	         $IPSEC_POLICY_IN -j ACCEPT
++	         $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
++	  iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 +	         $IPSEC_POLICY_IN -j RETURN
  	fi
  	#
@@ -212,12 +177,16 @@
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 -	         $IPSEC_POLICY_IN -j ACCEPT
 -	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	         $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
++	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
 +	         $IPSEC_POLICY_IN -j RETURN
 +	  iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
 -	         $IPSEC_POLICY_OUT -j ACCEPT
-+	         $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000
++	         $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
  	fi
  	#
  	# IPIP exception teardown
@@ -228,7 +197,7 @@
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -382,12 +444,51 @@
+@@ -392,12 +429,29 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
@@ -257,32 +226,10 @@
 +	    logger -t $TAG -p $FAC_PRIO \
 +	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
 +	fi
-+
-+	# remove source nat
-+	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-+	for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
-+		ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
-+		if [ $? -eq 0 ]; then
-+			src=${_src}
-+			break
-+		fi
-+	done
-+
-+	if [ -n "${src}" ]; then
-+		iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
-+		logger -t $TAG -p $FAC_PRIO \
-+			"snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
-+	else
-+		logger -t $TAG -p $FAC_PRIO \
-+			"Cannot remove NAT rule because no IP of the IPFire does match the subnet."
-+	fi
-+
-+	# Flush routing cache
-+	ip route flush cache
  	;;
  #
  # IPv6
-@@ -412,10 +513,10 @@
+@@ -422,10 +476,10 @@
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -295,7 +242,7 @@
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -436,10 +537,10 @@
+@@ -454,10 +508,10 @@
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -308,7 +255,7 @@
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -462,10 +563,10 @@
+@@ -487,10 +541,10 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -321,7 +268,7 @@
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  	fi
-@@ -474,10 +575,10 @@
+@@ -499,10 +553,10 @@
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
@@ -334,7 +281,7 @@
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  	fi
-@@ -501,11 +602,11 @@
+@@ -535,11 +589,11 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -348,7 +295,7 @@
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
  	         $IPSEC_POLICY_IN -j ACCEPT
-@@ -515,11 +616,11 @@
+@@ -549,11 +603,11 @@
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then


hooks/post-receive
--
IPFire 2.x development tree

