public inbox for ipfire-scm@lists.ipfire.org
From: "Peter Müller" <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 28f659f75cfbbf21cd0fb8dd55b41af4203a0ecc
Date: Tue, 22 Mar 2022 13:42:27 +0000	[thread overview]
Message-ID: <4KNCN41RhZz2xPC@people01.haj.ipfire.org> (raw)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  28f659f75cfbbf21cd0fb8dd55b41af4203a0ecc (commit)
      from  2188812cb0747d16415f7f2d307ea93a45d8ce78 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 28f659f75cfbbf21cd0fb8dd55b41af4203a0ecc
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 22 10:42:51 2022 +0000

    strongswan: Remove redundant iptables rules
    
    We used to create some iptables rules that permitted traffic to the
    firewall from IPsec peers. This however doesn't work due to changes in
    iana-etc and it looks like those rules are entirely obsolete now.
    
    This patch removes them which should not cause any functional changes.
    
    Fixes: #12808
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Acked-by: Peter Müller <peter.mueller(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 src/patches/strongswan-ipfire.patch | 93 +++++++++++++------------------------
 1 file changed, 32 insertions(+), 61 deletions(-)

Difference in files:
diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 0f137ca2a..0f2be7483 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -1,7 +1,16 @@
-diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
---- strongswan-5.9.3.org/src/_updown/_updown.in	2020-12-09 19:01:30.000000000 +0100
-+++ strongswan-5.9.3/src/_updown/_updown.in	2021-10-25 17:30:15.669773781 +0200
-@@ -242,12 +242,9 @@
+commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027
+Author: Michael Tremer <michael.tremer(a)ipfire.org>
+Date:   Mon Mar 21 19:49:02 2022 +0000
+
+    IPFire modifications to _updown script
+    
+    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
+
+diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
+index 34eaf68c7..514ecb578 100644
+--- a/src/_updown/_updown.in
++++ b/src/_updown/_updown.in
+@@ -242,10 +242,10 @@ up-host:iptables)
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
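Review bot: the new header loses the one piece of provenance the old one had and replaces it with one that cannot be resolved: the `diff -Naur strongswan-5.9.3.org/...` paths told the reader which strongSwan release the patch was generated against, whereas `commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027` is a local id that does not exist in this repository, and the description `IPFire modifications to _updown script` says nothing about what is modified. Suggest naming the strongSwan version in that description and summarising the modifications (INPUT/OUTPUT rules moved to IPSECINPUT/IPSECOUTPUT, `--wait` added) so the patch file documents itself the next time strongSwan is bumped.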
@@ -10,12 +19,11 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
--	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
--	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++	iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
- 	# allow IPIP traffic because of the implicit SA created by the kernel if
- 	# IPComp is used (for small inbound packets that are not compressed)
-@@ -263,10 +260,10 @@
+@@ -263,10 +263,10 @@ up-host:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
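Review bot: this hunk is a functional change in the `up-host` case, which the commit message says there should be none of. The previous version of the patch deleted strongSwan's `iptables -I OUTPUT 1 ...` rule outright (the two removed `--	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \` and `--	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT` lines, and an inner hunk that shrank from 12 to 9 lines); the new version keeps those two lines as context and adds `iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \` in front of them, so host-to-host connections with `leftfirewall=yes`/`rightfirewall=yes` now get an ACCEPT rule in IPSECOUTPUT that they did not get before. Either say so in the commit message or drop the line if the old behaviour was deliberate, and confirm that an IPSECOUTPUT chain exists in IPFire's ruleset, because `iptables -I` into a missing chain makes the updown script fail while the tunnel is being brought up. The `--wait` is a good addition, since the script runs concurrently with whatever else is holding the xtables lock.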
@@ -28,7 +36,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	  fi
  	fi
  	;;
-@@ -274,12 +271,9 @@
+@@ -274,10 +274,10 @@ down-host:iptables)
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -37,12 +45,11 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
--	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
--	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++	iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
- 	# IPIP exception teardown
- 	if [ -n "$PLUTO_IPCOMP" ]
-@@ -294,10 +288,10 @@
+@@ -294,10 +294,10 @@ down-host:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
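Review bot: the `down-host` teardown correctly mirrors the `up-host` insert (`iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \` with the same `-s`/`-d` continuation lines), but note that `-D` matches by rule specification, so the two hunks must stay byte-for-byte in sync: if the insert and the delete ever diverge, the delete fails and the ACCEPT rule stays in IPSECOUTPUT after the connection is gone. A one-line comment in the patch description pointing at the pairing would make that harder to miss on the next rebase.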
@@ -55,7 +62,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	  fi
  	fi
  	;;
-@@ -305,34 +299,16 @@
+@@ -305,34 +305,16 @@ up-client:iptables)
  	# connection to client subnet, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -91,7 +98,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -342,47 +318,42 @@
+@@ -342,10 +324,10 @@ up-client:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
@@ -103,25 +110,8 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 +	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
  	  fi
  	fi
-+
-+	#
-+	# Open Firewall for IPinIP + AH + ESP Traffic
-+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP \
-+	      -s $PLUTO_PEER $S_PEER_PORT \
-+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
-+	      -s $PLUTO_PEER $S_PEER_PORT \
-+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
-+	      -s $PLUTO_PEER $S_PEER_PORT \
-+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	if [ $VPN_LOGGING ]
-+	then
-+	    logger -t $TAG -p $FAC_PRIO \
-+	      "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
-+	fi
  	;;
- down-client:iptables)
+@@ -353,36 +335,14 @@ down-client:iptables)
  	# connection to client subnet, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
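Review bot: removing this block is right, but "redundant" understates what the `-p IP` rule did. `-p IP` is resolved through /etc/protocols; in the classic netbase table `ip` is protocol number 0, and iptables(8) documents protocol 0 as equivalent to `all`, so `iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IP -s $PLUTO_PEER ... -d $PLUTO_ME ... -j ACCEPT` accepted every protocol from the peer to the firewall, not just IP-in-IP (which is protocol 4, `ipencap`). With a protocols file generated from the IANA registry there is no `ip` entry at all and the insert fails with an unknown-protocol error, which is presumably the iana-etc breakage the commit message alludes to. Also, `$S_PEER_PORT`/`$D_MY_PORT` appended to `-p AH` and `-p ESP` would be rejected by iptables whenever they expand to `--sport`/`--dport`, as those matches only exist for the port-carrying protocols. Worth spelling out in the commit message: on systems where the name still resolved, these rules were broader than the `-p $PLUTO_PEER_PROTOCOL` rules next to them.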
@@ -159,7 +149,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -392,12 +363,29 @@
+@@ -392,10 +352,10 @@ down-client:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
@@ -171,27 +161,8 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
 +	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
  	  fi
  	fi
-+
-+	#
-+	# Close Firewall for IPinIP + AH + ESP Traffic
-+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IP \
-+	      -s $PLUTO_PEER $S_PEER_PORT \
-+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
-+	      -s $PLUTO_PEER $S_PEER_PORT \
-+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	  iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
-+	      -s $PLUTO_PEER $S_PEER_PORT \
-+	      -d $PLUTO_ME $D_MY_PORT -j ACCEPT
-+	if [ $VPN_LOGGING ]
-+	then
-+	    logger -t $TAG -p $FAC_PRIO \
-+	      "tunnel- $PLUTO_PEER -- $PLUTO_ME"
-+	fi
  	;;
- #
- # IPv6
-@@ -422,10 +410,10 @@
+@@ -422,10 +382,10 @@ up-host-v6:iptables)
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
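Review bot: with the `-D IPSECINPUT` teardown gone, rules that the previous version of the script inserted on an already-running system are no longer removed when the connection goes down; they stay at the top of IPSECINPUT until the chain is flushed. The update that ships this change should therefore flush IPSECINPUT (or restart IPsec) rather than rely on the next `down-client` event. The `tunnel+`/`tunnel-` logger lines disappear with the same hunk, so anyone keying monitoring on those messages should be told in the commit message.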
@@ -204,7 +175,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -454,10 +442,10 @@
+@@ -454,10 +414,10 @@ down-host-v6:iptables)
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -217,7 +188,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -487,10 +475,10 @@
+@@ -487,10 +447,10 @@ up-client-v6:iptables)
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -230,7 +201,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  	fi
-@@ -499,10 +487,10 @@
+@@ -499,10 +459,10 @@ up-client-v6:iptables)
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
@@ -243,7 +214,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  	fi
-@@ -535,11 +523,11 @@
+@@ -535,11 +495,11 @@ down-client-v6:iptables)
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -257,7 +228,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
  	         $IPSEC_POLICY_IN -j ACCEPT
-@@ -549,11 +537,11 @@
+@@ -549,11 +509,11 @@ down-client-v6:iptables)
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then


hooks/post-receive
--
IPFire 2.x development tree
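The rules dropped from the up-client/down-client sections above matched `-p IP`, `-p AH` and `-p ESP`. As an added example, not IPFire or strongSwan code, the POSIX shell script below resolves a `-p` argument approximately the way libxtables does (a plain number is taken as-is, `all` is 0, otherwise the name or an alias is looked up in the protocols table, with a small built-in fallback) and reports what the rule will actually match. It runs the three names against two constructed excerpts of /etc/protocols: a classic netbase-style one in which `ip` is protocol 0, and an IANA-registry-derived one that has no `ip` entry. The table contents, the function names and the built-in fallback subset are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IPFire or strongSwan code. Resolves the -p argument of
# an iptables rule approximately the way libxtables does (a number is taken
# as-is, "all" is 0, otherwise the name or an alias is looked up in the
# protocols table, with a small built-in fallback) and reports what the rule
# will actually match. Both tables are constructed excerpts for this demo.

# Classic netbase-style /etc/protocols excerpt (constructed): "ip" is 0.
CLASSIC_PROTOCOLS='ip      0  IP        # internet protocol, pseudo protocol number
icmp    1  ICMP      # internet control message protocol
ipencap 4  IP-ENCAP  # IP encapsulated in IP
tcp     6  TCP
udp    17  UDP
esp    50  IPSEC-ESP
ah     51  IPSEC-AH'

# IANA-registry-derived excerpt (constructed): 0 is HOPOPT, no "ip" entry.
IANA_PROTOCOLS='hopopt  0  HOPOPT   # IPv6 Hop-by-Hop Option
icmp    1  ICMP
ipv4    4  IPv4     # IPv4 encapsulation
tcp     6  TCP
udp    17  UDP
esp    50  ESP
ah     51  AH'

# resolve_proto NAME TABLE: print the protocol number for NAME, or return 1
# when it is unknown. Comparison is case-insensitive, comments are ignored,
# and the alias columns (3rd field onwards) count as well as the name.
resolve_proto() {
    case $1 in
        ''|*[!0-9]*) ;;                 # not a plain number, keep resolving
        *) echo "$1"; return 0 ;;
    esac
    _lname=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ "$_lname" = all ] && { echo 0; return 0; }
    _num=$(printf '%s\n' "$2" | awk -v want="$_lname" '
        { sub(/#.*/, "") }              # strip trailing comments
        NF >= 2 {
            for (i = 1; i <= NF; i++)
                if (i != 2 && tolower($i) == want) { print $2; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }') && { echo "$_num"; return 0; }
    # Built-in fallback names libxtables knows without /etc/protocols
    # (subset; an assumption of this example).
    case $_lname in
        tcp) echo 6 ;; udp) echo 17 ;; icmp) echo 1 ;;
        esp) echo 50 ;; ah) echo 51 ;;
        *) return 1 ;;
    esac
}

# describe_rule PROTO TABLE: say what "-p PROTO" matches under TABLE.
# Protocol 0 is documented by iptables(8) as equivalent to "all".
describe_rule() {
    _p=$(resolve_proto "$1" "$2") || { echo "error: unknown protocol \"$1\""; return 1; }
    if [ "$_p" -eq 0 ]; then
        echo "matches ALL protocols (protocol 0 is equivalent to all)"
    else
        echo "matches protocol $_p only"
    fi
}

# Run the three protocol names from the removed IPSECINPUT rules against both tables.
for p in IP AH ESP; do
    echo "classic table: -p $p  -> $(describe_rule "$p" "$CLASSIC_PROTOCOLS")"
    echo "IANA table:    -p $p  -> $(describe_rule "$p" "$IANA_PROTOCOLS")"
done
```

Under the classic table the rule commented as "IPinIP" resolves to protocol 0 and therefore accepts every protocol from the peer; under the IANA-style table the same rule cannot be loaded at all. IP-in-IP itself is protocol 4 (`ipencap` in the classic table, `ipv4` in the IANA one), which neither version of the rule ever named.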
