
1.1     ! misho       1: #!/bin/sh
        !             2: # default updown script
        !             3: #
        !             4: # Copyright (C) 2003-2004 Nigel Meteringham
        !             5: # Copyright (C) 2003-2004 Tuomo Soini
        !             6: # Copyright (C) 2002-2004 Michael Richardson
        !             7: # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
        !             8: #
        !             9: # This program is free software; you can redistribute it and/or modify it
        !            10: # under the terms of the GNU General Public License as published by the
        !            11: # Free Software Foundation; either version 2 of the License, or (at your
        !            12: # option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
        !            13: #
        !            14: # This program is distributed in the hope that it will be useful, but
        !            15: # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
        !            16: # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
        !            17: # for more details.
        !            18: 
        !            19: # CAUTION:  Installing a new version of strongSwan will install a new
        !            20: # copy of this script, wiping out any custom changes you make.  If
        !            21: # you need changes, make a copy of this under another name, and customize
        !            22: # that, and use the (left/right)updown parameters in ipsec.conf to make
        !            23: # strongSwan use yours instead of this default one.
        !            24: 
        !            25: #      PLUTO_VERSION
        !            26: #              indicates  what  version of this interface is being
        !            27: #              used.  This document describes version  1.1.   This
        !            28: #              is upwardly compatible with version 1.0.
        !            29: #
        !            30: #       PLUTO_VERB
        !            31: #              specifies the name of the operation to be performed
        !            32: #              (prepare-host, prepare-client, up-host, up-client,
        !            33: #              down-host, or down-client).  If the address family
        !            34: #              for security gateway to security gateway communica-
        !            35: #              tions is IPv6, then a suffix of -v6 is added to the
        !            36: #              verb.
        !            37: #
        !            38: #       PLUTO_CONNECTION
        !            39: #              is the name of the  connection  for  which  we  are
        !            40: #              routing.
        !            41: #
        !            42: #       PLUTO_INTERFACE
        !            43: #              is the name of the ipsec interface to be used.
        !            44: #
        !            45: #       PLUTO_REQID
        !            46: #              is the reqid of the AH|ESP policy
        !            47: #
        !            48: #       PLUTO_PROTO
        !            49: #              is the negotiated IPsec protocol, ah|esp
        !            50: #
        !            51: #       PLUTO_IPCOMP
        !            52: #              is not empty if IPComp was negotiated
        !            53: #
        !            54: #       PLUTO_UNIQUEID
        !            55: #              is the unique identifier of the associated IKE_SA
        !            56: #
        !            57: #       PLUTO_ME
        !            58: #              is the IP address of our host.
        !            59: #
        !            60: #       PLUTO_MY_ID
        !            61: #              is the ID of our host.
        !            62: #
        !            63: #       PLUTO_MY_CLIENT
        !            64: #              is the IP address / count of our client subnet.  If
        !            65: #              the  client  is  just  the  host,  this will be the
        !            66: #              host's own IP address / max (where max  is  32  for
        !            67: #              IPv4 and 128 for IPv6).
        !            68: #
        !            69: #       PLUTO_MY_SOURCEIP
        !            70: #       PLUTO_MY_SOURCEIP4_$i
        !            71: #       PLUTO_MY_SOURCEIP6_$i
        !            72: #              contains IPv4/IPv6 virtual IP received from a responder,
        !            73: #              $i enumerates from 1 to the number of IP per address family.
        !            74: #              PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
        !            75: #              virtual IP, IPv4 or IPv6.
        !            76: #
        !            77: #       PLUTO_MY_PROTOCOL
        !            78: #              is the IP protocol that will be transported.
        !            79: #
        !            80: #       PLUTO_MY_PORT
        !            81: #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
        !            82: #              restricted on our side.  For ICMP/ICMPv6 this contains the
        !            83: #              message type, and PLUTO_PEER_PORT the message code.
        !            84: #
        !            85: #       PLUTO_PEER
        !            86: #              is the IP address of our peer.
        !            87: #
        !            88: #       PLUTO_PEER_ID
        !            89: #              is the ID of our peer.
        !            90: #
        !            91: #       PLUTO_PEER_CLIENT
        !            92: #              is the IP address / count of the peer's client sub-
        !            93: #              net.   If the client is just the peer, this will be
        !            94: #              the peer's own IP address / max (where  max  is  32
        !            95: #              for IPv4 and 128 for IPv6).
        !            96: #
        !            97: #       PLUTO_PEER_SOURCEIP
        !            98: #       PLUTO_PEER_SOURCEIP4_$i
        !            99: #       PLUTO_PEER_SOURCEIP6_$i
        !           100: #              contains IPv4/IPv6 virtual IP sent to an initiator,
        !           101: #              $i enumerates from 1 to the number of IP per address family.
        !           102: #              PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
        !           103: #              virtual IP, IPv4 or IPv6.
        !           104: #
        !           105: #       PLUTO_PEER_PROTOCOL
        !           106: #              is the IP protocol that will be transported.
        !           107: #
        !           108: #       PLUTO_PEER_PORT
        !           109: #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
        !           110: #              restricted on the peer side.  For ICMP/ICMPv6 this contains the
        !           111: #              message code, and PLUTO_MY_PORT the message type.
        !           112: #
        !           113: #       PLUTO_XAUTH_ID
        !           114: #              is an optional user ID employed by the XAUTH protocol
        !           115: #
        !           116: #       PLUTO_MARK_IN
        !           117: #              is an optional XFRM mark set on the inbound IPsec SA
        !           118: #
        !           119: #       PLUTO_MARK_OUT
        !           120: #              is an optional XFRM mark set on the outbound IPsec SA
        !           121: #
        !           122: #       PLUTO_IF_ID_IN
        !           123: #              is an optional XFRM interface ID set on the inbound IPsec SA
        !           124: #
        !           125: #       PLUTO_IF_ID_OUT
        !           126: #              is an optional XFRM interface ID set on the outbound IPsec SA
        !           127: #
        !           128: #       PLUTO_UDP_ENC
        !           129: #              contains the remote UDP port in the case of ESP_IN_UDP
        !           130: #              encapsulation
        !           131: #
        !           132: #       PLUTO_DNS4_$i
        !           133: #       PLUTO_DNS6_$i
        !           134: #              contains IPv4/IPv6 DNS server attribute received from a
        !           135: #              responder, $i enumerates from 1 to the number of servers per
        !           136: #              address family.
        !           137: #
        !           138: 
        !           139: # define a minimum PATH environment in case it is not set
        !           140: PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
        !           141: export PATH
        !           142: 
        !           143: # comment to disable logging VPN connections to syslog
        !           144: VPN_LOGGING=1
        !           145: #
        !           146: # tag put in front of each log entry:
        !           147: TAG=vpn
        !           148: #
        !           149: # syslog facility and priority used:
        !           150: FAC_PRIO=local0.notice
        !           151: #
        !           152: # to create a special vpn logging file, put the following line into
        !           153: # the syslog configuration file /etc/syslog.conf:
        !           154: #
        !           155: # local0.notice                   -/var/log/vpn
        !           156: 
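# Check the updown interface version the daemon speaks (PLUTO_VERSION, see
# above).  1.0 and 1.1 are refused as obsolete, any other 1.x is accepted,
# anything else is refused as unknown; both refusals exit with status 2.
case "$PLUTO_VERSION" in
1.[01])
	# Older release?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0:       called by obsolete release?" >&2
	exit 2
	;;
1.*)
	;;
*)
	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac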
        !           169: 
# Validate this script's own arguments.  Exactly three call shapes pass:
# no arguments, the single argument "iptables" (what the daemon passes for
# (left/right)firewall=yes; only meaningful for this default script), or
# "custom" followed by anything (for customized copies, see CAUTION above).
# Everything else is refused with exit status 2.
case "$1:$*" in
':')
	# no parameters
	;;
iptables:iptables)
	# due to (left/right)firewall; for default script only
	;;
custom:*)
	# custom parameters (see above CAUTION comment)
	;;
*)
	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac
        !           182: 
        !           183: IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
        !           184: IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
        !           185: IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
        !           186: 
# Pick the iptables option used to match "ports" for ICMP-like protocols.
# For ICMP (1) and ICMPv6 (58) the port fields carry the message type/code,
# which iptables matches with --icmp-type / --icmpv6-type rather than
# --sport/--dport.  For any other protocol ICMP_TYPE_OPTION is left as is.
if [ "$PLUTO_MY_PROTOCOL" = 1 ]
then
	ICMP_TYPE_OPTION="--icmp-type"
elif [ "$PLUTO_MY_PROTOCOL" = 58 ]
then
	ICMP_TYPE_OPTION="--icmpv6-type"
fi
        !           198: 
        !           199: # are there port numbers?
        !           200: if [ "$PLUTO_MY_PORT" != 0 ]
        !           201: then
        !           202:        if [ -n "$ICMP_TYPE_OPTION" ]
        !           203:        then
        !           204:                S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
        !           205:                D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
        !           206:        else
        !           207:                S_MY_PORT="--sport $PLUTO_MY_PORT"
        !           208:                D_MY_PORT="--dport $PLUTO_MY_PORT"
        !           209:        fi
        !           210: fi
        !           211: if [ "$PLUTO_PEER_PORT" != 0 ]
        !           212: then
        !           213:        if [ -n "$ICMP_TYPE_OPTION" ]
        !           214:        then
        !           215:                # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
        !           216:                S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
        !           217:                D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
        !           218:        else
        !           219:                S_PEER_PORT="--sport $PLUTO_PEER_PORT"
        !           220:                D_PEER_PORT="--dport $PLUTO_PEER_PORT"
        !           221:        fi
        !           222: fi
        !           223: 
        !           224: case "$PLUTO_VERB:$1" in
        !           225: up-host:)
        !           226:        # connection to me coming up
        !           227:        # If you are doing a custom version, firewall commands go here.
        !           228:        ;;
        !           229: down-host:)
        !           230:        # connection to me going down
        !           231:        # If you are doing a custom version, firewall commands go here.
        !           232:        ;;
        !           233: up-client:)
        !           234:        # connection to my client subnet coming up
        !           235:        # If you are doing a custom version, firewall commands go here.
        !           236:        ;;
        !           237: down-client:)
        !           238:        # connection to my client subnet going down
        !           239:        # If you are doing a custom version, firewall commands go here.
        !           240:        ;;
        !           241: up-host:iptables)
        !           242:        # connection to me, with (left/right)firewall=yes, coming up
        !           243:        # This is used only by the default updown script, not by your custom
        !           244:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           245:        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           246:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           247:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           248:        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           249:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        !           250:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        !           251:        #
        !           252:        # allow IPIP traffic because of the implicit SA created by the kernel if
        !           253:        # IPComp is used (for small inbound packets that are not compressed)
        !           254:        if [ -n "$PLUTO_IPCOMP" ]
        !           255:        then
        !           256:          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
        !           257:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           258:        fi
        !           259:        #
        !           260:        # log IPsec host connection setup
        !           261:        if [ $VPN_LOGGING ]
        !           262:        then
        !           263:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        !           264:          then
        !           265:            logger -t $TAG -p $FAC_PRIO \
        !           266:              "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        !           267:          else
        !           268:            logger -t $TAG -p $FAC_PRIO \
        !           269:              "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        !           270:          fi
        !           271:        fi
        !           272:        ;;
        !           273: down-host:iptables)
        !           274:        # connection to me, with (left/right)firewall=yes, going down
        !           275:        # This is used only by the default updown script, not by your custom
        !           276:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           277:        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           278:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           279:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           280:        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           281:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        !           282:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        !           283:        #
        !           284:        # IPIP exception teardown
        !           285:        if [ -n "$PLUTO_IPCOMP" ]
        !           286:        then
        !           287:          iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
        !           288:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           289:        fi
        !           290:        #
        !           291:        # log IPsec host connection teardown
        !           292:        if [ $VPN_LOGGING ]
        !           293:        then
        !           294:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        !           295:          then
        !           296:            logger -t $TAG -p $FAC_PRIO -- \
        !           297:              "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        !           298:          else
        !           299:            logger -t $TAG -p $FAC_PRIO -- \
        !           300:            "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        !           301:          fi
        !           302:        fi
        !           303:        ;;
        !           304: up-client:iptables)
        !           305:        # connection to client subnet, with (left/right)firewall=yes, coming up
        !           306:        # This is used only by the default updown script, not by your custom
        !           307:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           308:        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
        !           309:        then
        !           310:          iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           311:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           312:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
        !           313:          iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           314:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           315:              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           316:        fi
        !           317:        #
        !           318:        # a virtual IP requires an INPUT and OUTPUT rule on the host
        !           319:        # or sometimes host access via the internal IP is needed
        !           320:        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
        !           321:        then
        !           322:          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           323:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           324:              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           325:          iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           326:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           327:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
        !           328:        fi
        !           329:        #
        !           330:        # allow IPIP traffic because of the implicit SA created by the kernel if
        !           331:        # IPComp is used (for small inbound packets that are not compressed).
        !           332:        # INPUT is correct here even for forwarded traffic.
        !           333:        if [ -n "$PLUTO_IPCOMP" ]
        !           334:        then
        !           335:          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
        !           336:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           337:        fi
        !           338:        #
        !           339:        # log IPsec client connection setup
        !           340:        if [ $VPN_LOGGING ]
        !           341:        then
        !           342:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        !           343:          then
        !           344:            logger -t $TAG -p $FAC_PRIO \
        !           345:              "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           346:          else
        !           347:            logger -t $TAG -p $FAC_PRIO \
        !           348:              "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           349:          fi
        !           350:        fi
        !           351:        ;;
        !           352: down-client:iptables)
        !           353:        # connection to client subnet, with (left/right)firewall=yes, going down
        !           354:        # This is used only by the default updown script, not by your custom
        !           355:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           356:        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
        !           357:        then
        !           358:          iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           359:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           360:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
        !           361:                 $IPSEC_POLICY_OUT -j ACCEPT
        !           362:          iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           363:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           364:              -d $PLUTO_MY_CLIENT $D_MY_PORT \
        !           365:                 $IPSEC_POLICY_IN -j ACCEPT
        !           366:        fi
        !           367:        #
        !           368:        # a virtual IP requires an INPUT and OUTPUT rule on the host
        !           369:        # or sometimes host access via the internal IP is needed
        !           370:        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
        !           371:        then
        !           372:          iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           373:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           374:              -d $PLUTO_MY_CLIENT $D_MY_PORT \
        !           375:                 $IPSEC_POLICY_IN -j ACCEPT
        !           376:          iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           377:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           378:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
        !           379:                 $IPSEC_POLICY_OUT -j ACCEPT
        !           380:        fi
        !           381:        #
        !           382:        # IPIP exception teardown
        !           383:        if [ -n "$PLUTO_IPCOMP" ]
        !           384:        then
        !           385:          iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
        !           386:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           387:        fi
        !           388:        #
        !           389:        # log IPsec client connection teardown
        !           390:        if [ $VPN_LOGGING ]
        !           391:        then
        !           392:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
        !           393:          then
        !           394:            logger -t $TAG -p $FAC_PRIO -- \
        !           395:              "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           396:          else
        !           397:            logger -t $TAG -p $FAC_PRIO -- \
        !           398:              "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           399:          fi
        !           400:        fi
        !           401:        ;;
        !           402: #
        !           403: # IPv6
        !           404: #
        !           405: up-host-v6:)
        !           406:        # connection to me coming up
        !           407:        # If you are doing a custom version, firewall commands go here.
        !           408:        ;;
        !           409: down-host-v6:)
        !           410:        # connection to me going down
        !           411:        # If you are doing a custom version, firewall commands go here.
        !           412:        ;;
        !           413: up-client-v6:)
        !           414:        # connection to my client subnet coming up
        !           415:        # If you are doing a custom version, firewall commands go here.
        !           416:        ;;
        !           417: down-client-v6:)
        !           418:        # connection to my client subnet going down
        !           419:        # If you are doing a custom version, firewall commands go here.
        !           420:        ;;
        !           421: up-host-v6:iptables)
        !           422:        # connection to me, with (left/right)firewall=yes, coming up
        !           423:        # This is used only by the default updown script, not by your custom
        !           424:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           425:        ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           426:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           427:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           428:        ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           429:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        !           430:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        !           431:        #
        !           432:        # allow IP6IP6 traffic because of the implicit SA created by the kernel if
        !           433:        # IPComp is used (for small inbound packets that are not compressed)
        !           434:        if [ -n "$PLUTO_IPCOMP" ]
        !           435:        then
        !           436:          ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
        !           437:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           438:        fi
        !           439:        #
        !           440:        # log IPsec host connection setup
        !           441:        if [ $VPN_LOGGING ]
        !           442:        then
        !           443:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        !           444:          then
        !           445:            logger -t $TAG -p $FAC_PRIO \
        !           446:              "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        !           447:          else
        !           448:            logger -t $TAG -p $FAC_PRIO \
        !           449:              "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        !           450:          fi
        !           451:        fi
        !           452:        ;;
        !           453: down-host-v6:iptables)
        !           454:        # connection to me, with (left/right)firewall=yes, going down
        !           455:        # This is used only by the default updown script, not by your custom
        !           456:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           457:        ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           458:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           459:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           460:        ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           461:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
        !           462:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
        !           463:        #
        !           464:        # IP6IP6 exception teardown
        !           465:        if [ -n "$PLUTO_IPCOMP" ]
        !           466:        then
        !           467:          ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
        !           468:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           469:        fi
        !           470:        #
        !           471:        # log IPsec host connection teardown
        !           472:        if [ $VPN_LOGGING ]
        !           473:        then
        !           474:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        !           475:          then
        !           476:            logger -t $TAG -p $FAC_PRIO -- \
        !           477:              "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
        !           478:          else
        !           479:            logger -t $TAG -p $FAC_PRIO -- \
        !           480:            "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
        !           481:          fi
        !           482:        fi
        !           483:        ;;
        !           484: up-client-v6:iptables)
        !           485:        # connection to client subnet, with (left/right)firewall=yes, coming up
        !           486:        # This is used only by the default updown script, not by your custom
        !           487:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           488:        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
        !           489:        then
        !           490:          ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           491:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           492:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
        !           493:          ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           494:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           495:              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           496:        fi
        !           497:        #
        !           498:        # a virtual IP requires an INPUT and OUTPUT rule on the host
        !           499:        # or sometimes host access via the internal IP is needed
        !           500:        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
        !           501:        then
        !           502:          ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           503:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           504:              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
        !           505:          ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           506:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           507:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
        !           508:        fi
        !           509:        #
        !           510:        # allow IP6IP6 traffic because of the implicit SA created by the kernel if
        !           511:        # IPComp is used (for small inbound packets that are not compressed).
        !           512:        # INPUT is correct here even for forwarded traffic.
        !           513:        if [ -n "$PLUTO_IPCOMP" ]
        !           514:        then
        !           515:          ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
        !           516:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           517:        fi
        !           518:        #
        !           519:        # log IPsec client connection setup
        !           520:        if [ $VPN_LOGGING ]
        !           521:        then
        !           522:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        !           523:          then
        !           524:            logger -t $TAG -p $FAC_PRIO \
        !           525:              "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           526:          else
        !           527:            logger -t $TAG -p $FAC_PRIO \
        !           528:              "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           529:          fi
        !           530:        fi
        !           531:        ;;
        !           532: down-client-v6:iptables)
        !           533:        # connection to client subnet, with (left/right)firewall=yes, going down
        !           534:        # This is used only by the default updown script, not by your custom
        !           535:        # ones, so do not mess with it; see CAUTION comment up at top.
        !           536:        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
        !           537:        then
        !           538:          ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           539:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           540:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
        !           541:                 $IPSEC_POLICY_OUT -j ACCEPT
        !           542:          ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           543:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           544:              -d $PLUTO_MY_CLIENT $D_MY_PORT \
        !           545:                 $IPSEC_POLICY_IN -j ACCEPT
        !           546:        fi
        !           547:        #
        !           548:        # a virtual IP requires an INPUT and OUTPUT rule on the host
        !           549:        # or sometimes host access via the internal IP is needed
        !           550:        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
        !           551:        then
        !           552:          ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
        !           553:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
        !           554:              -d $PLUTO_MY_CLIENT $D_MY_PORT \
        !           555:                 $IPSEC_POLICY_IN -j ACCEPT
        !           556:          ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
        !           557:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
        !           558:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
        !           559:                 $IPSEC_POLICY_OUT -j ACCEPT
        !           560:        fi
        !           561:        #
        !           562:        # IP6IP6 exception teardown
        !           563:        if [ -n "$PLUTO_IPCOMP" ]
        !           564:        then
        !           565:          ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
        !           566:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
        !           567:        fi
        !           568:        #
        !           569:        # log IPsec client connection teardown
        !           570:        if [ $VPN_LOGGING ]
        !           571:        then
        !           572:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
        !           573:          then
        !           574:            logger -t $TAG -p $FAC_PRIO -- \
        !           575:              "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           576:          else
        !           577:            logger -t $TAG -p $FAC_PRIO -- \
        !           578:              "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
        !           579:          fi
        !           580:        fi
        !           581:        ;;
        !           582: *)     echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        !           583:        exit 1
        !           584:        ;;
        !           585: esac
