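#!/bin/sh
# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
# Copyright (C) 2002-2004 Michael Richardson
# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.

# CAUTION: Installing a new version of strongSwan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.

# What this script does
#
# The IKE daemon runs it once per CHILD_SA event, with the event described
# entirely through the PLUTO_* environment variables listed below and with
# an optional single argument.  Called with no argument it is a hook for
# site-specific commands (all branches are empty).  Called with the
# argument "iptables" (what (left/right)firewall=yes does) it inserts /
# deletes ACCEPT rules that are tied to the negotiated SA via
# "-m policy --pol ipsec --reqid", so that only traffic that really was
# protected by (or will be protected by) that particular SA is let
# through, and optionally writes one syslog line per event.
#
# Failures of individual netfilter commands are reported on stderr but
# do not abort the script, so a teardown always removes everything the
# corresponding setup managed to install.

# PLUTO_VERSION
#       indicates what version of this interface is being
#       used.  This document describes version 1.1.  This
#       is upwardly compatible with version 1.0.
#
# PLUTO_VERB
#       specifies the name of the operation to be performed
#       (prepare-host, prepare-client, up-host, up-client,
#       down-host, or down-client).  If the address family
#       for security gateway to security gateway communica-
#       tions is IPv6, then a suffix of -v6 is added to the
#       verb.
#
# PLUTO_CONNECTION
#       is the name of the connection for which we are
#       routing.
#
# PLUTO_INTERFACE
#       is the name of the ipsec interface to be used.
#
# PLUTO_REQID
#       is the requid of the AH|ESP policy
#
# PLUTO_PROTO
#       is the negotiated IPsec protocol, ah|esp
#
# PLUTO_IPCOMP
#       is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
#       is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
#       is the IP address of our host.
#
# PLUTO_MY_ID
#       is the ID of our host.
#
# PLUTO_MY_CLIENT
#       is the IP address / count of our client subnet.  If
#       the client is just the host, this will be the
#       host's own IP address / max (where max is 32 for
#       IPv4 and 128 for IPv6).
#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
#       contains IPv4/IPv6 virtual IP received from a responder,
#       $i enumerates from 1 to the number of IP per address family.
#       PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
#       virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
#       is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
#       is the UDP/TCP port to which the IPsec SA is
#       restricted on our side.  For ICMP/ICMPv6 this contains the
#       message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
#       is the IP address of our peer.
#
# PLUTO_PEER_ID
#       is the ID of our peer.  This is the identity the peer itself
#       presented; it is only ever passed as a single quoted argument
#       below (never re-parsed by the shell), but it does end up
#       verbatim in the syslog line.
#
# PLUTO_PEER_CLIENT
#       is the IP address / count of the peer's client sub-
#       net.  If the client is just the peer, this will be
#       the peer's own IP address / max (where max is 32
#       for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_SOURCEIP
# PLUTO_PEER_SOURCEIP4_$i
# PLUTO_PEER_SOURCEIP6_$i
#       contains IPv4/IPv6 virtual IP sent to an initiator,
#       $i enumerates from 1 to the number of IP per address family.
#       PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
#       virtual IP, IPv4 or IPv6.
#
# PLUTO_PEER_PROTOCOL
#       is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
#       is the UDP/TCP port to which the IPsec SA is
#       restricted on the peer side.  For ICMP/ICMPv6 this contains the
#       message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
#       is an optional user ID employed by the XAUTH protocol
#
# PLUTO_MARK_IN
#       is an optional XFRM mark set on the inbound IPsec SA
#
# PLUTO_MARK_OUT
#       is an optional XFRM mark set on the outbound IPsec SA
#
# PLUTO_IF_ID_IN
#       is an optional XFRM interface ID set on the inbound IPsec SA
#
# PLUTO_IF_ID_OUT
#       is an optional XFRM interface ID set on the outbound IPsec SA
#
# PLUTO_UDP_ENC
#       contains the remote UDP port in the case of ESP_IN_UDP
#       encapsulation
#
# PLUTO_DNS4_$i
# PLUTO_DNS6_$i
#       contains IPv4/IPv6 DNS server attribute received from a
#       responder, $i enumerates from 1 to the number of servers per
#       address family.
#
# PLUTO_HOST_ACCESS
#       is not part of the documented interface above.  If it is
#       non-empty in the environment, the client (subnet) rules below
#       additionally install INPUT/OUTPUT rules on this host, exactly
#       as they do when a virtual IP is in use.
#

# define a minimum PATH environment in case it is not set
# (@sbindir@ is a placeholder that is filled in when the script is built
# from this .in template)
PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
export PATH

# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
TAG=vpn
#
# syslog facility and priority used:
FAC_PRIO=local0.notice
#
# to create a special vpn logging file, put the following line into
# the syslog configuration file /etc/syslog.conf:
#
# local0.notice                   -/var/log/vpn

# check interface version
case "$PLUTO_VERSION" in
1.[01])	# Older release?!?  Play it safe, script may be using new features.
	# NOTE(review): this pattern rejects 1.0 AND 1.1, although the header
	# above says it documents interface version 1.1 -- confirm which value
	# the calling daemon exports before relying on the default script.
	# (The pattern used to be "1.[0|1]", a bracket expression that also
	# matched a literal '|'; "0 or 1" was clearly the intent.)
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0: called by obsolete release?" >&2
	exit 2
	;;
1.*)	;;
*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
	;;
esac

# check parameter(s)
case "$1:$*" in
':')	# no parameters
	;;
iptables:iptables)	# due to (left/right)firewall; for default script only
	;;
custom:*)	# custom parameters (see above CAUTION comment)
	;;
*)	echo "$0: unknown parameters \`$*'" >&2
	exit 2
	;;
esac

# match only packets that were (inbound) or will be (outbound) handled by
# exactly this SA; these are deliberately left unquoted where used so that
# they expand to several arguments
IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"

# start from a clean slate so that values inherited from the environment
# cannot leak into the rules
ICMP_TYPE_OPTION=
S_MY_PORT=
D_MY_PORT=
S_PEER_PORT=
D_PEER_PORT=

# use protocol specific options to set ports
case "$PLUTO_MY_PROTOCOL" in
1)	# ICMP
	ICMP_TYPE_OPTION="--icmp-type"
	;;
58)	# ICMPv6
	ICMP_TYPE_OPTION="--icmpv6-type"
	;;
*)
	;;
esac

# are there port numbers?  (the resulting S_*/D_* variables are expanded
# unquoted below: empty means "no restriction", otherwise option + value)
if [ "$PLUTO_MY_PORT" != 0 ]
then
	if [ -n "$ICMP_TYPE_OPTION" ]
	then
		S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
		D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
	else
		S_MY_PORT="--sport $PLUTO_MY_PORT"
		D_MY_PORT="--dport $PLUTO_MY_PORT"
	fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
	if [ -n "$ICMP_TYPE_OPTION" ]
	then
		# the syntax is --icmp[v6]-type type[/code], so add it to the existing option.
		# A code without a type (MY_PORT 0, PEER_PORT non-zero) yields a
		# malformed option and the rule is not installed, i.e. it fails closed.
		S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
		D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
	else
		S_PEER_PORT="--sport $PLUTO_PEER_PORT"
		D_PEER_PORT="--dport $PLUTO_PEER_PORT"
	fi
fi

# select the netfilter tool and the address-family constants from the verb
case "$PLUTO_VERB" in
*-v6)
	FW=ip6tables
	HOST_BITS=128	# prefix length of a single host address
	IPIP_PROTO=41	# IPv6-in-IPv6, the implicit SA the kernel uses with IPComp
	;;
*)
	FW=iptables
	HOST_BITS=32
	IPIP_PROTO=4	# IPv4-in-IPv4, the implicit SA the kernel uses with IPComp
	;;
esac

# ---------------------------------------------------------------------------
# helpers shared by the IPv4 and IPv6 "iptables" branches below
# ---------------------------------------------------------------------------

# run one netfilter command; a failure is reported on stderr (where the
# other diagnostics of this script go) but does not abort the script, so
# the remaining rules -- and a later teardown -- are still processed
fw_run() {
	"$@" || echo "$0: command failed (status $?): $*" >&2
}

# add ($1 = add: insert at position 1) or delete ($1 = del) one rule in
# chain $2 of the selected family; the remaining arguments are the match
# and target.  Setup and teardown go through the same function, so the
# argument order of the two is guaranteed to be identical, which -D needs.
fw_rule() {
	fw_op=$1
	fw_chain=$2
	shift 2
	case "$fw_op" in
	add)	fw_run "$FW" -I "$fw_chain" 1 "$@" ;;
	del)	fw_run "$FW" -D "$fw_chain" "$@" ;;
	esac
}

# allow IPIP/IP6IP6 traffic because of the implicit SA created by the
# kernel if IPComp is used (for small inbound packets that are not
# compressed).  INPUT is correct here even for forwarded traffic.
# $1 is add|del; does nothing when IPComp was not negotiated.
fw_ipcomp() {
	[ -n "$PLUTO_IPCOMP" ] || return 0
	fw_rule "$1" INPUT -i "$PLUTO_INTERFACE" -p "$IPIP_PROTO" \
		-s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
}

# rules for a connection to this host itself (up-host / down-host):
# INPUT from the peer's client to us, OUTPUT from us to the peer's client.
# $1 is add|del.
fw_host() {
	fw_rule "$1" INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
		-s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
		-d "$PLUTO_ME" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fw_rule "$1" OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
		-s "$PLUTO_ME" $S_MY_PORT $IPSEC_POLICY_OUT \
		-d "$PLUTO_PEER_CLIENT" $D_PEER_PORT -j ACCEPT
	fw_ipcomp "$1"
}

# rules for a connection to our client subnet (up-client / down-client):
# FORWARD rules between the two subnets, plus INPUT/OUTPUT rules on the
# host itself when a virtual IP is in use or host access was requested.
# $1 is add|del.
fw_client() {
	# the FORWARD rules are skipped when the peer's "subnet" is exactly our
	# own (first) virtual IP; note PLUTO_MY_SOURCEIP may belong to the other
	# address family, in which case this comparison is simply false
	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/$HOST_BITS" ]
	then
		fw_rule "$1" FORWARD -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
			-s "$PLUTO_MY_CLIENT" $S_MY_PORT \
			-d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
		fw_rule "$1" FORWARD -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
			-s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
			-d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
	fi
	#
	# a virtual IP requires an INPUT and OUTPUT rule on the host
	# or sometimes host access via the internal IP is needed
	if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
	then
		fw_rule "$1" INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
			-s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
			-d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
		fw_rule "$1" OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
			-s "$PLUTO_MY_CLIENT" $S_MY_PORT \
			-d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
	fi
	fw_ipcomp "$1"
}

# write one syslog line for the event, if VPN_LOGGING is enabled.
# $1 is "+" (setup) or "-" (teardown); $2 is an optional suffix (the
# client branches pass " == $PLUTO_MY_CLIENT").  A peer whose "subnet" is
# just its own address is logged by address only.
vpn_log() {
	[ -n "$VPN_LOGGING" ] || return 0
	if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/$HOST_BITS" ]
	then
		log_peer="$PLUTO_PEER"
	else
		log_peer="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
	fi
	# "--" keeps a message starting with "-" from being taken as an option;
	# PLUTO_PEER_ID is peer-chosen text and goes into the log as-is
	logger -t "$TAG" -p "$FAC_PRIO" -- \
		"$1 $PLUTO_PEER_ID $log_peer -- $PLUTO_ME$2"
}

# ---------------------------------------------------------------------------
# dispatch on verb and parameter
# ---------------------------------------------------------------------------

case "$PLUTO_VERB:$1" in
up-host:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
#
# IPv6
#
up-host-v6:)
	# connection to me coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-host-v6:)
	# connection to me going down
	# If you are doing a custom version, firewall commands go here.
	;;
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	;;
#
# (left/right)firewall=yes, IPv4 and IPv6 alike: the family-specific tool
# and constants were selected above from the verb suffix.
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
#
up-host:iptables|up-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, coming up
	fw_host add
	# log IPsec host connection setup
	vpn_log "+"
	;;
down-host:iptables|down-host-v6:iptables)
	# connection to me, with (left/right)firewall=yes, going down
	fw_host del
	# log IPsec host connection teardown
	vpn_log "-"
	;;
up-client:iptables|up-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, coming up
	fw_client add
	# log IPsec client connection setup
	vpn_log "+" " == $PLUTO_MY_CLIENT"
	;;
down-client:iptables|down-client-v6:iptables)
	# connection to client subnet, with (left/right)firewall=yes, going down
	fw_client del
	# log IPsec client connection teardown
	vpn_log "-" " == $PLUTO_MY_CLIENT"
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac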