
1.1       misho       1: #!/bin/sh
                      2: # default updown script
                      3: #
                      4: # Copyright (C) 2003-2004 Nigel Meteringham
                      5: # Copyright (C) 2003-2004 Tuomo Soini
                      6: # Copyright (C) 2002-2004 Michael Richardson
                      7: # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
                      8: #
                      9: # This program is free software; you can redistribute it and/or modify it
                     10: # under the terms of the GNU General Public License as published by the
                     11: # Free Software Foundation; either version 2 of the License, or (at your
                     12: # option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
                     13: #
                     14: # This program is distributed in the hope that it will be useful, but
                     15: # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
                     16: # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
                     17: # for more details.
                     18: 
                     19: # CAUTION:  Installing a new version of strongSwan will install a new
                     20: # copy of this script, wiping out any custom changes you make.  If
                     21: # you need changes, make a copy of this under another name, and customize
                     22: # that, and use the (left/right)updown parameters in ipsec.conf to make
                     23: # strongSwan use yours instead of this default one.
                     24: 
                     25: #      PLUTO_VERSION
                     26: #              indicates  what  version of this interface is being
                     27: #              used.  This document describes version  1.1.   This
                     28: #              is upwardly compatible with version 1.0.
                     29: #
                     30: #       PLUTO_VERB
                     31: #              specifies the name of the operation to be performed
                     32: #              (prepare-host, prepare-client, up-host, up-client,
                     33: #              down-host, or down-client).  If the address family
                     34: #              for security gateway to security gateway communica-
                     35: #              tions is IPv6, then a suffix of -v6 is added to the
                     36: #              verb.
                     37: #
                     38: #       PLUTO_CONNECTION
                     39: #              is the name of the  connection  for  which  we  are
                     40: #              routing.
                     41: #
                     42: #       PLUTO_INTERFACE
                     43: #              is the name of the ipsec interface to be used.
                     44: #
                     45: #       PLUTO_REQID
1.1.1.2 ! misho      46: #              is the reqid of the AH|ESP policy
1.1       misho      47: #
                     48: #       PLUTO_PROTO
                     49: #              is the negotiated IPsec protocol, ah|esp
                     50: #
                     51: #       PLUTO_IPCOMP
                     52: #              is not empty if IPComp was negotiated
                     53: #
                     54: #       PLUTO_UNIQUEID
                     55: #              is the unique identifier of the associated IKE_SA
                     56: #
                     57: #       PLUTO_ME
                     58: #              is the IP address of our host.
                     59: #
                     60: #       PLUTO_MY_ID
                     61: #              is the ID of our host.
                     62: #
                     63: #       PLUTO_MY_CLIENT
                     64: #              is the IP address / count of our client subnet.  If
                     65: #              the  client  is  just  the  host,  this will be the
                     66: #              host's own IP address / max (where max  is  32  for
                     67: #              IPv4 and 128 for IPv6).
                     68: #
                     69: #       PLUTO_MY_SOURCEIP
                     70: #       PLUTO_MY_SOURCEIP4_$i
                     71: #       PLUTO_MY_SOURCEIP6_$i
#              contain the IPv4/IPv6 virtual IPs received from a responder;
#              $i enumerates from 1 to the number of IPs per address family.
#              PLUTO_MY_SOURCEIP is a legacy variable equal to the first
#              virtual IP, whether IPv4 or IPv6.
                     76: #
                     77: #       PLUTO_MY_PROTOCOL
                     78: #              is the IP protocol that will be transported.
                     79: #
                     80: #       PLUTO_MY_PORT
                     81: #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
                     82: #              restricted on our side.  For ICMP/ICMPv6 this contains the
                     83: #              message type, and PLUTO_PEER_PORT the message code.
                     84: #
                     85: #       PLUTO_PEER
                     86: #              is the IP address of our peer.
                     87: #
                     88: #       PLUTO_PEER_ID
                     89: #              is the ID of our peer.
                     90: #
                     91: #       PLUTO_PEER_CLIENT
                     92: #              is the IP address / count of the peer's client sub-
                     93: #              net.   If the client is just the peer, this will be
                     94: #              the peer's own IP address / max (where  max  is  32
                     95: #              for IPv4 and 128 for IPv6).
                     96: #
                     97: #       PLUTO_PEER_SOURCEIP
                     98: #       PLUTO_PEER_SOURCEIP4_$i
                     99: #       PLUTO_PEER_SOURCEIP6_$i
#              contain the IPv4/IPv6 virtual IPs sent to an initiator;
#              $i enumerates from 1 to the number of IPs per address family.
#              PLUTO_PEER_SOURCEIP is a legacy variable equal to the first
#              virtual IP, whether IPv4 or IPv6.
                    104: #
                    105: #       PLUTO_PEER_PROTOCOL
                    106: #              is the IP protocol that will be transported.
                    107: #
                    108: #       PLUTO_PEER_PORT
                    109: #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
                    110: #              restricted on the peer side.  For ICMP/ICMPv6 this contains the
                    111: #              message code, and PLUTO_MY_PORT the message type.
                    112: #
                    113: #       PLUTO_XAUTH_ID
                    114: #              is an optional user ID employed by the XAUTH protocol
                    115: #
                    116: #       PLUTO_MARK_IN
                    117: #              is an optional XFRM mark set on the inbound IPsec SA
                    118: #
                    119: #       PLUTO_MARK_OUT
                    120: #              is an optional XFRM mark set on the outbound IPsec SA
                    121: #
                    122: #       PLUTO_IF_ID_IN
                    123: #              is an optional XFRM interface ID set on the inbound IPsec SA
                    124: #
                    125: #       PLUTO_IF_ID_OUT
                    126: #              is an optional XFRM interface ID set on the outbound IPsec SA
                    127: #
                    128: #       PLUTO_UDP_ENC
                    129: #              contains the remote UDP port in the case of ESP_IN_UDP
                    130: #              encapsulation
                    131: #
                    132: #       PLUTO_DNS4_$i
                    133: #       PLUTO_DNS6_$i
                    134: #              contains IPv4/IPv6 DNS server attribute received from a
                    135: #              responder, $i enumerates from 1 to the number of servers per
                    136: #              address family.
                    137: #
                    138: 
                    139: # define a minimum PATH environment in case it is not set
                    140: PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
                    141: export PATH
                    142: 
                    143: # comment to disable logging VPN connections to syslog
                    144: VPN_LOGGING=1
                    145: #
                    146: # tag put in front of each log entry:
                    147: TAG=vpn
                    148: #
                    149: # syslog facility and priority used:
                    150: FAC_PRIO=local0.notice
                    151: #
                    152: # to create a special vpn logging file, put the following line into
                    153: # the syslog configuration file /etc/syslog.conf:
                    154: #
                    155: # local0.notice                   -/var/log/vpn
                    156: 
# Refuse to run under an interface version this script was not written for.
# The bracket expression matches "1.0" and "1.1" (the "|" inside it is a
# literal character, not an alternation); any other 1.x value is accepted
# and everything else is rejected as unknown.
# NOTE(review): the interface description above says it documents version
# 1.1, yet this branch treats 1.1 as obsolete -- confirm against the
# PLUTO_VERSION the daemon actually exports.
case "$PLUTO_VERSION" in
1.[0|1])
	# Older release?!?  Play it safe, script may be using new features.
	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
	echo "$0:       called by obsolete release?" >&2
	exit 2 ;;
1.*)
	;;
*)
	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2 ;;
esac
                    169: 
# Validate the positional arguments.  Three shapes are accepted: no
# arguments at all, exactly the single word "iptables" (passed when
# (left/right)firewall=yes; only the default script acts on it), or
# "custom" followed by anything (for user-supplied copies, see the
# CAUTION comment above).  Anything else aborts with status 2.
case "$1:$*" in
':')
	;;
iptables:iptables)
	;;
custom:*)
	;;
*)
	echo "$0: unknown parameters \`$*'" >&2
	exit 2 ;;
esac
                    182: 
                    183: IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
                    184: IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
                    185: IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
                    186: 
# ICMP (1) and ICMPv6 (58) carry no ports; their iptables match takes a
# message type instead, so remember the matching option name.  For every
# other protocol the variable is left as it was.
case "$PLUTO_MY_PROTOCOL" in
1)
	ICMP_TYPE_OPTION="--icmp-type" ;;
58)
	ICMP_TYPE_OPTION="--icmpv6-type" ;;
esac
                    198: 
                    199: # are there port numbers?
                    200: if [ "$PLUTO_MY_PORT" != 0 ]
                    201: then
                    202:        if [ -n "$ICMP_TYPE_OPTION" ]
                    203:        then
                    204:                S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
                    205:                D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
                    206:        else
                    207:                S_MY_PORT="--sport $PLUTO_MY_PORT"
                    208:                D_MY_PORT="--dport $PLUTO_MY_PORT"
                    209:        fi
                    210: fi
                    211: if [ "$PLUTO_PEER_PORT" != 0 ]
                    212: then
                    213:        if [ -n "$ICMP_TYPE_OPTION" ]
                    214:        then
                    215:                # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
                    216:                S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
                    217:                D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
                    218:        else
                    219:                S_PEER_PORT="--sport $PLUTO_PEER_PORT"
                    220:                D_PEER_PORT="--dport $PLUTO_PEER_PORT"
                    221:        fi
                    222: fi
                    223: 
                    224: case "$PLUTO_VERB:$1" in
                    225: up-host:)
                    226:        # connection to me coming up
                    227:        # If you are doing a custom version, firewall commands go here.
                    228:        ;;
                    229: down-host:)
                    230:        # connection to me going down
                    231:        # If you are doing a custom version, firewall commands go here.
                    232:        ;;
                    233: up-client:)
                    234:        # connection to my client subnet coming up
                    235:        # If you are doing a custom version, firewall commands go here.
                    236:        ;;
                    237: down-client:)
                    238:        # connection to my client subnet going down
                    239:        # If you are doing a custom version, firewall commands go here.
                    240:        ;;
                    241: up-host:iptables)
                    242:        # connection to me, with (left/right)firewall=yes, coming up
                    243:        # This is used only by the default updown script, not by your custom
                    244:        # ones, so do not mess with it; see CAUTION comment up at top.
                    245:        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    246:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    247:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
                    248:        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    249:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
                    250:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
                    251:        #
                    252:        # allow IPIP traffic because of the implicit SA created by the kernel if
                    253:        # IPComp is used (for small inbound packets that are not compressed)
                    254:        if [ -n "$PLUTO_IPCOMP" ]
                    255:        then
                    256:          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
                    257:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
                    258:        fi
                    259:        #
                    260:        # log IPsec host connection setup
                    261:        if [ $VPN_LOGGING ]
                    262:        then
                    263:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
                    264:          then
                    265:            logger -t $TAG -p $FAC_PRIO \
                    266:              "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
                    267:          else
                    268:            logger -t $TAG -p $FAC_PRIO \
                    269:              "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
                    270:          fi
                    271:        fi
                    272:        ;;
                    273: down-host:iptables)
                    274:        # connection to me, with (left/right)firewall=yes, going down
                    275:        # This is used only by the default updown script, not by your custom
                    276:        # ones, so do not mess with it; see CAUTION comment up at top.
                    277:        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    278:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    279:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
                    280:        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    281:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
                    282:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
                    283:        #
                    284:        # IPIP exception teardown
                    285:        if [ -n "$PLUTO_IPCOMP" ]
                    286:        then
                    287:          iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
                    288:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
                    289:        fi
                    290:        #
                    291:        # log IPsec host connection teardown
                    292:        if [ $VPN_LOGGING ]
                    293:        then
                    294:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
                    295:          then
                    296:            logger -t $TAG -p $FAC_PRIO -- \
                    297:              "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
                    298:          else
                    299:            logger -t $TAG -p $FAC_PRIO -- \
                    300:            "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
                    301:          fi
                    302:        fi
                    303:        ;;
                    304: up-client:iptables)
                    305:        # connection to client subnet, with (left/right)firewall=yes, coming up
                    306:        # This is used only by the default updown script, not by your custom
                    307:        # ones, so do not mess with it; see CAUTION comment up at top.
                    308:        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
                    309:        then
                    310:          iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    311:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
                    312:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
                    313:          iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    314:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    315:              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
                    316:        fi
                    317:        #
                    318:        # a virtual IP requires an INPUT and OUTPUT rule on the host
                    319:        # or sometimes host access via the internal IP is needed
                    320:        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
                    321:        then
                    322:          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    323:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    324:              -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
                    325:          iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    326:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
                    327:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
                    328:        fi
                    329:        #
                    330:        # allow IPIP traffic because of the implicit SA created by the kernel if
                    331:        # IPComp is used (for small inbound packets that are not compressed).
                    332:        # INPUT is correct here even for forwarded traffic.
                    333:        if [ -n "$PLUTO_IPCOMP" ]
                    334:        then
                    335:          iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
                    336:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
                    337:        fi
                    338:        #
                    339:        # log IPsec client connection setup
                    340:        if [ $VPN_LOGGING ]
                    341:        then
                    342:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
                    343:          then
                    344:            logger -t $TAG -p $FAC_PRIO \
                    345:              "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
                    346:          else
                    347:            logger -t $TAG -p $FAC_PRIO \
                    348:              "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
                    349:          fi
                    350:        fi
                    351:        ;;
                    352: down-client:iptables)
                    353:        # connection to client subnet, with (left/right)firewall=yes, going down
                    354:        # This is used only by the default updown script, not by your custom
                    355:        # ones, so do not mess with it; see CAUTION comment up at top.
                    356:        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
                    357:        then
                    358:          iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    359:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
                    360:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
                    361:                 $IPSEC_POLICY_OUT -j ACCEPT
                    362:          iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    363:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    364:              -d $PLUTO_MY_CLIENT $D_MY_PORT \
                    365:                 $IPSEC_POLICY_IN -j ACCEPT
                    366:        fi
                    367:        #
                    368:        # a virtual IP requires an INPUT and OUTPUT rule on the host
                    369:        # or sometimes host access via the internal IP is needed
                    370:        if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
                    371:        then
                    372:          iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    373:              -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    374:              -d $PLUTO_MY_CLIENT $D_MY_PORT \
                    375:                 $IPSEC_POLICY_IN -j ACCEPT
                    376:          iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    377:              -s $PLUTO_MY_CLIENT $S_MY_PORT \
                    378:              -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
                    379:                 $IPSEC_POLICY_OUT -j ACCEPT
                    380:        fi
                    381:        #
                    382:        # IPIP exception teardown
                    383:        if [ -n "$PLUTO_IPCOMP" ]
                    384:        then
                    385:          iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
                    386:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
                    387:        fi
                    388:        #
                    389:        # log IPsec client connection teardown
                    390:        if [ $VPN_LOGGING ]
                    391:        then
                    392:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
                    393:          then
                    394:            logger -t $TAG -p $FAC_PRIO -- \
                    395:              "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
                    396:          else
                    397:            logger -t $TAG -p $FAC_PRIO -- \
                    398:              "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
                    399:          fi
                    400:        fi
                    401:        ;;
                    402: #
                    403: # IPv6
                    404: #
                    405: up-host-v6:)
                    406:        # connection to me coming up
                    407:        # If you are doing a custom version, firewall commands go here.
                    408:        ;;
                    409: down-host-v6:)
                    410:        # connection to me going down
                    411:        # If you are doing a custom version, firewall commands go here.
                    412:        ;;
                    413: up-client-v6:)
                    414:        # connection to my client subnet coming up
                    415:        # If you are doing a custom version, firewall commands go here.
                    416:        ;;
                    417: down-client-v6:)
                    418:        # connection to my client subnet going down
                    419:        # If you are doing a custom version, firewall commands go here.
                    420:        ;;
                    421: up-host-v6:iptables)
                    422:        # connection to me, with (left/right)firewall=yes, coming up
                    423:        # This is used only by the default updown script, not by your custom
                    424:        # ones, so do not mess with it; see CAUTION comment up at top.
                    425:        ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    426:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    427:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
                    428:        ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    429:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
                    430:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
                    431:        #
                    432:        # allow IP6IP6 traffic because of the implicit SA created by the kernel if
                    433:        # IPComp is used (for small inbound packets that are not compressed)
                    434:        if [ -n "$PLUTO_IPCOMP" ]
                    435:        then
                    436:          ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
                    437:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
                    438:        fi
                    439:        #
                    440:        # log IPsec host connection setup
                    441:        if [ $VPN_LOGGING ]
                    442:        then
                    443:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
                    444:          then
                    445:            logger -t $TAG -p $FAC_PRIO \
                    446:              "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
                    447:          else
                    448:            logger -t $TAG -p $FAC_PRIO \
                    449:              "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
                    450:          fi
                    451:        fi
                    452:        ;;
                    453: down-host-v6:iptables)
                    454:        # connection to me, with (left/right)firewall=yes, going down
                    455:        # This is used only by the default updown script, not by your custom
                    456:        # ones, so do not mess with it; see CAUTION comment up at top.
                    457:        ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
                    458:            -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
                    459:            -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
                    460:        ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
                    461:            -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
                    462:            -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
                    463:        #
                    464:        # IP6IP6 exception teardown
                    465:        if [ -n "$PLUTO_IPCOMP" ]
                    466:        then
                    467:          ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
                    468:              -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
                    469:        fi
                    470:        #
                    471:        # log IPsec host connection teardown
                    472:        if [ $VPN_LOGGING ]
                    473:        then
                    474:          if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
                    475:          then
                    476:            logger -t $TAG -p $FAC_PRIO -- \
                    477:              "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
                    478:          else
                    479:            logger -t $TAG -p $FAC_PRIO -- \
                    480:            "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
                    481:          fi
                    482:        fi
                    483:        ;;
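up-client-v6:iptables)
       # connection to client subnet, with (left/right)firewall=yes, coming up
       # This is used only by the default updown script, not by your custom
       # ones, so do not mess with it; see CAUTION comment up at top.
       #
       # Quoting policy for this arm: the single-token values supplied by the
       # daemon ($PLUTO_INTERFACE, $PLUTO_*_CLIENT, $PLUTO_*_PROTOCOL, ...) are
       # quoted.  $S_MY_PORT, $D_PEER_PORT, $S_PEER_PORT, $D_MY_PORT,
       # $IPSEC_POLICY_IN and $IPSEC_POLICY_OUT deliberately stay UNQUOTED:
       # they expand to zero or more ip6tables arguments (a "--sport N"/
       # "--dport N" pair or an "-m policy ..." match) and rely on word
       # splitting; quoting them would hand ip6tables one bogus argument.
       #
       # FORWARD rules are not needed when the peer's client subnet is exactly
       # our own virtual IP: that traffic terminates on this host.
       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
       then
         ip6tables -I FORWARD 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
             -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
             -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
         ip6tables -I FORWARD 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
             -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
             -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
       fi
       #
       # a virtual IP requires an INPUT and OUTPUT rule on the host
       # or sometimes host access via the internal IP is needed
       # (two separate tests instead of the obsolescent "-o" test operator)
       if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
       then
         ip6tables -I INPUT 1 -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
             -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
             -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
         ip6tables -I OUTPUT 1 -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
             -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
             -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
       fi
       #
       # allow IP6IP6 traffic (IP protocol 41) because of the implicit SA
       # created by the kernel if IPComp is used (for small inbound packets
       # that are not compressed).  INPUT is correct here even for forwarded
       # traffic.  The rule is restricted to the tunnel endpoints and to
       # packets matching the IPsec policy ($IPSEC_POLICY_IN), so it does not
       # open protocol 41 in general.
       if [ -n "$PLUTO_IPCOMP" ]
       then
         ip6tables -I INPUT 1 -i "$PLUTO_INTERFACE" -p 41 \
             -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
       fi
       #
       # log IPsec client connection setup
       # "--" terminates logger's option parsing so the message text is never
       # taken as options (the down-client-v6 arm already does this; the
       # message there starts with "-").  NOTE(review): $PLUTO_PEER_ID is
       # presumably the remote peer's IKE identity, i.e. text chosen by the
       # peer -- keep it inside the single quoted message argument and never
       # let it reach the shell unquoted.
       if [ -n "$VPN_LOGGING" ]
       then
         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
         then
           logger -t "$TAG" -p "$FAC_PRIO" -- \
             "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
         else
           logger -t "$TAG" -p "$FAC_PRIO" -- \
             "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
         fi
       fi
       ;;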
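down-client-v6:iptables)
       # connection to client subnet, with (left/right)firewall=yes, going down
       # This is used only by the default updown script, not by your custom
       # ones, so do not mess with it; see CAUTION comment up at top.
       #
       # Every "-D" below must repeat the exact match of the corresponding
       # "-I" in the up-client-v6 arm, otherwise ip6tables will not find the
       # rule and the ACCEPT rule stays behind after the SA is gone.
       #
       # Quoting policy: single-token daemon values are quoted; $S_MY_PORT,
       # $D_PEER_PORT, $S_PEER_PORT, $D_MY_PORT, $IPSEC_POLICY_IN and
       # $IPSEC_POLICY_OUT stay UNQUOTED because they expand to zero or more
       # ip6tables arguments and depend on word splitting.
       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
       then
         ip6tables -D FORWARD -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
             -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
             -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
         ip6tables -D FORWARD -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
             -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
             -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
       fi
       #
       # a virtual IP requires an INPUT and OUTPUT rule on the host
       # or sometimes host access via the internal IP is needed
       # (two separate tests instead of the obsolescent "-o" test operator)
       if [ -n "$PLUTO_MY_SOURCEIP" ] || [ -n "$PLUTO_HOST_ACCESS" ]
       then
         ip6tables -D INPUT -i "$PLUTO_INTERFACE" -p "$PLUTO_MY_PROTOCOL" \
             -s "$PLUTO_PEER_CLIENT" $S_PEER_PORT \
             -d "$PLUTO_MY_CLIENT" $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
         ip6tables -D OUTPUT -o "$PLUTO_INTERFACE" -p "$PLUTO_PEER_PROTOCOL" \
             -s "$PLUTO_MY_CLIENT" $S_MY_PORT \
             -d "$PLUTO_PEER_CLIENT" $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
       fi
       #
       # IP6IP6 (IP protocol 41) exception teardown, mirror of the IPComp
       # rule added in the up-client-v6 arm
       if [ -n "$PLUTO_IPCOMP" ]
       then
         ip6tables -D INPUT -i "$PLUTO_INTERFACE" -p 41 \
             -s "$PLUTO_PEER" -d "$PLUTO_ME" $IPSEC_POLICY_IN -j ACCEPT
       fi
       #
       # log IPsec client connection teardown
       # "--" is required: the message starts with "-" and logger would
       # otherwise parse it as an option.  NOTE(review): $PLUTO_PEER_ID is
       # presumably the remote peer's IKE identity, i.e. peer-chosen text --
       # keep it inside the single quoted message argument.
       if [ -n "$VPN_LOGGING" ]
       then
         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
         then
           logger -t "$TAG" -p "$FAC_PRIO" -- \
             "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
         else
           logger -t "$TAG" -p "$FAC_PRIO" -- \
             "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
         fi
       fi
       ;;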
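*)     # unknown verb or unknown first parameter: report on stderr and fail
       # with a non-zero status so the caller notices.  printf '%s\n' is used
       # instead of echo so that backslashes or a leading "-n" in the expanded
       # $PLUTO_VERB / $1 are printed verbatim rather than interpreted by
       # the shell's echo builtin.
       printf '%s\n' "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
       exit 1
       ;;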
                    585: esac
