Annotation of embedaddon/strongswan/src/_updown/_updown.in, revision 1.1.1.2
1.1 misho 1: #!/bin/sh
2: # default updown script
3: #
4: # Copyright (C) 2003-2004 Nigel Meteringham
5: # Copyright (C) 2003-2004 Tuomo Soini
6: # Copyright (C) 2002-2004 Michael Richardson
7: # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
8: #
9: # This program is free software; you can redistribute it and/or modify it
10: # under the terms of the GNU General Public License as published by the
11: # Free Software Foundation; either version 2 of the License, or (at your
12: # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13: #
14: # This program is distributed in the hope that it will be useful, but
15: # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16: # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17: # for more details.
18:
19: # CAUTION: Installing a new version of strongSwan will install a new
20: # copy of this script, wiping out any custom changes you make. If
21: # you need changes, make a copy of this under another name, and customize
22: # that, and use the (left/right)updown parameters in ipsec.conf to make
23: # strongSwan use yours instead of this default one.
24:
25: # PLUTO_VERSION
26: # indicates what version of this interface is being
27: # used. This document describes version 1.1. This
28: # is upwardly compatible with version 1.0.
29: #
30: # PLUTO_VERB
31: # specifies the name of the operation to be performed
32: # (prepare-host, prepare-client, up-host, up-client,
33: # down-host, or down-client). If the address family
34: # for security gateway to security gateway communica-
35: # tions is IPv6, then a suffix of -v6 is added to the
36: # verb.
37: #
38: # PLUTO_CONNECTION
39: # is the name of the connection for which we are
40: # routing.
41: #
42: # PLUTO_INTERFACE
43: # is the name of the ipsec interface to be used.
44: #
45: # PLUTO_REQID
1.1.1.2 ! misho 46: # is the reqid of the AH|ESP policy
1.1 misho 47: #
48: # PLUTO_PROTO
49: # is the negotiated IPsec protocol, ah|esp
50: #
51: # PLUTO_IPCOMP
52: # is not empty if IPComp was negotiated
53: #
54: # PLUTO_UNIQUEID
55: # is the unique identifier of the associated IKE_SA
56: #
57: # PLUTO_ME
58: # is the IP address of our host.
59: #
60: # PLUTO_MY_ID
61: # is the ID of our host.
62: #
63: # PLUTO_MY_CLIENT
64: # is the IP address / count of our client subnet. If
65: # the client is just the host, this will be the
66: # host's own IP address / max (where max is 32 for
67: # IPv4 and 128 for IPv6).
68: #
69: # PLUTO_MY_SOURCEIP
70: # PLUTO_MY_SOURCEIP4_$i
71: # PLUTO_MY_SOURCEIP6_$i
72: # contains IPv4/IPv6 virtual IP received from a responder,
73: # $i enumerates from 1 to the number of IP per address family.
74: # PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
75: # virtual IP, IPv4 or IPv6.
76: #
77: # PLUTO_MY_PROTOCOL
78: # is the IP protocol that will be transported.
79: #
80: # PLUTO_MY_PORT
81: # is the UDP/TCP port to which the IPsec SA is
82: # restricted on our side. For ICMP/ICMPv6 this contains the
83: # message type, and PLUTO_PEER_PORT the message code.
84: #
85: # PLUTO_PEER
86: # is the IP address of our peer.
87: #
88: # PLUTO_PEER_ID
89: # is the ID of our peer.
90: #
91: # PLUTO_PEER_CLIENT
92: # is the IP address / count of the peer's client sub-
93: # net. If the client is just the peer, this will be
94: # the peer's own IP address / max (where max is 32
95: # for IPv4 and 128 for IPv6).
96: #
97: # PLUTO_PEER_SOURCEIP
98: # PLUTO_PEER_SOURCEIP4_$i
99: # PLUTO_PEER_SOURCEIP6_$i
100: # contains IPv4/IPv6 virtual IP sent to an initiator,
101: # $i enumerates from 1 to the number of IP per address family.
102: # PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
103: # virtual IP, IPv4 or IPv6.
104: #
105: # PLUTO_PEER_PROTOCOL
106: # is the IP protocol that will be transported.
107: #
108: # PLUTO_PEER_PORT
109: # is the UDP/TCP port to which the IPsec SA is
110: # restricted on the peer side. For ICMP/ICMPv6 this contains the
111: # message code, and PLUTO_MY_PORT the message type.
112: #
113: # PLUTO_XAUTH_ID
114: # is an optional user ID employed by the XAUTH protocol
115: #
116: # PLUTO_MARK_IN
117: # is an optional XFRM mark set on the inbound IPsec SA
118: #
119: # PLUTO_MARK_OUT
120: # is an optional XFRM mark set on the outbound IPsec SA
121: #
122: # PLUTO_IF_ID_IN
123: # is an optional XFRM interface ID set on the inbound IPsec SA
124: #
125: # PLUTO_IF_ID_OUT
126: # is an optional XFRM interface ID set on the outbound IPsec SA
127: #
128: # PLUTO_UDP_ENC
129: # contains the remote UDP port in the case of ESP_IN_UDP
130: # encapsulation
131: #
132: # PLUTO_DNS4_$i
133: # PLUTO_DNS6_$i
134: # contains IPv4/IPv6 DNS server attribute received from a
135: # responder, $i enumerates from 1 to the number of servers per
136: # address family.
137: #
138:
139: # define a minimum PATH environment in case it is not set
140: PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
141: export PATH
142:
143: # comment to disable logging VPN connections to syslog
144: VPN_LOGGING=1
145: #
146: # tag put in front of each log entry:
147: TAG=vpn
148: #
149: # syslog facility and priority used:
150: FAC_PRIO=local0.notice
151: #
152: # to create a special vpn logging file, put the following line into
153: # the syslog configuration file /etc/syslog.conf:
154: #
155: # local0.notice -/var/log/vpn
156:
157: # check interface version
158: case "$PLUTO_VERSION" in
159: 1.[0|1]) # Older release?!? Play it safe, script may be using new features.
160: echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
161: echo "$0: called by obsolete release?" >&2
162: exit 2
163: ;;
164: 1.*) ;;
165: *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
166: exit 2
167: ;;
168: esac
169:
170: # check parameter(s)
171: case "$1:$*" in
172: ':') # no parameters
173: ;;
174: iptables:iptables) # due to (left/right)firewall; for default script only
175: ;;
176: custom:*) # custom parameters (see above CAUTION comment)
177: ;;
178: *) echo "$0: unknown parameters \`$*'" >&2
179: exit 2
180: ;;
181: esac
182:
183: IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
184: IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
185: IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
186:
187: # use protocol specific options to set ports
188: case "$PLUTO_MY_PROTOCOL" in
189: 1) # ICMP
190: ICMP_TYPE_OPTION="--icmp-type"
191: ;;
192: 58) # ICMPv6
193: ICMP_TYPE_OPTION="--icmpv6-type"
194: ;;
195: *)
196: ;;
197: esac
198:
199: # are there port numbers?
200: if [ "$PLUTO_MY_PORT" != 0 ]
201: then
202: if [ -n "$ICMP_TYPE_OPTION" ]
203: then
204: S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
205: D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
206: else
207: S_MY_PORT="--sport $PLUTO_MY_PORT"
208: D_MY_PORT="--dport $PLUTO_MY_PORT"
209: fi
210: fi
211: if [ "$PLUTO_PEER_PORT" != 0 ]
212: then
213: if [ -n "$ICMP_TYPE_OPTION" ]
214: then
215: # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
216: S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
217: D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
218: else
219: S_PEER_PORT="--sport $PLUTO_PEER_PORT"
220: D_PEER_PORT="--dport $PLUTO_PEER_PORT"
221: fi
222: fi
223:
224: case "$PLUTO_VERB:$1" in
225: up-host:)
226: # connection to me coming up
227: # If you are doing a custom version, firewall commands go here.
228: ;;
229: down-host:)
230: # connection to me going down
231: # If you are doing a custom version, firewall commands go here.
232: ;;
233: up-client:)
234: # connection to my client subnet coming up
235: # If you are doing a custom version, firewall commands go here.
236: ;;
237: down-client:)
238: # connection to my client subnet going down
239: # If you are doing a custom version, firewall commands go here.
240: ;;
241: up-host:iptables)
242: # connection to me, with (left/right)firewall=yes, coming up
243: # This is used only by the default updown script, not by your custom
244: # ones, so do not mess with it; see CAUTION comment up at top.
245: iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
246: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
247: -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
248: iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
249: -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
250: -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
251: #
252: # allow IPIP traffic because of the implicit SA created by the kernel if
253: # IPComp is used (for small inbound packets that are not compressed)
254: if [ -n "$PLUTO_IPCOMP" ]
255: then
256: iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
257: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
258: fi
259: #
260: # log IPsec host connection setup
261: if [ $VPN_LOGGING ]
262: then
263: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
264: then
265: logger -t $TAG -p $FAC_PRIO \
266: "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
267: else
268: logger -t $TAG -p $FAC_PRIO \
269: "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
270: fi
271: fi
272: ;;
273: down-host:iptables)
274: # connection to me, with (left/right)firewall=yes, going down
275: # This is used only by the default updown script, not by your custom
276: # ones, so do not mess with it; see CAUTION comment up at top.
277: iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
278: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
279: -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
280: iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
281: -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
282: -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
283: #
284: # IPIP exception teardown
285: if [ -n "$PLUTO_IPCOMP" ]
286: then
287: iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
288: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
289: fi
290: #
291: # log IPsec host connection teardown
292: if [ $VPN_LOGGING ]
293: then
294: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
295: then
296: logger -t $TAG -p $FAC_PRIO -- \
297: "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
298: else
299: logger -t $TAG -p $FAC_PRIO -- \
300: "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
301: fi
302: fi
303: ;;
304: up-client:iptables)
305: # connection to client subnet, with (left/right)firewall=yes, coming up
306: # This is used only by the default updown script, not by your custom
307: # ones, so do not mess with it; see CAUTION comment up at top.
308: if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
309: then
310: iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
311: -s $PLUTO_MY_CLIENT $S_MY_PORT \
312: -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
313: iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
315: -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
316: fi
317: #
318: # a virtual IP requires an INPUT and OUTPUT rule on the host
319: # or sometimes host access via the internal IP is needed
320: if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
321: then
322: iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
323: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
324: -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
325: iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
326: -s $PLUTO_MY_CLIENT $S_MY_PORT \
327: -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
328: fi
329: #
330: # allow IPIP traffic because of the implicit SA created by the kernel if
331: # IPComp is used (for small inbound packets that are not compressed).
332: # INPUT is correct here even for forwarded traffic.
333: if [ -n "$PLUTO_IPCOMP" ]
334: then
335: iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
336: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
337: fi
338: #
339: # log IPsec client connection setup
340: if [ $VPN_LOGGING ]
341: then
342: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
343: then
344: logger -t $TAG -p $FAC_PRIO \
345: "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
346: else
347: logger -t $TAG -p $FAC_PRIO \
348: "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
349: fi
350: fi
351: ;;
352: down-client:iptables)
353: # connection to client subnet, with (left/right)firewall=yes, going down
354: # This is used only by the default updown script, not by your custom
355: # ones, so do not mess with it; see CAUTION comment up at top.
356: if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
357: then
358: iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
359: -s $PLUTO_MY_CLIENT $S_MY_PORT \
360: -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
361: $IPSEC_POLICY_OUT -j ACCEPT
362: iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
363: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
364: -d $PLUTO_MY_CLIENT $D_MY_PORT \
365: $IPSEC_POLICY_IN -j ACCEPT
366: fi
367: #
368: # a virtual IP requires an INPUT and OUTPUT rule on the host
369: # or sometimes host access via the internal IP is needed
370: if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
371: then
372: iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
373: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
374: -d $PLUTO_MY_CLIENT $D_MY_PORT \
375: $IPSEC_POLICY_IN -j ACCEPT
376: iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
377: -s $PLUTO_MY_CLIENT $S_MY_PORT \
378: -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
379: $IPSEC_POLICY_OUT -j ACCEPT
380: fi
381: #
382: # IPIP exception teardown
383: if [ -n "$PLUTO_IPCOMP" ]
384: then
385: iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
386: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
387: fi
388: #
389: # log IPsec client connection teardown
390: if [ $VPN_LOGGING ]
391: then
392: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
393: then
394: logger -t $TAG -p $FAC_PRIO -- \
395: "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
396: else
397: logger -t $TAG -p $FAC_PRIO -- \
398: "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
399: fi
400: fi
401: ;;
402: #
403: # IPv6
404: #
405: up-host-v6:)
406: # connection to me coming up
407: # If you are doing a custom version, firewall commands go here.
408: ;;
409: down-host-v6:)
410: # connection to me going down
411: # If you are doing a custom version, firewall commands go here.
412: ;;
413: up-client-v6:)
414: # connection to my client subnet coming up
415: # If you are doing a custom version, firewall commands go here.
416: ;;
417: down-client-v6:)
418: # connection to my client subnet going down
419: # If you are doing a custom version, firewall commands go here.
420: ;;
421: up-host-v6:iptables)
422: # connection to me, with (left/right)firewall=yes, coming up
423: # This is used only by the default updown script, not by your custom
424: # ones, so do not mess with it; see CAUTION comment up at top.
425: ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
426: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
427: -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
428: ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
429: -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
430: -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
431: #
432: # allow IP6IP6 traffic because of the implicit SA created by the kernel if
433: # IPComp is used (for small inbound packets that are not compressed)
434: if [ -n "$PLUTO_IPCOMP" ]
435: then
436: ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
437: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
438: fi
439: #
440: # log IPsec host connection setup
441: if [ $VPN_LOGGING ]
442: then
443: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
444: then
445: logger -t $TAG -p $FAC_PRIO \
446: "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
447: else
448: logger -t $TAG -p $FAC_PRIO \
449: "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
450: fi
451: fi
452: ;;
453: down-host-v6:iptables)
454: # connection to me, with (left/right)firewall=yes, going down
455: # This is used only by the default updown script, not by your custom
456: # ones, so do not mess with it; see CAUTION comment up at top.
457: ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
458: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
459: -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
460: ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
461: -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
462: -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
463: #
464: # IP6IP6 exception teardown
465: if [ -n "$PLUTO_IPCOMP" ]
466: then
467: ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
468: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
469: fi
470: #
471: # log IPsec host connection teardown
472: if [ $VPN_LOGGING ]
473: then
474: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
475: then
476: logger -t $TAG -p $FAC_PRIO -- \
477: "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
478: else
479: logger -t $TAG -p $FAC_PRIO -- \
480: "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
481: fi
482: fi
483: ;;
484: up-client-v6:iptables)
485: # connection to client subnet, with (left/right)firewall=yes, coming up
486: # This is used only by the default updown script, not by your custom
487: # ones, so do not mess with it; see CAUTION comment up at top.
488: if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
489: then
490: ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
491: -s $PLUTO_MY_CLIENT $S_MY_PORT \
492: -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
493: ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
494: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
495: -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
496: fi
497: #
498: # a virtual IP requires an INPUT and OUTPUT rule on the host
499: # or sometimes host access via the internal IP is needed
500: if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
501: then
502: ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
503: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
504: -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
505: ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
506: -s $PLUTO_MY_CLIENT $S_MY_PORT \
507: -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
508: fi
509: #
510: # allow IP6IP6 traffic because of the implicit SA created by the kernel if
511: # IPComp is used (for small inbound packets that are not compressed).
512: # INPUT is correct here even for forwarded traffic.
513: if [ -n "$PLUTO_IPCOMP" ]
514: then
515: ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
516: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
517: fi
518: #
519: # log IPsec client connection setup
520: if [ $VPN_LOGGING ]
521: then
522: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
523: then
524: logger -t $TAG -p $FAC_PRIO \
525: "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
526: else
527: logger -t $TAG -p $FAC_PRIO \
528: "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
529: fi
530: fi
531: ;;
532: down-client-v6:iptables)
533: # connection to client subnet, with (left/right)firewall=yes, going down
534: # This is used only by the default updown script, not by your custom
535: # ones, so do not mess with it; see CAUTION comment up at top.
536: if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
537: then
538: ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
539: -s $PLUTO_MY_CLIENT $S_MY_PORT \
540: -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
541: $IPSEC_POLICY_OUT -j ACCEPT
542: ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
543: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
544: -d $PLUTO_MY_CLIENT $D_MY_PORT \
545: $IPSEC_POLICY_IN -j ACCEPT
546: fi
547: #
548: # a virtual IP requires an INPUT and OUTPUT rule on the host
549: # or sometimes host access via the internal IP is needed
550: if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
551: then
552: ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
553: -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
554: -d $PLUTO_MY_CLIENT $D_MY_PORT \
555: $IPSEC_POLICY_IN -j ACCEPT
556: ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
557: -s $PLUTO_MY_CLIENT $S_MY_PORT \
558: -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
559: $IPSEC_POLICY_OUT -j ACCEPT
560: fi
561: #
562: # IP6IP6 exception teardown
563: if [ -n "$PLUTO_IPCOMP" ]
564: then
565: ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
566: -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
567: fi
568: #
569: # log IPsec client connection teardown
570: if [ $VPN_LOGGING ]
571: then
572: if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
573: then
574: logger -t $TAG -p $FAC_PRIO -- \
575: "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
576: else
577: logger -t $TAG -p $FAC_PRIO -- \
578: "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
579: fi
580: fi
581: ;;
582: *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
583: exit 1
584: ;;
585: esac
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to _updown.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / _updown