mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-28 11:43:25 +02:00
strongswan: remove CONNMARK rules.
the marks are not used by firewall and QoS anymore. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This commit is contained in:
Arne Fitzenreiter
@@ -1,7 +1,7 @@
|
|||||||
diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
|
diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_updown/_updown.in
|
||||||
--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
|
--- strongswan-5.9.3.org/src/_updown/_updown.in 2020-12-09 19:01:30.000000000 +0100
|
||||||
+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-18 14:51:34.446203334 +0200
|
+++ strongswan-5.9.3/src/_updown/_updown.in 2021-10-25 13:41:23.791826699 +0200
|
||||||
@@ -242,12 +242,15 @@
|
@@ -242,12 +242,9 @@
|
||||||
# connection to me, with (left/right)firewall=yes, coming up
|
# connection to me, with (left/right)firewall=yes, coming up
|
||||||
# This is used only by the default updown script, not by your custom
|
# This is used only by the default updown script, not by your custom
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
@@ -10,17 +10,12 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
||||||
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||||
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
||||||
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
||||||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
|
||||||
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||||
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
#
|
#
|
||||||
# allow IPIP traffic because of the implicit SA created by the kernel if
|
# allow IPIP traffic because of the implicit SA created by the kernel if
|
||||||
# IPComp is used (for small inbound packets that are not compressed)
|
# IPComp is used (for small inbound packets that are not compressed)
|
||||||
@@ -263,10 +266,10 @@
|
@@ -263,10 +260,10 @@
|
||||||
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
||||||
then
|
then
|
||||||
logger -t $TAG -p $FAC_PRIO \
|
logger -t $TAG -p $FAC_PRIO \
|
||||||
@@ -33,26 +28,21 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@@ -274,12 +277,15 @@
|
@@ -274,12 +271,9 @@
|
||||||
# connection to me, with (left/right)firewall=yes, going down
|
# connection to me, with (left/right)firewall=yes, going down
|
||||||
# This is used only by the default updown script, not by your custom
|
# This is used only by the default updown script, not by your custom
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
||||||
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
||||||
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
-d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
||||||
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
|
||||||
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||||
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
#
|
#
|
||||||
# IPIP exception teardown
|
# IPIP exception teardown
|
||||||
if [ -n "$PLUTO_IPCOMP" ]
|
if [ -n "$PLUTO_IPCOMP" ]
|
||||||
@@ -294,10 +300,10 @@
|
@@ -294,10 +288,10 @@
|
||||||
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
||||||
then
|
then
|
||||||
logger -t $TAG -p $FAC_PRIO -- \
|
logger -t $TAG -p $FAC_PRIO -- \
|
||||||
@@ -65,23 +55,18 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@@ -307,24 +313,30 @@
|
@@ -307,24 +301,18 @@
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
||||||
then
|
then
|
||||||
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
||||||
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
||||||
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
|
|
||||||
+ iptables --wait -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
||||||
-s $PLUTO_MY_CLIENT $S_MY_PORT \
|
|
||||||
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
+ iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
||||||
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
|
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
# a virtual IP requires an INPUT and OUTPUT rule on the host
|
# a virtual IP requires an INPUT and OUTPUT rule on the host
|
||||||
@@ -93,18 +78,13 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
||||||
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
|
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
||||||
+ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
||||||
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
||||||
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
||||||
-s $PLUTO_MY_CLIENT $S_MY_PORT \
|
|
||||||
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
|
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
# allow IPIP traffic because of the implicit SA created by the kernel if
|
# allow IPIP traffic because of the implicit SA created by the kernel if
|
||||||
@@ -332,7 +344,7 @@
|
@@ -332,7 +320,7 @@
|
||||||
# INPUT is correct here even for forwarded traffic.
|
# INPUT is correct here even for forwarded traffic.
|
||||||
if [ -n "$PLUTO_IPCOMP" ]
|
if [ -n "$PLUTO_IPCOMP" ]
|
||||||
then
|
then
|
||||||
@@ -113,7 +93,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@@ -342,12 +354,29 @@
|
@@ -342,12 +330,29 @@
|
||||||
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
||||||
then
|
then
|
||||||
logger -t $TAG -p $FAC_PRIO \
|
logger -t $TAG -p $FAC_PRIO \
|
||||||
@@ -145,25 +125,19 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
;;
|
;;
|
||||||
down-client:iptables)
|
down-client:iptables)
|
||||||
# connection to client subnet, with (left/right)firewall=yes, going down
|
# connection to client subnet, with (left/right)firewall=yes, going down
|
||||||
@@ -355,34 +384,42 @@
|
@@ -355,34 +360,26 @@
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
||||||
then
|
then
|
||||||
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
+ iptables --wait -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
||||||
-s $PLUTO_MY_CLIENT $S_MY_PORT \
|
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
||||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
|
||||||
- $IPSEC_POLICY_OUT -j ACCEPT
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
-d $PLUTO_MY_CLIENT $D_MY_PORT \
|
-d $PLUTO_MY_CLIENT $D_MY_PORT \
|
||||||
- $IPSEC_POLICY_IN -j ACCEPT
|
- $IPSEC_POLICY_IN -j ACCEPT
|
||||||
+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
|
|
||||||
+ iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
|
||||||
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
||||||
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
|
|
||||||
+ $IPSEC_POLICY_IN -j RETURN
|
+ $IPSEC_POLICY_IN -j RETURN
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@@ -177,16 +151,10 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-d $PLUTO_MY_CLIENT $D_MY_PORT \
|
-d $PLUTO_MY_CLIENT $D_MY_PORT \
|
||||||
- $IPSEC_POLICY_IN -j ACCEPT
|
- $IPSEC_POLICY_IN -j ACCEPT
|
||||||
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
+ $IPSEC_POLICY_IN -j CONNMARK --set-xmark 0x00800000/0x00800000
|
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
||||||
+ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
||||||
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
|
||||||
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
|
|
||||||
+ $IPSEC_POLICY_IN -j RETURN
|
|
||||||
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
|
||||||
-s $PLUTO_MY_CLIENT $S_MY_PORT \
|
|
||||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
|
||||||
- $IPSEC_POLICY_OUT -j ACCEPT
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
+ $IPSEC_POLICY_OUT -j CONNMARK --set-xmark 0x00800000/0x00800000
|
+ $IPSEC_POLICY_IN -j RETURN
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
# IPIP exception teardown
|
# IPIP exception teardown
|
||||||
@@ -197,7 +165,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@@ -392,12 +429,29 @@
|
@@ -392,12 +389,29 @@
|
||||||
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
|
||||||
then
|
then
|
||||||
logger -t $TAG -p $FAC_PRIO -- \
|
logger -t $TAG -p $FAC_PRIO -- \
|
||||||
@@ -229,7 +197,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
;;
|
;;
|
||||||
#
|
#
|
||||||
# IPv6
|
# IPv6
|
||||||
@@ -422,10 +476,10 @@
|
@@ -422,10 +436,10 @@
|
||||||
# connection to me, with (left/right)firewall=yes, coming up
|
# connection to me, with (left/right)firewall=yes, coming up
|
||||||
# This is used only by the default updown script, not by your custom
|
# This is used only by the default updown script, not by your custom
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
@@ -242,7 +210,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||||
#
|
#
|
||||||
@@ -454,10 +508,10 @@
|
@@ -454,10 +468,10 @@
|
||||||
# connection to me, with (left/right)firewall=yes, going down
|
# connection to me, with (left/right)firewall=yes, going down
|
||||||
# This is used only by the default updown script, not by your custom
|
# This is used only by the default updown script, not by your custom
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
@@ -255,7 +223,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
|
||||||
#
|
#
|
||||||
@@ -487,10 +541,10 @@
|
@@ -487,10 +501,10 @@
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
|
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
|
||||||
then
|
then
|
||||||
@@ -268,7 +236,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
||||||
fi
|
fi
|
||||||
@@ -499,10 +553,10 @@
|
@@ -499,10 +513,10 @@
|
||||||
# or sometimes host access via the internal IP is needed
|
# or sometimes host access via the internal IP is needed
|
||||||
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
||||||
then
|
then
|
||||||
@@ -281,7 +249,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_MY_CLIENT $S_MY_PORT \
|
-s $PLUTO_MY_CLIENT $S_MY_PORT \
|
||||||
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
fi
|
fi
|
||||||
@@ -535,11 +589,11 @@
|
@@ -535,11 +549,11 @@
|
||||||
# ones, so do not mess with it; see CAUTION comment up at top.
|
# ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
|
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
|
||||||
then
|
then
|
||||||
@@ -295,7 +263,7 @@ diff -Naur strongswan-5.9.3.org/src/_updown/_updown.in strongswan-5.9.3/src/_upd
|
|||||||
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
-d $PLUTO_MY_CLIENT $D_MY_PORT \
|
-d $PLUTO_MY_CLIENT $D_MY_PORT \
|
||||||
$IPSEC_POLICY_IN -j ACCEPT
|
$IPSEC_POLICY_IN -j ACCEPT
|
||||||
@@ -549,11 +603,11 @@
|
@@ -549,11 +563,11 @@
|
||||||
# or sometimes host access via the internal IP is needed
|
# or sometimes host access via the internal IP is needed
|
||||||
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
||||||
then
|
then
|
||||||
|
|||||||
Reference in New Issue
Block a user