/[smecontribs]/rpms/smeserver-openswan/contribs8/smeserver-openswan-fix-masq-templates.patch

Annotation of /rpms/smeserver-openswan/contribs8/smeserver-openswan-fix-masq-templates.patch



Revision 1.1 - (hide annotations) (download)
Tue Mar 22 17:25:42 2016 UTC (8 years, 8 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-openswan-0_6-3_el5_sme
* Tue Mar 22 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.6-3.sme
- Fix masq templates for missing db keys on install
- Move pluto.log to /var/log/pluto
- regenerate masq template on ipsec-update
- change wiki location page
- add sysctl.conf template
- modify masq templates for ipsec status enabled/disabled
- only load ipsec.conf rather than *.conf to avoid loading v6neighbor-hole.conf

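--- a/createlinks
+++ b/createlinks
@@ -12,6 +12,7 @@
 /etc/ipsec.secrets
 /etc/ipsec.d/ipsec.conf
 /etc/ipsec.d/ipsec.secrets
+ /etc/rc.d/init.d/masq
 ))
 {
 templates2events("$_", qw(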
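--- a/root/etc/e-smith/events/actions/ipsec-update
+++ b/root/etc/e-smith/events/actions/ipsec-update
@@ -43,8 +43,8 @@
 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
 
 # Do we check if it is already stopped ?
- # For now we stop it regradless
-
+ # For now we stop it regardless
+
 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
 
 # First set ipsec access to private which disables firewall rule
@@ -264,16 +264,11 @@
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
-
- # I don't believe these are required
- # system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
- # system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
- # system("/sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
- # system("/sbin/sysctl -w net.ipv4.conf.eth1.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
+
+ system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 
 system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
@@ -291,7 +286,9 @@
 
 sub resetRedirects {
 
-# system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
-# This should reset back to defaults
- system("/sbin/sysctl -p") == 0 or die("A problem occurred with sysctl: $?");
+ # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
+ # This should reset back to defaults
+ system("/sbin/sysctl -p") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 }
+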
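Review bot: The new `or die("Ipsec Error - A problem occurred with sysctl: $?")` lines in the accept_redirects hunk and in resetRedirects report the raw wait status, so a sysctl exit code of 1 is printed as 256; `$? >> 8` gives the exit code a reader expects, and the same applies to the pre-existing die calls around them. The removed comment "I don't believe these are required" was the only explanation of why these settings were disabled, and the re-enabled `all`/`default` pair carries no explanation of why the per-interface keys (`eth0`, `eth1`) are now left out; a one-line comment such as `# all/default are set instead of per-interface keys — confirm they cover every interface that carries IPsec` would record the intent. The function enclosing the accept_redirects hunk starts and ends outside the hunk; resetRedirects is shown in full.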
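--- a/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
+++ b/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
@@ -30,7 +30,7 @@
 $OUT .= " protostack=netkey\n";
 $OUT .= " #plutodebug=none\n";
 $OUT .= " #klipsdebug=none\n";
- $OUT .= " plutostderrlog=/var/log/pluto.log\n";
+ $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
 $OUT .= " dumpdir=/var/run/pluto/\n";
 $OUT .= " nat_traversal=yes\n";
 
@@ -66,7 +66,7 @@
 chop($virtual_private);
 $OUT .= "$virtual_private\n";
 $OUT .= "\n";
- $OUT .= "include /etc/ipsec.d/*.conf\n";
+ $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
 
 # End else
 }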
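Review bot: Moving `plutostderrlog` to `/var/log/pluto/pluto.log` makes service start depend on the `/var/log/pluto` directory existing, and nothing in this patch creates it; if it is created by the spec file or a createlinks entry outside this diff, a comment on the changed line such as `# /var/log/pluto is created at package install — keep in sync with the spec` would tie the two together, otherwise pluto cannot open its log on a fresh install. The logrotate template in this commit already uses the same path, so the two agree. The `else` block enclosing the second hunk starts outside the hunk.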
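--- a/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
+++ b/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
@@ -1,4 +1,4 @@
-/var/log/pluto.log \{
+/var/log/pluto/pluto.log \{
 missingok
 notifempty
 compress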
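--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
@@ -1,9 +1,16 @@
+# Required PostRouting for VPN
+
 {
- my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
 
- if ( $ipsec_access eq 'public' ) {
+ if ( $ipsec_status eq 'enabled' ) {
 $OUT .= " # Do not NAT VPN traffic\n";
- $OUT .=
-" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ }
+
+ else {
+ $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
 }
 }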
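Review bot: The commented-out debug line `# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";` is dead code in a shipped template, and the same line is added in 56AllowESP and 90adjustESP; either drop it or turn it into a real comment that says what the branch does. Switching the gate from `$ipsec{access} eq 'public'` to `$ipsec{status} eq 'enabled'` silently drops the `access` check in all three templates, so the POSTROUTING exemption and the esp-in chain are now emitted whether or not access is public; if that is intended, a comment such as `# gated on status only; access is handled elsewhere — confirm` on the `if` line would stop the next reader from treating it as an oversight. The `|| ''` default is what makes a missing db key expand cleanly instead of warning, which is worth one short comment on that line.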
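--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
@@ -1,14 +1,18 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
 
 {
-my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
 
-if ($ipsec_access eq 'public') {
+# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
 
- $OUT .= " /sbin/iptables --new-chain esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
- }
+ if ( $ipsec_status eq 'enabled' ) {
+ $OUT .= " /sbin/iptables --new-chain esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
+ }
+ else {
+ $OUT .= " # 56AllowESP disabled\n";
+ }
 }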
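--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
@@ -1,12 +1,16 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
+
 {
- my $ipsec_access = $ipsec{access};
- my $ipsec_status = $ipsec{status};
- if ( $ipsec_access eq 'public' ) {
-
- my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
 
+ if ( $ipsec_status eq 'enabled' ) {
+ my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
 $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
 $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
 }
+ else {
+ $OUT .= " # 90adjustESP disabled\n";
+ }
 }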
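Review bot: `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` now sits inside `if ( $ipsec_status eq 'enabled' )`, so the ternary can only ever yield `ACCEPT` and the `denylog` arm is unreachable; replace it with `my $target = "ACCEPT";` or write `-j ACCEPT` directly on the `--replace esp-in 2` line, which also makes it obvious that the disabled case relies on 56AllowESP never creating the chain. A smaller consistency nit: 56AllowESP writes `\! -d \$OUTERNET` while this template writes `! -d \$OUTERNET`; both produce the same text because `\!` in a double-quoted Perl string is just `!`, but one spelling across the templates is easier to grep.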
