
Annotation of /rpms/smeserver-openswan/contribs8/smeserver-openswan-fix-masq-templates.patch



Revision 1.2 - (hide annotations) (download)
Thu Mar 24 15:54:56 2016 UTC (8 years, 2 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-openswan-0_6-5_el5_sme, smeserver-openswan-0_6-6_el5_sme, smeserver-openswan-0_6-7_el5_sme, HEAD
Changes since 1.1: +0 -90 lines
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.6-5.sme
- Add debug db key to /etc/ipsec.conf
- Remove setting public/private keys as they won't affect unless templates are re-expanded
- Set xfrm_larval_drop drop correctly
- minor formatting

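diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2015-12-05 13:03:18.000000000 +0100
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:24:42.670000613 +0100
@@ -1,9 +1,16 @@
+# Required PostRouting for VPN
+
 {
- my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
 
- if ( $ipsec_access eq 'public' ) {
+ if ( $ipsec_status eq 'enabled' ) {
 $OUT .= " # Do not NAT VPN traffic\n";
- $OUT .=
-" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ }
+
+ else {
+ $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
 }
 }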
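Review bot: The commented-out `# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";` added inside the template block is dead debugging code, and the same disabled print is added in the 56AllowESP and 90adjustESP hunks; it should be removed before merging rather than left for future "uncomment to debug". The blank line the patch inserts between `}` and `else {` also separates the two halves of one if/else, which is easy to misread when the else only emits a comment; `} else {` on one line, or `}` immediately followed by `else {`, keeps them visibly paired. The `|| ''` default on `$ipsec{status}` is a good addition since it avoids an uninitialized-value warning when the ipsec record is absent.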
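diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2015-12-05 13:03:18.000000000 +0100
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:24:42.670000613 +0100
@@ -1,14 +1,18 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
 
 {
-my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
 
-if ($ipsec_access eq 'public') {
+# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
 
- $OUT .= " /sbin/iptables --new-chain esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
- }
+ if ( $ipsec_status eq 'enabled' ) {
+ $OUT .= " /sbin/iptables --new-chain esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
+ }
+ else {
+ $OUT .= " # 56AllowESP disabled\n";
+ }
 }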
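Review bot: The new guard `if ( $ipsec_status eq 'enabled' )` is now the only condition on creating the `esp-in` chain, so the `access` property the old side tested for `public` no longer limits which hosts get the ESP entry rules on the external interface; once status is enabled the chain is set up whatever `ipsec access` holds, and 90adjustESP then switches rule 2 to ACCEPT under the same condition. If `access` is still a settable property of the ipsec record elsewhere in the package (not visible in this patch), either keep it as a second condition, `if ( $ipsec_status eq 'enabled' && ( $ipsec{access} || '' ) eq 'public' ) {`, or state in the commit log and the template's header comment that `access` is obsolete so an operator who still sets it to private is not surprised. Minor: `\!` in the `esp-in \! -d \$OUTERNET` line is an unrecognized escape that Perl passes through as a bare `!`; the 90adjustESP hunk writes the same match as plain `!`, which is clearer and should be used here too.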
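diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2015-12-05 13:03:18.000000000 +0100
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:24:42.670000613 +0100
@@ -1,12 +1,16 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
+
 {
- my $ipsec_access = $ipsec{access};
- my $ipsec_status = $ipsec{status};
- if ( $ipsec_access eq 'public' ) {
-
- my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
 
+ if ( $ipsec_status eq 'enabled' ) {
+ my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
 $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
 $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
 }
+ else {
+ $OUT .= " # 90adjustESP disabled\n";
+ }
 }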
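Review bot: Inside the new `if ( $ipsec_status eq 'enabled' )` guard, the line `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` can only ever yield ACCEPT, so the denylog arm is dead code and a reader will wonder which case it was meant to cover. Drop `$target` and write `$OUT .= " /sbin/iptables --replace esp-in 2 -j ACCEPT\n";` directly; if the intent was that a disabled service still rewrites an existing chain to denylog, the ternary would have to sit above the guard, but that cannot work here because 56AllowESP, under the same condition, no longer creates `esp-in` when status is not enabled, so the else branch emitting only a comment is the consistent choice. The context line `--replace esp-in 1 ! -d \$OUTERNET -j denylog` rewrites rule 1 with exactly what 56AllowESP appended and is pre-existing, so it is a no-op rather than a regression introduced here.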
