/[smecontribs]/rpms/smeserver-openswan/contribs8/smeserver-openswan-fix-masq-templates.patch
ViewVC logotype

Contents of /rpms/smeserver-openswan/contribs8/smeserver-openswan-fix-masq-templates.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (show annotations) (download)
Tue Mar 22 17:25:42 2016 UTC (8 years, 8 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-openswan-0_6-3_el5_sme 
* Tue Mar 22 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.6-3.sme
- Fix masq templates for missing db keys on install
- Move pluto.log to /var/log/pluto
- regenerate masq template on ipsec-update
- change wiki location page
- add sysctl.conf template
- modify masq templates for ipsec status enabled/disabled
- only load ipsec.conf rather than *.conf to avoid loading v6neighbor-hole.conf
1 diff -ruN smeserver-openswan-0.6.old/createlinks smeserver-openswan-0.6/createlinks
2 --- smeserver-openswan-0.6.old/createlinks 2015-12-05 13:03:18.000000000 +0100
3 +++ smeserver-openswan-0.6/createlinks 2016-03-22 18:24:42.670000613 +0100
4 @@ -12,6 +12,7 @@
5 /etc/ipsec.secrets
6 /etc/ipsec.d/ipsec.conf
7 /etc/ipsec.d/ipsec.secrets
8 + /etc/rc.d/init.d/masq
9 ))
10 {
11 templates2events("$_", qw(
12 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update smeserver-openswan-0.6/root/etc/e-smith/events/actions/ipsec-update
13 --- smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update 2015-12-05 13:03:18.000000000 +0100
14 +++ smeserver-openswan-0.6/root/etc/e-smith/events/actions/ipsec-update 2016-03-22 18:24:42.669000612 +0100
15 @@ -43,8 +43,8 @@
16 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
17
18 # Do we check if it is already stopped ?
19 - # For now we stop it regradless
20 -
21 + # For now we stop it regardless
22 +
23 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
24
25 # First set ipsec access to private which disables firewall rule
26 @@ -264,16 +264,11 @@
27 or die("Ipsec Error - A problem occurred with sysctl: $?");
28 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
29 or die("Ipsec Error - A problem occurred with sysctl: $?");
30 -
31 - # I don't believe these are required
32 - # system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
33 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
34 - # system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
35 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
36 - # system("/sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0") == 0
37 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
38 - # system("/sbin/sysctl -w net.ipv4.conf.eth1.accept_redirects=0") == 0
39 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
40 +
41 + system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
42 + or die("Ipsec Error - A problem occurred with sysctl: $?");
43 + system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
44 + or die("Ipsec Error - A problem occurred with sysctl: $?");
45
46 system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
47 or die("Ipsec Error - A problem occurred with sysctl: $?");
48 @@ -291,7 +286,9 @@
49
50 sub resetRedirects {
51
52 -# system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
53 -# This should reset back to defaults
54 - system("/sbin/sysctl -p") == 0 or die("A problem occurred with sysctl: $?");
55 + # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
56 + # This should reset back to defaults
57 + system("/sbin/sysctl -p") == 0
58 + or die("Ipsec Error - A problem occurred with sysctl: $?");
59 }
60 +
61 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-openswan-0.6/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
62 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2015-12-05 13:03:18.000000000 +0100
63 +++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-22 18:24:42.670000613 +0100
64 @@ -30,7 +30,7 @@
65 $OUT .= " protostack=netkey\n";
66 $OUT .= " #plutodebug=none\n";
67 $OUT .= " #klipsdebug=none\n";
68 - $OUT .= " plutostderrlog=/var/log/pluto.log\n";
69 + $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
70 $OUT .= " dumpdir=/var/run/pluto/\n";
71 $OUT .= " nat_traversal=yes\n";
72
73 @@ -66,7 +66,7 @@
74 chop($virtual_private);
75 $OUT .= "$virtual_private\n";
76 $OUT .= "\n";
77 - $OUT .= "include /etc/ipsec.d/*.conf\n";
78 + $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
79
80 # End else
81 }
82 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto smeserver-openswan-0.6/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
83 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2015-12-05 13:03:18.000000000 +0100
84 +++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-03-22 18:24:42.670000613 +0100
85 @@ -1,4 +1,4 @@
86 -/var/log/pluto.log \{
87 +/var/log/pluto/pluto.log \{
88 missingok
89 notifempty
90 compress
91 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
92 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2015-12-05 13:03:18.000000000 +0100
93 +++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:24:42.670000613 +0100
94 @@ -1,9 +1,16 @@
95 +# Required PostRouting for VPN
96 +
97 {
98 - my $ipsec_access = $ipsec{access};
99 + my $ipsec_status = $ipsec{status} || '';
100 +
101 +# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
102
103 - if ( $ipsec_access eq 'public' ) {
104 + if ( $ipsec_status eq 'enabled' ) {
105 $OUT .= " # Do not NAT VPN traffic\n";
106 - $OUT .=
107 -" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
108 + $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
109 + }
110 +
111 + else {
112 + $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
113 }
114 }
115 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
116 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2015-12-05 13:03:18.000000000 +0100
117 +++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:24:42.670000613 +0100
118 @@ -1,14 +1,18 @@
119 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
120
121 {
122 -my $ipsec_access = $ipsec{access};
123 + my $ipsec_status = $ipsec{status} || '';
124
125 -if ($ipsec_access eq 'public') {
126 +# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
127
128 - $OUT .= " /sbin/iptables --new-chain esp-in\n";
129 - $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
130 - $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
131 - $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
132 - $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
133 - }
134 + if ( $ipsec_status eq 'enabled' ) {
135 + $OUT .= " /sbin/iptables --new-chain esp-in\n";
136 + $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
137 + $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
138 + $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
139 + $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
140 + }
141 + else {
142 + $OUT .= " # 56AllowESP disabled\n";
143 + }
144 }
145 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
146 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2015-12-05 13:03:18.000000000 +0100
147 +++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:24:42.670000613 +0100
148 @@ -1,12 +1,16 @@
149 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
150 +
151 {
152 - my $ipsec_access = $ipsec{access};
153 - my $ipsec_status = $ipsec{status};
154 - if ( $ipsec_access eq 'public' ) {
155 -
156 - my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
157 + my $ipsec_status = $ipsec{status} || '';
158 +
159 +# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
160
161 + if ( $ipsec_status eq 'enabled' ) {
162 + my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
163 $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
164 $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
165 }
166 + else {
167 + $OUT .= " # 90adjustESP disabled\n";
168 + }
169 }
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed