
Contents of /rpms/smeserver-openswan/contribs8/smeserver-openswan-fix-masq-templates.patch



Revision 1.2 - (show annotations) (download)
Thu Mar 24 15:54:56 2016 UTC (8 years, 1 month ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-openswan-0_6-5_el5_sme, smeserver-openswan-0_6-6_el5_sme, smeserver-openswan-0_6-7_el5_sme, HEAD
Changes since 1.1: +0 -90 lines
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.6-5.sme
- Add debug db key to /etc/ipsec.conf
- Remove setting of public/private keys as they won't take effect unless templates are re-expanded
- Set xfrm_larval_drop drop correctly
- minor formatting

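--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
@@ -1,9 +1,16 @@
+# Required PostRouting for VPN
+
 {
- my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
 
- if ( $ipsec_access eq 'public' ) {
+ if ( $ipsec_status eq 'enabled' ) {
 $OUT .= " # Do not NAT VPN traffic\n";
- $OUT .=
-" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ }
+
+ else {
+ $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
 }
 }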
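Review bot: The new header comment `# Required PostRouting for VPN` names the table but not what the rule achieves, and the generated script's own `# Do not NAT VPN traffic` adds little; suggest `# Exempt packets that match an outbound IPsec policy from masquerading (ACCEPT in nat POSTROUTING means no NAT), so traffic sent through the tunnel keeps its internal source address`. The commented-out `# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";` is dead debug code and should be dropped rather than shipped in the template; the same line appears in 56AllowESP and 90adjustESP. The blank line between `}` and `else {` makes the `else` look detached from its `if`; keep the two on adjacent lines.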
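--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
@@ -1,14 +1,18 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
 
 {
-my $ipsec_access = $ipsec{access};
+ my $ipsec_status = $ipsec{status} || '';
 
-if ($ipsec_access eq 'public') {
+# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
 
- $OUT .= " /sbin/iptables --new-chain esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
- }
+ if ( $ipsec_status eq 'enabled' ) {
+ $OUT .= " /sbin/iptables --new-chain esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
+ }
+ else {
+ $OUT .= " # 56AllowESP disabled\n";
+ }
 }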
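Review bot: The re-added line `$OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";` escapes `!` inside a double-quoted Perl string; `\!` is not a recognised escape, so it passes through as a bare `!` but raises an "Unrecognized escape" warning if the fragment is compiled with warnings on, and the sibling 90adjustESP writes the same rule with a plain `!`. Change it to `$OUT .= " /sbin/iptables --append esp-in ! -d \$OUTERNET -j denylog\n";` so the two fragments agree. Since the `esp-in` chain is now only created when the status is `enabled`, a one-line comment at the `if`, such as `# 90adjustESP relies on this chain existing whenever status is enabled`, would make the coupling between the two fragments visible to the next editor.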
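--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
+++ smeserver-openswan-0.6/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
@@ -1,12 +1,16 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
+
 {
- my $ipsec_access = $ipsec{access};
- my $ipsec_status = $ipsec{status};
- if ( $ipsec_access eq 'public' ) {
-
- my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
 
+ if ( $ipsec_status eq 'enabled' ) {
+ my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
 $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
 $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
 }
+ else {
+ $OUT .= " # 90adjustESP disabled\n";
+ }
 }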
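Review bot: The ternary `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` now sits inside `if ( $ipsec_status eq 'enabled' )`, so its `denylog` branch is unreachable and `$target` is always `ACCEPT`; the old code could reach `denylog` because its outer guard was on `access`, not `status`. Drop the variable and emit the rule directly: `$OUT .= " /sbin/iptables --replace esp-in 2 -j ACCEPT\n";`. A one-line comment above the `if`, such as `# Open the esp-in chain created by 56AllowESP; when IPsec is disabled that chain is not created, so there is nothing to replace`, would document why this fragment and 56AllowESP must share the same guard.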
