Add strongswan (#1330)

[lede.git] / package / strongswan / patches / 210-updown.patch

diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
--- strongswan-2.8.2-orig/programs/_updown/_updown.8    2006-04-17 02:48:49.000000000 -0400
+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500
@@ -8,8 +8,23 @@
 .I _updown
 is invoked by pluto when it has brought up a new connection. This script
 is used to insert the appropriate routing entries for IPsec operation.
-It can also be used to insert and delete dynamic iptables firewall rules.
-The interface to the script is documented in the pluto man page.
+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
+tables. Most distributions will want to change that to provide more
+flexibility in their firewall configuration.
+The script looks for the environment variables
+.B IPSEC_UPDOWN_RULE_IN
+for the iptables table it should insert into,
+.B IPSEC_UPDOWN_DEST_IN
+for where the rule should -j jump to,
+.B IPSEC_UPDOWN_RULE_OUT
+.B IPSEC_UPDOWN_DEST_OUT
+for the same on outgoing packets, and
+.B IPSEC_UPDOWN_FWD_RULE_IN
+.B IPSEC_UPDOWN_FWD_DEST_IN
+.B IPSEC_UPDOWN_FWD_RULE_OUT
+.B IPSEC_UPDOWN_FWD_DEST_OUT
+respectively for packets being forwarded to/from the local networks.
 .SH "SEE ALSO"
 ipsec(8), ipsec_pluto(8).
 .SH HISTORY
diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
--- strongswan-2.8.2-orig/programs/_updown/_updown.in   2006-04-17 11:06:29.000000000 -0400
+++ strongswan-2.8.2/programs/_updown/_updown.in        2007-02-05 02:08:24.969100428 -0500
@@ -5,6 +5,7 @@
 # Copyright (C) 2003-2004 Tuomo Soini
 # Copyright (C) 2002-2004 Michael Richardson
 # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
 # 
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -118,20 +119,61 @@
 #              restricted on the peer side.
 #
 
-# uncomment to log VPN connections
-VPN_LOGGING=1
-#
+# set to /bin/true to silence log messages
+LOGGER=logger
+
 # tag put in front of each log entry:
 TAG=vpn
-#
+
 # syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice                   -/var/log/vpn
-#
+FAC_PRIO=authpriv.info
+
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
+       IPSEC_POLICY_IN=""
+       IPSEC_POLICY_OUT=""
+else
+       IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+       IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+       IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ] ; then
+       S_MY_PORT="--sport $PLUTO_MY_PORT"
+       D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+
+if [ "$PLUTO_PEER_PORT" != 0 ] ; then
+       S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+       D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# import firewall behavior
+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
+
+# import forwarding behavior
+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
+
+# default firewall behavior
+[ -z "$IPT_RULE_IN"  ] && IPT_RULE_IN=INPUT
+[ -z "$IPT_DEST_IN"  ] && IPT_DEST_IN=ACCEPT
+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
+
+# default forwarding behavior
+[ -z "$FWD_RULE_IN"  ] && FWD_RULE_IN=FORWARD
+[ -z "$FWD_DEST_IN"  ] && FWD_DEST_IN=ACCEPT
+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
+
 
 # check interface version
 case "$PLUTO_VERSION" in
@@ -150,8 +192,6 @@
 case "$1:$*" in
 ':')                   # no parameters
        ;;
-iptables:iptables)     # due to (left/right)firewall; for default script only
-       ;;
 custom:*)              # custom parameters (see above CAUTION comment)
        ;;
 *)     echo "$0: unknown parameters \`$*'" >&2
@@ -159,345 +199,307 @@
        ;;
 esac
 
+
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
+
 uproute() {
        doroute add
        ip route flush cache
 }
+
 downroute() {
        doroute delete
        ip route flush cache
 }
 
+upfirewall() {
+       in_rule=$1
+       in_dest=$2
+       out_rule=$3
+       out_dest=$4
+
+       [ -n "$in_rule" -a -n "$in_dest" ] &&           \
+       iptables -I $in_rule 1                          \
+               -i $PLUTO_INTERFACE                     \
+               -p $PLUTO_MY_PROTOCOL                   \
+               -s $PLUTO_PEER_CLIENT   $S_PEER_PORT    \
+               -d $PLUTO_MY_CLIENT     $D_MY_PORT      \
+               $IPSEC_POLICY_IN                        \
+               -j $in_dest
+
+       [ -n "$out_rule" -a -n "$out_dest" ] &&         \
+       iptables -I $out_rule 1                         \
+               -o $PLUTO_INTERFACE                     \
+               -p $PLUTO_PEER_PROTOCOL                 \
+               -s $PLUTO_MY_CLIENT     $S_MY_PORT      \
+               -d $PLUTO_PEER_CLIENT   $D_PEER_PORT    \
+               $IPSEC_POLICY_OUT                       \
+               -j $out_dest
+
+}
+
+downfirewall() {
+       in_rule=$1
+       in_dest=$2
+       out_rule=$3
+       out_dest=$4
+
+       [ -n "$in_rule" -a -n "$in_dest" ] &&           \
+       iptables -D $in_rule                            \
+               -i $PLUTO_INTERFACE                     \
+               -p $PLUTO_MY_PROTOCOL                   \
+               -s $PLUTO_PEER_CLIENT   $S_PEER_PORT    \
+               -d $PLUTO_MY_CLIENT     $D_MY_PORT      \
+               $IPSEC_POLICY_IN                        \
+               -j $in_dest
+
+       [ -n "$out_rule" -a -n "$out_dest" ] &&         \
+       iptables -D $out_rule                           \
+               -o $PLUTO_INTERFACE                     \
+               -p $PLUTO_PEER_PROTOCOL                 \
+               -s $PLUTO_MY_CLIENT     $S_MY_PORT      \
+               -d $PLUTO_PEER_CLIENT   $D_PEER_PORT    \
+               $IPSEC_POLICY_OUT                       \
+               -j $out_dest
+
+}
+
 addsource() {
        st=0
-       if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-       then
+
+       if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
+
            it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
            oops="`eval $it 2>&1`"
            st=$?
-           if test " $oops" = " " -a " $st" != " 0"
-           then
+
+           if [ " $oops"  = " " -a " $st" != " 0" ] ; then
                oops="silent error, exit status $st"
            fi
-           if test " $oops" != " " -o " $st" != " 0"
-           then
+
+           if [ " $oops" != " " -o " $st" != " 0" ] ; then
                echo "$0: addsource \`$it' failed ($oops)" >&2
            fi
        fi
+
        return $st
 }
 
 doroute() {
        st=0
        parms="$PLUTO_PEER_CLIENT"
+       parms2="dev $PLUTO_INTERFACE"
 
-       parms2=
-       if [ -n "$PLUTO_NEXT_HOP" ]
-       then
-          parms2="via $PLUTO_NEXT_HOP"
-       fi
-       parms2="$parms2 dev $PLUTO_INTERFACE"
-
-       if [ -z "$PLUTO_MY_SOURCEIP" ]
-       then
-           if [ -f /etc/sysconfig/defaultsource ]
-           then
-               . /etc/sysconfig/defaultsource
-           fi
+       if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
 
-           if [ -f /etc/conf.d/defaultsource ]
-           then
-               . /etc/conf.d/defaultsource
-           fi
+               [ -f /etc/sysconfig/defaultsource ] && \
+                       . /etc/sysconfig/defaultsource
+
+               [ -f /etc/conf.d/defaultsource ] && \
+                       . /etc/conf.d/defaultsource
+
+               [ -n "$DEFAULTSOURCE" ] && \
+                       PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
 
-           if [ -n "$DEFAULTSOURCE" ]
-           then
-               PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-           fi
         fi
 
        parms3=
-       if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
-       then
+       if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
            addsource
            parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
        fi
 
-       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-       "0.0.0.0/0.0.0.0")
+       if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
+                                               "0.0.0.0/0.0.0.0" ] ; then
                # opportunistic encryption work around
                # need to provide route that eclipses default, without 
                # replacing it.
-               it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-                       ip route $1 128.0.0.0/1 $parms2 $parms3"
-               ;;
-       *)      it="ip route $1 $parms $parms2 $parms3"
-               ;;
-       esac
+               it="ip route $1   0.0.0.0/1 $parms2 $parms3 &&
+                   ip route $1 128.0.0.0/1 $parms2 $parms3"
+       else
+               it="ip route $1 $parms $parms2 $parms3"
+       fi
+
        oops="`eval $it 2>&1`"
        st=$?
-       if test " $oops" = " " -a " $st" != " 0"
-       then
-           oops="silent error, exit status $st"
-       fi
-       if test " $oops" != " " -o " $st" != " 0"
-       then
-           echo "$0: doroute \`$it' failed ($oops)" >&2
+
+       if [ " $oops" = " " -a " $st" != " 0" ] ; then
+               oops="silent error, exit status $st"
        fi
+
+       if [ " $oops" != " " -o " $st" != " 0" ] ; then
+               echo "$0: doroute \`$it' failed ($oops)" >&2
+       fi
+
        return $st
 }
- 
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
-       IPSEC_POLICY_IN=""
-       IPSEC_POLICY_OUT=""
-else
-       IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
-       IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-       IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
 
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
-       S_MY_PORT="--sport $PLUTO_MY_PORT"
-       D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
-       S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-       D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
+dologentry() {
+       action=$1
+
+       if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
+               rem="$PLUTO_PEER"
+       else
+               rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
+       fi
+
+       if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
+               loc="$PLUTO_ME"
+       else
+               loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
+       fi
+
+       $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
+}
+
 
 # the big choice
+
 case "$PLUTO_VERB:$1" in
 prepare-host:*|prepare-client:*)
        # delete possibly-existing route (preliminary to adding a route)
-       case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-       "0.0.0.0/0.0.0.0")
-               # need to provide route that eclipses default, without 
+
+       if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
+                                               "0.0.0.0/0.0.0.0" ] ; then
+               # need to remove the route that eclipses default, without 
                # replacing it.
-               parms1="0.0.0.0/1"
-               parms2="128.0.0.0/1"
-               it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-               oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-               ;;
-       *)
-               parms="$PLUTO_PEER_CLIENT"
-               it="ip route delete $parms 2>&1"
-               oops="`ip route delete $parms 2>&1`"
-               ;;
-       esac
-       status="$?"
-       if test " $oops" = " " -a " $status" != " 0"
-       then
-               oops="silent error, exit status $status"
+               it="( ip route delete   0.0.0.0/1 ;
+                     ip route delete 128.0.0.0/1 )"
+       else
+               it="ip route delete $PLUTO_PEER_CLIENT"
+       fi
+
+       oops="`$it 2>&1`"
+       st="$?"
+
+       if [ " $oops" = " " -a " $st" != " 0" ] ; then
+               oops="silent error, exit status $st"
        fi
+
        case "$oops" in
        *'RTNETLINK answers: No such process'*) 
                # This is what route (currently -- not documented!) gives
                # for "could not find such a route".
                oops=
-               status=0
+               st=0
                ;;
        esac
-       if test " $oops" != " " -o " $status" != " 0"
-       then
+
+       if [ " $oops" != " " -o " $st" != " 0" ] ; then
                echo "$0: \`$it' failed ($oops)" >&2
        fi
-       exit $status
+
+       exit $st
+
        ;;
 route-host:*|route-client:*)
        # connection to me or my client subnet being routed
+
+       ipsec _showstatus valid
        uproute
+
        ;;
 unroute-host:*|unroute-client:*)
        # connection to me or my client subnet being unrouted
+
+       ipsec _showstatus invalid
        downroute
+
        ;;
-up-host:)
+up-host:*)
        # connection to me coming up
-       # If you are doing a custom version, firewall commands go here.
+
+       ipsec _showstatus up
+       upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+       dologentry "VPN-UP"
+
        ;;
-down-host:)
+down-host:*)
        # connection to me going down
-       # If you are doing a custom version, firewall commands go here.
-       ;;
-up-client:)
-       # connection to my client subnet coming up
-       # If you are doing a custom version, firewall commands go here.
-       ;;
-down-client:)
-       # connection to my client subnet going down
-       # If you are doing a custom version, firewall commands go here.
+
+       ipsec _showstatus down
+       downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+       dologentry "VPN-DN"
+
        ;;
-up-host:iptables)
-       # connection to me, with (left/right)firewall=yes, coming up
-       # This is used only by the default updown script, not by your custom
-       # ones, so do not mess with it; see CAUTION comment up at top.
-       iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-           -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-       iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-           -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-       #
-       # log IPsec host connection setup
-       if [ $VPN_LOGGING ]
-       then
-         if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-         then
-           logger -t $TAG -p $FAC_PRIO \
-             "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-         else
-           logger -t $TAG -p $FAC_PRIO \
-             "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-         fi
-       fi      
-       ;;
-down-host:iptables)
-       # connection to me, with (left/right)firewall=yes, going down
-       # This is used only by the default updown script, not by your custom
-       # ones, so do not mess with it; see CAUTION comment up at top.
-       iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-           -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
-       iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-           -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
-       #
-       # log IPsec host connection teardown
-       if [ $VPN_LOGGING ]
-       then
-         if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-         then
-           logger -t $TAG -p $FAC_PRIO -- \
-             "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
-         else
-           logger -t $TAG -p $FAC_PRIO -- \
-           "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
-         fi
-       fi
-       ;;
-up-client:iptables)
-       # connection to client subnet, with (left/right)firewall=yes, coming up
-       # This is used only by the default updown script, not by your custom
-       # ones, so do not mess with it; see CAUTION comment up at top.
-       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-       then
-         iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-                $IPSEC_POLICY_OUT -j ACCEPT
-         iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-                $IPSEC_POLICY_IN -j ACCEPT
+up-client:*)
+       # connection to client subnet coming up
+
+       ipsec _showstatus up
+
+       if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
+            "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
+               upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
        fi
-       #
+
        # a virtual IP requires an INPUT and OUTPUT rule on the host
        # or sometimes host access via the internal IP is needed
-       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-       then
-         iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-                $IPSEC_POLICY_IN -j ACCEPT
-         iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-                $IPSEC_POLICY_OUT -j ACCEPT
-       fi
-       #
-       # log IPsec client connection setup
-       if [ $VPN_LOGGING ]
-       then
-         if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-         then
-           logger -t $TAG -p $FAC_PRIO \
-             "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-         else
-           logger -t $TAG -p $FAC_PRIO \
-             "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-         fi
-       fi
-       ;;
-down-client:iptables)
-       # connection to client subnet, with (left/right)firewall=yes, going down
-       # This is used only by the default updown script, not by your custom
-       # ones, so do not mess with it; see CAUTION comment up at top.
-       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
-       then
-         iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-                $IPSEC_POLICY_OUT -j ACCEPT
-         iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-                $IPSEC_POLICY_IN -j ACCEPT
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
+               upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+       fi
+
+       dologentry "VPN-UP"
+
+       ;;
+down-client:*)
+       # connection to client subnet going down
+
+       ipsec _showstatus down
+
+       if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
+            "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
+               downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
        fi
-       #
+
        # a virtual IP requires an INPUT and OUTPUT rule on the host
        # or sometimes host access via the internal IP is needed
-       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
-       then
-         iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-             -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
-             -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
-                $IPSEC_POLICY_IN -j ACCEPT
-         iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-             -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
-             -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
-                $IPSEC_POLICY_OUT -j ACCEPT
-       fi
-       #
-       # log IPsec client connection teardown
-       if [ $VPN_LOGGING ]
-       then
-         if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
-         then
-           logger -t $TAG -p $FAC_PRIO -- \
-             "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-         else
-           logger -t $TAG -p $FAC_PRIO -- \
-             "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
-         fi
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
+               downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
        fi
+
+       dologentry "VPN-DN"
+
        ;;
-#
-# IPv6
-#
 prepare-host-v6:*|prepare-client-v6:*)
+
        ;;
 route-host-v6:*|route-client-v6:*)
        # connection to me or my client subnet being routed
+
        #uproute_v6
+
        ;;
 unroute-host-v6:*|unroute-client-v6:*)
        # connection to me or my client subnet being unrouted
+
        #downroute_v6
+
        ;;
 up-host-v6:*)
        # connection to me coming up
        # If you are doing a custom version, firewall commands go here.
+
        ;;
 down-host-v6:*)
        # connection to me going down
        # If you are doing a custom version, firewall commands go here.
+
        ;;
 up-client-v6:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
+
        ;;
 down-client-v6:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
+
        ;;
-*)     echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+*)
+       echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
        exit 1
+
        ;;
 esac
+