[Openswan dev] minor changes to _updown.ip2.in
Tuomo Soini
tis at foobar.fi
Sun May 30 01:20:25 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
These changes make it possible to use a different routing table for ipsec
traffic (configurable via /etc/sysconfig/openswan) and make it again
possible not to use a nexthop for non-OE connections.
And I added some documentation too.
- --
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAuP6ZTlrZKzwul1ERAtDVAJ40pV12GzmDC2cjSuONRFnvH9XGXQCgnPqV
wP2xoMuUqQlRQoRL793wqJs=
=9CLl
-----END PGP SIGNATURE-----
-------------- next part --------------
--- _updown.ip2.in~ 2004-05-29 23:34:35.000000000 +0300
+++ _updown.ip2.in 2004-05-29 23:59:23.000000000 +0300
@@ -73,6 +73,13 @@
# if non-empty, then the source address for the route will be
# set to this IP address.
#
+# PLUTO_MY_PROTOCOL
+# is the protocol for this connection. Useful for
+# firewalling.
+#
+# PLUTO_MY_PORT
+# is the port. Useful for firewalling.
+#
# PLUTO_PEER
# is the IP address of our peer.
#
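Review bot: The new header entries for PLUTO_MY_PROTOCOL and PLUTO_MY_PORT say the values are "useful for firewalling" but not what they hold when the connection has no protocol or port selector, which is exactly the case a firewall rule built from them must handle. The hunk does not show which value pluto exports then, so the comment should name it rather than leave the reader to guess; something like `# PLUTO_MY_PORT` / `# is the port selector of our end, read together with PLUTO_MY_PROTOCOL;` followed by a line stating the value passed when no port selector is configured (placeholder: <value-when-unset>, to be taken from pluto). The same applies to the PLUTO_PEER_PROTOCOL / PLUTO_PEER_PORT entries in the next hunk.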
@@ -92,8 +99,32 @@
# client is just the peer, this will be
# 255.255.255.255.
#
-# PLUTO_CONNECTION_TYPE
+# PLUTO_PEER_PROTOCOL
+# is the protocol set for remote end with port
+# selector.
+#
+# PLUTO_PEER_PORT
+# is the peer's port. Useful for firewalling.
+#
+
+# Import default configs if they exist
+#
+# Two variables can be set in this file:
#
+# DEFAULTSOURCE
+# is default value for PLUTO_MY_SOURCEIP
+# IPROUTETABLE
+# is default value for PLUTO_IPROUTETABLE
+#
+if [ -f /etc/sysconfig/openswan ]
+then
+ . /etc/sysconfig/openswan
+fi
+
+if [ -z "$PLUTO_IPROUTETABLE" ] && [ -n "$IPROUTETABLE" ]
+then
+ PLUTO_IPROUTETABLE="$IPROUTETABLE"
+fi
# check interface version
case "$PLUTO_VERSION" in
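Review bot: The new `. /etc/sysconfig/openswan` executes that file as shell code with the privileges of this updown script, yet the only guard is `-f`; nothing checks that it is root-owned and not writable by others, and because it is sourced after pluto has exported the PLUTO_* variables, any assignment in it silently overrides what pluto passed, although the header says only two variables are meant to be set there. State the contract next to the block, e.g. `# NOTE: this file is sourced, i.e. run as shell with this script's privileges; keep it root-owned and not group/world-writable, and assign only DEFAULTSOURCE and IPROUTETABLE`. The copied IPROUTETABLE value is later spliced into `parms3="table $PLUTO_IPROUTETABLE"` (see the @@ -291 hunk) and, I assume, expanded unquoted on the `ip` command line, so a value containing whitespace would turn into extra arguments; a cheap check before the copy, `case "$IPROUTETABLE" in *[!A-Za-z0-9_]*) IPROUTETABLE= ;; esac`, would contain that. The hunk header counts 32 new lines but only 31 are visible, so a blank line was probably lost in transit.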
@@ -140,7 +171,7 @@
dorule add
fi
# virtual sourceip support
- if [ -n "$PLUTO_MY_SOURCEIP" ] && ["$PLUTO_MY_SOURCEIP" != "no" ]
+ if [ -n "$PLUTO_MY_SOURCEIP" ] && [ "$PLUTO_MY_SOURCEIP" != "no" ]
then
addsource
changesource
@@ -280,7 +311,7 @@
st=0
parms="$PLUTO_PEER_CLIENT"
parms2=
- if [ -n "$PLUTO_NEXT_HOP" ]
+ if [ -n "$PLUTO_NEXT_HOP" ] && [ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]
then
parms2="via $PLUTO_NEXT_HOP"
fi
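Review bot: The added `[ "$PLUTO_NEXT_HOP" != "$PLUTO_PEER" ]` encodes a convention that a later reader cannot recover from the line itself: if the post's description is right, a nexthop equal to the peer stands for "no nexthop configured" and the `via` clause is then left to the kernel's own routing. A why-comment on the line is needed, e.g. `# a nexthop equal to the peer means none was configured: let the kernel pick the route`. The enclosing function starts and ends outside this hunk.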
@@ -291,16 +322,9 @@
parms3="table $PLUTO_IPROUTETABLE"
fi
- if [ -z "$PLUTO_MY_SOURCEIP" ]
+ if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
then
- if [ -f /etc/sysconfig/defaultsource ]
- then
- . /etc/sysconfig/defaultsource
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
fi
if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
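Review bot: The hunk removes the fallback to `/etc/sysconfig/defaultsource` with no transition, so an installation that still carries that file silently loses its default source IP after this update; the replacement only sees a DEFAULTSOURCE that came in through `/etc/sysconfig/openswan` (sourced in the earlier hunk). Either keep reading the old file for one release when DEFAULTSOURCE is still empty, printing a deprecation message to stderr, or at least say in the header comment of the earlier hunk that `/etc/sysconfig/defaultsource` is no longer consulted. The enclosing function continues outside this hunk.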
@@ -382,18 +406,34 @@
;;
up-host:*)
# connection to me coming up
+ if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
+ then
+ uprule
+ fi
# If you are doing a custom version, firewall commands go here.
;;
down-host:*)
# connection to me going down
+ if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
+ then
+ downrule
+ fi
# If you are doing a custom version, firewall commands go here.
;;
up-client:)
# connection to my client subnet coming up
+ if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
+ then
+ uprule
+ fi
# If you are doing a custom version, firewall commands go here.
;;
down-client:)
# connection to my client subnet going down
+ if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]
+ then
+ downrule
+ fi
# If you are doing a custom version, firewall commands go here.
;;
up-client:ipfwadm)
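Review bot: The same three-line guard `if [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]` is pasted four times in this hunk (up-host, down-host, up-client, down-client), and presumably the same test sits just above the `parms3="table ..."` line of the @@ -291 hunk; a helper keeps the policy in one place, e.g. `use_route_table() { [ -n "$PLUTO_IPROUTETABLE" ] && [ "$PLUTO_IPROUTETABLE" != "main" ]; }` and then `if use_route_table; then uprule; fi` at each site. The comparison recognises the main table only by its name; if the value can also be given numerically (iproute2 maps `254` to `main` by default), a rule would still be added for it, which is worth confirming against `uprule`, defined outside this hunk. The `case` statement begins and ends outside the hunk.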