From: Ruoyu Ying Date: Mon, 20 Dec 2021 14:43:28 +0000 (-0500) Subject: New changes in CNF X-Git-Tag: 21.12.02~7^2 X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=0beb2bb6145017054dcf13c984fdc7f9b649fd35;p=icn%2Fsdwan.git New changes in CNF * Update updown scripts for edge/hub * Upload rest of the changes in config resolution Change-Id: Ied71d169c167cfd3b4e4b8ce44024d5d44258e81 Signed-off-by: Ruoyu Ying
---
diff --git a/platform/cnf-openwrt/src/ipsec_exec b/platform/cnf-openwrt/src/ipsec_exec
index 49d3616..56c47fc 100755
--- a/platform/cnf-openwrt/src/ipsec_exec
+++ b/platform/cnf-openwrt/src/ipsec_exec
@@ -142,7 +142,6 @@ config_conn() {
     local dpddelay
     local inactivity
     local keyexchange
-    local closeaction
 
     config_get mode "$1" mode "route"
     config_get local_subnet "$1" local_subnet ""
@@ -162,7 +161,6 @@ config_conn() {
     config_get dpddelay "$1" dpddelay "30s"
     config_get inactivity "$1" inactivity
     config_get keyexchange "$1" keyexchange "ikev2"
-    config_get closeaction "$1" closeaction "restart"
     config_get mark "$1" mark ""
 
     [ -n "$local_nat" ] && local_subnet=$local_nat
@@ -183,7 +181,6 @@ config_conn() {
     ipsec_xappend " keyingtries=$keyingtries"
     ipsec_xappend " dpdaction=$dpdaction"
     ipsec_xappend " dpddelay=$dpddelay"
-    ipsec_xappend " closeaction=$closeaction"
 
     [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
 
@@ -305,7 +302,7 @@ config_ipsec() {
     secret_xappend "# generated by /etc/init.d/ipsec"
 
     config_get debug "$1" debug 0
-    config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
+    config_get_bool rtinstall_enabled "$1" rtinstall_enabled 0
     config_get_bool vip_enabled "$1" vip_enabled 1
     [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
     [ $vip_enabled -eq 1 ] && install_virtual_ip=yes || install_virtual_ip=no
diff --git a/platform/cnf-openwrt/src/rest_v1/cnfroute b/platform/cnf-openwrt/src/rest_v1/cnfroute
new file mode 100644
index 0000000..99d3f28
--- /dev/null
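Review bot: The commit message does not say why `closeaction` is dropped from config_conn() in the first three hunks, and nothing replaces it, so connections fall back to strongSwan's built-in closeaction default where the generated config previously emitted `restart`; a UCI section that still sets `closeaction` is now silently ignored. If re-establishment on peer close is intentionally left to the updown scripts, say so at the removal point, e.g. `# closeaction intentionally not emitted; reconnection is handled by the updown scripts`, or in the commit message. The `rtinstall_enabled` default flip to 0 in config_ipsec() pairs with the identical change in ipsec_rest.lua; a comment on that line such as `# routes are installed by the updown/cnfroute scripts, not by charon` would make the coupling visible. config_conn() and config_ipsec() both start and end outside these hunks.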
+++ b/platform/cnf-openwrt/src/rest_v1/cnfroute
@@ -0,0 +1,70 @@
+#!/bin/sh
+# Licensed to the public under the GNU General Public License v2.
+
+. /lib/functions.sh
+
+help()
+{
+    cat < check route rule for the interface
+
+EOF
+}
+
+checkroute()
+{
+    config_get name "$1" name ""
+    config_get dst "$1" dst ""
+    config_get src "$1" src ""
+    config_get gw "$1" gw ""
+#    config_get dev "$1" dev ""
+    config_get dev "$1" dev_val ""
+    config_get table "$1" table "main"
+
+    if [ $dev == $2 ]; then
+        if [ $table == "cnf" ]; then
+            rule=$(ip route show table 40 | grep $dev | grep $dst)
+        else
+            rule=$(ip route show | grep $dev | grep $dst)
+        fi
+        echo $rule
+        if [ -z "$rule" ]; then
+            cmd="ip route add "
+            if [ $table == "cnf" ]; then
+                cmd="$cmd table 40"
+            fi
+            cmd="$cmd $dst"
+            if [ -n "$gw" ]; then
+                cmd="$cmd via $gw"
+            fi
+            cmd="$cmd dev $dev"
+            if [ -n "$src" ]; then
+                cmd="$cmd src $src"
+            fi
+            echo $cmd
+            eval $cmd
+        fi
+    fi
+}
+
+check()
+{
+    config_load route-cnf
+
+    echo "Check route:"
+    config_foreach checkroute route $1
+}
+
+case "$1" in
+    check)
+        $*
+        ;;
+    *)
+        help
+        ;;
+esac
+
+exit 0
diff --git a/platform/cnf-openwrt/src/rest_v1/ipsec_rest.lua b/platform/cnf-openwrt/src/rest_v1/ipsec_rest.lua
index 6e21d10..d884593 100644
--- a/platform/cnf-openwrt/src/rest_v1/ipsec_rest.lua
+++ b/platform/cnf-openwrt/src/rest_v1/ipsec_rest.lua
@@ -135,7 +135,7 @@ function is_vti_enabled(value)
         uci:set(uci_conf, "@ipsec[0]", "rtinstall_enabled", 0)
         uci:set(uci_conf, "@ipsec[0]", "vip_enabled", 0)
     else
-        uci:set(uci_conf, "@ipsec[0]", "rtinstall_enabled", 1)
+        uci:set(uci_conf, "@ipsec[0]", "rtinstall_enabled", 0)
         uci:set(uci_conf, "@ipsec[0]", "vip_enabled", 1)
     end
     uci:save(uci_conf)
diff --git a/platform/cnf-openwrt/src/rest_v1/route_rest.lua b/platform/cnf-openwrt/src/rest_v1/route_rest.lua
index 5983a03..c95a8a9 100644
--- a/platform/cnf-openwrt/src/rest_v1/route_rest.lua
+++ b/platform/cnf-openwrt/src/rest_v1/route_rest.lua
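Review bot: `if [ $dev == $2 ]; then` in checkroute() is unquoted, so a route section whose `dev_val` option is missing (the `config_get ... ""` default) collapses the test to `[ == vti_x ]` and the script aborts with a test syntax error instead of skipping that section; write `if [ "$dev" = "$2" ]; then` (`=` instead of `==` also keeps the `#!/bin/sh` script POSIX) and quote `$table` in the two `[ $table == "cnf" ]` tests the same way. `eval $cmd` is not needed: the string holds only plain arguments, so `$cmd` runs the same `ip route add` without giving UCI-supplied values a second round of shell parsing, which is the safer default for config-derived data. The `grep $dev | grep $dst` filters match substrings and treat the dots in `$dst` as pattern wildcards, so `vti_1` also matches `vti_10` and a stale rule can be taken as present; `grep -w -F -- "$dev" | grep -w -F -- "$dst"` narrows the match. `echo $rule`, `echo $cmd` and `config_foreach checkroute route $1` should be quoted for the same reason.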
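Review bot: Both branches of the `if` in is_vti_enabled() now set `rtinstall_enabled` to 0, so the conditional only decides `vip_enabled` and the duplicated line reads like a leftover; hoist `uci:set(uci_conf, "@ipsec[0]", "rtinstall_enabled", 0)` above the `if` and leave one `uci:set` per branch. Alternatively keep the shape and add a comment on the changed line explaining why charon route installation is off in both modes, presumably because routes are now added by the updown scripts and cnfroute, which the hunk does not show. is_vti_enabled() starts outside the hunk.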
@@ -15,11 +15,13 @@ uci_conf = "route-cnf"
 
 route_validator = {
     create_section_name=false,
+    object_validator=function(value) return check_route(value) end,
     {name="name"},
     {name="dst", required=true, validator=function(value) return (value == "default") or utils.is_valid_ip(value) end, message="Invalid Destination IP Address"},
     {name="src", validator=function(value) return utils.is_valid_ip_address(value) end, message="Invalid Source IP Address"},
     {name="gw", validator=function(value) return utils.is_valid_ip_address(value) end, message="Invalid Gateway IP Address"},
-    {name="dev", required=true, validator=function(value) return (value == "#default") or ifutil.is_interface_available(value) end, message="Invalid interface", code="428"},
+    {name="dev", required=true},
+    {name="dev_val"},
     {name="table", validator=function(value) return utils.in_array(value, {"default", "cnf"}) end, message="Bad route table"},
 }
 
@@ -50,16 +52,33 @@ function handle_request()
     end
 end
 
+function check_route(value)
+    local dev = value["dev"]
+    local dev_val = dev
+    if utils.start_with(dev, "#") then
+        local dev_name = string.sub(dev, 2, string.len(dev))
+        if dev_name == "default" then
+            dev_val = ifutil.get_default_ifname()
+        else
+            dev_val = ifutil.get_name_by_ip(dev_name)
+        end
+    end
+
+    if dev_val == nil or (not ifutil.is_interface_available(dev_val)) then
+        return false, "428:Field[dev] checked failed: Invalid interface"
+    end
+
+    value["dev_val"] = dev_val
+    return true, value
+end
+
 -- generate command for route
 function route_command(route, op)
     local dst = route["dst"]
     local src = route["src"]
     local gw = route["gw"]
-    local dev = route["dev"]
+    local dev = route["dev_val"]
     local t = route["table"]
-    if dev == "#default" then
-        dev = ifutil.get_default_ifname()
-    end
     local comm = "ip route"
 
     if op == "create" then
diff --git a/platform/cnf-openwrt/src/rest_v1/utils.lua b/platform/cnf-openwrt/src/rest_v1/utils.lua
index 4376296..11fc015 100644
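Review bot: check_route() passes `value["dev"]` straight into `utils.start_with(dev, "#")`, so a request that omits `dev` or sends a non-string reaches the validator as nil and raises inside it instead of producing the 428 rejection the function returns for bad interfaces; this is only safe if the field-level `required=true` is guaranteed to run first, which the hunk does not show, and the utils.lua hunk in this same commit weakens that check. Add `if type(dev) ~= "string" then return false, "428:Field[dev] checked failed: Invalid interface" end` before the prefix test. `string.sub(dev, 2, string.len(dev))` is equivalent to `dev:sub(2)`. A one-line LDoc summary above the function, e.g. `--- Resolve a dev of "#default" or "#<ip>" to a real interface name and store it as dev_val.`, would explain the new `dev_val` field to the next reader; route_command() continues outside the hunk.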
--- a/platform/cnf-openwrt/src/rest_v1/utils.lua
+++ b/platform/cnf-openwrt/src/rest_v1/utils.lua
@@ -688,7 +688,7 @@ function validate_and_set_data(validator, src)
         local default = v["default"]
         local target_name = name
 
-        if required == nil then
+        if required_lenth == nil then
             required = false
         end
 
diff --git a/platform/cnf-openwrt/src/sdewan_svc.info b/platform/cnf-openwrt/src/sdewan_svc.info
index 8b3c8b3..bc471be 100644
--- a/platform/cnf-openwrt/src/sdewan_svc.info
+++ b/platform/cnf-openwrt/src/sdewan_svc.info
@@ -1,2 +1 @@
-kubernetes kubernetes.default.svc.cluster.local 6443 6443 0.0.0.0 0
 istio istio-ingressgateway.istio-system.svc.cluster.local 0 0 0.0.0.0 1
diff --git a/platform/cnf-openwrt/src/updown b/platform/cnf-openwrt/src/updown
index fe4500e..3c99f73 100755
--- a/platform/cnf-openwrt/src/updown
+++ b/platform/cnf-openwrt/src/updown
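Review bot: `if required_lenth == nil then` reads a global that is never assigned (and misspells the intended name), so in Lua the comparison is always true and `required` is forced to `false` for every field; every `required=true` in the REST validators, including `dst` and `dev` in route_rest.lua, stops being enforced and a request may omit those fields and still be accepted. This looks like an accidental edit rather than the intended change; the line should stay `if required == nil then`. Running luacheck on the rest_v1 tree would flag the read of an undefined global and catch this class of slip before it reaches a release. validate_and_set_data() starts and ends outside the hunk.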
@@ -7,19 +7,48 @@
 set -o nounset
 set -o errexit
 
-NET_IF=`ip a | grep ${PLUTO_ME} | grep inet | cut -d' ' -f 11`
-VTI_IF="vti_${NET_IF}"
+if [ ! -z "${PLUTO_PEER_SOURCEIP:-}" ]
+then
+    VTI_IF="vti_${PLUTO_PEER_SOURCEIP}"
+else
+    VTI_IF="vti_${PLUTO_PEER}"
+fi
+DEFAULT_PREFIX="localto"
 
 case "${PLUTO_VERB}" in
     up-host)
-        #ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote 0.0.0.0 mode vti \
         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
             key "${PLUTO_MARK_OUT%%/*}"
         ip link set "${VTI_IF}" up
         ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src "${PLUTO_ME}"
         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
+        if [ "${PLUTO_CONNECTION#*$DEFAULT_PREFIX}" != "$PLUTO_CONNECTION" ]
+        then
+            iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE
+            if [ $? == 1 ]
+            then
+                iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+            fi
+        fi
+        iptables -t nat -A POSTROUTING -o "${VTI_IF}" -j SNAT --to-source "${PLUTO_MY_CLIENT%%/*}"
+        bash /etc/cnfroute check "${VTI_IF}"
         ;;
     down-host)
+        ip tunnel del "${VTI_IF}"
+        iptables -t nat -D POSTROUTING -o "${VTI_IF}" -j SNAT --to-source "${PLUTO_MY_CLIENT%%/*}"
+        ;;
+    up-client)
+        ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
+            key "${PLUTO_MARK_OUT%%/*}"
+        ip link set "${VTI_IF}" up
+        if [ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]
+        then
+            ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src "${PLUTO_ME}"
+        fi
+        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
+        bash /etc/cnfroute check "${VTI_IF}"
+        ;;
+    down-client)
         ip tunnel del "${VTI_IF}"
         ;;
 esac
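Review bot: The `iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE` probe in the up-host branch runs under `set -o errexit` (context at the top of the hunk), so when the rule is absent `-C` exits 1 and the whole script terminates before `if [ $? == 1 ]` is evaluated; the MASQUERADE rule is only "added" in the case where it already exists, and the SNAT rule and cnfroute call below it are skipped too. Fold the probe into the condition: `if ! iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null; then iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; fi` (and prefer `=` over `==` in `[ ]`, which `/bin/sh` test is not guaranteed to accept). `bash /etc/cnfroute check "${VTI_IF}"` in both up-host and up-client invokes a script that declares `#!/bin/sh`, and bash is not necessarily present on an OpenWrt image; `sh /etc/cnfroute check "${VTI_IF}"` removes the dependency. The per-tunnel SNAT rule is removed in down-host but the eth0 MASQUERADE rule is never removed; if that is deliberate because it is shared across connections, a comment saying so would stop a reader treating it as a leak.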
@@ -1,30 +1,399 @@ -#!/bin/bash +#!/bin/sh # SPDX-License-Identifier: Apache-2.0 # Copyright (c) 2021 Intel Corporation -# set charon.install_virtual_ip = no to prevent the daemon from also installing the VIP +DEFAULT_PREFIX="localto" +DEFAULT_K8S_SVC="10.96.0.1:443" +DEFAULT_K8S_PORT="6443" -set -o nounset -set -o errexit +/sbin/hotplug-call ipsec "$1" -NET_IF=`ip a | grep ${PLUTO_ME} | grep inet | cut -d' ' -f 11` -VTI_IF="vti_${NET_IF}" +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. 
+# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_IF_ID_IN +# is an optional XFRM interface ID set on the inbound IPsec SA +# +# PLUTO_IF_ID_OUT +# is an optional XFRM interface ID set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. 
+# -case "${PLUTO_VERB}" in - up-client) - #ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \ - ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote 0.0.0.0 mode vti \ - key "${PLUTO_MARK_OUT%%/*}" - ip link set "${VTI_IF}" up - ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}" - ip rule add to "${PLUTO_MY_SOURCEIP}" table 40 - ip rule add from "${PLUTO_MY_SOURCEIP}" table 40 - ip route add "${PLUTO_PEER}" dev "${VTI_IF}" src "${PLUTO_MY_SOURCEIP}" table 40 - sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1" +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" 
>&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" ;; - down-client) - ip rule del from all to "${PLUTO_MY_SOURCEIP}" - ip rule del from "${PLUTO_MY_SOURCEIP}" - ip tunnel del "${VTI_IF}" +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) ;; esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. 
+ ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "${PLUTO_CONNECTION#*$DEFAULT_PREFIX}" != "$PLUTO_CONNECTION" ] + then + iptables -t nat -A PREROUTING -p tcp -m tcp -d $PLUTO_MY_SOURCEIP \ + --dport $DEFAULT_K8S_PORT -j DNAT --to-dest $DEFAULT_K8S_SVC + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. 
+ if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ip r add $PLUTO_MY_SOURCEIP dev $PLUTO_INTERFACE + ip r add $PLUTO_PEER dev $PLUTO_INTERFACE table 40 + bash /etc/cnfroute check "${PLUTO_INTERFACE}" + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "${PLUTO_CONNECTION#*$DEFAULT_PREFIX}" != "$PLUTO_CONNECTION" ] + then + iptables -t nat -D PREROUTING -p tcp -m tcp -d $PLUTO_MY_SOURCEIP \ + --dport $DEFAULT_K8S_PORT -j DNAT --to-dest $DEFAULT_K8S_SVC fi + + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d 
$PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +