summaryrefslogtreecommitdiff
path: root/testing/tests/libipsec/net2net-null/hosts/sun
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2016-07-16 15:19:53 +0200
committerYves-Alexis Perez <corsac@debian.org>2016-07-16 15:19:53 +0200
commitbf372706c469764d59e9f29c39e3ecbebd72b8d2 (patch)
tree0f0e296e2d50e4a7faf99ae6fa428d2681e81ea1 /testing/tests/libipsec/net2net-null/hosts/sun
parent518dd33c94e041db0444c7d1f33da363bb8e3faf (diff)
downloadvyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.tar.gz
vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.zip
Imported Upstream version 5.5.0
Diffstat (limited to 'testing/tests/libipsec/net2net-null/hosts/sun')
-rwxr-xr-xtesting/tests/libipsec/net2net-null/hosts/sun/etc/updown31
1 files changed, 31 insertions, 0 deletions
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
index 61f65311c..e7c3640d4 100755
--- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown
@@ -441,6 +441,14 @@ up-host-v6:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IP6IP6 traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -465,6 +473,13 @@ down-host-v6:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IP6IP6 exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -504,6 +519,15 @@ up-client-v6:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IP6IP6 traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -547,6 +571,13 @@ down-client-v6:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IP6IP6 exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then