[v2] squid: Exclude OpenVPN remote subnets from transparent proxy

Message ID 1529419268-17541-1-git-send-email-erik.kapfer@ipfire.org
State Dropped
Series [v2] squid: Exclude OpenVPN remote subnets from transparent proxy

Commit Message

Erik Kapfer June 20, 2018, 12:41 a.m. UTC
  Fix for bug #11614
Set another variable name for better understanding.
Set another variable for the remote subnet searcher to make the IPTables command more understandable.
Deleted COUNTER lines since they are never used.
Deleted variable to VPN configuration files since both are used only once.
All changes have also been applied to the IPSec section.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 src/initscripts/system/squid | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
  

Comments

ummeegge June 20, 2018, 4:23 a.m. UTC | #1
Hi Tom,
I don't think so, since the internal VPN configs do their config field
separation via comma. In this case only the 13th field will be read
out.

Erik

On Tuesday, 19.06.2018, 11:04 -0400, Tom Rymes wrote:
> Does this properly handle IPSec tunnels with multiple, comma-separated,
> subnets defined?
> 
> 
> On 06/19/2018 10:41 AM, Erik Kapfer wrote:
> > 
> > Fix for bug #11614
> > Set another variable name for better understanding.
> > Set another variable for the remote subnet searcher to make the
> > IPTables command more understandable.
> > Deleted COUNTER lines since they are never used.
> > Deleted variable to VPN configuration files since both are used
> > only once.
> > All changes have also been applied to the IPSec section.
> > 
> > Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
> > ---
> >   src/initscripts/system/squid | 22 +++++++++++++++-------
> >   1 file changed, 15 insertions(+), 7 deletions(-)
> > 
> > diff --git a/src/initscripts/system/squid
> > b/src/initscripts/system/squid
> > index 7255c0a..81a132b 100644
> > --- a/src/initscripts/system/squid
> > +++ b/src/initscripts/system/squid
> > @@ -25,17 +25,25 @@ transparent() {
> >   			exit 1
> >   		fi
> >   
> > -		COUNT=1
> > -		FILE=/var/ipfire/vpn/config
> > +		# Exclude IPSec N2N remote subnets from
> > transparent proxy
> > +		while read IPSECREMOTENET; do
> > +			CONN_TYPE=$(echo "$IPSECREMOTENET" | awk
> > -F, '{ print $5 }')
> > +			IPSEC_REMOTE_SUBNET=$(echo
> > "$IPSECREMOTENET" | awk -F, '{ print $13 }')
> > +			if [ "$CONN_TYPE" != "net" ]; then
> > +				continue
> > +			fi
> > +			iptables -t nat -A SQUID -i $1 -p tcp -d
> > ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN
> > +		done < /var/ipfire/vpn/config
> >   
> > -		while read LINE; do
> > -			let COUNT=$COUNT+1
> > -			CONN_TYPE=`echo "$LINE" | awk -F, '{ print
> > $5 }'`
> > +		# Exclude OpenVPN N2N remote subnets from
> > transparent proxy
> > +		while read OVPNREMOTENET; do
> > +			CONN_TYPE=$(echo "$OVPNREMOTENET" | awk
> > -F, '{ print $5 }')
> > +			OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET"
> > | awk -F, '{ print $13 }')
> >   			if [ "$CONN_TYPE" != "net" ]; then
> >   				continue
> >   			fi
> > -		iptables -t nat -A SQUID -i $1 -p tcp -d `echo
> > "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
> > -		done < $FILE
> > +			iptables -t nat -A SQUID -i $1 -p tcp -d
> > ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN
> > +		done < /var/ipfire/ovpn/ovpnconfig
> >   
> >   		if [ "$RED_TYPE" == "STATIC" ]; then
> >   			iptables -t nat -A SQUID -i $1 -p tcp -d
> > $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
> >
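A stand-alone sketch of the parsing the thread discusses, added here and not part of Erik's patch or of IPFire's initscript: it reads the comma-separated config layout the patch relies on (field 5 = connection type, field 13 = remote subnet), skips host connections and the edge case of a "net" line with an empty subnet field, and prints the SQUID RETURN rules instead of calling iptables. The interface name `green0` and the config lines are constructed sample data, not real IPFire configuration.

```shell
#!/bin/sh
# Added example (not IPFire's initscript): build the SQUID RETURN rules from
# a comma-separated VPN config. Assumptions taken from the patch: field 5 is
# the connection type ("net"/"host"), field 13 is the remote subnet. All other
# fields in the sample are constructed filler.

# Constructed sample config; only fields 5 and 13 matter for this exercise.
# Line 3 is a "net" entry with an empty subnet field to show the edge case.
SAMPLE_VPN_CONFIG='1,on,office,,net,,,,,,,,10.10.0.0/24,,
2,on,laptop,,host,,,,,,,,,,
3,on,broken,,net,,,,,,,,,,
4,on,branch,,net,,,,,,,,192.168.50.0/24,,'

# Print one iptables command per "net" connection that has a remote subnet.
# $1 = interface name, config lines are read from stdin.
vpn_exclusion_rules() {
    iface=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        conn_type=$(printf '%s\n' "$line" | awk -F, '{ print $5 }')
        remote_subnet=$(printf '%s\n' "$line" | awk -F, '{ print $13 }')
        [ "$conn_type" = "net" ] || continue
        # An empty field 13 would yield "-d --dport 80", which iptables cannot
        # parse; skip such lines instead of emitting a broken rule.
        [ -n "$remote_subnet" ] || continue
        printf 'iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN\n' \
            "$iface" "$remote_subnet"
    done
}

# Run the parser over the constructed sample for interface green0.
rules_for_sample() {
    printf '%s\n' "$SAMPLE_VPN_CONFIG" | vpn_exclusion_rules green0
}

rules_for_sample
```

Only lines 1 and 4 of the sample produce a rule; the host entry and the "net" entry with no subnet are dropped.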
  

Patch

diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid
index 7255c0a..81a132b 100644
--- a/src/initscripts/system/squid
+++ b/src/initscripts/system/squid
@@ -25,17 +25,25 @@  transparent() {
 			exit 1
 		fi
 
-		COUNT=1
-		FILE=/var/ipfire/vpn/config
+		# Exclude IPSec N2N remote subnets from transparent proxy
+		while read IPSECREMOTENET; do
+			CONN_TYPE=$(echo "$IPSECREMOTENET" | awk -F, '{ print $5 }')
+			IPSEC_REMOTE_SUBNET=$(echo "$IPSECREMOTENET" | awk -F, '{ print $13 }')
+			if [ "$CONN_TYPE" != "net" ]; then
+				continue
+			fi
+			iptables -t nat -A SQUID -i $1 -p tcp -d ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN
+		done < /var/ipfire/vpn/config
 
-		while read LINE; do
-			let COUNT=$COUNT+1
-			CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'`
+		# Exclude OpenVPN N2N remote subnets from transparent proxy
+		while read OVPNREMOTENET; do
+			CONN_TYPE=$(echo "$OVPNREMOTENET" | awk -F, '{ print $5 }')
+			OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET" | awk -F, '{ print $13 }')
 			if [ "$CONN_TYPE" != "net" ]; then
 				continue
 			fi
-		iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
-		done < $FILE
+			iptables -t nat -A SQUID -i $1 -p tcp -d ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN
+		done < /var/ipfire/ovpn/ovpnconfig
 
 		if [ "$RED_TYPE" == "STATIC" ]; then
 			iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
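Review bot: both new `iptables -t nat -A SQUID -i $1 -p tcp -d ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN` lines (and the OVPN_REMOTE_SUBNET counterpart) are issued without checking that field 13 is non-empty, so a blank or truncated line in /var/ipfire/vpn/config or /var/ipfire/ovpn/ovpnconfig whose field 5 is "net" runs `iptables ... -d --dport 80 -j RETURN`, which iptables cannot parse, and because the exit status is not checked the only symptom is a silently missing exclusion. Suggest adding `[ -n "${IPSEC_REMOTE_SUBNET}" ] || continue` after the CONN_TYPE test in each loop, quoting `"$1"` and `"${IPSEC_REMOTE_SUBNET}"`, and using `read -r` so backslashes in the config are not interpreted. The two loops are identical apart from the variable names and the file they read; a single helper taking the config path as an argument would finish the deduplication the commit message sets out to do.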