From patchwork Tue Jun 19 23:53:05 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1827
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH] squid: Exclude OpenVPN remote subnets from transparent proxy
Date: Tue, 19 Jun 2018 15:53:05 +0200
Message-Id: <1529416385-19921-1-git-send-email-erik.kapfer@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1529346727-14526-1-git-send-email-erik.kapfer@ipfire.org>
References: <1529346727-14526-1-git-send-email-erik.kapfer@ipfire.org>

Fix for bug #11614

Some cosmetics have also been done in the IPSec subnet exclusion section.

Signed-off-by: Erik Kapfer
--- src/initscripts/system/squid | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..9c11255 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid
@@ -25,17 +25,23 @@ transparent() { exit 1 fi - COUNT=1 - FILE=/var/ipfire/vpn/config + # Exclude IPSec N2N remote subnets from transparent proxy + while read IPSECREMOTESUBNET; do + CONN_TYPE=$(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $5 }') + if [ "$CONN_TYPE" != "net" ]; then + continue + fi + iptables -t nat -A SQUID -i $1 -p tcp -d $(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $13 }') --dport 80 -j RETURN + done < /var/ipfire/vpn/config - while read LINE; do - let COUNT=$COUNT+1 - CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` + # Exclude OpenVPN N2N remote subnets from transparent proxy + while read OVPNREMOTESUBNET; do + CONN_TYPE=$(echo "$OVPNREMOTESUBNET" | awk -F, '{ print $5 }') if [ "$CONN_TYPE" != "net" ]; then continue fi - iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN - done < $FILE + iptables -t nat -A SQUID -i $1 -p tcp -d $(echo "$OVPNREMOTESUBNET" | awk -F, '{ print $13 }') --dport 80 -j RETURN + done < /var/ipfire/ovpn/ovpnconfig if [ "$RED_TYPE" == "STATIC" ]; then iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
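Review bot: the new OpenVPN loop assumes that /var/ipfire/ovpn/ovpnconfig has the same column layout as /var/ipfire/vpn/config (field 5 = connection type, field 13 = remote subnet); please confirm that against the code that writes ovpnconfig, because a wrong column would either add no RETURN rule or feed a bogus value to `-d` for every net-to-net connection. The two loops are otherwise identical apart from the variable name and the input file, so a small helper that takes the config path as an argument, e.g. `exclude_n2n_subnets() { while read LINE; do ... ; done < "$2"; }` called once per file, would avoid maintaining the same awk extraction twice. Two smaller points that apply to both loops: only the type field is tested, so a disabled net-to-net connection still has its remote subnet excluded from the transparent proxy, and an empty field 13 yields `-d --dport 80`, which iptables rejects; a `[ -n "$SUBNET" ] || continue` guard before the iptables call would cover the empty and missing-field cases. Finally, `done < /var/ipfire/ovpn/ovpnconfig` aborts the function with a shell error if that file does not exist yet, so a `[ -r /var/ipfire/ovpn/ovpnconfig ]` check (or `2>/dev/null` on the redirect) is worth considering.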