From patchwork Wed May 18 17:49:00 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 5625
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4L3L8M5glnz3yZD
	for <patchwork@web04.haj.ipfire.org>; Wed, 18 May 2022 17:49:07 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4L3L8L4JMrz17d;
	Wed, 18 May 2022 17:49:06 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4L3L8L3Bh1z2ysv;
	Wed, 18 May 2022 17:49:06 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4L3L8J6JS2z2xv9
 for <development@lists.ipfire.org>; Wed, 18 May 2022 17:49:04 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4L3L8J0WKYzWD
 for <development@lists.ipfire.org>; Wed, 18 May 2022 17:49:03 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1652896144;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=+CLUiJJSBs1jAeh2XY2DjZwk2BXs0JCFN0ZTWqEpDPU=;
 b=k/gGw+tTsMpZehDXVfbcdsUdOCvVU3+H/pbaKq0B/WSdzcsCAp/v1cQ3wRJXc5/cjkMjYi
 Xjmzcldapao/0zDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1652896144;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=+CLUiJJSBs1jAeh2XY2DjZwk2BXs0JCFN0ZTWqEpDPU=;
 b=gKj+tOtZEcqnAQuwC2jXfZfDFnmL3jN8L/ZW9KgSPsaEe4fWL+GX3Bvyvt99lHjDNBBlNz
 1BTFG4UHJ3vdESK3Y86W4Q8SAjLqPhN8E8VvqGQ/K4cotxZOA3YJuO1jRNPVsJJk9CsQo4
 A27zRI6ait3/Q2PWsimXxwdXSkUMqdD09jZft13KELk+twr+pgeSPu4GFkoygaT9DYrrAM
 Q1S+OKh9r2AS4b+z0t+knd9pVoxIYu0CvpIrvUy3KWoGz9thQO+GSpXDOB3JENFgKeeJVJ
 yiTFBJoDUcv0TH2zxBF2G7Jxzlo3r0+FV/koN/Wn4DT+Szo+Myc+v50jecm2/A==
Message-ID: <822918e4-0bf4-a9b3-536c-f98e62468aca@ipfire.org>
Date: Wed, 18 May 2022 17:49:00 +0000
MIME-Version: 1.0
Content-Language: en-US
To: "IPFire: Development" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH v2] strongSwan: Bring back firewall rules for permitting
 IP-in-IP, ESP and AH traffic
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Fixes: #12866
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/patches/strongswan-ipfire.patch | 54 +++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 14 deletions(-)

diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch
index 0f2be7483..d8e35cd52 100644
--- a/src/patches/strongswan-ipfire.patch
+++ b/src/patches/strongswan-ipfire.patch
@@ -1,13 +1,13 @@
-commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027
-Author: Michael Tremer <michael.tremer@ipfire.org>
-Date:   Mon Mar 21 19:49:02 2022 +0000
+commit b439f74361d393bcb85109b6c41a905cf613a296
+Author: Peter Müller <peter.mueller@ipfire.org>
+Date:   Wed May 18 17:46:57 2022 +0000
 
     IPFire modifications to _updown script
     
-    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
+    Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
 
 diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
-index 34eaf68c7..514ecb578 100644
+index 34eaf68c7..9ed387a0a 100644
 --- a/src/_updown/_updown.in
 +++ b/src/_updown/_updown.in
 @@ -242,10 +242,10 @@ up-host:iptables)
@@ -98,7 +98,7 @@ index 34eaf68c7..514ecb578 100644
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -342,10 +324,10 @@ up-client:iptables)
+@@ -342,47 +324,37 @@ up-client:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
@@ -110,8 +110,20 @@ index 34eaf68c7..514ecb578 100644
 +	      "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
  	  fi
  	fi
++
++	# Open Firewall for IPinIP + AH + ESP Traffic
++	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
++		-s $PLUTO_PEER $S_PEER_PORT \
++		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
++	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++		-s $PLUTO_PEER $S_PEER_PORT \
++		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
++	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++		-s $PLUTO_PEER $S_PEER_PORT \
++		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
++
  	;;
-@@ -353,36 +335,14 @@ down-client:iptables)
+ down-client:iptables)
  	# connection to client subnet, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -149,7 +161,7 @@ index 34eaf68c7..514ecb578 100644
  	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
  	fi
  	#
-@@ -392,10 +352,10 @@ down-client:iptables)
+@@ -392,12 +364,24 @@ down-client:iptables)
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
@@ -161,8 +173,22 @@ index 34eaf68c7..514ecb578 100644
 +	      "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
  	  fi
  	fi
++
++	# Close Firewall for IPinIP + AH + ESP Traffic
++	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
++		-s $PLUTO_PEER $S_PEER_PORT \
++		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
++	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
++		-s $PLUTO_PEER $S_PEER_PORT \
++		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
++	iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
++		-s $PLUTO_PEER $S_PEER_PORT \
++		-d $PLUTO_ME $D_MY_PORT -j ACCEPT
++
  	;;
-@@ -422,10 +382,10 @@ up-host-v6:iptables)
+ #
+ # IPv6
+@@ -422,10 +406,10 @@ up-host-v6:iptables)
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -175,7 +201,7 @@ index 34eaf68c7..514ecb578 100644
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -454,10 +414,10 @@ down-host-v6:iptables)
+@@ -454,10 +438,10 @@ down-host-v6:iptables)
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -188,7 +214,7 @@ index 34eaf68c7..514ecb578 100644
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -487,10 +447,10 @@ up-client-v6:iptables)
+@@ -487,10 +471,10 @@ up-client-v6:iptables)
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -201,7 +227,7 @@ index 34eaf68c7..514ecb578 100644
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  	fi
-@@ -499,10 +459,10 @@ up-client-v6:iptables)
+@@ -499,10 +483,10 @@ up-client-v6:iptables)
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
@@ -214,7 +240,7 @@ index 34eaf68c7..514ecb578 100644
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  	fi
-@@ -535,11 +495,11 @@ down-client-v6:iptables)
+@@ -535,11 +519,11 @@ down-client-v6:iptables)
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -228,7 +254,7 @@ index 34eaf68c7..514ecb578 100644
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
  	         $IPSEC_POLICY_IN -j ACCEPT
-@@ -549,11 +509,11 @@ down-client-v6:iptables)
+@@ -549,11 +533,11 @@ down-client-v6:iptables)
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then