From patchwork Wed Jun 20 00:41:08 2018
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 1828
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH v2] squid: Exclude OpenVPN remote subnets from transparent proxy
Date: Tue, 19 Jun 2018 16:41:08 +0200
Message-Id: <1529419268-17541-1-git-send-email-erik.kapfer@ipfire.org>
In-Reply-To: <7ead9291191f6a2b41aecc2393b21a00597992c3.camel@ipfire.org>
References: <7ead9291191f6a2b41aecc2393b21a00597992c3.camel@ipfire.org>
List-Id: IPFire development talk

Fix for bug #11614

Set another variable name for better understanding.
Set another variable for the remote subnet searcher to make the iptables command easier to understand.
Deleted COUNTER lines since they are never used.
Deleted the variable for the VPN configuration files since both are used only once.
All changes have also been applied to the IPSec section.
Signed-off-by: Erik Kapfer --- src/initscripts/system/squid | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..81a132b 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid @@ -25,17 +25,25 @@ transparent() { exit 1 fi - COUNT=1 - FILE=/var/ipfire/vpn/config + # Exclude IPSec N2N remote subnets from transparent proxy + while read IPSECREMOTENET; do + CONN_TYPE=$(echo "$IPSECREMOTENET" | awk -F, '{ print $5 }') + IPSEC_REMOTE_SUBNET=$(echo "$IPSECREMOTENET" | awk -F, '{ print $13 }') + if [ "$CONN_TYPE" != "net" ]; then + continue + fi + iptables -t nat -A SQUID -i $1 -p tcp -d ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN + done < /var/ipfire/vpn/config - while read LINE; do - let COUNT=$COUNT+1 - CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` + # Exclude OpenVPN N2N remote subnets from transparent proxy + while read OVPNREMOTENET; do + CONN_TYPE=$(echo "$OVPNREMOTENET" | awk -F, '{ print $5 }') + OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET" | awk -F, '{ print $13 }') if [ "$CONN_TYPE" != "net" ]; then continue fi - iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN - done < $FILE + iptables -t nat -A SQUID -i $1 -p tcp -d ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN + done < /var/ipfire/ovpn/ovpnconfig if [ "$RED_TYPE" == "STATIC" ]; then iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
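Review bot: in both loops the 13th column goes straight into `iptables -t nat -A SQUID -i $1 -p tcp -d ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN` (and the matching `${OVPN_REMOTE_SUBNET}` line) without checking that it is non-empty; a "net" entry whose remote subnet column is blank turns the command into `-d --dport 80`, iptables rejects it, and since the exit status is not checked the script carries on with that remote subnet still redirected into the proxy. Suggest skipping such entries before the iptables call, e.g. `if [ -z "${IPSEC_REMOTE_SUBNET}" ]; then continue; fi`, quoting the expansion as `-d "${IPSEC_REMOTE_SUBNET}"`, and doing the same in the OpenVPN loop. Two smaller points: `read` should be `read -r` so a backslash in a config line is not interpreted, and the OpenVPN loop copies the `$5`/`$13` column indices of the IPSec loop verbatim, so a comment stating which ovpnconfig columns hold the connection type and the remote subnet would spare the next reader from having to verify that the two files share that layout.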
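The loop in the patch, reworked as an added example that is not the IPFire initscript's own code nor the patch author's: it keeps the same parsing (column 5 is the connection type, column 13 the remote subnet, both an assumption carried over from the patch), but validates the subnet before it reaches `iptables -d`, reads with `-r`, quotes every expansion, and lets a dry run show which RETURN rules would be added. The config lines inside the block are constructed sample data, not real IPFire files.

```shell
#!/bin/bash
# Added example, not code from the IPFire squid initscript or from the patch
# author. It rebuilds the "exclude VPN remote subnets from the transparent
# proxy" loop with the checks the patch lacks: read -r with IFS cleared, quoted
# expansions, and a validated subnet field so that a blank or malformed column
# never reaches "iptables -d". Assumptions: column 5 is the connection type
# ("net"/"host") and column 13 the remote subnet, the columns the patch reads;
# the config lines below are constructed sample data, not real IPFire files.

# Succeed if $1 is exactly four decimal octets, each 0-255.
is_dotted_quad() {
    local IFS=. o n=0
    for o in $1; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Succeed if $1 is an IPv4 network in the syntax iptables -d accepts:
# a.b.c.d, a.b.c.d/len (0-32) or a.b.c.d/dotted-netmask.
is_ipv4_net() {
    local net="$1" addr mask
    addr="${net%%/*}"
    mask="${net#*/}"
    [ "$mask" = "$net" ] && mask=32      # no "/": a single host
    is_dotted_quad "$addr" || return 1
    is_dotted_quad "$mask" && return 0   # dotted-netmask form
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ]
}

# Print, one per line, the iptables arguments that exempt every valid
# net-to-net remote subnet in file $2 from the SQUID nat chain on interface $1.
# Nothing is executed here; entries with a bad subnet are reported on stderr
# and skipped instead of being handed to iptables half-formed.
vpn_exclude_rules() {
    local iface="$1" file="$2" line name type subnet
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do   # also handles a last line without "\n"
        [ -n "$line" ] || continue
        name=$(printf '%s\n' "$line" | awk -F, '{ print $2 }')
        type=$(printf '%s\n' "$line" | awk -F, '{ print $5 }')
        subnet=$(printf '%s\n' "$line" | awk -F, '{ print $13 }')
        [ "$type" = "net" ] || continue            # host (roadwarrior) entries carry no remote subnet
        if ! is_ipv4_net "$subnet"; then
            printf 'skipping %s: remote subnet field is "%s"\n' "$name" "$subnet" >&2
            continue
        fi
        printf -- '-t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN\n' "$iface" "$subnet"
    done < "$file"
}

# Run the rules (or just print them with DRY_RUN=1). The first iptables
# failure aborts instead of silently leaving that subnet redirected.
apply_vpn_exclusions() {
    vpn_exclude_rules "$1" "$2" | while IFS= read -r args; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables $args"
        else
            # shellcheck disable=SC2086  # word-splitting the argument string is intended
            iptables $args || exit 1
        fi
    done
}

# Constructed sample file in the 13-column shape the patch parses (not real
# IPFire data): a roadwarrior entry, a valid N2N entry, an N2N entry with an
# empty subnet column, and one with an impossible prefix length.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
1,roadwarrior1,,,host,,,,,,,,
2,branch-a,,,net,,,,,,,,10.20.0.0/255.255.255.0
3,branch-b,,,net,,,,,,,,
4,branch-c,,,net,,,,,,,,10.30.0.0/999
EOF

# Dry run against the sample: exactly one RETURN rule, for branch-a; the two
# broken entries are reported on stderr and never reach iptables.
DRY_RUN=1 apply_vpn_exclusions red0 "$SAMPLE"
```

Run it as-is to see the dry run; drop `DRY_RUN=1` (as root) to apply the rules. The point of validating before calling iptables, rather than after, is that an initscript that ignores iptables' exit status otherwise boots with the VPN subnet still redirected into the proxy and nothing but a line in the boot log to say so.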