updown: Properly configure ICMP[v6] message type and code in firewall rules
authorTobias Brunner <tobias@strongswan.org>
Thu, 17 Oct 2013 14:29:30 +0000 (16:29 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 17 Oct 2013 14:57:39 +0000 (16:57 +0200)
src/_updown/_updown.in

index 72ec7d2..c68c23d 100644 (file)
@@ -290,16 +290,41 @@ else
        IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 fi
 
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1)     # ICMP
+       ICMP_TYPE_OPTION="--icmp-type"
+       ;;
+58)    # ICMPv6
+       ICMP_TYPE_OPTION="--icmpv6-type"
+       ;;
+*)
+       ;;
+esac
+
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
-       S_MY_PORT="--sport $PLUTO_MY_PORT"
-       D_MY_PORT="--dport $PLUTO_MY_PORT"
+       if [ -n "$ICMP_TYPE_OPTION" ]
+       then
+               S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+               D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+       else
+               S_MY_PORT="--sport $PLUTO_MY_PORT"
+               D_MY_PORT="--dport $PLUTO_MY_PORT"
+       fi
 fi
 if [ "$PLUTO_PEER_PORT" != 0 ]
 then
-       S_PEER_PORT="--sport $PLUTO_PEER_PORT"
-       D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+       if [ -n "$ICMP_TYPE_OPTION" ]
+       then
+               # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+               S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+               D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+       else
+               S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+               D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+       fi
 fi
 
 # resolve octal escape sequences
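Review bot: The ICMP branch in the second block (`S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"` and the `D_MY_PORT` line below it) appends the code to a variable that is only set when `PLUTO_MY_PORT` is non-zero, so for a type-0 message (ICMP echo reply) with a non-zero code the result is a bare `/N` token, which iptables will reject and the rule is never installed. One way to keep the lines self-contained is to supply the option and a zero type when nothing was set, e.g. `S_MY_PORT="${S_MY_PORT:-$ICMP_TYPE_OPTION 0}/$PLUTO_PEER_PORT"` and the same for `D_MY_PORT`; whether a zero type here should mean "type 0" or "any type" depends on how charon encodes the selector, which this hunk does not show, so that choice should be confirmed before fixing. The `*)` arm of the `case` could also assign `ICMP_TYPE_OPTION=""` explicitly, so a value inherited from the invoking environment cannot switch the non-ICMP path to `--icmp-type` options.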