1 files changed, 6 insertions, 7 deletions

diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 7ca9bab..b27e5ce 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -31,41 +31,41 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 set -ue
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
 timeout=10
 
 force=0
 check=0
 verbose=0
 addrfam=
 
 secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp)
 if [ -x /usr/sbin/ipsec ] && /usr/sbin/ipsec status >/dev/null; then
     ipsec=y
 else
     ipsec=n
 fi
 
 fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
+IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
 declare -A rss=() tables=()
 
 usage() {
     cat >&2 <<- EOF
 		Usage: $0 [OPTIONS]
 
 		Options:
 		    -f force:   no confirmation asked
 		    -c check:   check (dry-run) mode
 		    -v verbose: see the difference between old and new ruleset
 		    -4 IPv4 only
 		    -6 IPv6 only
 	EOF
     exit 1
 }
 
 log() {
     /usr/bin/logger -st firewall -p user.info -- "$@"
 }
 fatal() {
@@ -87,41 +87,41 @@ inet46() {
         4) echo "$2";;
         6) echo "$3";;
     esac
 }
 ipt-chains() {
     # Define new (tables and) chains.
     while [ $# -gt 0 ]; do
         case "$1" in
             ?*:*) echo ":${1%:*} ${1##*:} [0:0]";;
             ?*)   echo "*$1";;
         esac
         shift
     done >> "$new"
 }
 
 ipt-trim() {
     # Remove dynamic chain/rules from the input stream, as they are
     # automatically included by third-party servers (such as strongSwan
     # or fail2ban).  The output is ready to be made persistent.
     grep -Ev -e '^:fail2ban-\S' \
-             -e "$IPSec_re" \
+             -e "$IPsec_re" \
              -e '-j fail2ban-\S+$' \
              -e "$fail2ban_re"
 }
 
 ipt-diff() {
     # Get the difference between two rulesets.
     if [ $verbose -eq 1 ]; then
         /usr/bin/diff -u -I '^#' "$1" "$2"
     else
         /usr/bin/diff -q -I '^#' "$1" "$2" >/dev/null
     fi
 }
 
 ipt-persist() {
     # Make the current ruleset persistent.  (Requires a pre-up hook
     # script to load the rules before the network is configured.)
 
     log "Making ruleset persistent... "
     [ -d /etc/iptables ] || mkdir /etc/iptables
 
@@ -180,63 +180,62 @@ run() {
 
     if [ ! "$if" ]; then
         # If the interface is not configured, we stop here and DROP all
         # packets by default.  Thanks to the pre-up hook this tight
         # policy will be activated whenever the interface goes up.
         commit
         mv "$new" /etc/iptables/rules.v$f
         return 0
     fi
 
     # Fail2ban-specific chains and traps
     if [ $fail2ban -eq 1 ]; then
         echo ":fail2ban - [0:0]"
         # Don't remove existing rules & traps in the current rulest
         grep    -- '^:fail2ban-\S'      "$old" || true
         grep -E -- ' -j fail2ban-\S+$'  "$old" || true
         grep -E -- "$fail2ban_re"       "$old" || true
     fi >> "$new"
 
     if [ "$f" = 4 -a "$ipsec" = y ]; then
-        # Our IPSec tunnels are IPv4 only.
-        # (Host-to-host) IPSec tunnels come first.
-        grep -E -- "$IPSec_re" "$old" >> "$new" || true
+        # IPsec tunnels come first (IPv4 only).
+        grep -E -- "$IPsec_re" "$old" >> "$new" || true
 
         # Allow any IPsec $secproto protocol packets to be sent and received.
         iptables -A INPUT  -i $if -p $secproto -j ACCEPT
         iptables -A OUTPUT -o $if -p $secproto -j ACCEPT
     fi
 
 
     ########################################################################
     # DROP all RFC1918 addresses, martian networks, multicasts, ...
     # Credits to http://newartisans.com/2007/09/neat-tricks-with-iptables/
     #            http://baldric.net/loose-iptables-firewall-for-servers/
 
     local ip
     if [ "$f" = 4 -a "$ipsec" = y ]; then
         # Private-use networks (RFC 1918) and link local (RFC 3927)
-        local MyIPSec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
+        local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
         local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \
                           | sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \
                           | while read ip; do
-                              for ips in $MyIPSec; do
+                              for ips in $MyIPsec; do
                                 [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip"
                               done
                             done
                           )"
         [ "$MyNetwork" ] && \
         for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
             # Don't lock us out if we are behind a NAT ;-)
             for myip in $MyNetwork; do
                 [ "$ip" = "$(/usr/bin/netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] \
                 || iptables -A INPUT -i $if -s "$ip" -j DROP
             done
         done
 
         # Other martian packets: "This" network, multicast, broadcast (RFCs
         # 1122, 3171 and 919).
         for ip in 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32; do
             iptables -A INPUT -i $if -s "$ip" -j DROP
             iptables -A INPUT -i $if -d "$ip" -j DROP
         done