From aaba815dbccbb0d623def17d1e030383d905daa0 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 29 Jun 2016 20:14:25 +0200
Subject: =?UTF-8?q?IPSec=20=E2=86=92=20IPsec?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 roles/common/files/usr/local/sbin/update-firewall.sh | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
(limited to 'roles/common/files')

diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 7ca9bab..b27e5ce 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -48,7 +48,7 @@ else
 fi
 fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
+IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
 declare -A rss=() tables=()
 usage() {
@@ -104,7 +104,7 @@ ipt-trim() {
 # automatically included by third-party servers (such as strongSwan
 # or fail2ban). The output is ready to be made persistent.
 grep -Ev -e '^:fail2ban-\S' \
- -e "$IPSec_re" \
+ -e "$IPsec_re" \
 -e '-j fail2ban-\S+$' \
 -e "$fail2ban_re"
 }
@@ -197,9 +197,8 @@ run() {
 fi >> "$new"
 if [ "$f" = 4 -a "$ipsec" = y ]; then
- # Our IPSec tunnels are IPv4 only.
- # (Host-to-host) IPSec tunnels come first.
- grep -E -- "$IPSec_re" "$old" >> "$new" || true
+ # IPsec tunnels come first (IPv4 only).
+ grep -E -- "$IPsec_re" "$old" >> "$new" || true
 # Allow any IPsec $secproto protocol packets to be sent and received.
 iptables -A INPUT -i $if -p $secproto -j ACCEPT
@@ -215,11 +214,11 @@ run() {
 local ip
 if [ "$f" = 4 -a "$ipsec" = y ]; then
 # Private-use networks (RFC 1918) and link local (RFC 3927)
- local MyIPSec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
+ local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
 local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \
 | sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \
 | while read ip; do
- for ips in $MyIPSec; do
+ for ips in $MyIPsec; do
 [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip"
 done
 done
-- 
cgit v1.2.3