| Summary: | squid and multiple VPN subnets | ||
|---|---|---|---|
| Product: | IPFire | Reporter: | Michael Tremer <michael.tremer> |
| Component: | --- | Assignee: | Oliver Fuhrer <oliver.fuhrer> |
| Status: | CLOSED WONTFIX | QA Contact: | Michael Tremer <michael.tremer> |
| Severity: | - Unknown - | ||
| Priority: | - Unknown - | CC: | alexander.marx, oliver.fuhrer, peter.mueller |
| Version: | 2 | ||
| Hardware: | unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | |||
| Bug Blocks: | 11618 | ||
| Attachments: |
Patch for squid init script
Patch for squid init script, updated Version init script patch for transparent proxy and ipsec vpn |
||
|
Description
Michael Tremer
2016-02-23 20:20:06 UTC
hm. Interesting issue. I am not using IPsec myself but how is one able to define more than one subnet in a IPsec connection?! Just type multiple subnets as a comma-separated list in the remote subnet field. You do not need to establish the tunnel to have a look at this script. Are you still working on this? Created attachment 438 [details]
Patch for squid init script
Hi All,
I was facing the same issue when using ipsec site2site connections with multiple subnets and wrote a small patch for the squid init script. It probably needs some further testing, but does the trick for me.
Regards
Comment on attachment 438 [details] Patch for squid init script >--- /etc/init.d/squid.orig 2016-04-21 15:23:24.930819093 +0200 >+++ /etc/init.d/squid 2016-05-01 12:41:47.382659336 +0200 >@@ -27,16 +27,27 @@ > > COUNT=1 > FILE=/var/ipfire/vpn/config >- >- while read LINE; do >- let COUNT=$COUNT+1 >- CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` >- if [ "$CONN_TYPE" != "net" ]; then >- continue >- fi >- iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN >- done < $FILE > >+ while read LINE; do >+ let COUNT=$COUNT+1 >+ CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` >+ if [ "$CONN_TYPE" != "net" ]; then >+ continue >+ fi >+ netlist=`echo "$LINE" | awk -F, '{ print $13 }'` >+ if [ `echo $netlist | grep "|" | wc -l` -eq 0 ];then >+ iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN >+ else >+ OIFS="$IFS" >+ IFS='|' >+ read -a subnets <<< "${netlist}" >+ IFS="$OIFS" >+ for subnet in ${subnets[@]};do >+ iptables -t nat -A SQUID -i $1 -p tcp -d $subnet --dport 80 -j RETURN >+ done >+ fi >+ done < $FILE >+ > if [ "$RED_TYPE" == "STATIC" ]; then > iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN > fi Created attachment 439 [details]
Patch for squid init script, updated Version
New Version of the Patch with fixed formatting.
Hey Oliver, thanks for working on this. This patch probably works, but I think this could also be done a bit shorter. Did you try something like: > for subnet in ${netlist//\|/ }; do ...; done This should work in all the cases and would make this script easier to read. Would you also please email the patch to the mailing list including authorship, etc.? http://wiki.ipfire.org/devel/submit-patches Is this bug still up to date? Closing this since nobody answered (although the issue itself seems to be unfixed). In case it is still relevant, please reopen it and add it to https://bugzilla.ipfire.org/show_bug.cgi?id=11618 as "depends on". Thanks. Created attachment 570 [details]
init script patch for transparent proxy and ipsec vpn
Hi All
Sorry for the long silence on this bug.
Please find a new patch for the issue attached including Michael's proposal and some minor cosmetics.
One little thing I noticed is, if a tunnel gets enabled later on, it wont' be excluded from the iptables chain by this Patch until squid is bounced via init script again.
Regards
Oliver
Reopening with new Patch For the record: https://patchwork.ipfire.org/patch/1721/ Patch not mergeable |