When multiple subnets are used for a single IPsec connection, the squid startup script shows the following error. The subnets need to be split and the loop that creates the iptables rules must be modified to insert one rule for each subnet.

----
[root@ipfire1 fcron.hourly]# /etc/init.d/squid restart
Creating Squid swap directories...   [ OK ]
Starting Squid Proxy Server...   [ OK ]
iptables v1.4.21: host/network `192.168.64.0/18|192.168.0.0/18|166.185.38.12' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: host/network `192.168.64.0/18|192.168.0.0/18|166.185.38.12' not found
Try `iptables -h' or 'iptables --help' for more information.
Hm. Interesting issue. I am not using IPsec myself, but how is one able to define more than one subnet in an IPsec connection?!
Just type multiple subnets as a comma-separated list in the remote subnet field. You do not need to establish the tunnel to have a look at this script.
Are you still working on this?
Created attachment 438 [details] Patch for squid init script Hi All, I was facing the same issue when using ipsec site2site connections with multiple subnets and wrote a small patch for the squid init script. It probably needs some further testing, but does the trick for me. Regards
Comment on attachment 438 [details] Patch for squid init script >--- /etc/init.d/squid.orig 2016-04-21 15:23:24.930819093 +0200 >+++ /etc/init.d/squid 2016-05-01 12:41:47.382659336 +0200 >@@ -27,16 +27,27 @@ > > COUNT=1 > FILE=/var/ipfire/vpn/config >- >- while read LINE; do >- let COUNT=$COUNT+1 >- CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` >- if [ "$CONN_TYPE" != "net" ]; then >- continue >- fi >- iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN >- done < $FILE > >+ while read LINE; do >+ let COUNT=$COUNT+1 >+ CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` >+ if [ "$CONN_TYPE" != "net" ]; then >+ continue >+ fi >+ netlist=`echo "$LINE" | awk -F, '{ print $13 }'` >+ if [ `echo $netlist | grep "|" | wc -l` -eq 0 ];then >+ iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN >+ else >+ OIFS="$IFS" >+ IFS='|' >+ read -a subnets <<< "${netlist}" >+ IFS="$OIFS" >+ for subnet in ${subnets[@]};do >+ iptables -t nat -A SQUID -i $1 -p tcp -d $subnet --dport 80 -j RETURN >+ done >+ fi >+ done < $FILE >+ > if [ "$RED_TYPE" == "STATIC" ]; then > iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN > fi
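Review bot: the single-subnet special case (`if [ `echo $netlist | grep "|" | wc -l` -eq 0 ]`) is unnecessary and duplicates the iptables call; looping over the split list covers one subnet as well as several, e.g. `for subnet in ${netlist//\|/ }; do iptables -t nat -A SQUID -i $1 -p tcp -d $subnet --dport 80 -j RETURN; done`, which also removes the OIFS/IFS juggling, the `read -a subnets` and the `${subnets[@]}` loop. The single-subnet branch additionally re-runs `awk ... '{ print $13 }'` on $LINE instead of using the $netlist computed two lines earlier. Neither branch skips an empty item (for example from a trailing `|` in field 13), so iptables would be handed an empty `-d` argument; a `[ -n "$subnet" ] || continue` inside the loop avoids that. The hunk also removes the blank line before the loop and adds one after it, an unrelated whitespace change that makes the diff larger than it needs to be.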
Created attachment 439 [details] Patch for squid init script, updated Version New Version of the Patch with fixed formatting.
Hey Oliver, thanks for working on this. This patch probably works, but I think this could also be done a bit shorter. Did you try something like: > for subnet in ${netlist//\|/ }; do ...; done This should work in all the cases and would make this script easier to read. Would you also please email the patch to the mailing list including authorship, etc.? http://wiki.ipfire.org/devel/submit-patches
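The split-and-loop approach suggested above, written out as a stand-alone, runnable example. This is added illustration, not IPFire's own /etc/init.d/squid or either of the attached patches. It assumes the config layout the patch relies on (comma-separated, field 5 = connection type, field 13 = remote subnet list joined with '|'); the config lines are constructed for the example, the interface name green0 and the IPTABLES variable are assumptions, and the function is named ipsec_squid_exceptions here for illustration. It is written in POSIX sh and uses tr to turn '|' into whitespace, which is the portable equivalent of the bash expansion `${netlist//\|/ }`:

```shell
#!/bin/sh
# Added example (not IPFire's init script): emit one SQUID-chain RETURN rule
# per remote subnet of every net-to-net IPsec connection, so traffic for the
# far side of a tunnel bypasses the transparent proxy.
#
# Assumed layout of /var/ipfire/vpn/config (taken from the patch in this bug):
# comma-separated, field 5 = connection type ("net" or "host"),
# field 13 = remote subnet(s), several subnets joined with '|'.

# On a real firewall run with IPTABLES=/sbin/iptables; the default only prints
# the commands so the example can run unprivileged and offline.
: "${IPTABLES:=echo iptables}"

# Constructed sample config (not a real IPFire file). It contains a host
# connection (must be skipped) and a trailing '|' (must not turn into an
# empty -d argument).
SAMPLE_CONFIG='1,on,siteA,,net,x,x,x,x,x,x,x,192.168.64.0/18|192.168.0.0/18|166.185.38.12,x
2,on,roadwarrior,,host,x,x,x,x,x,x,x,10.9.0.0/24,x
3,on,siteB,,net,x,x,x,x,x,x,x,10.20.0.0/16,x
4,on,siteC,,net,x,x,x,x,x,x,x,172.16.0.0/12|,x'

# ipsec_squid_exceptions IFACE < config
# Reads config lines on stdin and runs (or prints) one rule per remote subnet.
ipsec_squid_exceptions() {
    iface=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        conn_type=$(printf '%s\n' "$line" | awk -F, '{ print $5 }')
        [ "$conn_type" = "net" ] || continue
        netlist=$(printf '%s\n' "$line" | awk -F, '{ print $13 }')
        # Replace '|' with spaces and let word splitting produce the items.
        # A single subnet has no '|' and yields exactly one item, so the
        # unsplit case needs no special branch. Empty items (trailing '|')
        # disappear in whitespace splitting; the guard below is belt and braces.
        for subnet in $(printf '%s\n' "$netlist" | tr '|' ' '); do
            [ -n "$subnet" ] || continue
            $IPTABLES -t nat -A SQUID -i "$iface" -p tcp -d "$subnet" --dport 80 -j RETURN
        done
    done
}

# Demo run on the constructed config: prints five rules, none for the host
# connection and none with an empty destination.
printf '%s\n' "$SAMPLE_CONFIG" | ipsec_squid_exceptions green0
```

In the init script the function body would sit where the current while loop is, reading `< $FILE` and with IPTABLES pointing at the real binary; the printed form is only there so the splitting logic can be checked without touching a live ruleset.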
Is this bug still up to date?
Closing this since nobody answered (although the issue itself seems to be unfixed). In case it is still relevant, please reopen it and add it to https://bugzilla.ipfire.org/show_bug.cgi?id=11618 as "depends on". Thanks.
Created attachment 570 [details] init script patch for transparent proxy and ipsec vpn Hi all, Sorry for the long silence on this bug. Please find a new patch for the issue attached, including Michael's proposal and some minor cosmetics. One little thing I noticed is, if a tunnel gets enabled later on, it won't be excluded from the iptables chain by this patch until squid is bounced via the init script again. Regards Oliver
Reopening with new Patch
For the record: https://patchwork.ipfire.org/patch/1721/
Patch not mergeable