added NETMAP rules for the reverse direction

2010-07-27 21:16:44 +02:00 · 2010-07-27 21:16:44 +02:00 · ff7b0dd289
parent c100dd6b5f
commit ff7b0dd289
3 changed files with 11 additions and 4 deletions
--- a/testing/tests/ikev2/net2net-same-nets/description.txt
+++ b/testing/tests/ikev2/net2net-same-nets/description.txt
@ -12,4 +12,4 @@ connection definition of <b>ipsec.conf</b> both on the inbound and outbound traf
 the necessary NETMAP operations and forward the tunneled traffic.
 <p/>
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b>.
+pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
--- a/testing/tests/ikev2/net2net-same-nets/evaltest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@ -1,7 +1,10 @@
 moon::ipsec statusall::net-net.*ESTABLISHED::YES
 sun::ipsec statusall::net-net.*ESTABLISHED::YES
 alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES 
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES 
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@ -147,8 +147,8 @@ custom:*)		# custom parameters (see above CAUTION comment)
 esac

 # define NETMAP
-SAME_NET="10.0.0.0/14"
-IN_NET="10.4.0.0/14"
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
 OUT_NET="10.8.0.0/14"

 # define internal interface
@ -193,7 +193,11 @@ up-client:)
 	if [ -n "$PLUTO_MARK_OUT" ]
 	then
 	    iptables -t mangle -A PREROUTING $SET_MARK_OUT 
+	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -d $OUT_NET -j NETMAP --to $SAME_NET
 	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+                     -s $SAME_NET -j NETMAP --to $IN_NET
 	fi
 	;;
 down-client:)