From 34ffbdfceb8128ec5c4da412b35812eed02f0415 Mon Sep 17 00:00:00 2001
From: Chiradeep Vittal
Date: Thu, 11 Aug 2011 18:23:35 -0700
Subject: [PATCH] bug 11084: ensure AH and ESP protocols are allowed in when creating a VPN
---
 .../debian/vpn/opt/cloud/bin/vpn_l2tp.sh | 28 ++++++++++++-------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
index abffc5ef208..fdafdac5b37 100755
--- a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
+++ b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
@@ -42,18 +42,26 @@ iptables_() {
 local subnet_if="eth0"
 local subnet_ip=$(get_intf_ip $subnet_if)
- iptables $op INPUT -i $public_if --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT
- iptables $op INPUT -i $public_if --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT
- iptables $op INPUT -i $public_if --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT
- iptables $op INPUT -i eth2 -p ah -j ACCEPT
- iptables $op INPUT -i eth2 -p esp -j ACCEPT
- iptables $op FORWARD -i ppp+ -o $subnet_if -j ACCEPT
- iptables $op FORWARD -i $subnet_if -o ppp+ -j ACCEPT
- iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
- iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
+ sudo iptables $op INPUT -i $public_if --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT
+ sudo iptables $op INPUT -i $public_if --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT
+ sudo iptables $op INPUT -i $public_if --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT
+ sudo iptables $op INPUT -i eth2 -p ah -j ACCEPT
+ sudo iptables $op INPUT -i eth2 -p esp -j ACCEPT
+ sudo iptables $op FORWARD -i ppp+ -o $subnet_if -j ACCEPT
+ sudo iptables $op FORWARD -i $subnet_if -o ppp+ -j ACCEPT
+ sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+ sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
+ sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip
+ if sudo iptables -t mangle -N FIREWALL_$public_ip &> /dev/null
+ then
+ logger -t cloud "$(basename $0): created firewall chain in PREROUTING mangle"
+ fi
+ op2="-D"
+ [ "$op" == "-A" ] && op2="-I"
+ sudo iptables -t mangle $op FIREWALL_$public_ip -p ah -j ACCEPT
+ sudo iptables -t mangle $op FIREWALL_$public_ip -p esp -j ACCEPT
- iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip
 }
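Review bot: `op2` is computed as `-I`/`-D` but never used — the two mangle rules that follow still pass `$op`, so on the add path the AH/ESP ACCEPTs are appended to `FIREWALL_$public_ip` instead of inserted at its head and will sit behind any DROP already in that chain, which defeats the stated purpose of the fix; the two lines should read `sudo iptables -t mangle $op2 FIREWALL_$public_ip -p ah -j ACCEPT` and the same with `-p esp`. Note also that `-j ACCEPT` in the mangle table only ends traversal of that table and does not admit the packet past the filter INPUT chain, so these rules only matter if that chain holds DROPs (not visible in the hunk) — the `-i eth2 -p ah`/`-p esp` INPUT rules above remain the ones that actually let the traffic in. The chain is created (and logged as "created ... in PREROUTING mangle") on the `-D` path as well, and nothing in this hunk links it from PREROUTING; presumably that jump is installed elsewhere, worth confirming. The unquoted `$public_ip`, `$public_if`, `$op` and `$(basename $0)` expansions would be flagged by ShellCheck, though they match the surrounding lines; `iptables_()` continues outside the hunk.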