X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=debian%2Fifupdown.sh;h=e36c2b97e4e1722d2a17bc2c09075a2809778943;hp=b0ad90d5414dc69930947e8d970e32b7b6c8816e;hb=79f08c62c92c998e3904bab229444df2a2d6f522;hpb=3cc81077fbd2e9c4f8f945a0bf2f7fb2f829ece7;ds=sidebyside
diff --git a/debian/ifupdown.sh b/debian/ifupdown.sh
index b0ad90d..e36c2b9 100755
--- a/debian/ifupdown.sh
+++ b/debian/ifupdown.sh
@@ -12,14 +12,50 @@ then
 fi
 if [ "${MODE}" = "start" ]; then
- test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
- ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
- ip link set "${IFACE}peer" up || exit 1
- brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+
+ case "$PHASE" in
+ pre-up)
+
+ test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
+ ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
+ ip link set "${IFACE}peer" up || exit 1
+ brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+ ;;
+
+ post-up)
+ test -n "${IF_VETH_MASQUERADE}" || exit 0
+ if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
+ iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
+ else
+ echo "unable to setup VETH_MASQUERADE - no address/network"
+ exit 0
+ fi
+ ;;
+ esac
+
 elif [ "${MODE}" = "stop" ]; then
- brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
- ip link set "${IFACE}peer" down || exit 1
- ip link del "${IFACE}" || exit 1
+
+ case "$PHASE" in
+ post-down)
+
+ brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
+ ip link set "${IFACE}peer" down || exit 1
+ ip link del "${IFACE}" || exit 1
+ ;;
+
+ pre-down)
+ test -n "${IF_VETH_MASQUERADE}" || exit 0
+ if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
+ iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
+ fi
+ ;;
+
+ esac
+
 fi
 exit 0
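Review bot: The three `iptables -A` calls in the post-up arm are the only commands in this hunk whose exit status is ignored, so a failed CT-zone or MASQUERADE insertion leaves the interface up with masquerading silently half-configured; append `|| exit 1` to each, as the surrounding `ip`/`brctl` lines already do. Because `-A` appends unconditionally, a post-up that runs again without an intervening pre-down (for example after an aborted ifdown) stacks duplicate rules while the pre-down arm's single `-D` removes only one copy; guarding each insertion with `iptables -t nat -C POSTROUTING … 2>/dev/null || iptables -t nat -A POSTROUTING … || exit 1` keeps the rule set idempotent. The rules are IPv4-only and nothing visible in the hunk checks the address family, so an `inet6` stanza with VETH_MASQUERADE set would presumably hand `iptables` an IPv6 address and fail unnoticed — confirm whether the script's header, which lies outside this hunk, already filters on ADDRFAM. As a point of style, `[ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]` relies on the obsolescent `-a`; `[ -n "${IF_ADDRESS}" ] && [ -n "${IF_NETMASK}" ]` is the portable form, and the `echo` diagnostic belongs on stderr (`>&2`) rather than stdout.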