Fix dynamic ipsec zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1571 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-21 22:20:26 +00:00
parent 420c4803bd
commit 0c5230d2cf


@ -6215,15 +6215,23 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
validate_zone $zone || startup_error "Unknown zone: $zone" validate_zone $zone || startup_error "Unknown zone: $zone"
f=$(find_file ipsec)
if [ -f $f ]; then
progress_message "Processing $f..."
setup_ipsec $f
fi
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
eval is_ipsec=\$${zone}_is_ipsec eval is_ipsec=\$${zone}_is_ipsec
eval options=\"\$${zone}_ipsec_options\" eval options=\"\$${zone}_ipsec_options\"
eval in_options=\"\$${zone}_ipsec_in_options\"
eval out_options=\"\$${zone}_ipsec_out_options\"
if [ -n "$is_ipsec" ]; then if [ -n "$is_ipsec" ]; then
[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support" [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support"
policyin="-m policy --pol ipsec --dir in $options" policyin="-m policy --pol ipsec --dir in $options $in_options"
policyout="-m policy --pol ipsec --dir out $options" policyout="-m policy --pol ipsec --dir out $options $out_options"
elif [ -n "$POLICY_MATCH" ]; then elif [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --pol none --dir in" policyin="-m policy --pol none --dir in"
policyout="-m policy --pol none --dir out" policyout="-m policy --pol none --dir out"
@ -6373,11 +6381,31 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
determine_zones determine_zones
f=$(find_file ipsec)
if [ -f $f ]; then
progress_message "Processing $f..."
setup_ipsec $f
fi
zone=$2 zone=$2
validate_zone $zone || startup_error "Unknown zone: $zone" validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone" [ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone"
eval is_ipsec=\$${zone}_is_ipsec
eval options=\"\$${zone}_ipsec_options\"
eval in_options=\"\$${zone}_ipsec_in_options\"
eval out_options=\"\$${zone}_ipsec_out_options\"
if [ -n "$is_ipsec" ]; then
[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support"
policyin="-m policy --pol ipsec --dir in $options $in_options"
policyout="-m policy --pol ipsec --dir out $options $out_options"
elif [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --pol none --dir in"
policyout="-m policy --pol none --dir out"
fi
# #
# Be sure that Shorewall has been restarted using a DZ-aware version of the code # Be sure that Shorewall has been restarted using a DZ-aware version of the code
# #
@ -6413,14 +6441,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Delete any nat table entries for the host(s) # Delete any nat table entries for the host(s)
# #
qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat qt iptables -t nat -D $(dynamic_in $interface) -s $host $policyin -j ${zone}_dnat
# #
# Delete rules rules the input chains for the passed interface # Delete rules rules the input chains for the passed interface
# #
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
qt iptables -D $(dynamic_in $interface) -s $host -j $chain qt iptables -D $(dynamic_in $interface) -s $host $policyin -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -6430,13 +6458,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi fi
done done
fi fi
elif [ "$z2" = "$zone" ]; then elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then if [ "$z1" = "$FW" ]; then
qt iptables -D $(dynamic_out $interface) -d $host -j $chain qt iptables -D $(dynamic_out $interface) -d $host $policyout -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -6445,7 +6473,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain
fi fi
done done
fi fi
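Review bot: The `$policyin`/`$policyout` arguments added to the `qt iptables -D` calls in delete_from_zone only remove a rule if the match string is byte-for-byte what add_to_zone inserted (iptables -D compares the full rule spec, including match-module order), yet that string is now computed in a second copy of the add_to_zone code and every delete is silenced by `qt`, so any future divergence between the two copies would leave the host's accept rules in place while the delete appears to succeed. Consider moving the policy-match computation into one helper called from both functions, and reporting a delete that removed nothing, e.g. `qt iptables -D $(dynamic_in $interface) -s $host $policyin -j $chain || echo "Warning: no rule removed for $host in $(dynamic_in $interface)" >&2`. Two smaller points on the new block: `policyin`/`policyout` are never cleared before the `if [ -n "$is_ipsec" ]` chain, so starting it with `policyin= policyout=` would make the no-policy-match case explicit rather than relying on the variables being unset, and `[ -f $f ]` is true when `$f` is empty (a one-argument test), so `[ -f "$f" ]` is the safer spelling if find_file can ever return nothing. The body of delete_from_zone continues outside these hunks, and the rendered hunks appear to drop their trailing context lines, so the nat-side rule that the `${zone}_dnat` deletion must mirror is not visible here.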