New IPSEC Options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1554 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -46,3 +46,5 @@ Changes since 2.0.3
 21) Apply policy to interface/host options.
 
 22) Fix policy and maclist.
+
+23) Implement additional IPSEC options for zones and masq entries.

Shorewall2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.1.4
+VERSION=2.1.5
 
 usage() # $1 = exit status
 {
@@ -85,6 +85,8 @@ restore_file /etc/shorewall/policy
 
 restore_file /etc/shorewall/interfaces
 
+restore_file /etc/shorewall/ipsec
+
 restore_file /etc/shorewall/hosts
 
 restore_file /etc/shorewall/rules

Shorewall2/firewall

@@ -613,11 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
 {
     eval local is_ipsec=\$${1}_is_ipsec
     eval local hosts=\"\$${1}_ipsec_hosts\"
+    eval local options=\"\$${1}_ipsec_options\"
 
     if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
-	echo "-m policy --pol ipsec --dir in"
+	echo "-m policy --pol ipsec --dir in $options"
     elif [ -n "$POLICY_MATCH" ]; then
-	echo "-m policy --pol none --dir in"
+	echo "-m policy --pol none --dir in $options"
     fi
 }
 
@@ -628,11 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
 {
     eval local is_ipsec=\$${1}_is_ipsec
     eval local hosts=\"\$${1}_ipsec_hosts\"
+    eval local options=\"\$${1}_ipsec_options\"
 
     if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
-	echo "-m policy --pol ipsec --dir out"
+	echo "-m policy --pol ipsec --dir out $options"
     elif [ -n "$POLICY_MATCH" ]; then
-	echo "-m policy --pol none --dir out"
+	echo "-m policy --pol none --dir out $options"
     fi
 }
 
@@ -1454,6 +1456,7 @@ setup_tunnels() # $1 = name of tunnels file
     local inchain
     local outchain
 
+
     setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
     {
     	local kind=$2 noah=
@@ -1485,7 +1488,21 @@ setup_tunnels() # $1 = name of tunnels file
 	    run_iptables -A $inchain  -p udp -s $1 --dport 4500 $options
 	fi
 
-	for z in $(separate_list $3); do
+	for z in $3; do
+	    case $z in 
+		*:ipsec)
+		    z=${z%:*}
+		    eval ${z}_is_ipsec=Yes
+		    ;;
+	        *:ipsec\(*)
+                    do_options
+		    eval ${z}_is_ipsec=Yes
+		    ;;
+		*:mixed\(*)
+	            do_options
+		    ;;
+            esac	
+
 	    if validate_zone $z; then
 		addrule ${FW}2${z} -p udp --dport 500 $options
 		if [ $kind = ipsec ]; then
@@ -1495,8 +1512,7 @@ setup_tunnels() # $1 = name of tunnels file
 		    addrule ${z}2${FW} -p udp --dport 4500 $options
 		fi
 	    else
-		error_message "Warning: Invalid gateway zone ($z)" \
+		fatal_error ": Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
-		" -- Tunnel \"$tunnel\" may encounter keying problems"
 	    fi
 	done
 
@@ -1632,6 +1648,64 @@ setup_tunnels() # $1 = name of tunnels file
     done < $TMP_DIR/tunnels
 }
 
+setup_ipsec() {
+
+    do_options() {
+	local option newoptions=
+
+	options=$(separate_list $options)
+
+	for option in $options; do
+	    case $option in
+		reqid=*)
+		    newoptions="$newoptions --reqid ${option#*=}"
+		    ;;
+		spi=*)
+		    newoptions="$newoptions --spi ${option#*=}"
+		    ;;
+		proto=*)
+		    newoptions="$newoptions --proto ${option#*=}"
+		    ;;
+		mode=*)
+		    newoptions="$newoptions --mode ${option#*=}"
+		    ;;
+		tunnel-src=*)
+		    newoptions="$newoptions --tunnel-src ${option#*=}"
+		    ;;
+		tunnel-dst=*)
+		    newoptions="$newoptions --tunnel-dst ${option#*=}"
+		    ;;
+		*)
+		    fatal_error "Invalid option \"$option\" for zone $zone"
+		    ;;
+	    esac
+	done
+	eval ${zone}_ipsec_options=\"${newoptions# }\"	    
+    }
+
+    strip_file ipsec $1
+    
+    while read zone ipsec options; do
+	expandv zone ipsec options
+
+	validate_zone1 $zone || fatal_error "Unknown zone: $zone"
+
+	case $ipsec in
+	    -|No|no)
+		;;
+	    Yes|yes)
+		eval ${zone}_is_ipsec=Yes
+		;;
+	    *)
+		fatal_error "Invalid IPSEC column value: $ipsec"
+		;;
+	esac
+
+	do_options
+
+    done < $TMP_DIR/ipsec
+}	
+
 #
 # Setup Proxy ARP
 #
@@ -2424,6 +2498,12 @@ check_config() {
 
     display_list "Zones:" $zones
 
+    ipsecfile=$(find_file ipsec)
+
+    [ -f $ipsecfile ] && \
+	echo "Validating ipsec file..." && \
+	setup_ipsec $ipsecfile
+
     echo "Validating interfaces file..."
 
     validate_interfaces_file
@@ -4496,6 +4576,38 @@ get_routed_networks() # $1 = interface name
 #
 setup_masq()
 {
+    do_ipsec_options() {
+	local options=$(separate_list $ipsec) option 
+	policy ="-m policy --pol ipsec --dir out"
+
+	options=$(separate_list $options)
+	for option in $options; do
+	    case $option in
+		reqid=*)
+		    policy="$policy --reqid ${option#*=}"
+		    ;;
+		spi=*)
+		    policy="$policy --spi ${option#*=}"
+		    ;;
+		proto=*)
+		    policy="$policy --proto ${option#*=}"
+		    ;;
+		mode=*)
+		    policy="$policy --mode ${option#*=}"
+		    ;;
+		tunnel-src=*)
+		    policy="$policy --tunnel-src ${option#*=}"
+		    ;;
+		tunnel-dst=*)
+		    policy="$policy --tunnel-dst ${option#*=}"
+		    ;;
+		*)
+		    fatal_error "Invalid IPSEC option \"$option\""
+		    ;;
+	    esac
+	done
+    }
+
     setup_one() {
 	local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy=
 
@@ -4513,9 +4625,7 @@ setup_masq()
 		policy="-m policy --pol none --dir out"
 		;;
 	    *)
-		[ -n "$ipsec" ] && \
+		[ -n "$ipsec" ] && do_ipsec_options || [ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
-		    fatal_error "Invalid value in IPSEC column: $ipsec"
-		[ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
 		;;
 	esac
 
@@ -5985,6 +6095,10 @@ define_firewall() # $1 = Command (Start or Restart)
     [ -f $tunnels ] && \
 	echo "Processing $tunnels..." &&       setup_tunnels $tunnels
 
+    ipsecfile=$(find_file ipsec)
+    [ -f $ipsecfile ] && \
+	echo "Processing $ipsecfile..." &&     setup_ipsec $ipsecfile
+
     maclist_hosts=$(find_hosts_by_option maclist)
     [ -n "$maclist_hosts" ] &&                 setup_mac_lists
 
@@ -6118,11 +6232,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
     [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
 
     eval is_ipsec=\$${zone}_is_ipsec
+    eval options=\"\$${zone}_ipsec_options\"
 
     if [ -n "$is_ipsec" ]; then
 	[ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support"
-	policyin="-m policy --pol ipsec --dir in"
+	policyin="-m policy --pol ipsec --dir in $options"
-	policyout="-m policy --pol ipsec --dir out"
+	policyout="-m policy --pol ipsec --dir out $options"
     elif [ -n "$POLICY_MATCH" ]; then
  	policyin="-m policy --pol none --dir in"
 	policyout="-m policy --pol none --dir out"

Shorewall2/functions

@@ -270,15 +270,7 @@ determine_zones()
     
     for zone in $zones; do
 	dsply=$(find_display $zone $TMP_DIR/zones)
-	case $zone in 
+	[ ${#zone} -gt 5 ] && echo "   Warning: Zone name longer than 5 characters: $zone" >&2
-	    *:ipsec)
-		zone=${zone%:*}
-		eval ${zone}_is_ipsec=Yes
-		;;
-	    *)
-	esac
-	
-	[ ${#zone} -gt 5 ] && echo "   Warning: Zone name longer than 5 characters: $zone" 2> /tmp/trace
 	eval ${zone}_display=\$dsply
 	newzones="$newzones $zone"
     done

Shorewall2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.1.4
+VERSION=2.1.5
 
 usage() # $1 = exit status
 {
@@ -247,6 +247,16 @@ else
     echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
 fi
 #
+# Install the ipsec file
+#
+if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
+    backup_file /etc/shorewall/ipsec
+else
+    run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
+    echo
+    echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
+fi
+#
 # Install the hosts file
 #
 if [ -f ${PREFIX}/etc/shorewall/hosts ]; then

Shorewall2/ipsec

@@ -0,0 +1,42 @@
+#
+# Shorewall 2.1 - /etc/shorewall/ipsec
+#
+#	This file defines the attributes of zones with respect to
+#	IPSEC. To use this file, you must be running a 2.6 kernel and
+#       both your kernel and iptables must include Policy Match Support.
+#
+#	The columns are:
+#
+#		ZONE	The name of a zone defined in /etc/shorewall/zones. The
+#			$FW zone may not be listed.
+#
+#		IPSEC   Yes --  Communication with all zone hosts is encrypted
+#		ONLY	No  --  Communication with some zone hosts is encrypted. 
+#				Encrypted hosts are designated using the 'ipsec'
+#				option in /etc/shorewall/hosts. 				
+#
+#		OPTIONS	A comma-separated list of options as follows:
+#				reqid=<number> where <number> is specified
+#				using setkey(8) using the 'unique:<number>
+#				option for the SPD level.
+#
+#				spi=<number> where <number> is the SPI of
+#				the SA.
+#
+#				proto=ah|esp|ipcomp 
+#
+#				mode=transport|tunnel
+#
+#				tunnel-src=<address>[/<mask>] (only
+#				available with mode=tunnel)
+#
+#				tunnel-dst=<address>[/<mask>] (only
+#				available with mode=tunnel)
+#
+#			Example:
+#				mode=transport,reqid=44
+################################################################################
+#ZONE	IPSEC	OPTIONS
+#	ONLY
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+

Shorewall2/masq

@@ -107,8 +107,31 @@
 #				       source address changed.
 #
 #				- or empty is the same as No providing that 
-#				your kernel and iptables contain policy match
+#				       your kernel and iptables contain policy match
-#				support.
+#				       support.
+#
+#				Comma-separated list of options from the following.
+#				Only packets that will be encrypted via an SA that
+#				matches these options will have their source address
+#				changed.
+#
+#					reqid=<number> where <number> is specified
+#					using setkey(8) using the 'unique:<number>
+#					option for the SPD level.
+#
+#					spi=<number> where <number> is the SPI of
+#					the SA.
+#
+#					proto=ah|esp|ipcomp 
+#
+#					mode=transport|tunnel
+#
+#					tunnel-src=<address>[/<mask>] (only
+#					available with mode=tunnel)
+#
+#					tunnel-dst=<address>[/<mask>] (only
+#					available with mode=tunnel) 
+#
 #
 #	Example 1:
 #

Shorewall2/releasenotes.txt

@@ -230,8 +230,23 @@ New Features:
     IPSEC policy match patch from Patch-0-Matic-ng. That patch affects
     both your kernel and iptables.
 
-    This new Shorewall support is enabled through use of the 'ipsec'
+    There are two ways to specify that IPSEC is to be used when
-    option in /etc/shorewall/hosts.
+    communicating with a set of hosts; both methods involve the new
+    /etc/shorewall/ipsec file:
+
+    a) If encrypted communication is used with all hosts in a zone,
+    then you can designate the zone as an "ipsec" zone by placing
+    'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
+
+	#ZONE		IPSEC	OPTIONS
+	#		ONLY
+	vpn		Yes
+
+    The hosts in the zone (if any) must be specified in
+    /etc/shorewall/hosts but you do not need to specify the 'ipsec'
+    option on the entries in that file (see below).
+
+    Dynamic zones involving IPSEC must use that technique.
 
     Example:
 
@@ -249,10 +264,10 @@ New Features:
 
     Under 2.6 Kernel with this new support:
     
-	/etc/shorewall/zones (note the change of order):
+	/etc/shorewall/zones:
 
-	vpn	VPN	Remote Network
+	net		Net	The big bad Internet
-	net	Net	The big bad Internet
+	vpn		VPN	Remote Network
 
 	/etc/shorewall/interfaces:
 
@@ -260,13 +275,84 @@ New Features:
     
 	/etc/shorewall/hosts:
 
-	vpn	eth0:0.0.0.0/0	ipsec
+	vpn	eth0:0.0.0.0/0
 
+	/etc/shorewall/ipsec
+
+	vpn	Yes
+
+    b) If only part of the hosts in a zone require encrypted
+    communication, you may use of the new 'ipsec' option in
+    /etc/shorewall/hosts to designate those hosts.
+
+    Example:
+
+    Under 2.4 Kernel FreeS/Wan:
+
+	  /etc/shorewall/zones:
+
+	  net	Net	The big bad Internet
+	  loc	Local	Extended local zone
+
+	  /etc/shorewall/interfaces:
+
+	  net	eth0	...
+	  loc	eth1	...
+	  loc	ipsec0	...
+
+    Under 2.6 Kernel with this new support:
+    
+	/etc/shorewall/zones:
+
+	net		Net	The big bad Internet
+	vpn      	VPN	Remote Network
+
+	/etc/shorewall/interfaces:
+
+	net	eth0	...
+	loc	eth1	...
+    
+	/etc/shorewall/hosts:
+
+	vpn	eth0:0.0.0.0/0	ipsec,...
+
+    Regardless of which technique you choose, you can specify
+    additional SA options for the zone in the /etc/shorewall/ipsec
+    entry.
+
+    The OPTIONS column specifies 
+
+    The available options are:
+
+	reqid=<number> where <number> is specified using setkey(8) using
+	the 'unique:<number>' option for the SPD level.
+
+	 spi=<number> where <number> is the SPI of the SA.
+
+	 proto=ah|esp|ipcomp 
+
+	 mode=transport|tunnel
+
+	 tunnel-src=<address>[/<mask>] (only available with mode=tunnel)
+
+	 tunnel-dst=<address>[/<mask>] (only available with mode=tunnel) 
+
+    Examples:
+
+	#ZONE	IPSEC	OPTIONS
+	#	ONLY
+	vpn	Yes	mode=tunnel,proto=esp
+	loc	No	reqid=44,mode=transport
+ 
     The /etc/shorewall/masq file has a new IPSEC column added. If you
     specify Yes or yes in that column then the unencrypted packets will
     have their source address changed. Otherwise, the unencrypted
-    packets will not have their source addresses changed.
+    packets will not have their source addresses changed. This column
- 
+    may also contain a comma-separated list of the options specified
+    above in which case only those packets that will be encrypted
+    by an SA matching the given options will have their source address
+    changed.
+
 8)  To improve interoperability, tunnels of type 'ipsec' no longer
     enforce the use of source port 500 for ISAKMP.
 

Shorewall2/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.1.4
+%define version 2.1.5
 %define release 1
 %define prefix /usr
 
@@ -62,6 +62,7 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
@@ -127,6 +128,9 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Wed Aug 18 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.1.5-1
+- Add /etc/shorewall/ipsec
 * Sat Aug 14 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.1.4-1
 * Sat Aug 07 2004 Tom Eastep tom@shorewall.net

Shorewall2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.1.4
+VERSION=2.1.5
 
 usage() # $1 = exit status
 {

Shorewall2/zones

@@ -3,9 +3,7 @@
 #
 # This file determines your network zones. Columns are:
 #
-#	ZONE		Short name of the zone (5 Characters or less in length). 
+#	ZONE		Short name of the zone (5 Characters or less in length).
-#			If all hosts in the zone are accessed using kernel 2.6
-#			ipsec SAs then follow the zone name with ":ipsec".
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #