From 4c9cbfff84cd7125789d5f18efece69aa3938068 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 21 Aug 2004 00:22:47 +0000
Subject: [PATCH] More ipsec stuff
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1565 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 LrpN/etc/shorewall/ipsec | 10 ++++++++--
 LrpN/etc/shorewall/masq | 6 ++++++
 LrpN/usr/share/shorewall/firewall | 32 +++++++++++--------------------
 Shorewall2/firewall | 32 +++++++++++--------------------
 Shorewall2/ipsec | 10 ++++++++--
 Shorewall2/masq | 5 +++++
 6 files changed, 49 insertions(+), 46 deletions(-)
diff --git a/LrpN/etc/shorewall/ipsec b/LrpN/etc/shorewall/ipsec
index 6a0b881d6..5474ad718 100644
--- a/LrpN/etc/shorewall/ipsec
+++ b/LrpN/etc/shorewall/ipsec
@@ -16,8 +16,9 @@
 # option in /etc/shorewall/hosts.
 #
 # OPTIONS, A comma-separated list of options as follows:
-# IN OPTIONS, reqid= where is specified
-# OUT OPTIONS using setkey(8) using the 'unique:
+# IN OPTIONS,
+# OUT OPTIONS reqid= where is specified
+# using setkey(8) using the 'unique:
 # option for the SPD level.
 #
 # spi= where is the SPI of
@@ -33,6 +34,11 @@
 # tunnel-dst=[/] (only
 # available with mode=tunnel)
 #
+# strict Means that packets must match all rules.
+#
+# next Separates rules; can only be used with
+# strict..
+#
 # Example:
 # mode=transport,reqid=44
 #
diff --git a/LrpN/etc/shorewall/masq b/LrpN/etc/shorewall/masq
index 01f29f866..2d37de31b 100644
--- a/LrpN/etc/shorewall/masq
+++ b/LrpN/etc/shorewall/masq
@@ -132,6 +132,12 @@
 # tunnel-dst=[/] (only
 # available with mode=tunnel)
 #
+# strict Means that packets must match all
+# rules.
+#
+# next Separates rules; can only be used
+# with strict..
+#
 # Example 1:
 #
 # You have a simple masquerading setup where eth0 connects to
diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall
index ba630b7ff..01a69d59a 100755
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
@@ -1646,6 +1646,8 @@ setup_ipsec() {
 for option in $opts; do
 case $option in
+ strict) newoptions="$newoptions --strict" ;;
+ next) newoptions="$newoptions --next" ;;
 reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
 spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
 proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
@@ -4567,27 +4569,15 @@ setup_masq()
 options=$(separate_list $options)
 for option in $options; do
 case $option in
- reqid=*)
- policy="$policy --reqid ${option#*=}"
- ;;
- spi=*)
- policy="$policy --spi ${option#*=}"
- ;;
- proto=*)
- policy="$policy --proto ${option#*=}"
- ;;
- mode=*)
- policy="$policy --mode ${option#*=}"
- ;;
- tunnel-src=*)
- policy="$policy --tunnel-src ${option#*=}"
- ;;
- tunnel-dst=*)
- policy="$policy --tunnel-dst ${option#*=}"
- ;;
- *)
- fatal_error "Invalid IPSEC option \"$option\""
- ;;
+ strict) policy="$policy --strict" ;;
+ next) policy="$policy --next" ;;
+ reqid=*) policy="$policy --reqid ${option#*=}" ;;
+ spi=*) policy="$policy --spi ${option#*=}" ;;
+ proto=*) policy="$policy --proto ${option#*=}" ;;
+ mode=*) policy="$policy --mode ${option#*=}" ;;
+ tunnel-src=*) policy="$policy --tunnel-src ${option#*=}" ;;
+ tunnel-dst=*) policy="$policy --tunnel-dst ${option#*=}" ;;
+ *) fatal_error "Invalid IPSEC option \"$option\"" ;;
 esac
 done
 }
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index ba630b7ff..01a69d59a 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
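Review bot: The new `next)` arm in setup_masq appends `--next` regardless of what precedes it, although the option text added to the ipsec and masq files in this same commit says next can only be used with strict; as far as I recall the iptables policy match refuses `--next` outside a `--strict` policy, so a bad entry is only reported when the generated rule is loaded rather than by the config parser with a usable fatal_error. The loop could track the mode instead: initialise `strict=` right after `options=$(separate_list $options)`, then `strict) policy="$policy --strict"; strict=Yes ;;` and `next) [ -n "$strict" ] || fatal_error "IPSEC option \"next\" requires \"strict\""; policy="$policy --next" ;;`. The same applies to the `newoptions` arms in the setup_ipsec hunk above, whose loop start and any `*)` arm lie outside the hunk, and to the identical hunks in Shorewall2/firewall. The `reqid=`, `spi=`, `proto=` and `mode=` arms also pass `${option#*=}` through unchecked, so an empty value such as `reqid=` yields a bare `--reqid` whose argument becomes whatever policy option follows it.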
@@ -1646,6 +1646,8 @@ setup_ipsec() {
 for option in $opts; do
 case $option in
+ strict) newoptions="$newoptions --strict" ;;
+ next) newoptions="$newoptions --next" ;;
 reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
 spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
 proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
@@ -4567,27 +4569,15 @@ setup_masq()
 options=$(separate_list $options)
 for option in $options; do
 case $option in
- reqid=*)
- policy="$policy --reqid ${option#*=}"
- ;;
- spi=*)
- policy="$policy --spi ${option#*=}"
- ;;
- proto=*)
- policy="$policy --proto ${option#*=}"
- ;;
- mode=*)
- policy="$policy --mode ${option#*=}"
- ;;
- tunnel-src=*)
- policy="$policy --tunnel-src ${option#*=}"
- ;;
- tunnel-dst=*)
- policy="$policy --tunnel-dst ${option#*=}"
- ;;
- *)
- fatal_error "Invalid IPSEC option \"$option\""
- ;;
+ strict) policy="$policy --strict" ;;
+ next) policy="$policy --next" ;;
+ reqid=*) policy="$policy --reqid ${option#*=}" ;;
+ spi=*) policy="$policy --spi ${option#*=}" ;;
+ proto=*) policy="$policy --proto ${option#*=}" ;;
+ mode=*) policy="$policy --mode ${option#*=}" ;;
+ tunnel-src=*) policy="$policy --tunnel-src ${option#*=}" ;;
+ tunnel-dst=*) policy="$policy --tunnel-dst ${option#*=}" ;;
+ *) fatal_error "Invalid IPSEC option \"$option\"" ;;
 esac
 done
 }
diff --git a/Shorewall2/ipsec b/Shorewall2/ipsec
index 6a0b881d6..5474ad718 100644
--- a/Shorewall2/ipsec
+++ b/Shorewall2/ipsec
@@ -16,8 +16,9 @@
 # option in /etc/shorewall/hosts.
 #
 # OPTIONS, A comma-separated list of options as follows:
-# IN OPTIONS, reqid= where is specified
-# OUT OPTIONS using setkey(8) using the 'unique:
+# IN OPTIONS,
+# OUT OPTIONS reqid= where is specified
+# using setkey(8) using the 'unique:
 # option for the SPD level.
 #
 # spi= where is the SPI of
@@ -33,6 +34,11 @@
 # tunnel-dst=[/] (only
 # available with mode=tunnel)
 #
+# strict Means that packets must match all rules.
+#
+# next Separates rules; can only be used with
+# strict..
+#
 # Example:
 # mode=transport,reqid=44
 #
diff --git a/Shorewall2/masq b/Shorewall2/masq
index 43224a142..7c6dd1ae8 100755
--- a/Shorewall2/masq
+++ b/Shorewall2/masq
@@ -132,6 +132,11 @@
 # tunnel-dst=[/] (only
 # available with mode=tunnel)
 #
+# strict Means that packets must match all
+# rules.
+#
+# next Separates rules; can only be used
+# with strict..
 #
 # Example 1:
 #