First Cut at Kernel 2.6 IPSEC Support
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
accc6a031f
commit
84cb8c445d
@ -157,7 +157,7 @@ run_iptables() {
|
||||
|
||||
if ! iptables $@ ; then
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$@\" Failed"
|
||||
error_message "ERROR: Command \"iptables $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -188,7 +188,7 @@ run_iptables2() {
|
||||
run_ip() {
|
||||
if ! ip $@ ; then
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$@\" Failed"
|
||||
error_message "ERROR: Command \"ip $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -201,7 +201,7 @@ run_ip() {
|
||||
run_tc() {
|
||||
if ! tc $@ ; then
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$@\" Failed"
|
||||
error_message "ERROR: Command \"tc $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -606,6 +606,46 @@ verify_interface()
|
||||
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a match for decrypted packets
|
||||
#
|
||||
match_ipsec_in() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
|
||||
list_search $2 $hosts && echo "-m policy --pol ipsec --dir in"
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a match for packets that will be encrypted
|
||||
#
|
||||
match_ipsec_out() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
|
||||
list_search $2 $hosts && echo "-m policy --pol ipsec --dir out"
|
||||
}
|
||||
|
||||
#
|
||||
# Generate a match for packets that have been decrypted and that will be encrypted
|
||||
#
|
||||
match_ipsec_inout() # $1 =input zone, $2 = input host, $3 = output zone, $4 = output host"
|
||||
{
|
||||
local result="-m policy --pol ipsec"
|
||||
eval local input_hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local output_hosts=\"\$${3}_ipsec_hosts\"
|
||||
|
||||
if list_search $2 $input_hosts; then
|
||||
result="$result --dir in"
|
||||
if list_search $4 $output_hosts; then
|
||||
result="$result --dir out"
|
||||
fi
|
||||
echo $result
|
||||
elif list_search $4 $output_hosts; then
|
||||
echo "$result --dir out"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
#
|
||||
# Find hosts in a given zone
|
||||
@ -855,7 +895,10 @@ validate_hosts_file() {
|
||||
|
||||
for option in $(separate_list $options) ; do
|
||||
case $option in
|
||||
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|ipsec|-)
|
||||
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
|
||||
;;
|
||||
ipsec)
|
||||
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
|
||||
;;
|
||||
routeback)
|
||||
[ -z "$ports" ] && \
|
||||
@ -5598,7 +5641,7 @@ activate_rules()
|
||||
if havenatchain $destchain ; then
|
||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
|
||||
rm -f #TMP_DIR/physdev
|
||||
rm -f $TMP_DIR/physdev
|
||||
fi
|
||||
}
|
||||
|
||||
@ -5617,7 +5660,7 @@ activate_rules()
|
||||
\$${sourcechain}_rule $@ -j $destchain
|
||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
||||
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
|
||||
rm -f $TMP_DIR/physdev
|
||||
rm -f $TMP_DIR/physdev
|
||||
fi
|
||||
}
|
||||
#
|
||||
@ -5671,18 +5714,18 @@ activate_rules()
|
||||
interface=${host%%:*}
|
||||
networks=${host#*:}
|
||||
|
||||
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) -j $chain1
|
||||
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
||||
|
||||
#
|
||||
# Add jumps from the builtin chains for DNAT and SNAT rules
|
||||
#
|
||||
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks)
|
||||
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks)
|
||||
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
|
||||
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
|
||||
|
||||
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2
|
||||
|
||||
[ -n "$complex" ] && \
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) -j $frwd_chain
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
|
||||
case $networks in
|
||||
*.*.*.*)
|
||||
@ -5747,22 +5790,22 @@ activate_rules()
|
||||
# routeback was specified for this host group
|
||||
#
|
||||
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
|
||||
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) -j $chain
|
||||
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
fi
|
||||
done
|
||||
else
|
||||
for host in $source_hosts; do
|
||||
interface=${host%%:*}
|
||||
networks=${host#*:}
|
||||
|
||||
|
||||
chain1=$(forward_chain $interface)
|
||||
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%%:*}
|
||||
networks1=${host1#*:}
|
||||
|
||||
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) -j $chain
|
||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_inout $zone $host $zone1 $host1) -j $chain
|
||||
fi
|
||||
done
|
||||
done
|
||||
@ -6338,6 +6381,8 @@ do_initialize() {
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
|
||||
ALL_INTERFACES=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
@ -6524,7 +6569,6 @@ do_initialize() {
|
||||
fi
|
||||
|
||||
rm -f $TMP_DIR/physdev
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
|
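Review bot: The input-chain rule in the hunk at -5671 (`run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2`) is the one per-host rule that does not receive the new policy match, while the PREROUTING jump and the forward-chain rule in the same hunk gain `$(match_ipsec_in $zone $host)`; with a hosts entry such as the `vpn eth0:0.0.0.0/0 ipsec` example, the vpn zone's INPUT rule would then match every packet arriving on eth0 regardless of whether it was decrypted, so traffic addressed to the firewall itself is not separated by IPSEC policy the way forwarded traffic is. Unless that omission is deliberate, the line should read `run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2`. Separately, `match_ipsec_inout` in the hunk at -606 emits `-m policy --pol ipsec --dir in --dir out` on a single match instance when both hosts are ipsec hosts; as far as I recall the policy match accepts `--dir` only once, so the "both" case probably needs a second `-m policy --pol ipsec --dir out` rather than a repeated option (worth confirming against the patched iptables), and the `echo $result` there should be quoted like the `echo "$result --dir out"` branch. The enclosing `activate_rules` starts and ends outside these hunks.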
@ -124,5 +124,8 @@
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# ipsec - The zone is accessed over a
|
||||
# kernel 2.6 ipsec tunnel
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -172,3 +172,40 @@ New Features:
|
||||
|
||||
b) It causes /etc/shorewall/shorewall.conf to be modified so that
|
||||
it won't be replaced by upgrades using RPM.
|
||||
|
||||
7) Some additional support has been added for the 2.6 Kernel IPSEC
|
||||
implementation. To use this support, you must have installed the
|
||||
IPSEC policy match patch from Patch-0-Matic-ng. That patch affects
|
||||
both your kernel and iptables.
|
||||
|
||||
This new Shorewall support is enabled through use of the 'ipsec'
|
||||
option in /etc/shorewall/hosts.
|
||||
|
||||
Example:
|
||||
|
||||
Under 2.4 Kernel FreeS/Wan:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
net Net The big bad Internet
|
||||
vpn VPN Remote Network
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
vpn ipsec0 ...
|
||||
|
||||
Under 2.6 Kernel with this new support:
|
||||
|
||||
/etc/shorewall/zones (note the change of order):
|
||||
|
||||
vpn VPN Remote Network
|
||||
net Net The big bad Internet
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
vpn eth0:0.0.0.0/0 ipsec
|
||||
|