extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-25 17:13:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

First Cut at Kernel 2.6 IPSEC Support

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-06 15:35:05 +00:00
parent accc6a031f
commit 84cb8c445d
3 changed files with 99 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
Shorewall2/firewall
View File

@ -157,7 +157,7 @@ run_iptables() {
if ! iptables $@ ; then
if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed"
error_message "ERROR: Command \"iptables $@\" Failed"
stop_firewall
exit 2
fi
@ -188,7 +188,7 @@ run_iptables2() {
run_ip() {
if ! ip $@ ; then
if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed"
error_message "ERROR: Command \"ip $@\" Failed"
stop_firewall
exit 2
fi
@ -201,7 +201,7 @@ run_ip() {
run_tc() {
if ! tc $@ ; then
if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed"
error_message "ERROR: Command \"tc $@\" Failed"
stop_firewall
exit 2
fi
@ -606,6 +606,46 @@ verify_interface()
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
}
#
# Generate a match for decrypted packets
#
match_ipsec_in() # $1 = zone, $2 = host
{
eval local hosts=\"\$${1}_ipsec_hosts\"
list_search $2 $hosts && echo "-m policy --pol ipsec --dir in"
}
#
# Generate a match for packets that will be encrypted
#
match_ipsec_out() # $1 = zone, $2 = host
{
eval local hosts=\"\$${1}_ipsec_hosts\"
list_search $2 $hosts && echo "-m policy --pol ipsec --dir out"
}
#
# Generate a match for packets that have been decrypted and that will be encrypted
#
match_ipsec_inout() # $1 =input zone, $2 = input host, $3 = output zone, $4 = output host"
{
local result="-m policy --pol ipsec"
eval local input_hosts=\"\$${1}_ipsec_hosts\"
eval local output_hosts=\"\$${3}_ipsec_hosts\"
if list_search $2 $input_hosts; then
result="$result --dir in"
if list_search $4 $output_hosts; then
result="$result --dir out"
fi
echo $result
elif list_search $4 $output_hosts; then
echo "$result --dir out"
fi
}
#
#
# Find hosts in a given zone
@ -855,7 +895,10 @@ validate_hosts_file() {
for option in $(separate_list $options) ; do
case $option in
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|ipsec|-)
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
;;
ipsec)
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
;;
routeback)
[ -z "$ports" ] && \
@ -5598,7 +5641,7 @@ activate_rules()
if havenatchain $destchain ; then
run_iptables -t nat -A $sourcechain $@ -j $destchain
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
rm -f #TMP_DIR/physdev
rm -f $TMP_DIR/physdev
fi
}
@ -5671,18 +5714,18 @@ activate_rules()
interface=${host%%:*}
networks=${host#*:}
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) -j $chain1
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
#
# Add jumps from the builtin chains for DNAT and SNAT rules
#
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks)
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks)
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2
[ -n "$complex" ] && \
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) -j $frwd_chain
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
case $networks in
*.*.*.*)
@ -5747,7 +5790,7 @@ activate_rules()
# routeback was specified for this host group
#
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) -j $chain
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi
done
else
@ -5762,7 +5805,7 @@ activate_rules()
networks1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) -j $chain
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_inout $zone $host $zone1 $host1) -j $chain
fi
done
done
@ -6338,6 +6381,8 @@ do_initialize() {
RESTOREBASE=
TMP_DIR=
ALL_INTERFACES=
stopping=
have_mutex=
masq_seq=1
@ -6524,7 +6569,6 @@ do_initialize() {
fi
rm -f $TMP_DIR/physdev
}
#

3
Shorewall2/hosts
View File

@ -124,5 +124,8 @@
# This option has no effect if
# NEWNOTSYN=Yes.
#
# ipsec - The zone is accessed over a
# kernel 2.6 ipsec tunnel
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

37
Shorewall2/releasenotes.txt
View File

@ -172,3 +172,40 @@ New Features:
b) It causes /etc/shorewall/shorewall.conf to be modified so that
it won't be replaced by upgrades using RPM.
7) Some additional support has been added for the 2.6 Kernel IPSEC
implementation. To use this support, you must have installed the
IPSEC policy match patch from Patch-0-Matic-ng. That patch affects
both your kernel and iptables.
This new Shorewall support is enabled through use of the 'ipsec'
option in /etc/shorewall/hosts.
Example:
Under 2.4 Kernel FreeS/Wan:
/etc/shorewall/zones:
net Net The big bad Internet
vpn VPN Remote Network
/etc/shorewall/interfaces:
net eth0 ...
vpn ipsec0 ...
Under 2.6 Kernel with this new support:
/etc/shorewall/zones (note the change of order):
vpn VPN Remote Network
net Net The big bad Internet
/etc/shorewall/interfaces:
net eth0 ...
/etc/shorewall/hosts:
vpn eth0:0.0.0.0/0 ipsec