From d282947ccf14f961526c7a97e519f7a5f1cb9548 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 20 Aug 2004 15:37:56 +0000
Subject: [PATCH] Add IN and OUT SA options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt    |  2 ++
 Shorewall2/firewall         | 29 +++++++++++++++++------------
 Shorewall2/ipsec            | 18 +++++++++++++-----
 Shorewall2/releasenotes.txt | 11 +++++++----
 4 files changed, 39 insertions(+), 21 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 4e7405ae0..787758980 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -50,3 +50,5 @@ Changes since 2.0.3
 23) Implement additional IPSEC options for zones and masq entries.
 24) Deprecate the -c option in /sbin/shorewall.
+
+25) Allow distinct input and output IPSEC parameters.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 2a27e414c..0436add3b 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
 {
     eval local is_ipsec=\$${1}_is_ipsec
     eval local hosts=\"\$${1}_ipsec_hosts\"
-    eval local options=\"\$${1}_ipsec_options\"
+    eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
     if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
         echo "-m policy --pol ipsec --dir in $options"
     elif [ -n "$POLICY_MATCH" ]; then
-        echo "-m policy --pol none --dir in $options"
+        echo "-m policy --pol none --dir in"
     fi
 }
@@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
 {
     eval local is_ipsec=\$${1}_is_ipsec
     eval local hosts=\"\$${1}_ipsec_hosts\"
-    eval local options=\"\$${1}_ipsec_options\"
+    eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
     if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
         echo "-m policy --pol ipsec --dir out $options"
     elif [ -n "$POLICY_MATCH" ]; then
-        echo "-m policy --pol none --dir out $options"
+        echo "-m policy --pol none --dir out"
     fi
 }
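Review bot: In match_ipsec_in the new `eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"` simply concatenates the zone's OPTIONS and IN OPTIONS lists, so an SA parameter given in both columns (for example `spi=` in OPTIONS and again in IN OPTIONS) reaches the generated `-m policy` rule twice; the policy match presumably rejects such a duplicate, but only when the rule is loaded, not when /etc/shorewall/ipsec is parsed. The same applies to match_ipsec_out in the following hunk. Detecting an option name that appears in more than one of the three columns in setup_ipsec, where they are read, and reporting it with `fatal_error` would fail at configuration time with a message naming the zone. The two functions otherwise differ only in the `in`/`out` literal, so a shared helper taking the direction as an argument would keep the two option lists from drifting apart again.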
@@ -1636,10 +1636,13 @@ setup_tunnels() # $1 = name of tunnels file
 setup_ipsec() {
-    do_options() {
-        local option newoptions=
+    do_options() # $1 = _in, _out or "" - $2 = option list
+    {
+        local option opts newoptions=
-        options=$(separate_list $options)
+        [ x${2} = x- ] && return
+
+        opts=$(separate_list $2)
         for option in $options; do
             case $option in
@@ -1666,17 +1669,17 @@ setup_ipsec() {
                 ;;
             esac
         done
-
+
         if [ -n "$newoptions" ]; then
             eval ${zone}_is_complex=Yes
-            eval ${zone}_ipsec_options=\"${newoptions# }\"
+            eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
         fi
     }
     strip_file ipsec $1
-    while read zone ipsec options; do
-        expandv zone ipsec options
+    while read zone ipsec options in_options out_options; do
+        expandv zone ipsec options in_options out_options
         [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@@ -1694,7 +1697,9 @@ setup_ipsec() {
                 ;;
             esac
-        do_options
+        do_options "" $options
+        do_options "_in" $in_options
+        do_options "_out" $out_options
     done < $TMP_DIR/ipsec
 }
diff --git a/Shorewall2/ipsec b/Shorewall2/ipsec
index 9413de096..6a0b881d6 100644
--- a/Shorewall2/ipsec
+++ b/Shorewall2/ipsec
@@ -15,9 +15,9 @@
 #              Encrypted hosts are designated using the 'ipsec'
 #              option in /etc/shorewall/hosts.
 #
-# OPTIONS      A comma-separated list of options as follows:
-#              reqid= where is specified
-#              using setkey(8) using the 'unique:
+# OPTIONS,     A comma-separated list of options as follows:
+# IN OPTIONS,  reqid= where is specified
+# OUT OPTIONS  using setkey(8) using the 'unique:
 #              option for the SPD level.
 #
 #              spi= where is the SPI of
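Review bot: In the rewritten do_options the loop header `for option in $options; do` still iterates the global `$options` rather than the freshly computed `$opts`, so the `opts=$(separate_list $2)` line is dead and the `$2` argument is never consulted; it should read `for option in $opts; do`. As written, each of the three calls in the last hunk of this file walks the same OPTIONS column, so the `${zone}_ipsec${1}_options` variables assigned in the next hunk all receive the OPTIONS content and the IN OPTIONS and OUT OPTIONS columns are silently ignored. Because `separate_list` is no longer applied to `$options` itself, a comma-separated list such as `mode=tunnel,proto=esp` is also seen as a single token; which `case` arm that reaches is outside the hunk. The body of do_options continues past the end of this hunk.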
@@ -35,8 +35,16 @@
 #
 # Example:
 #              mode=transport,reqid=44
+#
+#              The options in the OPTIONS column are applied to both incoming
+#              and outgoing traffic. The IN OPTIONS are applied to incoming
+#              traffic (in addition to OPTIONS) and the OUT OPTIONS are
+#              applied to outgoing traffic.
+#
+#              If you wish to leave a column empty but need to make an entry
+#              in a following column, use "-".
 ################################################################################
-#ZONE  IPSEC   OPTIONS
-#      ONLY
+#ZONE  IPSEC   OPTIONS         IN              OUT
+#      ONLY                    OPTIONS         OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 04e1c9554..da8f8cc3e 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -320,7 +320,10 @@ New Features:
     additional SA options for the zone in the /etc/shorewall/ipsec
     entry.
-    The OPTIONS column specifies
+    The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
+    input-output, input and output characteristing of the security
+    policies to be used to decrypt (input) or encrypt (output) traffic
+    to/from the zone.
     The available options are:
@@ -339,9 +342,9 @@ New Features:
     Examples:
-       #ZONE   IPSEC   OPTIONS
-       #       ONLY
-       vpn     Yes     mode=tunnel,proto=esp
+       #ZONE   IPSEC   OPTIONS                 IN              OUT
+       #       ONLY                            OPTIONS         OPTIONS
+       vpn     Yes     mode=tunnel,proto=esp   spi=1000        spi=1001
        loc     No      reqid=44,mode=transport
     The /etc/shorewall/masq file has a new IPSEC column added. If you