extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-13 09:08:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add IN and OUT SA options

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-20 15:37:56 +00:00
parent 83ad53d6bf
commit d282947ccf
4 changed files with 39 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall2/changelog.txt
View File

@ -50,3 +50,5 @@ Changes since 2.0.3
23) Implement additional IPSEC options for zones and masq entries. 23) Implement additional IPSEC options for zones and masq entries.
24) Deprecate the -c option in /sbin/shorewall. 24) Deprecate the -c option in /sbin/shorewall.
25) Allow distinct input and output IPSEC parameters.

27
Shorewall2/firewall
View File

@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
{ {
eval local is_ipsec=\$${1}_is_ipsec eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\" eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\" eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir in $options" echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in $options" echo "-m policy --pol none --dir in"
fi fi
} }
@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
{ {
eval local is_ipsec=\$${1}_is_ipsec eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\" eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\" eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir out $options" echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out $options" echo "-m policy --pol none --dir out"
fi fi
} }
@ -1636,10 +1636,13 @@ setup_tunnels() # $1 = name of tunnels file
setup_ipsec() { setup_ipsec() {
do_options() { do_options() # $1 = _in, _out or "" - $2 = option list
local option newoptions= {
local option opts newoptions=
options=$(separate_list $options) [ x${2} = x- ] && return
opts=$(separate_list $2)
for option in $options; do for option in $options; do
case $option in case $option in
@ -1669,14 +1672,14 @@ setup_ipsec() {
if [ -n "$newoptions" ]; then if [ -n "$newoptions" ]; then
eval ${zone}_is_complex=Yes eval ${zone}_is_complex=Yes
eval ${zone}_ipsec_options=\"${newoptions# }\" eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
fi fi
} }
strip_file ipsec $1 strip_file ipsec $1
while read zone ipsec options; do while read zone ipsec options in_options out_options; do
expandv zone ipsec options expandv zone ipsec options in_options out_options
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@ -1694,7 +1697,9 @@ setup_ipsec() {
;; ;;
esac esac
do_options do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
done < $TMP_DIR/ipsec done < $TMP_DIR/ipsec
} }

18
Shorewall2/ipsec
View File

@ -15,9 +15,9 @@
# Encrypted hosts are designated using the 'ipsec' # Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts. # option in /etc/shorewall/hosts.
# #
# OPTIONS A comma-separated list of options as follows: # OPTIONS, A comma-separated list of options as follows:
# reqid=<number> where <number> is specified # IN OPTIONS, reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number> # OUT OPTIONS using setkey(8) using the 'unique:<number>
# option for the SPD level. # option for the SPD level.
# #
# spi=<number> where <number> is the SPI of # spi=<number> where <number> is the SPI of
@ -35,8 +35,16 @@
# #
# Example: # Example:
# mode=transport,reqid=44 # mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
################################################################################ ################################################################################
#ZONE IPSEC OPTIONS #ZONE IPSEC OPTIONS IN OUT
# ONLY # ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall2/releasenotes.txt
View File

@ -320,7 +320,10 @@ New Features:
additional SA options for the zone in the /etc/shorewall/ipsec additional SA options for the zone in the /etc/shorewall/ipsec
entry. entry.
The OPTIONS column specifies The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
input-output, input and output characteristing of the security
policies to be used to decrypt (input) or encrypt (output) traffic
to/from the zone.
The available options are: The available options are:
@ -339,9 +342,9 @@ New Features:
Examples: Examples:
#ZONE IPSEC OPTIONS #ZONE IPSEC OPTIONS IN OUT
# ONLY # ONLY OPTIONS OPTIONS
vpn Yes mode=tunnel,proto=esp vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
loc No reqid=44,mode=transport loc No reqid=44,mode=transport
The /etc/shorewall/masq file has a new IPSEC column added. If you The /etc/shorewall/masq file has a new IPSEC column added. If you