Add IN and OUT SA options

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-08-20 15:37:56 +00:00
parent 83ad53d6bf
commit d282947ccf
4 changed files with 39 additions and 21 deletions


@ -50,3 +50,5 @@ Changes since 2.0.3
23) Implement additional IPSEC options for zones and masq entries.
24) Deprecate the -c option in /sbin/shorewall.
25) Allow distinct input and output IPSEC parameters.


@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
{
eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\"
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir in $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in $options"
echo "-m policy --pol none --dir in"
fi
}
@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
{
eval local is_ipsec=\$${1}_is_ipsec
eval local hosts=\"\$${1}_ipsec_hosts\"
eval local options=\"\$${1}_ipsec_options\"
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir out $options"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir out $options"
echo "-m policy --pol none --dir out"
fi
}
@ -1636,10 +1636,13 @@ setup_tunnels() # $1 = name of tunnels file
setup_ipsec() {
do_options() {
local option newoptions=
do_options() # $1 = _in, _out or "" - $2 = option list
{
local option opts newoptions=
options=$(separate_list $options)
[ x${2} = x- ] && return
opts=$(separate_list $2)
for option in $options; do
case $option in
@ -1669,14 +1672,14 @@ setup_ipsec() {
if [ -n "$newoptions" ]; then
eval ${zone}_is_complex=Yes
eval ${zone}_ipsec_options=\"${newoptions# }\"
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
fi
}
strip_file ipsec $1
while read zone ipsec options; do
expandv zone ipsec options
while read zone ipsec options in_options out_options; do
expandv zone ipsec options in_options out_options
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@ -1694,7 +1697,9 @@ setup_ipsec() {
;;
esac
do_options
do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
done < $TMP_DIR/ipsec
}
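Review bot: In do_options the new `opts=$(separate_list $2)` just after the `-` guard is never read: the loop header that follows, `for option in $options; do`, is shown as unchanged context and still iterates the global `options` from the read loop, which is itself no longer passed through separate_list. As written, all three calls — `do_options "" $options`, `do_options "_in" $in_options`, `do_options "_out" $out_options` — walk the same unseparated base OPTIONS string and the IN/OUT columns never reach the case statement; the loop should read `for option in $opts; do`. If the cut-off tail of that hunk already rewrites the loop header this is moot, but the displayed line suggests it does not. The guard `[ x${2} = x- ] && return` also leaves `$2` unquoted; `[ "x$2" = x- ] && return` keeps the test well-formed should an options value ever contain whitespace or a glob character. Both do_options and setup_ipsec continue outside the hunk.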


@ -15,9 +15,9 @@
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS A comma-separated list of options as follows:
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS, reqid=<number> where <number> is specified
# OUT OPTIONS using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
@ -35,8 +35,16 @@
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
################################################################################
#ZONE IPSEC OPTIONS
# ONLY
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -320,7 +320,10 @@ New Features:
additional SA options for the zone in the /etc/shorewall/ipsec
entry.
The OPTIONS column specifies
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
input-output, input and output characteristing of the security
policies to be used to decrypt (input) or encrypt (output) traffic
to/from the zone.
The available options are:
@ -339,9 +342,9 @@ New Features:
Examples:
#ZONE IPSEC OPTIONS
# ONLY
vpn Yes mode=tunnel,proto=esp
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
loc No reqid=44,mode=transport
The /etc/shorewall/masq file has a new IPSEC column added. If you