Add IN and OUT SA options
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
83ad53d6bf
commit
d282947ccf
@ -50,3 +50,5 @@ Changes since 2.0.3
|
||||
23) Implement additional IPSEC options for zones and masq entries.
|
||||
|
||||
24) Deprecate the -c option in /sbin/shorewall.
|
||||
|
||||
25) Allow distinct input and output IPSEC parameters.
|
||||
|
@ -613,12 +613,12 @@ match_ipsec_in() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local options=\"\$${1}_ipsec_options\"
|
||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir in $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir in $options"
|
||||
echo "-m policy --pol none --dir in"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -629,12 +629,12 @@ match_ipsec_out() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
eval local options=\"\$${1}_ipsec_options\"
|
||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||
echo "-m policy --pol ipsec --dir out $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir out $options"
|
||||
echo "-m policy --pol none --dir out"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1636,10 +1636,13 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_ipsec() {
|
||||
|
||||
do_options() {
|
||||
local option newoptions=
|
||||
do_options() # $1 = _in, _out or "" - $2 = option list
|
||||
{
|
||||
local option opts newoptions=
|
||||
|
||||
options=$(separate_list $options)
|
||||
[ x${2} = x- ] && return
|
||||
|
||||
opts=$(separate_list $2)
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
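Review bot: The rewritten do_options still loops over the shared column with `for option in $options; do` (shown here as an unchanged context line), so the per-direction list it builds just above, `opts=$(separate_list $2)`, is never read; unless that loop header is altered somewhere outside this hunk, the `do_options "_in" $in_options` and `do_options "_out" $out_options` calls added further down in this commit would process the OPTIONS column again rather than their own argument, and `${zone}_ipsec_in_options` / `${zone}_ipsec_out_options` would end up as copies of the common options. The one-line fix is `for option in $opts; do`. It would also help to state the contract in the header comment, e.g. `# $1 = _in, _out or "" - $2 = option list ("-" or empty = none)`, since the `[ x${2} = x- ] && return` guard silently treats a missing column as "no options". The case body of do_options and the rest of setup_ipsec continue outside this hunk.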
@ -1669,14 +1672,14 @@ setup_ipsec() {
|
||||
|
||||
if [ -n "$newoptions" ]; then
|
||||
eval ${zone}_is_complex=Yes
|
||||
eval ${zone}_ipsec_options=\"${newoptions# }\"
|
||||
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
|
||||
fi
|
||||
}
|
||||
|
||||
strip_file ipsec $1
|
||||
|
||||
while read zone ipsec options; do
|
||||
expandv zone ipsec options
|
||||
while read zone ipsec options in_options out_options; do
|
||||
expandv zone ipsec options in_options out_options
|
||||
|
||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||
|
||||
@ -1694,7 +1697,9 @@ setup_ipsec() {
|
||||
;;
|
||||
esac
|
||||
|
||||
do_options
|
||||
do_options "" $options
|
||||
do_options "_in" $in_options
|
||||
do_options "_out" $out_options
|
||||
|
||||
done < $TMP_DIR/ipsec
|
||||
}
|
||||
|
@ -15,9 +15,9 @@
|
||||
# Encrypted hosts are designated using the 'ipsec'
|
||||
# option in /etc/shorewall/hosts.
|
||||
#
|
||||
# OPTIONS A comma-separated list of options as follows:
|
||||
# reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# OPTIONS, A comma-separated list of options as follows:
|
||||
# IN OPTIONS, reqid=<number> where <number> is specified
|
||||
# OUT OPTIONS using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
@ -35,8 +35,16 @@
|
||||
#
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
#
|
||||
# The options in the OPTIONS column are applied to both incoming
|
||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||
# applied to outgoing traffic.
|
||||
#
|
||||
# If you wish to leave a column empty but need to make an entry
|
||||
# in a following column, use "-".
|
||||
################################################################################
|
||||
#ZONE IPSEC OPTIONS
|
||||
# ONLY
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
@ -320,7 +320,10 @@ New Features:
|
||||
additional SA options for the zone in the /etc/shorewall/ipsec
|
||||
entry.
|
||||
|
||||
The OPTIONS column specifies
|
||||
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
|
||||
input-output, input and output characteristing of the security
|
||||
policies to be used to decrypt (input) or encrypt (output) traffic
|
||||
to/from the zone.
|
||||
|
||||
The available options are:
|
||||
|
||||
@ -339,9 +342,9 @@ New Features:
|
||||
|
||||
Examples:
|
||||
|
||||
#ZONE IPSEC OPTIONS
|
||||
# ONLY
|
||||
vpn Yes mode=tunnel,proto=esp
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
|
||||
loc No reqid=44,mode=transport
|
||||
|
||||
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||
|