mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 23:59:01 +01:00
Handle traffic from IPSEC hosts before traffic from non-IPSEC zones
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1669 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
acc389ff68
commit
d34d2e1393
@ -97,3 +97,6 @@ Changes since 2.0.3
|
||||
46) Implement 'sourceroute' interface option.
|
||||
|
||||
47) Add 'AllowICMPs' action.
|
||||
|
||||
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
|
||||
handled before traffic from non-IPSEC zones.
|
||||
|
@ -699,13 +699,20 @@ verify_interface()
|
||||
#
|
||||
# Generate a match for decrypted packets
|
||||
#
|
||||
match_ipsec_in() # $1 = zone, $2 = host
|
||||
|
||||
ipsec_source() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local is_ipsec=\$${1}_is_ipsec
|
||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||
|
||||
test -n "$is_ipsec" || list_search $2 $hosts
|
||||
}
|
||||
|
||||
match_ipsec_in() # $1 = zone, $2 = host
|
||||
{
|
||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
||||
|
||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
||||
if ipsec_source $1 $2 ; then
|
||||
echo "-m policy --pol ipsec --dir in $options"
|
||||
elif [ -n "$POLICY_MATCH" ]; then
|
||||
echo "-m policy --pol none --dir in"
|
||||
@ -6088,6 +6095,30 @@ activate_rules()
|
||||
|
||||
> ${STATEDIR}/chains
|
||||
> ${STATEDIR}/zones
|
||||
#
|
||||
# Create forwarding chains for complex zones and generate jumps for IPSEC hosts to that chain.
|
||||
#
|
||||
for zone in $zones; do
|
||||
|
||||
eval complex=\$${zone}_is_complex
|
||||
|
||||
if [ -n "$complex" ]; then
|
||||
frwd_chain=${zone}_frwd
|
||||
createchain $frwd_chain No
|
||||
|
||||
if [ -n "$POLICY_MATCH" ]; then
|
||||
eval source_hosts=\$${zone}_hosts
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%%:*}
|
||||
networks=${host#*:}
|
||||
|
||||
ipsec_source $zone $host && \
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
done
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
for zone in $zones; do
|
||||
eval source_hosts=\$${zone}_hosts
|
||||
@ -6097,11 +6128,6 @@ activate_rules()
|
||||
|
||||
eval complex=\$${zone}_is_complex
|
||||
|
||||
if [ -n "$complex" ]; then
|
||||
frwd_chain=${zone}_frwd
|
||||
createchain $frwd_chain No
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_ZONES" ]; then
|
||||
echo $zone $source_hosts >> ${STATEDIR}/zones
|
||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||
@ -6124,8 +6150,9 @@ activate_rules()
|
||||
|
||||
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
||||
|
||||
[ -n "$complex" ] && \
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
if [ -n "$complex" ] && ! ipsec_source $zone $host ; then
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
fi
|
||||
|
||||
case $networks in
|
||||
*.*.*.*)
|
||||
@ -6138,7 +6165,6 @@ activate_rules()
|
||||
esac
|
||||
done
|
||||
|
||||
|
||||
for interface in $need_broadcast ; do
|
||||
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
|
||||
run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
|
||||
|
@ -1,4 +1,4 @@
|
||||
Shorewall 2.1.10
|
||||
Shorewall 2.1.11
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected since 2.0.3
|
||||
@ -72,6 +72,11 @@ Problems corrected since 2.1.10
|
||||
1) If TC_ENABLED=Yes but you have no /etc/shorewall/tcstart file then
|
||||
"shorewall restore" will no longer attempt to run the tcstart file.
|
||||
|
||||
2) Previously it was necessary to define ipsec zones (those with
|
||||
"Yes" in the IPSEC column in /etc/shorewall/ipsec or those having
|
||||
an entry in /etc/shorewall/hosts having the "ipsec" option) before
|
||||
other zones using the same interface. This has been corrected.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user