Handle traffic from IPSEC hosts before traffic from non-IPSEC zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1669 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -97,3 +97,6 @@ Changes since 2.0.3
 46) Implement 'sourceroute' interface option.
 
 47) Add 'AllowICMPs' action.
+
+48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
+    handled before traffic from non-IPSEC zones.

Shorewall2/firewall

@@ -699,13 +699,20 @@ verify_interface()
 #
 # Generate a match for decrypted packets
 #
-match_ipsec_in() # $1 = zone, $2 = host
+
+ipsec_source() # $1 = zone, $2 = host
 {
     eval local is_ipsec=\$${1}_is_ipsec
     eval local hosts=\"\$${1}_ipsec_hosts\"
+
+    test -n "$is_ipsec" || list_search $2 $hosts
+}
+
+match_ipsec_in() # $1 = zone, $2 = host
+{
     eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
 
-    if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
+    if ipsec_source $1 $2 ; then
 	echo "-m policy --pol ipsec --dir in $options"
     elif [ -n "$POLICY_MATCH" ]; then
 	echo "-m policy --pol none --dir in"
@@ -6088,6 +6095,30 @@ activate_rules()
 
     > ${STATEDIR}/chains
     > ${STATEDIR}/zones
+    #
+    # Create forwarding chains for complex zones and generate jumps for IPSEC hosts to that chain.
+    #
+    for zone in $zones; do
+
+	eval complex=\$${zone}_is_complex
+
+	if [ -n "$complex" ]; then
+	    frwd_chain=${zone}_frwd
+	    createchain $frwd_chain No
+
+	    if [ -n "$POLICY_MATCH" ]; then
+		eval source_hosts=\$${zone}_hosts
+	    
+		for host in $source_hosts; do
+		    interface=${host%%:*}
+		    networks=${host#*:}
+		    
+		    ipsec_source $zone $host && \
+			run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+		done
+	    fi
+	fi
+    done
 
     for zone in $zones; do
 	eval source_hosts=\$${zone}_hosts
@@ -6097,11 +6128,6 @@ activate_rules()
 
 	eval complex=\$${zone}_is_complex
 
-	if [ -n "$complex" ]; then
-	    frwd_chain=${zone}_frwd
-	    createchain $frwd_chain No
-	fi
-
 	if [ -n "$DYNAMIC_ZONES" ]; then
 	    echo $zone $source_hosts >> ${STATEDIR}/zones
 	    echo "$FW $zone $chain1" >> ${STATEDIR}/chains
@@ -6124,8 +6150,9 @@ activate_rules()
 
 	    run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
 
-	    [ -n "$complex" ] && \
-		run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+	    if [ -n "$complex" ] && ! ipsec_source $zone $host ; then
+                run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+	    fi
 
 	    case $networks in
 		*.*.*.*)
@@ -6138,7 +6165,6 @@ activate_rules()
 	    esac
 	done
 
-
 	for interface in $need_broadcast ; do
 	    run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
 	    run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4     -j $chain1

Shorewall2/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 2.1.10
+Shorewall 2.1.11
 
 ----------------------------------------------------------------------
 Problems Corrected since 2.0.3
@@ -72,6 +72,11 @@ Problems corrected since 2.1.10
 1)  If TC_ENABLED=Yes but you have no /etc/shorewall/tcstart file then
     "shorewall restore" will no longer attempt to run the tcstart file.
 
+2)  Previously it was necessary to define ipsec zones (those with 
+    "Yes" in the IPSEC column in /etc/shorewall/ipsec or those having
+    an entry in /etc/shorewall/hosts having the "ipsec" option) before
+    other zones using the same interface. This has been corrected.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.1: