Eliminate 'ORIGINAL_POLICY_MATCH'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-01-25 08:13:22 -08:00
parent 90b68a05de
commit d933aa602b
6 changed files with 25 additions and 17 deletions


@ -2354,7 +2354,7 @@ sub match_ipsec_in( $$ ) {
if ( $zoneref->{type} eq 'ipsec' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( have_capability( 'POLICY_MATCH' ) ) { } elsif ( have_ipsec ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else { } else {
return ''; return '';
@ -2378,7 +2378,7 @@ sub match_ipsec_out( $$ ) {
if ( $zoneref->{type} eq 'ipsec' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( have_capability( 'POLICY_MATCH' ) ) { } elsif ( have_ipsec ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else { } else {
return ''; return '';
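Review bot: The new condition on L15 and L22 changes what these two helpers test — from "the kernel/iptables offers policy match" to "IPsec is actually configured" — but the call is written as a bare `have_ipsec` next to the fully parenthesised `have_capability( ... )` it replaces, which reads like a constant or a variable. Writing it as `} elsif ( have_ipsec() ) {` in both places makes the call explicit and matches the call style of the surrounding code. Both match_ipsec_in and match_ipsec_out begin and end outside their hunks, so the header comments that describe when they return an empty match would benefit from the same wording update, but those lines are not visible here.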


@ -327,7 +327,6 @@ sub initialize( $ ) {
%globals = ( SHAREDIR => '/usr/share/shorewall' , %globals = ( SHAREDIR => '/usr/share/shorewall' ,
SHAREDIRPL => '/usr/share/shorewall/' , SHAREDIRPL => '/usr/share/shorewall/' ,
CONFDIR => '/etc/shorewall', CONFDIR => '/etc/shorewall',
ORIGINAL_POLICY_MATCH => '',
LOGPARMS => '', LOGPARMS => '',
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
@ -2416,8 +2415,6 @@ sub get_configuration( $ ) {
get_capabilities( $export ); get_capabilities( $export );
$globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH};
if ( $config{LOGRATE} || $config{LOGBURST} ) { if ( $config{LOGRATE} || $config{LOGBURST} ) {
if ( defined $config{LOGRATE} ) { if ( defined $config{LOGRATE} ) {
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/; fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;


@ -150,7 +150,7 @@ sub process_one_masq( )
# Handle IPSEC options, if any # Handle IPSEC options, if any
# #
if ( $ipsec ne '-' ) { if ( $ipsec ne '-' ) {
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH}; fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
if ( $ipsec =~ /^yes$/i ) { if ( $ipsec =~ /^yes$/i ) {
$baserule .= '-m policy --pol ipsec --dir out '; $baserule .= '-m policy --pol ipsec --dir out ';
@ -159,7 +159,7 @@ sub process_one_masq( )
} else { } else {
$baserule .= do_ipsec_options $ipsec; $baserule .= do_ipsec_options $ipsec;
} }
} elsif ( have_capability( 'POLICY_MATCH' ) ) { } elsif ( have_ipsec ) {
$baserule .= '-m policy --pol none --dir out '; $baserule .= '-m policy --pol none --dir out ';
} }
@ -372,7 +372,7 @@ sub do_one_nat( $$$$$ )
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
} }
if ( have_capability( 'POLICY_MATCH' ) ) { if ( have_ipsec ) {
$policyin = ' -m policy --pol none --dir in'; $policyin = ' -m policy --pol none --dir in';
$policyout = '-m policy --pol none --dir out'; $policyout = '-m policy --pol none --dir out';
} }
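Review bot: This file now mixes two different tests without saying why: L50 keeps `have_capability( 'POLICY_MATCH' )` for the explicit IPSEC column, while L57 and L63 switch to `have_ipsec`. As far as the new `have_ipsec()` on the zones side shows, it reflects whether IPsec zones or hosts were declared rather than the raw capability, so a configuration whose only IPsec use is the masq IPSEC column would emit the `--pol ipsec` masq rule from L52 but skip the `--pol none` exclusions in the `elsif` branch and in do_one_nat — presumably intended, but worth stating. A one-line comment above L50 would settle it: `# An explicit IPSEC column needs the kernel/iptables capability even when no ipsec zones or hosts exist`. process_one_masq and do_one_nat both start outside the visible hunks.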


@ -281,7 +281,7 @@ sub setup_blacklist() {
for my $hostref ( @$hosts ) { for my $hostref ( @$hosts ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : ''; my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2]; my $network = $hostref->[2];
my $source = match_source_net $network; my $source = match_source_net $network;
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
@ -505,7 +505,7 @@ sub add_common_rules() {
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
$interface = $hostref->[0]; $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : ''; my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( first_chains $interface ) { for $chain ( first_chains $interface ) {
@ -597,7 +597,7 @@ sub add_common_rules() {
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $hostref->[1] --dir in " : ''; my $policy = have_ipsec ? "-m policy --pol $hostref->[1] --dir in " : '';
for $chain ( first_chains $interface ) { for $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy ); add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy );
@ -763,7 +763,7 @@ sub setup_mac_lists( $ ) {
for my $hostref ( @$maclist_hosts ) { for my $hostref ( @$maclist_hosts ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : ''; my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $source = match_source_net $hostref->[2]; my $source = match_source_net $hostref->[2];
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW'; my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
@ -1709,7 +1709,7 @@ sub generate_matrix() {
# #
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
if ( have_capability( 'POLICY_MATCH' ) ) { if ( have_ipsec ) {
# #
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
@ -2121,7 +2121,7 @@ sub setup_mss( ) {
$option = "--set-mss $clampmss"; $option = "--set-mss $clampmss";
} }
$match .= '-m policy --pol none --dir out ' if have_capability( 'POLICY_MATCH' ); $match .= '-m policy --pol none --dir out ' if have_ipsec;
} }
my $interfaces = find_interfaces_by_option( 'mss' ); my $interfaces = find_interfaces_by_option( 'mss' );
@ -2139,7 +2139,7 @@ sub setup_mss( ) {
my $in_match = ''; my $in_match = '';
my $out_match = ''; my $out_match = '';
if ( have_capability( 'POLICY_MATCH' ) ) { if ( have_ipsec ) {
$in_match = '-m policy --pol none --dir in '; $in_match = '-m policy --pol none --dir in ';
$out_match = '-m policy --pol none --dir out '; $out_match = '-m policy --pol none --dir out ';
} }
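Review bot: The same ternary `have_ipsec ? "-m policy --pol $ipsec --dir in " : ''` is now repeated on L74, L82, L89 and L96, and each copy is the one place a future change to the match syntax has to be made. A small private helper such as `sub _policy_in_match( $ ) { my $pol = shift; return have_ipsec ? "-m policy --pol $pol --dir in " : ''; }` would let each site read `my $policy = _policy_in_match( $ipsec );` and keep all four consistent. The hunks in generate_matrix and setup_mss only swap the predicate and need no further change. Every enclosing function in this file starts before its hunk.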


@ -86,7 +86,7 @@ sub setup_tunnels() {
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1; $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1; $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
unless ( have_capability( 'POLICY_MATCH' ) ) { unless ( have_ipsec ) {
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";


@ -72,6 +72,7 @@ our @EXPORT = qw( NOTHING
validate_hosts_file validate_hosts_file
find_hosts_by_option find_hosts_by_option
all_ipsets all_ipsets
have_ipsec
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
@ -156,6 +157,7 @@ our @bport_zones;
our %ipsets; our %ipsets;
our %physical; our %physical;
our $family; our $family;
our $have_ipsec;
use constant { FIREWALL => 1, use constant { FIREWALL => 1,
IP => 2, IP => 2,
@ -199,6 +201,7 @@ sub initialize( $ ) {
@zones = (); @zones = ();
%zones = (); %zones = ();
$firewall_zone = ''; $firewall_zone = '';
$have_ipsec = undef;
@interfaces = (); @interfaces = ();
%interfaces = (); %interfaces = ();
@ -1271,7 +1274,15 @@ sub validate_hosts_file()
$ipsec |= process_host while read_a_line; $ipsec |= process_host while read_a_line;
set_capability( 'POLICY_MATCH' , '' ) unless $ipsec || haveipseczones; require_capability( 'POLICY_MATCH', 'ipsec zones or hosts', '' ) if $have_ipsec = $ipsec || haveipseczones;
}
#
# Return an indication of whether IPSEC is present
#
sub have_ipsec() {
return defined $have_ipsec ? $have_ipsec : have_capability 'POLICY_MATCH';
} }
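Review bot: `have_ipsec()` on L159–L161 silently depends on call order: until validate_hosts_file has assigned `$have_ipsec`, it falls back to the raw `POLICY_MATCH` capability, so a caller that runs before hosts-file validation gets "kernel supports policy match" while a later caller gets "IPsec is configured". That is presumably deliberate, but the comment at L157 should say so, e.g. `# Return an indication of whether IPSEC is present. Before validate_hosts_file() has run this falls back to the POLICY_MATCH capability; afterwards it reflects whether ipsec zones or hosts were declared.` The assignment buried in the statement modifier on L154 is also easy to misread; splitting it as `$have_ipsec = $ipsec || haveipseczones;` followed by `require_capability( 'POLICY_MATCH', 'ipsec zones or hosts', '' ) if $have_ipsec;` keeps the new fail-closed check while making the side effect visible. validate_hosts_file itself starts outside the hunk.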
# #