diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 59237dbd4..a52d83f3b 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -8,6 +8,10 @@ Changes in 4.0.0 RC 1
4) Validate host part in hosts file entry.
+5) Fix IPSECFILE=ipsec.
+
+6) Make ':noah' the default.
+
Changes in 4.0.0 Beta 6
1) First step to adding compiler debugging facility.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index b921e9918..3c30dc1cd 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -39,7 +39,11 @@ Other changes in Shorewall 4.0.0 RC 1.
1) The shorewall-perl RPM may no longer be installed under Shorewall
3.4. It requires shorewall_common.
-2) The compiler's CPU utilization has been reduced further.
+2) The Shorewall-perl compiler's CPU utilization has been reduced
+ further.
+
+3) ":noah" is now the default for all IPSEC tunnels. Tunnels that use
+ AH (protocol 51) must specify "ipsec:ah" in the TYPE column.
Migration Considerations:
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index 50299d84f..db225046f 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -46,11 +46,18 @@ sub setup_tunnels() {
( $kind, my ( $qualifier , $remainder ) ) = split( /:/, $kind, 3 );
+ my $noah = 1;
+
fatal_error "Invalid IPSEC modified ($qualifier:$remainder)" if defined $remainder;
- fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier && ( $qualifier ne 'noah' );
-
- my $noah = $qualifier || ($kind ne 'ipsec' );
+ if ( defined $qualifier ) {
+ if ( $qualifier eq 'ah' ) {
+ fatal_error ":ah not allowed with ipsecnat tunnels" if $kind eq 'ipsecnat';
+ $noah = 0;
+ } else {
+ fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier ne 'noah';
+ }
+ }
my $options = '-m state --state NEW -j ACCEPT';
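Review bot: The new modifier check is case-sensitive — the comparisons `$qualifier eq 'ah'` and `$qualifier ne 'noah'` only accept lowercase — while the shell compiler's matching change in Shorewall-shell/lib.tunnels (the `ah|AH` and `noah|NOAH` case arms) accepts both cases, so a tunnels file with `ipsec:AH` compiles under shorewall-shell but is rejected as "Invalid IPSEC modifier (AH)" under shorewall-perl. The two compilers should agree; the smaller change is to normalise here, e.g. `if ( lc $qualifier eq 'ah' ) {` and `fatal_error "Invalid IPSEC modifier ($qualifier)" if lc $qualifier ne 'noah';`. Note also that an empty qualifier (a TYPE of `ipsec:`) now reaches the fatal path, where the removed `$qualifier && ...` test let it through silently — presumably intentional, but worth a word in the release notes if so. The two fatal messages for the ipsecnat case also differ between compilers (":ah not allowed with ipsecnat tunnels" here, "on ipsecnat tunnels" in lib.tunnels), which makes log searches harder than they need to be. setup_tunnels begins and ends outside this hunk, so the code that later consumes `$noah` is not visible here.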
diff --git a/Shorewall-shell/diff-3.4-lib.tunnels b/Shorewall-shell/diff-3.4-lib.tunnels
new file mode 100644
index 000000000..e5f7c0db1
--- /dev/null
+++ b/Shorewall-shell/diff-3.4-lib.tunnels
@@ -0,0 +1,34 @@
+--- /home/teastep/shorewall/branches/3.4/Shorewall/lib.tunnels 2007-03-22 15:27:26.000000000 -0700
++++ lib.tunnels 2007-07-03 07:57:16.000000000 -0700
+@@ -37,19 +37,28 @@
+
+ setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
+ {
+- local kind=$1 noah=
++ local kind=$1 noah=noah
+
+ case $kind in
+ *:*)
+ noah=${kind#*:}
+- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
++ case $noah in
++ ah|AH)
++ noah=
++ ;;
++ noah|NOAH)
++ ;;
++ *)
++ fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
++ ;;
++ esac
+ kind=${kind%:*}
+ ;;
+ esac
+
+ [ $kind = IPSEC ] && kind=ipsec
+
+- [ $kind = ipsec ] || noah=noah
++ [ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
+
+ options="-m state --state NEW -j ACCEPT"
+ addrule2 $inchain -p 50 $source -j ACCEPT
diff --git a/Shorewall-shell/lib.tunnels b/Shorewall-shell/lib.tunnels
index 0432adf58..b71300003 100644
--- a/Shorewall-shell/lib.tunnels
+++ b/Shorewall-shell/lib.tunnels
@@ -37,19 +37,28 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
{
- local kind=$1 noah=
+ local kind=$1 noah=noah
case $kind in
*:*)
noah=${kind#*:}
- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+ case $noah in
+ ah|AH)
+ noah=
+ ;;
+ noah|NOAH)
+ ;;
+ *)
+ fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+ ;;
+ esac
kind=${kind%:*}
;;
esac
[ $kind = IPSEC ] && kind=ipsec
- [ $kind = ipsec ] || noah=noah
+ [ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
options="-m state --state NEW -j ACCEPT"
addrule2 $inchain -p 50 $source -j ACCEPT
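Review bot: The added test `[ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ...` quotes `$noah` (correctly, since the `ah|AH` arm sets it empty) but leaves `$kind` unquoted on the same line, as does the `[ $kind = IPSEC ]` test just above it; an empty or whitespace-containing TYPE value would make the bracket test malformed rather than produce a fatal_error. In practice `$kind` comes from `$1` via `${kind%:*}` and is probably never empty, but quoting it keeps the line self-consistent: `[ "$kind" = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"`. setup_one_ipsec continues past the end of this hunk, so the rule that consumes `$noah` (presumably the protocol 51 rule) cannot be checked from here.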
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml
index 1acfb2ca5..f64a02f3c 100644
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -135,6 +135,12 @@ shorewall restart The RPMs are set up so that if
Shorewall to leave the flags in /proc as they are. You must set the
option to 'No' in order to obtain the old behavior.
+
+
+ The option is now the default for ipsec
+ tunnels. Tunnels that use AH (protocol 51) must specify the
+ in the TYPE column.
+
diff --git a/manpages/shorewall-tunnels.xml b/manpages/shorewall-tunnels.xml
index 0d2fae2de..98fbaa769 100644
--- a/manpages/shorewall-tunnels.xml
+++ b/manpages/shorewall-tunnels.xml
@@ -34,7 +34,7 @@
TYPE — {ipsec[:noah]|:{noah|ah}]|ipsecnat|ipip|gre|generic - Other tunnel type
If the type is ipsec, it may
- be followed by :noah to indicate
- that the Authentication Headers protocol (51) is not used by the
- tunnel. NAT traversal is only supported with ESP (protocol 50) so
- ipsecnat tunnels don't require a
- noah option (:ah to indicate that
+ the Authentication Headers protocol (51) is used by the tunnel (the
+ default is which means that protocol 51 is
+ not used). NAT traversal is only supported with ESP (protocol 50) so
+ ipsecnat tunnels don't allow the
+ ah option (ipsecnat:noah may be specified but is
redundant).