Make :noah the default for ipsec tunnels

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -8,6 +8,10 @@ Changes in 4.0.0 RC 1
 
 4)  Validate host part in hosts file entry.
 
+5)  Fix IPSECFILE=ipsec.
+
+6)  Make ':noah' the default.
+
 Changes in 4.0.0 Beta 6
 
 1)  First step to adding compiler debugging facility.

Shorewall-common/releasenotes.txt

@@ -39,7 +39,11 @@ Other changes in Shorewall 4.0.0 RC 1.
 1)  The shorewall-perl RPM may no longer be installed under Shorewall
     3.4. It requires shorewall_common.
 
-2)  The compiler's CPU utilization has been reduced further.
+2)  The Shorewall-perl compiler's CPU utilization has been reduced
+    further.
+
+3)  ":noah" is now the default for all IPSEC tunnels. Tunnels that use
+    AH (protocol 51) must specify "ipsec:ah" in the TYPE column.
 
 Migration Considerations:
 

Shorewall-perl/Shorewall/Tunnels.pm

@@ -46,11 +46,18 @@ sub setup_tunnels() {
 
 	( $kind, my ( $qualifier , $remainder ) ) = split( /:/, $kind, 3 );
 
+	my $noah = 1;
+
 	fatal_error "Invalid IPSEC modified ($qualifier:$remainder)" if defined $remainder;
 
-	fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier && ( $qualifier ne 'noah' );
+	if ( defined $qualifier ) {
-
+	    if ( $qualifier eq 'ah' ) {
-	my $noah = $qualifier || ($kind ne 'ipsec' );
+		fatal_error ":ah not allowed with ipsecnat tunnels" if $kind eq 'ipsecnat';
+		$noah = 0;
+	    } else {
+		fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier ne 'noah';
+	    }
+	}
 
 	my $options = '-m state --state NEW -j ACCEPT';
 

Shorewall-shell/diff-3.4-lib.tunnels

@@ -0,0 +1,34 @@
+--- /home/teastep/shorewall/branches/3.4/Shorewall/lib.tunnels	2007-03-22 15:27:26.000000000 -0700
++++ lib.tunnels	2007-07-03 07:57:16.000000000 -0700
+@@ -37,19 +37,28 @@
+ 
+     setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
+     {
+-    	local kind=$1 noah=
++    	local kind=$1 noah=noah
+ 
+ 	case $kind in
+ 	    *:*)
+ 	    	noah=${kind#*:}
+-		[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
++		case $noah in
++		    ah|AH)
++			noah=
++			;;
++		    noah|NOAH)
++			;;
++		    *)
++			fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
++			;;
++		esac
+ 		kind=${kind%:*}
+ 		;;
+ 	esac
+ 
+ 	[ $kind = IPSEC ] && kind=ipsec
+ 
+-	[ $kind = ipsec ] || noah=noah
++	[ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
+ 
+ 	options="-m state --state NEW -j ACCEPT"
+ 	addrule2 $inchain	  -p 50	 $source -j ACCEPT

Shorewall-shell/lib.tunnels

@@ -37,19 +37,28 @@ setup_tunnels() # $1 = name of tunnels file
 
     setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
     {
-    	local kind=$1 noah=
+    	local kind=$1 noah=noah
 
 	case $kind in
 	    *:*)
 	    	noah=${kind#*:}
-		[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+		case $noah in
+		    ah|AH)
+			noah=
+			;;
+		    noah|NOAH)
+			;;
+		    *)
+			fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+			;;
+		esac
 		kind=${kind%:*}
 		;;
 	esac
 
 	[ $kind = IPSEC ] && kind=ipsec
 
-	[ $kind = ipsec ] || noah=noah
+	[ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
 
 	options="-m state --state NEW -j ACCEPT"
 	addrule2 $inchain	  -p 50	 $source -j ACCEPT

docs/upgrade_issues.xml

@@ -135,6 +135,12 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
         Shorewall to leave the flags in /proc as they are. You must set the
         option to 'No' in order to obtain the old behavior.</para>
       </listitem>
+
+      <listitem>
+        <para>The <option>:noah</option> option is now the default for ipsec
+        tunnels. Tunnels that use AH (protocol 51) must specify the
+        <option>ipsec:ah</option> in the TYPE column.</para>
+      </listitem>
     </orderedlist>
   </section>
 

manpages/shorewall-tunnels.xml

@@ -34,7 +34,7 @@
       <varlistentry>
         <term><emphasis role="bold">TYPE</emphasis> — {<emphasis
         role="bold">ipsec</emphasis>[<emphasis
-        role="bold">:noah</emphasis>]|<emphasis
+        role="bold">:{noah</emphasis>|ah}]|<emphasis
         role="bold">ipsecnat</emphasis>|<emphasis
         role="bold">ipip</emphasis>|<emphasis
         role="bold">gre</emphasis>|<emphasis
@@ -65,11 +65,12 @@
         <emphasis role="bold">generic</emphasis>       - Other tunnel type</programlisting>
 
           <para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
-          be followed by <emphasis role="bold">:noah</emphasis> to indicate
+          be followed by <emphasis role="bold">:ah</emphasis> to indicate that
-          that the Authentication Headers protocol (51) is not used by the
+          the Authentication Headers protocol (51) is used by the tunnel (the
-          tunnel. NAT traversal is only supported with ESP (protocol 50) so
+          default is <option>:noah</option> which means that protocol 51 is
-          <emphasis role="bold">ipsecnat</emphasis> tunnels don't require a
+          not used). NAT traversal is only supported with ESP (protocol 50) so
-          <emphasis role="bold">noah</emphasis> option (<emphasis
+          <emphasis role="bold">ipsecnat</emphasis> tunnels don't allow the
+          <emphasis role="bold">ah</emphasis> option (<emphasis
           role="bold">ipsecnat:noah</emphasis> may be specified but is
           redundant).</para>