From 24e6d1191db6d5e9673f79ca281dff88b015fb50 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 14 Aug 2004 18:39:09 +0000
Subject: [PATCH] IPSEC 2.6 Fixes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1537 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 4 ++
 Shorewall2/firewall | 81 ++++++++++++++++++++++---------------
 Shorewall2/masq | 18 ++++++++-
 Shorewall2/releasenotes.txt | 6 +++
 4 files changed, 76 insertions(+), 33 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 493f89e90..91d663669 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -36,3 +36,7 @@ Changes since 2.0.3
 16) Added DNAT ONLY column to /etc/shorewall/nat.
 
 17) Removed SNAT from ORIGINAL DESTINATION column.
+
+18) Removed DNAT ONLY column.
+
+19) Added IPSEC column to /etc/shorewall/masq.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 7836f6069..4d00c00ff 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -613,7 +613,11 @@ match_ipsec_in() # $1 = zone, $2 = host
 {
 eval local hosts=\"\$${1}_ipsec_hosts\"
- list_search $2 $hosts && echo "-m policy --pol ipsec --dir in"
+ if list_search $2 $hosts; then
+ echo "-m policy --pol ipsec --dir in"
+ elif [ -n "$POLICY_MATCH" ]; then
+ echo "-m policy --pol none --dir in"
+ fi
 }
 #
@@ -623,26 +627,10 @@ match_ipsec_out() # $1 = zone, $2 = host
 {
 eval local hosts=\"\$${1}_ipsec_hosts\"
- list_search $2 $hosts && echo "-m policy --pol ipsec --dir out"
-}
-
-#
-# Generate a match for packets that have been decrypted and that will be encrypted
-#
-match_ipsec_inout() # $1 =input zone, $2 = input host, $3 = output zone, $4 = output host"
-{
- local result="-m policy --pol ipsec"
- eval local input_hosts=\"\$${1}_ipsec_hosts\"
- eval local output_hosts=\"\$${3}_ipsec_hosts\"
-
- if list_search $2 $input_hosts; then
- result="$result --dir in"
- if list_search $4 $output_hosts; then
- result="$result --dir out"
- fi
- echo $result
- elif list_search $4 $output_hosts; then
- echo "$result --dir out"
+ if list_search $2 $hosts; then
+ echo "-m policy --pol ipsec --dir out"
+ elif [ -n "$POLICY_MATCH" ]; then
+ echo "-m policy --pol none --dir out"
 fi
 }
@@ -898,7 +886,10 @@ validate_hosts_file()
 {
 maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
 ;;
 ipsec)
+ [ -n "$POLICY_MATCH" ] || \
+ startup_error "Your kernel and/or iptables does not not support policy match: ipsec"
 eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
+ eval ${z}_is_complex=Yes
 ;;
 routeback)
 [ -z "$ports" ] && \
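Review bot: The new startup_error text in the ipsec arm reads "does not not support" — a doubled word in a user-facing diagnostic; change it to `startup_error "Your kernel and/or iptables does not support policy match: ipsec"`. The check itself is well placed: match_ipsec_out (and match_ipsec_in in the previous hunk) still emits `-m policy --pol ipsec ...` for a listed host regardless of POLICY_MATCH, so a hosts entry tagged ipsec on a kernel without policy match would otherwise surface only as an iptables load failure. The case statement this arm belongs to starts and ends outside the hunk.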
@@ -4464,7 +4455,27 @@ get_routed_networks() # $1 = interface name
 setup_masq()
 {
 setup_one() {
- local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat=
+ local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy=
+
+ [ "x$ipsec" = x- ] && ipsec=
+
+ case $ipsec in
+ Yes|yes)
+ [ -n "$POLICY_MATCH" ] || \
+ fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables"
+ policy="-m policy --pol ipsec --dir out"
+ ;;
+ No|no)
+ [ -n "$POLICY_MATCH" ] || \
+ fatal_error "IPSEC=No requires policy match support in your kernel and iptables"
+ policy="-m policy --pol none --dir out"
+ ;;
+ *)
+ [ -n "$ipsec" ] && \
+ fatal_error "Invalid value in IPSEC column: $ipsec"
+ [ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
+ ;;
+ esac
 
 case $fullinterface in
 +*)
@@ -4612,7 +4623,7 @@ setup_masq()
 if [ -n "$networks" ]; then
 for s in $networks; do
- addnatrule $chain -s $s $proto $ports -j $newchain
+ addnatrule $chain -s $s $proto $ports $policy -j $newchain
 done
 networks=
 else
@@ -4624,6 +4635,7 @@ setup_masq()
 destnets=0.0.0.0/0
 proto=
 ports=
+ policy=
 
 if [ -n "$nomasq" ]; then
 for addr in $(separate_list $nomasq); do
@@ -4645,7 +4657,7 @@ setup_masq()
 done
 else
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -d $destnet $proto $ports -j $newchain
+ addnatrule $chain -d $destnet $proto $ports $policy -j $newchain
 done
 fi
@@ -4655,7 +4667,8 @@ setup_masq()
 destnets=0.0.0.0/0
 proto=
 ports=
-
+ policy=
+
 for addr in $(separate_list $nomasq); do
 addnatrule $chain -s $addr -j RETURN
 done
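Review bot: In the `*)` arm of the new `case $ipsec`, an empty or `-` IPSEC column silently becomes `-m policy --pol none --dir out` whenever POLICY_MATCH is set, so on a policy-match-capable system every pre-existing masq entry stops NATing packets that an IPsec policy will encrypt, with no change to the user's configuration. That is what the masq file's new text says, but it is an upgrade-visible change in what gets masqueraded and deserves a comment in the arm, e.g. `# empty or -: on policy-match kernels, leave to-be-encrypted traffic un-NATed (see IPSEC column in masq)`. The `-` normalisation before the case could also fold into it as `-|"") [ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out" ;;`, leaving `*)` to reject anything else with the existing fatal_error. setup_one continues past the end of the hunk.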
@@ -4677,24 +4690,24 @@ setup_masq()
 for s in $networks; do
 if [ -n "$addresses" ]; then
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -s $s -d $destnet $proto $ports -j SNAT $addrlist
+ addnatrule $chain -s $s -d $destnet $proto $ports $policy -j SNAT $addrlist
 done
 progress_message " To $destination $displayproto from $s through ${interface} using $addresses"
 else
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -s $s -d $destnet $proto $ports -j MASQUERADE
+ addnatrule $chain -s $s -d $destnet $proto $ports $policy -j MASQUERADE
 done
 progress_message " To $destination $displayproto from $s through ${interface}"
 fi
 done
 elif [ -n "$addresses" ]; then
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -d $destnet $proto $ports -j SNAT $addrlist
+ addnatrule $chain -d $destnet $proto $ports $policy -j SNAT $addrlist
 done
 echo " To $destination $displayproto from $source through ${interface} using $addresses"
 else
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -d $destnet $proto $ports -j MASQUERADE
+ addnatrule $chain -d $destnet $proto $ports $policy -j MASQUERADE
 done
 progress_message " To $destination $displayproto from $source through ${interface}"
 fi
@@ -4705,8 +4718,8 @@ setup_masq()
 [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
 
- while read fullinterface networks addresses proto ports; do
- expandv fullinterface networks addresses proto ports
+ while read fullinterface networks addresses proto ports ipsec; do
+ expandv fullinterface networks addresses proto ports ipsec
 [ -n "$NAT_ENABLED" ] && setup_one || \
 error_message "Warning: NAT disabled; masq rule ignored"
 done < $TMP_DIR/masq
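Review bot: With `ipsec` now the last variable in the `read`, any surplus whitespace-separated tokens on a masq line are folded into it instead of into `ports` as before, and setup_one's `*)` arm then rejects the whole tail as "Invalid value in IPSEC column". That is stricter than the old silent absorption, which is welcome, but the error will puzzle someone who merely has a stray sixth field, so a comment on the loop would help: `# ipsec is last, so it also collects any trailing tokens; setup_one rejects them`. `read` is still used without `-r`, which this commit does not change. The loop sits inside setup_masq, whose body starts before the hunk.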
@@ -5000,10 +5013,13 @@ determine_capabilities()
 {
 CONNTRACK_MATCH=
 MULTIPORT=
+ POLICY_MATCH=
 
 if qt iptables -N fooX1234 ; then
 qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
 qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
+
 qt iptables -F fooX1234
 qt iptables -X fooX1234
@@ -5035,6 +5051,7 @@ report_capabilities()
 {
 report_capability $MULTIPORT "Multi-port Match"
 report_capability $CONNTRACK_MATCH "Connection Tracking Match"
 report_capability $PKTTYPE "Packet Type Match"
+ report_capability $POLICY_MATCH "Policy Match"
 }
 #
@@ -5796,7 +5813,7 @@ activate_rules()
 networks1=${host1#*:}
 
 if [ "$host" != "$host1" ] || list_search $host $routeback; then
- run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_inout $zone $host $zone1 $host1) -j $chain
+ run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
 fi
 done
 done
diff --git a/Shorewall2/masq b/Shorewall2/masq
index 23e603143..8aa73fee1 100755
--- a/Shorewall2/masq
+++ b/Shorewall2/masq
@@ -93,6 +93,22 @@
 # support and a maximum of 15 ports may be
 # listed.
 #
+# IPSEC -- (Optional) If you specify a value other than "-" in this
+# column, you must be running kernel 2.6 and
+# your kernel and iptables must include policy
+# match support.
+#
+# Yes -- Only packets that will be encrypted using
+# an ipsec policy will have their source
+# address changed.
+#
+# No -- Only packets that will not be encrypted
+# using an ipsec policy will have their
+# source address changed.
+#
+# - or empty is the same as No providing that
+# your kernel and iptables contain policy match
+# support.
 #
 # Example 1:
 #
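Review bot: The rewritten run_iptables line in the activate_rules hunk matches only the outbound side (`match_ipsec_out $zone1 $host1`); the inbound policy check for `$zone`/`$host` that match_ipsec_inout used to contribute is gone, so in this forwarding rule decrypted traffic from $host and cleartext traffic from the same addresses follow the same path unless $chain1 is only reached under a `--dir in` policy match established elsewhere. If the policy match accepts a single `--dir` per `-m policy`, as I believe it does, the old combined "in ... out" form could never have loaded, which explains the removal, but where the inbound side is now enforced should be confirmed. Recording that on the line, `# inbound ipsec policy for $zone is matched on entry to $chain1; only the outbound policy is checked here` (as a TODO until verified), would spare the next reader the same question. activate_rules continues on both sides of the hunk.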
@@ -147,5 +163,5 @@
 # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
 #
 ###############################################################################
-#INTERFACE SUBNET ADDRESS PROTO PORT(S)
+#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 82d30f542..1c40e9b7a 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -256,3 +256,9 @@ New Features:
 /etc/shorewall/hosts:
 
 vpn eth0:0.0.0.0/0 ipsec
+
+ The /etc/shorewall/masq file has a new IPSEC column added. If you
+ specify Yes or yes in that column then the unencrypted packets will
+ have their source address changed. Otherwise, the unencrypted
+ packets will not have their source addresses changed.
+