IPSEC 2.6 Fixes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1537 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-14 18:39:09 +00:00
parent 7d85e8d36c
commit 24e6d1191d
4 changed files with 76 additions and 33 deletions

View File

@ -36,3 +36,7 @@ Changes since 2.0.3
16) Added DNAT ONLY column to /etc/shorewall/nat. 16) Added DNAT ONLY column to /etc/shorewall/nat.
17) Removed SNAT from ORIGINAL DESTINATION column. 17) Removed SNAT from ORIGINAL DESTINATION column.
18) Removed DNAT ONLY column.
19) Added IPSEC column to /etc/shorewall/masq.

View File

@ -613,7 +613,11 @@ match_ipsec_in() # $1 = zone, $2 = host
{ {
eval local hosts=\"\$${1}_ipsec_hosts\" eval local hosts=\"\$${1}_ipsec_hosts\"
list_search $2 $hosts && echo "-m policy --pol ipsec --dir in" if list_search $2 $hosts; then
echo "-m policy --pol ipsec --dir in"
elif [ -n "$POLICY_MATCH" ]; then
echo "-m policy --pol none --dir in"
fi
} }
# #
@ -623,26 +627,10 @@ match_ipsec_out() # $1 = zone, $2 = host
{ {
eval local hosts=\"\$${1}_ipsec_hosts\" eval local hosts=\"\$${1}_ipsec_hosts\"
list_search $2 $hosts && echo "-m policy --pol ipsec --dir out" if list_search $2 $hosts; then
} echo "-m policy --pol ipsec --dir out"
elif [ -n "$POLICY_MATCH" ]; then
# echo "-m policy --pol none --dir out"
# Generate a match for packets that have been decrypted and that will be encrypted
#
match_ipsec_inout() # $1 =input zone, $2 = input host, $3 = output zone, $4 = output host"
{
local result="-m policy --pol ipsec"
eval local input_hosts=\"\$${1}_ipsec_hosts\"
eval local output_hosts=\"\$${3}_ipsec_hosts\"
if list_search $2 $input_hosts; then
result="$result --dir in"
if list_search $4 $output_hosts; then
result="$result --dir out"
fi
echo $result
elif list_search $4 $output_hosts; then
echo "$result --dir out"
fi fi
} }
@ -898,7 +886,10 @@ validate_hosts_file() {
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-) maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
;; ;;
ipsec) ipsec)
[ -n "$POLICY_MATCH" ] || \
startup_error "Your kernel and/or iptables does not not support policy match: ipsec"
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\" eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
eval ${z}_is_complex=Yes
;; ;;
routeback) routeback)
[ -z "$ports" ] && \ [ -z "$ports" ] && \
@ -4464,7 +4455,27 @@ get_routed_networks() # $1 = interface name
setup_masq() setup_masq()
{ {
setup_one() { setup_one() {
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= policy=
[ "x$ipsec" = x- ] && ipsec=
case $ipsec in
Yes|yes)
[ -n "$POLICY_MATCH" ] || \
fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables"
policy="-m policy --pol ipsec --dir out"
;;
No|no)
[ -n "$POLICY_MATCH" ] || \
fatal_error "IPSEC=No requires policy match support in your kernel and iptables"
policy="-m policy --pol none --dir out"
;;
*)
[ -n "$ipsec" ] && \
fatal_error "Invalid value in IPSEC column: $ipsec"
[ -n "$POLICY_MATCH" ] && policy="-m policy --pol none --dir out"
;;
esac
case $fullinterface in case $fullinterface in
+*) +*)
@ -4612,7 +4623,7 @@ setup_masq()
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $networks; do
addnatrule $chain -s $s $proto $ports -j $newchain addnatrule $chain -s $s $proto $ports $policy -j $newchain
done done
networks= networks=
else else
@ -4624,6 +4635,7 @@ setup_masq()
destnets=0.0.0.0/0 destnets=0.0.0.0/0
proto= proto=
ports= ports=
policy=
if [ -n "$nomasq" ]; then if [ -n "$nomasq" ]; then
for addr in $(separate_list $nomasq); do for addr in $(separate_list $nomasq); do
@ -4645,7 +4657,7 @@ setup_masq()
done done
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet $proto $ports -j $newchain addnatrule $chain -d $destnet $proto $ports $policy -j $newchain
done done
fi fi
@ -4655,7 +4667,8 @@ setup_masq()
destnets=0.0.0.0/0 destnets=0.0.0.0/0
proto= proto=
ports= ports=
policy=
for addr in $(separate_list $nomasq); do for addr in $(separate_list $nomasq); do
addnatrule $chain -s $addr -j RETURN addnatrule $chain -s $addr -j RETURN
done done
@ -4677,24 +4690,24 @@ setup_masq()
for s in $networks; do for s in $networks; do
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet $proto $ports -j SNAT $addrlist addnatrule $chain -s $s -d $destnet $proto $ports $policy -j SNAT $addrlist
done done
progress_message " To $destination $displayproto from $s through ${interface} using $addresses" progress_message " To $destination $displayproto from $s through ${interface} using $addresses"
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet $proto $ports -j MASQUERADE addnatrule $chain -s $s -d $destnet $proto $ports $policy -j MASQUERADE
done done
progress_message " To $destination $displayproto from $s through ${interface}" progress_message " To $destination $displayproto from $s through ${interface}"
fi fi
done done
elif [ -n "$addresses" ]; then elif [ -n "$addresses" ]; then
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet $proto $ports -j SNAT $addrlist addnatrule $chain -d $destnet $proto $ports $policy -j SNAT $addrlist
done done
echo " To $destination $displayproto from $source through ${interface} using $addresses" echo " To $destination $displayproto from $source through ${interface} using $addresses"
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet $proto $ports -j MASQUERADE addnatrule $chain -d $destnet $proto $ports $policy -j MASQUERADE
done done
progress_message " To $destination $displayproto from $source through ${interface}" progress_message " To $destination $displayproto from $source through ${interface}"
fi fi
@ -4705,8 +4718,8 @@ setup_masq()
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..." [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
while read fullinterface networks addresses proto ports; do while read fullinterface networks addresses proto ports ipsec; do
expandv fullinterface networks addresses proto ports expandv fullinterface networks addresses proto ports ipsec
[ -n "$NAT_ENABLED" ] && setup_one || \ [ -n "$NAT_ENABLED" ] && setup_one || \
error_message "Warning: NAT disabled; masq rule ignored" error_message "Warning: NAT disabled; masq rule ignored"
done < $TMP_DIR/masq done < $TMP_DIR/masq
@ -5000,10 +5013,13 @@ determine_capabilities() {
CONNTRACK_MATCH= CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
POLICY_MATCH=
if qt iptables -N fooX1234 ; then if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt iptables -F fooX1234 qt iptables -F fooX1234
qt iptables -X fooX1234 qt iptables -X fooX1234
@ -5035,6 +5051,7 @@ report_capabilities() {
report_capability $MULTIPORT "Multi-port Match" report_capability $MULTIPORT "Multi-port Match"
report_capability $CONNTRACK_MATCH "Connection Tracking Match" report_capability $CONNTRACK_MATCH "Connection Tracking Match"
report_capability $PKTTYPE "Packet Type Match" report_capability $PKTTYPE "Packet Type Match"
report_capability $POLICY_MATCH "Policy Match"
} }
# #
@ -5796,7 +5813,7 @@ activate_rules()
networks1=${host1#*:} networks1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_inout $zone $host $zone1 $host1) -j $chain run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi fi
done done
done done

View File

@ -93,6 +93,22 @@
# support and a maximum of 15 ports may be # support and a maximum of 15 ports may be
# listed. # listed.
# #
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Yes -- Only packets that will be encrypted using
# an ipsec policy will have their source
# address changed.
#
# No -- Only packets that will not be encrypted
# using an ipsec policy will have their
# source address changed.
#
# - or empty is the same as No providing that
# your kernel and iptables contain policy match
# support.
# #
# Example 1: # Example 1:
# #
@ -147,5 +163,5 @@
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
# #
############################################################################### ###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

View File

@ -256,3 +256,9 @@ New Features:
/etc/shorewall/hosts: /etc/shorewall/hosts:
vpn eth0:0.0.0.0/0 ipsec vpn eth0:0.0.0.0/0 ipsec
The /etc/shorewall/masq file has a new IPSEC column added. If you
specify Yes or yes in that column then the unencrypted packets will
have their source address changed. Otherwise, the unencrypted
packets will not have their source addresses changed.