Allow multiple GATEWAYS to be listed in the tunnels file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
2b7e5dd9d8
commit
34f5838365
@ -219,6 +219,7 @@ our %EXPORT_TAGS = (
|
||||
do_ipsec_options
|
||||
do_ipsec
|
||||
log_rule
|
||||
handle_network_list
|
||||
expand_rule
|
||||
addnatjump
|
||||
set_chain_variables
|
||||
|
@ -234,7 +234,7 @@ sub setup_tunnels() {
|
||||
}
|
||||
|
||||
sub setup_one_tunnel($$$$) {
|
||||
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
|
||||
my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
|
||||
|
||||
my $zonetype = zone_type( $zone );
|
||||
|
||||
@ -243,36 +243,43 @@ sub setup_tunnels() {
|
||||
my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
|
||||
my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
|
||||
|
||||
$gateway = ALLIP if $gateway eq '-';
|
||||
$gateways = ALLIP if $gateways eq '-';
|
||||
|
||||
my @source = imatch_source_net $gateway;
|
||||
my @dest = imatch_dest_net $gateway;
|
||||
my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
|
||||
( $net, $excl ) = handle_network_list( $gateways , 'dst' );
|
||||
|
||||
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
||||
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
||||
'ipip' => { function => \&setup_one_other, params => [ \@source, \@dest , 4 ] } ,
|
||||
'gre' => { function => \&setup_one_other, params => [ \@source, \@dest , 47 ] } ,
|
||||
'6to4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
||||
'6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
||||
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
|
||||
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,
|
||||
'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, \@source, \@dest ] } ,
|
||||
'generic' => { function => \&setup_one_generic , params => [ $kind, \@source, \@dest ] } ,
|
||||
);
|
||||
fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
|
||||
|
||||
$kind = "\L$kind";
|
||||
for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
|
||||
my @source = imatch_source_net $gateway;
|
||||
my @dest = imatch_dest_net $gateway;
|
||||
|
||||
(my $type) = split /:/, $kind;
|
||||
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
||||
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
||||
'ipip' => { function => \&setup_one_other, params => [ \@source, \@dest , 4 ] } ,
|
||||
'gre' => { function => \&setup_one_other, params => [ \@source, \@dest , 47 ] } ,
|
||||
'6to4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
||||
'6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
||||
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
|
||||
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
|
||||
'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,
|
||||
'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, \@source, \@dest ] } ,
|
||||
'generic' => { function => \&setup_one_generic , params => [ $kind, \@source, \@dest ] } ,
|
||||
);
|
||||
|
||||
my $tunnelref = $tunneltypes{ $type };
|
||||
$kind = "\L$kind";
|
||||
|
||||
fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
|
||||
(my $type) = split /:/, $kind;
|
||||
|
||||
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
|
||||
my $tunnelref = $tunneltypes{ $type };
|
||||
|
||||
fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
|
||||
|
||||
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
|
||||
}
|
||||
|
||||
progress_message " Tunnel \"$currentline\" $done";
|
||||
}
|
||||
|
||||
|
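Review bot: The dispatch table and the `fatal_error "Tunnels of type $type are not supported"` check now sit inside the `for my $gateway` loop, so an unsupported type is only rejected when `split_list` yields at least one gateway, and a GATEWAYS value that splits to nothing silently produces no rules for that tunnel. The rendered view does not show which side the duplicated `$kind = "\L$kind"` and `(my $type) = split /:/, $kind;` lines belong to; if the lowercasing stays after the hash construction inside the loop, the first iteration's `params` capture `$kind` as the caller wrote it and later iterations the lowercased form. Declaring `@source`/`@dest` once, building `%tunneltypes` and resolving `$tunnelref` before the loop, and only reassigning the two arrays per gateway keeps the refs captured in `params` valid and restores a single up-front type check — provided the `setup_one_*` helpers (outside this hunk) do not retain or modify those array refs. The two `handle_network_list` calls discard `$net` and the first `$excl`; a comment such as `# syntax-check the list in both directions; only the exclusion flag is consumed` would make the validate-only intent clear to the next reader.
```perl
    fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;

    $kind = "\L$kind";

    (my $type) = split /:/, $kind;

    # Declared once so the refs captured in %tunneltypes stay valid for every gateway.
    my ( @source, @dest );

    my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
                        # … unchanged: remaining %tunneltypes entries …
                      );

    my $tunnelref = $tunneltypes{ $type };

    fatal_error "Tunnels of type $type are not supported" unless $tunnelref;

    for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
        @source = imatch_source_net $gateway;
        @dest   = imatch_dest_net $gateway;

        $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
    }
```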
@ -125,8 +125,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis> -
|
||||
<emphasis>address-or-range</emphasis></term>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis>S -
|
||||
<emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
|
||||
]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The IP address of the remote tunnel gateway. If the remote
|
||||
@ -134,6 +135,11 @@
|
||||
as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
|
||||
network address and if your kernel and iptables include iprange
|
||||
match support then IP address ranges are also allowed.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||
may be given. Exclusion (<ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
|
||||
not supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -148,7 +154,7 @@
|
||||
comma-separated list of the names of the zones that the host might
|
||||
be in. This column only applies to IPSEC tunnels where it enables
|
||||
ISAKMP traffic to flow through the tunnel to the remote
|
||||
gateway.</para>
|
||||
gateway(s).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -101,10 +101,10 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term></term>
|
||||
<term/>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -120,8 +120,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis> -
|
||||
<emphasis>address-or-range</emphasis></term>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis>S -
|
||||
<emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
|
||||
]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The IP address of the remote tunnel gateway. If the remote
|
||||
@ -129,6 +130,11 @@
|
||||
as <emphasis role="bold">::/0</emphasis>. May be specified as a
|
||||
network address and if your kernel and ip6tables include iprange
|
||||
match support then IP address ranges are also allowed.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||
may be given. Exclusion (<ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
|
||||
is not supported.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -143,7 +149,7 @@
|
||||
comma-separated list of the names of the zones that the host might
|
||||
be in. This column only applies to IPSEC tunnels where it enables
|
||||
ISAKMP traffic to flow through the tunnel to the remote
|
||||
gateway.</para>
|
||||
gateway(s).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|