diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 812b55bb4..f8018d86c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -219,6 +219,7 @@ our %EXPORT_TAGS = (
 do_ipsec_options
 do_ipsec
 log_rule
+ handle_network_list
 expand_rule
 addnatjump
 set_chain_variables
diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm
index c07207a08..c3743452e 100644
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -234,7 +234,7 @@ sub setup_tunnels() {
 }
 sub setup_one_tunnel($$$$) {
- my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
+ my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
 my $zonetype = zone_type( $zone );
@@ -243,36 +243,43 @@ sub setup_tunnels() {
 my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
- $gateway = ALLIP if $gateway eq '-';
+ $gateways = ALLIP if $gateways eq '-';
- my @source = imatch_source_net $gateway;
- my @dest = imatch_dest_net $gateway;
+ my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
+ ( $net, $excl ) = handle_network_list( $gateways , 'dst' );
- my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
- 'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
- 'ipip' => { function => \&setup_one_other, params => [ \@source, \@dest , 4 ] } ,
- 'gre' => { function => \&setup_one_other, params => [ \@source, \@dest , 47 ] } ,
- '6to4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
- '6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
- 'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
- 'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
- 'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
- 'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
- 'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,
- 'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, \@source, \@dest ] } ,
- 'generic' => { function => \&setup_one_generic , params => [ $kind, \@source, \@dest ] } ,
- );
+ fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
- $kind = "\L$kind";
+ for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
+ my @source = imatch_source_net $gateway;
+ my @dest = imatch_dest_net $gateway;
- (my $type) = split /:/, $kind;
+ my 
%tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+ 'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+ 'ipip' => { function => \&setup_one_other, params => [ \@source, \@dest , 4 ] } ,
+ 'gre' => { function => \&setup_one_other, params => [ \@source, \@dest , 47 ] } ,
+ '6to4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
+ '6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
+ 'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
+ 'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
+ 'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
+ 'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
+ 'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,
+ 'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, \@source, \@dest ] } ,
+ 'generic' => { function => \&setup_one_generic , params => [ $kind, \@source, \@dest ] } ,
+ );
- my $tunnelref = $tunneltypes{ $type };
+ $kind = "\L$kind";
- fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+ (my $type) = split /:/, $kind;
- $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+ my $tunnelref = $tunneltypes{ $type };
+ fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+
+ $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+ }
+
 progress_message " Tunnel \"$currentline\" $done";
 }
diff --git a/Shorewall/manpages/shorewall-tunnels.xml b/Shorewall/manpages/shorewall-tunnels.xml
index b66c5523e..92d713179 100644
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
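Review bot: The `fatal_error "Tunnels of type $type are not supported" unless $tunnelref;` check now lives inside the `for my $gateway` loop, so it runs only when `split_list` yields at least one gateway, and the 13-entry `%tunneltypes` table is rebuilt on every iteration merely to rebind `\@source` and `\@dest`. Neither `$kind = "\L$kind";` nor `(my $type) = split /:/, $kind;` depends on `$gateway`, so I would move those two lines above the loop and validate `$type` there (against the table's keys, if the table is hoisted as well), leaving only the match construction and the dispatch call per gateway; whether the list can actually come back empty depends on `split_list`, which is outside this diff. Separately, `$net` from the two `handle_network_list` calls is never read and the `'src'` result is overwritten by the `'dst'` call before `$excl` is tested, so if those calls exist only to validate the list and detect exclusion, a comment such as `# validate GATEWAYS and reject exclusion; per-gateway match lists are built in the loop below` would make that explicit, and one call would suffice if exclusion detection does not depend on direction. The enclosing `setup_one_tunnel` starts outside this hunk.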
@@ -125,8 +125,9 @@
- GATEWAY -
- address-or-range
+ GATEWAYS -
+ address-or-range [ , ...
+ ]
 The IP address of the remote tunnel gateway. If the remote
@@ -134,6 +135,11 @@
 as 0.0.0.0/0. May be specified as a network address and if your kernel and iptables include iprange match support then IP address ranges are also allowed.
+
+ Beginning with Shorewall 4.5.3, a list of addresses or ranges
+ may be given. Exclusion (shorewall-exclusion (5) ) is
+ not supported.
@@ -148,7 +154,7 @@
 comma-separated list of the names of the zones that the host might be in. This column only applies to IPSEC tunnels where it enables ISAKMP traffic to flow through the tunnel to the remote
- gateway.
+ gateway(s).
diff --git a/Shorewall6/manpages/shorewall6-tunnels.xml b/Shorewall6/manpages/shorewall6-tunnels.xml
index c3bd20c9f..028ae2667 100644
--- a/Shorewall6/manpages/shorewall6-tunnels.xml
+++ b/Shorewall6/manpages/shorewall6-tunnels.xml
@@ -101,10 +101,10 @@
-
+
-
+
@@ -120,8 +120,9 @@
- GATEWAY -
- address-or-range
+ GATEWAYS -
+ address-or-range [ , ...
+ ]
 The IP address of the remote tunnel gateway. If the remote
@@ -129,6 +130,11 @@
 as ::/0. May be specified as a network address and if your kernel and ip6tables include iprange match support then IP address ranges are also allowed.
+
+ Beginning with Shorewall 4.5.3, a list of addresses or ranges
+ may be given. Exclusion (shorewall6-exclusion (5) )
+ is not supported.
@@ -143,7 +149,7 @@
 comma-separated list of the names of the zones that the host might be in. This column only applies to IPSEC tunnels where it enables ISAKMP traffic to flow through the tunnel to the remote
- gateway.
+ gateway(s).