Allow multiple GATEWAYS to be listed in the tunnels file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
2b7e5dd9d8
commit
34f5838365
@ -219,6 +219,7 @@ our %EXPORT_TAGS = (
|
|||||||
do_ipsec_options
|
do_ipsec_options
|
||||||
do_ipsec
|
do_ipsec
|
||||||
log_rule
|
log_rule
|
||||||
|
handle_network_list
|
||||||
expand_rule
|
expand_rule
|
||||||
addnatjump
|
addnatjump
|
||||||
set_chain_variables
|
set_chain_variables
|
||||||
|
@ -234,7 +234,7 @@ sub setup_tunnels() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub setup_one_tunnel($$$$) {
|
sub setup_one_tunnel($$$$) {
|
||||||
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
|
my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
|
||||||
|
|
||||||
my $zonetype = zone_type( $zone );
|
my $zonetype = zone_type( $zone );
|
||||||
|
|
||||||
@ -243,35 +243,42 @@ sub setup_tunnels() {
|
|||||||
my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
|
my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
|
||||||
my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
|
my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
|
||||||
|
|
||||||
$gateway = ALLIP if $gateway eq '-';
|
$gateways = ALLIP if $gateways eq '-';
|
||||||
|
|
||||||
my @source = imatch_source_net $gateway;
|
my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
|
||||||
my @dest = imatch_dest_net $gateway;
|
( $net, $excl ) = handle_network_list( $gateways , 'dst' );
|
||||||
|
|
||||||
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
|
||||||
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
|
||||||
'ipip' => { function => \&setup_one_other, params => [ \@source, \@dest , 4 ] } ,
|
|
||||||
'gre' => { function => \&setup_one_other, params => [ \@source, \@dest , 47 ] } ,
|
|
||||||
'6to4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
|
||||||
'6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
|
||||||
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
|
|
||||||
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
|
|
||||||
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
|
|
||||||
'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
|
|
||||||
'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,
|
|
||||||
'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, \@source, \@dest ] } ,
|
|
||||||
'generic' => { function => \&setup_one_generic , params => [ $kind, \@source, \@dest ] } ,
|
|
||||||
);
|
|
||||||
|
|
||||||
$kind = "\L$kind";
|
for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
|
||||||
|
my @source = imatch_source_net $gateway;
|
||||||
|
my @dest = imatch_dest_net $gateway;
|
||||||
|
|
||||||
(my $type) = split /:/, $kind;
|
my %tunneltypes = ( 'ipsec' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
||||||
|
'ipsecnat' => { function => \&setup_one_ipsec , params => [ $kind, \@source, \@dest , $gatewayzones ] } ,
|
||||||
|
'ipip' => { function => \&setup_one_other, params => [ \@source, \@dest , 4 ] } ,
|
||||||
|
'gre' => { function => \&setup_one_other, params => [ \@source, \@dest , 47 ] } ,
|
||||||
|
'6to4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
||||||
|
'6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
|
||||||
|
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
|
||||||
|
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
|
||||||
|
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
|
||||||
|
'openvpnclient' => { function => \&setup_one_openvpn_client, params => [ $kind, \@source, \@dest ] } ,
|
||||||
|
'openvpnserver' => { function => \&setup_one_openvpn_server, params => [ $kind, \@source, \@dest ] } ,
|
||||||
|
'l2tp' => { function => \&setup_one_l2tp , params => [ $kind, \@source, \@dest ] } ,
|
||||||
|
'generic' => { function => \&setup_one_generic , params => [ $kind, \@source, \@dest ] } ,
|
||||||
|
);
|
||||||
|
|
||||||
my $tunnelref = $tunneltypes{ $type };
|
$kind = "\L$kind";
|
||||||
|
|
||||||
fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
|
(my $type) = split /:/, $kind;
|
||||||
|
|
||||||
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
|
my $tunnelref = $tunneltypes{ $type };
|
||||||
|
|
||||||
|
fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
|
||||||
|
|
||||||
|
$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
|
||||||
|
}
|
||||||
|
|
||||||
progress_message " Tunnel \"$currentline\" $done";
|
progress_message " Tunnel \"$currentline\" $done";
|
||||||
}
|
}
|
||||||
|
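Review bot: The two `handle_network_list( $gateways , 'src' )` / `'dst'` calls in setup_one_tunnel are used only for the `$excl` flag — `$net` is never read, and the `'src'` call's result is overwritten by the `'dst'` call before `fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl` looks at it — so the pair reads like a leftover rather than deliberate validation. If both variants reject exclusion the same way, a single `my ( undef, $excl ) = handle_network_list( $gateways , 'src' );` with a comment such as `# parsed only to reject '!' exclusions; per-gateway matches are built in the loop below` is enough; if `'src'` and `'dst'` validate differently (handle_network_list is not visible from here), keep both but say so in that comment. Separately, `$kind = "\L$kind";` and `(my $type) = split /:/, $kind;` are loop-invariant and now execute once per gateway; hoisting them above `for my $gateway ( split_list $gateways, 'GATEWAYS' ) {` also lets the `Tunnels of type $type are not supported` check fire before any rule is added for the first gateway, whereas `%tunneltypes` must stay inside the loop because it captures `\@source` and `\@dest`. The body of setup_one_tunnel begins before this hunk (between the two hunks shown), so the unchanged lines there are not reviewed.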
@ -125,8 +125,9 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">GATEWAY</emphasis> -
|
<term><emphasis role="bold">GATEWAY</emphasis>S -
|
||||||
<emphasis>address-or-range</emphasis></term>
|
<emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
|
||||||
|
]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The IP address of the remote tunnel gateway. If the remote
|
<para>The IP address of the remote tunnel gateway. If the remote
|
||||||
@ -134,6 +135,11 @@
|
|||||||
as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
|
as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
|
||||||
network address and if your kernel and iptables include iprange
|
network address and if your kernel and iptables include iprange
|
||||||
match support then IP address ranges are also allowed.</para>
|
match support then IP address ranges are also allowed.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||||
|
may be given. Exclusion (<ulink
|
||||||
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
|
||||||
|
not supported.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -148,7 +154,7 @@
|
|||||||
comma-separated list of the names of the zones that the host might
|
comma-separated list of the names of the zones that the host might
|
||||||
be in. This column only applies to IPSEC tunnels where it enables
|
be in. This column only applies to IPSEC tunnels where it enables
|
||||||
ISAKMP traffic to flow through the tunnel to the remote
|
ISAKMP traffic to flow through the tunnel to the remote
|
||||||
gateway.</para>
|
gateway(s).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -101,10 +101,10 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term></term>
|
<term/>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para></para>
|
<para/>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -120,8 +120,9 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">GATEWAY</emphasis> -
|
<term><emphasis role="bold">GATEWAY</emphasis>S -
|
||||||
<emphasis>address-or-range</emphasis></term>
|
<emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
|
||||||
|
]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The IP address of the remote tunnel gateway. If the remote
|
<para>The IP address of the remote tunnel gateway. If the remote
|
||||||
@ -129,6 +130,11 @@
|
|||||||
as <emphasis role="bold">::/0</emphasis>. May be specified as a
|
as <emphasis role="bold">::/0</emphasis>. May be specified as a
|
||||||
network address and if your kernel and ip6tables include iprange
|
network address and if your kernel and ip6tables include iprange
|
||||||
match support then IP address ranges are also allowed.</para>
|
match support then IP address ranges are also allowed.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
|
||||||
|
may be given. Exclusion (<ulink
|
||||||
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink> (5) )
|
||||||
|
is not supported.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -143,7 +149,7 @@
|
|||||||
comma-separated list of the names of the zones that the host might
|
comma-separated list of the names of the zones that the host might
|
||||||
be in. This column only applies to IPSEC tunnels where it enables
|
be in. This column only applies to IPSEC tunnels where it enables
|
||||||
ISAKMP traffic to flow through the tunnel to the remote
|
ISAKMP traffic to flow through the tunnel to the remote
|
||||||
gateway.</para>
|
gateway(s).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|