From 4af6c7650ed1dd49b4bf8f9e71f6ce2699f13a4e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 29 Jul 2009 14:35:27 -0700
Subject: [PATCH] Correct handling of nested IPSEC zone

---
 Shorewall/Perl/Shorewall/Chains.pm | 40 +++++++++++++++++++-----------
 Shorewall/Perl/Shorewall/Zones.pm | 7 ++++--
 Shorewall/changelog.txt | 2 +-
 Shorewall/releasenotes.txt | 4 +--
 4 files changed, 34 insertions(+), 19 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 84dc6c1d9..ed3167534 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1911,17 +1911,23 @@ sub match_orig_dest ( $ ) {
 #
 sub match_ipsec_in( $$ ) {
     my ( $zone , $hostref ) = @_;
-    my $match = '-m policy --dir in --pol ';
+    my $match = '';
     my $zoneref = find_zone( $zone );
     my $optionsref = $zoneref->{options};
 
-    if ( $zoneref->{type} eq 'ipsec' ) {
-        $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
-    } elsif ( $capabilities{POLICY_MATCH} ) {
-        $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
-    } else {
-        '';
+    unless ( $optionsref->{super} ) {
+        $match = '-m policy --dir in --pol ';
+
+        if ( $zoneref->{type} eq 'ipsec' ) {
+            $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
+        } elsif ( $capabilities{POLICY_MATCH} ) {
+            $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
+        } else {
+            return '';
+        }
     }
+
+    $match;
 }
 
 #
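Review bot: The new `unless ( $optionsref->{super} )` guard returns an empty string for a non-IPSEC zone that has an IPSEC sub-zone, so no `-m policy --dir in` match is emitted for that zone's rules and they stop distinguishing traffic that arrived inside an IPSEC SA from plaintext; that widening is the point of the fix, but nothing in the code says so, so add `# 'super' zones (non-IPSEC parents of an IPSEC zone) must match both IPSEC and plaintext traffic so that CONTINUE can fall through to them; emit no policy match.` above the guard. A second, hedged point: the retained test `$zoneref->{type} eq 'ipsec'` compares against a string literal, while Zones.pm in this same patch compares the zone type against the `IPSEC` constant with both `eq IPSEC` and `== IPSEC`; if that constant is not the literal string 'ipsec', the first branch can never fire and IPSEC zones silently take the POLICY_MATCH branch, so comparing against the same constant here would be safer.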
@@ -1929,17 +1935,23 @@ sub match_ipsec_in( $$ ) {
 #
 sub match_ipsec_out( $$ ) {
     my ( $zone , $hostref ) = @_;
-    my $match = '-m policy --dir out --pol ';
+    my $match = '';
     my $zoneref = find_zone( $zone );
     my $optionsref = $zoneref->{options};
 
-    if ( $zoneref->{type} eq 'ipsec' ) {
-        $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
-    } elsif ( $capabilities{POLICY_MATCH} ) {
-        $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
-    } else {
-        '';
+    unless ( $optionsref->{super} ) {
+        $match = '-m policy --dir out --pol ';
+
+        if ( $zoneref->{type} eq 'ipsec' ) {
+            $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
+        } elsif ( $capabilities{POLICY_MATCH} ) {
+            $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
+        } else {
+            return '';
+        }
     }
+
+    $match;
 }
 
 #
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 171f51a50..83914a948 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -93,6 +93,7 @@ use constant { NOTHING => 'NOTHING',
 # %zones{ => {type = > FIREWALL, IP, IPSEC, BPORT;
 #             options => { complex => 0|1
 #                          nested => 0|1
+#                          super => 0|1
 #                          in_out => < policy match string >
 #                          in => < policy match string >
 #                          out => < policy match string >
@@ -379,7 +380,7 @@ sub process_zone( \$ ) {
 
     if ( $type eq IPSEC ) {
         for ( @parents ) {
-            fatal_error "Parent zone $_ is not an IPSEC Zone" unless $zones{$_}{type} eq IPSEC;
+            $zones{$_}{options}{super} = 1 unless $zones{$_}{type} eq IPSEC;
         }
     }
 
@@ -394,7 +395,9 @@ sub process_zone( \$ ) {
                                    in => parse_zone_option_list( $in_options || '', $type ) ,
                                    out => parse_zone_option_list( $out_options || '', $type ) ,
                                    complex => ($type == IPSEC || $options || $in_options || $out_options ? 1 : 0) ,
-                                   nested => @parents > 0 } ,
+                                   nested => @parents > 0 ,
+                                   super => 0 ,
+                                   } ,
                           interfaces => {} ,
                           children => [] ,
                           hosts => {}
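Review bot: match_ipsec_out is now a line-for-line copy of match_ipsec_in with only `in`/`out` differing (down to the missing semicolon after the elsif `$match .= ...` line, which match_ipsec_in does have), so the new `super` guard and the POLICY_MATCH fallback are maintained twice and can drift apart. Factor the body into one direction-parameterised private helper and make both public subs thin wrappers; the wrappers must pass `$zone` and `$hostref` explicitly rather than `@_`, because a `$$$` prototype would impose scalar context on `@_`. The sketch below keeps the existing return values (`''` for super zones and when no policy match can be generated) and the emitted match string byte-for-byte.
```perl
# Build the '-m policy' match for $zone in direction $dir ('in' or 'out').
# Returns '' for a 'super' zone (non-IPSEC parent of an IPSEC zone), so its
# rules match both IPSEC and plaintext traffic, and '' when no policy match
# can be generated for a non-IPSEC zone.
sub match_ipsec( $$$ ) {
    my ( $dir , $zone , $hostref ) = @_;
    my $zoneref    = find_zone( $zone );
    my $optionsref = $zoneref->{options};

    return '' if $optionsref->{super};

    my $pol;

    if ( $zoneref->{type} eq 'ipsec' ) {
        $pol = 'ipsec';
    } elsif ( $capabilities{POLICY_MATCH} ) {
        $pol = $hostref->{ipsec};
    } else {
        return '';
    }

    "-m policy --dir $dir --pol $pol $optionsref->{in_out}{ipsec}$optionsref->{$dir}{ipsec}";
}

sub match_ipsec_in( $$ ) {
    my ( $zone , $hostref ) = @_;
    match_ipsec( 'in', $zone, $hostref );
}

sub match_ipsec_out( $$ ) {
    my ( $zone , $hostref ) = @_;
    match_ipsec( 'out', $zone, $hostref );
}
```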
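Review bot: The added `# super => 0|1` line names the new option but, unlike the `nested` entry above it, gives the reader no way to know when it is set or what it changes, and its only consumer is in Chains.pm; extend it to `# super => 0|1 (1 = non-IPSEC zone with an IPSEC sub-zone; its rules are emitted without a '-m policy' match)`. That wording matches the two places this patch touches: process_zone sets the flag on non-IPSEC parents of an IPSEC zone, and match_ipsec_in/match_ipsec_out return an empty match when it is set.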
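Review bot: `$zones{$_}{options}{super} = 1` replaces a fatal error with a silent behaviour change whose effect lives in a different file (Chains.pm omits the `-m policy` match for any zone with `super` set), so nothing at this site tells a maintainer that accepting the nesting relaxes the parent zone's rules; add `# Non-IPSEC parent of an IPSEC zone: Chains.pm drops the -m policy match from its rules so that CONTINUE can reach them.` above the loop. The flag is also set for a parent of any non-IPSEC type, including FIREWALL or BPORT if those can appear in @parents; whether that is ruled out earlier cannot be seen here, since process_zone starts and ends outside the hunk.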
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 93da0ad75..409129fbc 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,7 +6,7 @@ Changes in Shorewall 4.4.0-RC2 3) Make 'any' a reserved zone name. -4) Issue a warning if an ipsec zone is nested in a non-ipsec zone. +4) Correct handling of an ipsec zone nested in a non-ipsec zone. Changes in Shorewall 4.4.0-RC1 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e75ec398f..4c62f4fbe 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -121,8 +121,8 @@ Shorewall 4.4.0 RC2 3) 'any' is now a reserved name. In RC1, 'any' could be defined as the name of a zone. -4) Previously, an IPSEC zone could be defined as a sub-zone of a - non-IPSEC zone. This invalid definition is now flagged with an error. +4) Previously, embedding an IPSEC zone in an IP zone did not work as + expected with CONTINUE policies. This has been corrected. ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G