Correct handling of nested IPSEC zone
parent
99128502a2
commit
4af6c7650e
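--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -1911,37 +1911,49 @@ sub match_orig_dest ( $ ) {
 #
 sub match_ipsec_in( $$ ) {
 my ( $zone , $hostref ) = @_;
-my $match = '-m policy --dir in --pol ';
+my $match = '';
 my $zoneref = find_zone( $zone );
 my $optionsref = $zoneref->{options};
 
+unless ( $optionsref->{super} ) {
+$match = '-m policy --dir in --pol ';
+
 if ( $zoneref->{type} eq 'ipsec' ) {
 $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
 } elsif ( $capabilities{POLICY_MATCH} ) {
 $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
 } else {
-'';
+return '';
 }
 }
 
+$match;
+}
+
 #
 # Match Dest IPSEC
 #
 sub match_ipsec_out( $$ ) {
 my ( $zone , $hostref ) = @_;
-my $match = '-m policy --dir out --pol ';
+my $match = '';
 my $zoneref = find_zone( $zone );
 my $optionsref = $zoneref->{options};
 
+unless ( $optionsref->{super} ) {
+$match = '-m policy --dir out --pol ';
+
 if ( $zoneref->{type} eq 'ipsec' ) {
 $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
 } elsif ( $capabilities{POLICY_MATCH} ) {
 $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
 } else {
-'';
+return '';
 }
 }
 
+$match;
+}
+
 #
 # Generate a log message
 #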
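Review bot: match_ipsec_in and match_ipsec_out are now identical apart from the literal `in`/`out` in the `--dir` option and the `{in}`/`{out}` key, so the new `super` short-circuit, the `return '';` and the trailing `$match;` are maintained twice; a shared helper taking the direction removes the duplication. The new code also mixes an explicit `return '';` in the else branch with a bare `$match;` as the fall-through value, which reads as an accidental omission; either spell both as `return` or neither. Nothing in this hunk says what `super` means, and the release-notes hunk on this page ties it to an IPSEC zone embedded in an IP zone under CONTINUE policies, so a comment on the `unless ( $optionsref->{super} )` line such as `# super: non-IPSEC zone containing an IPSEC zone; no policy match, so its rules see both plain and IPSEC traffic` would help the next reader. A sketch of the helper, preserving the strings the two subs emit, follows.
```perl
#
# Shared body of match_ipsec_in / match_ipsec_out; $dir is 'in' or 'out'.
# A 'super' zone (non-IPSEC zone containing an IPSEC zone) gets no policy
# match, so its rules see both plain and IPSEC traffic.
#
sub match_ipsec_common( $$$ ) {
    my ( $dir, $zone , $hostref ) = @_;
    my $zoneref    = find_zone( $zone );
    my $optionsref = $zoneref->{options};

    return '' if $optionsref->{super};

    my $policy = "$optionsref->{in_out}{ipsec}$optionsref->{$dir}{ipsec}";

    if ( $zoneref->{type} eq 'ipsec' ) {
        return "-m policy --dir $dir --pol ipsec $policy";
    } elsif ( $capabilities{POLICY_MATCH} ) {
        return "-m policy --dir $dir --pol $hostref->{ipsec} $policy";
    }

    return '';
}

sub match_ipsec_in( $$ ) {
    return match_ipsec_common( 'in', @_ );
}

sub match_ipsec_out( $$ ) {
    return match_ipsec_common( 'out', @_ );
}
```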
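--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -93,6 +93,7 @@ use constant { NOTHING => 'NOTHING',
 # %zones{<zone1> => {type = > <zone type> FIREWALL, IP, IPSEC, BPORT;
 # options => { complex => 0|1
 # nested => 0|1
+# super => 0|1
 # in_out => < policy match string >
 # in => < policy match string >
 # out => < policy match string >
@@ -379,7 +380,7 @@ sub process_zone( \$ ) {
 
 if ( $type eq IPSEC ) {
 for ( @parents ) {
-fatal_error "Parent zone $_ is not an IPSEC Zone" unless $zones{$_}{type} eq IPSEC;
+$zones{$_}{options}{super} = 1 unless $zones{$_}{type} eq IPSEC;
 }
 }
 
@@ -394,7 +395,9 @@ sub process_zone( \$ ) {
 in => parse_zone_option_list( $in_options || '', $type ) ,
 out => parse_zone_option_list( $out_options || '', $type ) ,
 complex => ($type == IPSEC || $options || $in_options || $out_options ? 1 : 0) ,
-nested => @parents > 0 } ,
+nested => @parents > 0 ,
+super => 0 ,
+} ,
 interfaces => {} ,
 children => [] ,
 hosts => {}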
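Review bot: The line setting `$zones{$_}{options}{super} = 1` replaces the old fatal_error without saying what the flag buys, and the data-layout comment gains only `# super => 0|1`; a reader has to find match_ipsec_in/out to learn that it suppresses the policy match for a non-IPSEC zone that contains an IPSEC zone. Suggest `# super => 0|1 (non-IPSEC zone with a nested IPSEC zone; no policy match)` in the layout comment and `# A non-IPSEC parent of an IPSEC zone must match IPSEC traffic too` above the assignment. Because the assignment autovivifies `$zones{$_}{options}`, a parent name that is not a defined zone would silently gain an entry here unless parents are validated before this loop, which these hunks do not show. Unrelated to the change but retained as context, `$type == IPSEC` on the `complex` line compares numerically while the preceding hunk uses `$type eq IPSEC`; if IPSEC is a string constant like the `NOTHING => 'NOTHING'` visible in the first hunk header, `==` is always true there and should be `eq`. process_zone begins and ends outside these hunks.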
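--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -6,7 +6,7 @@ Changes in Shorewall 4.4.0-RC2
 
 3) Make 'any' a reserved zone name.
 
-4) Issue a warning if an ipsec zone is nested in a non-ipsec zone.
+4) Correct handling of an ipsec zone nested in a non-ipsec zone.
 
 Changes in Shorewall 4.4.0-RC1
 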
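--- a/PATH-NOT-ON-PAGE-4
+++ b/PATH-NOT-ON-PAGE-4
@@ -121,8 +121,8 @@ Shorewall 4.4.0 RC2
 3) 'any' is now a reserved name. In RC1, 'any' could be defined as the
 name of a zone.
 
-4) Previously, an IPSEC zone could be defined as a sub-zone of a
-non-IPSEC zone. This invalid definition is now flagged with an error.
+4) Previously, embedding an IPSEC zone in an IP zone did not work as
+expected with CONTINUE policies. This has been corrected.
 
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G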