Correct handling of nested IPSEC zone

This commit is contained in:
Tom Eastep 2009-07-29 14:35:27 -07:00
parent 99128502a2
commit 4af6c7650e
4 changed files with 34 additions and 19 deletions


@ -1911,37 +1911,49 @@ sub match_orig_dest ( $ ) {
# #
sub match_ipsec_in( $$ ) { sub match_ipsec_in( $$ ) {
my ( $zone , $hostref ) = @_; my ( $zone , $hostref ) = @_;
my $match = '-m policy --dir in --pol '; my $match = '';
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options}; my $optionsref = $zoneref->{options};
unless ( $optionsref->{super} ) {
$match = '-m policy --dir in --pol ';
if ( $zoneref->{type} eq 'ipsec' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else { } else {
''; return '';
} }
} }
$match;
}
# #
# Match Dest IPSEC # Match Dest IPSEC
# #
sub match_ipsec_out( $$ ) { sub match_ipsec_out( $$ ) {
my ( $zone , $hostref ) = @_; my ( $zone , $hostref ) = @_;
my $match = '-m policy --dir out --pol '; my $match = '';
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options}; my $optionsref = $zoneref->{options};
unless ( $optionsref->{super} ) {
$match = '-m policy --dir out --pol ';
if ( $zoneref->{type} eq 'ipsec' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else { } else {
''; return '';
} }
} }
$match;
}
# #
# Generate a log message # Generate a log message
# #
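Review bot: The `unless ( $optionsref->{super} )` short-circuit in match_ipsec_in and match_ipsec_out drops the policy match entirely for a non-IPSEC zone that has an IPSEC sub-zone, so that zone's rules now apply to encrypted and cleartext traffic alike; this is the intent of the fix, but nothing in the code says so and a reader will take the empty match string for a bug. Suggest a comment above the `unless` in both functions, `# A non-IPSEC zone that contains an IPSEC sub-zone (options{super}) gets no policy match, so its rules also cover traffic that a nested IPSEC zone's CONTINUE policy hands up.` The two bodies differ only in the direction word and the in/out option key, so the direction-specific parts could be passed to one private helper instead of being maintained twice. The bare `$match;` closing each function relies on an implicit return; `return $match;` would match the explicit `return '';` added a few lines above.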


@ -93,6 +93,7 @@ use constant { NOTHING => 'NOTHING',
# %zones{<zone1> => {type = > <zone type> FIREWALL, IP, IPSEC, BPORT; # %zones{<zone1> => {type = > <zone type> FIREWALL, IP, IPSEC, BPORT;
# options => { complex => 0|1 # options => { complex => 0|1
# nested => 0|1 # nested => 0|1
# super => 0|1
# in_out => < policy match string > # in_out => < policy match string >
# in => < policy match string > # in => < policy match string >
# out => < policy match string > # out => < policy match string >
@ -379,7 +380,7 @@ sub process_zone( \$ ) {
if ( $type eq IPSEC ) { if ( $type eq IPSEC ) {
for ( @parents ) { for ( @parents ) {
fatal_error "Parent zone $_ is not an IPSEC Zone" unless $zones{$_}{type} eq IPSEC; $zones{$_}{options}{super} = 1 unless $zones{$_}{type} eq IPSEC;
} }
} }
@ -394,7 +395,9 @@ sub process_zone( \$ ) {
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type == IPSEC || $options || $in_options || $out_options ? 1 : 0) , complex => ($type == IPSEC || $options || $in_options || $out_options ? 1 : 0) ,
nested => @parents > 0 } , nested => @parents > 0 ,
super => 0 ,
} ,
interfaces => {} , interfaces => {} ,
children => [] , children => [] ,
hosts => {} hosts => {}
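Review bot: The replacement line `$zones{$_}{options}{super} = 1 unless $zones{$_}{type} eq IPSEC;` writes into `$zones{$_}` for every name in @parents, so if parent names are not validated before this point an unknown parent silently autovivifies a zone entry carrying a `super` option instead of failing; I cannot see from the hunk whether an earlier check guarantees the parent exists. If it does not, a guard such as `fatal_error "Unknown parent zone $_" unless exists $zones{$_};` ahead of it keeps the old failure mode. Setting `super` on the parent only when the child is processed also relies on the parent's `super => 0` default from the second hunk already being in place, which holds when parents precede their children in the zones file, presumably enforced elsewhere in process_zone. The header comment now lists `super => 0|1`; a few words on its meaning there, `# super => 0|1 (non-IPSEC zone that contains an IPSEC sub-zone)`, would help the next reader.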


@ -6,7 +6,7 @@ Changes in Shorewall 4.4.0-RC2
3) Make 'any' a reserved zone name. 3) Make 'any' a reserved zone name.
4) Issue a warning if an ipsec zone is nested in a non-ipsec zone. 4) Correct handling of an ipsec zone nested in a non-ipsec zone.
Changes in Shorewall 4.4.0-RC1 Changes in Shorewall 4.4.0-RC1


@ -121,8 +121,8 @@ Shorewall 4.4.0 RC2
3) 'any' is now a reserved name. In RC1, 'any' could be defined as the 3) 'any' is now a reserved name. In RC1, 'any' could be defined as the
name of a zone. name of a zone.
4) Previously, an IPSEC zone could be defined as a sub-zone of a 4) Previously, embedding an IPSEC zone in an IP zone did not work as
non-IPSEC zone. This invalid definition is now flagged with an error. expected with CONTINUE policies. This has been corrected.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G