Correct handling of nested IPSEC zone

Tom Eastep 2009-07-29 14:35:27 -07:00
parent 99128502a2
commit 4af6c7650e
4 changed files with 34 additions and 19 deletions


@ -1911,17 +1911,23 @@ sub match_orig_dest ( $ ) {
#
sub match_ipsec_in( $$ ) {
my ( $zone , $hostref ) = @_;
my $match = '-m policy --dir in --pol ';
my $match = '';
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else {
'';
unless ( $optionsref->{super} ) {
$match = '-m policy --dir in --pol ';
if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else {
return '';
}
}
$match;
}
#
@ -1929,17 +1935,23 @@ sub match_ipsec_in( $$ ) {
#
sub match_ipsec_out( $$ ) {
my ( $zone , $hostref ) = @_;
my $match = '-m policy --dir out --pol ';
my $match = '';
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else {
'';
unless ( $optionsref->{super} ) {
$match = '-m policy --dir out --pol ';
if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else {
return '';
}
}
$match;
}
#
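Review bot: The `unless ( $optionsref->{super} )` guard in both match_ipsec_in and match_ipsec_out drops the `-m policy --dir in/out --pol …` match entirely for a zone marked `super`, so rules written against the IP parent zone now match IPSEC-decapsulated packets from the nested zone as well as cleartext, and `$hostref->{ipsec}` is ignored for that zone. That is what a CONTINUE fall-through needs, but it is a silent widening for any existing configuration that nested an IPSEC zone in an IP zone and relied on the parent's rules matching only `--pol none` traffic; the release notes should say so. The code itself does not explain the exception, so a comment above the guard would help the next reader: `# A zone with a nested IPSEC sub-zone ('super') gets no policy match at all, so rules for it see both encrypted and cleartext traffic when the sub-zone's policy CONTINUEs to it.` Both functions are otherwise identical except for the direction string and the in/out option key, so factoring the body into one helper taking the direction would keep the two from drifting apart again. Both subroutines are complete within their hunks.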


@ -93,6 +93,7 @@ use constant { NOTHING => 'NOTHING',
# %zones{<zone1> => {type = > <zone type> FIREWALL, IP, IPSEC, BPORT;
# options => { complex => 0|1
# nested => 0|1
# super => 0|1
# in_out => < policy match string >
# in => < policy match string >
# out => < policy match string >
@ -379,7 +380,7 @@ sub process_zone( \$ ) {
if ( $type eq IPSEC ) {
for ( @parents ) {
fatal_error "Parent zone $_ is not an IPSEC Zone" unless $zones{$_}{type} eq IPSEC;
$zones{$_}{options}{super} = 1 unless $zones{$_}{type} eq IPSEC;
}
}
@ -394,7 +395,9 @@ sub process_zone( \$ ) {
in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type == IPSEC || $options || $in_options || $out_options ? 1 : 0) ,
nested => @parents > 0 } ,
nested => @parents > 0 ,
super => 0 ,
} ,
interfaces => {} ,
children => [] ,
hosts => {}
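 
Review bot: The `super` flag is only ever set on the zones named directly in `@parents` for the IPSEC zone being processed, so if the non-IPSEC parent is itself nested in another IP zone, that outer zone is not marked and its rules would keep their `--pol none` match; whether a CONTINUE can fall through more than one level here is not visible in this hunk, so this is worth confirming rather than assuming. The new `super => 0|1` line in the `%zones` layout comment gives the type but not the meaning; suggest `# super => 0|1  -- 1 when a non-IPSEC zone has an IPSEC sub-zone (suppresses the policy match for the zone)`. Note also that the flag is written into the parent's existing entry, which presumes the parent zone has already been processed when the child is seen. process_zone begins and ends outside these hunks.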


@ -6,7 +6,7 @@ Changes in Shorewall 4.4.0-RC2
3) Make 'any' a reserved zone name.
4) Issue a warning if an ipsec zone is nested in a non-ipsec zone.
4) Correct handling of an ipsec zone nested in a non-ipsec zone.
Changes in Shorewall 4.4.0-RC1


@ -121,8 +121,8 @@ Shorewall 4.4.0 RC2
3) 'any' is now a reserved name. In RC1, 'any' could be defined as the
name of a zone.
4) Previously, an IPSEC zone could be defined as a sub-zone of a
non-IPSEC zone. This invalid definition is now flagged with an error.
4) Previously, embedding an IPSEC zone in an IP zone did not work as
expected with CONTINUE policies. This has been corrected.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G