More ipsec stuff

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1565 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-08-21 00:22:47 +00:00 · 2004-08-21 00:22:47 +00:00 · 4c9cbfff84
commit 4c9cbfff84
parent 79c7f644b2
6 changed files with 49 additions and 46 deletions
--- a/LrpN/etc/shorewall/ipsec
+++ b/LrpN/etc/shorewall/ipsec
@ -16,8 +16,9 @@
 #				option in /etc/shorewall/hosts. 				
 #
 #		OPTIONS,        A comma-separated list of options as follows:
-#		IN OPTIONS,	reqid=<number> where <number> is specified
-#		OUT OPTIONS	using setkey(8) using the 'unique:<number>
+#		IN OPTIONS,
+#		OUT OPTIONS	reqid=<number> where <number> is specified
+#				using setkey(8) using the 'unique:<number>
 #				option for the SPD level.
 #
 #				spi=<number> where <number> is the SPI of
@ -33,6 +34,11 @@
 #				tunnel-dst=<address>[/<mask>] (only
 #				available with mode=tunnel)
 #
+#				strict  Means that packets must match all rules.
+#
+#				next    Separates rules; can only be used with
+#                                       strict..
+#
 #			Example:
 #				mode=transport,reqid=44
 #
--- a/LrpN/etc/shorewall/masq
+++ b/LrpN/etc/shorewall/masq
@ -132,6 +132,12 @@
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel) 
 #
+#					strict  Means that packets must match all
+#						rules.
+#
+#					next    Separates rules; can only be used
+#						with strict..
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
@ -1646,6 +1646,8 @@ setup_ipsec() {

 	for option in $opts; do
 	    case $option in
+		strict)       newoptions="$newoptions --strict" ;;
+		next)         newoptions="$newoptions --next" ;;
 		reqid=*)      newoptions="$newoptions --reqid ${option#*=}" ;;
 		spi=*)        newoptions="$newoptions --spi ${option#*=}" ;;
 		proto=*)      newoptions="$newoptions --proto ${option#*=}" ;;
@ -4567,27 +4569,15 @@ setup_masq()
 	options=$(separate_list $options)
 	for option in $options; do
 	    case $option in
-		reqid=*)
-		    policy="$policy --reqid ${option#*=}"
-		    ;;
-		spi=*)
-		    policy="$policy --spi ${option#*=}"
-		    ;;
-		proto=*)
-		    policy="$policy --proto ${option#*=}"
-		    ;;
-		mode=*)
-		    policy="$policy --mode ${option#*=}"
-		    ;;
-		tunnel-src=*)
-		    policy="$policy --tunnel-src ${option#*=}"
-		    ;;
-		tunnel-dst=*)
-		    policy="$policy --tunnel-dst ${option#*=}"
-		    ;;
-		*)
-		    fatal_error "Invalid IPSEC option \"$option\""
-		    ;;
+		strict)         policy="$policy --strict" ;;
+		next)           policy="$policy --next" ;;
+		reqid=*)        policy="$policy --reqid ${option#*=}" ;;
+		spi=*)          policy="$policy --spi ${option#*=}" ;;
+		proto=*)        policy="$policy --proto ${option#*=}" ;;
+		mode=*)         policy="$policy --mode ${option#*=}" ;;
+		tunnel-src=*)   policy="$policy --tunnel-src ${option#*=}" ;;
+		tunnel-dst=*)   policy="$policy --tunnel-dst ${option#*=}" ;;
+		*)              fatal_error "Invalid IPSEC option \"$option\"" ;;
 	    esac
 	done
    }
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1646,6 +1646,8 @@ setup_ipsec() {

 	for option in $opts; do
 	    case $option in
+		strict)       newoptions="$newoptions --strict" ;;
+		next)         newoptions="$newoptions --next" ;;
 		reqid=*)      newoptions="$newoptions --reqid ${option#*=}" ;;
 		spi=*)        newoptions="$newoptions --spi ${option#*=}" ;;
 		proto=*)      newoptions="$newoptions --proto ${option#*=}" ;;
@ -4567,27 +4569,15 @@ setup_masq()
 	options=$(separate_list $options)
 	for option in $options; do
 	    case $option in
-		reqid=*)
-		    policy="$policy --reqid ${option#*=}"
-		    ;;
-		spi=*)
-		    policy="$policy --spi ${option#*=}"
-		    ;;
-		proto=*)
-		    policy="$policy --proto ${option#*=}"
-		    ;;
-		mode=*)
-		    policy="$policy --mode ${option#*=}"
-		    ;;
-		tunnel-src=*)
-		    policy="$policy --tunnel-src ${option#*=}"
-		    ;;
-		tunnel-dst=*)
-		    policy="$policy --tunnel-dst ${option#*=}"
-		    ;;
-		*)
-		    fatal_error "Invalid IPSEC option \"$option\""
-		    ;;
+		strict)         policy="$policy --strict" ;;
+		next)           policy="$policy --next" ;;
+		reqid=*)        policy="$policy --reqid ${option#*=}" ;;
+		spi=*)          policy="$policy --spi ${option#*=}" ;;
+		proto=*)        policy="$policy --proto ${option#*=}" ;;
+		mode=*)         policy="$policy --mode ${option#*=}" ;;
+		tunnel-src=*)   policy="$policy --tunnel-src ${option#*=}" ;;
+		tunnel-dst=*)   policy="$policy --tunnel-dst ${option#*=}" ;;
+		*)              fatal_error "Invalid IPSEC option \"$option\"" ;;
 	    esac
 	done
    }
--- a/Shorewall2/ipsec
+++ b/Shorewall2/ipsec
@ -16,8 +16,9 @@
 #				option in /etc/shorewall/hosts. 				
 #
 #		OPTIONS,        A comma-separated list of options as follows:
-#		IN OPTIONS,	reqid=<number> where <number> is specified
-#		OUT OPTIONS	using setkey(8) using the 'unique:<number>
+#		IN OPTIONS,
+#		OUT OPTIONS	reqid=<number> where <number> is specified
+#				using setkey(8) using the 'unique:<number>
 #				option for the SPD level.
 #
 #				spi=<number> where <number> is the SPI of
@ -33,6 +34,11 @@
 #				tunnel-dst=<address>[/<mask>] (only
 #				available with mode=tunnel)
 #
+#				strict  Means that packets must match all rules.
+#
+#				next    Separates rules; can only be used with
+#                                       strict..
+#
 #			Example:
 #				mode=transport,reqid=44
 #
--- a/Shorewall2/masq
+++ b/Shorewall2/masq
@ -132,6 +132,11 @@
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel) 
 #
+#					strict  Means that packets must match all
+#						rules.
+#
+#					next    Separates rules; can only be used
+#						with strict..
 #
 #	Example 1:
 #