More ipsec stuff

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1565 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

LrpN/etc/shorewall/ipsec

@@ -16,8 +16,9 @@
 #				option in /etc/shorewall/hosts. 				
 #
 #		OPTIONS,        A comma-separated list of options as follows:
-#		IN OPTIONS,	reqid=<number> where <number> is specified
+#		IN OPTIONS,
-#		OUT OPTIONS	using setkey(8) using the 'unique:<number>
+#		OUT OPTIONS	reqid=<number> where <number> is specified
+#				using setkey(8) using the 'unique:<number>
 #				option for the SPD level.
 #
 #				spi=<number> where <number> is the SPI of
@@ -33,6 +34,11 @@
 #				tunnel-dst=<address>[/<mask>] (only
 #				available with mode=tunnel)
 #
+#				strict  Means that packets must match all rules.
+#
+#				next    Separates rules; can only be used with
+#                                       strict..
+#
 #			Example:
 #				mode=transport,reqid=44
 #

LrpN/etc/shorewall/masq

@@ -132,6 +132,12 @@
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel) 
 #
+#					strict  Means that packets must match all
+#						rules.
+#
+#					next    Separates rules; can only be used
+#						with strict..
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to

LrpN/usr/share/shorewall/firewall

@@ -1646,6 +1646,8 @@ setup_ipsec() {
 
 	for option in $opts; do
 	    case $option in
+		strict)       newoptions="$newoptions --strict" ;;
+		next)         newoptions="$newoptions --next" ;;
 		reqid=*)      newoptions="$newoptions --reqid ${option#*=}" ;;
 		spi=*)        newoptions="$newoptions --spi ${option#*=}" ;;
 		proto=*)      newoptions="$newoptions --proto ${option#*=}" ;;
@@ -4567,27 +4569,15 @@ setup_masq()
 	options=$(separate_list $options)
 	for option in $options; do
 	    case $option in
-		reqid=*)
+		strict)         policy="$policy --strict" ;;
-		    policy="$policy --reqid ${option#*=}"
+		next)           policy="$policy --next" ;;
-		    ;;
+		reqid=*)        policy="$policy --reqid ${option#*=}" ;;
-		spi=*)
+		spi=*)          policy="$policy --spi ${option#*=}" ;;
-		    policy="$policy --spi ${option#*=}"
+		proto=*)        policy="$policy --proto ${option#*=}" ;;
-		    ;;
+		mode=*)         policy="$policy --mode ${option#*=}" ;;
-		proto=*)
+		tunnel-src=*)   policy="$policy --tunnel-src ${option#*=}" ;;
-		    policy="$policy --proto ${option#*=}"
+		tunnel-dst=*)   policy="$policy --tunnel-dst ${option#*=}" ;;
-		    ;;
+		*)              fatal_error "Invalid IPSEC option \"$option\"" ;;
-		mode=*)
-		    policy="$policy --mode ${option#*=}"
-		    ;;
-		tunnel-src=*)
-		    policy="$policy --tunnel-src ${option#*=}"
-		    ;;
-		tunnel-dst=*)
-		    policy="$policy --tunnel-dst ${option#*=}"
-		    ;;
-		*)
-		    fatal_error "Invalid IPSEC option \"$option\""
-		    ;;
 	    esac
 	done
     }

Shorewall2/firewall

@@ -1646,6 +1646,8 @@ setup_ipsec() {
 
 	for option in $opts; do
 	    case $option in
+		strict)       newoptions="$newoptions --strict" ;;
+		next)         newoptions="$newoptions --next" ;;
 		reqid=*)      newoptions="$newoptions --reqid ${option#*=}" ;;
 		spi=*)        newoptions="$newoptions --spi ${option#*=}" ;;
 		proto=*)      newoptions="$newoptions --proto ${option#*=}" ;;
@@ -4567,27 +4569,15 @@ setup_masq()
 	options=$(separate_list $options)
 	for option in $options; do
 	    case $option in
-		reqid=*)
+		strict)         policy="$policy --strict" ;;
-		    policy="$policy --reqid ${option#*=}"
+		next)           policy="$policy --next" ;;
-		    ;;
+		reqid=*)        policy="$policy --reqid ${option#*=}" ;;
-		spi=*)
+		spi=*)          policy="$policy --spi ${option#*=}" ;;
-		    policy="$policy --spi ${option#*=}"
+		proto=*)        policy="$policy --proto ${option#*=}" ;;
-		    ;;
+		mode=*)         policy="$policy --mode ${option#*=}" ;;
-		proto=*)
+		tunnel-src=*)   policy="$policy --tunnel-src ${option#*=}" ;;
-		    policy="$policy --proto ${option#*=}"
+		tunnel-dst=*)   policy="$policy --tunnel-dst ${option#*=}" ;;
-		    ;;
+		*)              fatal_error "Invalid IPSEC option \"$option\"" ;;
-		mode=*)
-		    policy="$policy --mode ${option#*=}"
-		    ;;
-		tunnel-src=*)
-		    policy="$policy --tunnel-src ${option#*=}"
-		    ;;
-		tunnel-dst=*)
-		    policy="$policy --tunnel-dst ${option#*=}"
-		    ;;
-		*)
-		    fatal_error "Invalid IPSEC option \"$option\""
-		    ;;
 	    esac
 	done
     }

Shorewall2/ipsec

@@ -16,8 +16,9 @@
 #				option in /etc/shorewall/hosts. 				
 #
 #		OPTIONS,        A comma-separated list of options as follows:
-#		IN OPTIONS,	reqid=<number> where <number> is specified
+#		IN OPTIONS,
-#		OUT OPTIONS	using setkey(8) using the 'unique:<number>
+#		OUT OPTIONS	reqid=<number> where <number> is specified
+#				using setkey(8) using the 'unique:<number>
 #				option for the SPD level.
 #
 #				spi=<number> where <number> is the SPI of
@@ -33,6 +34,11 @@
 #				tunnel-dst=<address>[/<mask>] (only
 #				available with mode=tunnel)
 #
+#				strict  Means that packets must match all rules.
+#
+#				next    Separates rules; can only be used with
+#                                       strict..
+#
 #			Example:
 #				mode=transport,reqid=44
 #

Shorewall2/masq

@@ -132,6 +132,11 @@
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel) 
 #
+#					strict  Means that packets must match all
+#						rules.
+#
+#					next    Separates rules; can only be used
+#						with strict..
 #
 #	Example 1:
 #