First Cut at Kernel 2.6 IPSEC Support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-06 15:35:05 +00:00
parent accc6a031f
commit 84cb8c445d
3 changed files with 99 additions and 15 deletions

View File

@ -157,7 +157,7 @@ run_iptables() {
if ! iptables $@ ; then if ! iptables $@ ; then
if [ -z "$stopping" ]; then if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed" error_message "ERROR: Command \"iptables $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi
@ -188,7 +188,7 @@ run_iptables2() {
run_ip() { run_ip() {
if ! ip $@ ; then if ! ip $@ ; then
if [ -z "$stopping" ]; then if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed" error_message "ERROR: Command \"ip $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi
@ -201,7 +201,7 @@ run_ip() {
run_tc() { run_tc() {
if ! tc $@ ; then if ! tc $@ ; then
if [ -z "$stopping" ]; then if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$@\" Failed" error_message "ERROR: Command \"tc $@\" Failed"
stop_firewall stop_firewall
exit 2 exit 2
fi fi
@ -606,6 +606,46 @@ verify_interface()
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; } known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
} }
#
# Generate a match for decrypted packets
#
match_ipsec_in() # $1 = zone, $2 = host
{
eval local hosts=\"\$${1}_ipsec_hosts\"
list_search $2 $hosts && echo "-m policy --pol ipsec --dir in"
}
#
# Generate a match for packets that will be encrypted
#
match_ipsec_out() # $1 = zone, $2 = host
{
eval local hosts=\"\$${1}_ipsec_hosts\"
list_search $2 $hosts && echo "-m policy --pol ipsec --dir out"
}
#
# Generate a match for packets that have been decrypted and that will be encrypted
#
match_ipsec_inout() # $1 =input zone, $2 = input host, $3 = output zone, $4 = output host"
{
local result="-m policy --pol ipsec"
eval local input_hosts=\"\$${1}_ipsec_hosts\"
eval local output_hosts=\"\$${3}_ipsec_hosts\"
if list_search $2 $input_hosts; then
result="$result --dir in"
if list_search $4 $output_hosts; then
result="$result --dir out"
fi
echo $result
elif list_search $4 $output_hosts; then
echo "$result --dir out"
fi
}
# #
# #
# Find hosts in a given zone # Find hosts in a given zone
@ -855,7 +895,10 @@ validate_hosts_file() {
for option in $(separate_list $options) ; do for option in $(separate_list $options) ; do
case $option in case $option in
maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|ipsec|-) maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
;;
ipsec)
eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
;; ;;
routeback) routeback)
[ -z "$ports" ] && \ [ -z "$ports" ] && \
@ -5598,7 +5641,7 @@ activate_rules()
if havenatchain $destchain ; then if havenatchain $destchain ; then
run_iptables -t nat -A $sourcechain $@ -j $destchain run_iptables -t nat -A $sourcechain $@ -j $destchain
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
rm -f #TMP_DIR/physdev rm -f $TMP_DIR/physdev
fi fi
} }
@ -5671,18 +5714,18 @@ activate_rules()
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) -j $chain1 run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
# #
# Add jumps from the builtin chains for DNAT and SNAT rules # Add jumps from the builtin chains for DNAT and SNAT rules
# #
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2 run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2
[ -n "$complex" ] && \ [ -n "$complex" ] && \
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) -j $frwd_chain run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
case $networks in case $networks in
*.*.*.*) *.*.*.*)
@ -5747,7 +5790,7 @@ activate_rules()
# routeback was specified for this host group # routeback was specified for this host group
# #
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) -j $chain run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi fi
done done
else else
@ -5762,7 +5805,7 @@ activate_rules()
networks1=${host1#*:} networks1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) -j $chain run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_inout $zone $host $zone1 $host1) -j $chain
fi fi
done done
done done
@ -6338,6 +6381,8 @@ do_initialize() {
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
ALL_INTERFACES=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
@ -6524,7 +6569,6 @@ do_initialize() {
fi fi
rm -f $TMP_DIR/physdev rm -f $TMP_DIR/physdev
} }
# #

View File

@ -124,5 +124,8 @@
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# ipsec - The zone is accessed over a
# kernel 2.6 ipsec tunnel
#
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

View File

@ -172,3 +172,40 @@ New Features:
b) It causes /etc/shorewall/shorewall.conf to be modified so that b) It causes /etc/shorewall/shorewall.conf to be modified so that
it won't be replaced by upgrades using RPM. it won't be replaced by upgrades using RPM.
7) Some additional support has been added for the 2.6 Kernel IPSEC
implementation. To use this support, you must have installed the
IPSEC policy match patch from Patch-0-Matic-ng. That patch affects
both your kernel and iptables.
This new Shorewall support is enabled through use of the 'ipsec'
option in /etc/shorewall/hosts.
Example:
Under 2.4 Kernel FreeS/Wan:
/etc/shorewall/zones:
net Net The big bad Internet
vpn VPN Remote Network
/etc/shorewall/interfaces:
net eth0 ...
vpn ipsec0 ...
Under 2.6 Kernel with this new support:
/etc/shorewall/zones (note the change of order):
vpn VPN Remote Network
net Net The big bad Internet
/etc/shorewall/interfaces:
net eth0 ...
/etc/shorewall/hosts:
vpn eth0:0.0.0.0/0 ipsec