diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index f6e39febc..48b158e6a 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -97,3 +97,6 @@ Changes since 2.0.3
 46) Implement 'sourceroute' interface option.
 47) Add 'AllowICMPs' action.
+
+48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
+ handled before traffic from non-IPSEC zones.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 3ab674d64..5facddd8a 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -699,13 +699,20 @@ verify_interface()
 #
 # Generate a match for decrypted packets
 #
-match_ipsec_in() # $1 = zone, $2 = host
+
+ipsec_source() # $1 = zone, $2 = host
 {
 eval local is_ipsec=\$${1}_is_ipsec
 eval local hosts=\"\$${1}_ipsec_hosts\"
+
+ test -n "$is_ipsec" || list_search $2 $hosts
+}
+
+match_ipsec_in() # $1 = zone, $2 = host
+{
 eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
- if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
+ if ipsec_source $1 $2 ; then
 echo "-m policy --pol ipsec --dir in $options"
 elif [ -n "$POLICY_MATCH" ]; then
 echo "-m policy --pol none --dir in"
@@ -6088,6 +6095,30 @@ activate_rules()
 > ${STATEDIR}/chains
 > ${STATEDIR}/zones
+ #
+ # Create forwarding chains for complex zones and generate jumps for IPSEC hosts to that chain.
+ #
+ for zone in $zones; do
+
+ eval complex=\$${zone}_is_complex
+
+ if [ -n "$complex" ]; then
+ frwd_chain=${zone}_frwd
+ createchain $frwd_chain No
+
+ if [ -n "$POLICY_MATCH" ]; then
+ eval source_hosts=\$${zone}_hosts
+
+ for host in $source_hosts; do
+ interface=${host%%:*}
+ networks=${host#*:}
+
+ ipsec_source $zone $host && \
+ run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+ done
+ fi
+ fi
+ done
 for zone in $zones; do
 eval source_hosts=\$${zone}_hosts
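Review bot: The header comment `# Generate a match for decrypted packets` now sits directly above the new `ipsec_source`, which emits no match but returns a status, while `match_ipsec_in` is left with no header at all. Move the existing three-line comment down so it precedes `match_ipsec_in()` and give the new function its own, e.g. `# Returns 0 when zone $1 is an IPSEC zone or host $2 is listed in ${1}_ipsec_hosts`. The line `test -n "$is_ipsec" || list_search $2 $hosts` depends on `$hosts` being word-split into separate arguments, which deserves a one-line comment so a later quoting cleanup does not break it. The body of match_ipsec_in continues past the end of the hunk.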
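Review bot: The forward jump for IPSEC hosts in the new loop is only generated under `if [ -n "$POLICY_MATCH" ]`, but the second per-zone loop (hunk @@ -6124) now skips every host for which `ipsec_source` succeeds regardless of `$POLICY_MATCH`, so if a zone can be flagged IPSEC while POLICY_MATCH is empty, the complex-zone forward jump for those hosts is emitted by neither loop, whereas before this commit it was. I cannot see from these hunks whether such a configuration is rejected earlier; if it is not, either drop the POLICY_MATCH guard here or make the exclusion in the second loop conditional: `if [ -n "$complex" ] && { [ -z "$POLICY_MATCH" ] || ! ipsec_source $zone $host; }; then`. The comment above the loop should also state why this loop runs first, e.g. `# IPSEC jumps are appended first so they precede the non-IPSEC jumps added in the loop below`. activate_rules starts and ends outside this hunk.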
@@ -6097,11 +6128,6 @@ activate_rules()
 eval complex=\$${zone}_is_complex
- if [ -n "$complex" ]; then
- frwd_chain=${zone}_frwd
- createchain $frwd_chain No
- fi
-
 if [ -n "$DYNAMIC_ZONES" ]; then
 echo $zone $source_hosts >> ${STATEDIR}/zones
 echo "$FW $zone $chain1" >> ${STATEDIR}/chains
@@ -6124,8 +6150,9 @@ activate_rules()
 run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
- [ -n "$complex" ] && \
- run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+ if [ -n "$complex" ] && ! ipsec_source $zone $host ; then
+ run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+ fi
 case $networks in
 *.*.*.*)
@@ -6138,7 +6165,6 @@ activate_rules()
 esac
 done
-
 for interface in $need_broadcast ; do
 run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
 run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 81bd0ae83..3d84fa7d3 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 2.1.10
+Shorewall 2.1.11
 ----------------------------------------------------------------------
 Problems Corrected since 2.0.3
@@ -72,6 +72,11 @@ Problems corrected since 2.1.10
 1) If TC_ENABLED=Yes but you have no /etc/shorewall/tcstart file then
 "shorewall restore" will no longer attempt to run the tcstart file.
+2) Previously it was necessary to define ipsec zones (those with
+ "Yes" in the IPSEC column in /etc/shorewall/ipsec or those having
+ an entry in /etc/shorewall/hosts having the "ipsec" option) before
+ other zones using the same interface. This has been corrected.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
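Review bot: `$frwd_chain` on the new `run_iptables ... -j $frwd_chain` line is no longer derived for the current zone: hunk @@ -6097 removes the `frwd_chain=${zone}_frwd` assignment from this loop, and the only remaining assignment is in the earlier per-zone loop (hunk @@ -6088), so by the time this loop runs `frwd_chain` names the forward chain of the last complex zone in `$zones`, not of `$zone`. With two or more complex zones, non-IPSEC hosts of the earlier ones would be jumped into the wrong zone's forward chain, unless a line outside these hunks re-derives it. Use the zone directly, `-j ${zone}_frwd`, or restore `frwd_chain=${zone}_frwd` under the `[ -n "$complex" ]` test in this loop. The enclosing activate_rules function starts and ends outside the hunk.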