diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 5d2fd1b5c..3a8947fa3 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -46,6 +46,7 @@ my $jumpchainref;
my %accountingjumps;
my $asection;
my $defaultchain;
+my $ipsecdir;
my $defaultrestriction;
my $restriction;
my $accounting_commands = { COMMENT => 0, SECTION => 2 };
@@ -92,6 +93,7 @@ sub initialize() {
# These are the legacy values
#
$defaultchain = 'accounting';
+ $ipsecdir = '';
$defaultrestriction = NO_RESTRICT;
$sectionname = '';
}
@@ -111,20 +113,25 @@ sub process_section ($) {
if ( $sectionname eq 'INPUT' ) {
$defaultchain = 'accountin';
+ $ipsecdir = 'in';
$defaultrestriction = INPUT_RESTRICT;
} elsif ( $sectionname eq 'OUTPUT' ) {
$defaultchain = 'accountout';
+ $ipsecdir = 'out';
$defaultrestriction = OUTPUT_RESTRICT;
} elsif ( $sectionname eq 'FORWARD' ) {
$defaultchain = 'accountfwd';
+ $ipsecdir = '';
$defaultrestriction = NO_RESTRICT;
} else {
fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
if ( $sectionname eq 'PREROUTING' ) {
$defaultchain = 'accountpre';
+ $ipsecdir = 'in';
$defaultrestriction = PREROUTE_RESTRICT;
} else {
$defaultchain = 'accountpost';
+ $ipsecdir = 'out';
$defaultrestriction = POSTROUTE_RESTRICT;
}
}
@@ -285,7 +292,21 @@ sub process_accounting_rule( ) {
}
my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
- my $dir;
+ my $dir = $ipsecdir;
+
+ if ( $asection && $ipsec ne '-' ) {
+ if ( $ipsecdir ) {
+ fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
+ } else {
+ if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
+ $dir = $1;
+ } else {
+ fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
+ }
+ }
+
+ $rule .= do_ipsec( $dir, $ipsec );
+ }
if ( ! $chainref ) {
if ( reserved_chain_name( $chain ) ) {
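Review bot: The fatal_error in the new `else` branch is built with `q(...)`, a single-quoted string, so `$asection` is never interpolated and the user will see the literal text `$asection` in the message; `$asection` is also used as a boolean on the enclosing `if`, so the section name presumably lives in `$sectionname` (set in process_section). Suggest `fatal_error "IPSEC rules in the $sectionname section require that the value begin with 'in' or 'out'";`. Separately, `s/^(?:(in|out)\b)//` strips only the keyword, so a value such as `in,mode=tunnel` reaches `do_ipsec` as `,mode=tunnel`; if do_ipsec splits the option list on commas that leading empty element will be rejected or mis-parsed, and `s/^(?:(in|out)\b),?//` would avoid it. process_accounting_rule starts and ends outside this hunk, and do_ipsec is not visible here, so the comma point is inferred rather than confirmed.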
@@ -297,28 +318,32 @@ sub process_accounting_rule( ) {
$chainref = ensure_accounting_chain $chain, 0 , $restriction;
}
- $dir = ipsec_chain_name( $chain );
+ unless ( $asection ) {
+ $dir = ipsec_chain_name( $chain );
- if ( $ipsec ne '-' ) {
- if ( $dir ) {
- $rule .= do_ipsec( $dir, $ipsec );
- $chainref->{ipsec} = $dir;
+ if ( $ipsec ne '-' ) {
+ if ( $dir ) {
+ $rule .= do_ipsec( $dir, $ipsec );
+ $chainref->{ipsec} = $dir;
+ } else {
+ fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+ }
} else {
- fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+ warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+ $chainref->{ipsec} = $dir;
}
- } else {
- warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
- $chainref->{ipsec} = $dir;
}
} else {
fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
- if ( $ipsec ne '-' ) {
- $dir = $chainref->{ipsec};
- fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
- $rule .= do_ipsec( $dir , $ipsec );
- } elsif ( $asection ) {
- $restriction |= $chainref->{restriction};
+ unless ( $asection ) {
+ if ( $ipsec ne '-' ) {
+ $dir = $chainref->{ipsec};
+ fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+ $rule .= do_ipsec( $dir , $ipsec );
+ } elsif ( $asection ) {
+ $restriction |= $chainref->{restriction};
+ }
}
}
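Review bot: The `elsif ( $asection )` at the bottom of the existing-chain path is now dead code, because it sits inside `unless ( $asection )`; before this change `$restriction |= $chainref->{restriction}` ran for every non-IPSEC rule appended to an existing chain while sections are in use, and after it that OR-in never happens, so rules in a section can be placed without the chain's accumulated restriction. Since section-mode IPSEC handling is already done earlier in the function, the section case should fold in the chain's restriction here and the non-section case should keep the old IPSEC handling; a rewrite of this branch follows. process_accounting_rule continues outside this hunk, so I cannot see whether `$restriction` is consumed later in a way that would already compensate.
```perl
        fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};

        if ( $asection ) {
            # Section mode: IPSEC was handled above; inherit the chain's placement restriction.
            $restriction |= $chainref->{restriction};
        } elsif ( $ipsec ne '-' ) {
            $dir = $chainref->{ipsec};
            fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
            $rule .= do_ipsec( $dir , $ipsec );
        }
```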
@@ -366,7 +391,6 @@ sub process_accounting_rule( ) {
} else {
$jumpchainref->{ipsec} = $chainref->{ipsec};
}
-
}
if ( $rule2 ) {
diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml
index 61445473c..7178660c2 100644
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -539,7 +539,8 @@
IPSEC - option-list
- (Optional - Added in Shorewall 4.4.13 )
+ (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
+ )
The option-list consists of a comma-separated list of options
@@ -653,9 +654,30 @@
match the rule.
+
+
+ in
+
+
+ May only be used in the FORWARD section and must be the
+ first or the only item the list. Indicates that matching
+ packets have been decrypted in input.
+
+
+
+
+ out
+
+
+ May only be used in the FORWARD section and must be the
+ first or the only item in the list. Indicates that matching
+ packets will be encrypted on output.
+
+
- If this column is non-empty, then:
+ If this column is non-empty and sections are not used,
+ then:
@@ -671,10 +693,12 @@
role="bold">accipsecout or a chain branched either
directly or indirectly from those chains.
-
- These rules will NOT appear in the accounting chain.
+
+ These rules will NOT appear in the accounting chain.
+
+
diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml
index 5cfef4399..733419dcd 100644
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -480,13 +480,15 @@
IPSEC - option-list
- (Optional - Added in Shorewall 4.4.13 )
+ (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
+ )
The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their
- source address changed.
+ source address changed. May only be specified when sections are
+ used.
@@ -594,9 +596,30 @@
match the rule.
+
+
+ in
+
+
+ May only be used in the FORWARD section and must be the
+ first or the only item the list. Indicates that matching
+ packets have been decrypted in input.
+
+
+
+
+ out
+
+
+ May only be used in the FORWARD section and must be the
+ first or the only item in the list. Indicates that matching
+ packets will be encrypted on output.
+
+
- If this column is non-empty, then:
+ If this column is non-empty and sections are not used,
+ then:
@@ -612,10 +635,12 @@
role="bold">accipsecout or a chain branched either
directly or indirectly from those chains.
-
- These rules will NOT appear in the accounting chain.
+
+ These rules will NOT appear in the accounting chain.
+
+