Make :noah the default for ipsec tunnels
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
0c60bd6a9c
commit
e0b5af80f3
@ -8,6 +8,10 @@ Changes in 4.0.0 RC 1
|
||||
|
||||
4) Validate host part in hosts file entry.
|
||||
|
||||
5) Fix IPSECFILE=ipsec.
|
||||
|
||||
6) Make ':noah' the default.
|
||||
|
||||
Changes in 4.0.0 Beta 6
|
||||
|
||||
1) First step to adding compiler debugging facility.
|
||||
|
@ -39,7 +39,11 @@ Other changes in Shorewall 4.0.0 RC 1.
|
||||
1) The shorewall-perl RPM may no longer be installed under Shorewall
|
||||
3.4. It requires shorewall_common.
|
||||
|
||||
2) The compiler's CPU utilization has been reduced further.
|
||||
2) The Shorewall-perl compiler's CPU utilization has been reduced
|
||||
further.
|
||||
|
||||
3) ":noah" is now the default for all IPSEC tunnels. Tunnels that use
|
||||
AH (protocol 51) must specify "ipsec:ah" in the TYPE column.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
@ -46,11 +46,18 @@ sub setup_tunnels() {
|
||||
|
||||
( $kind, my ( $qualifier , $remainder ) ) = split( /:/, $kind, 3 );
|
||||
|
||||
my $noah = 1;
|
||||
|
||||
fatal_error "Invalid IPSEC modified ($qualifier:$remainder)" if defined $remainder;
|
||||
|
||||
fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier && ( $qualifier ne 'noah' );
|
||||
|
||||
my $noah = $qualifier || ($kind ne 'ipsec' );
|
||||
if ( defined $qualifier ) {
|
||||
if ( $qualifier eq 'ah' ) {
|
||||
fatal_error ":ah not allowed with ipsecnat tunnels" if $kind eq 'ipsecnat';
|
||||
$noah = 0;
|
||||
} else {
|
||||
fatal_error "Invalid IPSEC modifier ($qualifier)" if $qualifier ne 'noah';
|
||||
}
|
||||
}
|
||||
|
||||
my $options = '-m state --state NEW -j ACCEPT';
|
||||
|
||||
|
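Review bot: The new qualifier checks at `if ( $qualifier eq 'ah' )` and `if $qualifier ne 'noah'` are case-sensitive, while the shell compiler in this same commit (lib.tunnels, `ah|AH)` / `noah|NOAH)`) accepts the upper-case spellings and the old shell code already accepted `NOAH`, so a tunnels file that shorewall-shell compiles would fail here with "Invalid IPSEC modifier" unless the TYPE column is lower-cased before the split (not visible in this hunk). Comparing the lower-cased value keeps the two compilers in step: `if ( lc( $qualifier ) eq 'ah' ) {` and `fatal_error "Invalid IPSEC modifier ($qualifier)" if lc( $qualifier ) ne 'noah';`. A short comment on `my $noah = 1;` such as `# ':noah' is now the default; only an explicit ':ah' clears this` would help, since the variable's use lies outside the hunk. The context line's message `Invalid IPSEC modified` reads like a typo for `modifier`, though it predates this commit. setup_tunnels begins and ends outside the hunk.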
34
Shorewall-shell/diff-3.4-lib.tunnels
Normal file
34
Shorewall-shell/diff-3.4-lib.tunnels
Normal file
@ -0,0 +1,34 @@
|
||||
--- /home/teastep/shorewall/branches/3.4/Shorewall/lib.tunnels 2007-03-22 15:27:26.000000000 -0700
|
||||
+++ lib.tunnels 2007-07-03 07:57:16.000000000 -0700
|
||||
@@ -37,19 +37,28 @@
|
||||
|
||||
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
|
||||
{
|
||||
- local kind=$1 noah=
|
||||
+ local kind=$1 noah=noah
|
||||
|
||||
case $kind in
|
||||
*:*)
|
||||
noah=${kind#*:}
|
||||
- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
|
||||
+ case $noah in
|
||||
+ ah|AH)
|
||||
+ noah=
|
||||
+ ;;
|
||||
+ noah|NOAH)
|
||||
+ ;;
|
||||
+ *)
|
||||
+ fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
|
||||
+ ;;
|
||||
+ esac
|
||||
kind=${kind%:*}
|
||||
;;
|
||||
esac
|
||||
|
||||
[ $kind = IPSEC ] && kind=ipsec
|
||||
|
||||
- [ $kind = ipsec ] || noah=noah
|
||||
+ [ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
|
||||
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
addrule2 $inchain -p 50 $source -j ACCEPT
|
@ -37,19 +37,28 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
|
||||
{
|
||||
local kind=$1 noah=
|
||||
local kind=$1 noah=noah
|
||||
|
||||
case $kind in
|
||||
*:*)
|
||||
noah=${kind#*:}
|
||||
[ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
|
||||
case $noah in
|
||||
ah|AH)
|
||||
noah=
|
||||
;;
|
||||
noah|NOAH)
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
|
||||
;;
|
||||
esac
|
||||
kind=${kind%:*}
|
||||
;;
|
||||
esac
|
||||
|
||||
[ $kind = IPSEC ] && kind=ipsec
|
||||
|
||||
[ $kind = ipsec ] || noah=noah
|
||||
[ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
|
||||
|
||||
options="-m state --state NEW -j ACCEPT"
|
||||
addrule2 $inchain -p 50 $source -j ACCEPT
|
||||
|
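Review bot: The added guard `[ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"` omits the tunnel name that the other error in this hunk reports (`Invalid IPSEC modifier $noah in tunnel \"$tunnel\"`), so the user cannot tell which entry is at fault; `fatal_error ":ah not allowed on ipsecnat tunnel \"$tunnel\""` would match the existing message. The message also names ipsecnat although the test only excludes `ipsec`, so it would be emitted for any other kind that reaches setup_one_ipsec; whether such kinds can arrive here is not visible in the hunk. setup_one_ipsec continues past the end of the hunk.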
@ -135,6 +135,12 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
|
||||
Shorewall to leave the flags in /proc as they are. You must set the
|
||||
option to 'No' in order to obtain the old behavior.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <option>:noah</option> option is now the default for ipsec
|
||||
tunnels. Tunnels that use AH (protocol 51) must specify the
|
||||
<option>ipsec:ah</option> in the TYPE column.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
|
@ -34,7 +34,7 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TYPE</emphasis> — {<emphasis
|
||||
role="bold">ipsec</emphasis>[<emphasis
|
||||
role="bold">:noah</emphasis>]|<emphasis
|
||||
role="bold">:{noah</emphasis>|ah}]|<emphasis
|
||||
role="bold">ipsecnat</emphasis>|<emphasis
|
||||
role="bold">ipip</emphasis>|<emphasis
|
||||
role="bold">gre</emphasis>|<emphasis
|
||||
@ -65,11 +65,12 @@
|
||||
<emphasis role="bold">generic</emphasis> - Other tunnel type</programlisting>
|
||||
|
||||
<para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
|
||||
be followed by <emphasis role="bold">:noah</emphasis> to indicate
|
||||
that the Authentication Headers protocol (51) is not used by the
|
||||
tunnel. NAT traversal is only supported with ESP (protocol 50) so
|
||||
<emphasis role="bold">ipsecnat</emphasis> tunnels don't require a
|
||||
<emphasis role="bold">noah</emphasis> option (<emphasis
|
||||
be followed by <emphasis role="bold">:ah</emphasis> to indicate that
|
||||
the Authentication Headers protocol (51) is used by the tunnel (the
|
||||
default is <option>:noah</option> which means that protocol 51 is
|
||||
not used). NAT traversal is only supported with ESP (protocol 50) so
|
||||
<emphasis role="bold">ipsecnat</emphasis> tunnels don't allow the
|
||||
<emphasis role="bold">ah</emphasis> option (<emphasis
|
||||
role="bold">ipsecnat:noah</emphasis> may be specified but is
|
||||
redundant).</para>
|
||||
|
||||
|