forked from extern/shorewall_code
Improve IPSEC hosts fix
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d34d2e1393
commit
fa0c2ec9ab
@ -700,7 +700,7 @@ verify_interface()
|
|||||||
# Generate a match for decrypted packets
|
# Generate a match for decrypted packets
|
||||||
#
|
#
|
||||||
|
|
||||||
ipsec_source() # $1 = zone, $2 = host
|
ipsec_host() # $1 = zone, $2 = host
|
||||||
{
|
{
|
||||||
eval local is_ipsec=\$${1}_is_ipsec
|
eval local is_ipsec=\$${1}_is_ipsec
|
||||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
eval local hosts=\"\$${1}_ipsec_hosts\"
|
||||||
@ -710,9 +710,8 @@ ipsec_source() # $1 = zone, $2 = host
|
|||||||
|
|
||||||
match_ipsec_in() # $1 = zone, $2 = host
|
match_ipsec_in() # $1 = zone, $2 = host
|
||||||
{
|
{
|
||||||
|
if ipsec_host $1 $2 ; then
|
||||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
|
||||||
|
|
||||||
if ipsec_source $1 $2 ; then
|
|
||||||
echo "-m policy --pol ipsec --dir in $options"
|
echo "-m policy --pol ipsec --dir in $options"
|
||||||
elif [ -n "$POLICY_MATCH" ]; then
|
elif [ -n "$POLICY_MATCH" ]; then
|
||||||
echo "-m policy --pol none --dir in"
|
echo "-m policy --pol none --dir in"
|
||||||
@ -724,11 +723,8 @@ match_ipsec_in() # $1 = zone, $2 = host
|
|||||||
#
|
#
|
||||||
match_ipsec_out() # $1 = zone, $2 = host
|
match_ipsec_out() # $1 = zone, $2 = host
|
||||||
{
|
{
|
||||||
eval local is_ipsec=\$${1}_is_ipsec
|
if ipsec_host $1 $2 ; then
|
||||||
eval local hosts=\"\$${1}_ipsec_hosts\"
|
|
||||||
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
|
eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
|
||||||
|
|
||||||
if [ -n "$is_ipsec" ] || list_search $2 $hosts; then
|
|
||||||
echo "-m policy --pol ipsec --dir out $options"
|
echo "-m policy --pol ipsec --dir out $options"
|
||||||
elif [ -n "$POLICY_MATCH" ]; then
|
elif [ -n "$POLICY_MATCH" ]; then
|
||||||
echo "-m policy --pol none --dir out"
|
echo "-m policy --pol none --dir out"
|
||||||
@ -6113,7 +6109,7 @@ activate_rules()
|
|||||||
interface=${host%%:*}
|
interface=${host%%:*}
|
||||||
networks=${host#*:}
|
networks=${host#*:}
|
||||||
|
|
||||||
ipsec_source $zone $host && \
|
ipsec_host $zone $host && \
|
||||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -6150,7 +6146,7 @@ activate_rules()
|
|||||||
|
|
||||||
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
||||||
|
|
||||||
if [ -n "$complex" ] && ! ipsec_source $zone $host ; then
|
if [ -n "$complex" ] && ! ipsec_host $zone $host ; then
|
||||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user