Merge branch 'passthrough-policies-priority'
Introduces a new priority class for policies, which allows us to install passthrough policies with a strictly higher priority than IPsec policies; previously, whether that was the case depended on the traffic selectors.
commit
73b22aa842
|
@ -56,7 +56,6 @@ plugins = \
|
|||
plugins/imv-test.opt \
|
||||
plugins/ipseckey.opt \
|
||||
plugins/led.opt \
|
||||
plugins/kernel-klips.opt \
|
||||
plugins/kernel-libipsec.opt \
|
||||
plugins/kernel-netlink.opt \
|
||||
plugins/kernel-pfroute.opt \
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
charon.plugins.kernel-klips.ipsec_dev_count = 4
|
||||
Number of ipsecN devices.
|
||||
|
||||
charon.plugins.kernel-klips.ipsec_dev_mtu = 0
|
||||
Set MTU of ipsecN device.
|
|
@ -203,7 +203,6 @@ ARG_ENABL_SET([xauth-noauth], [enable XAuth pseudo-backend that does not actua
|
|||
ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
|
||||
ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.])
|
||||
ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
|
||||
ARG_ENABL_SET([kernel-klips], [enable the KLIPS kernel interface.])
|
||||
ARG_ENABL_SET([kernel-libipsec],[enable the libipsec kernel interface.])
|
||||
ARG_ENABL_SET([kernel-iph], [enable the Windows IP Helper based networking backend.])
|
||||
ARG_ENABL_SET([kernel-wfp], [enable the Windows Filtering Platform IPsec backend.])
|
||||
|
@ -1222,7 +1221,6 @@ ADD_PLUGIN([kernel-wfp], [c charon])
|
|||
ADD_PLUGIN([kernel-iph], [c charon])
|
||||
ADD_PLUGIN([kernel-pfkey], [h charon starter nm cmd])
|
||||
ADD_PLUGIN([kernel-pfroute], [h charon starter nm cmd])
|
||||
ADD_PLUGIN([kernel-klips], [h charon starter])
|
||||
ADD_PLUGIN([kernel-netlink], [h charon starter nm cmd])
|
||||
ADD_PLUGIN([resolve], [h charon cmd])
|
||||
ADD_PLUGIN([socket-default], [c charon nm cmd])
|
||||
|
@ -1442,7 +1440,6 @@ AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
|
|||
# ---------------
|
||||
AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
|
||||
AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
|
||||
AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
|
||||
AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
|
||||
AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
|
||||
AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
|
||||
|
@ -1601,7 +1598,6 @@ AC_CONFIG_FILES([
|
|||
src/libhydra/Makefile
|
||||
src/libhydra/plugins/attr/Makefile
|
||||
src/libhydra/plugins/attr_sql/Makefile
|
||||
src/libhydra/plugins/kernel_klips/Makefile
|
||||
src/libhydra/plugins/kernel_netlink/Makefile
|
||||
src/libhydra/plugins/kernel_pfkey/Makefile
|
||||
src/libhydra/plugins/kernel_pfroute/Makefile
|
||||
|
|
|
@ -49,11 +49,24 @@ static bool install_shunt_policy(child_cfg_t *child)
|
|||
traffic_selector_t *my_ts, *other_ts;
|
||||
host_t *host_any;
|
||||
policy_type_t policy_type;
|
||||
policy_priority_t policy_prio;
|
||||
status_t status = SUCCESS;
|
||||
ipsec_sa_cfg_t sa = { .mode = MODE_TRANSPORT };
|
||||
|
||||
policy_type = (child->get_mode(child) == MODE_PASS) ?
|
||||
POLICY_PASS : POLICY_DROP;
|
||||
switch (child->get_mode(child))
|
||||
{
|
||||
case MODE_PASS:
|
||||
policy_type = POLICY_PASS;
|
||||
policy_prio = POLICY_PRIORITY_PASS;
|
||||
break;
|
||||
case MODE_DROP:
|
||||
policy_type = POLICY_DROP;
|
||||
policy_prio = POLICY_PRIORITY_FALLBACK;
|
||||
break;
|
||||
default:
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
|
||||
other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
|
||||
host_any = host_create_any(AF_INET);
|
||||
|
@ -70,21 +83,21 @@ static bool install_shunt_policy(child_cfg_t *child)
|
|||
hydra->kernel_interface, host_any, host_any,
|
||||
my_ts, other_ts, POLICY_OUT, policy_type,
|
||||
&sa, child->get_mark(child, FALSE),
|
||||
POLICY_PRIORITY_DEFAULT);
|
||||
policy_prio);
|
||||
|
||||
/* install in policy */
|
||||
status |= hydra->kernel_interface->add_policy(
|
||||
hydra->kernel_interface, host_any, host_any,
|
||||
other_ts, my_ts, POLICY_IN, policy_type,
|
||||
&sa, child->get_mark(child, TRUE),
|
||||
POLICY_PRIORITY_DEFAULT);
|
||||
policy_prio);
|
||||
|
||||
/* install forward policy */
|
||||
status |= hydra->kernel_interface->add_policy(
|
||||
hydra->kernel_interface, host_any, host_any,
|
||||
other_ts, my_ts, POLICY_FWD, policy_type,
|
||||
&sa, child->get_mark(child, TRUE),
|
||||
POLICY_PRIORITY_DEFAULT);
|
||||
policy_prio);
|
||||
}
|
||||
e_other_ts->destroy(e_other_ts);
|
||||
}
|
||||
|
@ -137,8 +150,21 @@ static void uninstall_shunt_policy(child_cfg_t *child)
|
|||
enumerator_t *e_my_ts, *e_other_ts;
|
||||
linked_list_t *my_ts_list, *other_ts_list;
|
||||
traffic_selector_t *my_ts, *other_ts;
|
||||
policy_priority_t policy_prio;
|
||||
status_t status = SUCCESS;
|
||||
|
||||
switch (child->get_mode(child))
|
||||
{
|
||||
case MODE_PASS:
|
||||
policy_prio = POLICY_PRIORITY_PASS;
|
||||
break;
|
||||
case MODE_DROP:
|
||||
policy_prio = POLICY_PRIORITY_FALLBACK;
|
||||
break;
|
||||
default:
|
||||
return;
|
||||
}
|
||||
|
||||
my_ts_list = child->get_traffic_selectors(child, TRUE, NULL, NULL);
|
||||
other_ts_list = child->get_traffic_selectors(child, FALSE, NULL, NULL);
|
||||
|
||||
|
@ -153,19 +179,19 @@ static void uninstall_shunt_policy(child_cfg_t *child)
|
|||
status |= hydra->kernel_interface->del_policy(
|
||||
hydra->kernel_interface, my_ts, other_ts,
|
||||
POLICY_OUT, 0, child->get_mark(child, FALSE),
|
||||
POLICY_PRIORITY_DEFAULT);
|
||||
policy_prio);
|
||||
|
||||
/* uninstall in policy */
|
||||
status |= hydra->kernel_interface->del_policy(
|
||||
hydra->kernel_interface, other_ts, my_ts,
|
||||
POLICY_IN, 0, child->get_mark(child, TRUE),
|
||||
POLICY_PRIORITY_DEFAULT);
|
||||
policy_prio);
|
||||
|
||||
/* uninstall forward policy */
|
||||
status |= hydra->kernel_interface->del_policy(
|
||||
hydra->kernel_interface, other_ts, my_ts,
|
||||
POLICY_FWD, 0, child->get_mark(child, TRUE),
|
||||
POLICY_PRIORITY_DEFAULT);
|
||||
policy_prio);
|
||||
}
|
||||
e_other_ts->destroy(e_other_ts);
|
||||
}
|
||||
|
@ -249,4 +275,3 @@ shunt_manager_t *shunt_manager_create()
|
|||
|
||||
return &this->public;
|
||||
}
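Review bot: The mode-to-type/priority switch added at the top of install_shunt_policy is duplicated verbatim in uninstall_shunt_policy (hunk @ -137), and the priority is now also passed to del_policy, so any future divergence between the two switches would leave the kernel policy installed — for a passthrough policy that means traffic keeps bypassing IPsec after the config is unloaded. I would factor the mapping into one static helper that both functions call, which also gives the MODE_PASS/MODE_DROP contract a single place to be documented. Both function bodies continue outside their hunks; uninstall_shunt_policy only needs the priority, so it can pass a scratch policy_type_t.
```c
/**
 * Map the mode of a shunt child_cfg to the kernel policy type and priority
 * class; install and uninstall must agree on both, or del_policy() may not
 * match the policy add_policy() installed.
 *
 * @param child		child config of the shunt
 * @param type		receives POLICY_PASS or POLICY_DROP
 * @param prio		receives the priority class to install/uninstall with
 * @return			FALSE if the mode is neither MODE_PASS nor MODE_DROP
 */
static bool shunt_policy_params(child_cfg_t *child, policy_type_t *type,
								policy_priority_t *prio)
{
	switch (child->get_mode(child))
	{
		case MODE_PASS:
			*type = POLICY_PASS;
			*prio = POLICY_PRIORITY_PASS;
			return TRUE;
		case MODE_DROP:
			*type = POLICY_DROP;
			*prio = POLICY_PRIORITY_FALLBACK;
			return TRUE;
		default:
			return FALSE;
	}
}

static bool install_shunt_policy(child_cfg_t *child)
{
	/* … unchanged: declarations … */
	if (!shunt_policy_params(child, &policy_type, &policy_prio))
	{
		return FALSE;
	}
	/* … unchanged: traffic selector enumeration and add_policy() calls … */
```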
|
||||
|
||||
|
|
|
@ -66,13 +66,6 @@ if MONOLITHIC
|
|||
endif
|
||||
endif
|
||||
|
||||
if USE_KERNEL_KLIPS
|
||||
SUBDIRS += plugins/kernel_klips
|
||||
if MONOLITHIC
|
||||
libhydra_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la
|
||||
endif
|
||||
endif
|
||||
|
||||
if USE_KERNEL_NETLINK
|
||||
SUBDIRS += plugins/kernel_netlink
|
||||
if MONOLITHIC
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
AM_CPPFLAGS = \
|
||||
-I$(top_srcdir)/src/libstrongswan \
|
||||
-I$(top_srcdir)/src/libhydra
|
||||
|
||||
AM_CFLAGS = \
|
||||
$(PLUGIN_CFLAGS)
|
||||
|
||||
if MONOLITHIC
|
||||
noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
|
||||
else
|
||||
plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
|
||||
endif
|
||||
|
||||
libstrongswan_kernel_klips_la_SOURCES = \
|
||||
kernel_klips_plugin.h kernel_klips_plugin.c \
|
||||
kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
|
||||
|
||||
libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
|
|
@ -1,46 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup kernel_klips_ipsec_i kernel_klips_ipsec
|
||||
* @{ @ingroup kernel_klips
|
||||
*/
|
||||
|
||||
#ifndef KERNEL_KLIPS_IPSEC_H_
|
||||
#define KERNEL_KLIPS_IPSEC_H_
|
||||
|
||||
#include <kernel/kernel_ipsec.h>
|
||||
|
||||
typedef struct kernel_klips_ipsec_t kernel_klips_ipsec_t;
|
||||
|
||||
/**
|
||||
* Implementation of the kernel ipsec interface using PF_KEY.
|
||||
*/
|
||||
struct kernel_klips_ipsec_t {
|
||||
|
||||
/**
|
||||
* Implements kernel_ipsec_t interface
|
||||
*/
|
||||
kernel_ipsec_t interface;
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a PF_KEY kernel ipsec interface instance.
|
||||
*
|
||||
* @return kernel_klips_ipsec_t instance
|
||||
*/
|
||||
kernel_klips_ipsec_t *kernel_klips_ipsec_create();
|
||||
|
||||
#endif /** KERNEL_KLIPS_IPSEC_H_ @}*/
|
|
@ -1,76 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
|
||||
#include "kernel_klips_plugin.h"
|
||||
|
||||
#include "kernel_klips_ipsec.h"
|
||||
|
||||
#include <hydra.h>
|
||||
|
||||
typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
|
||||
|
||||
/**
|
||||
* private data of kernel PF_KEY plugin
|
||||
*/
|
||||
struct private_kernel_klips_plugin_t {
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
kernel_klips_plugin_t public;
|
||||
};
|
||||
|
||||
METHOD(plugin_t, get_name, char*,
|
||||
private_kernel_klips_plugin_t *this)
|
||||
{
|
||||
return "kernel-klips";
|
||||
}
|
||||
|
||||
METHOD(plugin_t, get_features, int,
|
||||
private_kernel_klips_plugin_t *this, plugin_feature_t *features[])
|
||||
{
|
||||
static plugin_feature_t f[] = {
|
||||
PLUGIN_CALLBACK(kernel_ipsec_register, kernel_klips_ipsec_create),
|
||||
PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
|
||||
};
|
||||
*features = f;
|
||||
return countof(f);
|
||||
}
|
||||
|
||||
METHOD(plugin_t, destroy, void,
|
||||
private_kernel_klips_plugin_t *this)
|
||||
{
|
||||
free(this);
|
||||
}
|
||||
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
plugin_t *kernel_klips_plugin_create()
|
||||
{
|
||||
private_kernel_klips_plugin_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.plugin = {
|
||||
.get_name = _get_name,
|
||||
.get_features = _get_features,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
|
@ -1,42 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup kernel_klips kernel_klips
|
||||
* @ingroup hplugins
|
||||
*
|
||||
* @defgroup kernel_klips_plugin kernel_klips_plugin
|
||||
* @{ @ingroup kernel_klips
|
||||
*/
|
||||
|
||||
#ifndef KERNEL_KLIPS_PLUGIN_H_
|
||||
#define KERNEL_KLIPS_PLUGIN_H_
|
||||
|
||||
#include <plugins/plugin.h>
|
||||
|
||||
typedef struct kernel_klips_plugin_t kernel_klips_plugin_t;
|
||||
|
||||
/**
|
||||
* PF_KEY kernel interface plugin
|
||||
*/
|
||||
struct kernel_klips_plugin_t {
|
||||
|
||||
/**
|
||||
* implements plugin interface
|
||||
*/
|
||||
plugin_t plugin;
|
||||
};
|
||||
|
||||
#endif /** KERNEL_KLIPS_PLUGIN_H_ @}*/
|
|
@ -1,322 +0,0 @@
|
|||
/*
|
||||
RFC 2367 PF_KEY Key Management API July 1998
|
||||
|
||||
|
||||
Appendix D: Sample Header File
|
||||
|
||||
This file defines structures and symbols for the PF_KEY Version 2
|
||||
key management interface. It was written at the U.S. Naval Research
|
||||
Laboratory. This file is in the public domain. The authors ask that
|
||||
you leave this credit intact on any copies of this file.
|
||||
*/
|
||||
#ifndef __PFKEY_V2_H
|
||||
#define __PFKEY_V2_H 1
|
||||
|
||||
#define PF_KEY_V2 2
|
||||
#define PFKEYV2_REVISION 199806L
|
||||
|
||||
#define SADB_RESERVED 0
|
||||
#define SADB_GETSPI 1
|
||||
#define SADB_UPDATE 2
|
||||
#define SADB_ADD 3
|
||||
#define SADB_DELETE 4
|
||||
#define SADB_GET 5
|
||||
#define SADB_ACQUIRE 6
|
||||
#define SADB_REGISTER 7
|
||||
#define SADB_EXPIRE 8
|
||||
#define SADB_FLUSH 9
|
||||
#define SADB_DUMP 10
|
||||
#define SADB_X_PROMISC 11
|
||||
#define SADB_X_PCHANGE 12
|
||||
#define SADB_X_GRPSA 13
|
||||
#define SADB_X_ADDFLOW 14
|
||||
#define SADB_X_DELFLOW 15
|
||||
#define SADB_X_DEBUG 16
|
||||
#define SADB_X_NAT_T_NEW_MAPPING 17
|
||||
#define SADB_MAX 17
|
||||
|
||||
struct sadb_msg {
|
||||
uint8_t sadb_msg_version;
|
||||
uint8_t sadb_msg_type;
|
||||
uint8_t sadb_msg_errno;
|
||||
uint8_t sadb_msg_satype;
|
||||
uint16_t sadb_msg_len;
|
||||
uint16_t sadb_msg_reserved;
|
||||
uint32_t sadb_msg_seq;
|
||||
uint32_t sadb_msg_pid;
|
||||
};
|
||||
|
||||
struct sadb_ext {
|
||||
uint16_t sadb_ext_len;
|
||||
uint16_t sadb_ext_type;
|
||||
};
|
||||
|
||||
struct sadb_sa {
|
||||
uint16_t sadb_sa_len;
|
||||
uint16_t sadb_sa_exttype;
|
||||
uint32_t sadb_sa_spi;
|
||||
uint8_t sadb_sa_replay;
|
||||
uint8_t sadb_sa_state;
|
||||
uint8_t sadb_sa_auth;
|
||||
uint8_t sadb_sa_encrypt;
|
||||
uint32_t sadb_sa_flags;
|
||||
};
|
||||
|
||||
struct sadb_lifetime {
|
||||
uint16_t sadb_lifetime_len;
|
||||
uint16_t sadb_lifetime_exttype;
|
||||
uint32_t sadb_lifetime_allocations;
|
||||
uint64_t sadb_lifetime_bytes;
|
||||
uint64_t sadb_lifetime_addtime;
|
||||
uint64_t sadb_lifetime_usetime;
|
||||
uint32_t sadb_x_lifetime_packets;
|
||||
uint32_t sadb_x_lifetime_reserved;
|
||||
};
|
||||
|
||||
struct sadb_address {
|
||||
uint16_t sadb_address_len;
|
||||
uint16_t sadb_address_exttype;
|
||||
uint8_t sadb_address_proto;
|
||||
uint8_t sadb_address_prefixlen;
|
||||
uint16_t sadb_address_reserved;
|
||||
};
|
||||
|
||||
struct sadb_key {
|
||||
uint16_t sadb_key_len;
|
||||
uint16_t sadb_key_exttype;
|
||||
uint16_t sadb_key_bits;
|
||||
uint16_t sadb_key_reserved;
|
||||
};
|
||||
|
||||
struct sadb_ident {
|
||||
uint16_t sadb_ident_len;
|
||||
uint16_t sadb_ident_exttype;
|
||||
uint16_t sadb_ident_type;
|
||||
uint16_t sadb_ident_reserved;
|
||||
uint64_t sadb_ident_id;
|
||||
};
|
||||
|
||||
struct sadb_sens {
|
||||
uint16_t sadb_sens_len;
|
||||
uint16_t sadb_sens_exttype;
|
||||
uint32_t sadb_sens_dpd;
|
||||
uint8_t sadb_sens_sens_level;
|
||||
uint8_t sadb_sens_sens_len;
|
||||
uint8_t sadb_sens_integ_level;
|
||||
uint8_t sadb_sens_integ_len;
|
||||
uint32_t sadb_sens_reserved;
|
||||
};
|
||||
|
||||
struct sadb_prop {
|
||||
uint16_t sadb_prop_len;
|
||||
uint16_t sadb_prop_exttype;
|
||||
uint8_t sadb_prop_replay;
|
||||
uint8_t sadb_prop_reserved[3];
|
||||
};
|
||||
|
||||
struct sadb_comb {
|
||||
uint8_t sadb_comb_auth;
|
||||
uint8_t sadb_comb_encrypt;
|
||||
uint16_t sadb_comb_flags;
|
||||
uint16_t sadb_comb_auth_minbits;
|
||||
uint16_t sadb_comb_auth_maxbits;
|
||||
uint16_t sadb_comb_encrypt_minbits;
|
||||
uint16_t sadb_comb_encrypt_maxbits;
|
||||
uint32_t sadb_comb_reserved;
|
||||
uint32_t sadb_comb_soft_allocations;
|
||||
uint32_t sadb_comb_hard_allocations;
|
||||
uint64_t sadb_comb_soft_bytes;
|
||||
uint64_t sadb_comb_hard_bytes;
|
||||
uint64_t sadb_comb_soft_addtime;
|
||||
uint64_t sadb_comb_hard_addtime;
|
||||
uint64_t sadb_comb_soft_usetime;
|
||||
uint64_t sadb_comb_hard_usetime;
|
||||
uint32_t sadb_x_comb_soft_packets;
|
||||
uint32_t sadb_x_comb_hard_packets;
|
||||
};
|
||||
|
||||
struct sadb_supported {
|
||||
uint16_t sadb_supported_len;
|
||||
uint16_t sadb_supported_exttype;
|
||||
uint32_t sadb_supported_reserved;
|
||||
};
|
||||
|
||||
struct sadb_alg {
|
||||
uint8_t sadb_alg_id;
|
||||
uint8_t sadb_alg_ivlen;
|
||||
uint16_t sadb_alg_minbits;
|
||||
uint16_t sadb_alg_maxbits;
|
||||
uint16_t sadb_alg_reserved;
|
||||
};
|
||||
|
||||
struct sadb_spirange {
|
||||
uint16_t sadb_spirange_len;
|
||||
uint16_t sadb_spirange_exttype;
|
||||
uint32_t sadb_spirange_min;
|
||||
uint32_t sadb_spirange_max;
|
||||
uint32_t sadb_spirange_reserved;
|
||||
};
|
||||
|
||||
struct sadb_x_kmprivate {
|
||||
uint16_t sadb_x_kmprivate_len;
|
||||
uint16_t sadb_x_kmprivate_exttype;
|
||||
uint32_t sadb_x_kmprivate_reserved;
|
||||
};
|
||||
|
||||
struct sadb_x_satype {
|
||||
uint16_t sadb_x_satype_len;
|
||||
uint16_t sadb_x_satype_exttype;
|
||||
uint8_t sadb_x_satype_satype;
|
||||
uint8_t sadb_x_satype_reserved[3];
|
||||
};
|
||||
|
||||
struct sadb_x_debug {
|
||||
uint16_t sadb_x_debug_len;
|
||||
uint16_t sadb_x_debug_exttype;
|
||||
uint32_t sadb_x_debug_tunnel;
|
||||
uint32_t sadb_x_debug_netlink;
|
||||
uint32_t sadb_x_debug_xform;
|
||||
uint32_t sadb_x_debug_eroute;
|
||||
uint32_t sadb_x_debug_spi;
|
||||
uint32_t sadb_x_debug_radij;
|
||||
uint32_t sadb_x_debug_esp;
|
||||
uint32_t sadb_x_debug_ah;
|
||||
uint32_t sadb_x_debug_rcv;
|
||||
uint32_t sadb_x_debug_pfkey;
|
||||
uint32_t sadb_x_debug_ipcomp;
|
||||
uint32_t sadb_x_debug_verbose;
|
||||
uint8_t sadb_x_debug_reserved[4];
|
||||
};
|
||||
|
||||
struct sadb_x_nat_t_type {
|
||||
uint16_t sadb_x_nat_t_type_len;
|
||||
uint16_t sadb_x_nat_t_type_exttype;
|
||||
uint8_t sadb_x_nat_t_type_type;
|
||||
uint8_t sadb_x_nat_t_type_reserved[3];
|
||||
};
|
||||
struct sadb_x_nat_t_port {
|
||||
uint16_t sadb_x_nat_t_port_len;
|
||||
uint16_t sadb_x_nat_t_port_exttype;
|
||||
uint16_t sadb_x_nat_t_port_port;
|
||||
uint16_t sadb_x_nat_t_port_reserved;
|
||||
};
|
||||
|
||||
/*
|
||||
* A protocol structure for passing through the transport level
|
||||
* protocol. It contains more fields than are actually used/needed
|
||||
* but it is this way to be compatible with the structure used in
|
||||
* OpenBSD (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfkeyv2.h)
|
||||
*/
|
||||
struct sadb_protocol {
|
||||
uint16_t sadb_protocol_len;
|
||||
uint16_t sadb_protocol_exttype;
|
||||
uint8_t sadb_protocol_proto;
|
||||
uint8_t sadb_protocol_direction;
|
||||
uint8_t sadb_protocol_flags;
|
||||
uint8_t sadb_protocol_reserved2;
|
||||
};
|
||||
|
||||
#define SADB_EXT_RESERVED 0
|
||||
#define SADB_EXT_SA 1
|
||||
#define SADB_EXT_LIFETIME_CURRENT 2
|
||||
#define SADB_EXT_LIFETIME_HARD 3
|
||||
#define SADB_EXT_LIFETIME_SOFT 4
|
||||
#define SADB_EXT_ADDRESS_SRC 5
|
||||
#define SADB_EXT_ADDRESS_DST 6
|
||||
#define SADB_EXT_ADDRESS_PROXY 7
|
||||
#define SADB_EXT_KEY_AUTH 8
|
||||
#define SADB_EXT_KEY_ENCRYPT 9
|
||||
#define SADB_EXT_IDENTITY_SRC 10
|
||||
#define SADB_EXT_IDENTITY_DST 11
|
||||
#define SADB_EXT_SENSITIVITY 12
|
||||
#define SADB_EXT_PROPOSAL 13
|
||||
#define SADB_EXT_SUPPORTED_AUTH 14
|
||||
#define SADB_EXT_SUPPORTED_ENCRYPT 15
|
||||
#define SADB_EXT_SPIRANGE 16
|
||||
#define SADB_X_EXT_KMPRIVATE 17
|
||||
#define SADB_X_EXT_SATYPE2 18
|
||||
#define SADB_X_EXT_SA2 19
|
||||
#define SADB_X_EXT_ADDRESS_DST2 20
|
||||
#define SADB_X_EXT_ADDRESS_SRC_FLOW 21
|
||||
#define SADB_X_EXT_ADDRESS_DST_FLOW 22
|
||||
#define SADB_X_EXT_ADDRESS_SRC_MASK 23
|
||||
#define SADB_X_EXT_ADDRESS_DST_MASK 24
|
||||
#define SADB_X_EXT_DEBUG 25
|
||||
#define SADB_X_EXT_PROTOCOL 26
|
||||
#define SADB_X_EXT_NAT_T_TYPE 27
|
||||
#define SADB_X_EXT_NAT_T_SPORT 28
|
||||
#define SADB_X_EXT_NAT_T_DPORT 29
|
||||
#define SADB_X_EXT_NAT_T_OA 30
|
||||
#define SADB_EXT_MAX 30
|
||||
|
||||
/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
|
||||
#define SADB_X_EXT_ADDRESS_DELFLOW \
|
||||
( (1<<SADB_X_EXT_ADDRESS_SRC_FLOW) \
|
||||
| (1<<SADB_X_EXT_ADDRESS_DST_FLOW) \
|
||||
| (1<<SADB_X_EXT_ADDRESS_SRC_MASK) \
|
||||
| (1<<SADB_X_EXT_ADDRESS_DST_MASK))
|
||||
|
||||
#define SADB_SATYPE_UNSPEC 0
|
||||
#define SADB_SATYPE_AH 2
|
||||
#define SADB_SATYPE_ESP 3
|
||||
#define SADB_SATYPE_RSVP 5
|
||||
#define SADB_SATYPE_OSPFV2 6
|
||||
#define SADB_SATYPE_RIPV2 7
|
||||
#define SADB_SATYPE_MIP 8
|
||||
#define SADB_X_SATYPE_IPIP 9
|
||||
#define SADB_X_SATYPE_COMP 10
|
||||
#define SADB_X_SATYPE_INT 11
|
||||
#define SADB_SATYPE_MAX 11
|
||||
|
||||
#define SADB_SASTATE_LARVAL 0
|
||||
#define SADB_SASTATE_MATURE 1
|
||||
#define SADB_SASTATE_DYING 2
|
||||
#define SADB_SASTATE_DEAD 3
|
||||
#define SADB_SASTATE_MAX 3
|
||||
|
||||
#define SADB_SAFLAGS_PFS 1
|
||||
#define SADB_X_SAFLAGS_REPLACEFLOW 2
|
||||
#define SADB_X_SAFLAGS_CLEARFLOW 4
|
||||
#define SADB_X_SAFLAGS_INFLOW 8
|
||||
|
||||
#define SADB_AALG_NONE 0
|
||||
#define SADB_AALG_MD5HMAC 2
|
||||
#define SADB_AALG_SHA1HMAC 3
|
||||
#define SADB_AALG_SHA256_HMAC 5
|
||||
#define SADB_AALG_SHA384_HMAC 6
|
||||
#define SADB_AALG_SHA512_HMAC 7
|
||||
#define SADB_AALG_RIPEMD160HMAC 8
|
||||
#define SADB_AALG_MAX 15
|
||||
|
||||
#define SADB_EALG_NONE 0
|
||||
#define SADB_EALG_DESCBC 2
|
||||
#define SADB_EALG_3DESCBC 3
|
||||
#define SADB_EALG_BFCBC 7
|
||||
#define SADB_EALG_NULL 11
|
||||
#define SADB_EALG_AESCBC 12
|
||||
#define SADB_EALG_MAX 255
|
||||
|
||||
#define SADB_X_CALG_NONE 0
|
||||
#define SADB_X_CALG_OUI 1
|
||||
#define SADB_X_CALG_DEFLATE 2
|
||||
#define SADB_X_CALG_LZS 3
|
||||
#define SADB_X_CALG_V42BIS 4
|
||||
#define SADB_X_CALG_MAX 4
|
||||
|
||||
#define SADB_X_TALG_NONE 0
|
||||
#define SADB_X_TALG_IPv4_in_IPv4 1
|
||||
#define SADB_X_TALG_IPv6_in_IPv4 2
|
||||
#define SADB_X_TALG_IPv4_in_IPv6 3
|
||||
#define SADB_X_TALG_IPv6_in_IPv6 4
|
||||
#define SADB_X_TALG_MAX 4
|
||||
|
||||
|
||||
#define SADB_IDENTTYPE_RESERVED 0
|
||||
#define SADB_IDENTTYPE_PREFIX 1
|
||||
#define SADB_IDENTTYPE_FQDN 2
|
||||
#define SADB_IDENTTYPE_USERFQDN 3
|
||||
#define SADB_X_IDENTTYPE_CONNECTION 4
|
||||
#define SADB_IDENTTYPE_MAX 4
|
||||
|
||||
#define SADB_KEY_FLAGS_MAX 0
|
||||
#endif /* __PFKEY_V2_H */
|
|
@ -70,8 +70,8 @@
|
|||
#define SOL_UDP IPPROTO_UDP
|
||||
#endif
|
||||
|
||||
/** Default priority of installed policies */
|
||||
#define PRIO_BASE 512
|
||||
/** Base priority for installed policies */
|
||||
#define PRIO_BASE 384
|
||||
|
||||
/** Default lifetime of an acquire XFRM state (in seconds) */
|
||||
#define DEFAULT_ACQUIRE_LIFETIME 165
|
||||
|
@ -606,6 +606,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
|
|||
priority <<= 1;
|
||||
/* fall-through */
|
||||
case POLICY_PRIORITY_DEFAULT:
|
||||
priority <<= 1;
|
||||
/* fall-through */
|
||||
case POLICY_PRIORITY_PASS:
|
||||
break;
|
||||
}
|
||||
/* calculate priority based on selector size, small size = high prio */
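Review bot: The new POLICY_PRIORITY_PASS case only gives passthrough policies strictly higher precedence than DEFAULT if the selector-size adjustment applied after the switch (outside this hunk) stays below PRIO_BASE, which this commit lowers from 512 to 384 without saying why; neither the define nor get_priority records that invariant. I would extend the comment on the define to `/** Base priority for installed policies; each policy_priority_t class doubles it, so the selector-based adjustment in get_priority() must stay below PRIO_BASE */`. The same wording fits the identical changes in the two following sections (hunks @ -135/-583 and @ -22/-88, calculate_priority). get_priority's body begins and ends outside the hunk.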
|
||||
|
|
|
@ -135,8 +135,8 @@
|
|||
#define SOL_UDP IPPROTO_UDP
|
||||
#endif
|
||||
|
||||
/** default priority of installed policies */
|
||||
#define PRIO_BASE 512
|
||||
/** base priority for installed policies */
|
||||
#define PRIO_BASE 384
|
||||
|
||||
#ifdef __APPLE__
|
||||
/** from xnu/bsd/net/pfkeyv2.h */
|
||||
|
@ -583,6 +583,9 @@ static inline u_int32_t get_priority(policy_entry_t *policy,
|
|||
priority <<= 1;
|
||||
/* fall-through */
|
||||
case POLICY_PRIORITY_DEFAULT:
|
||||
priority <<= 1;
|
||||
/* fall-trough */
|
||||
case POLICY_PRIORITY_PASS:
|
||||
break;
|
||||
}
|
||||
/* calculate priority based on selector size, small size = high prio */
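Review bot: The fall-through comment added before `case POLICY_PRIORITY_PASS:` is misspelled `/* fall-trough */`, unlike the one two lines above it and the netlink counterpart; besides the inconsistency, compilers that look for a fall-through marker comment (GCC's -Wimplicit-fallthrough) will not recognise the misspelling and will warn on the implicit fall-through. Change it to `/* fall-through */`. get_priority's body begins and ends outside the hunk.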
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
#include <collections/linked_list.h>
|
||||
|
||||
/** Base priority for installed policies */
|
||||
#define PRIO_BASE 512
|
||||
#define PRIO_BASE 384
|
||||
|
||||
typedef struct private_ipsec_policy_mgr_t private_ipsec_policy_mgr_t;
|
||||
|
||||
|
@ -88,6 +88,9 @@ static u_int32_t calculate_priority(policy_priority_t policy_priority,
|
|||
priority <<= 1;
|
||||
/* fall-through */
|
||||
case POLICY_PRIORITY_DEFAULT:
|
||||
priority <<= 1;
|
||||
/* fall-through */
|
||||
case POLICY_PRIORITY_PASS:
|
||||
break;
|
||||
}
|
||||
/* calculate priority based on selector size, small size = high prio */
|
||||
|
|
|
@ -90,7 +90,9 @@ enum policy_type_t {
|
|||
* High-level priority of a policy.
|
||||
*/
|
||||
enum policy_priority_t {
|
||||
/** Default priority */
|
||||
/** Priority for passthrough policies */
|
||||
POLICY_PRIORITY_PASS,
|
||||
/** Priority for regular IPsec policies */
|
||||
POLICY_PRIORITY_DEFAULT,
|
||||
/** Priority for trap policies */
|
||||
POLICY_PRIORITY_ROUTED,
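Review bot: Inserting POLICY_PRIORITY_PASS ahead of POLICY_PRIORITY_DEFAULT renumbers every following enumerator, and the kernel backends tie the numeric priority to this class order (the fall-through shift chains in the get_priority/calculate_priority sections), yet the enum doc still says only "High-level priority of a policy". I would state the contract where it can be seen: `/** High-level priority of a policy, listed from highest to lowest precedence. Kernel backends derive the numeric kernel priority from this order; do not reorder without updating them. */`. The enum continues past the hunk (the shunt manager uses a POLICY_PRIORITY_FALLBACK that is not visible here).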
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
|
||||
tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway. In order to prevent
|
||||
local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
|
||||
shunt policy with <b>type=pass</b>.
|
||||
<p/>
|
||||
In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
|
||||
ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
|
|
@ -0,0 +1,10 @@
|
|||
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
|
||||
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
|
||||
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
|
||||
alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
|
||||
alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
|
|
@ -8,7 +8,16 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
mobike=no
|
||||
|
||||
conn nat-t
|
||||
left=%any
|
||||
leftcert=aliceCert.pem
|
||||
leftid=alice@strongswan.org
|
||||
leftsourceip=%config
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
rightsubnet=0.0.0.0/0
|
||||
auto=add
|
||||
|
||||
conn local-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
|
@ -16,25 +25,3 @@ conn local-net
|
|||
authby=never
|
||||
type=pass
|
||||
auto=route
|
||||
|
||||
conn venus-icmp
|
||||
leftsubnet=PH_IP_VENUS/32
|
||||
rightsubnet=0.0.0.0/0
|
||||
leftprotoport=icmp
|
||||
rightprotoport=icmp
|
||||
leftauth=any
|
||||
rightauth=any
|
||||
type=drop
|
||||
auto=route
|
||||
|
||||
conn net-net
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
leftfirewall=yes
|
||||
lefthostaccess=yes
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
rightsubnet=0.0.0.0/0
|
||||
auto=add
|
|
@ -1,6 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
|
||||
keep_alive = 5
|
||||
}
|
|
@ -6,17 +6,15 @@ conn %default
|
|||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
mobike=no
|
||||
|
||||
conn net-net
|
||||
conn nat-t
|
||||
left=PH_IP_SUN
|
||||
leftcert=sunCert.pem
|
||||
leftid=@sun.strongswan.org
|
||||
leftsubnet=0.0.0.0/0
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsubnet=10.1.0.0/16
|
||||
leftsubnet=0.0.0.0/0
|
||||
right=%any
|
||||
rightsourceip=10.3.0.0/28
|
||||
auto=add
|
|
@ -0,0 +1,24 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
COMMIT
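Review bot: The `# allow MobIKE` comment over the UDP 4500 rules is misleading for this test: alice sets mobike=no, and the evaltest expects UDP-encapsulated ESP on port 4500 from the NAT-ed clients, so 4500 is required for NAT-T regardless of MobIKE. I would change the comment to `# allow NAT-T (UDP-encapsulated ESP) and MobIKE`. Note also that there is no ESP (proto 50) rule and FORWARD defaults to DROP, so forwarded tunnel traffic to bob presumably depends on the updown script inserting rules (leftfirewall=yes appears in the context of the sun ipsec.conf hunk, though its status is not certain from this page); a comment such as `# tunnel traffic is opened by the updown script (leftfirewall=yes)` would make that dependency explicit.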
|
|
@ -1,7 +1,5 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
|
||||
multiple_authentication = no
|
||||
install_routes = no
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn nat-t
|
||||
left=%any
|
||||
leftcert=venusCert.pem
|
||||
leftid=@venus.strongswan.org
|
||||
leftsourceip=%config
|
||||
right=PH_IP_SUN
|
||||
rightid=@sun.strongswan.org
|
||||
rightsubnet=0.0.0.0/0
|
||||
auto=add
|
||||
|
||||
conn local-net
|
||||
leftsubnet=10.1.0.0/16
|
||||
rightsubnet=10.1.0.0/16
|
||||
authby=never
|
||||
type=pass
|
||||
auto=route
|
|
@ -0,0 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
|
||||
|
||||
keep_alive = 5
|
||||
}
|
|
@ -0,0 +1,5 @@
|
|||
sun::ipsec stop
|
||||
alice::ipsec stop
|
||||
venus::ipsec stop
|
||||
sun::iptables-restore < /etc/iptables.flush
|
||||
moon::iptables -t nat -F
|
|
@ -0,0 +1,11 @@
|
|||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
|
||||
moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
|
||||
alice::ipsec start
|
||||
venus::ipsec start
|
||||
sun::ipsec start
|
||||
alice::expect-connection nat-t
|
||||
venus::expect-connection nat-t
|
||||
sun::expect-connection nat-t
|
||||
alice::ipsec up nat-t
|
||||
venus::ipsec up nat-t
|
|
@ -5,17 +5,17 @@
|
|||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice moon winnetou sun bob"
|
||||
VIRTHOSTS="alice venus moon winnetou sun bob"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-w-s-b.png"
|
||||
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="sun"
|
||||
TCPDUMPHOSTS="alice moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon sun"
|
||||
IPSECHOSTS="alice venus sun"
|
|
@ -1,11 +0,0 @@
|
|||
All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
|
||||
by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
|
||||
prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
|
||||
tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
|
||||
In order for the shunt to work, automatic route insertion must be disabled
|
||||
by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
|
||||
<p/>
|
||||
In order to demonstrate the use of <b>type=drop</b> shunt policies, the
|
||||
<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
|
||||
to use the IPsec tunnel by dropping such packets. Since this policy does not
|
||||
apply to the localnet, <b>venus</b> and <b>moon</b> can still ping each other.
|
|
@ -1,16 +0,0 @@
|
|||
moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
|
||||
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
|
||||
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
|
||||
venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
|
||||
moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
|
||||
bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
|
||||
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
|
||||
venus::ssh PH_IP_BOB hostname::bob::YES
|
||||
bob:: ssh PH_IP_VENUS hostname::venus::YES
|
|
@ -1,32 +0,0 @@
|
|||
*filter
|
||||
|
||||
# default policy is DROP
|
||||
-P INPUT DROP
|
||||
-P OUTPUT DROP
|
||||
-P FORWARD DROP
|
||||
|
||||
# allow esp
|
||||
-A INPUT -i eth0 -p 50 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p 50 -j ACCEPT
|
||||
|
||||
# allow IKE
|
||||
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
|
||||
|
||||
# allow MobIKE
|
||||
-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
|
||||
|
||||
# allow icmp in local net
|
||||
-A INPUT -i eth1 -p icmp -j ACCEPT
|
||||
-A OUTPUT -o eth1 -p icmp -j ACCEPT
|
||||
|
||||
COMMIT
|
|
@ -1,5 +0,0 @@
|
|||
moon::ipsec stop
|
||||
sun::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
sun::iptables-restore < /etc/iptables.flush
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
sun::iptables-restore < /etc/iptables.rules
|
||||
moon::ipsec start
|
||||
sun::ipsec start
|
||||
moon::sleep 1
|
||||
moon::ipsec up net-net
|