author | An-Cheng Huang <ancheng@vyatta.com> | 2008-05-19 05:12:44 -0700 |
---|---|---|
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-05-19 05:12:44 -0700 |
commit | 667e6987770ef9c072fdc26226820bdd2b8acd48 (patch) | |
tree | 630ad34c24874423e5125f59a4b8d0f6b7e3a46f | |
parent | 184b1af2794b5187f33bc6ce14d2d28f84a827a6 (diff) | |
download | vyatta-cfg-firewall-667e6987770ef9c072fdc26226820bdd2b8acd48.tar.gz vyatta-cfg-firewall-667e6987770ef9c072fdc26226820bdd2b8acd48.zip |
allow firewall rule to match inbound IPsec packets.
4 files changed, 20 insertions, 0 deletions
diff --git a/scripts/firewall/VyattaIpTablesRule.pm b/scripts/firewall/VyattaIpTablesRule.pm
index 63c4ddd..ef0d599 100644
--- a/scripts/firewall/VyattaIpTablesRule.pm
+++ b/scripts/firewall/VyattaIpTablesRule.pm
@@ -22,6 +22,8 @@ my %fields = (
   _icmp_type => undef,
   _mod_mark => undef,
   _mod_dscp => undef,
+  _ipsec => undef,
+  _non_ipsec => undef,
 );
 
 my %dummy_rule = (
@@ -39,6 +41,8 @@ my %dummy_rule = (
   _icmp_type => undef,
   _mod_mark => undef,
   _mod_dscp => undef,
+  _ipsec => undef,
+  _non_ipsec => undef,
 );
 
 sub new {
@@ -81,6 +85,8 @@ sub setup {
   $self->{_icmp_type} = $config->returnValue("icmp type");
   $self->{_mod_mark} = $config->returnValue("modify mark");
   $self->{_mod_dscp} = $config->returnValue("modify dscp");
+  $self->{_ipsec} = $config->exists("ipsec match-ipsec");
+  $self->{_non_ipsec} = $config->exists("ipsec match-none");
 
   # TODO: need $config->exists("$level source") in VyattaConfig.pm
   $src->setup("$level source");
@@ -112,6 +118,8 @@ sub setupOrig {
   $self->{_icmp_type} = $config->returnOrigValue("icmp type");
   $self->{_mod_mark} = $config->returnOrigValue("modify mark");
   $self->{_mod_dscp} = $config->returnOrigValue("modify dscp");
+  $self->{_ipsec} = $config->existsOrig("ipsec match-ipsec");
+  $self->{_non_ipsec} = $config->existsOrig("ipsec match-none");
 
   # TODO: need $config->exists("$level source") in VyattaConfig.pm
   $src->setupOrig("$level source");
@@ -229,6 +237,15 @@ sub rule {
   }
   $rule .= " $srcrule $dstrule ";
 
+  # note: "out" is not valid in the INPUT chain.
+  return ('Cannot specify both "match-ipsec" and "match-none"', )
+    if (defined($self->{_ipsec}) && defined($self->{_non_ipsec}));
+  if (defined($self->{_ipsec})) {
+    $rule .= ' -m policy --pol ipsec --dir in ';
+  } elsif (defined($self->{_non_ipsec})) {
+    $rule .= ' -m policy --pol none --dir in ';
+  }
+
   my $chain = $self->{_name};
   my $rule_num = $self->{_rule_number};
   my $rule2 = undef;
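Review bot: The guards in the `sub rule` hunk test `defined($self->{_ipsec})` and `defined($self->{_non_ipsec})`, but those fields are filled in `setup`/`setupOrig` from `$config->exists(...)`/`existsOrig(...)`, whose return for an absent node is not visible here; the other fields use `returnValue`, which the existing `defined` checks assume yields undef, and if `exists` instead yields `0` or `''` every rule would trip the "Cannot specify both" error and the match would never be emitted. Testing truthiness is correct under either convention: `if ($self->{_ipsec} && $self->{_non_ipsec})`, `if ($self->{_ipsec})`, `elsif ($self->{_non_ipsec})`. Separately, `--dir in` is hard-wired (the added comment only notes that "out" is not valid in INPUT); the xt_policy match is expected to reject an input-direction policy in the OUTPUT chain, so if a rule set using match-ipsec/match-none can be applied in an outbound direction the iptables load would fail rather than silently match nothing, which deserves a comment such as `# --dir in: this match is only valid for rule sets applied to inbound/forwarded traffic` or an earlier validation. The `rule` sub begins and ends outside the hunk, so the chain or direction is not visible here for such a check.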
diff --git a/templates/firewall/name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
new file mode 100644
index 0000000..8d4bf12
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
@@ -0,0 +1 @@
+help: Match inbound IPsec packets
diff --git a/templates/firewall/name/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/name/node.tag/rule/node.tag/ipsec/match-none/node.def
new file mode 100644
index 0000000..cfcbc8a
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/ipsec/match-none/node.def
@@ -0,0 +1 @@
+help: Match inbound non-IPsec packets
diff --git a/templates/firewall/name/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/name/node.tag/rule/node.tag/ipsec/node.def
new file mode 100644
index 0000000..c905e2d
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/ipsec/node.def
@@ -0,0 +1 @@
+help: Set inbound IPsec packet matching |