From 89f7f78402a0f4362f59ffd693b8491b34700abe Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 8 Jan 2002 02:36:05 +0000
Subject: ipmasq: Separate IPsec rules, rename them *.def and update them to match syntax of latest ipmasq release.
---
 ipmasq/rules/A01interfaces.rul | 19 -----------------
 ipmasq/rules/A01interfaces_ipsec.def | 23 +++++++++++++++++++++
 ipmasq/rules/A01precompute_ipsec.def | 26 +++++++++++++++++++++++
 ipmasq/rules/F50ipsec.def | 40 ++++++++++++++++++++++++++++++++++++
 4 files changed, 89 insertions(+), 19 deletions(-)
 delete mode 100644 ipmasq/rules/A01interfaces.rul
 create mode 100644 ipmasq/rules/A01interfaces_ipsec.def
 create mode 100644 ipmasq/rules/A01precompute_ipsec.def
 create mode 100644 ipmasq/rules/F50ipsec.def
(limited to 'ipmasq')
diff --git a/ipmasq/rules/A01interfaces.rul b/ipmasq/rules/A01interfaces.rul
deleted file mode 100644
index 56808c6..0000000
--- a/ipmasq/rules/A01interfaces.rul
+++ /dev/null
@@ -1,19 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-#
-# Correction:
-# Ignore irda interfaces as well.
-# Jonas Smedegaard Sat, 17 Jun 2000 15:10:17 +0200
-
-# find interface names
-EXTERNAL=$(default-if | sort -u)
-INTERNAL=$(enumerate-if | sort -u | grep -v lo | grep -v irda)
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- INTERNAL=$(echo $INTERNAL | sed -e s/$i//)
- done
-fi
-
diff --git a/ipmasq/rules/A01interfaces_ipsec.def b/ipmasq/rules/A01interfaces_ipsec.def
new file mode 100644
index 0000000..484fb9e
--- /dev/null
+++ b/ipmasq/rules/A01interfaces_ipsec.def
@@ -0,0 +1,23 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# find IPsec interface names, and separate them from INTERNAL
+IPSEC=$(enumerate-if | sort -u | grep ipsec)
+if [ -n "$IPSEC" ]; then
+ for i in $IPSEC; do
+ INTERNAL=$(echo $INTERNAL | sed -e "s/\( *\|^\)$i\( *\|$\)/\1/")
+ done
+fi
+
+# remove interfaces that don't have networks attached to them
+if [ -n "$IPSEC" ]; then
+ for i in $IPSEC; do
+ nm=$(nmofif $i)
+ if [ -z "${nm}" ]; then
+ IPSEC=$(echo $IPSEC | sed -e "s/\( *\|^\)$i\( *\|$\)/\1/")
+ fi
+ done
+fi
diff --git a/ipmasq/rules/A01precompute_ipsec.def b/ipmasq/rules/A01precompute_ipsec.def
new file mode 100644
index 0000000..197c2d4
--- /dev/null
+++ b/ipmasq/rules/A01precompute_ipsec.def
@@ -0,0 +1,26 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# precompute ips and netmasks
+if [ -n "$IPSEC" ]; then
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo "#: IPSec interfaces found:"
+ fi
+ IPSECGW=""
+ for i in $IPSEC; do
+ ii=$(echo $i | sed -e 's/\:/_/g')
+ igw=$(ipsec look | grep IPIP:.*src=$ip | sed 's/^\([^[:blank:]]*\).*/\1/')
+ cidrcollect=""
+ for ipsecgw in $igw; do
+ cidr=$(ipsec look | grep "=> $ipsecgw" | sed 's/^\([^[:blank:]]*\).*/\1/')
+ cidrcollect="$cidrcollect $cidr"
+ done
+ eval "CIDROFIPSEC_${ii}=\"$cidrcollect\""
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo -e "#: $i\t$ip/$nm\t$cidrcollect"
+ fi
+ done
+fi
diff --git a/ipmasq/rules/F50ipsec.def b/ipmasq/rules/F50ipsec.def
new file mode 100644
index 0000000..cad4d78
--- /dev/null
+++ b/ipmasq/rules/F50ipsec.def
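Review bot: The sed pattern on the `INTERNAL=` line, `\( *\|^\)$i\( *\|$\)`, lets both groups match the empty string, so `$i` is matched as a bare substring and can strip the leading part of a longer interface name (removing `ipsec1` from a list in which `ipsec10` comes first leaves a stray `0`); the same pattern is reused on the `IPSEC=` line of the second loop. Whether the `sort -u` ordering of the lists makes that unreachable in practice cannot be told from here, so the pattern should demand a real delimiter, `sed -e "s/\(^\| \)$i\( \|$\)/\1/"`, on both lines. `grep ipsec` on the `IPSEC=` line is likewise unanchored and would also pick up any interface whose name merely contains that string; `grep '^ipsec'` is tighter if the names are known to start that way. `nm=$(nmofif $i)` passes `$i` unquoted, harmless for kernel interface names but inconsistent with the quoted `"$IPSEC"` tests around it.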
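Review bot: `$ip` and `$nm` are never assigned in this file, yet `igw=$(ipsec look | grep IPIP:.*src=$ip | ...)` and the `echo -e "#: $i\t$ip/$nm\t$cidrcollect"` line read them, so unless an earlier rule file happens to export them the grep degenerates to `IPIP:.*src=`, every IPsec interface is assigned the CIDRs of every tunnel, and the status line prints an empty `/`. The other new file, F50ipsec.def, obtains an interface's address through `ipnm_cache $i` and `$IPOFIF`/`$NMOFIF`, so the consistent fix appears to be `ipnm_cache $i` before the `igw=` line, `igw=$(ipsec look | grep "IPIP:.*src=$IPOFIF" | sed 's/^\([^[:blank:]]*\).*/\1/')` (quoting also stops the shell from treating `.*` as a glob), and `$IPOFIF/$NMOFIF` in the echo. `IPSECGW=""` is assigned and never read. The `eval` that defines `CIDROFIPSEC_${ii}` only maps `:` to `_` in the interface name, so a name containing any other character that is not legal in a variable name would make the eval fail; a comment such as `# assumes interface names contain only [A-Za-z0-9_:]` would record that assumption.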
@@ -0,0 +1,40 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+#: Forward packets among internal and IPsec networks
+if [ -n "$IPSEC" ]; then
+ for j in $IPSEC; do
+ jj=$(echo $j | sed -e 's/\:/_/g')
+ eval "CIDROFIPSEC=\$CIDROFIPSEC_$jj"
+ for DESTCIDR in $CIDROFIPSEC; do
+ for i in $INTERNAL; do
+ if [ "$i" != "$j" ]; then
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ if [ -n "$PEEROFIF" ]; then
+ $IPFWADM -F -a accept -S $PEEROFIF/$NMOFIF -D $DESTCIDR
+ fi
+ $IPFWADM -F -a accept -S $IPOFIF/$NMOFIF -D $DESTCIDR
+ ;;
+ ipchains)
+ if [ -n "$PEEROFIF" ]; then
+ $IPCHAINS --no-warnings -A forward -j ACCEPT -s $PEEROFIF/$NMOFIF -d $DESTCIDR
+ fi
+ $IPCHAINS --no-warnings -A forward -j ACCEPT -s $IPOFIF/$NMOFIF -d $DESTCIDR
+ ;;
+ netfilter)
+ if [ -n "$PEEROFIF" ]; then
+ $IPTABLES -A FORWARD -j ACCEPT -s $PEEROFIF/$NMOFIF -d $DESTCIDR
+ fi
+ $IPTABLES -A FORWARD -j ACCEPT -s $IPOFIF/$NMOFIF -d $DESTCIDR
+ ;;
+ esac
+ fi
+ done
+ done
+ done
+fi
-- 
cgit v1.2.3
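Review bot: The accept rules in all three `case` branches match on source and destination addresses only; the loop variable `$i` feeds `ipnm_cache $i` but is never bound to the rule, so a packet carrying a source inside an internal subnet is forwarded to `$DESTCIDR` whichever interface it arrived on. Unless an earlier rule file already rejects spoofed sources per interface, binding the input interface (`-i $i` for the ipchains and iptables lines, `-W $i` for ipfwadm) would tie each rule to the interface whose addresses it was computed for. The three branches differ only in command prefix and flag spelling, so a comment noting that they must be kept in step, or a small helper taking the prefix, would reduce the chance of one branch drifting. The `[ "$i" != "$j" ]` test is redundant if A01interfaces_ipsec.def has already removed the IPsec interfaces from INTERNAL, but harmless.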