Add rule to allow IPsec AH protected VRRP traffic.

According to RFC 2338 section 5.3.6.3, VRRP exchanges can be integrity protected using IPsec AH. Patch contributed by Joerg Marx.
2026-03-23 11:47:24 +01:00 · 2010-03-19 14:09:04 +00:00 · 2010-03-19 14:09:04 +00:00 · 149d96a75c
commit 149d96a75c
parent b8f059fcf1
2 changed files with 16 additions and 1 deletions
--- a/src/ipt/ipt.cpp
+++ b/src/ipt/ipt.cpp
@ -122,6 +122,7 @@ int main(int argc, char **argv)
    init(argv);

    // register protocols we need
+    IPService::addNamedProtocol(51, "ah");
    IPService::addNamedProtocol(112, "vrrp");

    try
--- a/src/iptlib/PolicyCompiler_ipt.cpp
+++ b/src/iptlib/PolicyCompiler_ipt.cpp
@ -4867,7 +4867,7 @@ void PolicyCompiler_ipt::insertFailoverRule()
            "/FWBuilderResources/Target/protocols/openais/default_address");

    FWObjectTypedChildIterator interfaces = fw->findByType(Interface::TYPENAME);
-    for (; interfaces != interfaces.end(); ++interfaces) 
+    for (; interfaces != interfaces.end(); ++interfaces)
    {
        Interface *iface = Interface::cast(*interfaces);

@ -4908,6 +4908,20 @@ void PolicyCompiler_ipt::insertFailoverRule()
                addMgmtRule(NULL, vrrp_dst, vrrp_srv, iface,
                            PolicyRule::Both, PolicyRule::Accept,
                            "VRRP");
+
+                /*
+                 * Add AH-Service to database.
+                 * According to RFC 2338 section 5.3.6.3, VRRP can use IPsec AH.
+                 */
+                IPService* ah_srv = IPService::cast(
+                    dbcopy->create(IPService::TYPENAME));
+                ah_srv->setComment("IPSEC-AH");
+                ah_srv->setProtocolNumber(51);
+                dbcopy->add(ah_srv);
+
+                addMgmtRule(NULL, vrrp_dst, ah_srv, iface,
+                            PolicyRule::Both, PolicyRule::Accept,
+                            "VRRP (with IPSEC-AH)");
            }

            if (failover_group->getStr("type") == "heartbeat")