Prohibit binding against the IP reserved for IPSec.

Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to

    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666

3 files changed, 50 insertions, 27 deletions

diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
index e21d6ea..98bf42c 100755
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ b/roles/common/files/etc/network/if-up.d/ipsec
@@ -1,44 +1,56 @@
 #!/bin/sh
 #
 # A post-up/down hook to automatically create/delete a 'sec' VLAN
 # device, and a dedicated, host-scoped, IP for IPSec (v4 only).
 #
 # Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
 #
 # Licensed under the GNU GPL version 3 or higher.
 #
 
 set -ue
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
 
-if=sec0
-ip=172.16.0.1/32
+ifsec=sec0
+ipsec=172.16.0.1/32
+
+# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh.
+secmark=0xA99
 
 # Ignore the loopback interface and non inet4 families.
 [ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
 
 # Only the device with the default, globally-scoped route, is of
 # interest here.
 [ "$( /bin/ip -4 route show to default scope global \
     | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \
   = \
   "$IFACE" ] || exit 0
 
 case "$MODE" in
-    start) # Don't create $if if it's already there
-           /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" && exit 0
-        
-           # Create a new VLAN $IFACE on physical device $if. This is
-           # required otherwise charon thinks the left peer is that
-           # host-scoped, non-routable IP.
-           /bin/ip link    add link "$IFACE" name "$if" type vlan id 2713
-           /bin/ip address add "$ip" dev "$if" scope host
-           /bin/ip link    set dev "$if" up
+    start) # Don't create $ifsec if it's already there
+           if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
+               # Create a new VLAN $IFACE on physical device $ifsec. This is
+               # required otherwise charon thinks the left peer is that
+               # host-scoped, non-routable IP.
+               /bin/ip link    add link "$IFACE" name "$ifsec" type vlan id 2713
+               /bin/ip address add "$ipsec" dev "$ifsec" scope host
+               /bin/ip link    set dev "$ifsec" up
+           fi
+
+           # If a packet retained its mark that far, it means it has
+           # been SNAT'ed from $ipsec, and didn't have a xfrm
+           # association.  Hence we nullroute it to avoid leaking data.
+           /bin/ip rule  add fwmark "$secmark" table 666 priority 666 || true
+           /bin/ip route add prohibit default  table 666              || true
     ;;
-    stop)  # Don't create $if if it's no there
-           /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" || exit 0
-        
-           # Deactivate the VLAN
-           /bin/ip link set dev "$if" down
+    stop)  if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
+               # Deactivate the VLAN
+               /bin/ip link set dev "$ifsec" down
+           fi
+
+           # Delete the 'prohibit' rule
+           /bin/ip rule  del fwmark "$secmark" table 666 priority 666 || true
+           /bin/ip route flush table 666
     ;;
 esac
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index a8123f9..0907ffc 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -130,45 +130,47 @@ ipt-revert() {
         rm -f "${rss[$f]}"
     done
     exit 1
 }
 
 run() {
     # Build and apply the firewall for IPv4/6.
     local f="$1"
     local ipt=/sbin/$(inet46 $f iptables ip6tables)
     tables[$f]=filter
 
     # The default interface associated with this address.
     local if=$( /bin/ip -$f route show to default scope global \
               | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )
 
     # The virtual interface reserved for IPSec.
     local ifsec=$( /bin/ip -o -$f link show \
                  | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" )
 
     # The (host-scoped) IP reserved for IPSec.
-    local ipsec=
+    local ipsec= secmark
     if [ -n "$ifsec" -a $f = 4 ]; then
         tables[$f]='mangle nat filter'
         ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
                | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
+        # /!\ This mark much match that in /etc/network/if-up.d/ipsec.
+        secmark=0xA99
     fi
 
     # Store the old (current) ruleset
     local old=$(mktemp -t current-rules.v$f.XXXXXX) \
           new=$(mktemp -t new-rules.v$f.XXXXXX)
     for table in ${tables[$f]}; do
         $ipt-save -ct $table
     done > "$old"
     rss[$f]="$old"
 
     local fail2ban=0
     # XXX: As of Wheezy, fail2ban is IPv4 only.  See
     #      https://github.com/fail2ban/fail2ban/issues/39 for the current
     #      state of the art.
     if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then
         fail2ban=1
     fi
 
     # The usual chains in filter, along with the desired default policies.
     ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP
@@ -234,41 +236,41 @@ run() {
     fi
 
     # DROP INVALID packets immediately.
     iptables -A INPUT  -m state --state INVALID -j DROP
     iptables -A OUTPUT -m state --state INVALID -j DROP
 
     # DROP bogus TCP packets.
     iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
     iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
     # Allow all input/output to/from the loopback interface.
     local localhost=$(inet46 $f '127.0.0.1/32' '::1/128')
     iptables -A INPUT  -i lo -s "$localhost" -d "$localhost" -j ACCEPT
     iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
 
     if [ -n "$ipsec" ]; then
         # ACCEPT any, *IPSec* traffic destinating to the non-routable
         # $ipsec.  Also ACCEPT all traffic originating from $ipsec, as
         # it is MASQUERADE'd.
         iptables -A INPUT  -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT
-        iptables -A OUTPUT -s "$ipsec" -o $if -j ACCEPT
+        iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT
     fi
 
     # Prepare fail2ban.  We make fail2ban insert its rules in a
     # dedicated chain, so that it doesn't mess up the existing rules.
     [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
 
     if [ "$f" = 4 ]; then
         # Allow only ICMP of type 0, 3 and 8.  The rate-limiting is done
         # directly by the kernel (net.ipv4.icmp_ratelimit and
         # net.ipv4.icmp_ratemask runtime options).  See icmp(7).
         local t
         for t in  'echo-reply' 'destination-unreachable' 'echo-request'; do
             iptables -A INPUT  -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT
             iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT
         done
     elif [ $f = 6 ]; then
         iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT
     fi
 
 
@@ -305,56 +307,65 @@ run() {
             in|inout) iptNew="-A INPUT  -i";  iptEst="-A OUTPUT -o";;
             out)      iptNew="-A OUTPUT -o";  iptEst="-A INPUT  -i";;
             *) fatal "Error: Unknown direction: '$dir'."
         esac
 
         iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT
         iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT
     done
 
     ########################################################################
     commit
 
     if [ -n "$ipsec" ]; then
         # DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT
         # them before encapsulation.  We need to do the NAT'ing before
         # packets enter the IPSec stack because they are signed
         # afterwards, and NAT'ing would mess up the signature.
         ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \
                           FORWARD:DROP \
                           OUTPUT:ACCEPT POSTROUTING:ACCEPT
+
         # Packets which destination is $ipsec *must* be associated with
         # an IPSec policy.
         iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP
+
+        # Packets originating from our (non-routable) $ipsec are marked;
+        # if there is no xfrm lookup (i.e., no matching IPSec
+        # association), the packet will retain its mark and be null
+        # routed later on.  Otherwise, the packet is re-queued unmarked.
+        iptables -A OUTPUT -o $if -j MARK --set-mark 0x0
+        iptables -A OUTPUT -s "$ipsec" -o $if  -m policy --dir out --pol none \
+                     -j MARK --set-mark $secmark
         commit
 
         ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
                        OUTPUT:ACCEPT POSTROUTING:ACCEPT
-        # DNAT all marked packets after decapsulation.  Packets
-        # originating from our IPSec are SNAT'ed (MASQUERADE).  XXX:
-        # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't
-        # DROP packets not matching an IPSec policy. However, any reply
-        # not going through IPSec would be DROPped (thanks to the rule
-        # in mangle:INPUT above); this is the best we can do for now.
+
+        # DNAT all marked packets after decapsulation.
         iptables -A PREROUTING \! -d "$ipsec" -i $if \
                      -m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}"
-        iptables -A POSTROUTING -s "$ipsec" -o $if -j MASQUERADE
+
+        # Packets originating from our IPSec are SNAT'ed (MASQUERADE).
+        # (And null-routed later on unless there is an xfrm
+        # association.)
+        iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE
         commit
     fi
 
     ########################################################################
 
 
     local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
     local oldz=$(mktemp -t current-rules.v$f.XXXXXX)
 
     # Reset the counters.  They are not useful for comparing and/or
     # storing persistent ruleset.  (We don't use sed -i because we want
     # to restore the counters when reverting.)
     sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
            -e 's/^\[[0-9]+:[0-9]+\]\s+//' \
            "$old" > "$oldz"
 
     /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore || ipt-revert
 
     for table in ${tables[$f]}; do
        /bin/ip netns exec $netns $ipt-save -t $table
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 3d7a1dd..4c0a946 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -26,30 +26,30 @@
   template: src=etc/ipsec.secrets.j2
             dest=/etc/ipsec.secrets
             owner=root group=root
             mode=0600
   notify:
     - Restart IPSec
 
 - name: Configure IPSec
   template: src=etc/ipsec.conf.j2
             dest=/etc/ipsec.conf
             owner=root group=root
             mode=0644
   notify:
     - Restart IPSec
 
 - name: Auto-create a dedicated interface for IPSec
   copy: src=etc/network/if-up.d/ipsec
         dest=/etc/network/if-up.d/ipsec
         owner=root group=root
         mode=0755
+  notify:
+    - Reload networking
 
 # XXX: As of 1.3.1 ansible doesn't accept relative src.
 # See https://github.com/ansible/ansible/issues/4459
 - name: Auto-deactivate the dedicated interface for IPSec
   file: #src=../if-up.d/ipsec
         src=/etc/network/if-up.d/ipsec
         dest=/etc/network/if-down.d/ipsec
         owner=root group=root state=link
-  notify:
-    - Reload networking