Prohibit binding against the IP reserved for IPSec.

Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to

    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666

1 files changed, 20 insertions, 9 deletions

diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index a8123f9..0907ffc 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -130,45 +130,47 @@ ipt-revert() {
         rm -f "${rss[$f]}"
     done
     exit 1
 }
 
 run() {
     # Build and apply the firewall for IPv4/6.
     local f="$1"
     local ipt=/sbin/$(inet46 $f iptables ip6tables)
     tables[$f]=filter
 
     # The default interface associated with this address.
     local if=$( /bin/ip -$f route show to default scope global \
               | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )
 
     # The virtual interface reserved for IPSec.
     local ifsec=$( /bin/ip -o -$f link show \
                  | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" )
 
     # The (host-scoped) IP reserved for IPSec.
-    local ipsec=
+    local ipsec= secmark
     if [ -n "$ifsec" -a $f = 4 ]; then
         tables[$f]='mangle nat filter'
         ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
                | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
+        # /!\ This mark much match that in /etc/network/if-up.d/ipsec.
+        secmark=0xA99
     fi
 
     # Store the old (current) ruleset
     local old=$(mktemp -t current-rules.v$f.XXXXXX) \
           new=$(mktemp -t new-rules.v$f.XXXXXX)
     for table in ${tables[$f]}; do
         $ipt-save -ct $table
     done > "$old"
     rss[$f]="$old"
 
     local fail2ban=0
     # XXX: As of Wheezy, fail2ban is IPv4 only.  See
     #      https://github.com/fail2ban/fail2ban/issues/39 for the current
     #      state of the art.
     if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then
         fail2ban=1
     fi
 
     # The usual chains in filter, along with the desired default policies.
     ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP
@@ -234,41 +236,41 @@ run() {
     fi
 
     # DROP INVALID packets immediately.
     iptables -A INPUT  -m state --state INVALID -j DROP
     iptables -A OUTPUT -m state --state INVALID -j DROP
 
     # DROP bogus TCP packets.
     iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
     iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
     # Allow all input/output to/from the loopback interface.
     local localhost=$(inet46 $f '127.0.0.1/32' '::1/128')
     iptables -A INPUT  -i lo -s "$localhost" -d "$localhost" -j ACCEPT
     iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
 
     if [ -n "$ipsec" ]; then
         # ACCEPT any, *IPSec* traffic destinating to the non-routable
         # $ipsec.  Also ACCEPT all traffic originating from $ipsec, as
         # it is MASQUERADE'd.
         iptables -A INPUT  -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT
-        iptables -A OUTPUT -s "$ipsec" -o $if -j ACCEPT
+        iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT
     fi
 
     # Prepare fail2ban.  We make fail2ban insert its rules in a
     # dedicated chain, so that it doesn't mess up the existing rules.
     [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
 
     if [ "$f" = 4 ]; then
         # Allow only ICMP of type 0, 3 and 8.  The rate-limiting is done
         # directly by the kernel (net.ipv4.icmp_ratelimit and
         # net.ipv4.icmp_ratemask runtime options).  See icmp(7).
         local t
         for t in  'echo-reply' 'destination-unreachable' 'echo-request'; do
             iptables -A INPUT  -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT
             iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT
         done
     elif [ $f = 6 ]; then
         iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT
     fi
 
 
@@ -305,56 +307,65 @@ run() {
             in|inout) iptNew="-A INPUT  -i";  iptEst="-A OUTPUT -o";;
             out)      iptNew="-A OUTPUT -o";  iptEst="-A INPUT  -i";;
             *) fatal "Error: Unknown direction: '$dir'."
         esac
 
         iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT
         iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT
     done
 
     ########################################################################
     commit
 
     if [ -n "$ipsec" ]; then
         # DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT
         # them before encapsulation.  We need to do the NAT'ing before
         # packets enter the IPSec stack because they are signed
         # afterwards, and NAT'ing would mess up the signature.
         ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \
                           FORWARD:DROP \
                           OUTPUT:ACCEPT POSTROUTING:ACCEPT
+
         # Packets which destination is $ipsec *must* be associated with
         # an IPSec policy.
         iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP
+
+        # Packets originating from our (non-routable) $ipsec are marked;
+        # if there is no xfrm lookup (i.e., no matching IPSec
+        # association), the packet will retain its mark and be null
+        # routed later on.  Otherwise, the packet is re-queued unmarked.
+        iptables -A OUTPUT -o $if -j MARK --set-mark 0x0
+        iptables -A OUTPUT -s "$ipsec" -o $if  -m policy --dir out --pol none \
+                     -j MARK --set-mark $secmark
         commit
 
         ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
                        OUTPUT:ACCEPT POSTROUTING:ACCEPT
-        # DNAT all marked packets after decapsulation.  Packets
-        # originating from our IPSec are SNAT'ed (MASQUERADE).  XXX:
-        # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't
-        # DROP packets not matching an IPSec policy. However, any reply
-        # not going through IPSec would be DROPped (thanks to the rule
-        # in mangle:INPUT above); this is the best we can do for now.
+
+        # DNAT all marked packets after decapsulation.
         iptables -A PREROUTING \! -d "$ipsec" -i $if \
                      -m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}"
-        iptables -A POSTROUTING -s "$ipsec" -o $if -j MASQUERADE
+
+        # Packets originating from our IPSec are SNAT'ed (MASQUERADE).
+        # (And null-routed later on unless there is an xfrm
+        # association.)
+        iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE
         commit
     fi
 
     ########################################################################
 
 
     local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
     local oldz=$(mktemp -t current-rules.v$f.XXXXXX)
 
     # Reset the counters.  They are not useful for comparing and/or
     # storing persistent ruleset.  (We don't use sed -i because we want
     # to restore the counters when reverting.)
     sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
            -e 's/^\[[0-9]+:[0-9]+\]\s+//' \
            "$old" > "$oldz"
 
     /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore || ipt-revert
 
     for table in ${tables[$f]}; do
        /bin/ip netns exec $netns $ipt-save -t $table