| author | Guilhem Moulin <guilhem@fripost.org> | 2013-11-04 00:31:43 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:38 +0200 |
| commit | 67c5135625d3553dcb6f2bfc193df24c0e1ab826 (patch) | |
| tree | 21d5c3c18a1531e445cd1c0dad9ac76a358f7321 /roles/common/tasks | |
| parent | ad9c840c40d923e0fd1b04a57274cc2ec2e381ec (diff) | |
Prohibit binding against the IP reserved for IPSec.
Packets originating from our (non-routable) $ipsec are marked; if there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
ip rule add fwmark "$secmark" table 666 priority 666
ip route add blackhole default table 666
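The fail-closed null route the commit message describes, as an added shell example that is not code from this repository: it emits the setup commands and checks `ip rule` / `ip route show table` output for both halves. The mangle-table MARK rule is an assumption (the page only says the packets are marked); the address and mark value are constructed.

```shell
#!/bin/sh
# Added example, not code from the repository: build and verify the fail-closed
# null route for packets marked with $secmark that miss the IPsec (xfrm) lookup.
# Assumption: marking is done with an iptables MARK rule in the mangle OUTPUT
# chain; the page only says the packets "are marked".

# Print the commands installing the mark, the fwmark policy rule and the
# blackhole default route (table and rule priority both default to 666).
null_route_cmds() {
  ipsec="$1" secmark="$2" table="${3:-666}"
  cat <<EOF
iptables -t mangle -A OUTPUT -s $ipsec -j MARK --set-mark $secmark
ip rule add fwmark $secmark table $table priority $table
ip route add blackhole default table $table
EOF
}

# Given the output of "ip rule show" and "ip route show table <table>", return 0
# only if both halves of the null route are present; iproute2 prints the mark
# in hex, so the decimal $secmark is converted before matching.
verify_null_route() {
  secmark="$1" table="$2" rules="$3" routes="$4"
  hexmark=$(printf '0x%x' "$secmark")
  printf '%s\n' "$rules" |
    grep -Eq "fwmark $hexmark(/[0-9a-fx]+)? lookup $table( |\$)" || return 1
  printf '%s\n' "$routes" | grep -Eq '^blackhole default( |$)' || return 1
  return 0
}

# Constructed sample output (what a correctly configured host would print).
SAMPLE_RULES=$(printf '0:\tfrom all lookup local\n666:\tfrom all fwmark 0x2a lookup 666\n32766:\tfrom all lookup main\n')
SAMPLE_ROUTES='blackhole default'

null_route_cmds 10.255.0.1 42
if verify_null_route 42 666 "$SAMPLE_RULES" "$SAMPLE_ROUTES"; then
  echo "null route for fwmark 42 is in place"
fi
```

On a live host, feed `verify_null_route` the real output of `ip rule show` and `ip route show table 666`; the rule priority is not checked, only the fwmark-to-table binding and the blackhole.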
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/ipsec.yml | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index 3d7a1dd..4c0a946 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -43,6 +43,8 @@ dest=/etc/network/if-up.d/ipsec owner=root group=root mode=0755 + notify: + - Reload networking # XXX: As of 1.3.1 ansible doesn't accept relative src. # See https://github.com/ansible/ansible/issues/4459 @@ -51,5 +53,3 @@ src=/etc/network/if-up.d/ipsec dest=/etc/network/if-down.d/ipsec owner=root group=root state=link - notify: - - Reload networking |
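Review bot: the `notify: - Reload networking` added to the if-up.d/ipsec task in the first hunk fires whenever the hook script content changes, which is the right trigger, but the handler definition is not visible on this page; confirm a handler named exactly `Reload networking` exists in the role, since Ansible fails at play time when a notified handler is not found. In this flattened view the indentation of `notify:` relative to `dest=` / `mode=0755` cannot be checked either; it must sit at task-key level, not inside the module argument string.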
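Review bot: with the notify dropped from the if-down.d symlink task in the second hunk, a run that only creates or repairs the symlink while the script is unchanged no longer reloads networking, so the if-down hook is not exercised until the next interface cycle. That is probably the intended narrowing (the script content is what matters), but the commit message only discusses the null route and says nothing about why the handler moved; one sentence on that would help, especially since the diffstat is limited to roles/common/tasks and the rest of the change is not shown here.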