summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-18 01:15:43 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-18 01:15:45 +0200
commitab0bf1867d9946c1fac57e8ec2bdff1ad07aff33 (patch)
treecec3f03a375616e22e99d40d1b0edb95d290dcd3 /roles
parent3c7c834a37802e5ca5d93a4b4a91dde3264d9f5d (diff)
Firewall: Use `meta secpath exists` to match xfrm associations.
Marking incoming ESP packets and matching decapsulated packets doesn't work with NAT traverslate (UDP encapsulation aka MOBIKE).
Diffstat (limited to 'roles')
-rwxr-xr-xroles/common/templates/etc/nftables.conf.j221
1 files changed, 12 insertions, 9 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 3104a4a..2261994 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -56,13 +56,15 @@ table inet filter {
iif lo accept
- # XXX Bullseye: this is a hack for the lack of reqid matches in
- # nftables: we mark the esp packet and accept after decapsulation
+ # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions
+ # to match match inbound resp. outbound policies and source resp. destination tunnel addresses.
# https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
# https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
- define IPsec.mark = 0x220
- meta l4proto esp mark set mark | $IPsec.mark accept
- ip saddr 172.16.0.0/24 ip daddr {{ ipsec[inventory_hostname_short] }} mark & $IPsec.mark == $IPsec.mark accept
+ # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP
+ # encapsulation.)
+ meta l4proto esp accept
+ # ipsec in ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} accept
+ ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
# rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options)
icmp type { echo-reply, echo-request, destination-unreachable } counter accept
@@ -104,11 +106,12 @@ table inet filter {
oif lo accept
- # XXX Bullseye: unlike for input we can't use marks here,
- # because by the time we see a packet to 172.16.0.0/24 we don't
- # know if it'll be encapsulated
+ # XXX Bullseye: unlike for input we can't use marks or test for
+ # secpath existence here, because by the time we see a packet to
+ # 172.16.0.0/24 we don't know if it'll be encapsulated
meta l4proto esp accept
- ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr 172.16.0.0/24 accept
+ # ipsec out ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
+ ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
meta l4proto { icmp, icmpv6 } accept