summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc/network/if-up.d/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files/etc/network/if-up.d/ipsec')
-rwxr-xr-xroles/common/files/etc/network/if-up.d/ipsec5
1 files changed, 4 insertions, 1 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
index 98bf42c..a43af6c 100755
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ b/roles/common/files/etc/network/if-up.d/ipsec
@@ -40,7 +40,10 @@ case "$MODE" in
# If a packet retained its mark that far, it means it has
# been SNAT'ed from $ipsec, and didn't have a xfrm
- # association. Hence we nullroute it to avoid leaking data.
+ # association. Hence we nullroute it to avoid to leak data
+ # intented to be tunneled through IPSec. /!\ The priority
+ # must be >220 (strongSwan IPSec's policy) since xfrm lookup
+ # must take precedence.
/bin/ip rule add fwmark "$secmark" table 666 priority 666 || true
/bin/ip route add prohibit default table 666 || true
;;