diff options
Diffstat (limited to 'roles/common/files/etc/network/if-up.d')
| -rwxr-xr-x | roles/common/files/etc/network/if-up.d/ipsec | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec index 98bf42c..a43af6c 100755 --- a/roles/common/files/etc/network/if-up.d/ipsec +++ b/roles/common/files/etc/network/if-up.d/ipsec @@ -23,34 +23,37 @@ secmark=0xA99 # Only the device with the default, globally-scoped route, is of # interest here. [ "$( /bin/ip -4 route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \ = \ "$IFACE" ] || exit 0 case "$MODE" in start) # Don't create $ifsec if it's already there if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then # Create a new VLAN $IFACE on physical device $ifsec. This is # required otherwise charon thinks the left peer is that # host-scoped, non-routable IP. /bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713 /bin/ip address add "$ipsec" dev "$ifsec" scope host /bin/ip link set dev "$ifsec" up fi # If a packet retained its mark that far, it means it has # been SNAT'ed from $ipsec, and didn't have a xfrm - # association. Hence we nullroute it to avoid leaking data. + # association. Hence we nullroute it to avoid to leak data + # intented to be tunneled through IPSec. /!\ The priority + # must be >220 (strongSwan IPSec's policy) since xfrm lookup + # must take precedence. /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true /bin/ip route add prohibit default table 666 || true ;; stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then # Deactivate the VLAN /bin/ip link set dev "$ifsec" down fi # Delete the 'prohibit' rule /bin/ip rule del fwmark "$secmark" table 666 priority 666 || true /bin/ip route flush table 666 ;; esac |