From 67c5135625d3553dcb6f2bfc193df24c0e1ab826 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 4 Nov 2013 00:31:43 +0100
Subject: Prohibit binding against the IP reserved for IPSec.

Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
---
 roles/common/tasks/ipsec.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'roles/common/tasks/ipsec.yml')

diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 3d7a1dd..4c0a946 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -43,6 +43,8 @@
 dest=/etc/network/if-up.d/ipsec owner=root group=root mode=0755
+ notify:
+ - Reload networking
 # XXX: As of 1.3.1 ansible doesn't accept relative src.
 # See https://github.com/ansible/ansible/issues/4459
@@ -51,5 +53,3 @@
 src=/etc/network/if-up.d/ipsec dest=/etc/network/if-down.d/ipsec owner=root group=root state=link
- notify:
- - Reload networking
-- 
cgit v1.2.3
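Review bot: After the first hunk the `Reload networking` handler fires only when the copied `/etc/network/if-up.d/ipsec` script changes, and the second hunk drops the notify from the `if-down.d` symlink task, so a host where the script is already current but the symlink is missing will get the link created without a networking reload; that is probably intended (the link points at the same script), but nothing in the file says so. A one-line comment above the added `notify:`, e.g. `# Reload only when the script itself changes; if-down.d/ipsec is a symlink to it`, would record the decision. Please also check that the added `notify:` sits at the task's key level, as a sibling of the module key above the hunk, rather than being absorbed into the module's `key=value` continuation lines; the task's `name:` and `src=` lines lie before the hunk. Since the commit message says the hook installs a fwmark rule and a blackhole route, a reload triggered by a faulty script could affect the host's own connectivity, so the handler is worth running against a test host before it is applied fleet-wide.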