From bc41db5237d188c339d25d96a20465e488ea5475 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 8 Sep 2024 02:32:24 +0200
Subject: Firewall: Harden IPsec configuration by pining the reqids.

---
 roles/common/templates/etc/ipsec.conf.j2    |  1 +
 roles/common/templates/etc/nftables.conf.j2 | 29 +++++++++++++++--------------
 2 files changed, 16 insertions(+), 14 deletions(-)

(limited to 'roles/common/templates')

diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index e7505b4..eaa9a08 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -37,6 +37,7 @@ conn {{ hostvars[host].inventory_hostname_short }}
 {% endif %}
     rightsigkey   = {{ hostvars[host].inventory_hostname_short }}.pem
     rightsubnet   = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 }}/32
+    reqid         = {{ ipsec[ hostvars[host].inventory_hostname_short ].replace(":",".").split(".")[-1] }}
 {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
     mobike        = yes
 {% endif %}
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 805d1a8..f603ed9 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -155,16 +155,8 @@ table inet filter {
 
         iif lo accept
 
-        # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions
-        # to match match inbound resp. outbound policies and source resp. destination tunnel addresses.
-        # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
-        # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
-        # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP
-        # encapsulation.)  We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way
-        # peers can't impersonate each other.
         meta l4proto esp accept
-        # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept
-        ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
+        ip daddr {{ ipsec[inventory_hostname_short] }} jump ipsec-in
 
         # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already
         meta l4proto { icmp, icmpv6 } counter accept
@@ -200,12 +192,8 @@ table inet filter {
 
         oif lo accept
 
-        # XXX Bullseye: unlike for input we can't use marks or test for
-        # secpath existence here, because by the time we see a packet to
-        # 172.16.0.0/24 we don't know if it'll be encapsulated
         meta l4proto esp accept
-        # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept
-        ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
+        ip saddr {{ ipsec[inventory_hostname_short] }} jump ipsec-out
 
         meta l4proto { icmp, icmpv6 } counter accept
 
@@ -234,4 +222,17 @@ table inet filter {
         meta l4proto udp counter reject
         counter reject
     }
+
+    chain ipsec-in {
+{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %}
+        ip saddr {{ ipsec[h] }} ipsec in reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept
+{% endfor %}
+        log prefix "ipsec-in " drop
+    }
+    chain ipsec-out {
+{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %}
+        ip daddr {{ ipsec[h] }} ipsec out reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept
+{% endfor %}
+        log prefix "ipsec-out " drop
+    }
 }
-- 
cgit v1.2.3