blob: 4a84112a3c784193fc13566d3c368ebb5222929c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
#!/bin/sh
# A post-up/down hook to automatically create/delete a 'sec' VLAN
# device, and a dedicated, host-scoped, IP for IPSec (v4 only).
# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -ue
PATH=/usr/sbin:/usr/bin:/sbin:/bin
ifsec=sec0
ipsec=172.16.0.1/32
# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh.
secmark=0xA99
# Ignore the loopback interface and non inet4 families.
[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
# Only the device with the default, globally-scoped route, is of
# interest here.
[ "$( /bin/ip -4 route show to default scope global \
| sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \
= \
"$IFACE" ] || exit 0
case "$MODE" in
start) # Don't create $ifsec if it's already there
if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
# Create a new VLAN $IFACE on physical device $ifsec. This is
# required otherwise charon thinks the left peer is that
# host-scoped, non-routable IP.
/bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713
/bin/ip address add "$ipsec" dev "$ifsec" scope host
/bin/ip link set dev "$ifsec" up
fi
# If a packet retained its mark that far, it means it has
# been SNAT'ed from $ipsec, and didn't have a xfrm
# association. Hence we nullroute it to avoid to leak data
# intented to be tunneled through IPSec. /!\ The priority
# must be >220 (which the one used by strongSwan IPSec) since
# xfrm lookup must take precedence.
/bin/ip rule add fwmark "$secmark" table 666 priority 666 || true
/bin/ip route add prohibit default table 666 || true
;;
stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
# Deactivate the VLAN
/bin/ip link set dev "$ifsec" down
fi
# Delete the 'prohibit' rule
/bin/ip rule del fwmark "$secmark" table 666 priority 666 || true
/bin/ip route flush table 666
;;
esac
|
