summaryrefslogtreecommitdiffstats
path: root/sysconfig
diff options
context:
space:
mode:
authorMiloslav Trmac <mitr@volny.cz>2006-07-08 01:29:42 +0000
committerMiloslav Trmac <mitr@volny.cz>2006-07-08 01:29:42 +0000
commit59246de763ead6ad4f7b8c7d8b2bb847e45f7865 (patch)
treee048a2f0ad82c04ad1e2374cfb5c5fc2f2d19669 /sysconfig
parent76afb000ffb6eaeb9bcc07f005dc0d29ee928b8b (diff)
downloadinitscripts-59246de763ead6ad4f7b8c7d8b2bb847e45f7865.tar.gz
initscripts-59246de763ead6ad4f7b8c7d8b2bb847e45f7865.tar.xz
initscripts-59246de763ead6ad4f7b8c7d8b2bb847e45f7865.zip
Prevent IPsec tunelling of local traffic when tunnel subnets overlap (#150862)
Diffstat (limited to 'sysconfig')
-rwxr-xr-xsysconfig/network-scripts/ifdown-ipsec13
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec26
2 files changed, 29 insertions, 10 deletions
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
index 722c12df..3b03e277 100755
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ b/sysconfig/network-scripts/ifdown-ipsec
@@ -37,6 +37,14 @@ fi
if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
MODE=tunnel
+ [ -z "$SRCNET" ] && SRCNET="$SRC/32"
+ [ -z "$DSTNET" ] && DSTNET="$DST/32"
+ # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
+ if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
+ && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
+ = "NETWORK=${DSTNET%%/*}" ]; then
+ EXCLUDE_SRCNET=yes
+ fi
else
MODE=host
fi
@@ -60,15 +68,14 @@ if [ "$MODE" = "host" ]; then
spddelete $DST $SRC any -P in;
EOF
else
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
-
[ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
ip route del to $DSTNET via $SRCGW src $SRCGW
/sbin/setkey -c >/dev/null 2>&1 << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
+ ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
+ ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
EOF
fi
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index 00943045..017414d9 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -101,6 +101,14 @@ fi
if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
MODE=tunnel
+ [ -z "$SRCNET" ] && SRCNET="$SRC/32"
+ [ -z "$DSTNET" ] && DSTNET="$DST/32"
+ # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
+ if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
+ && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
+ = "NETWORK=${DSTNET%%/*}" ]; then
+ EXCLUDE_SRCNET=yes
+ fi
else
MODE=host
fi
@@ -148,9 +156,6 @@ spdadd $DST $SRC any -P in ipsec
;
EOF
else
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
-
[ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
ip route add to $DSTNET via $SRCGW src $SRCGW
@@ -161,6 +166,8 @@ ${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
# ESP
${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
@@ -170,6 +177,9 @@ ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;}
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;}
+
spdadd $SRCNET $DSTNET any -P out ipsec
${KEY_ESP_OUT:+esp/tunnel/$SRC-$DST/require}
${KEY_AH_OUT:+ah/tunnel/$SRC-$DST/require}
@@ -203,15 +213,17 @@ spdadd $DST $SRC any -P in ipsec
;
EOF
else
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
-
[ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
ip route add to $DSTNET via $SRCGW src $SRCGW
-
+
/sbin/setkey -c >/dev/null 2>&1 << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
+
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;}
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;}
spdadd $SRCNET $DSTNET any -P out ipsec
esp/tunnel/$SRC-$DST/require