diff options
author | Miloslav Trmac <mitr@volny.cz> | 2006-07-08 01:29:42 +0000 |
---|---|---|
committer | Miloslav Trmac <mitr@volny.cz> | 2006-07-08 01:29:42 +0000 |
commit | 59246de763ead6ad4f7b8c7d8b2bb847e45f7865 (patch) | |
tree | e048a2f0ad82c04ad1e2374cfb5c5fc2f2d19669 /sysconfig | |
parent | 76afb000ffb6eaeb9bcc07f005dc0d29ee928b8b (diff) | |
download | initscripts-59246de763ead6ad4f7b8c7d8b2bb847e45f7865.tar.gz initscripts-59246de763ead6ad4f7b8c7d8b2bb847e45f7865.tar.xz initscripts-59246de763ead6ad4f7b8c7d8b2bb847e45f7865.zip |
Prevent IPsec tunelling of local traffic when tunnel subnets overlap (#150862)
Diffstat (limited to 'sysconfig')
-rwxr-xr-x | sysconfig/network-scripts/ifdown-ipsec | 13 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipsec | 26 |
2 files changed, 29 insertions, 10 deletions
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec index 722c12df..3b03e277 100755 --- a/sysconfig/network-scripts/ifdown-ipsec +++ b/sysconfig/network-scripts/ifdown-ipsec @@ -37,6 +37,14 @@ fi if [ -n "$SRCNET" -o -n "$DSTNET" ]; then MODE=tunnel + [ -z "$SRCNET" ] && SRCNET="$SRC/32" + [ -z "$DSTNET" ] && DSTNET="$DST/32" + # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication + if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \ + && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \ + = "NETWORK=${DSTNET%%/*}" ]; then + EXCLUDE_SRCNET=yes + fi else MODE=host fi @@ -60,15 +68,14 @@ if [ "$MODE" = "host" ]; then spddelete $DST $SRC any -P in; EOF else - [ -z "$SRCNET" ] && SRCNET="$SRC/32" - [ -z "$DSTNET" ] && DSTNET="$DST/32" - [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"` ip route del to $DSTNET via $SRCGW src $SRCGW /sbin/setkey -c >/dev/null 2>&1 << EOF spddelete $SRCNET $DSTNET any -P out; spddelete $DSTNET $SRCNET any -P in; + ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;} + ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;} EOF fi diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec index 00943045..017414d9 100755 --- a/sysconfig/network-scripts/ifup-ipsec +++ b/sysconfig/network-scripts/ifup-ipsec @@ -101,6 +101,14 @@ fi if [ -n "$SRCNET" -o -n "$DSTNET" ]; then MODE=tunnel + [ -z "$SRCNET" ] && SRCNET="$SRC/32" + [ -z "$DSTNET" ] && DSTNET="$DST/32" + # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication + if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \ + && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \ + = "NETWORK=${DSTNET%%/*}" ]; then + EXCLUDE_SRCNET=yes + fi else MODE=host fi @@ -148,9 +156,6 @@ spdadd $DST $SRC any -P in ipsec ; EOF else - [ -z "$SRCNET" ] && SRCNET="$SRC/32" - [ -z "$DSTNET" ] && DSTNET="$DST/32" - [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"` ip route add to $DSTNET via $SRCGW src $SRCGW @@ -161,6 +166,8 @@ ${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;} ${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;} spddelete $SRCNET $DSTNET any -P out; spddelete $DSTNET $SRCNET any -P in; +${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;} +${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;} # ESP ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;} @@ -170,6 +177,9 @@ ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} ${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} +${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;} +${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;} + spdadd $SRCNET $DSTNET any -P out ipsec ${KEY_ESP_OUT:+esp/tunnel/$SRC-$DST/require} ${KEY_AH_OUT:+ah/tunnel/$SRC-$DST/require} @@ -203,15 +213,17 @@ spdadd $DST $SRC any -P in ipsec ; EOF else - [ -z "$SRCNET" ] && SRCNET="$SRC/32" - [ -z "$DSTNET" ] && DSTNET="$DST/32" - [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"` ip route add to $DSTNET via $SRCGW src $SRCGW - + /sbin/setkey -c >/dev/null 2>&1 << EOF spddelete $SRCNET $DSTNET any -P out; spddelete $DSTNET $SRCNET any -P in; +${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;} +${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;} + +${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;} +${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;} spdadd $SRCNET $DSTNET any -P out ipsec esp/tunnel/$SRC-$DST/require |