updown: Allow IPIP traffic if IPComp was negotiated

The kernel implicitly creates an IPIP SA if an IPComp SA is installed. This SA is used inbound for small packets that are not compressed. Since the addresses are different (they are the tunnel addresses not those of the tunneled traffic) additional rules are required if the traffic selector does not cover the tunnel addresses (e.g. due to a NAT). For SAs with multiple traffic selectors duplicate rules will get installed.
2013-11-07 17:50:02 +01:00 · 2013-11-07 17:50:02 +01:00 · 6d1198e71d
parent cf4a7395aa
commit 6d1198e71d
1 changed files with 31 additions and 0 deletions
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@ -414,6 +414,14 @@ up-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed)
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection setup
 	if [ $VPN_LOGGING ]
 	then
@ -438,6 +446,13 @@ down-host:iptables)
 	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
 	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec host connection teardown
 	if [ $VPN_LOGGING ]
 	then
@ -477,6 +492,15 @@ up-client:iptables)
 	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# allow IPIP traffic because of the implicit SA created by the kernel if
+	# IPComp is used (for small inbound packets that are not compressed).
+	# INPUT is correct here even for forwarded traffic.
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection setup
 	if [ $VPN_LOGGING ]
 	then
@ -520,6 +544,13 @@ down-client:iptables)
 	         $IPSEC_POLICY_OUT -j ACCEPT
 	fi
 	#
+	# IPIP exception teardown
+	if [ -n "$PLUTO_IPCOMP" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
 	# log IPsec client connection teardown
 	if [ $VPN_LOGGING ]
 	then