From 59246de763ead6ad4f7b8c7d8b2bb847e45f7865 Mon Sep 17 00:00:00 2001
From: Miloslav Trmac
Date: Sat, 8 Jul 2006 01:29:42 +0000
Subject: Prevent IPsec tunelling of local traffic when tunnel subnets overlap (#150862)
---
 sysconfig/network-scripts/ifdown-ipsec | 13 ++++++++++---
 sysconfig/network-scripts/ifup-ipsec | 26 +++++++++++++++++++-------
 2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
index 722c12df..3b03e277 100755
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ b/sysconfig/network-scripts/ifdown-ipsec
@@ -37,6 +37,14 @@ fi
 if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
 MODE=tunnel
+ [ -z "$SRCNET" ] && SRCNET="$SRC/32"
+ [ -z "$DSTNET" ] && DSTNET="$DST/32"
+ # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
+ if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
+ && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
+ = "NETWORK=${DSTNET%%/*}" ]; then
+ EXCLUDE_SRCNET=yes
+ fi
 else
 MODE=host
 fi
@@ -60,15 +68,14 @@ if [ "$MODE" = "host" ]; then
 spddelete $DST $SRC any -P in;
 EOF
 else
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
- [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
 ip route del to $DSTNET via $SRCGW src $SRCGW
 /sbin/setkey -c >/dev/null 2>&1 << EOF
 spddelete $SRCNET $DSTNET any -P out;
 spddelete $DSTNET $SRCNET any -P in;
+ ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
+ ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
 EOF
 fi
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index 00943045..017414d9 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
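Review bot: The subnet test on the new `if` line compares ipcalc's normalized output against `${DSTNET%%/*}` taken verbatim from the configuration, so a DSTNET written with host bits set (constructed example: DSTNET=10.0.1.5/16) never equals `NETWORK=10.0.0.0`, EXCLUDE_SRCNET stays unset and SRCNET<->SRCNET traffic is still tunnelled. Normalizing both sides closes the gap: `[ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" = "$(ipcalc -n "$DSTNET")" ]`. The preceding `-gt` test also assumes both suffixes are numeric prefix lengths; with a dotted netmask, which ipcalc accepts, `[` reports an integer-expression error and the exclusion is again skipped silently, so the comment above it should state the expected CIDR form. The identical block is added to ifup-ipsec in the @@ -101 hunk and must stay in step, since ifdown recomputes EXCLUDE_SRCNET to decide which policies to delete.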
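Review bot: The `[ -z "$SRCGW" ] && SRCGW=...` default removed here is not re-added by the new defaults in the @@ -37 hunk, yet the context line `ip route del to $DSTNET via $SRCGW src $SRCGW` still relies on it; unless SRCGW is defaulted elsewhere above these hunks, a configuration that omits SRCGW now runs `ip route del ... via src`, which fails and leaves the tunnel route in place. The same three lines are removed in ifup-ipsec at @@ -148 and @@ -203, where the matching `ip route add` would fail and the tunnel would come up without its route. If the intent was to move the default next to the other two, it needs the new SRCNET default first, e.g. `[ -z "$SRCGW" ] && SRCGW=$(ip -o route get to "$SRCNET" | sed "s|.*src \([^ ]*\).*|\1|")` placed after `DSTNET="$DST/32"`. The `else` branch edited here closes at the visible `fi`.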
@@ -101,6 +101,14 @@ fi
 if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
 MODE=tunnel
+ [ -z "$SRCNET" ] && SRCNET="$SRC/32"
+ [ -z "$DSTNET" ] && DSTNET="$DST/32"
+ # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
+ if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
+ && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
+ = "NETWORK=${DSTNET%%/*}" ]; then
+ EXCLUDE_SRCNET=yes
+ fi
 else
 MODE=host
 fi
@@ -148,9 +156,6 @@ spdadd $DST $SRC any -P in ipsec
 ;
 EOF
 else
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
- [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
 ip route add to $DSTNET via $SRCGW src $SRCGW
@@ -161,6 +166,8 @@ ${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
 ${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
 spddelete $SRCNET $DSTNET any -P out;
 spddelete $DSTNET $SRCNET any -P in;
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
 # ESP
 ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
@@ -170,6 +177,9 @@ ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP
 ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
 ${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;}
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;}
+
 spdadd $SRCNET $DSTNET any -P out ipsec
 ${KEY_ESP_OUT:+esp/tunnel/$SRC-$DST/require}
 ${KEY_AH_OUT:+ah/tunnel/$SRC-$DST/require}
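Review bot: The `spdadd $SRCNET $SRCNET any -P out none;` / `-P in none;` entries in the @@ -170 hunk overlap the `spdadd $SRCNET $DSTNET any -P out ipsec` policy that follows (SRCNET lies inside DSTNET whenever EXCLUDE_SRCNET is set), so whether local traffic actually bypasses the tunnel depends on how the SPD ranks two matching policies, and the hunk relies on insertion order without saying so. A comment beside the new lines would make the contract explicit — `# keep the "none" policies ahead of the SRCNET->DSTNET tunnel policy: both match SRCNET<->SRCNET traffic` — and, if this ipsec-tools build accepts setkey's `prio` specification, pinning the ranking there would not depend on order at all. Running `setkey -DP` after ifup and confirming the `none` policies precede the tunnel policy is the check worth adding to the bug's test plan. The same pair is added in the racoon branch at @@ -203 and should carry the same comment; the setkey heredoc holding these lines starts and ends outside this hunk.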
@@ -203,15 +213,17 @@ spdadd $DST $SRC any -P in ipsec
 ;
 EOF
 else
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
- [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
 ip route add to $DSTNET via $SRCGW src $SRCGW
-
+
 /sbin/setkey -c >/dev/null 2>&1 << EOF
 spddelete $SRCNET $DSTNET any -P out;
 spddelete $DSTNET $SRCNET any -P in;
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
+${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
+
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P out none;}
+${EXCLUDE_SRCNET:+spdadd $SRCNET $SRCNET any -P in none;}
 spdadd $SRCNET $DSTNET any -P out ipsec
 esp/tunnel/$SRC-$DST/require
--
cgit v1.2.1