From 29cc08a8be9823fe10c873a43ecc1fc38c2dd1bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastian=20M=C3=A4user?=
Date: Tue, 3 Aug 2021 11:37:19 +0200
Subject: [PATCH] exip_ip: add rule to avoid VPN loops
---
 .gitignore | 1 +
 roles/exit_ip/templates/rules.v4.j2 | 4 +++-
 roles/exit_ip/templates/rules.v6.j2 | 4 +++-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index b482e5e..18a3f12 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ __pycache__
 site.retry
 *.pyc
+ff-ansible.code-workspace
diff --git a/roles/exit_ip/templates/rules.v4.j2 b/roles/exit_ip/templates/rules.v4.j2
index 4697353..fa6f2eb 100644
--- a/roles/exit_ip/templates/rules.v4.j2
+++ b/roles/exit_ip/templates/rules.v4.j2
@@ -8,8 +8,10 @@ COMMIT
 *filter
 :INPUT ACCEPT [1124:131621]
--A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
 -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [1151:175226]
diff --git a/roles/exit_ip/templates/rules.v6.j2 b/roles/exit_ip/templates/rules.v6.j2
index 155a479..ea1f7af 100644
--- a/roles/exit_ip/templates/rules.v6.j2
+++ b/roles/exit_ip/templates/rules.v6.j2
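Review bot: The two added WireGuard rules in the rules.v4.j2 hunk (and the identical pair in the rules.v6.j2 hunk) depend on `mesh_wg_port`, which nothing in this patch defines; if it is missing on a host, the play either fails at template time or, with undefined variables allowed, renders `--dport  -j LOG`, which iptables-restore refuses, and because the file is applied as a unit the existing fastd loop rules are then not loaded either. Either add a role default for `mesh_wg_port` next to `fastd_port` or guard both rules with `{% if mesh_wg_port is defined %} … {% endif %}` so a site without a WireGuard mesh still gets a valid ruleset. The rename of the log prefix from `vpn-int-loop-` to `fastd-vpn-int-loop-` keeps the old string as a substring, but any log matcher anchored on the exact prefix would need updating. A short comment above the two rule pairs, e.g. `# VPN traffic must never arrive from the mesh bridge itself: log and reject tunnel-in-tunnel loops`, would record why an inbound REJECT on the client-facing bridge is intentional.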
@@ -1,8 +1,10 @@
 # {{ ansible_managed }}
 *filter
 :INPUT ACCEPT [0:0]
--A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j LOG --log-prefix "fastd-vpn-int-loop-" -m limit --limit 5/min
 -A INPUT -p udp -m multiport -i br-{{ site_code }} --destination-ports {{ fastd_port }}:{{ fastd_port + (fastd_instances-1) }} -j REJECT
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j LOG --log-prefix "wg-vpn-int-loop-" -m limit --limit 5/min
+-A INPUT -p udp -i br-{{ site_code }} --dport {{ mesh_wg_port }} -j REJECT
 :FORWARD ACCEPT [0:0]
 -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 :OUTPUT ACCEPT [0:0]