From 31abf0634210992e8b16df91f406fc52c7784e60 Mon Sep 17 00:00:00 2001
From: toby
Date: Tue, 23 Oct 2018 23:28:29 +0200
Subject: [PATCH] setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes
---
 debian/wit-network-config.postinst | 2 ++
 files/ipsec.conf.wit | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst
index 8cf4c9e..d704a64 100755
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@@ -301,6 +301,8 @@ case "$1" in
 # set ipsec config
 sed -i \
 -e "s/FQHOSTNAME/${HOSTNAME}/" \
+ -e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \
+ -e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \
 -e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
 -e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
 $IPSECCONFIG
diff --git a/files/ipsec.conf.wit b/files/ipsec.conf.wit
index 553ff5a..1dfdf35 100644
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@@ -27,14 +27,14 @@ conn %default
 conn loopback4
 leftsourceip=%config4
- leftsubnet=IPSEC_IPV4_SUBNETS
+ leftsubnet=LOOPBACKv4
 rightsubnet=IPSEC_IPV4_SUBNETS
 right=%any4
 conn loopback6
 leftsourceip=%config6
- leftsubnet=IPSEC_IPV6_SUBNETS
+ leftsubnet=LOOPBACKv6
 rightsubnet=IPSEC_IPV6_SUBNETS
 right=%any6
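Review bot: The two new `-e` expressions interpolate `${LOOPBACKv4}` and `${LOOPBACKv6}` into the sed replacement with no check that either is set, so an unset or empty value silently writes `leftsubnet=/32` and `leftsubnet=/128` into $IPSECCONFIG instead of failing the package configuration. Add `: "${LOOPBACKv4:?LOOPBACKv4 is not set}"` and `: "${LOOPBACKv6:?LOOPBACKv6 is not set}"` before the `sed -i` so postinst aborts with a clear message rather than leaving an ipsec.conf with an invalid selector behind. The prefix length is appended unconditionally, so if either variable is ever assigned with a CIDR suffix already the result becomes `a.b.c.d/32/32`; where the variables are assigned is not visible in this hunk, so that expectation (bare address, no prefix) is worth a comment at the assignment. The enclosing `case` arm starts and ends outside the hunk.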
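Review bot: Narrowing `leftsubnet` to the loopback /32 and /128 means the policy in `conn loopback4` and `conn loopback6` now matches only traffic sourced from the loopback address, so packets from any other local address toward `IPSEC_IPV4_SUBNETS`/`IPSEC_IPV6_SUBNETS` no longer match an IPsec policy and, as the commit message says, are no longer blackholed — which also means they leave the host in cleartext. That fail-open trade-off should be stated in the file, e.g. above `conn loopback4`: `# Only loopback-sourced traffic to the remote subnets is protected; other local sources are NOT covered by this policy and go in the clear — block them with a firewall rule if confidentiality is required.` With `leftsourceip=%config4` combined with an explicit `leftsubnet`, whether the requested virtual IP is still added to the traffic selector depends on the strongSwan version in use — presumably it is not, but confirm against the deployed version before relying on the narrowed selector. The peer authentication that goes with `right=%any4` / `right=%any6` lives in `conn %default`, whose body is outside this hunk, so that side cannot be reviewed here.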