From: Stefan Schantl Date: Sun, 8 May 2022 13:15:18 +0000 (+0200) Subject: rules.pl: Do not check private networks against ipblocklists. X-Git-Tag: v2.27-core170~4^2~149^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f37368da670f8514ebba3bbd01b376a3c758539;p=ipfire-2.x.git rules.pl: Do not check private networks against ipblocklists. In case some of these private networks are part of a used blocklist, this kind of traffic needs to be allowed. Otherwise some services may not work properly. For example: In case one or more IPSec N2N connections are configured, no traffic can be passed through it if the used networks are part of a blocklist. Signed-off-by: Stefan Schantl --- diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 62fae8c025..e1d7718a88 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -731,6 +731,16 @@ sub ipblocklist () { run("$IPTABLES -F BLOCKLISTIN"); run("$IPTABLES -F BLOCKLISTOUT"); + # Check if the blocklist feature is enabled. + if($blocklistsettings{'ENABLE'} eq "on") { + # Loop through the array of private networks. + foreach my $private_network (@PRIVATE_NETWORKS) { + # Create firewall rules to never block private networks. + run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -s $private_network -j RETURN"); + run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -d $private_network -j RETURN"); + } + } + # Loop through the array of blocklists. foreach my $blocklist (@blocklists) { # Check if the blocklist feature and the current processed blocklist is enabled.
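Review bot: The RETURN exemptions only take effect because they are appended to BLOCKLISTIN and BLOCKLISTOUT before the per-blocklist rules that the following `foreach my $blocklist (@blocklists)` loop adds to the same chains; both chains are flushed just above, so the ordering holds today, but a comment stating that these rules must stay ahead of the blocklist rules would keep a later refactor from silently reordering them. Please also confirm that `@PRIVATE_NETWORKS` is defined and in scope within rules.pl, since the hunk references it without introducing it. Note that `-i $RED_DEV -s $private_network -j RETURN` exempts every packet arriving on RED with a private source address from all blocklist checks, so filtering of spoofed private sources on RED has to be guaranteed by other chains rather than by the blocklists. `-p ALL` is the iptables default and can be dropped from both rules.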