eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
VARS=(
- id status name lefthost type ctype x1 x2 x3 leftsubnets
- x4 righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
- x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
- route x26 x27 x28 x29 x30 x31 x32 x33 x34 x35
- interface_mode interface_address interface_mtu rest
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
)
block_subnet() {
local subnet="${1}"
local action="${2}"
+ # Nothing to be done if no action is requested
+ if [ "${action}" = "none" ]; then
+ return 0
+ fi
+
# Don't block a wildcard subnet
if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
return 0
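Review bot: The new VARS entry `local` on the first added line of the array names an ordinary shell variable after the `local` builtin that block_subnet invokes a few lines below (`local subnet="${1}"`, `local action="${2}"`); bash accepts both, but the later `local="0.0.0.0/0"` in the second hunk reads like a malformed declaration rather than an assignment to a field. Renaming the field to `local_net` (together with the `${local}` uses in the second hunk) keeps the column map and the GRE rules readable. VARS is also the only place that encodes the new positional column order, so a comment above `VARS=(` such as `# Positional column layout of the connection records read into these names; order must match whatever writes that file` would help the next person who changes the format. The `psk` column now lands in a meaningfully named variable although no visible line in either hunk uses it; since the old layout used `xN` placeholders for unused columns, keeping that column as a placeholder avoids carrying the secret under a descriptive name through the loop (the read loop itself is outside this hunk, so this is inferred from the `rest` column and the `"${VARS[@]}"` naming).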
# Check if this a net-to-net connection
[ "${type}" = "net" ] || continue
+ # Default local to 0.0.0.0/0
+ if [ "${local}" = "" -o "${local}" = "off" ]; then
+ local="0.0.0.0/0"
+ fi
+
+ # Install permissions for GRE traffic
+ case "${interface_mode}" in
+ gre)
+ if [ -n "${remote}" ]; then
+ iptables -A IPSECINPUT -p gre \
+ -s "${remote}" -d "${local}" -j ACCEPT
+
+ iptables -A IPSECOUTPUT -p gre \
+ -s "${local}" -d "${remote}" -j ACCEPT
+ fi
+ ;;
+ esac
+
+ # Install firewall rules only for interfaces without interface
+ [ -n "${interface_mode}" ] && continue
+
# Split multiple subnets
rightsubnets="${rightsubnets//\|/ }"
case "${route}" in
route)
- action="drop"
+ action="none"
;;
*)
action="reject"