From 7cf08c68ce3f9f5841dd2f78370e86ba5bed1881 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 8 May 2022 15:15:18 +0200 Subject: [PATCH] rules.pl: Do not check private networks against ipblocklists. In case some of these private networks are part of an used blocklist this kind of traffic needs to be allowed. Otherwise some services may not work properly. For example: In case one ore more IPSec N2N connections are configured no traffic can be passed through it, if the used networks are part of an blocklist. Signed-off-by: Stefan Schantl
---
 config/firewall/rules.pl | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 62fae8c025..e1d7718a88 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -731,6 +731,16 @@ sub ipblocklist () {
 run("$IPTABLES -F BLOCKLISTIN");
 run("$IPTABLES -F BLOCKLISTOUT");
+ # Check if the blocklist feature is enabled.
+ if($blocklistsettings{'ENABLE'} eq "on") {
+ # Loop through the array of private networks.
+ foreach my $private_network (@PRIVATE_NETWORKS) {
+ # Create firewall rules to never block private networks.
+ run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -s $private_network -j RETURN");
+ run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -d $private_network -j RETURN");
+ }
+ }
+
 # Loop through the array of blocklists.
 foreach my $blocklist (@blocklists) {
 # Check if the blocklist feature and the current processed blocklist is enabled.
-- 
2.39.5
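Review bot: The two RETURN rules added inside the `foreach my $private_network` loop exempt every packet with a private source (or destination) address on `$RED_DEV` from the blocklist chains, not only the IPsec N2N traffic the commit message gives as the motivation, so a blocklisted peer that spoofs an RFC1918 source address on the WAN side now skips the blocklist unless some earlier chain already drops such bogons (not visible in this hunk). If the goal is the IPsec case, the exemption can be narrowed to traffic that actually traversed an IPsec SA by matching on the xfrm policy, e.g. `run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -m policy --dir in --pol ipsec -s $private_network -j RETURN");` and `run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -m policy --dir out --pol ipsec -d $private_network -j RETURN");`, which should be confirmed against the other services the message alludes to. `@PRIVATE_NETWORKS` is not declared in this hunk; presumably it comes from one of the required function libraries, which is worth verifying since an empty or undeclared array would silently create no exemption. The enclosing `sub ipblocklist` starts before and continues past this hunk.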