From 7ba652af8c16d9d0c84292cdc75f35af5cd628f3 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 22 Jan 2019 12:46:53 +0000
Subject: [PATCH] firewall: Write correct rules bound to interface for routes IPsec tunnels
Signed-off-by: Michael Tremer
---
 config/firewall/firewall-lib.pl | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 2820eea655..118744fd6e 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -169,6 +169,15 @@ sub get_ipsec_host_ip
 }
 }
 }
+sub get_ipsec_id {
+ my $val = shift;
+
+ foreach my $key (keys %ipsecconf) {
+ if ($ipsecconf{$key}[1] eq $val) {
+ return $key;
+ }
+ }
+}
 sub get_ovpn_n2n_ip
 {
 my $val=shift;
@@ -399,10 +408,16 @@ sub get_address
 my @parts = split(/\|/, $value);
 push(@ret, [$parts[1], ""]);
 }else{
- my $network_address = &get_ipsec_net_ip($value, 11);
- my @nets = split(/\|/, $network_address);
- foreach my $net (@nets) {
- push(@ret, [$net, ""]);
+ my $interface_mode = &get_ipsec_net_ip($value, 36);
+ if ($interface_mode ~~ ["gre", "vti"]) {
+ my $id = &get_ipsec_id($value);
+ push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]);
+ } else {
+ my $network_address = &get_ipsec_net_ip($value, 11);
+ my @nets = split(/\|/, $network_address);
+ foreach my $net (@nets) {
+ push(@ret, [$net, ""]);
+ }
 }
 }
-- 
2.39.2
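Review bot: get_ipsec_id has no explicit return after the foreach, so when no connection name matches the caller gets whatever the loop expression evaluates to rather than a clear undef; add `return;` as the last statement of the sub so the "not found" case is unambiguous. The lookup also compares `$ipsecconf{$key}[1] eq $val` without checking that the entry has that field, which warns under `use warnings` if %ipsecconf ever holds a short record — presumably the config reader guarantees the shape, but a `next unless defined $ipsecconf{$key}[1];` guard is cheap. A one-line header comment, `# Return the numeric ipsec connection id whose name equals $val, or undef if none.`, would also help since the id is later spliced into an interface name.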
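Review bot: The new `if ($interface_mode ~~ ["gre", "vti"])` uses smartmatch, which has been experimental since 5.18 and emits a warning; a plain list test is clearer and stable, e.g. `if (defined $interface_mode && grep { $interface_mode eq $_ } qw(gre vti)) {`. In the same branch, if get_ipsec_id finds no entry `$id` is undef, so the interface name collapses to just `gre`/`vti` and the resulting `0.0.0.0/0` rule is bound to a non-existent interface (plus an uninitialized-value warning); guard it with `push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]) if defined $id;` or fall through to the network-based else branch. Since this widens the match to any address and relies entirely on the interface binding for scoping, a short comment above the push saying that the interface name is what restricts the rule to that tunnel would document the intent. The enclosing get_address sub begins and ends outside this hunk.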