ipsec-policy: Do no create DROP rules for on-demand mode
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 11 Jun 2021 16:15:37 +0000 (16:15 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 11 Jun 2021 16:15:37 +0000 (16:15 +0000)
This is not necessary and gets in the way if users have SNAT rules or
other things that cause the check to end up in the wrong place.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/firewall/ipsec-policy
config/rootfiles/core/158/filelists/files

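--- a/config/firewall/ipsec-policy
+++ b/config/firewall/ipsec-policy
@@ -34,6 +34,11 @@ block_subnet() {
        local subnet="${1}"
        local action="${2}"
 
+       # Nothing to be done if no action is requested
+       if [ "${action}" = "none" ]; then
+               return 0
+       fi
+
        # Don't block a wildcard subnet
        if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
                return 0
@@ -108,7 +113,7 @@ install_policy() {
 
                case "${route}" in
                        route)
-                               action="drop"
+                               action="none"
                                ;;
                        *)
                                action="reject"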
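Review bot: In the `route)` branch of install_policy, `action="none"` means on-demand connections now get no blocking rule at all, so nothing in this script stops packets for the remote subnet from leaving unencrypted if the IPsec trap policy is missing (for example while the IPsec daemon is stopped or the connection failed to load); whether that can happen is not visible here. Because this is a deliberate trade-off, it deserves a comment at the branch, e.g. `# On-demand: install no rule and rely on the IPsec trap policy to hold traffic until the tunnel is up`. The new early return in block_subnet also makes `none` a third accepted value of `action`, which is worth listing wherever that parameter is documented. Both functions start and end outside the hunks shown.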
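--- a/config/rootfiles/core/158/filelists/files
+++ b/config/rootfiles/core/158/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/traffic.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 srv/web/ipfire/html/images/apple.png
+usr/lib/firewall/ipsec-policy
 var/ipfire/backup/bin/backup.pl
 var/ipfire/countries.pl
 var/ipfire/general-functions.pl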