firewall: Write correct rules bound to interface for routes IPsec tunnels
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 22 Jan 2019 12:46:53 +0000 (12:46 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 4 Feb 2019 18:20:36 +0000 (18:20 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/firewall/firewall-lib.pl

index 2820eea..118744f 100644 (file)
@@ -169,6 +169,15 @@ sub get_ipsec_host_ip
                }
        }
 }
+sub get_ipsec_id {
+       my $val = shift;
+
+       foreach my $key (keys %ipsecconf) {
+               if ($ipsecconf{$key}[1] eq $val) {
+                       return $key;
+               }
+       }
+}
 sub get_ovpn_n2n_ip
 {
        my $val=shift;
@@ -399,10 +408,16 @@ sub get_address
                        my @parts = split(/\|/, $value);
                        push(@ret, [$parts[1], ""]);
                }else{
-                       my $network_address = &get_ipsec_net_ip($value, 11);
-                       my @nets = split(/\|/, $network_address);
-                       foreach my $net (@nets) {
-                               push(@ret, [$net, ""]);
+                       my $interface_mode = &get_ipsec_net_ip($value, 36);
+                       if ($interface_mode ~~ ["gre", "vti"]) {
+                               my $id = &get_ipsec_id($value);
+                               push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]);
+                       } else {
+                               my $network_address = &get_ipsec_net_ip($value, 11);
+                               my @nets = split(/\|/, $network_address);
+                               foreach my $net (@nets) {
+                                       push(@ret, [$net, ""]);
+                               }
                        }
                }