From: Michael Tremer Date: Mon, 21 Jan 2019 16:33:53 +0000 (+0000) Subject: ipsec-policy: Correct open ports for connections on aliases X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=c32fc72e36daf8510949aa8a0fea695cc080c9d3 ipsec-policy: Correct open ports for connections on aliases Signed-off-by: Michael Tremer
---
diff --git a/config/firewall/ipsec-policy b/config/firewall/ipsec-policy
index e2048844a8..cd427f0221 100644
--- a/config/firewall/ipsec-policy
+++ b/config/firewall/ipsec-policy
@@ -24,10 +24,10 @@ VPN_CONFIG="/var/ipfire/vpn/config"
 eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
 VARS=(
-	id status name lefthost type ctype x1 x2 x3 leftsubnets
-	remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
-	x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
-	route x26 mode interface_mode interface_address interface_mtu rest
+	id status name lefthost type ctype psk local x1 leftsubnets
+	x2 remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+	x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+	route x23 mode interface_mode interface_address interface_mtu rest
 )
 block_subnet() {
@@ -82,15 +82,20 @@ install_policy() {
 		# Check if this a net-to-net connection
 		[ "${type}" = "net" ] || continue
+		# Default local to 0.0.0.0/0
+		if [ "${local}" = "" -o "${local}" = "off" ]; then
+			local="0.0.0.0/0"
+		fi
+
 		# Install permissions for GRE traffic
 		case "${interface_mode}" in
 			gre)
 				if [ -n "${remote}" ]; then
 					iptables -A IPSECINPUT -p gre \
-						-s "${remote}" -j ACCEPT
+						-s "${remote}" -d "${local}" -j ACCEPT
 					iptables -A IPSECOUTPUT -p gre \
-						-d "${remote}" -j ACCEPT
+						-s "${local}" -d "${remote}" -j ACCEPT
 				fi
 				;;
 		esac
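Review bot: The VARS list is a positional schema for each record of the VPN config, and this hunk renumbers most filler columns (x1 through x23) while dropping `righthost` and inserting `psk` and `local`, so any mismatch with whatever writes ${VPN_CONFIG} would silently shift `remote`, `proto` and `interface_mode` into the wrong variables without any error. A comment tying the order to its source would make the next renumbering safer, e.g. `# Column order must match the record layout written to ${VPN_CONFIG}; the xN names are unused placeholders`. The surrounding `eval $(readhash ...)` and `block_subnet()` lines are unchanged context, and nothing in the hunk validates the column count per record, which is worth noting in the same comment.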
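Review bot: The new default check in install_policy uses the obsolescent `-o` inside `[ ]`; the idiomatic and unambiguous form is `if [ -z "${local}" ] || [ "${local}" = "off" ]; then`. The field is also named `local`, which is the bash builtin for function-scoped variables: `${local}` and `local="0.0.0.0/0"` work as written, but a bare `local` on its own line in a later edit would invoke the builtin instead, so a short comment such as `# "local" is the config column holding the local address/alias, not the bash builtin` would prevent that confusion. Falling back to `0.0.0.0/0` preserves the previous unrestricted GRE source/destination match for connections without an alias, which is the right backward-compatible behaviour, but the two iptables calls are still unchecked, so a malformed `local` value from the config leaves the GRE rule silently uninstalled rather than failing loudly. The enclosing loop of install_policy begins before this hunk and its closing context appears to run past what is shown.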