From 053a582d3a68456f861d4e7ab3529163ee84ec47 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 11 Jun 2021 16:15:37 +0000
Subject: [PATCH] ipsec-policy: Do no create DROP rules for on-demand mode

This is not necessary and gets in the way if users have SNAT rules or other things that make the check be in the wrong place.

Signed-off-by: Michael Tremer
---
 config/firewall/ipsec-policy              | 7 ++++++-
 config/rootfiles/core/158/filelists/files | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/firewall/ipsec-policy b/config/firewall/ipsec-policy
index 1ad4de6501..334e2d9bbd 100644
--- a/config/firewall/ipsec-policy
+++ b/config/firewall/ipsec-policy
@@ -34,6 +34,11 @@ block_subnet() {
 	local subnet="${1}"
 	local action="${2}"
 
+	# Nothing to be done if no action is requested
+	if [ "${action}" = "none" ]; then
+		return 0
+	fi
+
 	# Don't block a wildcard subnet
 	if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
 		return 0
@@ -108,7 +113,7 @@ install_policy() {
 
 	case "${route}" in
 		route)
-			action="drop"
+			action="none"
 			;;
 		*)
 			action="reject"
diff --git a/config/rootfiles/core/158/filelists/files b/config/rootfiles/core/158/filelists/files
index e7a6a30739..e39449614e 100644
--- a/config/rootfiles/core/158/filelists/files
+++ b/config/rootfiles/core/158/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/traffic.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 srv/web/ipfire/html/images/apple.png
+usr/lib/firewall/ipsec-policy
 var/ipfire/backup/bin/backup.pl
 var/ipfire/countries.pl
 var/ipfire/general-functions.pl
-- 
2.39.2
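Review bot: The `route)` arm in the install_policy hunk now sets `action="none"`, which makes the new early return in block_subnet skip every rule, so for on-demand tunnels nothing in this script prevents traffic for the remote subnet from leaving unencrypted while no IPsec policy is active, and neither hunk records what is relied on instead. The commit message only says the DROP rules are unnecessary; I would state the assumption next to the arm, e.g. `# On-demand (route) tunnels get no fallback rule here; presumably the kernel IPsec trap policy holds that traffic until the SA is up — confirm`, so a later reader does not reinstate a DROP rule or drop the trap policy without noticing the dependency. The literal `none` is now matched in block_subnet and produced in install_policy with no shared definition, so a short comment in block_subnet naming install_policy as the caller that passes it would keep the two in step. Both install_policy and block_subnet start and end outside their hunks.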