Commit 5d3729e4 authored by Ad Schellevis's avatar Ad Schellevis

(filter) move IPsec internal host to host

parent 4b61811b
...@@ -2522,6 +2522,7 @@ function filter_rules_generate(&$FilterIflist) ...@@ -2522,6 +2522,7 @@ function filter_rules_generate(&$FilterIflist)
$log['block'] = !isset($config['syslog']['nologdefaultblock']) ? "log" : ""; $log['block'] = !isset($config['syslog']['nologdefaultblock']) ? "log" : "";
$log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : ""; $log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : "";
// TODO : route-to needs to be refactored / simplified.
foreach ($FilterIflist as $ifdescr => $ifcfg) { foreach ($FilterIflist as $ifdescr => $ifcfg) {
if (isset($ifcfg['virtual'])) { if (isset($ifcfg['virtual'])) {
continue; continue;
...@@ -2553,11 +2554,6 @@ function filter_rules_generate(&$FilterIflist) ...@@ -2553,11 +2554,6 @@ function filter_rules_generate(&$FilterIflist)
} }
} }
/* add ipsec interfaces */
if (!empty($FilterIflist['enc0']['descr'])) {
$ipfrules .= "pass out {$log['pass']} on \${$FilterIflist['enc0']['descr']} all keep state label \"IPsec internal host to host\"\n";
}
if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) { if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
$alports = filter_get_antilockout_ports(); $alports = filter_get_antilockout_ports();
......
...@@ -294,4 +294,13 @@ function filter_core_rules_system($fw, $defaults) ...@@ -294,4 +294,13 @@ function filter_core_rules_system($fw, $defaults)
'quick' => false, "label" => "let out anything from firewall host itself"), 'quick' => false, "label" => "let out anything from firewall host itself"),
$defaults['pass'] $defaults['pass']
); );
// ipsec
if (!empty($fw->getInterfaceMapping()['enc0'])) {
$fw->registerFilterRule(5,
array('direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0',
'label' =>'IPsec internal host to host'),
$defaults['pass']
);
}
} }
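Review bot: The `// ipsec` comment above the new registerFilterRule call does not say what the rule does or why it is there, and the rule itself is a bare `pass out` on enc0 with no protocol, source or destination restriction, which a reader should be able to see without decoding the array. Suggested replacement for the comment: `// IPsec: unconditional pass-out (keep state, not quick) on the enc0 interface so host-to-host IPsec traffic is not caught by the default block; replaces the legacy rule previously emitted in filter_rules_generate`. The guard has also changed from testing the interface's descr (the removed code in filter_rules_generate) to `!empty($fw->getInterfaceMapping()['enc0'])`, so the rule may now be emitted in cases where enc0 is mapped but had no description; if that is intended it is worth a word in the comment, and if not the old condition should be preserved. Minor style: `'label' =>'IPsec ...'` is missing the space after `=>` that the surrounding array entries use.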