ipsec: improve interface plugging; closes #1157

Required a little soft-coding in areas that could be thought of as "pluggable" firewall rules. It looks very doable for 17.7, we could potentially make IPsec and OpenVPN plugins! Or at least prove that the plugin framework is capable of plugging in a complex VPN tech.

ipsec: improve interface plugging; closes #1157
Required a little soft-coding in areas that could be thought of as "pluggable" firewall rules. It looks very doable for 17.7, we could potentially make IPsec and OpenVPN plugins! Or at least prove that the plugin framework is capable of plugging in a complex VPN tech.
b1af5b7b · Franco Fichtner · f8b18799 · b1af5b7b · b1af5b7b
Commit b1af5b7b authored Aug 29, 2016 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 13 deletions

filter.inc src/etc/inc/filter.inc +5 -3

if_ipsec.inc src/etc/inc/plugins.inc.d/if_ipsec.inc +28 -10

No files found.
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -2782,6 +2782,7 @@ pass in {$log['pass']} on \$loopback inet all label "pass IPv4 loopback"
 pass out {$log['pass']} on \$loopback inet all label "pass IPv4 loopback"
 pass in {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback"
 pass out {$log['pass']} on \$loopback inet6 all label "pass IPv6 loopback"
+
 # let out anything from the firewall host itself and decrypted IPsec traffic
 pass out {$log['pass']} inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
 pass out {$log['pass']} inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
@@ -2819,10 +2820,9 @@ EOD;
        }
    }

-
    /* add ipsec interfaces */
-    if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) {
-        $ipfrules .= "pass out {$log['pass']} on \$IPsec all keep state label \"IPsec internal host to host\"\n";
+    if (!empty($FilterIflist['enc0']['descr'])) {
+        $ipfrules .= "pass out {$log['pass']} on \${$FilterIflist['enc0']['descr']} all keep state label \"IPsec internal host to host\"\n";
    }

    if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
@@ -2834,6 +2834,7 @@ EOD;
             */
            $lanif = $FilterIflist['lan']['if'];
            $ipfrules .= <<<EOD
+
 # make sure the user cannot lock himself out of the webConfigurator or SSH
 pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } keep state label "anti-lockout rule"

@@ -2842,6 +2843,7 @@ EOD;
            /* single-interface deployment, add to WAN  */
            $wanif = $FilterIflist["wan"]['if'];
            $ipfrules .= <<<EOD
+
 # make sure the user cannot lock himself out of the webConfigurator or SSH
 pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } keep state label "anti-lockout rule"


--- a/src/etc/inc/plugins.inc.d/if_ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/if_ipsec.inc
@@ -44,7 +44,7 @@ function if_ipsec_services()

    $services = array();

-    if (isset($config['ipsec']['enable'])) {
+    if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) {
        $pconfig = array();
        $pconfig['name'] = 'ipsec';
        $pconfig['description'] = gettext('IPsec VPN');
@@ -64,15 +64,33 @@ function if_ipsec_interfaces()

    $interfaces = array();

-    if ((isset($config['ipsec']['phase1']) && count($config['ipsec']['phase1'])) &&
-        (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable']))) {
-        $oic = array("enable" => true);
-        $oic['if'] = 'enc0';
-        $oic['descr'] = 'IPsec';
-        $oic['type'] = "none";
-        $oic['virtual'] = true;
-        $oic['networks'] = array();
-        $interfaces['enc0'] = $oic;
+    if (isset($config['ipsec']['phase1']) && isset($config['ipsec']['phase2'])) {
+        foreach ($config['ipsec']['phase1'] as $ph1ent) {
+            if (isset($ph1ent['disabled'])) {
+                continue;
+            }
+
+            foreach ($config['ipsec']['phase2'] as $ph2ent) {
+                if (isset($ph2ent['disabled']) || $ph1ent['ikeid'] != $ph2ent['ikeid']) {
+                    continue;
+                }
+
+                if ((isset($ph2ent['mobile']) && !isset($config['ipsec']['client']['enable'])) ||
+                    !isset($config['ipsec']['enable'])) {
+                    continue;
+                }
+
+                $oic = array('enable' => true);
+                $oic['if'] = 'enc0';
+                $oic['descr'] = 'IPsec';
+                $oic['type'] = 'none';
+                $oic['virtual'] = true;
+                $oic['networks'] = array();
+                $interfaces['enc0'] = $oic;
+
+                break 2;
+            }
+        }
    }

    return $interfaces;