authorChris Buechler <cmb@pfsense.org>2015-10-20 12:56:07 -0500
committerChris Buechler <cmb@pfsense.org>2015-10-20 12:56:07 -0500
commit4f1bf9029c9b30ff648f5a6df29f95c872e5b5e4 (patch)
tree094a4d82f4e273a627c430ea1523f1caa59f390b
parentca35be37bf73efc5fd98a473bdc3a8b4fc6b90ca (diff)
Check whether the P2 or its associated P1 are disabled before adding NAT
rules. Ticket #5320
-rw-r--r--etc/inc/filter.inc9
1 files changed, 8 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 402f064..586c9e7 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1791,9 +1791,16 @@ function filter_nat_rules_generate() {
if (is_array($config['ipsec']) && isset($config['ipsec']['enable'])) {
if (is_array($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase2'] as $ph2ent) {
- if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid'])) {
+ if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid']) && !isset($ph2ent['disabled'])) {
if (!function_exists('ipsec_idinfo_to_cidr'))
require_once("ipsec.inc");
+ ipsec_lookup_phase1($ph2ent, $ph1ent);
+ if (!is_array($ph1ent)) {
+ continue;
+ }
+ if (isset($ph1ent['disabled'])) {
+ continue;
+ }
if (!is_array($ph2ent['localid']))
$ph2ent['localid'] = array();
$ph2ent['localid']['mode'] = $ph2ent['mode'];
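Review bot: `$ph1ent` is never cleared between iterations of the `foreach`, so the `is_array($ph1ent)` test that follows `ipsec_lookup_phase1($ph2ent, $ph1ent);` may be looking at the phase 1 entry found for the previous phase 2. ipsec_lookup_phase1 is not shown on this page; if it leaves its second argument untouched when no phase 1 matches, a P2 with a missing P1 would be judged against a stale entry and NAT rules could still be generated for it. Resetting the variable first removes that dependency: add `$ph1ent = null;` on the line before the lookup. The body of filter_nat_rules_generate() continues outside the hunk.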