author | smos <seth.mos@dds.nl> | 2012-11-19 10:00:06 +0100 |
---|---|---|
committer | smos <seth.mos@dds.nl> | 2012-11-19 10:00:06 +0100 |
commit | 081507eb21c7e554cc9c2c835a4b0fec02eacec3 (patch) | |
tree | 1ce316fa6e52caa4e3b2a41991fc963386af6871 /etc | |
parent | 6fb26a17c19d66033320debb863c0a7c9a3499aa (diff) | |
Add correct rules for IPv6 tunnel endpoints which differ from the default route.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 54 |
1 files changed, 31 insertions, 23 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 66e0fab..09d689c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -3235,53 +3235,61 @@ function filter_generate_ipsec_rules() { $ipfrules = "# Could not locate interface for IPsec: {$descr}\n"; continue; } - /* add endpoint routes to correct gateway on interface */ - if(interface_has_gateway($parentinterface)) { + if((is_ipaddrv4($rgip)) && (interface_has_gateway($parentinterface))) { $gateway = get_interface_gateway($parentinterface); $interface = $FilterIflist[$parentinterface]['if']; - /* Just in case */ - if(!is_ipaddr($gateway) || empty($interface)) { - $route_to = " "; - $reply_to = " "; - } else { - $route_to = " route-to ( $interface $gateway ) "; - $reply_to = " reply-to ( $interface $gateway ) "; - } + $route_to = " route-to ( $interface $gateway ) "; + $reply_to = " reply-to ( $interface $gateway ) "; + + } + if((is_ipaddrv6($rgip)) && (interface_has_gatewayv6($parentinterface))) { + $gateway = get_interface_gateway_v6($parentinterface); + $interface = $FilterIflist[$parentinterface]['if']; - /* Add rules to allow IKE to pass */ - $shorttunneldescr = substr($descr, 0, 35); + $route_to = " route-to ( $interface $gateway ) "; + $reply_to = " reply-to ( $interface $gateway ) "; + } + + /* Just in case */ + if((!is_ipaddr($gateway) || empty($interface))) { + $route_to = " "; + $reply_to = " "; + } + + /* Add rules to allow IKE to pass */ + $shorttunneldescr = substr($descr, 0, 35); $ipfrules .= <<<EOD pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp" pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp" EOD; - /* If NAT-T is enabled, add additional rules */ - if($ph1ent['nat_traversal'] != "off" ) { - $ipfrules .= <<<EOD + /* If NAT-T is enabled, add additional rules */ + if($ph1ent['nat_traversal'] != "off" ) { + $ipfrules .= <<<EOD pass out on 
\${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t" pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t" EOD; - } - /* Add rules to allow the protocols in use */ - if($prot_used_esp == true) { - $ipfrules .= <<<EOD + } + /* Add rules to allow the protocols in use */ + if($prot_used_esp == true) { + $ipfrules .= <<<EOD pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto" pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto" EOD; - } - if($prot_used_ah == true) { - $ipfrules .= <<<EOD + } + if($prot_used_ah == true) { + $ipfrules .= <<<EOD pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto" pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto" EOD; - } } } + } return($ipfrules); } |
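Review bot: The new `/* Just in case */` fallback reads `$gateway` and `$interface` even when neither the IPv4 nor the IPv6 branch above it ran, and because this code sits inside the per-peer loop (the `continue;` at the top of the hunk), PHP leaves those variables holding the previous peer's values, so a peer whose parent interface has no gateway of the matching address family silently inherits the previous peer's `route-to`/`reply-to` instead of the blank values the fallback is meant to produce. Reset all four before the first `if` of each iteration: `$gateway = ""; $interface = ""; $route_to = " "; $reply_to = " ";` (or make the fallback the `else` of both branches). The fallback also only protects IPv6 peers if `is_ipaddr()` accepts IPv6 literals, which the hunk does not show; worth confirming. As a point of style, the two branches differ only in the lookup helpers, so an `elseif` would state explicitly that at most one of them applies to a given `$rgip`. filter_generate_ipsec_rules() begins before the hunk.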