author | jim-p <jimp@pfsense.org> | 2011-05-11 17:02:29 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-05-11 17:03:00 -0400 |
commit | a1bad14197056b186726180846103fa922a94df6 (patch) | |
tree | 34dcc6883c76f8f3332df4e1ce6e6eb8012e7690 /etc | |
parent | b148ab813f932985655625a04e4400080e60b74d (diff) | |
Fix IPsec descr trimming for rule labels. Ticket #1426
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index b11ee3a..14e6560 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2773,32 +2773,32 @@ function filter_generate_ipsec_rules() {
 }
 /* Add rules to allow IKE to pass */
- $shorttunneldescr = substr($descr, 0, 36);
+ $shorttunneldescr = substr($descr, 0, 35);
 $ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label \"IPsec: {$shorttunneldescr} - outbound isakmp\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label \"IPsec: {$shorttunneldescr} - inbound isakmp\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
 EOD;
 /* If NAT-T is enabled, add additional rules */
 if($ph1ent['nat_traversal'] != "off" ) {
 $ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label \"IPsec: {$shorttunneldescr} - outbound nat-t\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label \"IPsec: {$shorttunneldescr} - inbound nat-t\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
 EOD;
 }
 /* Add rules to allow the protocols in use */
 if($prot_used_esp == true) {
 $ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound esp proto\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound esp proto\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
 EOD;
 }
 if($prot_used_ah == true) {
 $ipfrules .= <<<EOD
-pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label \"IPsec: {$shorttunneldescr} - outbound ah proto\"
-pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label \"IPsec: {$shorttunneldescr} - inbound ah proto\"
+pass out on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
+pass in on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
 EOD;
 } |
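Review bot: The length cap in `$shorttunneldescr = substr($descr, 0, 35);` is the only treatment `$descr` receives in this hunk before it is interpolated into the now plainly quoted `label "IPsec: ..."` strings, so a tunnel description containing a `"` or a line break would close the label early and could make the generated ruleset fail to load or change what the rule says. Unless `$descr` is already sanitized earlier in filter_generate_ipsec_rules() (the function begins and ends outside this hunk), strip those characters before trimming, e.g. `$shorttunneldescr = substr(str_replace(array('"', "\n", "\r"), '', $descr), 0, 35);`. The bare 35 also deserves a comment along the lines of `/* "IPsec: " (7) + 35 + longest suffix " - outbound esp proto" (21) = 63; keep within pf's label length limit */`, so the cap is rechecked whenever a prefix or suffix is reworded.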