ipsec-policy: Do no create DROP rules for on-demand mode

This is not necessary and gets in the way if users have SNAT rules or other things that make the check be in the wrong place. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2021-06-11 16:15:37 +00:00
parent c5d855492e
commit 053a582d3a
2 changed files with 7 additions and 1 deletions
--- a/config/firewall/ipsec-policy
+++ b/config/firewall/ipsec-policy
@@ -34,6 +34,11 @@ block_subnet() {
 	local subnet="${1}"
 	local action="${2}"

+	# Nothing to be done if no action is requested
+	if [ "${action}" = "none" ]; then
+		return 0
+	fi
+
 	# Don't block a wildcard subnet
 	if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then
 		return 0
@@ -108,7 +113,7 @@ install_policy() {

 		case "${route}" in
 			route)
-				action="drop"
+				action="none"
 				;;
 			*)
 				action="reject"
--- a/config/rootfiles/core/158/filelists/files
+++ b/config/rootfiles/core/158/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/traffic.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 srv/web/ipfire/html/images/apple.png
+usr/lib/firewall/ipsec-policy
 var/ipfire/backup/bin/backup.pl
 var/ipfire/countries.pl
 var/ipfire/general-functions.pl