diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index aeb79c9c11..e5cdf9196f 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -97,8 +97,14 @@ $icmptypes = array(
  * Specify the driver prefix to match (from the left)
  * https://redmine.pfsense.org/issues/8685
  */
-global $filter_interface_blacklist;
-$filter_interface_blacklist = array("ipsec");
+global $filter_interface_remove;
+$filter_interface_remove = array();
+
+if ($config['ipsec']['filtermode'] == 'if_ipsec') {
+	$filter_interface_remove[] = 'enc';
+} else {
+	$filter_interface_remove[] = 'ipsec';
+}
 
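Review bot: `$filter_interface_remove` is built once at include time from `$config['ipsec']['filtermode']`, so any caller that changes the mode and then regenerates the ruleset in the same request (the save handler in vpn_ipsec_settings.php does exactly this) reloads the filter with the prefix list derived from the previous mode. It also silently treats any unrecognised value as the default mode, while system.inc indexes an array with the same value, so the two files disagree on what an unexpected mode means. Keep the empty array here and compute the prefix where it is used, reading the live config, e.g. a small helper that `filter_get_interface_list()` calls:

```php
function filter_get_ipsec_interface_remove() {
	global $config;
	/* Whichever IPsec path is not filtered is hidden from the rule-interface list. */
	if (isset($config['ipsec']['filtermode']) &&
	    $config['ipsec']['filtermode'] === 'if_ipsec') {
		return array('enc');
	}
	return array('ipsec');
}
```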
 /*
  * Fixed tracker values (used to group and track usage in GUI):
@@ -4700,13 +4706,13 @@ function move_separators(&$a_separators, $ridx, $mvnrows) {
 }
 
 function filter_get_interface_list() {
-	global $filter_interface_blacklist;
+	global $filter_interface_remove;
 	$iflist = create_interface_list();
 	$filter_ifs = array();
 	foreach ($iflist as $ifent => $ifname) {
 		$realifname = get_real_interface($ifent);
-		foreach ($filter_interface_blacklist as $ifbl) {
-			if (substr($realifname, 0, strlen($ifbl)) == $ifbl) {
+		foreach ($filter_interface_remove as $ifr) {
+			if (substr($realifname, 0, strlen($ifr)) == $ifr) {
 				continue 2;
 			}
 		}
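Review bot: The prefix test `substr($realifname, 0, strlen($ifr)) == $ifr` is a hand-rolled starts-with using loose comparison; `strncmp($realifname, $ifr, strlen($ifr)) === 0` states the intent directly and avoids the `==` string juggling. A one-line comment above the loop would also help the next reader, e.g. `/* Skip the IPsec attachment point that is not being filtered in the current mode (enc0 vs. assigned ipsecNNNN VTIs). */`. `filter_get_interface_list()` continues past the end of this hunk.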
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index 42b7bb9ae5..663d6bff35 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -160,10 +160,6 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024",
 	"net.inet.udp.checksum" => 1,
 	"net.inet.icmp.reply_from_interface" => 1,
 	"net.inet6.ip6.rfc6204w3" => 1,
-	"net.enc.out.ipsec_bpf_mask" => "0x0001",
-	"net.enc.out.ipsec_filter_mask" => "0x0001",
-	"net.enc.in.ipsec_bpf_mask" => "0x0002",
-	"net.enc.in.ipsec_filter_mask" => "0x0002",
 	"net.key.preferred_oldsa" => "0",
 	"net.inet.carp.senderr_demotion_factor" => 0, /* Do not demote CARP for interface send errors */
 	"net.pfsync.carp_demotion_factor" => 0, /* Do not demote CARP for pfsync errors */
@@ -322,4 +318,30 @@ $ddnsdomainkeyalgorithms = array(
 		'hmac-sha384' => 'HMAC-SHA384',
 		'hmac-sha512' => 'HMAC-SHA512 (most secure)');
 
+global $ipsec_filtermodes;
+$ipsec_filtermodes = array(
+	'enc' => 'Filter IPsec Tunnel and VTI on IPsec tab (enc0)',
+	'if_ipsec' => 'Filter IPsec VTI on assigned interfaces, block all tunnel mode traffic'
+);
+
+global $ipsec_filter_sysctl;
+$ipsec_filter_sysctl = array(
+	'enc' => array(
+		"net.inet.ipsec.filtertunnel"   => "0x0000",
+		"net.inet6.ipsec6.filtertunnel" => "0x0000",
+		"net.enc.out.ipsec_bpf_mask"    => "0x0001",
+		"net.enc.out.ipsec_filter_mask" => "0x0001",
+		"net.enc.in.ipsec_bpf_mask"     => "0x0002",
+		"net.enc.in.ipsec_filter_mask"  => "0x0002"
+	),
+	'if_ipsec' => array(
+		"net.inet.ipsec.filtertunnel"   => "0x0001",
+		"net.inet6.ipsec6.filtertunnel" => "0x0001",
+		"net.enc.out.ipsec_bpf_mask"    => "0x0000",
+		"net.enc.out.ipsec_filter_mask" => "0x0000",
+		"net.enc.in.ipsec_bpf_mask"     => "0x0000",
+		"net.enc.in.ipsec_filter_mask"  => "0x0000"
+	),
+);
+
 ?>
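Review bot: The `$ipsec_filter_sysctl` table has no comment explaining why the two modes are mutually exclusive at the kernel level, which is the whole safety argument behind the "block all tunnel mode traffic" label on `if_ipsec`. As far as the sysctl names show, `enc` mode filters on enc0 (the `net.enc.*` masks) with `filtertunnel` off, and `if_ipsec` does the reverse; presumably the tunnel-mode block then comes from `filtertunnel=1` handing decapsulated packets to pf on the ingress interface where nothing passes them, but that is an inference and should be written down where the values live. Suggest a header comment such as `/* Exactly one of the two IPsec filtering points may be active: enc0 (net.enc.*) or the assigned VTI / ingress interface (net.inet*.ipsec*.filtertunnel). Enabling both would filter the same packet twice; disabling both would leave IPsec traffic unfiltered. */`. Note also that the user-supplied `$config['sysctl']['item']` list is merged after this table in system.inc and can override these values; that is worth a sentence in the same comment.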
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 98d978a645..82c7364dda 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -102,7 +102,14 @@ function system_get_sysctls() {
 }
 
 function activate_sysctls() {
-	global $config, $g, $sysctls;
+	global $config, $g, $sysctls, $ipsec_filter_sysctl;
+
+	if (!is_array($sysctls)) {
+		$sysctls = array();
+	}
+
+	$ipsec_filtermode = empty($config['ipsec']['filtermode']) ? 'enc' : $config['ipsec']['filtermode'];
+	$sysctls = array_merge($sysctls, $ipsec_filter_sysctl[$ipsec_filtermode]);
 
 	if (is_array($config['sysctl']) && is_array($config['sysctl']['item'])) {
 		foreach ($config['sysctl']['item'] as $tunable) {
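Review bot: `$ipsec_filter_sysctl[$ipsec_filtermode]` is indexed with a value taken straight from the config, and only the empty case is normalised; an unrecognised mode (hand-edited or imported config, or a value saved by the unvalidated POST handler) yields `null`, which makes `array_merge()` return `null` on PHP 7 (the entire tunable set is then dropped, including the IPsec filtering sysctls) and throw a `TypeError` on PHP 8. Fall back to the default before indexing: `if (!isset($ipsec_filter_sysctl[$ipsec_filtermode])) { $ipsec_filtermode = 'enc'; }`. A short comment on the merge line would also help, e.g. `/* Mode-specific IPsec filtering sysctls; user tunables below may still override them. */`. `activate_sysctls()` continues beyond this hunk.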
diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php
index 9458ae2430..bd8e34c6ed 100644
--- a/src/usr/local/www/vpn_ipsec_settings.php
+++ b/src/usr/local/www/vpn_ipsec_settings.php
@@ -35,6 +35,8 @@ require_once("shaper.inc");
 require_once("ipsec.inc");
 require_once("vpn.inc");
 
+global $ipsec_filtermodes;
+
 $pconfig['logging'] = ipsec_get_loglevels();
 $pconfig['unityplugin'] = isset($config['ipsec']['unityplugin']);
 $pconfig['strictcrlpolicy'] = isset($config['ipsec']['strictcrlpolicy']);
@@ -47,6 +49,7 @@ $pconfig['maxexchange'] = $config['ipsec']['maxexchange'];
 $pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
 $pconfig['maxmss'] = $config['system']['maxmss'];
 $pconfig['uniqueids'] = $config['ipsec']['uniqueids'];
+$pconfig['filtermode'] = $config['ipsec']['filtermode'];
 $pconfig['ipsecbypass'] = isset($config['ipsec']['ipsecbypass']);
 $pconfig['bypassrules'] = $config['ipsec']['bypassrules'];
 $pconfig['port'] = $config['ipsec']['port'];
@@ -238,6 +241,12 @@ if ($_POST['save']) {
 			unset($config['ipsec']['uniqueids']);
 		}
 
+		if (!empty($_POST['filtermode'])) {
+			$config['ipsec']['filtermode'] = $_POST['filtermode'];
+		} else if (isset($config['ipsec']['filtermode'])) {
+			unset($config['ipsec']['filtermode']);
+		}
+
 		if ($_POST['maxmss_enable'] == "yes") {
 			$config['system']['maxmss_enable'] = true;
 			$config['system']['maxmss'] = $_POST['maxmss'];
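Review bot: `$_POST['filtermode']` is stored into the config without being checked against the allowed keys, so any non-empty string sent by an authenticated user (or a tampered form) becomes the persisted mode and later drives an array lookup in system.inc. Validate it in the input-error section of this save handler, alongside the other checks, e.g. `if (!empty($_POST['filtermode']) && !array_key_exists($_POST['filtermode'], $ipsec_filtermodes)) { $input_errors[] = gettext("Invalid IPsec filter mode."); }`, so the write below only ever sees `enc` or `if_ipsec`. This block sits inside the larger `if ($_POST['save'])` handler that starts before the hunk.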
@@ -277,6 +286,8 @@ if ($_POST['save']) {
 		$retval |= filter_configure();
 
 		ipsec_configure($needsrestart);
+		system_setup_sysctl();
+		clear_subsystem_dirty('sysctl');
 	}
 
 	// The logic value sent by $_POST for autoexcludelanaddress is opposite to
@@ -370,6 +381,21 @@ $section->addInput(new Form_Select(
 	'<b>', '</b>'
 );
 
+$section->addInput(new Form_Select(
+	'filtermode',
+	'IPsec Filter Mode',
+	$pconfig['filtermode'],
+	$ipsec_filtermodes
+))->setHelp(
+	'Experimental. Controls how the firewall will filter IPsec traffic. By default, rules on ' .
+	'the IPsec tab filter all IPsec traffic, including both tunnel mode and VTI mode. %3$s' .
+	'This is limited in that it does not allow for filtering on assigned VTI interfaces, and it does not ' .
+	'support features such as NAT rules and reply-to for return routing. ' .
+	'When set to filter on assigned VTI interfaces, %1$sall tunnel mode traffic is blocked%2$s. ' .
+	'Do not set this option unless %1$sall%2$s IPsec tunnels are using VTI.',
+	'<b>', '</b>', '<br />'
+);
+
 $section->addInput(new Form_Checkbox(
 	'compression',
 	'IP Compression',
