Bug #11832

``ipsec_vti()`` does not skip disabled VTI entries

Added by Viktor Gurov about 2 months ago. Updated 12 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 04/21/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: 2.5.1
Affected Architecture:

Description

https://github.com/pfsense/pfsense/blob/3af1961155caafb890cfb635d7278e1498ae7423/src/etc/inc/ipsec.inc#L959:

            if (!$skipdisabled && isset($ph2ent['disabled'])) {
                continue;

- is incorrect, should be:

            if ($skipdisabled && isset($ph2ent['disabled'])) {
                continue;

Because of this, `interface_ipsec_vti_configure()` tries to configure disabled VTI interfaces
and `upgrade_208_to_209()` could work incorrectly for IKEv1/SplitConnectionIKEv2 VTIs:
https://github.com/pfsense/pfsense/blob/3af1961155caafb890cfb635d7278e1498ae7423/src/etc/inc/upgrade_config.inc#L6248:

    foreach ($config['ipsec']['phase1'] as $ph1ent) {
        if (!isset($ph1ent['mobile']) &&
            ($ph1ent['iketype'] == 'ikev1' ||
            isset($ph1ent['splitconn']))) {
            $vtisubnet_spec = ipsec_vti($ph1ent, true, false);
            if (empty($vtisubnet_spec)) {
                continue;
            }
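
The effect of the inverted guard, shown as an added example that is not part of the original report and is not pfSense code. `select_entries()` and the sample phase 2 entries are hypothetical, constructed stand-ins that model only the `$skipdisabled` check quoted above.

```php
<?php
// Simplified model of the guard from this issue. NOT pfSense code:
// select_entries() and the entries below are hypothetical / constructed.

/**
 * Return the descriptions of the phase 2 entries a caller would act on.
 * $buggy = true applies the guard as reported, false the corrected guard.
 */
function select_entries(array $phase2, bool $skipdisabled, bool $buggy): array
{
    $selected = [];
    foreach ($phase2 as $ph2ent) {
        // Presence of the key marks the entry as disabled, hence isset().
        $disabled = isset($ph2ent['disabled']);
        $skip = $buggy
            ? (!$skipdisabled && $disabled)  // guard before the fix
            : ($skipdisabled && $disabled);  // guard after the fix
        if ($skip) {
            continue;
        }
        $selected[] = $ph2ent['descr'];
    }
    return $selected;
}

// Constructed sample data: one enabled and one disabled VTI phase 2 entry.
$phase2 = [
    ['descr' => 'vti-enabled'],
    ['descr' => 'vti-disabled', 'disabled' => ''],
];

// Truth table: [skipdisabled, buggy guard?, expected selection].
$cases = [
    [true,  false, ['vti-enabled']],                  // fixed: disabled entry skipped
    [false, false, ['vti-enabled', 'vti-disabled']],  // fixed: caller asked for all
    [true,  true,  ['vti-enabled', 'vti-disabled']],  // buggy: disabled entry leaks through
    [false, true,  ['vti-enabled']],                  // buggy: disabled entry dropped anyway
];

foreach ($cases as [$skipdisabled, $buggy, $expected]) {
    $got = select_entries($phase2, $skipdisabled, $buggy);
    if ($got !== $expected) {
        throw new RuntimeException('unexpected selection: ' . implode(', ', $got));
    }
    printf("skipdisabled=%-5s guard=%s -> %s\n",
        var_export($skipdisabled, true), $buggy ? 'buggy' : 'fixed', implode(', ', $got));
}
```

The two `buggy` rows correspond to the two symptoms in the report: a caller that asks to skip disabled entries still receives them, and a caller that passes `false`, as `upgrade_208_to_209()` does, has them dropped.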

Associated revisions

Revision 9ca88c29 (diff)
Added by Viktor Gurov about 1 month ago

ipsec_vti() skipdisabled fix. Issue #11832

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0

#3 Updated by Jim Pingle about 1 month ago

  • Plus Target Version set to 21.05

#4 Updated by Steve Beaver about 1 month ago

  • Status changed from Pull Request Review to Feedback

#5 Updated by Jim Pingle about 1 month ago

  • Subject changed from ipsec_vti() doesn't skip disabled VTI entries to ``ipsec_vti()`` doesn't skip disabled VTI entries

Updating subject for release notes.

#6 Updated by Jim Pingle about 1 month ago

  • Subject changed from ``ipsec_vti()`` doesn't skip disabled VTI entries to ``ipsec_vti()`` does not skip disabled VTI entries

Updating subject for release notes.

#7 Updated by Jim Pingle 19 days ago

  • Target version changed from 2.6.0 to 2.5.2

#8 Updated by Jim Pingle 12 days ago

  • Status changed from Feedback to Closed
