Bug #5487

If IPsec is enabled without any configured tunnels, a broken ruleset is generated

Added by Jim Pingle almost 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 11/19/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3
Affected Architecture: All

Description

If you enable IPsec but do not create any Phase 1 entries, a broken ruleset is generated:

/tmp/rules.debug:140: macro 'IPsec' not defined

Renato reproduced it the same way; he said it looked like it was related to some recent ipsec_enable() changes by Luiz.
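The error above is pf rejecting a ruleset that references a macro that was never defined. As an added example (not part of this ticket or of pfSense's code), the Python check below flags such references in generated ruleset text before it is loaded. The function names and sample rulesets are constructed for illustration, and it assumes one statement per line and that pf does not expand macros inside quoted strings.

```python
import re

# Assumptions: one statement per line, macro names start with a letter or
# underscore, and pf does not expand macros inside quoted strings.
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
QUOTED = re.compile(r'"[^"]*"')


def undefined_macros(ruleset_text):
    """Return [(line_number, name)] for macros referenced before definition."""
    defined, problems = set(), []
    for lineno, raw in enumerate(ruleset_text.splitlines(), start=1):
        line = QUOTED.sub('""', raw)      # drop quoted values and labels
        line = line.split('#', 1)[0]      # drop trailing comments
        for name in MACRO_REF.findall(line):
            if name not in defined:
                problems.append((lineno, name))
        definition = MACRO_DEF.match(line)
        if definition:
            defined.add(definition.group(1))
    return problems


def report(path, ruleset_text):
    """Format findings like the parser error quoted in the ticket."""
    return [f"{path}:{n}: macro '{name}' not defined"
            for n, name in undefined_macros(ruleset_text)]


# Constructed samples (not real rules.debug content).
SAMPLE_BROKEN = '''\
# interface macros
WAN = "{ em0 }"
LAN = "{ em1 }"
pass in quick on $LAN inet from any to any label "allow $LAN net"
pass out on $IPsec all keep state label "example IPsec rule"
'''
SAMPLE_OK = SAMPLE_BROKEN.replace('LAN = "{ em1 }"',
                                  'LAN = "{ em1 }"\nIPsec = "{ enc0 }"')

if __name__ == "__main__":
    for message in report("/tmp/rules.debug", SAMPLE_BROKEN):
        print(message)
```

This only catches undefined macros; `pfctl -n -f <file>` remains the full parse check, since it parses the ruleset without loading it.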

History

#1 Updated by Renato Botelho almost 4 years ago

ipsec_enable() is not checking $config['ipsec']['client']['enable'], and there are places in code still checking it in filter.inc.

It also looks like there are more places that need to be changed to call the function:

src/etc/inc/filter.inc:    if (isset($config['ipsec']['enable'])) {
src/etc/inc/filter.inc:    if ((isset($config['ipsec']['client']['enable'])) &&
src/etc/inc/filter.inc:    if (is_array($config['ipsec']) && isset($config['ipsec']['enable'])) {
src/etc/inc/filter.inc:    if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) {
src/etc/inc/filter.inc:    if ((isset($config['ipsec']['enable'])) &&
src/etc/inc/ipsec.inc:    if (isset($config['ipsec']['enable'])) {
src/etc/inc/service-utils.inc:    if (isset($config['ipsec']['enable'])) {
src/etc/inc/upgrade_config.inc:        if (isset($config['ipsec']['mobileclients']['enable'])) {
src/etc/inc/upgrade_config.inc:            $config['ipsec']['client']['enable'] = true;
src/etc/rc.newipsecdns:if (isset($config['ipsec']['enable'])) {
src/usr/local/www/vpn_ipsec.php:$pconfig['enable'] = isset($config['ipsec']['enable']);
src/usr/local/www/vpn_ipsec.php:        $config['ipsec']['enable'] = $_POST['enable'] ? true : false;
src/usr/local/www/vpn_ipsec_mobile.php:if (isset($config['ipsec']['enable']) && is_subsystem_dirty('ipsec'))
src/usr/local/www/xmlrpc.php:    if (isset($old_config['ipsec']['enable']) !== isset($config['ipsec']['enable'])) {

#2 Updated by Luiz Souza almost 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Fixed the generated ruleset when there are no phase 1 entries.

dc0f709e

#3 Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Resolved

Looks good now; I can no longer reproduce the broken ruleset with the original condition. Closing.