Bug #5487
closed
If IPsec is enabled without any configured tunnels, a broken ruleset is generated
Added by Jim Pingle over 8 years ago.
Updated over 8 years ago.
Affected Architecture:
All
Description
If you enable IPsec but do not create any Phase 1 entries, a broken ruleset is generated:
/tmp/rules.debug:140: macro 'IPsec' not defined
Renato reproduced it the same way, he said it looked like it was related to some recent ipsec_enable() changes by Luiz.
ipsec_enable() is not checking $config['ipsec']['client']['enable'] and there are places in code still checking it in filter.inc
It also looks like there are more places that need to be changed to call the function:
src/etc/inc/filter.inc: if (isset($config['ipsec']['enable'])) {
src/etc/inc/filter.inc: if ((isset($config['ipsec']['client']['enable'])) &&
src/etc/inc/filter.inc: if (is_array($config['ipsec']) && isset($config['ipsec']['enable'])) {
src/etc/inc/filter.inc: if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) {
src/etc/inc/filter.inc: if ((isset($config['ipsec']['enable'])) &&
src/etc/inc/ipsec.inc: if (isset($config['ipsec']['enable'])) {
src/etc/inc/service-utils.inc: if (isset($config['ipsec']['enable'])) {
src/etc/inc/upgrade_config.inc: if (isset($config['ipsec']['mobileclients']['enable'])) {
src/etc/inc/upgrade_config.inc: $config['ipsec']['client']['enable'] = true;
src/etc/rc.newipsecdns:if (isset($config['ipsec']['enable'])) {
src/usr/local/www/vpn_ipsec.php:$pconfig['enable'] = isset($config['ipsec']['enable']);
src/usr/local/www/vpn_ipsec.php: $config['ipsec']['enable'] = $_POST['enable'] ? true : false;
src/usr/local/www/vpn_ipsec_mobile.php:if (isset($config['ipsec']['enable']) && is_subsystem_dirty('ipsec'))
src/usr/local/www/xmlrpc.php: if (isset($old_config['ipsec']['enable']) !== isset($config['ipsec']['enable'])) {
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Fixed the generated ruleset when there are no phase 1 entries.
dc0f709e
- Status changed from Feedback to Resolved
Looks good now, I can no longer reproduce the broken ruleset with the original condition. Closing.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by