authorViacheslav Hletenko <v.gletenko@vyos.io>2022-04-25 20:59:45 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2022-04-25 20:59:45 +0000
commit408917a0e619286c1cc1e74bde6cd8f257d5aeb9 (patch)
treec7b104ffa126fe79f131c04dd2759fbcfafa043a /src/conf_mode
parenta10bf3ba34f034f9fc60ea0070d8c4f3f60586e2 (diff)
vpn-ipsec: T4398: Fix unexpected passthrough policy for peer
Set the default passthrough list to None to prevent an unexpected policy for peers whose local and remote prefixes do not overlap
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 99b82ca2d..dc134fd1f 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -553,13 +553,15 @@ def generate(ipsec):
if not local_prefixes or not remote_prefixes:
continue
- passthrough = []
+ passthrough = None
for local_prefix in local_prefixes:
for remote_prefix in remote_prefixes:
local_net = ipaddress.ip_network(local_prefix)
remote_net = ipaddress.ip_network(remote_prefix)
if local_net.overlaps(remote_net):
+ if passthrough is None:
+ passthrough = []
passthrough.append(local_prefix)
ipsec['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough