From 408917a0e619286c1cc1e74bde6cd8f257d5aeb9 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Mon, 25 Apr 2022 20:59:45 +0000
Subject: vpn-ipsec: T4398: Fix unexpected passthrough policy for peer
Set default passtrough list to None to prevent unexpected policy for peers with not overplapped local and remote prefixes
---
 src/conf_mode/vpn_ipsec.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/conf_mode')
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 99b82ca2d..dc134fd1f 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -553,13 +553,15 @@ def generate(ipsec):
 if not local_prefixes or not remote_prefixes:
 continue
- passthrough = []
+ passthrough = None
 for local_prefix in local_prefixes:
 for remote_prefix in remote_prefixes:
 local_net = ipaddress.ip_network(local_prefix)
 remote_net = ipaddress.ip_network(remote_prefix)
 if local_net.overlaps(remote_net):
+ if passthrough is None:
+ passthrough = []
 passthrough.append(local_prefix)
 ipsec['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
-- 
cgit v1.2.3
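Review bot: The new lazy initialisation only changes the empty case; the inner loop still appends `local_prefix` once per overlapping remote prefix, so a local network that overlaps two remote networks is listed twice in `passthrough`, and whether the consumer tolerates duplicates is not visible here. The same result without the nested `if passthrough is None:` branch is `passthrough = [lp for lp in local_prefixes if any(ipaddress.ip_network(lp).overlaps(ipaddress.ip_network(rp)) for rp in remote_prefixes)] or None`, which is None when nothing overlaps and lists each local prefix at most once. Because an empty list is also falsy, the reason None is required should be recorded next to the assignment, e.g. `# None, not []: the consumer apparently tests for absence rather than truthiness, and an empty list made it emit a passthrough policy for peers with no overlapping prefixes (T4398)`. The `ipaddress.ip_network()` calls use the default strict=True, so a configured prefix with host bits set would raise ValueError out of generate() — pre-existing rather than introduced here, but worth either a guard or `strict=False` if configuration validation does not already reject such prefixes. The enclosing generate() starts and ends outside the hunk.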