From ee8fd03c330f7ca87a5ab2d88d6072b1af6ae7fb Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 5 Mar 2019 17:04:22 +0100
Subject: [PATCH] IPSec / routed (VTI), we shouldn't add route-to rules for ipsec interfaces, but the same likely counts for all that's plugged in automatically. for https://github.com/opnsense/core/issues/2332
---
 src/etc/inc/filter.lib.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 4a513d7e3..404d47e25 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -510,7 +510,7 @@ function filter_core_rules_system($fw, $defaults)
 // This behaviour can be disabled, so settings can be customized using manual firewall rules.
 if (empty($config['system']['pf_disable_force_gw'])) {
 foreach ($fw->getInterfaceMapping() as $ifdescr => $ifcfg) {
- if (!isset($ifcfg['virtual']) && $ifcfg['if'] != 'lo0') {
+ if (!isset($ifcfg['internal_dynamic']) && $ifcfg['if'] != 'lo0') {
 $intf_has_v4 = false;
 $intf_has_v6 = false;
 foreach (legacy_getall_interface_addresses($ifcfg['if']) as $addr) {
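Review bot: The changed `if` line no longer tests `virtual` at all, so an interface that sets `virtual` without `internal_dynamic` would now receive the forced-gateway (route-to) rules this loop builds. Nothing in the hunk shows that every `virtual` interface also carries `internal_dynamic`. If that is not guaranteed where the interface mapping is built, keep both exclusions: `if (!isset($ifcfg['virtual']) && !isset($ifcfg['internal_dynamic']) && $ifcfg['if'] != 'lo0') {`. Separately, `isset()` is true for a key stored as `false`, so `empty($ifcfg['internal_dynamic'])` would be the safer test if the flag is ever written as a boolean, and it would match the `empty()` check two lines above. The body of filter_core_rules_system starts and ends outside the hunk, so how these rules are emitted is not visible here.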