Merge remote-tracking branch 'ms/ipsec-subnets' into next
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 28 Sep 2015 13:21:18 +0000 (14:21 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 28 Sep 2015 13:21:18 +0000 (14:21 +0100)
config/firewall/firewall-lib.pl
html/cgi-bin/vpnmain.cgi

index b389fac3c351230ec354d27579c692b387249b01..eabd9a42f22d7bab5fd93cf17855120fa6ce1f46 100644 (file)
@@ -391,8 +391,9 @@ sub get_address
        # IPsec networks.
        } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
                my $network_address = &get_ipsec_net_ip($value, 11);
-               if ($network_address) {
-                       push(@ret, [$network_address, ""]);
+               my @nets = split(/\|/, $network_address);
+               foreach my $net (@nets) {
+                       push(@ret, [$net, ""]);
                }
 
        # The firewall's own IP addresses.
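Review bot: The `if ($network_address)` guard was dropped, so when get_ipsec_net_ip returns undef the new `split(/\|/, $network_address)` emits an uninitialized-value warning under `use warnings`; the result is otherwise unchanged, since splitting an empty string yields no elements and the loop body never runs. A form that keeps the old guard without a separate branch is `my @nets = $network_address ? split(/\|/, $network_address) : ();`. The enclosing sub get_address starts and ends outside the hunk, so whether this branch sits inside a loop is not visible.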
index e71786243dc573a2b8fa8ed832b13d1023ca08e4..b697b0aeb6264b703ce637e6d502e02b85ac12cf 100644 (file)
@@ -281,15 +281,13 @@ sub writeipsecfiles {
 
                print CONF "conn $lconfighash{$key}[1]\n";
                print CONF "\tleft=$localside\n";
-               my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
-               print CONF "\tleftsubnet=$cidr_net\n";
+               print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
                print CONF "\tleftfirewall=yes\n";
                print CONF "\tlefthostaccess=yes\n";
                print CONF "\tright=$lconfighash{$key}[10]\n";
 
                if ($lconfighash{$key}[3] eq 'net') {
-                       my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
-                       print CONF "\trightsubnet=$cidr_net\n";
+                       print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
                }
 
                # Local Cert and Remote Cert (unless auth is DN dn-auth)
@@ -1263,10 +1261,12 @@ END
                $cgiparams{'PSK'}                               = $confighash{$cgiparams{'KEY'}}[5];
                #$cgiparams{'free'}                             = $confighash{$cgiparams{'KEY'}}[6];
                $cgiparams{'LOCAL_ID'}                  = $confighash{$cgiparams{'KEY'}}[7];
-               $cgiparams{'LOCAL_SUBNET'}              = $confighash{$cgiparams{'KEY'}}[8];
+               my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]);
+               $cgiparams{'LOCAL_SUBNET'}              = join(/\|/, @local_subnets);
                $cgiparams{'REMOTE_ID'}                 = $confighash{$cgiparams{'KEY'}}[9];
                $cgiparams{'REMOTE'}                    = $confighash{$cgiparams{'KEY'}}[10];
-               $cgiparams{'REMOTE_SUBNET'}             = $confighash{$cgiparams{'KEY'}}[11];
+               my @remote_subnets = split(",", $confighash{$cgiparams{'KEY'}}[11]);
+               $cgiparams{'REMOTE_SUBNET'}             = join(/\|/, @remote_subnets);
                $cgiparams{'REMARK'}                    = $confighash{$cgiparams{'KEY'}}[25];
                $cgiparams{'DPD_ACTION'}                = $confighash{$cgiparams{'KEY'}}[27];
                $cgiparams{'IKE_VERSION'}               = $confighash{$cgiparams{'KEY'}}[29];
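Review bot: `join(/\|/, @local_subnets)` on the new LOCAL_SUBNET line, and the same call on the REMOTE_SUBNET line below it, passes a regex match as the separator: `/\|/` is evaluated as a match against `$_` and yields `1` or an empty string, not the string `|`, so a list of two or more elements would be joined with `1` or with nothing. It only works today because the stored value is `|`-separated (see the save path later in this commit), so `split(",", ...)` returns a single element and the separator never matters. If the intent is to hand the stored `|`-separated value to the form unchanged, `$cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];` is sufficient; otherwise use the string `'|'` as the separator, as the save path does.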
@@ -1346,9 +1346,12 @@ END
                        }
                }
 
-               unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
-                       $errormessage = $Lang::tr{'local subnet is invalid'};
-                       goto VPNCONF_ERROR;
+               my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
+               foreach my $subnet (@local_subnets) {
+                       unless (&Network::check_subnet($subnet)) {
+                               $errormessage = $Lang::tr{'local subnet is invalid'};
+                               goto VPNCONF_ERROR;
+                       }
                }
 
                # Allow only one roadwarrior/psk without remote IP-address
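Review bot: An empty LOCAL_SUBNET now passes validation, because `split(",", "")` returns no elements and the foreach body never runs, whereas the replaced validipandmask check rejected an empty value. Add `unless (@local_subnets) { $errormessage = $Lang::tr{'local subnet is invalid'}; goto VPNCONF_ERROR; }` before the loop; the REMOTE_SUBNET loop in the next hunk has the same gap when TYPE is 'net'. Whitespace around the commas is also not trimmed, so `10.0.0.0/24, 10.0.1.0/24` hands ` 10.0.1.0/24` to Network::check_subnet; splitting on `/\s*,\s*/` here and in the save path would accept that input, assuming check_subnet rejects leading whitespace, which is not visible here. The enclosing block starts and ends outside the hunk.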
@@ -1362,9 +1365,15 @@ END
                                }
                        }
                }
-               if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
-                       $errormessage = $Lang::tr{'remote subnet is invalid'};
-                       goto VPNCONF_ERROR;
+
+               if ($cgiparams{'TYPE'} eq 'net') {
+                       my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
+                       foreach my $subnet (@remote_subnets) {
+                               unless (&Network::check_subnet($subnet)) {
+                                       $errormessage = $Lang::tr{'remote subnet is invalid'};
+                                       goto VPNCONF_ERROR;
+                               }
+                       }
                }
 
                if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
@@ -1784,10 +1793,12 @@ END
                $confighash{$key}[4] = 'cert';
        }
        if ($cgiparams{'TYPE'} eq 'net') {
-               $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
+               my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'});
+               $confighash{$key}[11] = join('|', @remote_subnets);
        }
        $confighash{$key}[7] = $cgiparams{'LOCAL_ID'};
-       $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
+       my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'});
+       $confighash{$key}[8] = join('|', @local_subnets);
        $confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
        $confighash{$key}[10] = $cgiparams{'REMOTE'};
        $confighash{$key}[25] = $cgiparams{'REMARK'};
@@ -1969,6 +1980,12 @@ EOF
                $blob = "<img src='/blob.gif' alt='*' />";
        };
 
+       my @local_subnets = split(/\|/, $cgiparams{'LOCAL_SUBNET'});
+       my $local_subnets = join(",", @local_subnets);
+
+       my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
+       my $remote_subnets = join(",", @remote_subnets);
+
        print <<END
        <tr>
                <td width='20%'>$Lang::tr{'enabled'}</td>
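Review bot: When the form is rendered before a subnet has been entered, `split(/\|/, $cgiparams{'LOCAL_SUBNET'})` and the REMOTE_SUBNET split operate on an undefined value and emit an uninitialized-value warning in the server log; whether cgiparams are pre-initialised to an empty string earlier in this file is not visible here. A defensive form is `split(/\|/, $cgiparams{'LOCAL_SUBNET'} || '')`. A one-line comment such as `# cgiparams carry |-separated subnet lists; the form shows and accepts them comma-separated` would make the two separators easier to follow for the next reader.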
@@ -1977,7 +1994,7 @@ EOF
                </td>
                <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
                <td width='30%'>
-                       <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" />
+                       <input type='text' name='LOCAL_SUBNET' value='$local_subnets' />
                </td>
        </tr>
        <tr>
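Review bot: `$local_subnets` is interpolated into the single-quoted `value` attribute without HTML escaping, as the replaced line did with the raw cgiparam; when the page is re-rendered after a validation error the attribute carries whatever the client submitted, so a quote or angle bracket in the input cannot be embedded safely. Escape `&`, `'`, `<` and `>` to entities before interpolating, and the same for `$remote_subnets` in the next hunk. Dropping `size="25"` is a visible layout change that looks unrelated to the subnet-list feature and may deserve a mention in the commit message or a revert.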
@@ -1987,7 +2004,7 @@ EOF
                </td>
                <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;$blob</td>
                <td width='30%'>
-                       <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" />
+                       <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' />
                </td>
        </tr>
        <tr>
@@ -3101,3 +3118,16 @@ sub make_algos($$$$$) {
 
        return &array_unique(\@algos);
 }
+
+sub make_subnets($) {
+       my $subnets = shift;
+
+       my @nets = split(/\|/, $subnets);
+       my @cidr_nets = ();
+       foreach my $net (@nets) {
+               my $cidr_net = &General::ipcidr($net);
+               push(@cidr_nets, $cidr_net);
+       }
+
+       return join(",", @cidr_nets);
+}
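Review bot: make_subnets has no header comment, and its `($)` prototype has no effect at the two call sites in writeipsecfiles, which use the `&make_subnets(...)` form that bypasses prototypes (consistent with the file's make_algos style, so the prototype is documentation at best). An undefined argument also reaches `split` unguarded and warns. Suggest a comment such as `# Takes a |-separated list of network specs as stored in the config and returns a comma-separated list of CIDR nets for ipsec.conf`, a guard `return '' unless defined $subnets;`, and the body `return join(",", map { &General::ipcidr($_) } split(/\|/, $subnets));`, which preserves the current output.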