BUG11278: It is not possible to create subnets of internal networks in firewallgroups
authorAlexander Marx <alexander.marx@ipfire.org>
Wed, 7 Jun 2017 13:13:56 +0000 (15:13 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 7 Jun 2017 16:19:30 +0000 (17:19 +0100)
Fixes: #11278
When creating networks which are part of an internal network, an error message was displayed and the creation was prohibited.
Now it is possible to create such subnets. This is used at your own risk! Users have to take care of the firewall rule sequence.
It is possible to create situations that are not wanted.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/cfgroot/general-functions.pl
html/cgi-bin/fwhosts.cgi

index 5e5417d0971f4ec19f93a0d724611681e4831042..f448c34befc7cf8af483f674f02665c0203d6a54 100644 (file)
@@ -465,6 +465,7 @@ sub checksubnets
        my $ccdname=$_[0];
        my $ccdnet=$_[1];
        my $ownnet=$_[2];
+       my $checktype=$_[3];
        my $errormessage;
        my ($ip,$cidr)=split(/\//,$ccdnet);
        $cidr=&iporsubtocidr($cidr);
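Review bot: `$checktype` is left undefined for every existing caller that still passes three arguments, and the following hunk then evaluates `$checktype eq "exact"` on that undef, which emits an uninitialized-value warning if this file runs under `use warnings`. Giving the new parameter an explicit default keeps the old three-argument call sites clean and documents the fallback mode: `my $checktype=$_[3] || "range";`. The body of checksubnets continues outside this hunk.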
@@ -542,10 +543,15 @@ sub checksubnets
        }
        
        #call check_net_internal
-       &General::check_net_internal($ccdnet);
+       if ($checktype eq "exact")
+       {
+               &General::check_net_internal_exact($ccdnet);
+       }else{
+               &General::check_net_internal_range($ccdnet);
+       }
 }
 
-sub check_net_internal{
+sub check_net_internal_range{
        my $network=shift;
        my ($ip,$cidr)=split(/\//,$network);
        my %ownnet=();
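Review bot: The comment `#call check_net_internal` above the new dispatch is now stale, since that sub no longer exists and the branch chooses between two checks with different strength; the "exact" branch only rejects a network that is identical to an internal one, so a supernet enclosing an internal network passes as well (hedged: that follows from `Network::network_equal`, whose implementation is not shown here). Replace the comment with one that states the contract, e.g. `# "exact" rejects only a network identical to GREEN/ORANGE/BLUE/RED; any other mode rejects any overlap with them`. Both branches also rely on the sub's implicit return of the last evaluated expression to hand the error message back to the caller; writing `return &General::check_net_internal_exact($ccdnet);` and `return &General::check_net_internal_range($ccdnet);` makes that visible. The start of check_net_internal_range lies outside this hunk.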
@@ -559,6 +565,20 @@ sub check_net_internal{
        if (($ownnet{'RED_NETADDRESS'}          ne '' && $ownnet{'RED_NETADDRESS'}              ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'RED_NETADDRESS'},&iporsubtodec($ownnet{'RED_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
 }
 
+sub check_net_internal_exact{
+       my $network=shift;
+       my ($ip,$cidr)=split(/\//,$network);
+       my %ownnet=();
+       my $errormessage;
+       $cidr=&iporsubtocidr($cidr);
+       #check if we use one of ipfire's networks (green,orange,blue)
+       &readhash("${General::swroot}/ethernet/settings", \%ownnet);
+       if (($ownnet{'GREEN_NETADDRESS'}        ne '' && $ownnet{'GREEN_NETADDRESS'}    ne '0.0.0.0') && &Network::network_equal("$ownnet{'GREEN_NETADDRESS'}/$ownnet{'GREEN_NETMASK'}", $network)){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;}
+       if (($ownnet{'ORANGE_NETADDRESS'}       ne '' && $ownnet{'ORANGE_NETADDRESS'}   ne '0.0.0.0') && &Network::network_equal("$ownnet{'ORANGE_NETADDRESS'}/$ownnet{'ORANGE_NETMASK'}", $network)){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;}
+       if (($ownnet{'BLUE_NETADDRESS'}         ne '' && $ownnet{'BLUE_NETADDRESS'}     ne '0.0.0.0') && &Network::network_equal("$ownnet{'BLUE_NETADDRESS'}/$ownnet{'BLUE_NETMASK'}", $network)){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;}
+       if (($ownnet{'RED_NETADDRESS'}          ne '' && $ownnet{'RED_NETADDRESS'}              ne '0.0.0.0') && &Network::network_equal("$ownnet{'RED_NETADDRESS'}/$ownnet{'RED_NETMASK'}", $network)){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
+}
+
 sub validport
 {
        $_ = $_[0];
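Review bot: In check_net_internal_exact the locals `$ip` and `$cidr` (including the `$cidr=&iporsubtocidr($cidr);` call) are never used, because `Network::network_equal` receives the unsplit `$network` string; they are copied from check_net_internal_range and should be dropped. The sub also has no explicit return on the no-match path, so it returns the false value of the last `if` condition, which the caller in fwhosts.cgi concatenates into `$errormessage`; a final `return;` is what the fall-through should yield. The four near-identical lines can be collapsed into a loop over the zone names, which removes the duplication and makes the single return path obvious:
```perl
sub check_net_internal_exact{
	my $network=shift;
	my %ownnet=();
	#check if we use one of ipfire's networks (green,orange,blue,red)
	&readhash("${General::swroot}/ethernet/settings", \%ownnet);
	for my $zone (qw(GREEN ORANGE BLUE RED)) {
		my $addr = $ownnet{"${zone}_NETADDRESS"};
		my $mask = $ownnet{"${zone}_NETMASK"};
		next if ($addr eq '' || $addr eq '0.0.0.0');
		if (&Network::network_equal("$addr/$mask", $network)) {
			return $Lang::tr{'ccd err ' . lc $zone};
		}
	}
	return;
}
```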
index 1b0fe075178a765e8b107ad7c60e8615cc1e3fb3..25ab489ea9f656106046e8bb5e004a689d3eb83c 100644 (file)
@@ -301,7 +301,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
                }
                if($fwhostsettings{'error'} ne 'on'){
                                my $fullip="$fwhostsettings{'IP'}/".&General::iporsubtocidr($fwhostsettings{'SUBNET'});
-                               $errormessage=$errormessage.&General::checksubnets($fwhostsettings{'HOSTNAME'},$fullip,"");
+                               $errormessage=$errormessage.&General::checksubnets($fwhostsettings{'HOSTNAME'},$fullip,"","exact");
                }
                #only check plausi when no error till now
                if (!$errormessage){
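Review bot: The mode is passed as the bare literal `"exact"` and compared literally inside checksubnets, so any other value, including a typo at this call site, silently falls back to the range check; because that is the stricter of the two checks the fallback fails closed, but nothing at the call site says so. A short comment here, `# "exact" only rejects a network identical to an internal one; overlapping subnets are deliberately allowed (see #11278)`, would record why this caller opts out of the overlap check. The enclosing `savenet` handler starts outside this hunk.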