IPsec: Do not allow 0.0.0.0/0 as remote subnet

This renders the whole machine inaccessible

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index b65838d92e43920c76530deec3a8afcd2952dcd0..f6791c70b245b7c4c217507267d9c2a0975126c1 100644 (file)
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -305,7 +305,7 @@ sub writeipsecfiles {
                } elsif ($interface_mode eq "vti") {
                        print CONF "\tleftsubnet=0.0.0.0/0\n";
                } else {
-                       print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n";
+                       print CONF "\tleftsubnet=" . &make_subnets("left", $lconfighash{$key}[8]) . "\n";
                }
 
                print CONF "\tleftfirewall=yes\n";
@@ -318,7 +318,7 @@ sub writeipsecfiles {
                        } elsif ($interface_mode eq "vti") {
                                print CONF "\trightsubnet=0.0.0.0/0\n";
                        } else {
-                               print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n";
+                               print CONF "\trightsubnet=" . &make_subnets("right", $lconfighash{$key}[11]) . "\n";
                        }
                }
 
@@ -3345,13 +3345,19 @@ sub make_algos($$$$$) {
        return &array_unique(\@algos);
 }
 
-sub make_subnets($) {
+sub make_subnets($$) {
+       my $direction = shift;
        my $subnets = shift;
 
        my @nets = split(/\|/, $subnets);
        my @cidr_nets = ();
        foreach my $net (@nets) {
                my $cidr_net = &General::ipcidr($net);
+
+               # Skip 0.0.0.0/0 for remote because this renders the
+               # while system inaccessible
+               next if (($direction eq "right") && ($cidr_net eq "0.0.0.0/0"));
+
                push(@cidr_nets, $cidr_net);
        }