From: Alexander Marx Date: Thu, 13 Mar 2014 14:09:01 +0000 (+0100) Subject: VPN Checksubnets: Now the remote subnets (OpenVPN/IPSec) are checked. If they are... X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=4d81e0f3812fc272b2515a631a2e98c4ae76a42b VPN Checksubnets: Now the remote subnets (OpenVPN/IPSec) are checked. If they are defined elsewhere, there's a warningmessage displayed --- diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 386b0479f..adfba5489 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -506,24 +506,46 @@ sub validipandmask sub checksubnets { - my %ccdconfhash=(); - my @ccdconf=(); - my $ccdname=$_[0]; - my $ccdnet=$_[1]; + my %ccdconfhash=(); + my %ovpnconfhash=(); + my %vpnconf=(); + my %ipsecconf=(); + my %ownnet=(); + my %ovpnconf=(); + my @ccdconf=(); + my $ccdname=$_[0]; + my $ccdnet=$_[1]; + my $ownnet=$_[2]; my $errormessage; my ($ip,$cidr)=split(/\//,$ccdnet); $cidr=&iporsubtocidr($cidr); + #get OVPN-Subnet (dynamic range) - my %ovpnconf=(); &readhash("${General::swroot}/ovpn/settings", \%ovpnconf); my ($ovpnip,$ovpncidr)= split (/\//,$ovpnconf{'DOVPN_SUBNET'}); $ovpncidr=&iporsubtocidr($ovpncidr); + #check if we try to use same network as ovpn server if ("$ip/$cidr" eq "$ovpnip/$ovpncidr") { $errormessage=$errormessage.$Lang::tr{'ccd err isovpnnet'}."
"; return $errormessage; } - #check if we use a network-name/subnet that already exists + + #check if we try to use same network as another ovpn N2N + if($ownnet ne 'ovpn'){ + &readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfhash); + foreach my $key (keys %ovpnconfhash) { + if ($ovpnconfhash{$key}[3] eq 'net'){ + my @ovpnnet=split (/\//,$ovpnconfhash{$key}[11]); + if (&IpInSubnet($ip,$ovpnnet[0],&iporsubtodec($ovpnnet[1]))){ + $errormessage=$errormessage.$Lang::tr{'ccd err isovpnn2n'}." $ovpnconfhash{$key}[1]
"; + return $errormessage; + } + } + } + } + + #check if we use a network-name/subnet (static-ovpn) that already exists &readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); foreach my $key (keys %ccdconfhash) { @ccdconf=split(/\//,$ccdconfhash{$key}[1]); @@ -535,32 +557,45 @@ sub checksubnets my ($newip,$newsub) = split(/\//,$ccdnet); if (&IpInSubnet($newip,$ccdconf[0],&iporsubtodec($ccdconf[1]))) { - $errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}."
"; + $errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}." $ccdconfhash{$key}[0]
"; return $errormessage; } } + #check if we use a ipsec right network which is already defined - my %ipsecconf=(); - &General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf); - foreach my $key (keys %ipsecconf){ - if ($ipsecconf{$key}[11] ne ''){ - my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]); - $ipsecsub=&iporsubtodec($ipsecsub); - if($ipsecconf{$key}[1] ne $ccdname){ - if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){ - $errormessage=$Lang::tr{'ccd err isipsecnet'}." Name: $ipsecconf{$key}[1]"; - return $errormessage; + if($ownnet ne 'ipsec'){ + &General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf); + foreach my $key (keys %ipsecconf){ + if ($ipsecconf{$key}[11] ne ''){ + my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]); + $ipsecsub=&iporsubtodec($ipsecsub); + if($ipsecconf{$key}[1] ne $ccdname){ + if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){ + $errormessage=$Lang::tr{'ccd err isipsecnet'}." Name: $ipsecconf{$key}[1]"; + return $errormessage; + } } } } } + + #check if we use the ipsec RW Network (if defined) + &readhash("${General::swroot}/vpn/settings", \%vpnconf); + if ($vpnconf{'RW_NET'} ne ''){ + my ($ipsecrwnet,$ipsecrwsub)=split (/\//, $vpnconf{'RW_NET'}); + if (&IpInSubnet($ip,$ipsecrwnet,&iporsubtodec($ipsecrwsub))) + { + $errormessage=$errormessage.$Lang::tr{'ccd err isipsecrw'}."
"; + return $errormessage; + } + } + #check if we use one of ipfire's networks (green,orange,blue) - my %ownnet=(); &readhash("${General::swroot}/ethernet/settings", \%ownnet); - if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'GREEN_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;} - if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'ORANGE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;} - if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'BLUE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;} - if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'RED_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;} + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'GREEN_NETADDRESS'},&iporsubtodec($ownnet{'GREEN_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;} + if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'ORANGE_NETADDRESS'},&iporsubtodec($ownnet{'ORANGE_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;} + if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'BLUE_NETADDRESS'},&iporsubtodec($ownnet{'BLUE_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;} + if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'RED_NETADDRESS'},&iporsubtodec($ownnet{'RED_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err red'};return 
$errormessage;} } diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index d8fc89327..c315e9e5e 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -3509,8 +3509,13 @@ if ($cgiparams{'TYPE'} eq 'net') { unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; - } - + } + #Check if remote subnet is used elsewhere + my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'}); + $warnmessage=&General::checksubnets('',$n2nip,'ovpn'); + if ($warnmessage){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'})
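Review bot: The green/orange/blue/red checks now test only whether the new network's address lies inside the interface network (`&IpInSubnet($ip,$ownnet{'GREEN_NETADDRESS'},&iporsubtodec($ownnet{'GREEN_NETMASK'}))`), so a remote subnet that is larger than and contains green — constructed example: green 192.168.1.0/24, remote subnet 192.168.0.0/16 — is not flagged, assuming `IpInSubnet($addr,$net,$mask)` tests membership of `$addr` in `$net/$mask` as every other call here uses it. The removed lines tested the opposite direction; overlap needs both, e.g. for green `(&IpInSubnet($ip,$ownnet{'GREEN_NETADDRESS'},&iporsubtodec($ownnet{'GREEN_NETMASK'})) || &IpInSubnet($ownnet{'GREEN_NETADDRESS'},$ip,&iporsubtodec($cidr)))`, and likewise for the other three interfaces and for the ccd, N2N, IPsec and RW_NET loops above. The sub also ends on the red `if` with no trailing `return`, so when nothing matches the caller receives the value of that last condition rather than a defined empty string; add `return $errormessage;` as the final statement, since vpnmain.cgi compares the result with `ne ''`.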
".$warnmessage; + } } # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { @@ -4569,6 +4574,16 @@ END &Header::closebox(); } + if ($warnmessage) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); + print "$warnmessage
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } + my $sactive = "
$Lang::tr{'stopped'}
"; my $srunning = "no"; my $activeonrun = ""; diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 627b19159..8324ae771 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1225,7 +1225,7 @@ END } else { $errormessage = $Lang::tr{'invalid key'}; } - &General::firewall_reload(); + ### ### Choose between adding a host-net or net-net connection ### @@ -1407,14 +1407,13 @@ END goto VPNCONF_ERROR; } -#temporary disabled (BUG 10294) -# if ($cgiparams{'TYPE'} eq 'net'){ -# $errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'}); -# if ($errormessage ne ''){ -# goto VPNCONF_ERROR; -# } -# -# } + if ($cgiparams{'TYPE'} eq 'net'){ + $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec'); + if ($warnmessage ne ''){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) ".$warnmessage; + } + } + if ($cgiparams{'AUTH'} eq 'psk') { if (! length($cgiparams{'PSK'}) ) { $errormessage = $Lang::tr{'pre-shared key is too short'}; @@ -2612,6 +2611,16 @@ EOF &Header::closebox(); } + if ($warnmessage) { + &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); + print "$warnmessage
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } + &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); print < diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index e951b68b5..90222c425 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -481,7 +481,9 @@ 'ccd err iroute' => 'Netzadresse für Route ungültig.', 'ccd err irouteexist' => 'Diese Route wird bereits verwendet.', 'ccd err isipsecnet' => 'Diese Subnetzadresse wird bereits für ein IPsec-Netzwerk verwendet.', +'ccd err isipsecrw' => 'Diese Subnetzadresse wird bereits für das IPsec-RW Netz verwendet.', 'ccd err isovpnnet' => 'Subnetzadresse wird für bereits für den OpenVPN-Server verwendet!', +'ccd err isovpnn2n' => 'Subnetzadresse wird für bereits für ein OpenVPN N2N verwendet.', 'ccd err issubnet' => 'Subnetzadresse wird bereits verwendet.', 'ccd err name' => 'Es muss ein Name angegeben werden.', 'ccd err nameexist' => 'Name existiert bereits.', @@ -1005,6 +1007,7 @@ 'fwdfw use srcport' => 'Quellport:', 'fwdfw use srv' => 'Zielport:', 'fwdfw useless rule' => 'Diese Regel ist nicht sinnvoll.', +'fwdfw warn1' => 'Dies kann dazu führen, dass Firewallregeln auf Netze angewendet werden, für die sie nicht gedacht sind.', 'fwdfw wd_fri' => 'Fr', 'fwdfw wd_mon' => 'Mo', 'fwdfw wd_sat' => 'Sa', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index d8cfdc771..f614f58f2 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -499,8 +499,10 @@ 'ccd err invalidnet' => 'Invalid IP address. Format: 192.168.0.0/24 or 192.168.0.0/255.255.255.0.', 'ccd err iroute' => 'Network address for route is invalid.', 'ccd err irouteexist' => 'This route is already in use.', -'ccd err isipsecnet' => 'The given subnet address already used by an IPsec network.', +'ccd err isipsecnet' => 'The given subnet address is already used by an IPsec network.', +'ccd err isipsecrw' => 'The given subnet address is already used by the IPsec rw network.', 'ccd err isovpnnet' => 'Subnet address already in use for OpenVPN Server.', +'ccd err isovpnn2n' => 'Subnet address already in use for an OpenVPN N2N.', 'ccd err issubnet' => 'Subnet address already in use.', 'ccd err name' => 'Please choose a name.', 'ccd err nameexist' => 'Name already exists.', @@ -1031,6 +1033,7 @@ 'fwdfw use srcport' => 'Source port:', 'fwdfw use srv' => 'Destination port:', 'fwdfw useless rule' => 'This rule is useless.', +'fwdfw warn1' => 'This might lead to firewallrules which are applied to networks for which they are not intended to be.', 'fwdfw wd_fri' => 'Fri', 'fwdfw wd_mon' => 'Mon', 'fwdfw wd_sat' => 'Sat',