From: Alexander Marx Date: Mon, 26 Nov 2012 12:13:16 +0000 (+0100) Subject: OpenVPN ccd: created subnet checkfunction in general_functions, because ipsec needs... X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=e2429e8d3452e39128a8c8f2806b97314f9c9470 OpenVPN ccd: created subnet checkfunction in general_functions, because ipsec needs this too! This should prevent ipsec Hosts/Nets to have same ip addresses than openvpn Hosts/Nets --- diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 605556718..c14f9903f 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -399,6 +399,85 @@ sub validipandmask return 0; } +sub checksubnets +{ + + my %ccdconfhash=(); + my @ccdconf=(); + my $ccdname=$_[0]; + my $ccdnet=$_[1]; + my $errormessage; + my ($ip,$cidr)=split(/\//,$ccdnet); + $cidr=&iporsubtocidr($cidr); + + + #get OVPN-Subnet (dynamic range) + my %ovpnconf=(); + &readhash("${General::swroot}/ovpn/settings", \%ovpnconf); + my ($ovpnip,$ovpncidr)= split (/\//,$ovpnconf{'DOVPN_SUBNET'}); + $ovpncidr=&iporsubtocidr($ovpncidr); + + #check if we try to use same network as ovpn server + if ("$ip/$cidr" eq "$ovpnip/$ovpncidr") { + $errormessage=$errormessage.$Lang::tr{'ccd err isovpnnet'}."
"; + return $errormessage; + } + + #check if we use a network-name/subnet that already exists + &readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + @ccdconf=split(/\//,$ccdconfhash{$key}[1]); + if ($ccdname eq $ccdconfhash{$key}[0]) + { + $errormessage=$errormessage.$Lang::tr{'ccd err nameexist'}."
"; + return $errormessage; + } + my ($newip,$newsub) = split(/\//,$ccdnet); + if (&IpInSubnet($newip,$ccdconf[0],&iporsubtodec($ccdconf[1]))) + { + $errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}."
"; + return $errormessage; + } + + } + #check if we use a name which is already used by ovpn + + + + + + #check if we use a ipsec right network which is already defined + my %ipsecconf=(); + &General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf); + foreach my $key (keys %ipsecconf){ + if ($ipsecconf{$key}[11] ne ''){ + #$errormessage="DRIN!"; + #return $errormessage; + + my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]); + $ipsecsub=&iporsubtodec($ipsecsub); + + if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){ + $errormessage=$Lang::tr{'ccd err isipsecnet'}." Name: $ipsecconf{$key}[2]"; + return $errormessage; + } + } + } + + + #check if we use one of ipfire's networks (green,orange,blue) + my %ownnet=(); + &readhash("${General::swroot}/ethernet/settings", \%ownnet); + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'GREEN_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;} + if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'ORANGE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;} + if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'BLUE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;} + if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &IpInSubnet($ownnet{'RED_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;} + + + +} + + sub validport { $_ = $_[0]; diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 1c1af21cc..cd13a14bd 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -497,7 +497,6 @@ sub addccdnet my @ccdconf=(); my $ccdname=$_[0]; my $ccdnet=$_[1]; - my $ovpnsubnet=$_[2]; my $subcidr; my @ip2=(); my $checkup; @@ -532,29 +531,8 @@ sub addccdnet return; } + $errormessage=&General::checksubnets($ccdname,$ccdnet); - #check if we try to use same network as ovpn server - if (&General::iporsubtocidr($ccdnet) eq &General::iporsubtocidr($ovpnsubnet)) { - $errormessage=$errormessage.$Lang::tr{'ccd err isovpnnet'}."
"; - } - - #check if we use a name/subnet that already exists - &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); - foreach my $key (keys %ccdconfhash) { - @ccdconf=split(/\//,$ccdconfhash{$key}[1]); - if ($ccdname eq $ccdconfhash{$key}[0]) {$errormessage=$errormessage.$Lang::tr{'ccd err nameexist'}."
";} - my ($newip,$newsub) = split(/\//,$ccdnet); - if (&General::IpInSubnet($newip,$ccdconf[0],&General::iporsubtodec($ccdconf[1]))) {$errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}."
";} - - } - #check if we use one of ipfire's networks (green,orange,blue) - my %ownnet=(); - &General::readhash("${General::swroot}/ethernet/settings", \%ownnet); - if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'GREEN_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err green'};} - if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'ORANGE_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err orange'};} - if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'BLUE_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err blue'};} - if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'RED_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err red'};} - if (!$errormessage) { my %ccdconfhash=(); @@ -2588,7 +2566,7 @@ END } if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) { - &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'},$cgiparams{'DOVPN_SUBNET'}); + &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'}); } if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f7ab1eac1..e5061a69c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2231,6 +2231,7 @@ 'you can only define one roadwarrior connection when using pre-shared key authentication' => 'Sie können nur eine Roadwarrior Verbindung definieren, wenn die Pre-shared Schlüsselauthentifizierung verwendet wird.
Entweder haben Sie bereits eine Roadwarrior Verbindung mit Pre-shared Schlüsselauthentifizierung, oder Sie versuchen gerade eine hinzuzufügen.', 'your department' => 'Ihre Abteilung', 'your e-mail' => 'Ihre E-mail Adresse', +'ccd err isipsecnet' => 'Diese Subnetzadresse wird bereits für ein IPsec-Netzwerk verwendet.' ); #EOF diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 508055967..51c5bd02b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2264,6 +2264,7 @@ 'you can only define one roadwarrior connection when using pre-shared key authentication' => 'You can only define one Roadwarrior connection when using pre-shared key authentication.
Either you already have a Roadwarrior connection with pre-shared key authentication, or you\'re trying to add one now.', 'your department' => 'Your department', 'your e-mail' => 'Your e-mail address', +'ccd err isipsecnet' => 'The given subnet address already used by an IPsec network.', ); #EOF