Merge remote-tracking branch 'amarx/BETA3' into next

2026-04-09 18:45:54 +02:00 · 2014-03-13 15:32:00 +01:00
parent 9d870c49eb 03b08c08f0
commit 7e7788ea0b
5 changed files with 98 additions and 33 deletions
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -506,24 +506,46 @@ sub validipandmask

 sub checksubnets
 {
-	my %ccdconfhash=();			
-	my @ccdconf=();				
-	my $ccdname=$_[0];			
-	my $ccdnet=$_[1];			
+	my %ccdconfhash=();
+	my %ovpnconfhash=();
+	my %vpnconf=();
+	my %ipsecconf=();
+	my %ownnet=();
+	my %ovpnconf=();
+	my @ccdconf=();
+	my $ccdname=$_[0];
+	my $ccdnet=$_[1];
+	my $ownnet=$_[2];
 	my $errormessage;
 	my ($ip,$cidr)=split(/\//,$ccdnet);
 	$cidr=&iporsubtocidr($cidr);
+
 	#get OVPN-Subnet (dynamic range)
-	my %ovpnconf=();
 	&readhash("${General::swroot}/ovpn/settings", \%ovpnconf);
 	my ($ovpnip,$ovpncidr)= split (/\//,$ovpnconf{'DOVPN_SUBNET'});
 	$ovpncidr=&iporsubtocidr($ovpncidr);
+
 	#check if we try to use same network as ovpn server
 	if ("$ip/$cidr" eq "$ovpnip/$ovpncidr") {
 			$errormessage=$errormessage.$Lang::tr{'ccd err isovpnnet'}."<br>";
 			return $errormessage;
 	}
-	#check if we use a network-name/subnet that already exists
+
+	#check if we try to use same network as another ovpn N2N
+	if($ownnet ne 'ovpn'){
+		&readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfhash);
+		foreach my $key (keys %ovpnconfhash) {
+			if ($ovpnconfhash{$key}[3] eq 'net'){
+				my @ovpnnet=split (/\//,$ovpnconfhash{$key}[11]);
+				if (&IpInSubnet($ip,$ovpnnet[0],&iporsubtodec($ovpnnet[1]))){
+					$errormessage=$errormessage.$Lang::tr{'ccd err isovpnn2n'}." $ovpnconfhash{$key}[1] <br>";
+					return $errormessage;
+				}
+			}
+		}
+	}
+
+	#check if we use a network-name/subnet (static-ovpn) that already exists
 	&readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
 	foreach my $key (keys %ccdconfhash) {
 		@ccdconf=split(/\//,$ccdconfhash{$key}[1]);
@@ -535,32 +557,45 @@ sub checksubnets
 		my ($newip,$newsub) = split(/\//,$ccdnet);
 		if (&IpInSubnet($newip,$ccdconf[0],&iporsubtodec($ccdconf[1]))) 
 		{
-			$errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}."<br>";
+			$errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}." $ccdconfhash{$key}[0]<br>";
 			return $errormessage;
 		}
 	}
+
 	#check if we use a ipsec right network which is already defined
-	my %ipsecconf=();
-	&General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf);
-	foreach my $key (keys %ipsecconf){
-		if ($ipsecconf{$key}[11] ne ''){
-			my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]);
-			$ipsecsub=&iporsubtodec($ipsecsub);
-			if($ipsecconf{$key}[1] ne $ccdname){
-				if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){
-					$errormessage=$Lang::tr{'ccd err isipsecnet'}." Name:  $ipsecconf{$key}[1]";
-					return $errormessage;
+	if($ownnet ne 'ipsec'){
+		&General::readhasharray("${General::swroot}/vpn/config", \%ipsecconf);
+		foreach my $key (keys %ipsecconf){
+			if ($ipsecconf{$key}[11] ne ''){
+				my ($ipsecip,$ipsecsub) = split (/\//, $ipsecconf{$key}[11]);
+				$ipsecsub=&iporsubtodec($ipsecsub);
+				if($ipsecconf{$key}[1] ne $ccdname){
+					if ( &IpInSubnet ($ip,$ipsecip,$ipsecsub) ){
+						$errormessage=$Lang::tr{'ccd err isipsecnet'}." Name:  $ipsecconf{$key}[1]";
+						return $errormessage;
+					}
 				}
 			}
 		}
 	}
+
+	#check if we use the ipsec RW Network (if defined)
+	&readhash("${General::swroot}/vpn/settings", \%vpnconf);
+	if ($vpnconf{'RW_NET'} ne ''){
+		my ($ipsecrwnet,$ipsecrwsub)=split (/\//, $vpnconf{'RW_NET'});
+		if (&IpInSubnet($ip,$ipsecrwnet,&iporsubtodec($ipsecrwsub)))
+		{
+			$errormessage=$errormessage.$Lang::tr{'ccd err isipsecrw'}."<br>";
+			return $errormessage;
+		}
+	}
+
 	#check if we use one of ipfire's networks (green,orange,blue)
-	my %ownnet=();
 	&readhash("${General::swroot}/ethernet/settings", \%ownnet);
-	if (($ownnet{'GREEN_NETADDRESS'}  	ne '' && $ownnet{'GREEN_NETADDRESS'} 	ne '0.0.0.0') && &IpInSubnet($ownnet{'GREEN_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;}
-	if (($ownnet{'ORANGE_NETADDRESS'}	ne '' && $ownnet{'ORANGE_NETADDRESS'} 	ne '0.0.0.0') && &IpInSubnet($ownnet{'ORANGE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;}
-	if (($ownnet{'BLUE_NETADDRESS'} 	ne '' && $ownnet{'BLUE_NETADDRESS'} 	ne '0.0.0.0') && &IpInSubnet($ownnet{'BLUE_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;}
-	if (($ownnet{'RED_NETADDRESS'} 		ne '' && $ownnet{'RED_NETADDRESS'} 		ne '0.0.0.0') && &IpInSubnet($ownnet{'RED_NETADDRESS'},$ip,&iporsubtodec($cidr))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
+	if (($ownnet{'GREEN_NETADDRESS'}  	ne '' && $ownnet{'GREEN_NETADDRESS'} 	ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'GREEN_NETADDRESS'},&iporsubtodec($ownnet{'GREEN_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err green'};return $errormessage;}
+	if (($ownnet{'ORANGE_NETADDRESS'}	ne '' && $ownnet{'ORANGE_NETADDRESS'} 	ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'ORANGE_NETADDRESS'},&iporsubtodec($ownnet{'ORANGE_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err orange'};return $errormessage;}
+	if (($ownnet{'BLUE_NETADDRESS'} 	ne '' && $ownnet{'BLUE_NETADDRESS'} 	ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'BLUE_NETADDRESS'},&iporsubtodec($ownnet{'BLUE_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err blue'};return $errormessage;}
+	if (($ownnet{'RED_NETADDRESS'} 		ne '' && $ownnet{'RED_NETADDRESS'} 		ne '0.0.0.0') && &IpInSubnet($ip,$ownnet{'RED_NETADDRESS'},&iporsubtodec($ownnet{'RED_NETMASK'}))){ $errormessage=$Lang::tr{'ccd err red'};return $errormessage;}
 }


--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -3509,8 +3509,13 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		  unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
 	    rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
 		  goto VPNCONF_ERROR;
-		}
-   
+	}
+	#Check if remote subnet is used elsewhere
+	my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
+	$warnmessage=&General::checksubnets('',$n2nip,'ovpn');
+	if ($warnmessage){
+		$warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
+	}
 }

 #	if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
@@ -4569,6 +4574,16 @@ END
 	&Header::closebox();
    }

+	if ($warnmessage) {
+		&Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
+		print "$warnmessage<br>";
+		print "$Lang::tr{'fwdfw warn1'}<br>";
+		&Header::closebox();
+		print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
+		&Header::closepage();
+		exit 0;
+	}
+
    my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
    my $srunning = "no";
    my $activeonrun = "";
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1407,14 +1407,13 @@ END
 	    goto VPNCONF_ERROR;
 	}

-#temporary disabled (BUG 10294)
-#	if ($cgiparams{'TYPE'} eq 'net'){
-#		$errormessage=&General::checksubnets($cgiparams{'NAME'},$cgiparams{'REMOTE_SUBNET'});
-#		if ($errormessage ne ''){
-#			goto VPNCONF_ERROR;
-#		}
-#		
-#	}
+	if ($cgiparams{'TYPE'} eq 'net'){
+		$warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec');
+		if ($warnmessage ne ''){
+			$warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
+		}
+	}
+
 	if ($cgiparams{'AUTH'} eq 'psk') {
 	    if (! length($cgiparams{'PSK'}) ) {
 		$errormessage = $Lang::tr{'pre-shared key is too short'};
@@ -2612,6 +2611,16 @@ EOF
 	&Header::closebox();
    }

+	if ($warnmessage) {
+		&Header::openbox('100%', 'left', $Lang::tr{'warning messages'});
+		print "$warnmessage<br>";
+		print "$Lang::tr{'fwdfw warn1'}<br>";
+		&Header::closebox();
+		print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
+		&Header::closepage();
+		exit 0;
+	}
+
    &Header::openbox('100%', 'left', $Lang::tr{'global settings'});
    print <<END
    <form method='post' action='$ENV{'SCRIPT_NAME'}'>
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -481,7 +481,9 @@
 'ccd err iroute' => 'Netzadresse für Route ungültig.',
 'ccd err irouteexist' => 'Diese Route wird bereits verwendet.',
 'ccd err isipsecnet' => 'Diese Subnetzadresse wird bereits für ein IPsec-Netzwerk verwendet.',
+'ccd err isipsecrw' => 'Diese Subnetzadresse wird bereits für das IPsec-RW Netz verwendet.',
 'ccd err isovpnnet' => 'Subnetzadresse wird für bereits für den OpenVPN-Server verwendet!',
+'ccd err isovpnn2n' => 'Subnetzadresse wird für bereits für ein OpenVPN N2N verwendet.',
 'ccd err issubnet' => 'Subnetzadresse wird bereits verwendet.',
 'ccd err name' => 'Es muss ein Name angegeben werden.',
 'ccd err nameexist' => 'Name existiert bereits.',
@@ -1006,6 +1008,7 @@
 'fwdfw use srcport' => 'Quellport:',
 'fwdfw use srv' => 'Zielport:',
 'fwdfw useless rule' => 'Diese Regel ist nicht sinnvoll.',
+'fwdfw warn1' => 'Dies kann dazu führen, dass Firewallregeln auf Netze angewendet werden, für die sie nicht gedacht sind.',
 'fwdfw wd_fri' => 'Fr',
 'fwdfw wd_mon' => 'Mo',
 'fwdfw wd_sat' => 'Sa',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -499,8 +499,10 @@
 'ccd err invalidnet' => 'Invalid IP address. Format: 192.168.0.0/24 or 192.168.0.0/255.255.255.0.',
 'ccd err iroute' => 'Network address for route is invalid.',
 'ccd err irouteexist' => 'This route is already in use.',
-'ccd err isipsecnet' => 'The given subnet address already used by an IPsec network.',
+'ccd err isipsecnet' => 'The given subnet address is already used by an IPsec network.',
+'ccd err isipsecrw' => 'The given subnet address is already used by the IPsec rw network.',
 'ccd err isovpnnet' => 'Subnet address already in use for OpenVPN Server.',
+'ccd err isovpnn2n' => 'Subnet address already in use for an OpenVPN N2N.',
 'ccd err issubnet' => 'Subnet address already in use.',
 'ccd err name' => 'Please choose a name.',
 'ccd err nameexist' => 'Name already exists.',
@@ -1032,6 +1034,7 @@
 'fwdfw use srcport' => 'Source port:',
 'fwdfw use srv' => 'Destination port:',
 'fwdfw useless rule' => 'This rule is useless.',
+'fwdfw warn1' => 'This might lead to firewallrules which are applied to networks for which they are not intended to be.',
 'fwdfw wd_fri' => 'Fri',
 'fwdfw wd_mon' => 'Mon',
 'fwdfw wd_sat' => 'Sat',