
Revision 7c4e29cb

Added by Jim Pingle almost 7 years ago

VTI input validation. Fixes #8674

Add input validation to prevent switching away from VTI or deleting a
VTI P1/P2 which belongs to an assigned interface, since this would break
the interface assignment and cause an interface mismatch at the next
boot.


src/etc/inc/interfaces.inc
1227 1227
	}
1228 1228

  
1229 1229
	/* With IKEv1 or v2+Split, each P2 gets its own conn/reqid/interface */
1230
	if (!isset($ph1ent['mobile']) && ($keyexchange == 'ikev1' || isset($ph1ent['splitconn']))) {
1230
	if (!isset($ph1ent['mobile']) && ($ph1ent['iketype'] == 'ikev1' || isset($ph1ent['splitconn']))) {
1231 1231
		foreach ($vtisubnet_spec as $idx => $vtisub) {
1232 1232
			$iface_list["ipsec{$ph1ent['ikeid']}00{$idx}"] = gettext("IPsec VTI") . ": ".htmlspecialchars($ph1ent['descr'] . " / " . $vtisub['descr']);
1233 1233
		}
......
1251 1251
	return $iface_list;
1252 1252
}
1253 1253

  
1254
function is_interface_ipsec_vti_assigned($phase2) {
1255
	$phase1 = ipsec_get_phase1($phase2['ikeid']);
1256
	$vti_interface = null;
1257
	$vtisubnet_spec = ipsec_vti($phase1, true);
1258
	if (($vtisubnet_spec && is_array($vtisubnet_spec))) {
1259
		/* With IKEv1 or v2+Split, each P2 gets its own conn/reqid/interface */
1260
		if (!isset($phase1['mobile']) && ($phase1['iketype'] == 'ikev1' || isset($phase1['splitconn']))) {
1261
			foreach ($vtisubnet_spec as $idx => $vtisub) {
1262
				/* Is this for this P2? */
1263
				if (($vtisub['left'] == ipsec_idinfo_to_cidr($phase2['localid'], true, $phase2['mode'])) &&
1264
				    ($vtisub['right'] == ipsec_idinfo_to_cidr($phase2['remoteid'], false, $phase2['mode']))) {
1265
					$vti_interface = "ipsec{$phase1['ikeid']}00{$idx}";
1266
				}
1267
			}
1268
		} else {
1269
			$vti_interface = "ipsec{$phase1['ikeid']}000";
1270
		}
1271
	}
1272
	/* Check if this interface is assigned */
1273
	return (does_interface_exist($vti_interface) && (convert_real_interface_to_friendly_interface_name($vti_interface) != null));
1274
}
1254 1275
function interface_ipsec_vti_configure($ph1ent) {
1255 1276
	global $config;
1256 1277

  
......
1269 1290
	$iface_addrs = array();
1270 1291

  
1271 1292
	/* With IKEv1 or v2+Split, each P2 gets its own conn/reqid/interface */
1272
	if (!isset($ph1ent['mobile']) && ($keyexchange == 'ikev1' || isset($ph1ent['splitconn']))) {
1293
	if (!isset($ph1ent['mobile']) && ($ph1ent['iketype'] == 'ikev1' || isset($ph1ent['splitconn']))) {
1273 1294
		/* Form a single interface for each P2 entry */
1274 1295
		foreach ($vtisubnet_spec as $idx => $vtisub) {
1275 1296
			$ipsecifnum = "{$ph1ent['ikeid']}00{$idx}";
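Review bot: In the new is_interface_ipsec_vti_assigned() (hunk lines 1254–1274), when no P2 matches the loop, `$vti_interface` is still `null` at the final return, so `does_interface_exist()` and `convert_real_interface_to_friendly_interface_name()` are called with a null argument; an explicit guard before the return, `if ($vti_interface === null) { return false; }`, makes the "not a VTI P2" outcome independent of how those helpers treat null. The same applies to `$phase1`, which comes straight from `ipsec_get_phase1($phase2['ikeid'])` and is indexed without checking the lookup succeeded — presumably an unknown ikeid yields an empty or false result, in which case `ipsec_vti($phase1, true)` and the `$phase1['ikeid']` interpolation run on missing data; `if (empty($phase1)) { return false; }` right after the lookup would make that explicit. The function also has no doc comment; a short block stating that it returns true only when the VTI interface derived for this P2 (one interface per P2 under IKEv1 or v2 with splitconn, otherwise the single ipsec<ikeid>000 interface) exists and is currently assigned would help the validation callers this commit introduces. Lines 1260, 1263–1264 and 1273 use loose `==`/`!=` on string values; `===`/`!==` would express the intended exact match more strictly.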
