author | Erik Fonnesbeck <efonnes@gmail.com> | 2010-05-20 10:48:39 -0600 |
---|---|---|
committer | Erik Fonnesbeck <efonnes@gmail.com> | 2010-05-20 10:55:02 -0600 |
commit | 9603306327f07205ac69ea99b8c0666ba9dc8a1d (patch) | |
tree | 105765d1e09bbb9eea4dacfb7ff0f2cb1f943a89 | |
parent | 986a3accd40a7d45c0a3d48d2b42d2c58a231d99 (diff) | |
download | pfsense-9603306327f07205ac69ea99b8c0666ba9dc8a1d.zip pfsense-9603306327f07205ac69ea99b8c0666ba9dc8a1d.tar.gz |
Various fixes to usage of ip2long, long2ip, and negated subnet masks, mostly affecting 64-bit. Ticket #459
-rw-r--r-- | etc/inc/openvpn.inc | 18 | ||||
-rw-r--r-- | etc/inc/util.inc | 26 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 10 | ||||
-rwxr-xr-x | usr/local/www/diag_dhcp_leases.php | 4 | ||||
-rw-r--r-- | usr/local/www/diag_states_summary.php | 2 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 4 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_out_edit.php | 6 | ||||
-rwxr-xr-x | usr/local/www/services_dhcp.php | 20 | ||||
-rwxr-xr-x | usr/local/www/services_dhcp_edit.php | 12 | ||||
-rw-r--r-- | usr/local/www/vpn_l2tp.php | 8 | ||||
-rwxr-xr-x | usr/local/www/vpn_pppoe.php | 8 | ||||
-rwxr-xr-x | usr/local/www/vpn_pptp.php | 8 |
12 files changed, 68 insertions, 58 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc index 72630e7..3fe4574 100644 --- a/etc/inc/openvpn.inc +++ b/etc/inc/openvpn.inc @@ -363,9 +363,9 @@ function openvpn_reconfigure($mode,& $settings) { switch($settings['mode']) { case 'p2p_tls': case 'p2p_shared_key': - $baselong = ip2long($ip) & ip2long($mask); - $ip1 = long2ip($baselong + 1); - $ip2 = long2ip($baselong + 2); + $baselong = ip2long32($ip) & ip2long($mask); + $ip1 = long2ip32($baselong + 1); + $ip2 = long2ip32($baselong + 2); $conf .= "ifconfig $ip1 $ip2\n"; break; case 'server_tls': @@ -463,9 +463,9 @@ function openvpn_reconfigure($mode,& $settings) { if (!empty($settings['tunnel_network'])) { list($ip, $mask) = explode('/', $settings['tunnel_network']); $mask = gen_subnet_mask($mask); - $baselong = ip2long($ip) & ip2long($mask); - $ip1 = long2ip($baselong + 1); - $ip2 = long2ip($baselong + 2); + $baselong = ip2long32($ip) & ip2long($mask); + $ip1 = long2ip32($baselong + 1); + $ip2 = long2ip32($baselong + 2); $conf .= "ifconfig $ip2 $ip1\n"; } @@ -626,9 +626,9 @@ function openvpn_resync_csc(& $settings) { if (!empty($settings['tunnel_network'])) { list($ip, $mask) = explode('/', $settings['tunnel_network']); - $baselong = ip2long($ip) & gen_subnet_mask_long($mask); - $ip1 = long2ip($baselong + 1); - $ip2 = long2ip($baselong + 2); + $baselong = ip2long32($ip) & gen_subnet_mask_long($mask); + $ip1 = long2ip32($baselong + 1); + $ip2 = long2ip32($baselong + 2); $conf .= "ifconfig-push {$ip1} {$ip2}\n"; } diff --git a/etc/inc/util.inc b/etc/inc/util.inc index 930f9ac..0828bbf 100644 --- a/etc/inc/util.inc +++ b/etc/inc/util.inc @@ -198,7 +198,7 @@ function gen_subnet_max($ipaddr, $bits) { if (!is_ipaddr($ipaddr) || !is_numeric($bits)) return ""; - return long2ip(ip2long($ipaddr) | ~gen_subnet_mask_long($bits)); + return long2ip32(ip2long($ipaddr) | ~gen_subnet_mask_long($bits)); } /* returns a subnet mask (long given a bit count) */ 
@@ -216,9 +216,19 @@ function gen_subnet_mask($bits) { return long2ip(gen_subnet_mask_long($bits)); } +/* Convert long int to IP address, truncating to 32-bits. */ +function long2ip32($ip) { + return long2ip($ip & 0xFFFFFFFF); +} + +/* Convert IP address to long int, truncated to 32-bits to avoid sign extension on 64-bit platforms. */ +function ip2long32($ip) { + return ( ip2long($ip) & 0xFFFFFFFF ); +} + /* Convert IP address to unsigned long int. */ function ip2ulong($ip) { - return sprintf("%u", ip2long($ip)); + return sprintf("%u", ip2long32($ip)); } /* Find out how many IPs are contained within a given IP range @@ -246,12 +256,12 @@ function find_smallest_cidr($number) { /* Return the previous IP address before the given address */ function ip_before($ip) { - return long2ip(ip2long($ip)-1); + return long2ip32(ip2long($ip)-1); } /* Return the next IP address after the given address */ function ip_after($ip) { - return long2ip(ip2long($ip)+1); + return long2ip32(ip2long($ip)+1); } /* Return true if the first IP is 'before' the second */ @@ -347,7 +357,7 @@ function is_ipaddr($ipaddr) { return false; $ip_long = ip2long($ipaddr); - $ip_reverse = long2ip($ip_long); + $ip_reverse = long2ip32($ip_long); if ($ipaddr == $ip_reverse) return true; @@ -891,9 +901,9 @@ function check_subnets_overlap($subnet1, $bits1, $subnet2, $bits2) { /* compare two IP addresses */ function ipcmp($a, $b) { - if (ip2long($a) < ip2long($b)) + if (ip_less_than($a, $b)) return -1; - else if (ip2long($a) > ip2long($b)) + else if (ip_greater_than($a, $b)) return 1; else return 0; @@ -902,7 +912,7 @@ function ipcmp($a, $b) { /* return true if $addr is in $subnet, false if not */ function ip_in_subnet($addr,$subnet) { list($ip, $mask) = explode('/', $subnet); - $mask = 0xffffffff << (32 - $mask); + $mask = (0xffffffff << (32 - $mask)) & 0xffffffff; return ((ip2long($addr) & $mask) == (ip2long($ip) & $mask)); } diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index f2343e1..c874a83 100644 
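Review bot: The new `ip2long32()` helper turns a failed parse into a valid-looking address, because `ip2long()` returns `false` for a malformed string and `false & 0xFFFFFFFF` evaluates to `0`. Callers in this commit, such as the `tunnel_network` handling in openvpn.inc, pass it one half of an `explode('/')` result and write `$baselong + 1` straight into the generated config, so a bad value would yield addresses under 0.0.0.0 rather than an error (whether the input is validated earlier is not visible here). Consider keeping the failure visible, e.g. `$l = ip2long($ip); return ($l === false) ? false : ($l & 0xFFFFFFFF);`. The comments on both helpers could also state that the result is an unsigned 32-bit value.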
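Review bot: In `ip_in_subnet()` the prefix length taken from `explode('/', $subnet)` goes into the shift without any check. If `$subnet` has no `/` part, `$mask` is null, the shift count becomes 32 and, on a 64-bit build, the new `& 0xffffffff` leaves a mask of 0, so every address compares as inside the subnet. A guard before the shift, such as `if (!is_numeric($mask) || $mask < 0 || $mask > 32) return false;`, would make the function fail closed. The function is fully visible in this hunk.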
--- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -343,8 +343,8 @@ function vpn_ipsec_configure($ipchg = false) $pool_address = $a_client['pool_address']; $pool_netmask = gen_subnet_mask($a_client['pool_netbits']); - $pool_address = long2ip(ip2long($pool_address)+1); - $pool_size = ~ip2long($pool_netmask) - 2; + $pool_address = long2ip32(ip2long($pool_address)+1); + $pool_size = (~ip2long($pool_netmask) & 0xFFFFFFFF) - 2; $racoonconf .= "\tpool_size {$pool_size};\n"; $racoonconf .= "\tnetwork4 {$pool_address};\n"; @@ -1012,7 +1012,7 @@ EOD; for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) { - $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i); + $clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i); $mpdconf .= <<<EOD @@ -1219,7 +1219,7 @@ EOD; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { - $clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i); + $clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i); if (isset ($pppoecfg['radius']['radiusissueips']) && isset ($pppoecfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; @@ -1409,7 +1409,7 @@ EOD; for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) { - $clientip = long2ip(ip2long($l2tpcfg['remoteip']) + $i); + $clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i); if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0"; diff --git a/usr/local/www/diag_dhcp_leases.php b/usr/local/www/diag_dhcp_leases.php index 1496685..58e8351 100755 --- a/usr/local/www/diag_dhcp_leases.php +++ b/usr/local/www/diag_dhcp_leases.php @@ -328,7 +328,7 @@ foreach ($leases as $data) { } else { $fspans = $fspane = ""; } - $lip = ip2long($data['ip']); + $lip = ip2ulong($data['ip']); if ($data['act'] == "static") { foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) { if(is_array($dhcpifconf['staticmap'])) { 
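Review bot: `$pool_size` on the new line can come out negative: for a `pool_netbits` of 31 or 32 the masked complement is 1 or 0, and subtracting 2 gives -1 or -2, which is then written into `$racoonconf` as `pool_size`. The hunk does not show whether `pool_netbits` is range-checked before this point, so a lower bound here would be a cheap safety net, e.g. `$pool_size = max(0, (~ip2long($pool_netmask) & 0xFFFFFFFF) - 2);`, or skip the pool lines when the result is not positive. `vpn_ipsec_configure()` starts and ends outside the hunk.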
@@ -345,7 +345,7 @@ foreach ($leases as $data) { } } else { foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) { - if (($lip >= ip2long($dhcpifconf['range']['from'])) && ($lip <= ip2long($dhcpifconf['range']['to']))) { + if (($lip >= ip2ulong($dhcpifconf['range']['from'])) && ($lip <= ip2ulong($dhcpifconf['range']['to']))) { $data['if'] = $dhcpif; break; } diff --git a/usr/local/www/diag_states_summary.php b/usr/local/www/diag_states_summary.php index 45600a0..40d064f 100644 --- a/usr/local/www/diag_states_summary.php +++ b/usr/local/www/diag_states_summary.php @@ -99,7 +99,7 @@ if(count($states) > 0) { } function sort_by_ip($a, $b) { - return sprintf("%u", ip2long($a)) < sprintf("%u", ip2long($b)) ? -1 : 1; + return ip2ulong($a) < ip2ulong($b) ? -1 : 1; } function build_port_info($portarr, $proto) { diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 11744ae..d7806b1 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -625,10 +625,10 @@ include("fbegin.inc"); ?> <?php if (is_array($config['virtualip']['vip'])): foreach ($config['virtualip']['vip'] as $sn): if ($sn['mode'] == "proxyarp" && $sn['type'] == "network"): - $baseip = ip2long($sn['subnet']) & ip2long(gen_subnet_mask($sn['subnet_bits'])); + $baseip = ip2long32($sn['subnet']) & ip2long(gen_subnet_mask($sn['subnet_bits'])); for ($i = $sn['subnet_bits'] - 1; $i <= 32; $i++): - $snip = long2ip($baseip); + $snip = long2ip32($baseip); ?> <option value="<?=$snip;?>" <?php if ($snip == $pconfig['dst']) echo "selected"; ?>><?=htmlspecialchars("{$snip} ({$sn['descr']})");?></option> <?php $baseip = $baseip + 1; ?> diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 483aec1..e5fb88a 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php 
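Review bot: In firewall_nat_edit.php the loop bound `for ($i = $sn['subnet_bits'] - 1; $i <= 32; $i++)` counts prefix bits, not addresses, so the number of `<option>` entries is `34 - subnet_bits`, which equals the subnet size only for a /30. For a /32 proxy-ARP network it lists two addresses, the second outside the VIP, and for a /24 it lists only the first ten. The firewall_nat_out_edit.php hunk has the same pattern. If the intent is to offer every address in the range, the bound should come from the address count, for example `$count = 1 << (32 - $sn['subnet_bits']);`, with a cap on the list length.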
@@ -421,14 +421,14 @@ any)</td> <?php if (is_array($config['virtualip']['vip'])): foreach ($config['virtualip']['vip'] as $sn): if ($sn['mode'] == "proxyarp" && $sn['type'] == "network"): - $baseip = ip2long($sn['subnet']) & ip2long(gen_subnet_mask($sn['subnet_bits'])); - $snip = long2ip($baseip); + $baseip = ip2long32($sn['subnet']) & ip2long(gen_subnet_mask($sn['subnet_bits'])); + $snip = long2ip32($baseip); ?> <option value="<?=$snip;?>" <?php if ($snip == $pconfig['target']) echo "selected"; ?>><?=htmlspecialchars("{$snip} ({$sn['descr']})");?></option> <?php for ($i = $sn['subnet_bits']; $i <= 32; $i++): $baseip = $baseip + 1; - $snip = long2ip($baseip); + $snip = long2ip32($baseip); ?> <option value="<?=$snip;?>" <?php if ($snip == $pconfig['target']) echo "selected"; ?>><?=htmlspecialchars("{$snip} ({$sn['descr']})");?></option> <?php endfor; ?> diff --git a/usr/local/www/services_dhcp.php b/usr/local/www/services_dhcp.php index cc3d1e4..b72258f 100755 --- a/usr/local/www/services_dhcp.php +++ b/usr/local/www/services_dhcp.php @@ -181,7 +181,7 @@ if(is_array($dhcrelaycfg)) { } function is_inrange($test, $start, $end) { - if ( (ip2long($test) < ip2long($end)) && (ip2long($test) > ip2long($start)) ) + if ( (ip2ulong($test) < ip2ulong($end)) && (ip2ulong($test) > ip2ulong($start)) ) return true; else return false; 
@@ -242,15 +242,15 @@ if ($_POST) { if (!$input_errors) { /* make sure the range lies within the current subnet */ - $subnet_start = (ip2long($ifcfgip) & gen_subnet_mask_long($ifcfgsn)); - $subnet_end = (ip2long($ifcfgip) | (~gen_subnet_mask_long($ifcfgsn))); + $subnet_start = ip2ulong(long2ip32(ip2long($ifcfgip) & gen_subnet_mask_long($ifcfgsn))); + $subnet_end = ip2ulong(long2ip32(ip2long($ifcfgip) | (~gen_subnet_mask_long($ifcfgsn)))); - if ((ip2long($_POST['range_from']) < $subnet_start) || (ip2long($_POST['range_from']) > $subnet_end) || - (ip2long($_POST['range_to']) < $subnet_start) || (ip2long($_POST['range_to']) > $subnet_end)) { + if ((ip2ulong($_POST['range_from']) < $subnet_start) || (ip2ulong($_POST['range_from']) > $subnet_end) || + (ip2ulong($_POST['range_to']) < $subnet_start) || (ip2ulong($_POST['range_to']) > $subnet_end)) { $input_errors[] = "The specified range lies outside of the current subnet."; } - if (ip2long($_POST['range_from']) > ip2long($_POST['range_to'])) + if (ip2ulong($_POST['range_from']) > ip2ulong($_POST['range_to'])) $input_errors[] = "The range is invalid (first element higher than second element)."; /* make sure that the DHCP Relay isn't enabled on this interface */ @@ -534,15 +534,15 @@ include("head.inc"); <td width="22%" valign="top" class="vncellreq">Available range</td> <td width="78%" class="vtable"> <?php - $range_from = ip2long(long2ip(ip2long($ifcfgip) & gen_subnet_mask_long($ifcfgsn))); + $range_from = ip2long(long2ip32(ip2long($ifcfgip) & gen_subnet_mask_long($ifcfgsn))); $range_from++; - echo long2ip($range_from); + echo long2ip32($range_from); ?> - <?php - $range_to = ip2long(long2ip(ip2long($ifcfgip) | (~gen_subnet_mask_long($ifcfgsn)))); + $range_to = ip2long(long2ip32(ip2long($ifcfgip) | (~gen_subnet_mask_long($ifcfgsn)))); $range_to--; - echo long2ip($range_to); + echo long2ip32($range_to); ?> </td> </tr> 
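Review bot: The range check in the `-242` hunk accepts the subnet's network and broadcast addresses as pool endpoints, because `$subnet_start` and `$subnet_end` are the first and last addresses of the subnet and the comparisons are strict `<` and `>`. The "Available range" display in the `-534` hunk already excludes both by incrementing and decrementing them, so the form advertises a narrower range than it validates. Using `<=` and `>=` in the four comparisons, e.g. `ip2ulong($_POST['range_from']) <= $subnet_start`, would align the two. The enclosing `if ($_POST)` block continues outside the hunk.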
diff --git a/usr/local/www/services_dhcp_edit.php b/usr/local/www/services_dhcp_edit.php index d44fb9b..86fefe3 100755 --- a/usr/local/www/services_dhcp_edit.php +++ b/usr/local/www/services_dhcp_edit.php @@ -140,12 +140,12 @@ if ($_POST) { /* make sure it's not within the dynamic subnet */ if ($_POST['ipaddr']) { - $dynsubnet_start = ip2long($config['dhcpd'][$if]['range']['from']); - $dynsubnet_end = ip2long($config['dhcpd'][$if]['range']['to']); - $lansubnet_start = (ip2long($ifcfgip) & gen_subnet_mask_long($ifcfgsn)); - $lansubnet_end = (ip2long($ifcfgip) | (~gen_subnet_mask_long($ifcfgsn))); - if ((ip2long($_POST['ipaddr']) < $lansubnet_start) || - (ip2long($_POST['ipaddr']) > $lansubnet_end)) { + $dynsubnet_start = ip2ulong($config['dhcpd'][$if]['range']['from']); + $dynsubnet_end = ip2ulong($config['dhcpd'][$if]['range']['to']); + $lansubnet_start = ip2ulong(long2ip32(ip2long($ifcfgip) & gen_subnet_mask_long($ifcfgsn))); + $lansubnet_end = ip2ulong(long2ip32(ip2long($ifcfgip) | (~gen_subnet_mask_long($ifcfgsn)))); + if ((ip2ulong($_POST['ipaddr']) < $lansubnet_start) || + (ip2ulong($_POST['ipaddr']) > $lansubnet_end)) { $input_errors[] = "The IP address must lie in the {$ifcfgdescr} subnet."; } } diff --git a/usr/local/www/vpn_l2tp.php b/usr/local/www/vpn_l2tp.php index 025e30f..2b61209 100644 --- a/usr/local/www/vpn_l2tp.php +++ b/usr/local/www/vpn_l2tp.php 
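Review bot: The comment says the static mapping must not fall within the dynamic range, but inside the `if ($_POST['ipaddr'])` block shown here `$dynsubnet_start` and `$dynsubnet_end` are assigned and never compared; only the interface-subnet check runs. If that is intentional, the two assignments and the comment should go. Otherwise the missing test would be `if ((ip2ulong($_POST['ipaddr']) >= $dynsubnet_start) && (ip2ulong($_POST['ipaddr']) <= $dynsubnet_end))`, adding an entry to `$input_errors`.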
@@ -95,11 +95,11 @@ if ($_POST) { if (!$input_errors) { $_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $_POST['l2tp_subnet']); - $subnet_start = ip2long($_POST['remoteip']); - $subnet_end = ip2long($_POST['remoteip']) + $_POST['n_l2tp_units'] - 1; + $subnet_start = ip2ulong($_POST['remoteip']); + $subnet_end = ip2ulong($_POST['remoteip']) + $_POST['n_l2tp_units'] - 1; - if ((ip2long($_POST['localip']) >= $subnet_start) && - (ip2long($_POST['localip']) <= $subnet_end)) { + if ((ip2ulong($_POST['localip']) >= $subnet_start) && + (ip2ulong($_POST['localip']) <= $subnet_end)) { $input_errors[] = gettext("The specified server address lies in the remote subnet."); } if ($_POST['localip'] == get_interface_ip("lan")) { diff --git a/usr/local/www/vpn_pppoe.php b/usr/local/www/vpn_pppoe.php index 7b0cd41..d95302e 100755 --- a/usr/local/www/vpn_pppoe.php +++ b/usr/local/www/vpn_pppoe.php @@ -98,11 +98,11 @@ if ($_POST) { if (!$input_errors) { $_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $_POST['pppoe_subnet']); - $subnet_start = ip2long($_POST['remoteip']); - $subnet_end = ip2long($_POST['remoteip']) + $_POST['pppoe_subnet'] - 1; + $subnet_start = ip2ulong($_POST['remoteip']); + $subnet_end = ip2ulong($_POST['remoteip']) + $_POST['pppoe_subnet'] - 1; - if ((ip2long($_POST['localip']) >= $subnet_start) && - (ip2long($_POST['localip']) <= $subnet_end)) { + if ((ip2ulong($_POST['localip']) >= $subnet_start) && + (ip2ulong($_POST['localip']) <= $subnet_end)) { $input_errors[] = "The specified server address lies in the remote subnet."; } if ($_POST['localip'] == get_interface_ip("lan")) { diff --git a/usr/local/www/vpn_pptp.php b/usr/local/www/vpn_pptp.php index 5aae209..1c88670 100755 --- a/usr/local/www/vpn_pptp.php +++ b/usr/local/www/vpn_pptp.php 
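Review bot: In vpn_pppoe.php the end of the client range is computed as `ip2ulong($_POST['remoteip']) + $_POST['pppoe_subnet'] - 1`, which adds the prefix length where the L2TP and PPTP pages add the unit count. vpn.inc in this same commit assigns client addresses with `$i < $pppoecfg['n_pppoe_units']`, so the overlap check against `localip` probably covers a different span than the addresses actually handed out, and a server address inside the client range could pass. If that reading is right, the line should be `$subnet_end = ip2ulong($_POST['remoteip']) + $_POST['n_pppoe_units'] - 1;`.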
@@ -99,11 +99,11 @@ if ($_POST) { } if (!$input_errors) { - $subnet_start = ip2long($_POST['remoteip']); - $subnet_end = ip2long($_POST['remoteip']) + $_POST['n_pptp_units'] - 1; + $subnet_start = ip2ulong($_POST['remoteip']); + $subnet_end = ip2ulong($_POST['remoteip']) + $_POST['n_pptp_units'] - 1; - if ((ip2long($_POST['localip']) >= $subnet_start) && - (ip2long($_POST['localip']) <= $subnet_end)) { + if ((ip2ulong($_POST['localip']) >= $subnet_start) && + (ip2ulong($_POST['localip']) <= $subnet_end)) { $input_errors[] = "The specified server address lies in the remote subnet."; } // TODO: Should this check be for any local IP address? |