diff options
author | Renato Botelho <garga@FreeBSD.org> | 2015-04-15 09:24:02 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2015-04-15 09:24:02 -0300 |
commit | fc70ad875b4c677d6db2b83b99f1ca5d3fe6a77f (patch) | |
tree | dfd87aed2c9171bc9720f625a4ab473102a4762a | |
parent | 2195baef904dea932c8e36d8ef041e9b2e31e646 (diff) | |
parent | 3490b8ddaea5944d9dd4b93ab1f28398170ee181 (diff) | |
download | pfsense-fc70ad875b4c677d6db2b83b99f1ca5d3fe6a77f.zip pfsense-fc70ad875b4c677d6db2b83b99f1ca5d3fe6a77f.tar.gz |
Merge pull request #1601 from phil-davis/check-overlapping-subnets
-rw-r--r-- | etc/inc/pfsense-utils.inc | 94 | ||||
-rw-r--r-- | usr/local/www/interfaces.php | 20 |
2 files changed, 92 insertions, 22 deletions
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 7a3d378..7ee8b09 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2719,13 +2719,41 @@ function load_mac_manufacturer_table() { * INPUTS * IP Address to check. * If ignore_if is a VIP (not carp), vip array index is passed after string _virtualip + * check_localip - if true then also check for matches with PPTP and LT2P addresses + * check_subnets - if true then check if the given ipaddr is contained anywhere in the subnet of any other configured IP address + * cidrprefix - the CIDR prefix (16, 20, 24, 64...) of ipaddr. + * If check_subnets is true and cidrprefix is specified, + * then check if the ipaddr/cidrprefix subnet overlaps the subnet of any other configured IP address * RESULT - * returns true if the IP Address is - * configured and present on this device. + * returns true if the IP Address is configured and present on this device or overlaps a configured subnet. */ -function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, $check_subnets = false) { +function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, $check_subnets = false, $cidrprefix = "") { + if (count(where_is_ipaddr_configured($ipaddr, $ignore_if, $check_localip, $check_subnets, $cidrprefix))) { + return true; + } + return false; +} + +/****f* pfsense-utils/where_is_ipaddr_configured + * NAME + * where_is_ipaddr_configured + * INPUTS + * IP Address to check. + * If ignore_if is a VIP (not carp), vip array index is passed after string _virtualip + * check_localip - if true then also check for matches with PPTP and LT2P addresses + * check_subnets - if true then check if the given ipaddr is contained anywhere in the subnet of any other configured IP address + * cidrprefix - the CIDR prefix (16, 20, 24, 64...) of ipaddr. + * If check_subnets is true and cidrprefix is specified, + * then check if the ipaddr/cidrprefix subnet overlaps the subnet of any other configured IP address + * RESULT + * Returns an array of the interfaces 'if' plus IP address or subnet 'ip_or_subnet' that match or overlap the IP address to check. + * If there are no matches then an empty array is returned. +*/ +function where_is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, $check_subnets = false, $cidrprefix = "") { global $config; + $where_configured = array(); + $pos = strpos($ignore_if, '_virtualip'); if ($pos !== false) { $ignore_vip_id = substr($ignore_if, $pos+10); @@ -2738,26 +2766,44 @@ function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, $isipv6 = is_ipaddrv6($ipaddr); if ($check_subnets) { + $cidrprefix = intval($cidrprefix); + if ($isipv6) { + if (($cidrprefix < 1) || ($cidrprefix > 128)) { + $cidrprefix = 128; + } + } else { + if (($cidrprefix < 1) || ($cidrprefix > 32)) { + $cidrprefix = 32; + } + } $iflist = get_configured_interface_list(); foreach ($iflist as $if => $ifname) { if ($ignore_if == $if) { continue; } - if ($isipv6 === true) { - $bitmask = get_interface_subnetv6($if); - $subnet = gen_subnetv6(get_interface_ipv6($if), $bitmask); + if ($isipv6) { + $if_ipv6 = get_interface_ipv6($if); + $if_snbitsv6 = get_interface_subnetv6($if); + if ($if_ipv6 && $if_snbitsv6 && check_subnetsv6_overlap($ipaddr, $cidrprefix, $if_ipv6, $if_snbitsv6)) { + $where_entry = array(); + $where_entry['if'] = $if; + $where_entry['ip_or_subnet'] = get_interface_ipv6($if) . "/" . get_interface_subnetv6($if); + $where_configured[] = $where_entry; + } } else { - $bitmask = get_interface_subnet($if); - $subnet = gen_subnet(get_interface_ip($if), $bitmask); - } - - if (ip_in_subnet($ipaddr, $subnet . '/' . $bitmask)) { - return true; + $if_ipv4 = get_interface_ip($if); + $if_snbitsv4 = get_interface_subnet($if); + if ($if_ipv4 && $if_snbitsv4 && check_subnets_overlap($ipaddr, $cidrprefix, $if_ipv4, $if_snbitsv4)) { + $where_entry = array(); + $where_entry['if'] = $if; + $where_entry['ip_or_subnet'] = get_interface_ip($if) . "/" . get_interface_subnet($if); + $where_configured[] = $where_entry; + } } } } else { - if ($isipv6 === true) { + if ($isipv6) { $interface_list_ips = get_configured_ipv6_addresses(); } else { $interface_list_ips = get_configured_ip_addresses(); @@ -2768,7 +2814,10 @@ function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, continue; } if (strcasecmp($ipaddr, $ilips) == 0) { - return true; + $where_entry = array(); + $where_entry['if'] = $if; + $where_entry['ip_or_subnet'] = $ilips; + $where_configured[] = $where_entry; } } } @@ -2780,21 +2829,30 @@ function is_ipaddr_configured($ipaddr, $ignore_if = "", $check_localip = false, continue; } if (strcasecmp($ipaddr, $vip['ipaddr']) == 0) { - return true; + $where_entry = array(); + $where_entry['if'] = $vip['if']; + $where_entry['ip_or_subnet'] = $vip['ipaddr']; + $where_configured[] = $where_entry; } } if ($check_localip) { if (is_array($config['pptpd']) && !empty($config['pptpd']['localip']) && (strcasecmp($ipaddr, $config['pptpd']['localip']) == 0)) { - return true; + $where_entry = array(); + $where_entry['if'] = 'pptp'; + $where_entry['ip_or_subnet'] = $config['pptpd']['localip']; + $where_configured[] = $where_entry; } if (!is_array($config['l2tp']) && !empty($config['l2tp']['localip']) && (strcasecmp($ipaddr, $config['l2tp']['localip']) == 0)) { - return true; + $where_entry = array(); + $where_entry['if'] = 'l2tp'; + $where_entry['ip_or_subnet'] = $config['l2tp']['localip']; + $where_configured[] = $where_entry; } } - return false; + return $where_configured; } /****f* pfsense-utils/pfSense_handle_custom_code diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php index 62cf658..89cff44 100644 --- a/usr/local/www/interfaces.php +++ b/usr/local/www/interfaces.php @@ -636,8 +636,14 @@ if ($_POST['apply']) { if (!is_ipaddrv4($_POST['ipaddr'])) $input_errors[] = gettext("A valid IPv4 address must be specified."); else { - if (is_ipaddr_configured($_POST['ipaddr'], $if, true)) - $input_errors[] = gettext("This IPv4 address is being used by another interface or VIP."); + $where_ipaddr_configured = where_is_ipaddr_configured($_POST['ipaddr'], $if, true, true, $_POST['subnet']); + if (count($where_ipaddr_configured)) { + $subnet_conflict_text = sprintf(gettext("IPv4 address %s is being used by or overlaps with:"), $_POST['ipaddr'] . "/" . $_POST['subnet']); + foreach ($where_ipaddr_configured as $subnet_conflict) { + $subnet_conflict_text .= " " . convert_friendly_interface_to_friendly_descr($subnet_conflict['if']) . " (" . $subnet_conflict['ip_or_subnet'] . ")"; + } + $input_errors[] = $subnet_conflict_text; + } /* Do not accept network or broadcast address, except if subnet is 31 or 32 */ if ($_POST['subnet'] < 31) { @@ -661,8 +667,14 @@ if ($_POST['apply']) { if (!is_ipaddrv6($_POST['ipaddrv6'])) $input_errors[] = gettext("A valid IPv6 address must be specified."); else { - if (is_ipaddr_configured($_POST['ipaddrv6'], $if, true)) - $input_errors[] = gettext("This IPv6 address is being used by another interface or VIP."); + $where_ipaddr_configured = where_is_ipaddr_configured($_POST['ipaddrv6'], $if, true, true, $_POST['subnetv6']); + if (count($where_ipaddr_configured)) { + $subnet_conflict_text = sprintf(gettext("IPv6 address %s is being used by or overlaps with:"), $_POST['ipaddrv6'] . "/" . $_POST['subnetv6']); + foreach ($where_ipaddr_configured as $subnet_conflict) { + $subnet_conflict_text .= " " . convert_friendly_interface_to_friendly_descr($subnet_conflict['if']) . " (" . $subnet_conflict['ip_or_subnet'] . ")"; + } + $input_errors[] = $subnet_conflict_text; + } foreach ($staticroutes as $route_subnet) { list($network, $subnet) = explode("/", $route_subnet); |