author | Ermal <eri@pfsense.org> | 2014-08-18 10:25:45 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2014-08-18 10:25:45 +0000 |
commit | ae170e96dfcfd4d1baa17166e52ff796886a7cf4 (patch) | |
tree | c9aefef6a286d051c902ee009fc522a6743a5587 /etc | |
parent | 5d37d51581119ebe6eaf0edc04a62296164e133e (diff) | |
download | pfsense-ae170e96dfcfd4d1baa17166e52ff796886a7cf4.zip pfsense-ae170e96dfcfd4d1baa17166e52ff796886a7cf4.tar.gz |
Do not allow duplicate subnet entries in the left|rightsubnet specification, since a duplicate will blackhole all traffic to that subnet when the connection is set up as a route
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/vpn.inc | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 0b58516..0b03354 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -660,12 +660,16 @@ EOD;
 }
 }
- $leftsubnet_spec[] = $leftsubnet_data;
+ if (empty($leftsubnet_spec[$leftsubnet_data]))
+ $leftsubnet_spec[$leftsubnet_data] = $leftsubnet_data;
 if (!isset($ph2ent['mobile'])) {
- $rightsubnet_spec[] = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
+ $tmpsubnet = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
+ if (empty($rightsubnet_spec[$tmpsubnet]))
+ $rightsubnet_spec[$tmpsubnet] = $tmpsubnet;
 } else if (!empty($a_client['pool_address'])) {
- $rightsubnet_spec[] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
+ if (empty($rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"]))
+ $rightsubnet_spec["{$a_client['pool_address']}/{$a_client['pool_netbits']}"] = "{$a_client['pool_address']}/{$a_client['pool_netbits']}";
 }
 } else {
 $tunneltype = "type = transport";
@@ -674,11 +678,15 @@ EOD;
 ($ph1ent['authentication_method'] == "pre_shared_key")) && isset($ph1ent['mobile'])) {
 $left_spec = "%any";
 } else {
- $leftsubnet_spec[] = ipsec_get_phase1_src($ph1ent);
+ $tmpsubnet = ipsec_get_phase1_src($ph1ent);
+ if ($leftsubnet_spec[$tmpsubnet])
+ $leftsubnet_spec[$tmpsubnet] = $tmpsubnet;
 }
- if (!isset($ph2ent['mobile']))
- $rightsubnet_spec[] = $right_spec;
+ if (!isset($ph2ent['mobile'])) {
+ if (empty($rightsubnet_spec[$right_spec]))
+ $rightsubnet_spec[$right_spec] = $right_spec;
+ }
 }
 if (isset($a_client['pfs_group']))
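Review bot: In the `else if (!empty($a_client['pool_address']))` branch of the first hunk the pool subnet string `"{$a_client['pool_address']}/{$a_client['pool_netbits']}"` is spelled out three times, while the two sibling insertion sites compute the subnet once into `$tmpsubnet`; doing the same here, `$tmpsubnet = "{$a_client['pool_address']}/{$a_client['pool_netbits']}"; if (empty($rightsubnet_spec[$tmpsubnet])) $rightsubnet_spec[$tmpsubnet] = $tmpsubnet;`, keeps the three dedup sites uniform and harder to get out of step. Switching `$leftsubnet_spec`/`$rightsubnet_spec` from list arrays to string-keyed maps also means every later consumer must iterate values rather than rely on sequential integer keys; that is presumably the case, but it is decided outside this hunk and worth confirming. The enclosing function starts and ends outside the hunk.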
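Review bot: The left-subnet guard added in the transport branch of the second hunk is inverted: `if ($leftsubnet_spec[$tmpsubnet])` only assigns when the key is already present and truthy, so a subnet seen for the first time is never added to `$leftsubnet_spec` (and reading the missing index raises a notice), which is the opposite of the `empty()` test used for `$rightsubnet_spec` a few lines below and at the three sites in the first hunk. It should read `if (empty($leftsubnet_spec[$tmpsubnet]))`. Since the values now mirror their keys and are non-empty CIDR strings, `isset()` would express the intent slightly more precisely than `empty()` at all of these sites, though the two agree here. The enclosing function starts and ends outside the hunk.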