From 83b8554f2dccff4eddf046358ddcaa977b190ed1 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 25 Apr 2006 20:48:41 +0000
Subject: MFC 11967 Do not allow user to shoot themselves in the foot (and the kernel, apparently) by adding a CARP ip to the system if a real ip on a real interface doesnt exist to match.

Tickets:
---
 usr/local/www/firewall_virtual_ip_edit.php | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/usr/local/www/firewall_virtual_ip_edit.php b/usr/local/www/firewall_virtual_ip_edit.php
index ef69d52..38df821 100755
--- a/usr/local/www/firewall_virtual_ip_edit.php
+++ b/usr/local/www/firewall_virtual_ip_edit.php
@@ -49,6 +49,11 @@ if (isset($_POST['id']))
 else
 $id = $_GET['id'];

+function return_first_three_octets($ip) {
+ $ip_split = split("\.", $ip);
+ return $ip_split[0] . "." . $ip_split[1] . "." . $ip_split[2];
+}
+
 if (isset($id) && $a_vip[$id]) {
 $pconfig['mode'] = $a_vip[$id]['mode'];
 $pconfig['vhid'] = $a_vip[$id]['vhid'];
@@ -103,6 +108,31 @@ if ($_POST) {
 }
 }

+ /* make sure new ip is within the subnet of a valid ip
+ * on one of our interfaces (wan, lan optX)
+ */
+ if ($_POST['mode'] === "carp") {
+ $can_post = true;
+ $found = false;
+ $subnet_ip = return_first_three_octets($_POST['subnet']);
+ $iflist = array("lan", "wan");
+ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++)
+ $iflist['opt' . $i] = 'opt' . $i;
+ foreach($iflist as $if) {
+ $ww_subnet_ip = return_first_three_octets($config['interfaces'][$if]['ipaddr']);
+ if($ww_subnet_ip == $subnet_ip) {
+ $found = true;
+ break;
+ }
+ }
+ if($found == false) {
+ $cannot_find = $_POST['subnet'];
+ $can_post = false;
+ }
+ if($can_post == false)
+ $input_error[] = "Sorry, we could not locate an interface with a matching subnet for {$cannot_find}.
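Review bot: `return_first_three_octets` compares only the first three octets, so the "within the subnet" test it backs in the second hunk is really a /24 test: a VIP inside a /16 or /22 interface network whose third octet differs is rejected, while a VIP outside a /25 or smaller network that happens to share three octets is accepted — the exact case the commit is trying to keep away from the kernel. The helper also indexes `$ip_split[1]` and `$ip_split[2]` without checking that `split()` produced four parts, so any `ipaddr` that is not a dotted quad (as a dynamically configured interface presumably stores) raises undefined-offset notices and returns a garbage string that can never match. A mask-based comparison keyed on the interface's configured prefix length (not visible in this hunk) would express the intent; a sketch follows, IPv4 only and safe on 32-bit PHP where `0xFFFFFFFF` is a float.
```php
/* true when IPv4 $ip falls inside $net/$bits; false on any malformed input */
function ip_in_subnet($ip, $net, $bits) {
	$a = ip2long($ip);
	$b = ip2long($net);
	if ($a === false || $b === false || $bits < 0 || $bits > 32)
		return false;
	/* -1 << n stays an int on 32-bit PHP; 0xFFFFFFFF would not */
	$mask = ($bits == 0) ? 0 : (-1 << (32 - $bits));
	return (($a ^ $b) & $mask) == 0;
}
```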

Please add an ip in this subnet on a real interface."; + } + if (!$input_errors) { $vipent = array(); -- cgit v1.1
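Review bot: The new CARP check never blocks the save: its failure message is appended to `$input_error`, but the gate on the context line that follows tests `$input_errors`, so the array this code fills is never consulted and the save proceeds exactly as it did before the patch. The fix is the one-character rename `$input_errors[] = "Sorry, we could not locate an interface with a matching subnet for {$cannot_find}. ...";`. `$can_post` and `$cannot_find` merely shadow `$found` and `$_POST['subnet']`; `if (!$found) $input_errors[] = ...` says the same thing in one line. The message also interpolates the raw `$_POST['subnet']`, which by construction has just failed validation; unless the error renderer escapes it (not visible here), pass it through `htmlspecialchars()` before it reaches the page. The enclosing `if ($_POST)` block begins outside this hunk.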