From 776b6190d2f98825e93ddc320c3e99f24ce5b08f Mon Sep 17 00:00:00 2001
From: Chris Buechler
Date: Mon, 25 Apr 2016 23:00:48 -0500
Subject: Add validation to prohibit IPv6 on firewall_nat_edit.php, where it will generate invalid ruleset. Ticket #6265
---
 src/usr/local/www/firewall_nat_edit.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'src/usr/local/www/firewall_nat_edit.php')
diff --git a/src/usr/local/www/firewall_nat_edit.php b/src/usr/local/www/firewall_nat_edit.php
index 3a77963..e36e33b 100644
--- a/src/usr/local/www/firewall_nat_edit.php
+++ b/src/usr/local/www/firewall_nat_edit.php
@@ -289,6 +289,10 @@ if ($_POST) {
 $input_errors[] = sprintf(gettext("\"%s\" is not a valid redirect target IP address or host alias."), $_POST['localip']);
 }
+ if ($_POST['localip'] && is_ipaddrv6($_POST['localip'])) {
+ $input_errors[] = sprintf(gettext("Redirect target IP must be IPv4."));
+ }
+
 if ($_POST['srcbeginport'] && !is_portoralias($_POST['srcbeginport'])) {
 $input_errors[] = sprintf(gettext("%s is not a valid start source port. It must be a port alias or integer between 1 and 65535."), $_POST['srcbeginport']);
 }
@@ -316,6 +320,9 @@ if ($_POST) {
 if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) {
 $input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."), $_POST['src']);
 }
+ if ($_POST['src'] && is_ipaddrv6($_POST['src'])) {
+ $input_errors[] = sprintf(gettext("Source must be IPv4."));
+ }
 if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
 $input_errors[] = gettext("A valid source bit count must be specified.");
 }
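Review bot: The new `is_ipaddrv6($_POST['localip'])` test only rejects a literal IPv6 address, while the check just above it also accepts a host alias, so an alias whose entries include IPv6 addresses would presumably still pass validation and reach the generated ruleset. The same gap applies to the `src` and `dst` checks added in the `-316` and `-325` hunks, which sit behind `is_ipaddroralias()`. If aliases can hold IPv6 entries here, the validation should resolve an alias and reject it when any member is IPv6. Separately, all three new messages wrap a string with no placeholders in `sprintf()`; `$input_errors[] = gettext("Redirect target IP must be IPv4.");` is enough and avoids a format error if a translation ever contains `%`. The enclosing `if ($_POST)` block starts and ends outside these hunks.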
@@ -325,6 +332,9 @@ if ($_POST) {
 if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) {
 $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $_POST['dst']);
 }
+ if ($_POST['dst'] && is_ipaddrv6($_POST['dst'])) {
+ $input_errors[] = sprintf(gettext("Destination must be IPv4."));
+ }
 if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
 $input_errors[] = gettext("A valid destination bit count must be specified.");
 }
@@ -597,6 +607,9 @@ function build_dsttype_list() {
 if (is_array($config['virtualip']['vip'])) {
 foreach ($config['virtualip']['vip'] as $sn) {
+ if (is_ipaddrv6($sn['subnet'])) {
+ continue;
+ }
 if ($sn['mode'] == "proxyarp" && $sn['type'] == "network") {
 if (isset($sn['noexpand'])) {
 continue;
--
cgit v1.1
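Review bot: The added `continue` in `build_dsttype_list()` has no comment saying why IPv6 virtual IPs are left out of the destination list; I would add `// Port forwards on this page are IPv4-only, so IPv6 VIPs are not offered (ticket #6265)` above the `if`. Filtering the list only changes what the form offers, so the server-side `dst` check in the `-325` hunk remains the actual enforcement, and it would be worth confirming that a posted virtual-IP destination goes through that check as well. The function and the `foreach` body continue outside the hunk.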