From ccf5e0f14ee6175e957a408c10e8218dec71d9a5 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 30 May 2006 22:22:29 +0000
Subject: Tighten validation code. Only allow a CARP ip to be added if its subnet matches the subnet mask of the real interface.
---
 usr/local/www/firewall_virtual_ip_edit.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'usr/local/www/firewall_virtual_ip_edit.php')
diff --git a/usr/local/www/firewall_virtual_ip_edit.php b/usr/local/www/firewall_virtual_ip_edit.php
index a1ee0c9..e77d3f5 100755
--- a/usr/local/www/firewall_virtual_ip_edit.php
+++ b/usr/local/www/firewall_virtual_ip_edit.php
@@ -77,9 +77,8 @@ if ($_POST) {
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- if (($_POST['subnet'] && !is_ipaddr($_POST['subnet']))) {
+ if (($_POST['subnet'] && !is_ipaddr($_POST['subnet'])))
 $input_errors[] = "A valid IP address must be specified.";
- }
 if ($_POST['ipaddr'] == $config['interfaces']['wan']['ipaddr'])
 $input_errors[] = "The WAN IP address may not be used in a virtual entry.";
@@ -87,6 +86,9 @@ if ($_POST) {
 if ($_POST['ipaddr'] == $config['interfaces']['lan']['ipaddr'])
 $input_errors[] = "The LAN IP address may not be used in a virtual entry.";
+ if($_POST['subnet_bits'] == "32" and $_POST['type'] == "carp")
+ $input_errors[] = "The /32 subnet mask is invalid for CARP IP's.";
+ /* check for overlaps with other virtual IP */
 foreach ($a_vip as $vipent) {
 if (isset($id) && ($a_vip[$id]) && ($a_vip[$id] === $vipent))
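Review bot: The CARP check added in the second hunk (`@@ -87,6 +86,9 @@`) rejects only the value "32", and nothing visible in this patch shows `subnet_bits` being validated as a whole number between 1 and 32, so "0", "33" or non-numeric text would pass it and reach the interface comparison and the `$cannot_find` string in the third hunk. Because `==` compares numeric strings by value, the test is also looser than it reads. I would add an explicit range check next to it, for example `if (!preg_match('/^[0-9]{1,2}\z/', $_POST['subnet_bits']) || $_POST['subnet_bits'] < 1 || $_POST['subnet_bits'] > 32) $input_errors[] = "A valid subnet bit count must be specified.";`, unless `do_input_validation()` already enforces this, which cannot be seen from here. The enclosing `if ($_POST)` block starts and ends outside the hunk.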
@@ -120,13 +122,14 @@ if ($_POST) {
 $iflist['opt' . $i] = 'opt' . $i;
 foreach($iflist as $if) {
 $ww_subnet_ip = return_first_two_octets($config['interfaces'][$if]['ipaddr']);
- if($ww_subnet_ip == $subnet_ip) {
+ $ww_subnet_bits = return_first_two_octets($config['interfaces'][$if]['subnet']);
+ if($ww_subnet_ip == $subnet_ip and $ww_subnet_bits == $_POST['subnet_bits']) {
 $found = true;
 break;
 }
 }
 if($found == false) {
- $cannot_find = $_POST['subnet'];
+ $cannot_find = $_POST['subnet'] . "/" . $_POST['subnet_bits'] ;
 $can_post = false;
 }
 if($can_post == false)
--
cgit v1.1
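Review bot: `$ww_subnet_bits` is produced by passing the interface's `subnet` value through `return_first_two_octets()`, a helper whose name suggests it is meant for dotted addresses; its definition is outside this patch, so whether it returns a bit count unchanged is unknown, and the match then rests on a loose `==` against raw POST data. Reading the value directly, `$ww_subnet_bits = $config['interfaces'][$if]['subnet'];`, and comparing it with `(int)$_POST['subnet_bits']` would be safer. The network test itself still compares only the first two octets (assuming `$subnet_ip`, set outside the hunk, is derived the same way), so with equal mask widths an address in a different /24 under the same /16 would be accepted, which is weaker than the commit message states; masking both addresses with the prefix length, for instance via `ip2long()`, would enforce the stated rule. `$cannot_find` now carries the unvalidated `subnet_bits` field, so wherever it is printed (outside the hunk) it should pass through `htmlspecialchars()`.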