From 6b23c19a15eb621208fa6d6fc5a8b97c3dd6ff97 Mon Sep 17 00:00:00 2001
From: Renato Botelho
Date: Fri, 1 Mar 2013 10:44:01 -0300
Subject: Don't allow adding IP Alias or CARP VIP on network or broadcast addresses. Fixes #2768
---
 usr/local/www/firewall_virtual_ip_edit.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'usr/local')
diff --git a/usr/local/www/firewall_virtual_ip_edit.php b/usr/local/www/firewall_virtual_ip_edit.php
index a018ddf..4213380 100755
--- a/usr/local/www/firewall_virtual_ip_edit.php
+++ b/usr/local/www/firewall_virtual_ip_edit.php
@@ -132,6 +132,22 @@ if ($_POST) {
 $input_errors[] = gettext("The /127 and /128 subnet mask are invalid for CARP IPs.");
 }
+ /* ipalias and carp should not use network or broadcast address */
+ if ($_POST['mode'] == "ipalias" || $_POST['mode'] == "carp") {
+ if (is_ipaddrv4($_POST['subnet']) && $_POST['subnet_bits'] != "32") {
+ $network_addr = gen_subnet($_POST['subnet'], $_POST['subnet_bits']);
+ $broadcast_addr = gen_subnet_max($_POST['subnet'], $_POST['subnet_bits']);
+ } else if (is_ipaddrv6($_POST['subnet']) && $_POST['subnet_bits'] != "128" ) {
+ $network_addr = gen_subnetv6($_POST['subnet'], $_POST['subnet_bits']);
+ $broadcast_addr = gen_subnetv6_max($_POST['subnet'], $_POST['subnet_bits']);
+ }
+
+ if (isset($network_addr) && $_POST['subnet'] == $network_addr)
+ $input_errors[] = gettext("You cannot use the network address for this VIP");
+ else if (isset($broadcast_addr) && $_POST['subnet'] == $broadcast_addr)
+ $input_errors[] = gettext("You cannot use the broadcast address for this VIP");
+ }
+
 /* make sure new ip is within the subnet of a valid ip * on one of our interfaces (wan, lan optX) */
-- cgit v1.1
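Review bot: The two checks at the end of the added block compare `$_POST['subnet']` to the computed address as text with `==`, so the guard fires only when the submitted string matches the helper's output character for character; an IPv6 address submitted in an equivalent but differently written form (expanded zero groups, upper-case hex) would presumably pass, depending on what `gen_subnetv6()` returns, which is not visible here. Comparing the packed forms removes that dependence: `if (isset($network_addr) && inet_pton($_POST['subnet']) === inet_pton($network_addr))`, and the same for `$broadcast_addr`. Separately, only /32 and /128 are exempted, so both addresses of an IPv4 /31 appear to be rejected, and the IPv6 branch reports a "broadcast address" although IPv6 defines none. The enclosing `if ($_POST) {` block starts and continues outside the hunk, so whether `subnet_bits` is validated before it reaches `gen_subnet()` cannot be confirmed from here.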