From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alexander Marx To: development@lists.ipfire.org Subject: [PATCH] BUG11278: It is not possible to create subnets of internal networks in firewallgroups Date: Wed, 07 Jun 2017 15:13:56 +0200 Message-ID: <1496841236-15315-1-git-send-email-alexander.marx@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5901571549307705704==" List-Id: --===============5901571549307705704== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Fixes: #11278 When creating networks which are part of an internal network, there was an er= rormessage displayed and the creation was prohibited. Now it is possible to create such subnets. This is used at own risk! Users ha= ve to take care of the firewallrule sequence. It is possible to create situations that are not wanted. Signed-off-by: Alexander Marx
---
 config/cfgroot/general-functions.pl | 24 ++++++++++++++++++++++-- html/cgi-bin/fwhosts.cgi | 2 +- 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-fun= ctions.pl
index 5e5417d..f448c34 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -465,6 +465,7 @@ sub checksubnets
 my $ccdname=3D$_[0];
 my $ccdnet=3D$_[1];
 my $ownnet=3D$_[2];
+ my $checktype=3D$_[3];
 my $errormessage;
 my ($ip,$cidr)=3Dsplit(/\//,$ccdnet);
 $cidr=3D&iporsubtocidr($cidr);
@@ -542,10 +543,15 @@ sub checksubnets
 }
 =09
 #call check_net_internal
- &General::check_net_internal($ccdnet);
+ if ($checktype eq "exact")
+ {
+ &General::check_net_internal_exact($ccdnet);
+ }else{
+ &General::check_net_internal_range($ccdnet);
+ }
 }
 =20
-sub check_net_internal{
+sub check_net_internal_range{
 my $network=3Dshift;
 my ($ip,$cidr)=3Dsplit(/\//,$network);
 my %ownnet=3D();
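Review bot: `my $checktype=3D$_[3];` in the first hunk has no default, so every caller that still passes three arguments (fwhosts.cgi did so before this patch, and any other caller of checksubnets is untouched) leaves `$checktype` undef, and the `$checktype eq "exact"` test in the second hunk then raises an uninitialized-value warning if warnings are enabled in this file, which I cannot see from here. Defaulting the mode keeps the stricter range check for everyone who does not explicitly ask for "exact": `my $checktype=$_[3] // "";` (or `$_[3] || "";` if this Perl predates 5.10). checksubnets's body continues outside this hunk.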
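Review bot: In the second hunk the result of `&General::check_net_internal_exact($ccdnet);` and of `&General::check_net_internal_range($ccdnet);` is neither assigned nor returned, so checksubnets now relies on Perl's implicit return of the last expression evaluated inside the if/else, while fwhosts.cgi concatenates that result into `$errormessage`; make the contract explicit with `return &General::check_net_internal_exact($ccdnet);` and `return &General::check_net_internal_range($ccdnet);`. The comment `#call check_net_internal` now names a sub that no longer exists; `#reject nets clashing with an IPFire zone: "exact" rejects only an identical net, any other mode rejects a net whose address lies inside a zone` would say why there are two variants. checksubnets starts outside this hunk.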
@@ -559,6 +565,20 @@ sub check_net_internal{
 if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0= .0.0.0') && &IpInSubnet($ip,$ownnet{'RED_NETADDRESS'},&iporsubtodec($ownnet{'= RED_NETMASK'}))){ $errormessage=3D$Lang::tr{'ccd err red'};return $errormessa= ge;}
 }
 =20
+sub check_net_internal_exact{
+ my $network=3Dshift;
+ my ($ip,$cidr)=3Dsplit(/\//,$network);
+ my %ownnet=3D();
+ my $errormessage;
+ $cidr=3D&iporsubtocidr($cidr);
+ #check if we use one of ipfire's networks (green,orange,blue)
+ &readhash("${General::swroot}/ethernet/settings", \%ownnet);
+ if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne= '0.0.0.0') && &Network::network_equal("$ownnet{'GREEN_NETADDRESS'}/$ownnet{'= GREEN_NETMASK'}", $network)){ $errormessage=3D$Lang::tr{'ccd err green'};retu= rn $errormessage;}
+ if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne= '0.0.0.0') && &Network::network_equal("$ownnet{'ORANGE_NETADDRESS'}/$ownnet{= 'ORANGE_NETMASK'}", $network)){ $errormessage=3D$Lang::tr{'ccd err orange'};r= eturn $errormessage;}
+ if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0= .0.0.0') && &Network::network_equal("$ownnet{'BLUE_NETADDRESS'}/$ownnet{'BLUE= _NETMASK'}", $network)){ $errormessage=3D$Lang::tr{'ccd err blue'};return $er= rormessage;}
+ if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0= .0.0.0') && &Network::network_equal("$ownnet{'RED_NETADDRESS'}/$ownnet{'RED_N= ETMASK'}", $network)){ $errormessage=3D$Lang::tr{'ccd err red'};return $error= message;}
+}
+
 sub validport
 {
 $_ =3D $_[0];
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 1b0fe07..25ab489 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
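Review bot: check_net_internal_exact computes `$ip` and `$cidr` (and normalises `$cidr` via iporsubtocidr) but never uses them, and the four zone conditions differ only in the zone name, so the sub is one line copied four times plus dead code; either drop the two variables or, if `Network::network_equal` expects CIDR notation, compare `"$ip/$cidr"` rather than the raw `$network` (I cannot see network_equal from here). The relaxation this sub implements, rejecting only a net identical to GREEN/ORANGE/BLUE/RED while accepting sub- and supernets of a zone, is the whole point of the patch but nothing in the code says so; a loop over the zones with a comment stating that intent keeps the same `$Lang::tr{'ccd err …'}` messages. The original falls off the end with whatever the last condition evaluated to, so the rewrite returns `''` explicitly for the no-clash case, which is what the caller's string concatenation expects.
```perl
sub check_net_internal_exact{
	my $network=shift;
	my %ownnet=();
	# Only a net identical to one of IPFire's own zones is rejected here;
	# sub- and supernets of a zone are accepted on purpose (#11278) and the
	# admin is responsible for the rule order. check_net_internal_range is
	# the stricter variant.
	&readhash("${General::swroot}/ethernet/settings", \%ownnet);
	for my $zone (qw(GREEN ORANGE BLUE RED)) {
		my $addr = $ownnet{"${zone}_NETADDRESS"};
		my $mask = $ownnet{"${zone}_NETMASK"};
		next if (!defined $addr || $addr eq '' || $addr eq '0.0.0.0');
		if (&Network::network_equal("$addr/$mask", $network)) {
			return $Lang::tr{'ccd err ' . lc $zone};
		}
	}
	return '';
}
```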
@@ -301,7 +301,7 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' )
 }
 if($fwhostsettings{'error'} ne 'on'){
 my $fullip=3D"$fwhostsettings{'IP'}/".&General::iporsubtocidr($fwhostset= tings{'SUBNET'});
- $errormessage=3D$errormessage.&General::checksubnets($fwhostsettings{'HO= STNAME'},$fullip,"");
+ $errormessage=3D$errormessage.&General::checksubnets($fwhostsettings{'HO= STNAME'},$fullip,"","exact");
 }
 #only check plausi when no error till now
 if (!$errormessage){
--=20
2.7.4
--===============5901571549307705704==--
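Review bot: The literal `"exact"` is the only thing at this call site that records that a firewall-group network may now lie inside a GREEN/BLUE/ORANGE/RED zone, and a reader of fwhosts.cgi cannot tell that from the call alone. A comment on the line before it, `# "exact": only a net identical to an IPFire zone is rejected; subnets of a zone are allowed on purpose (#11278)`, states the decision where it is made. A misspelt mode string would silently fall back to the stricter range check in checksubnets, which is the safe direction, but worth knowing when the string is copied elsewhere. The enclosing `if ($fwhostsettings{'ACTION'} eq 'savenet' )` block starts and ends outside this hunk.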