From 3629f376c26bbc22b94fbd5e9bbe789d08e2caa6 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Wed, 14 Sep 2022 15:11:01 +0000
Subject: openvpn: T4679: Fix incorrect verify local and remote address In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists For example: set interfaces openvpn vtun2 local-address 2001:db8::1 set interfaces openvpn vtun2 remote-address 2001:db8::2 Check in the commit (v4loAddr == v4remAddr) <= both empty lists commit DEBUG: [] == [] or ['2001:db8::2'] == [] So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
---
 src/conf_mode/interfaces-openvpn.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 7d20b3fd0..fe5898282 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -43,6 +43,7 @@ from vyos.util import chown
 from vyos.util import chmod_600
 from vyos.util import cmd
 from vyos.util import dict_search
+from vyos.util import is_list_equal
 from vyos.util import makedir
 from vyos.validate import is_addr_assigned
@@ -159,7 +160,7 @@ def verify(openvpn):
 elif v6remAddr and not v6loAddr:
 raise ConfigError('IPv6 "remote-address" requires IPv6 "local-address"')
- if (v4loAddr == v4remAddr) or (v6remAddr == v4remAddr):
+ if is_list_equal(v4loAddr, v4remAddr) or is_list_equal(v6loAddr, v6remAddr):
 raise ConfigError('"local-address" and "remote-address" cannot be the same')
 if dict_search('local_host', openvpn) in dict_search('local_address', openvpn):
-- cgit v1.2.3
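Review bot: The new `if is_list_equal(v4loAddr, v4remAddr) or is_list_equal(v6loAddr, v6remAddr):` line only fixes the IPv6-only case if `is_list_equal` returns False for two empty lists, which the name does not suggest and this patch does not show (the helper is only imported from `vyos.util`). A comment above the check would stop a later reader from simplifying it back to `==`, for example `# is_list_equal() is expected to be False for two empty lists, so a peer pair configured for only one address family passes`. Separately, if these lists hold the addresses as configured strings, a compressed and an expanded spelling of the same IPv6 address would compare unequal and pass this guard; whether values are normalised before `verify()` runs is not visible here. `verify()` starts and ends outside the hunk.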