From 586f847fd9c6fb94fd794029e90351b4ff6f7e05 Mon Sep 17 00:00:00 2001
From: Stig Thormodsrud
Date: Tue, 10 Feb 2009 16:30:32 -0800
Subject: Add more validation of firewall network-group before calling ipset.
---
 lib/Vyatta/IpTables/IpSet.pm | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'lib/Vyatta/IpTables')
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index 80e20bb..f6452d9 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -165,12 +165,11 @@ sub check_member {
 return "Error: [$member] isn't valid IPv4 network\n";
 }
 if ($member =~ /([\d.]+)\/(\d+)/) {
- my $net = $1;
- my $cidr = $2;
+ my ($net, $mask) = ($1, $2);
 return "Error: zero net invalid in network-group\n"
 if $net eq '0.0.0.0';
- return "Error: zero cidr invalid in network-group\n"
- if $cidr eq '0';
+ return "Error: invalid mask [$mask] - must be between 1-31\n"
+ if $mask < 1 or $mask > 31;
 } else {
 return "Error: Invalid network group [$member]\n";
 }
-- cgit v1.2.3
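Review bot: The pattern that feeds the new range check, `if ($member =~ /([\d.]+)\/(\d+)/) {`, is unanchored, so `$mask` is only the first run of digits after the slash and any text before the address or after the prefix length is never examined by this branch. Since the commit subject says this validation runs before ipset is called, the match should cover the whole value, e.g. `if ($member =~ m{\A([\d.]+)/(\d+)\z}) {`. The earlier check that returns "isn't valid IPv4 network" may already reject such input, but its condition lies above the hunk and cannot be confirmed from here. Separately, `$net eq '0.0.0.0'` is a string comparison, so a zero network written in any other form would not be caught by it. check_member starts before this hunk and continues after it.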