diff options
author | Alex Harpin <development@landsofshadow.co.uk> | 2015-06-22 08:03:30 +0100 |
---|---|---|
committer | Alex Harpin <development@landsofshadow.co.uk> | 2015-06-22 20:42:30 +0100 |
commit | 831e28ad6ea858dd434ca95bcf8bc6a76476b880 (patch) | |
tree | 231ffeb191cd088c99cb0004599f82515de49dbc | |
parent | 64fb9c14f25580ee6412643566c90879cd247ff1 (diff) | |
download | vyatta-cfg-vpn-831e28ad6ea858dd434ca95bcf8bc6a76476b880.tar.gz vyatta-cfg-vpn-831e28ad6ea858dd434ca95bcf8bc6a76476b880.zip |
vyatta-cfg-vpn: validate peer address for vti based vpn connections
Validate the peer address used for VTI based VPN connections to ensure
only either an IPv4 or IPv6 address is used. Currently VTIs can only
accept these for peer addresses, other values will fail with extraneous
error messages, trap these earlier in the configuation commit process
for now.
Bug #359 http://bugzilla.vyos.net/show_bug.cgi?id=359
-rwxr-xr-x | scripts/vpn-config.pl | 2 | ||||
-rwxr-xr-x | scripts/vyatta-vti-config.pl | 6 |
2 files changed, 7 insertions, 1 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 60b1f55..7d0289c 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -574,7 +574,7 @@ if ($vcVPN->exists('ipsec')) { or $any_peer == 1) { if ($isVti) { - vpn_die(["vpn","ipsec","site-to-site","peer",$peer],"$vpn_cfg_err The \"$peer\" is invalid ". "ip address must be specified for $tunKeyword.\n"); + vpn_die(["vpn","ipsec","site-to-site","peer",$peer],"$vpn_cfg_err The peer \"$peer\" is invalid, an ip address must be specified for $tunKeyword.\n"); } $right = '%any'; $any_peer = 1; diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index 23bead1..5373ddf 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -38,6 +38,7 @@ use Getopt::Long; use Vyatta::VPN::vtiIntf; use Vyatta::Config; use Vyatta::Misc; +use Vyatta::TypeChecker; my $vti_cfg_err = "VPN VTI configuration error:"; my $gencmds = ""; @@ -114,6 +115,11 @@ foreach my $peer (@peers) { if (!$vcVPN->exists("ipsec site-to-site peer $peer vti")) { next; } + + if (!(validateType('ipv4', $peer, 'quiet') || validateType('ipv6', $peer, 'quiet')) || ($peer eq '0.0.0.0')) { + vti_die(["vpn","ipsec","site-to-site","peer",$peer],"$vti_cfg_err The peer \"$peer\" is invalid, an ip address must be specified for VTIs.\n"); + } + # # we have the vti configured. # |