From 209d0ae7650cb76a18feedaf75052eb03036c184 Mon Sep 17 00:00:00 2001 From: Alex Harpin Date: Mon, 22 Jun 2015 08:03:30 +0100 Subject: vyatta-cfg-vpn: validate peer address for vti based vpn connections Validate the peer address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for peer addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #359 http://bugzilla.vyos.net/show_bug.cgi?id=359 --- scripts/vpn-config.pl | 2 +- scripts/vyatta-vti-config.pl | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'scripts') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index bb7b667..3f953b3 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -509,7 +509,7 @@ if ($vcVPN->exists('ipsec')) { or $any_peer == 1) { if ($isVti) { - vpn_die(["vpn","ipsec","site-to-site","peer",$peer],"$vpn_cfg_err The \"$peer\" is invalid ". "ip address must be specified for $tunKeyword.\n"); + vpn_die(["vpn","ipsec","site-to-site","peer",$peer],"$vpn_cfg_err The peer \"$peer\" is invalid, an ip address must be specified for $tunKeyword.\n"); } $right = '%any'; $any_peer = 1; diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index 042ef3b..fbfad64 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -38,6 +38,7 @@ use Getopt::Long; use Vyatta::VPN::vtiIntf; use Vyatta::Config; use Vyatta::Misc; +use Vyatta::TypeChecker; my $vti_cfg_err = "VPN VTI configuration error:"; my $gencmds = ""; 
@@ -114,6 +115,11 @@ foreach my $peer (@peers) {
 if (!$vcVPN->exists("ipsec site-to-site peer $peer vti")) {
 next;
 }
+
+ if (!(validateType('ipv4', $peer, 'quiet') || validateType('ipv6', $peer, 'quiet')) || ($peer eq '0.0.0.0')) {
+ vti_die(["vpn","ipsec","site-to-site","peer",$peer],"$vti_cfg_err The peer \"$peer\" is invalid, an ip address must be specified for VTIs.\n");
+ }
+
 #
 # we have the vti configured.
 #
-- cgit v1.2.3
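Review bot: The wildcard test in the added `if` compares `$peer` with the literal string `'0.0.0.0'` only, so an unspecified peer written any other way (the IPv6 `::`, or a zero-padded IPv4 spelling if `validateType` accepts one) would pass this guard and continue into the VTI setup below. Consider covering the IPv6 case explicitly, e.g. `|| ($peer eq '0.0.0.0') || ($peer eq '::')`, or normalising the address before comparing. How `validateType` treats those spellings is not visible in this diff, so confirm it against Vyatta::TypeChecker. A short comment above the check, such as `# VTIs need a concrete peer address; hostnames, @ids and any-peer forms are rejected here`, would also record why `0.0.0.0` is special-cased. The enclosing `foreach my $peer (@peers)` loop starts and ends outside the hunk.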