From 0a9ff39b48804af541ccd00f567c54014f8e1db2 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 18 Jul 2021 20:36:23 +0200
Subject: ipsec: T2816: limit remote-access nameservers to two IPv4 and two for IPv6

---
 src/conf_mode/vpn_ipsec.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 0bb74d2dd..078b70aee 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -33,6 +33,7 @@ from vyos.pki import wrap_crl
 from vyos.pki import wrap_public_key
 from vyos.pki import wrap_private_key
 from vyos.template import ip_from_cidr
+from vyos.template import is_ipv4
 from vyos.template import render
 from vyos.validate import is_ipv6_link_local
 from vyos.util import call
@@ -259,6 +260,18 @@ def verify(ipsec):
 if 'pre_shared_secret' not in ra_conf['authentication']:
 raise ConfigError(f"Missing pre-shared-key on {name} remote-access config")
 
+ if 'pool' in ra_conf:
+ if 'name_server' in ra_conf['pool']:
+ dns_v4 = []
+ dns_v6 = []
+ for addr in ra_conf['pool']['name_server']:
+ if is_ipv4(addr): dns_v4.append(addr)
+ else: dns_v6.append(addr)
+ if len(dns_v4) > 2:
+ raise ConfigError(f'IPSec remote-access "{name}" supports only 2 IPv4 name-servers!')
+ if len(dns_v6) > 2:
+ raise ConfigError(f'IPSec remote-access "{name}" supports only 2 IPv6 name-servers!')
+
 if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']:
 for peer, peer_conf in ipsec['site_to_site']['peer'].items():
 has_default_esp = False
-- 
cgit v1.2.3
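Review bot: In `else: dns_v6.append(addr)` every value that `is_ipv4` rejects is counted as an IPv6 server, so a malformed entry, should the schema validation upstream ever let one through, is silently accepted toward the IPv6 limit instead of being rejected here; an explicit `elif is_ipv6(addr): dns_v6.append(addr)` followed by `else: raise ConfigError(f'Invalid name-server address {addr}')` would make the classification explicit, assuming a sibling `is_ipv6` helper exists next to the imported `is_ipv4` (not visible in this hunk). The limit 2 appears as a bare literal in two conditions and two messages with no comment saying where it comes from; a module constant such as `MAX_RA_DNS = 2` with a comment naming the reason (presumably a constraint of the generated swanctl pool configuration, which this hunk does not show) would keep both checks and both messages in sync. The nested `if 'pool' in ra_conf:` / `if 'name_server' in ra_conf['pool']:` can be a single guard, `if 'name_server' in ra_conf.get('pool', {}):`. `verify()` begins and ends outside this hunk.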