From 35b373407cdde12c882dc6ef49b2ea5f3cf0eb78 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 22 Jul 2021 10:02:55 +0300
Subject: [PATCH] openvpn: check ipv4 tunnel prefix. v2 (#5114)

* wizard.inc: check ipv4 tunnel prefix
* vpn_openvpn_server.php: check ipv4 tunnel prefix
---
 src/etc/inc/plugins.inc.d/openvpn/wizard.inc | 8 +++++++-
 src/www/vpn_openvpn_server.php | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/plugins.inc.d/openvpn/wizard.inc b/src/etc/inc/plugins.inc.d/openvpn/wizard.inc
index 2dd470692..614658a7f 100644
--- a/src/etc/inc/plugins.inc.d/openvpn/wizard.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn/wizard.inc
@@ -440,6 +440,12 @@ function step10_submitphpaction()
 
     if ($result = openvpn_validate_cidr($_POST['tunnelnet'], gettext('IPv4 Tunnel Network'), false, 'ipv4')) {
         $input_errors[] = $result;
+    } elseif (!empty($_POST['tunnelnet'])) {
+        // Check IPv4 tunnelnet pool size. Wizard makes tun mode with net30 server only.
+        list($ipv4tunnel_base, $ipv4tunnel_prefix) = explode('/',trim($_POST['tunnelnet']));
+        if ($ipv4tunnel_prefix > 28) {
+            $input_errors[] = gettext('A prefix longer than 28 cannot be used with a net30 topology.');
+        }
     }
 
     if ($result = openvpn_validate_cidr($_POST['tunnelnetv6'], gettext('IPv6 Tunnel Network'), false, 'ipv6')) {
@@ -770,7 +776,7 @@ function step12_submitphpaction()
     if (strpos($proto, '4') !== false) {
         $rule['protocol'] = substr($proto, 0, -1);
         $rule['ipprotocol'] = "inet";
-    } elseif (strpos($proto, '6') !== false) {
+    } elseif (strpos($proto, '6') !== false) {
         $rule['protocol'] = substr($proto, 0, -1);
         $rule['ipprotocol'] = "inet6";
     } else {
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index 8a9ebeb9a..635a7c46a 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
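Review bot: The net30 prefix check added after `$input_errors[] = $result;` compares `$ipv4tunnel_prefix` as the raw string returned by `explode()` and leaves `$ipv4tunnel_base` unused; `list(, $ipv4tunnel_prefix) = explode('/', trim($_POST['tunnelnet']));` followed by `if ((int)$ipv4tunnel_prefix > 28) {` states the intent directly. The same prefix limit and the same message are re-implemented in the vpn_openvpn_server.php hunk (-202,6 +202,18); a shared helper next to openvpn_validate_cidr that takes the network, the dev mode and the topology and returns the error text (or null) would keep the two pages from drifting apart. The explode/list relies on openvpn_validate_cidr having already enforced an `address/prefix` form — presumably it has, since the elseif only runs when it returned nothing, but if a bare address can pass it, `list()` emits a notice and the comparison silently passes. step10_submitphpaction() starts and ends outside the hunk.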
@@ -202,6 +202,18 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 
     if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], gettext('IPv4 Tunnel Network'), false, 'ipv4')) {
         $input_errors[] = $result;
+    } elseif (!empty($pconfig['tunnel_network'])) {
+        // Check IPv4 tunnel_network pool size
+        list($ipv4tunnel_base, $ipv4tunnel_prefix) = explode('/',trim($pconfig['tunnel_network']));
+        if ($pconfig['dev_mode'] == "tun") {
+            if ($ipv4tunnel_prefix > 28 && empty($pconfig['topology_subnet'])) {
+                $input_errors[] = gettext('A prefix longer than 28 cannot be used with a net30 topology.');
+            } elseif ($ipv4tunnel_prefix > 29 && !empty($pconfig['topology_subnet'])) {
+                $input_errors[] = gettext('A prefix longer than 29 cannot be used for tunnel network.');
+            }
+        } elseif ($pconfig['dev_mode'] == "tap" && $ipv4tunnel_prefix > 29) {
+            $input_errors[] = gettext('A prefix longer than 29 cannot be used for tunnel network.');
+        }
     }
 
     if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], gettext('IPv6 Tunnel Network'), false, 'ipv6')) {
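Review bot: The two `> 29` branches inside the new `elseif (!empty($pconfig['tunnel_network']))` block emit the identical message, and the `dev_mode` comparisons use loose `==` against `"tun"` and `"tap"`; the block can be collapsed to one net30 test plus one general test with strict comparisons, and `$ipv4tunnel_base` dropped since it is never read. Casting the prefix with `(int)` before comparing also avoids relying on PHP's string-to-number comparison rules for a form-supplied value. As in wizard.inc, this assumes openvpn_validate_cidr has already rejected inputs without a `/`; if a bare address can reach this point, `list()` produces a notice and both checks are skipped. The surrounding POST-handling block starts and ends outside the hunk.
```php
    } elseif (!empty($pconfig['tunnel_network'])) {
        // Check IPv4 tunnel_network pool size. net30 spends a /30 per client,
        // so it needs a shorter prefix than subnet topology or tap mode.
        list(, $ipv4tunnel_prefix) = explode('/', trim($pconfig['tunnel_network']));
        $ipv4tunnel_prefix = (int)$ipv4tunnel_prefix;
        $net30 = $pconfig['dev_mode'] === 'tun' && empty($pconfig['topology_subnet']);
        if ($net30 && $ipv4tunnel_prefix > 28) {
            $input_errors[] = gettext('A prefix longer than 28 cannot be used with a net30 topology.');
        } elseif (!$net30 && in_array($pconfig['dev_mode'], ['tun', 'tap'], true) && $ipv4tunnel_prefix > 29) {
            $input_errors[] = gettext('A prefix longer than 29 cannot be used for tunnel network.');
        }
    }
    // … unchanged: IPv6 tunnel network validation …
```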