Commit 16503424 authored by Franco Fichtner's avatar Franco Fichtner

firewall: can't change mode, cluster menu features; closes #921

Not really satisfied with the HA split but let's just say it's a
work in progress...
parent b9095a55
......@@ -34,9 +34,8 @@
<Defaults order="50" url="/diag_defaults.php"/>
</Firmware>
<HighAvailability order="50" VisibleName="High Availability" cssClass="fa fa-refresh fa-fw">
<Synchronization url="/system_hasync.php"/>
<CARPStatus order="100" VisibleName="CARP Status" url="/carp_status.php"/>
<HAStatus order="200" VisibleName="HA backup status" url="/status_habackup.php"/>
<Settings order="100" url="/system_hasync.php"/>
<Status order="200" url="/status_habackup.php"/>
</HighAvailability>
<Routes order="40" cssClass="fa fa-map-signs fa-fw">
<All order="10" url="/system_routes.php">
......@@ -164,9 +163,12 @@
<Edit url="/firewall_nat_npt_edit.php*" visibility="hidden"/>
</NPT>
</NAT>
<VirtualIPs order="50" VisibleName="Virtual IPs" url="/firewall_virtual_ip.php" cssClass="fa fa-clone fa-fw">
<VirtualIPEdit url="/firewall_virtual_ip_edit.php*" visibility="hidden"/>
</VirtualIPs>
<VIP order="50" VisibleName="Virtual IPs" cssClass="fa fa-clone fa-fw">
<Settings url="/firewall_virtual_ip.php">
<Edit url="/firewall_virtual_ip_edit.php*" visibility="hidden"/>
</Settings>
<Status url="/carp_status.php"/>
</VIP>
<Schedules order="100" url="/firewall_schedule.php" cssClass="fa fa-calendar fa-fw">
<SchedulesEdit url="/firewall_schedule_edit.php*" visibility="hidden"/>
</Schedules>
......@@ -338,9 +338,7 @@ $main_buttons = array(
?>
<?php ?>
<tr>
<td colspan="5">
<?=sprintf(gettext('You can check the status of your CARP Virtual IPs and interfaces %shere%s.'),'<a href="carp_status.php">','</a>')?></span>
</td>
<td colspan="5"></td>
<td>
<a type="submit" id="move_<?=$i;?>" name="move_<?=$i;?>_x" data-toggle="tooltip" title="<?=gettext("move selected virtual IPs to end");?>" class="act_move btn btn-default btn-xs">
<span class="glyphicon glyphicon-arrow-left"></span>
......@@ -103,79 +103,84 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$reqdfieldsn = array(gettext("Type"));
do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
if (isset($pconfig['subnet'])) {
$pconfig['subnet'] = trim($pconfig['subnet']);
if (!is_ipaddr($pconfig['subnet'])) {
$input_errors[] = gettext("A valid IP address must be specified.");
} else {
$ignore_if = isset($id) ? $a_vip[$id]['interface'] : $pconfig['interface'];
if ($pconfig['mode'] == 'carp') {
$ignore_if .= "_vip{$pconfig['vhid']}";
}
if (is_ipaddr_configured($pconfig['subnet'], $ignore_if)) {
$input_errors[] = gettext("This IP address is being used by another interface or VIP.");
if (isset($id) && $pconfig['mode'] != $a_vip[$id]['mode']) {
$input_errors[] = gettext("Virtual IP mode may not be changed for an existing entry.");
} else {
if (isset($pconfig['subnet'])) {
$pconfig['subnet'] = trim($pconfig['subnet']);
if (!is_ipaddr($pconfig['subnet'])) {
$input_errors[] = gettext("A valid IP address must be specified.");
} else {
$ignore_if = isset($id) ? $a_vip[$id]['interface'] : $pconfig['interface'];
if ($pconfig['mode'] == 'carp') {
$ignore_if .= "_vip{$pconfig['vhid']}";
}
if (is_ipaddr_configured($pconfig['subnet'], $ignore_if)) {
$input_errors[] = gettext("This IP address is being used by another interface or VIP.");
}
}
}
}
$natiflist = get_configured_interface_with_descr();
foreach ($natiflist as $natif => $natdescr) {
if ($pconfig['interface'] == $natif && (empty($config['interfaces'][$natif]['ipaddr']) && empty($config['interfaces'][$natif]['ipaddrv6']))) {
$input_errors[] = gettext("The interface chosen for the VIP has no IPv4 or IPv6 address configured so it cannot be used as a parent for the VIP.");
}
}
/* ipalias and carp should not use network or broadcast address */
if ($pconfig['mode'] == "ipalias" || $pconfig['mode'] == "carp") {
if (is_ipaddrv4($pconfig['subnet']) && $pconfig['subnet_bits'] != "32") {
$network_addr = gen_subnet($pconfig['subnet'], $pconfig['subnet_bits']);
$broadcast_addr = gen_subnet_max($pconfig['subnet'], $pconfig['subnet_bits']);
} else if (is_ipaddrv6($pconfig['subnet']) && $_POST['subnet_bits'] != "128" ) {
$network_addr = gen_subnetv6($pconfig['subnet'], $pconfig['subnet_bits']);
$broadcast_addr = gen_subnetv6_max($pconfig['subnet'], $pconfig['subnet_bits']);
}
if (isset($network_addr) && $pconfig['subnet'] == $network_addr) {
$input_errors[] = gettext("You cannot use the network address for this VIP");
} else if (isset($broadcast_addr) && $pconfig['subnet'] == $broadcast_addr) {
$input_errors[] = gettext("You cannot use the broadcast address for this VIP");
}
}
/* make sure new ip is within the subnet of a valid ip
* on one of our interfaces (wan, lan optX)
*/
if ($pconfig['mode'] == 'carp') {
/* verify against reusage of vhids */
foreach($config['virtualip']['vip'] as $vipId => $vip) {
if(isset($vip['vhid']) && $vip['vhid'] == $pconfig['vhid'] && $vip['interface'] == $pconfig['interface'] && $vipId <> $id) {
$input_errors[] = sprintf(gettext("VHID %s is already in use on interface %s. Pick a unique number on this interface."),$pconfig['vhid'], convert_friendly_interface_to_friendly_descr($pconfig['interface']));
}
}
if (empty($pconfig['password'])) {
$input_errors[] = gettext("You must specify a CARP password that is shared between the two VHID members.");
$natiflist = get_configured_interface_with_descr();
foreach ($natiflist as $natif => $natdescr) {
if ($pconfig['interface'] == $natif && (empty($config['interfaces'][$natif]['ipaddr']) && empty($config['interfaces'][$natif]['ipaddrv6']))) {
$input_errors[] = gettext("The interface chosen for the VIP has no IPv4 or IPv6 address configured so it cannot be used as a parent for the VIP.");
}
}
if (is_ipaddrv4($pconfig['subnet'])) {
$parent_ip = get_interface_ip($pconfig['interface']);
$parent_sn = get_interface_subnet($pconfig['interface']);
$subnet = gen_subnet($parent_ip, $parent_sn);
} else if (is_ipaddrv6($pconfig['subnet'])) {
$parent_ip = get_interface_ipv6($pconfig['interface']);
$parent_sn = get_interface_subnetv6($pconfig['interface']);
$subnet = gen_subnetv6($parent_ip, $parent_sn);
/* ipalias and carp should not use network or broadcast address */
if ($pconfig['mode'] == "ipalias" || $pconfig['mode'] == "carp") {
if (is_ipaddrv4($pconfig['subnet']) && $pconfig['subnet_bits'] != "32") {
$network_addr = gen_subnet($pconfig['subnet'], $pconfig['subnet_bits']);
$broadcast_addr = gen_subnet_max($pconfig['subnet'], $pconfig['subnet_bits']);
} else if (is_ipaddrv6($pconfig['subnet']) && $_POST['subnet_bits'] != "128" ) {
$network_addr = gen_subnetv6($pconfig['subnet'], $pconfig['subnet_bits']);
$broadcast_addr = gen_subnetv6_max($pconfig['subnet'], $pconfig['subnet_bits']);
}
if (isset($network_addr) && $pconfig['subnet'] == $network_addr) {
$input_errors[] = gettext("You cannot use the network address for this VIP");
} else if (isset($broadcast_addr) && $pconfig['subnet'] == $broadcast_addr) {
$input_errors[] = gettext("You cannot use the broadcast address for this VIP");
}
}
if (isset($parent_ip) && !ip_in_subnet($pconfig['subnet'], "{$subnet}/{$parent_sn}") && !ip_in_interface_alias_subnet($pconfig['interface'], $pconfig['subnet'])) {
$cannot_find = $pconfig['subnet'] . "/" . $pconfig['subnet_bits'] ;
$input_errors[] = sprintf(gettext("Sorry, we could not locate an interface with a matching subnet for %s. Please add an IP alias in this subnet on this interface."),$cannot_find);
}
/* make sure new ip is within the subnet of a valid ip
* on one of our interfaces (wan, lan optX)
*/
if ($pconfig['mode'] == 'carp') {
/* verify against reusage of vhids */
foreach($config['virtualip']['vip'] as $vipId => $vip) {
if(isset($vip['vhid']) && $vip['vhid'] == $pconfig['vhid'] && $vip['interface'] == $pconfig['interface'] && $vipId <> $id) {
$input_errors[] = sprintf(gettext("VHID %s is already in use on interface %s. Pick a unique number on this interface."),$pconfig['vhid'], convert_friendly_interface_to_friendly_descr($pconfig['interface']));
}
}
if (empty($pconfig['password'])) {
$input_errors[] = gettext("You must specify a CARP password that is shared between the two VHID members.");
}
if ($pconfig['interface'] == "lo0") {
if (is_ipaddrv4($pconfig['subnet'])) {
$parent_ip = get_interface_ip($pconfig['interface']);
$parent_sn = get_interface_subnet($pconfig['interface']);
$subnet = gen_subnet($parent_ip, $parent_sn);
} else if (is_ipaddrv6($pconfig['subnet'])) {
$parent_ip = get_interface_ipv6($pconfig['interface']);
$parent_sn = get_interface_subnetv6($pconfig['interface']);
$subnet = gen_subnetv6($parent_ip, $parent_sn);
}
if (isset($parent_ip) && !ip_in_subnet($pconfig['subnet'], "{$subnet}/{$parent_sn}") && !ip_in_interface_alias_subnet($pconfig['interface'], $pconfig['subnet'])) {
$cannot_find = $pconfig['subnet'] . "/" . $pconfig['subnet_bits'] ;
$input_errors[] = sprintf(gettext("Sorry, we could not locate an interface with a matching subnet for %s. Please add an IP alias in this subnet on this interface."),$cannot_find);
}
if ($pconfig['interface'] == "lo0") {
$input_errors[] = gettext("For this type of vip localhost is not allowed.");
}
} else if ($pconfig['mode'] != 'ipalias' && $pconfig['interface'] == "lo0") {
$input_errors[] = gettext("For this type of vip localhost is not allowed.");
}
} else if ($pconfig['mode'] != 'ipalias' && $pconfig['interface'] == "lo0") {
$input_errors[] = gettext("For this type of vip localhost is not allowed.");
}
if (count($input_errors) == 0) {
$vipent = array();
// defaults
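Review bot: The VHID reuse check, `if(isset($vip['vhid']) && $vip['vhid'] == $pconfig['vhid'] && $vip['interface'] == $pconfig['interface'] && $vipId <> $id)`, skips the entry at index 0 when a new VIP is being created: `$id` is unset on that path (the ternaries above test `isset($id)`) and PHP's loose `0 <> null` evaluates to false, so a CARP VHID that collides with the first configured VIP on the same interface is accepted silently, assuming the vip array is 0-indexed as the `$a_vip[$id]` lookups suggest. Make the exclusion explicit, `&& (!isset($id) || $vipId != $id)`, so only the entry being edited is skipped. The same branch still reads `$_POST['subnet_bits']` in the IPv6 case, `} else if (is_ipaddrv6($pconfig['subnet']) && $_POST['subnet_bits'] != "128" ) {`, while every other check uses `$pconfig['subnet_bits']`; use `$pconfig` there too so the network/broadcast check and the value that is saved agree. The new guard `if (isset($id) && $pconfig['mode'] != $a_vip[$id]['mode'])` would be safer with `!==`, since both sides are presumably strings from the form and the config. The enclosing request-handling block starts before the hunk and continues past it.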
......@@ -321,7 +326,7 @@ $( document ).ready(function() {
</td>
</tr>
<tr>
<td><a id="help_for_mode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Type');?></td>
<td><a id="help_for_mode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Mode');?></td>
<td>
<select id="mode" name="mode" class="selectpicker" data-width="auto" data-live-search="true">
<option value="ipalias" <?=$pconfig['mode'] == "ipalias" ? "selected=\"selected\"" : ""; ?>><?=gettext("IP Alias");?></option>