
Contents of /rpms/smeserver-wireguard/contribs10/smeserver-wireguard-1.0-bz11771-more-network-check.patch



Revision 1.1 - (show annotations) (download)
Sun May 29 06:53:32 2022 UTC (2 years ago) by jpp
Branch: MAIN
CVS Tags: smeserver-wireguard-1_0-19_el7_sme, smeserver-wireguard-1_0-17_el7_sme, smeserver-wireguard-1_0-18_el7_sme, smeserver-wireguard-1_0-16_el7_sme, HEAD
* Sun May 29 2022 Jean-Philippe Pialasse <tests@pialasse.com> 1.0-16.sme
- improve check and tidying for non local network type [SME: 11771]
  updated both legacy and new panel

1 diff -Nur --no-dereference smeserver-wireguard-1.0.old/createlink smeserver-wireguard-1.0/createlink
2 --- smeserver-wireguard-1.0.old/createlink 2022-05-29 02:43:17.319000000 -0400
3 +++ smeserver-wireguard-1.0/createlink 2022-05-29 02:46:12.907000000 -0400
4 @@ -24,7 +24,7 @@
5 masq restart
6 wg-quick@wg0 restart
7 ));
8 -event_link("wireguard-network", $event, "30");
9 +event_link("wireguard-network", $event, "04");
10 templates2events("/etc/systemd/system-preset/49-koozali.preset", $event);
11 event_link("systemd-reload", $event, "89");
12 event_link("systemd-default", $event, "88");
13 @@ -41,7 +41,7 @@
14 masq restart
15 wg-quick@wg0 restart
16 ));
17 -event_link("wireguard-network", $event, "30");
18 +event_link("wireguard-network", $event, "04");
19
20 #wireguard-user-modify
21 $event="wireguard-user-modify";
22 diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/etc/e-smith/events/actions/wireguard-network smeserver-wireguard-1.0/root/etc/e-smith/events/actions/wireguard-network
23 --- smeserver-wireguard-1.0.old/root/etc/e-smith/events/actions/wireguard-network 2022-05-29 02:43:17.315000000 -0400
24 +++ smeserver-wireguard-1.0/root/etc/e-smith/events/actions/wireguard-network 2022-05-29 02:44:49.245000000 -0400
25 @@ -8,8 +8,9 @@
26 use esmith::AccountsDB;
27 use NetAddr::IP;
28 use Net::Netmask;
29 +use NetAddr::IP;
30
31 -my $conf = esmith::ConfigDB->open_ro;
32 +my $conf = esmith::ConfigDB->open;
33 my $netdb = esmith::ConfigDB->open('networks');
34 my $accounts = esmith::AccountsDB->open;
35 esmith::ConfigDB->create('/home/e-smith/db/wireguard') unless (-f '/home/e-smith/db/wireguard');
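Review bot: The added `use NetAddr::IP;` repeats the import that already sits two lines above it in this hunk, so it can be dropped. The switch from `open_ro` to `open` gives this action a writable configuration handle, and nothing here says why. A one-line comment such as `# read-write: the address check below may reset ip/mask or disable the service` would record the reason, assuming `$wg0` is fetched through `$conf` (its definition is outside the hunk).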
36 @@ -24,14 +25,50 @@
37 my $ip = $block->base;
38 my $mask = $block->mask;
39
40 +#count clients
41 +my @client = $wg->get_all_by_prop(type=>"wg0");
42 +my $clients = scalar @client;
43 +
44 +#check is_rfc1918
45 +#if yes proceed
46 +my $skipme = 0;
47 +my $rfc=NetAddr::IP->new($wgip,$wgmask);
48 +unless ( $rfc->is_rfc1918() ) {
49 + if ($clients == 0 ) {
50 + #if not and no clients make it compliant 172.16.0.1/22 as default
51 + my $minimum=16;
52 + my $maximum=32;
53 + my $x = $minimum + int(rand($maximum - $minimum));
54 + warn("$wgip/$wgmask is not considered as a LAN addressing, set default to 172.$x.0.1/22");
55 + $wgip="172.$x.0.1";$wgmask="22";
56 + $wg0->set_prop('ip',$wgip); $wg0->set_prop('mask',$wgmask);
57 + $block = Net::Netmask->new("$wgip/$wgmask", shortnet => 1);
58 + $ip = $block->base;
59 + $mask = $block->mask;
60 + }
61 + else {
62 + #if not and clients configured, disable service delete network
63 + warn("$wgip/$wgmask is not considered as a LAN addressing, adding this network to SME trusted network could allow email relaying. Disabling service.");
64 + warn("Please remove configured client and start your configuration from scratch");
65 + $wg0->set_prop('status','disabled');
66 + $skipme=1; $ip="nop";
67 + }
68 +}
69 +
70 +#if yes proceed
71 +#if not and no clients make it compliant 172.16.0.1/22 as default
72 +#if not and clients configured, disable service delete network
73 +
74 #First delete any already there.
75 my @wg = $netdb->get_all_by_prop(Wireguard=>"wg0");
76 foreach my $netwg (@wg) {
77 + next if ($netwg->key eq $ip and $netwg->prop('Mask') eq $mask);
78 + print "delete " . $netwg->key;
79 $netwg->delete();
80 }
81 # and then create one from the wireguard server ip
82 my $iswg=$netdb->get($ip);
83 -unless ($iswg) {
84 +unless ($iswg or $skipme == 1) {
85 $netdb->new_record("$ip",{ type => "network",
86 Mask => "$mask",
87 Wireguard => "wg0",
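Review bot: `NetAddr::IP->new($wgip,$wgmask)` returns undef when the stored address or mask does not parse, and the next line then dies on `$rfc->is_rfc1918()` before the trusted-network clean-up below runs. Treating an unparseable value like a non-private one keeps the check fail-closed: `unless ( defined $rfc and $rfc->is_rfc1918() ) {`. The randomly chosen `172.$x.0.1/22` is written without being compared against the networks already in `$netdb`, so it could overlap an existing local network; the comment above it still says 172.16.0.1. `print "delete " . $netwg->key;` has no trailing newline and looks like leftover debug output. `$wgip`, `$wgmask` and `$wg0` are defined outside the hunk.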
88 diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm
89 --- smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2022-05-29 02:43:17.320000000 -0400
90 +++ smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2022-05-29 02:44:49.471000000 -0400
91 @@ -447,14 +447,18 @@
92 ,'status' => $status
93 );
94
95 + # Test Ip is inside CIDR
96 + if (!test_for_private_ip($ip,$mask)) {
97 + $msg = "IP must be in private range";
98 + $fm->error($msg);return;
99 + }
100 +
101 +
102 $cdb->get('wg-quick@wg0')->merge_props(%props)
103 or $msg = "Error occurred while modifying server details.";
104
105 - # Test Ip is inside CIDR
106 - if (!test_for_private_ip($ip,$mask)) {$msg = "IP must be in private range";}
107 - #else {$msg = "Ip is inside range $ip / $mask";}
108
109 - unless ($msg eq "OK"){
110 + if ($msg eq "OK"){
111 # Untaint before use in system()
112 ($ip) = ($ip =~ /(\d+\.+\d+\.+\d+\.+\d+\.+\/\d+\.+)/);
113 system( "/sbin/e-smith/signal-event", "wireguard-conf-modify", "$ip",)
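Review bot: With the condition flipped to `if ($msg eq "OK")`, the untaint line is now on the success path, and its pattern `/(\d+\.+\d+\.+\d+\.+\d+\.+\/\d+\.+)/` requires a dot after the fourth octet and a `/digits.` suffix. A plain dotted quad therefore appears not to match, leaving `$ip` undef before it is passed to `signal-event`. An anchored pattern with an explicit failure path would be safer, e.g. `($ip) = ($ip =~ /\A(\d{1,3}(?:\.\d{1,3}){3})\z/);` followed by `unless (defined $ip) { $fm->error("Invalid IP"); return; }`, adjusted if the event expects `ip/mask`. The same context lines appear in the SrvMngr controller hunk that follows. The moved comment `# Test Ip is inside CIDR` would read better as `# Reject addresses outside the private ranges`; the enclosing sub starts and ends outside the hunk.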
114 diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm smeserver-wireguard-1.0/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm
115 --- smeserver-wireguard-1.0.old/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm 2022-05-29 02:43:17.321000000 -0400
116 +++ smeserver-wireguard-1.0/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm 2022-05-29 02:51:31.997000000 -0400
117 @@ -345,14 +345,17 @@
118 ,'status' => $status
119 );
120
121 + # Test Ip is inside CIDR
122 + if (!test_for_private_ip($ip,$mask)) {
123 + $msg = "IP must be in private range";
124 + $fm->error($msg);return;
125 + }
126 +
127 $cdb->get('wg-quick@wg0')->merge_props(%props)
128 or $msg = "Error occurred while modifying server details.";
129
130 - # Test Ip is inside CIDR
131 - if ( ! test_for_private_ip( $ip,$mask ) ) { $msg = "IP must be in private range"; }
132 - #else {$msg = "Ip is inside range $ip / $mask";}
133
134 - unless ($msg eq "OK"){
135 + if ($msg eq "OK"){
136 # Untaint before use in system()
137 ($ip) = ($ip =~ /(\d+\.+\d+\.+\d+\.+\d+\.+\/\d+\.+)/);
138 system( "/sbin/e-smith/signal-event", "wireguard-conf-modify", "$ip",)
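Review bot: The early exit added here calls `$fm->error($msg)`, but no `$fm` is visible anywhere in this controller hunk, so confirm it is declared in the enclosing sub, which starts outside the hunk. If it is not, the file will either fail to compile under `use strict` or die at this call, and the private-range rejection never reaches the user. If the controller reports errors through `$msg` or its own response path instead, set that and `return` before `merge_props` so an address outside the private ranges is never stored.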
