}
 /*
  * Destination validation: the user may enter IPs, networks or aliases.
  * The checks run only when is_specialnet() rejects the submitted
  * destination type. A non-empty address must pass is_ipaddroralias() and a
  * non-empty mask must pass is_numericint(); empty (falsy) fields are skipped.
  *
  * NOTE(review): the rejected address is placed into the error text
  * unmodified. Whether it is HTML-encoded depends on how $input_errors is
  * rendered, which this excerpt does not show - confirm the output path
  * encodes it.
  * NOTE(review): is_numericint() is the only mask check visible here; an
  * upper bound for the address family is presumably enforced elsewhere -
  * confirm.
  */
 if (!is_specialnet($_POST['dsttype'])) {
     if ($_POST['dst']) {
         if (!is_ipaddroralias($_POST['dst'])) {
             $input_errors[] = sprintf(
                 gettext("%s is not a valid destination IP address or alias."),
                 $_POST['dst']
             );
         }
     }
     if ($_POST['dstmask']) {
         if (!is_numericint($_POST['dstmask'])) {
             $input_errors[] = gettext("A valid destination bit count must be specified.");
         }
     }
 }
 /*
  * Check for overlaps with other 1:1 entries.
  * Every existing entry except the one being edited ($a_1to1[$id]) is passed
  * to check_subnets_overlap() together with the submitted internal
  * address and subnet.
  *
  * NOTE(review): the body of the overlap branch is commented out, so a
  * detected overlap neither records an input error nor stops the loop. As
  * written this check has no effect on validation - confirm that overlapping
  * internal ranges are meant to be accepted.
  */
 foreach ($a_1to1 as $natent) {
     // Skip the entry currently being edited so it is not compared with itself.
     if (isset($id) && $a_1to1[$id] && $a_1to1[$id] === $natent) {
         continue;
     }
     if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) {
         //$input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet.";
         //break;
     }
 }
 /*
  * Build a new rule entry from the submitted form, but only when the
  * validation above produced no input errors.
  */
 if (!$input_errors) {
     $natent = array();
     $natent['disabled'] = isset($_POST['disabled']) ? true : false;
     // NOTE(review): external, descr and interface are copied from the request
     // as-is in this block; their validation and any output encoding of the
     // free-text description are not visible in this excerpt - confirm both.
     $natent['external'] = $_POST['external'];
     $natent['descr'] = $_POST['descr'];
     $natent['interface'] = $_POST['interface'];
     // Presumably fills the source/destination sub-arrays by reference from the
     // address, mask and "not" fields; verify against pconfig_to_address().
     pconfig_to_address($natent['source'], $_POST['src'], $_POST['srcmask'], $_POST['srcnot']);
     pconfig_to_address($natent['destination'], $_POST['dst'], $_POST['dstmask'], $_POST['dstnot']);
     // Allow-list: only the two literal values are stored for natreflection.
     if ($_POST['natreflection'] == "enable" || $_POST['natreflection'] == "disable") {
         $natent['natreflection'] = $_POST['natreflection'];
     } else {
         // NOTE(review): no enclosing loop is visible in this excerpt. If there
         // is none, PHP 7+ rejects a "continue" outside a loop at compile time -
         // confirm the surrounding context.
         continue;
     }
     // NOTE(review): $natent was rebuilt above from the same request, so this
     // compares $_POST['external'] with a copy of itself, and $natent['subnet']
     // and $natent['internal'] are never assigned in this block. Both branches
     // hold only commented-out code, so no error is recorded either way.
     if (check_subnets_overlap($_POST['external'], $_POST['subnet'], $natent['external'], $natent['subnet'])) {
         //$input_errors[] = "Another 1:1 rule overlaps with the specified external subnet.";
         //break;
     } else {
         if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) {
             //$input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet.";
             //break;
         }
     }
 }
 /*
  * Check for overlaps with advanced outbound NAT.
  * Each configured rule that has a target is compared, as a /32, against the
  * submitted external address and subnet. The first overlap records an
  * input error and ends the scan. Unlike the neighbouring messages, this one
  * is not passed through gettext().
  */
 if (is_array($config['nat']['advancedoutbound']['rule'])) {
     foreach ($config['nat']['advancedoutbound']['rule'] as $natent) {
         // Rules without a target cannot overlap anything.
         if (!$natent['target']) {
             continue;
         }
         if (!check_subnets_overlap($_POST['external'], $_POST['subnet'], $natent['target'], 32)) {
             continue;
         }
         $input_errors[] = "An advanced outbound NAT entry overlaps with the specified external subnet.";
         break;
     }
 }
 if (!$input_errors) {
     $natent = array();
     $natent['external'] = $_POST['external'];
     $natent['internal'] = $_POST['internal'];
     $natent['subnet'] = $_POST['subnet'];
     $natent['descr'] = $_POST['descr'];
     $natent['interface'] = $_POST['interface'];
     if (isset($id) && $a_1to1[$id]) {
         $a_1to1[$id] = $natent;
     } else {
Esempio n. 3
                 $if = get_failover_interface($phase1['interface'], "inet6");
                 $interfaceip = get_interface_ipv6($if);
             } else {
                 $if = get_failover_interface($phase1['interface']);
                 $interfaceip = get_interface_ip($if);
             }
             /*
              * Reject a phase 2 entry whose local and remote networks both cover the
              * outer tunnel endpoints (the local interface address and the phase 1
              * remote gateway). Hostname gateways are not checked at all, because
              * they are subject to change anyway.
              *
              * NOTE(review): in "tunnel6" mode the local side uses
              * check_subnetsv6_overlap() while the remote gateway is still passed to
              * check_subnets_overlap() with a 128-bit mask. Confirm that helper
              * handles IPv6 input; otherwise the remote half of this check may never
              * match for IPv6 tunnels.
              */
             if (is_ipaddr($phase1['remote-gateway'])) {
                 if ($pconfig['mode'] == "tunnel") {
                     if (
                         check_subnets_overlap($interfaceip, 32, $entered_local_network, $entered_local_mask)
                         && check_subnets_overlap($phase1['remote-gateway'], 32, $entered_remote_network, $entered_remote_mask)
                     ) {
                         $input_errors[] = gettext("The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in its phase 1.");
                         break;
                     }
                 } elseif ($pconfig['mode'] == "tunnel6") {
                     if (
                         check_subnetsv6_overlap($interfaceip, 128, $entered_local_network, $entered_local_mask)
                         && check_subnets_overlap($phase1['remote-gateway'], 128, $entered_remote_network, $entered_remote_mask)
                     ) {
                         $input_errors[] = gettext("The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in its phase 1.");
                         break;
                     }
                 }
             }
         }
     }
 }
 /* For ESP protocol, handle encryption algorithms */
 if ($pconfig['proto'] == "esp") {
     $ealgos = pconfig_to_ealgos($pconfig);
     if (!count($ealgos)) {
         $input_errors[] = gettext("At least one encryption algorithm must be selected.");
     } else {
     $input_errors[] = "/32 alt ağ maskesi geçersiz CARP IP leri içeriyor.";
 }
 /*
  * Check for overlaps with other virtual IPs.
  * The entry being edited ($a_vip[$id]) is skipped. For every other entry
  * the submitted 'subnet' value is compared with the stored one, and the
  * first match records an input error and ends the scan.
  *
  * NOTE(review): the comparison is a loose equality on the raw submitted
  * value; confirm both sides are normalised before this point so that two
  * spellings of the same address cannot slip past the duplicate check.
  */
 foreach ($a_vip as $vipent) {
     if (isset($id) && $a_vip[$id] && $a_vip[$id] === $vipent) {
         continue;
     }
     if (!isset($_POST['subnet']) || $_POST['subnet'] != $vipent['subnet']) {
         continue;
     }
     // Message (Turkish): "The specified IP address already exists in the virtual IP list."
     $input_errors[] = "Tanımlanan IP adresi zaten sanal IP listesinde mevcuttur.";
     break;
 }
 /*
  * Check for overlaps with 1:1 NAT.
  * The submitted address is treated as a /32 and compared with the external
  * address and subnet of every 1:1 mapping. The first overlap records an
  * input error and ends the scan.
  *
  * NOTE(review): this check reads $_POST['ipaddr'], while the duplicate
  * virtual IP check in this file reads $_POST['subnet'] - confirm both refer
  * to the field the form actually submits.
  */
 if (is_array($config['nat']['onetoone'])) {
     foreach ($config['nat']['onetoone'] as $natent) {
         if (!check_subnets_overlap($_POST['ipaddr'], 32, $natent['external'], $natent['subnet'])) {
             continue;
         }
         $input_errors[] = "A 1:1 NAT mapping overlaps with the specified IP address.";
         break;
     }
 }
 /* make sure new ip is within the subnet of a valid ip
  * on one of our interfaces (wan, lan optX)
  */
 if ($_POST['mode'] == "carp") {
     if (!$id) {
         /* verify against reusage of vhids */
         $idtracker = 0;
         foreach ($config['virtualip']['vip'] as $vip) {
             if ($vip['vhid'] == $_POST['vhid'] and $idtracker != $id) {
                 $input_errors[] = "VHID {$_POST['vhid']} is already in use.  Pick a unique number.";