Currently, one can say something like

        vpn thing
        renegotiate-time 1
        location evil
        ## ...

and if the VPN admin failed to set a value for `renegotiate-time' then
everyone will spin their CPUs doing key exchange.

Fix this lacuna. Now user input can only modify location and site
properties. If the administrator didn't set a location-level
`restrict-nets', then a user can do this, but obviously that can't make
anything worse.

Signed-off-by: Mark Wooding <mdw@distorted.org.uk>
VPN, and location properties which are already
defined. (Assigning new properties is permitted.)
VPN, and location properties which are already
defined. (Assigning new properties is permitted.)
+ * It is not permitted to define new VPN-level
+ properties.
+
Finally, the properties.
If a property has already been defined on an item, then it is an
Finally, the properties.
If a property has already been defined on an item, then it is an
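Review bot: the added sentence "It is not permitted to define new VPN-level properties" lands directly after the parenthetical "(Assigning new properties is permitted.)", and for the VPN level the two now read as contradicting each other. Suggest rewording the parenthetical so that it permits assigning new properties only at the location and site levels, or folding the new restriction into it, so a reader does not have to work out which statement wins.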
current=nl
obstack.append(current)
return [i]
current=nl
obstack.append(current)
return [i]
- if current.allow_properties.has_key(keyword):
- set_property(current,w)
- return [i]
- else:
+ if not current.allow_properties.has_key(keyword):
complain("Property %s not allowed at %s level"%
(keyword,current.type))
return []
complain("Property %s not allowed at %s level"%
(keyword,current.type))
return []
+ elif current.depth == vpnlevel.depth < allow_defs:
+ complain("Not allowed to set VPN properties here")
+ return []
+ else:
+ set_property(current,w)
+ return [i]
complain("unknown keyword '%s'"%(keyword))
complain("unknown keyword '%s'"%(keyword))
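Review bot: the condition on the added line "elif current.depth == vpnlevel.depth < allow_defs:" is a chained comparison, which Python evaluates as "current.depth == vpnlevel.depth and vpnlevel.depth < allow_defs"; it is easy to misread as a typo, and nothing in the hunk says what allow_defs stands for. Suggest writing the two tests out with "and" and adding a one-line comment on which depth allow_defs represents. The new complaint "Not allowed to set VPN properties here" could also include the keyword, as the "Property %s not allowed at %s level" message just above it does, so the rejected line of user input can be identified from the error output.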