[SECNET PATCH 06/12] make-secnet-sites: Don't allow setting new VPN-level props when restricted.

[Ian Jackson]

From: Mark Wooding <mdw at distorted.org.uk>

Currently, one can say something like

	vpn thing
	renegotiate-time 1

	location evil
	## ...

and if the VPN admin failed to set a value for `renegotiate-time' then
everyone will spin their CPUs doing key exchange.

Fix this lacuna.  Now user input can only modify location and site
properties.  If the administrator didn't set a location-level
`restrict-nets', then a user can do this, but obviously that can't make
anything worse.

Signed-off-by: Mark Wooding <mdw at distorted.org.uk>
---
 README.make-secnet-sites |  3 +++
 make-secnet-sites        | 11 +++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/README.make-secnet-sites b/README.make-secnet-sites
index 9a528c1..cef4368 100644
--- a/README.make-secnet-sites
+++ b/README.make-secnet-sites
@@ -112,6 +112,9 @@ INPUT SYNTAX
 		    VPN, and location properties which are already
 		    defined.  (Assigning new properties is permitted.)
 
+		  * It is not permitted to define new VPN-level
+		    properties.
+
 	Finally, the properties.
 
 	If a property has already been defined on an item, then it is an
diff --git a/make-secnet-sites b/make-secnet-sites
index b66f950..5f271e3 100755
--- a/make-secnet-sites
+++ b/make-secnet-sites
@@ -380,13 +380,16 @@ def pline(i,allow_include=False):
 			current=nl
 		obstack.append(current)
 		return [i]
-	if current.allow_properties.has_key(keyword):
-		set_property(current,w)
-		return [i]
-	else:
+	if not current.allow_properties.has_key(keyword):
 		complain("Property %s not allowed at %s level"%
 			(keyword,current.type))
 		return []
+	elif current.depth == vpnlevel.depth < allow_defs:
+		complain("Not allowed to set VPN properties here")
+		return []
+	else:
+		set_property(current,w)
+		return [i]
 
 	complain("unknown keyword '%s'"%(keyword))
 
-- 
2.11.0