security/tinc: add support for "StrictSubnets" variable (#3528)

security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml

@@ -32,6 +32,15 @@
           If the other end doesn't respond within this time, the connection is terminated, and the others will be notified of this.
         </help>
     </field>
+    <field>
+        <id>network.StrictSubnets</id>
+        <label>StrictSubnets</label>
+        <type>checkbox</type>
+        <help>When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/netname/hosts/ directory.
+          Subnets learned via connections to other nodes and which are not present in the local host config files are ignored.
+        </help>
+        <advanced>true</advanced>
+    </field>
     <field>
       <id>network.cipher</id>
       <label>Cipher</label>

security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml

@@ -60,6 +60,10 @@
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Ping timeout must be between 1...65535</ValidationMessage>
                 </pingtimeout>
+                    <StrictSubnets type="BooleanField">
+                        <default>0</default>
+                        <Required>N</Required>
+                    </StrictSubnets>
                 <privkey type="TextField">
                     <Required>Y</Required>
                 </privkey>

security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py

@@ -69,6 +69,7 @@ class Network(NetwConfObject):
         self._payload['debuglevel'] = 'd0'
         self._payload['mode'] = 'switch'
         self._payload['PMTUDiscovery'] = 'yes'
+        self._payload['StrictSubnets'] = 'no'
         self._hosts = list()
 
     def get_id(self):
@@ -99,6 +100,12 @@ class Network(NetwConfObject):
         else:
             self._payload['PMTUDiscovery'] = 'yes'
 
+    def set_StrictSubnets(self, value):
+        if value.text != '1':
+            self._payload['StrictSubnets'] = 'no'
+        else:
+            self._payload['StrictSubnets'] = 'yes'
+
     def config_text(self):
         result = list()
         result.append('AddressFamily=any')
@@ -106,6 +113,7 @@ class Network(NetwConfObject):
         result.append('PMTUDiscovery=%(PMTUDiscovery)s' % self._payload)
         result.append('Port=%(port)s' % self._payload)
         result.append('PingTimeout=%(pingtimeout)s' % self._payload)
+        result.append('StrictSubnets=%(StrictSubnets)s' % self._payload)
         for host in self._hosts:
             if host.connect_to_this_host():
                 result.append('ConnectTo = %s' % (host.get_hostname(),))

security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml

@@ -14,6 +14,7 @@
         <port>{{network.extport}}</port>
         <debuglevel>{{network.debuglevel}}</debuglevel>
         <pingtimeout>{{network.pingtimeout}}</pingtimeout>
+        <StrictSubnets>{{network.StrictSubnets}}</StrictSubnets>
         <hosts>
             <host>
                 <hostname>{{network.hostname}}</hostname>