diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
index 1b2087b94..2545c3730 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
@@ -32,6 +32,15 @@
If the other end doesn't respond within this time, the connection is terminated, and the others will be notified of this.
+
+ network.StrictSubnets
+
+ checkbox
+ When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/netname/hosts/ directory.
+ Subnets learned via connections to other nodes and which are not present in the local host config files are ignored.
+
+ true
+ network.cipher
diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index f3aa3805c..91e71145a 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -60,6 +60,10 @@
65535Ping timeout must be between 1...65535
+
+ 0
+ N
+ Y
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index d35db341a..bd913af8d 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -69,6 +69,7 @@ class Network(NetwConfObject):
self._payload['debuglevel'] = 'd0'
self._payload['mode'] = 'switch'
self._payload['PMTUDiscovery'] = 'yes'
+ self._payload['StrictSubnets'] = 'no'
self._hosts = list()
def get_id(self):
@@ -99,6 +100,12 @@ class Network(NetwConfObject):
else:
self._payload['PMTUDiscovery'] = 'yes'
+ def set_StrictSubnets(self, value):
+ if value.text != '1':
+ self._payload['StrictSubnets'] = 'no'
+ else:
+ self._payload['StrictSubnets'] = 'yes'
+
def config_text(self):
result = list()
result.append('AddressFamily=any')
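Review bot: `set_StrictSubnets` has no docstring, so its contract — it reads `value.text`, treats anything other than `'1'` (including an empty element, where `.text` is `None`) as disabled, and writes tinc's `'yes'`/`'no'` into `_payload['StrictSubnets']` — is only discoverable by reading the branches; a one-liner such as `"""Map the model's boolean StrictSubnets flag ('1' = on) to tinc's yes/no setting; anything else disables it."""` would fix that. As a point of style the four-line if/else collapses to `self._payload['StrictSubnets'] = 'yes' if value.text == '1' else 'no'`, though mirroring the branch form of the adjacent PMTUDiscovery setter is a defensible choice for consistency. The constructor default `'no'` added in the earlier hunk (line 69) is what applies whenever the config has no StrictSubnets element and this setter is never invoked, so it needs to stay in step with the model's default of 0; a short comment on that default line noting the coupling would help the next maintainer. The dispatch that calls `set_<field>` methods is outside the hunk, so how `value` is supplied is inferred here.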
@@ -106,6 +113,7 @@ class Network(NetwConfObject):
result.append('PMTUDiscovery=%(PMTUDiscovery)s' % self._payload)
result.append('Port=%(port)s' % self._payload)
result.append('PingTimeout=%(pingtimeout)s' % self._payload)
+ result.append('StrictSubnets=%(StrictSubnets)s' % self._payload)
for host in self._hosts:
if host.connect_to_this_host():
result.append('ConnectTo = %s' % (host.get_hostname(),))
diff --git a/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml b/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
index 746cf3ece..f8120fca1 100644
--- a/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
+++ b/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
@@ -14,6 +14,7 @@
{{network.extport}}{{network.debuglevel}}{{network.pingtimeout}}
+ {{network.StrictSubnets}}{{network.hostname}}