[Openvpn-devel,v6] ipv6-pool: get rid of size constraint

Message ID 20200608201613.23750-1-a@unstable.cc
State Accepted
Headers show
Series
  • [Openvpn-devel,v6] ipv6-pool: get rid of size constraint
Related show

Commit Message

Antonio Quartulli June 8, 2020, 8:16 p.m.
Signed-off-by: Antonio Quartulli <a@unstable.cc>

---
Changes from v5:
- restyle base addr computation to avoid odd line wrapping

Changes from v4:
- make the base computation depending on the size of the pool:
	- large pools will still start at +0x1000 (backward compatible)
	- smaller pools will start at +2

 src/openvpn/helper.c  | 13 +++++++++----
 src/openvpn/options.c | 13 +++++++++----
 src/openvpn/pool.c    | 12 ++++++++++++
 3 files changed, 30 insertions(+), 8 deletions(-)

Comments

Gert Doering June 9, 2020, 2:01 p.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Stared-at-code and tested on the t_server machine.  And crashed.  But
that was not actually *this* patch's fault, but 6a8cd033b18's (fixed).

This code does what it says on the lid - loosen up the "/112 is the
minimum size" restriction on IPv6 pools, up to a /124 (which we can
*now* handle correctly, as we do actual size calculations and checks).

At the same time it introduces a minimum size sanity check - a pool
that has less than 2 free addresses left (::ffff/124) will error out.

(Which is not working right now, because the IPv6 pool size calculation
is not correct yet for small pools - but that will be fixed with the next 
commit)

Your patch has been applied to the master branch.

commit 1379e5271d0057fcaed82d6985e614ca2ed8c265
Author: Antonio Quartulli
Date:   Mon Jun 8 22:16:13 2020 +0200

     ipv6-pool: get rid of size constraint

     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200608201613.23750-1-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20005.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 277e6972..fbfc287f 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -198,12 +198,17 @@  helper_client_server(struct options *o)
             print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc );
         o->ifconfig_ipv6_netbits = o->server_netbits_ipv6;
 
-        /* pool starts at "base address + 0x1000" - leave enough room */
-        ASSERT( o->server_netbits_ipv6 <= 112 );        /* want 16 bits */
+        /* basic sanity check */
+        ASSERT(o->server_netbits_ipv6 >= 64 && o->server_netbits_ipv6 <= 124);
 
         o->ifconfig_ipv6_pool_defined = true;
-        o->ifconfig_ipv6_pool_base =
-            add_in6_addr( o->server_network_ipv6, 0x1000 );
+        /* For large enough pools we keep the original behaviour of adding
+         * 0x1000 when computing the base.
+         *
+         * Smaller pools can't get that far, therefore we just increase by 2
+         */
+        o->ifconfig_ipv6_pool_base = add_in6_addr(o->server_network_ipv6,
+                                                  o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
         o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
 
         push_option( o, "tun-ipv6", M_USAGE );
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 018f6f18..9d3a8dfe 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6718,9 +6718,12 @@  add_option(struct options *options,
             msg(msglevel, "error parsing --server-ipv6 parameter");
             goto err;
         }
-        if (netbits < 64 || netbits > 112)
+        if (netbits < 64 || netbits > 124)
         {
-            msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits );
+            msg(msglevel,
+                "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
+                netbits);
+
             goto err;
         }
         options->server_ipv6_defined = true;
@@ -6840,9 +6843,11 @@  add_option(struct options *options,
             msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
             goto err;
         }
-        if (netbits < 64 || netbits > 112)
+        if (netbits < 64 || netbits > 124)
         {
-            msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits );
+            msg(msglevel,
+                "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
+                netbits);
             goto err;
         }
 
diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index 4e303712..29667623 100644
--- a/src/openvpn/pool.c
+++ b/src/openvpn/pool.c
@@ -207,6 +207,12 @@  ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start,
                 ASSERT(0);
         }
 
+        if (pool->ipv4.size < 2)
+        {
+            msg(M_FATAL, "IPv4 pool size is too small (%d), must be at least 2",
+                pool->ipv4.size);
+        }
+
         msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv4: base=%s size=%d",
             print_in_addr_t(pool->ipv4.base, 0, &gc), pool->ipv4.size);
     }
@@ -245,6 +251,12 @@  ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start,
                           ? (1 << (128 - ipv6_netbits)) - base
                           : IFCONFIG_POOL_MAX;
 
+        if (pool->ipv6.size < 2)
+        {
+            msg(M_FATAL, "IPv6 pool size is too small (%d), must be at least 2",
+                pool->ipv6.size);
+        }
+
         msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: base=%s size=%d netbits=%d",
             print_in6_addr(pool->ipv6.base, 0, &gc), pool->ipv6.size,
             ipv6_netbits);