From patchwork Sat Dec 2 03:09:02 2017
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 115
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 2 Dec 2017 22:09:02 +0800
Message-Id: <20171202140902.19292-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v2] Allow learning iroutes with network made up of all 0s (only if netbits < 8)
Cc: Antonio Quartulli

It is plausible for a user to be willing to add a route for a network made up of all 0s via a VPN client (i.e. 0.0.0.0/1), therefore such an iroute should be supported.

As of now the option parsing code will accept such an iroute, but the learning routine will (silently) reject it after a sanity check. Such check prevents routes with a network made up of all 0s from being learnt at all.

Change the sanity check so that it will reject iroutes to a network made up of 0s only when netbits is greater than 7. The reason for choosing 7 is that anything within 0.0.0.0/8 is not really routable among networks.

While at it, make the sanity check louder so that it can print the reason why a route is being rejected.

Trac: #726
Signed-off-by: Antonio Quartulli
---
v2:
- rebased on top of latest master

 src/openvpn/mroute.c | 37 +++++++++++++++++++++++++++++++------
 src/openvpn/mroute.h | 3 ++-
 src/openvpn/multi.c | 9 ++++-----
 3 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c
index 74ee360c..b92df74b 100644
--- a/src/openvpn/mroute.c 
+++ b/src/openvpn/mroute.c @@ -65,25 +65,50 @@ is_mac_mcast_maddr(const struct mroute_addr *addr) * Don't learn certain addresses. */ bool -mroute_learnable_address(const struct mroute_addr *addr) +mroute_learnable_address(const struct mroute_addr *addr, int msglevel, + struct gc_arena *gc) { int i; - bool not_all_zeros = false; - bool not_all_ones = false; + bool all_zeros = true; + bool all_ones = true; for (i = 0; i < addr->len; ++i) { int b = addr->raw_addr[i]; if (b != 0x00) { - not_all_zeros = true; + all_zeros = false; } if (b != 0xFF) { - not_all_ones = true; + all_ones = false; } } - return not_all_zeros && not_all_ones && !is_mac_mcast_maddr(addr); + + /* only networkss shorter than 8 bits are allowed to be all 0s. */ + if (all_zeros + && !((addr->type & MR_WITH_NETBITS) && (addr->netbits < 8))) + { + msg(msglevel, "Can't learn %s: network is all 0s, but netbits >= 8", + mroute_addr_print(addr, gc)); + return false; + } + + if (all_ones) + { + msg(msglevel, "Can't learn %s: network is all 1s", + mroute_addr_print(addr, gc)); + return false; + } + + if (is_mac_mcast_maddr(addr)) + { + msg(msglevel, "Can't learn %s: network is a multicast address", + mroute_addr_print(addr, gc)); + return false; + } + + return true; } static inline void diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index 35361fbd..26421f88 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h @@ -141,7 +141,8 @@ bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port); -bool mroute_learnable_address(const struct mroute_addr *addr); +bool mroute_learnable_address(const struct mroute_addr *addr, int msglevel, + struct gc_arena *gc); uint32_t mroute_addr_hash_function(const void *key, uint32_t iv); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 82a0b9d9..755f812c 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -1074,6 +1074,7 @@ multi_learn_addr(struct multi_context *m, struct hash_bucket *bucket = hash_bucket(m->vhash, hv); struct multi_route *oldroute = NULL; struct multi_instance *owner = NULL; + struct gc_arena gc = gc_new(); /* if route currently exists, get the instance which owns it */ he = hash_lookup_fast(m->vhash, bucket, addr, hv); @@ -1087,11 +1088,10 @@ multi_learn_addr(struct multi_context *m, } /* do we need to add address to hash table? */ - if ((!owner || owner != mi) - && mroute_learnable_address(addr) + if ((!owner || owner != mi) && mroute_learnable_address(addr, D_MULTI_LOW, + &gc) && !mroute_addr_equal(addr, &m->local)) { - struct gc_arena gc = gc_new(); struct multi_route *newroute; bool learn_succeeded = false; @@ -1148,9 +1148,8 @@ multi_learn_addr(struct multi_context *m, { free(newroute); } - - gc_free(&gc); } + gc_free(&gc); return owner; }
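Review bot: in the mroute.c hunk, the condition `addr->netbits < 8` also admits netbits == 0, so an all-zeros address carrying a /0 mask would now pass the sanity check as well; the commit message motivates the change with 0.0.0.0/1, so please either state in the comment that /0 is intentionally accepted or tighten the test to `addr->netbits > 0 && addr->netbits < 8`. Two smaller points in the same hunk: the new comment reads "networkss", and the third message says "network is a multicast address" while the check is is_mac_mcast_maddr(), so "MAC multicast address" would describe the rejection more precisely.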
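Review bot: the mroute.h hunk changes a public prototype without documenting the two new parameters; a short comment stating that msglevel selects the log level of the rejection reason and that gc is only used by mroute_addr_print() on the failure paths would help callers, since nothing in the header says the arena is untouched when the address is learnable.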
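Review bot: in the first multi.c hunk, `gc` is now created at the top of multi_learn_addr() for every call, including the common path where the route already exists and is owned by mi; gc_new() is cheap, but the arena must now be freed on every return path of the function rather than only in the learn branch. The last hunk frees it just before `return owner;`, which covers the path shown; please confirm there is no other return between the two hunks that would now leak the arena.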
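Review bot: in the second multi.c hunk the wrapped call `mroute_learnable_address(addr, D_MULTI_LOW,` / `&gc)` splits an argument list across two lines while the `&&` stays at the end of the previous line; the removed lines put each `&&` at the start of a continuation line, so keeping the call whole and breaking before the operator (`&& mroute_learnable_address(addr, D_MULTI_LOW, &gc)`) would match the surrounding style. It would also be worth noting in the commit message which --verb level D_MULTI_LOW corresponds to, since that determines whether the new rejection reason is visible at the default verbosity.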