From patchwork Wed Dec 6 04:43:56 2017
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 137
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 6 Dec 2017 23:43:56 +0800
Message-Id: <20171206154356.30764-1-a@unstable.cc>
In-Reply-To: <20171202140902.19292-1-a@unstable.cc>
References: <20171202140902.19292-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v3] Allow learning iroutes with network made up of all 0s (only if netbits < 8)
Cc: Antonio Quartulli

It is plausible for a user to be willing to add a route for a network made up of all 0s via a VPN client (i.e. 0.0.0.0/1), therefore such an iroute should be supported.

As of now the option parsing code will accept such an iroute, but the learning routine will (silently) reject it after a sanity check. Such a check prevents routes with a network made up of all 0s from being learnt at all.

Change the sanity check so that it will reject iroutes to networks made up of 0s only when netbits is greater than 7. The reason for choosing 7 is that anything within 0.0.0.0/8 is not really routable among networks.

While at it, make the sanity check louder so that it can print the reason why a route is being rejected.

Trac: #726
Signed-off-by: Antonio Quartulli
---
v3:
- rebased on top of master
- removed msglevel argument as per David's suggestion

v2:
- rebased on top of master

src/openvpn/mroute.c | 36 ++++++++++++++++++++++++++++++------ src/openvpn/mroute.h | 3 ++- src/openvpn/multi.c | 8 +++----- 3 files changed, 35 insertions(+), 12 deletions(-) diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 74ee360c..bf174ad4 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -65,25 +65,49 @@ is_mac_mcast_maddr(const struct mroute_addr *addr) * Don't learn certain addresses. */ bool -mroute_learnable_address(const struct mroute_addr *addr) +mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc) { int i; - bool not_all_zeros = false; - bool not_all_ones = false; + bool all_zeros = true; + bool all_ones = true; for (i = 0; i < addr->len; ++i) { int b = addr->raw_addr[i]; if (b != 0x00) { - not_all_zeros = true; + all_zeros = false; } if (b != 0xFF) { - not_all_ones = true; + all_ones = false; } } - return not_all_zeros && not_all_ones && !is_mac_mcast_maddr(addr); + + /* only networkss shorter than 8 bits are allowed to be all 0s. */ + if (all_zeros + && !((addr->type & MR_WITH_NETBITS) && (addr->netbits < 8))) + { + msg(D_MULTI_LOW, "Can't learn %s: network is all 0s, but netbits >= 8", + mroute_addr_print(addr, gc)); + return false; + } + + if (all_ones) + { + msg(D_MULTI_LOW, "Can't learn %s: network is all 1s", + mroute_addr_print(addr, gc)); + return false; + } + + if (is_mac_mcast_maddr(addr)) + { + msg(D_MULTI_LOW, "Can't learn %s: network is a multicast address", + mroute_addr_print(addr, gc)); + return false; + } + + return true; } static inline void diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index 35361fbd..6a85b0e2 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h 
@@ -141,7 +141,8 @@ bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port); -bool mroute_learnable_address(const struct mroute_addr *addr); +bool mroute_learnable_address(const struct mroute_addr *addr, + struct gc_arena *gc); uint32_t mroute_addr_hash_function(const void *key, uint32_t iv); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 82a0b9d9..25b2d097 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1074,6 +1074,7 @@ multi_learn_addr(struct multi_context *m, struct hash_bucket *bucket = hash_bucket(m->vhash, hv); struct multi_route *oldroute = NULL; struct multi_instance *owner = NULL; + struct gc_arena gc = gc_new(); /* if route currently exists, get the instance which owns it */ he = hash_lookup_fast(m->vhash, bucket, addr, hv); @@ -1087,11 +1088,9 @@ multi_learn_addr(struct multi_context *m, } /* do we need to add address to hash table? */ - if ((!owner || owner != mi) - && mroute_learnable_address(addr) + if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc) && !mroute_addr_equal(addr, &m->local)) { - struct gc_arena gc = gc_new(); struct multi_route *newroute; bool learn_succeeded = false; @@ -1148,9 +1147,8 @@ multi_learn_addr(struct multi_context *m, { free(newroute); } - - gc_free(&gc); } + gc_free(&gc); return owner; }
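Review bot: the relaxed all-zeros branch in the mroute.c hunk (`if (all_zeros && !((addr->type & MR_WITH_NETBITS) && (addr->netbits < 8)))`) keys only on the presence of netbits and their value, not on the address family, so the "anything within 0.0.0.0/8 is not really routable" rationale from the commit message is silently extended to IPv6 as well (an all-zeros address with netbits 0 through 7 passes regardless of addr->len). If that is intended, say so in the comment; otherwise gate the exception on the IPv4 type too. The new comment also has a typo, `/* only networkss shorter than 8 bits are allowed to be all 0s. */`: "networkss" should be "networks", and since the condition tests the prefix length, "only prefixes shorter than 8 bits" would describe it more precisely. Minor: the third message says "network is a multicast address" while is_mac_mcast_maddr() is testing a MAC destination, not a network; "address is a multicast MAC" would match the check.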
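Review bot: in the multi.c hunks the gc_arena is hoisted from the learn branch to the top of multi_learn_addr() (`+ struct gc_arena gc = gc_new();`) and released only at the end (`+ gc_free(&gc);`), so every call now brackets the whole function with gc_new()/gc_free(), including the early case where the route already belongs to mi and mroute_learnable_address() is never evaluated. The arena is only needed so that mroute_addr_print() can format the diagnostic on rejection; consider creating it just before the learnable check to keep the original narrow scope, or add a one-line comment explaining why it was widened. Also worth a note in the commit message: the rejection is now logged at D_MULTI_LOW, so a misconfigured iroute that trips the check is still invisible unless that debug level is enabled.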
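To make the boundary the patch moves concrete, here is an added, stand-alone C example that is not OpenVPN's code. It reimplements the post-patch learnability check over a simplified stand-in for struct mroute_addr (the field names, the MR_WITH_NETBITS value and the helper names are this example's own assumptions) and runs it over constructed inputs on both sides of the netbits < 8 line, plus the all-ones and MAC multicast cases the same routine rejects.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-in for OpenVPN's struct mroute_addr. The field
 * names and the MR_WITH_NETBITS value are this example's own, not the project's. */
#define MR_WITH_NETBITS 0x10

struct addr {
    unsigned type;     /* MR_WITH_NETBITS is set when netbits is meaningful */
    int len;           /* 4 for IPv4, 6 for a MAC, 16 for IPv6 */
    int netbits;       /* prefix length, only valid with MR_WITH_NETBITS */
    uint8_t raw[16];   /* network-order address bytes, raw[0..len-1] used */
};

enum learn_result {
    LEARN_OK = 0,
    REJECT_ALL_ZEROS,  /* all-zeros address without a prefix shorter than 8 bits */
    REJECT_ALL_ONES,   /* all-0xFF (broadcast-style) address */
    REJECT_MAC_MCAST   /* Ethernet multicast MAC */
};

/* Same test as OpenVPN's is_mac_mcast_maddr(): I/G bit of the first octet. */
static bool mac_is_multicast(const struct addr *a)
{
    return a->len == 6 && (a->raw[0] & 0x01) != 0;
}

/* Learnability check with the patch's semantics: an all-zeros network is
 * accepted only when it carries a prefix length shorter than 8 bits. */
enum learn_result learnable(const struct addr *a)
{
    bool all_zeros = true, all_ones = true;
    for (int i = 0; i < a->len; ++i) {
        if (a->raw[i] != 0x00) all_zeros = false;
        if (a->raw[i] != 0xFF) all_ones = false;
    }
    if (all_zeros && !((a->type & MR_WITH_NETBITS) && a->netbits < 8)) {
        return REJECT_ALL_ZEROS;
    }
    if (all_ones) {
        return REJECT_ALL_ONES;
    }
    if (mac_is_multicast(a)) {
        return REJECT_MAC_MCAST;
    }
    return LEARN_OK;
}

const char *learn_result_str(enum learn_result r)
{
    switch (r) {
    case LEARN_OK:         return "learned";
    case REJECT_ALL_ZEROS: return "rejected: network is all 0s, but netbits >= 8";
    case REJECT_ALL_ONES:  return "rejected: network is all 1s";
    case REJECT_MAC_MCAST: return "rejected: multicast MAC";
    }
    return "?";
}

/* Build an IPv4 entry from dotted-quad text. netbits < 0 models a host
 * address learned from a packet (no MR_WITH_NETBITS); netbits >= 0 models an
 * iroute-style prefix such as 0.0.0.0/1. */
struct addr ipv4_addr(const char *dotted, int netbits)
{
    struct addr a;
    unsigned o[4] = {0, 0, 0, 0};
    memset(&a, 0, sizeof a);
    sscanf(dotted, "%u.%u.%u.%u", &o[0], &o[1], &o[2], &o[3]);
    a.len = 4;
    for (int i = 0; i < 4; ++i) {
        a.raw[i] = (uint8_t)o[i];
    }
    if (netbits >= 0) {
        a.type |= MR_WITH_NETBITS;
        a.netbits = netbits;
    }
    return a;
}

enum learn_result learnable_ipv4(const char *dotted, int netbits)
{
    struct addr a = ipv4_addr(dotted, netbits);
    return learnable(&a);
}

/* TAP mode: a 6-byte MAC, which never carries netbits. */
enum learn_result learnable_mac(const uint8_t mac[6])
{
    struct addr a;
    memset(&a, 0, sizeof a);
    a.len = 6;
    memcpy(a.raw, mac, 6);
    return learnable(&a);
}

int main(void)
{
    /* Constructed sample inputs straddling the boundary the patch moves. */
    const struct { const char *net; int bits; } v4[] = {
        {"0.0.0.0", 1}, {"0.0.0.0", 7}, {"0.0.0.0", 8}, {"0.0.0.0", -1},
        {"10.8.0.0", 24}, {"255.255.255.255", -1},
    };
    for (size_t i = 0; i < sizeof v4 / sizeof v4[0]; ++i) {
        printf("%-16s netbits=%-3d -> %s\n", v4[i].net, v4[i].bits,
               learn_result_str(learnable_ipv4(v4[i].net, v4[i].bits)));
    }
    const uint8_t mcast[6] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb};
    printf("01:00:5e:00:00:fb            -> %s\n",
           learn_result_str(learnable_mac(mcast)));
    return 0;
}
```

Note that 0.0.0.0/7 is the last prefix accepted and 0.0.0.0/8 the first rejected, matching "netbits greater than 7" in the commit message, and that an all-zeros host address with no netbits (the packet-learned case) is still rejected as before the patch.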