[Openvpn-devel,v6] ipv6-pool: get rid of size constraint

Message ID	20200608201613.23750-1-a@unstable.cc
State	Accepted
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> From: Antonio Quartulli <a@unstable.cc> To: openvpn-devel@lists.sourceforge.net Date: Mon, 8 Jun 2020 22:16:13 +0200 Message-Id: <20200608201613.23750-1-a@unstable.cc> In-Reply-To: <20200608154650.26475-1-a@unstable.cc> References: <20200608154650.26475-1-a@unstable.cc> MIME-Version: 1.0 NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: unstable.cc] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Subject: [Openvpn-devel] [PATCH v6] ipv6-pool: get rid of size constraint Precedence: list Cc: Antonio Quartulli <a@unstable.cc> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel,v6] ipv6-pool: get rid of size constraint \| expand [Openvpn-devel,v6] ipv6-pool: get rid of size constraint

Message ID

20200608201613.23750-1-a@unstable.cc

State

Accepted

Headers

From: Antonio Quartulli <a@unstable.cc>
To: openvpn-devel@lists.sourceforge.net
Date: Mon,  8 Jun 2020 22:16:13 +0200
Message-Id: <20200608201613.23750-1-a@unstable.cc>
In-Reply-To: <20200608154650.26475-1-a@unstable.cc>
References: <20200608154650.26475-1-a@unstable.cc>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v6] ipv6-pool: get rid of size constraint
Precedence: list
Cc: Antonio Quartulli <a@unstable.cc>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel,v6] ipv6-pool: get rid of size constraint | expand

Commit Message

Antonio Quartulli June 8, 2020, 10:16 a.m. UTC

Signed-off-by: Antonio Quartulli <a@unstable.cc>

---
Changes from v5:
- restyle base addr computation to avoid odd line wrapping

Changes from v4:
- make the base computation depending on the size of the pool:
	- large pools will still start at +0x1000 (backward compatible)
	- smaller pools will start at +2

 src/openvpn/helper.c  | 13 +++++++++----
 src/openvpn/options.c | 13 +++++++++----
 src/openvpn/pool.c    | 12 ++++++++++++
 3 files changed, 30 insertions(+), 8 deletions(-)

Comments

Gert Doering June 9, 2020, 4:01 a.m. UTC | #1

Acked-by: Gert Doering <gert@greenie.muc.de>

Stared-at-code and tested on the t_server machine.  And crashed.  But
that was not actually *this* patch's fault, but 6a8cd033b18's (fixed).

This code does what it says on the lid - loosen up the "/112 is the
minimum size" restriction on IPv6 pools, up to a /124 (which we can
*now* handle correctly, as we do actual size calculations and checks).

At the same time it introduces a minimum size sanity check - a pool
that has less than 2 free addresses left (::ffff/124) will error out.

(Which is not working right now, because the IPv6 pool size calculation
is not correct yet for small pools - but that will be fixed with the next 
commit)

Your patch has been applied to the master branch.

commit 1379e5271d0057fcaed82d6985e614ca2ed8c265
Author: Antonio Quartulli
Date:   Mon Jun 8 22:16:13 2020 +0200

     ipv6-pool: get rid of size constraint

     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200608201613.23750-1-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20005.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 277e6972..fbfc287f 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -198,12 +198,17 @@  helper_client_server(struct options *o)
             print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc );
         o->ifconfig_ipv6_netbits = o->server_netbits_ipv6;
 
-        /* pool starts at "base address + 0x1000" - leave enough room */
-        ASSERT( o->server_netbits_ipv6 <= 112 );        /* want 16 bits */
+        /* basic sanity check */
+        ASSERT(o->server_netbits_ipv6 >= 64 && o->server_netbits_ipv6 <= 124);
 
         o->ifconfig_ipv6_pool_defined = true;
-        o->ifconfig_ipv6_pool_base =
-            add_in6_addr( o->server_network_ipv6, 0x1000 );
+        /* For large enough pools we keep the original behaviour of adding
+         * 0x1000 when computing the base.
+         *
+         * Smaller pools can't get that far, therefore we just increase by 2
+         */
+        o->ifconfig_ipv6_pool_base = add_in6_addr(o->server_network_ipv6,
+                                                  o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
         o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
 
         push_option( o, "tun-ipv6", M_USAGE );
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 018f6f18..9d3a8dfe 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6718,9 +6718,12 @@  add_option(struct options *options,
             msg(msglevel, "error parsing --server-ipv6 parameter");
             goto err;
         }
-        if (netbits < 64 || netbits > 112)
+        if (netbits < 64 || netbits > 124)
         {
-            msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits );
+            msg(msglevel,
+                "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
+                netbits);
+
             goto err;
         }
         options->server_ipv6_defined = true;
@@ -6840,9 +6843,11 @@  add_option(struct options *options,
             msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
             goto err;
         }
-        if (netbits < 64 || netbits > 112)
+        if (netbits < 64 || netbits > 124)
         {
-            msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits );
+            msg(msglevel,
+                "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
+                netbits);
             goto err;
         }
 
diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index 4e303712..29667623 100644
--- a/src/openvpn/pool.c
+++ b/src/openvpn/pool.c
@@ -207,6 +207,12 @@  ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start,
                 ASSERT(0);
         }
 
+        if (pool->ipv4.size < 2)
+        {
+            msg(M_FATAL, "IPv4 pool size is too small (%d), must be at least 2",
+                pool->ipv4.size);
+        }
+
         msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv4: base=%s size=%d",
             print_in_addr_t(pool->ipv4.base, 0, &gc), pool->ipv4.size);
     }
@@ -245,6 +251,12 @@  ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start,
                           ? (1 << (128 - ipv6_netbits)) - base
                           : IFCONFIG_POOL_MAX;
 
+        if (pool->ipv6.size < 2)
+        {
+            msg(M_FATAL, "IPv6 pool size is too small (%d), must be at least 2",
+                pool->ipv6.size);
+        }
+
         msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: base=%s size=%d netbits=%d",
             print_in6_addr(pool->ipv6.base, 0, &gc), pool->ipv6.size,
             ipv6_netbits);

[Openvpn-devel,v6] ipv6-pool: get rid of size constraint

Commit Message

Comments

Patch