From patchwork Fri Sep 11 01:59:16 2020
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 11 Sep 2020 13:59:16 +0200
Message-Id: <20200911115916.16117-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH] If IPv6 pool specification sets pool start to ::0 address, increment.

The first IPv6 address in a subnet is not usable (IPv6 anycast address),
but our pool code ignored this.

Instead of assigning an unusable address or erroring out, just log the
fact, and increment the pool start to ::1.

NOTE: this is a bit simplistic. A pool that is larger than /96 and has
non-0 bits in the "uppermost bits" will still get the increment as we
only look at the lowermost 32 bits.

NOTE2: if the pool is specified with "--server-ipv6 $base/$bits", this
is a non-issue, as the address for the pool start will be incremented
anyway.

Reported-by: NicolaF_ in Trac
Trac: #1282
Signed-off-by: Gert Doering
---
 doc/man-sections/server-options.rst | 3 ++-
 src/openvpn/pool.c | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index 2009953c..56ffff9a 100644
--- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -204,7 +204,8 @@ fast hardware. SSL/TLS authentication must be used in this mode. ifconfig-ipv6-pool ipv6addr/bits The pool starts at ``ipv6addr`` and matches the offset determined from - the start of the IPv4 pool. + the start of the IPv4 pool. If the host part of the given IPv6 + address is ``0``, the pool starts at ``ipv6addr`` +1. --ifconfig-pool-persist args Persist/unpersist ifconfig-pool data to ``file``, at ``seconds`` diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c index 1f74ac57..2814ff46 100644 --- a/src/openvpn/pool.c +++ b/src/openvpn/pool.c @@ -224,6 +224,21 @@ ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, } pool->ipv6.base = ipv6_base; + + /* if a pool starts at ::0, that first IPv6 address is not usable + * first clients (subnet anycast address). Start with 1, then. + * NOTE: this will also fire for something like + * ifconfig-ipv6-pool 2001:db8:0:1:1234::0/64 + * as we only look at the rightmost 32 bits. So be it... + */ + if (base == 0) + { + msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: incrementing pool start " + "to avoid ::0 assignment"); + base++; + pool->ipv6.base.s6_addr[15]++; + } + pool_ipv6_size = ipv6_netbits >= 112 ? (1 << (128 - ipv6_netbits)) - base : IFCONFIG_POOL_MAX;
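Review bot: The new sentence in the ``ifconfig-ipv6-pool`` entry of server-options.rst promises more than the code delivers: it says the start is moved when "the host part of the given IPv6 address is ``0``", but pool.c only tests the rightmost 32 bits (as the commit message's NOTE concedes), so ``2001:db8:0:1:1234::0/64`` gets the increment although its host part is not zero. Suggest wording the manual to match the implementation, e.g. "If the lowest 32 bits of ``ipv6addr`` are zero, the pool starts at ``ipv6addr`` + 1", and closing up "``ipv6addr`` +1" to "``ipv6addr`` + 1" so the spacing matches the rest of the section.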
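Review bot: The new comment in ifconfig_pool_init() has a dropped word, "that first IPv6 address is not usable first clients (subnet anycast address)"; presumably "is not usable for clients" was meant. On the logic, `if (base == 0)` only sees the rightmost 32 bits, which the comment documents, but the log line "incrementing pool start to avoid ::0 assignment" does not say which address triggered it, so an operator who configured 2001:db8:0:1:1234::0/64 cannot tell from the log that the shift was unnecessary; consider printing the configured base in the msg() call. The pair `base++; pool->ipv6.base.s6_addr[15]++;` is safe as written only because base == 0 implies s6_addr[15] == 0 (no carry possible) when base is derived from those rightmost 32 bits, as the comment says; a one-line comment stating that invariant would spare the next reader from re-deriving it. Finally, with the increment applied the `ipv6_netbits >= 112` branch of pool_ipv6_size still subtracts base, so the size shrinks by one as intended, but for ipv6_netbits == 128 it now becomes 0; if a /128 pool is not rejected earlier, that case deserves a check.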
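The check the commit message describes, carried out over the full host part of the prefix rather than only the rightmost 32 bits, as an added example in C. This is not OpenVPN's code and does not touch its pool structures; the functions ipv6_host_part_is_zero, ipv6_increment, low32_is_zero, pool_start_fixup, pool_start_equals, increment_equals and low32_fires are this example's own, and the addresses in main() are constructed inputs: the Trac #1282 shape, then the case from the commit message's NOTE where the patch fires although the host part is non-zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* 1 if every bit after the first `netbits` prefix bits is zero, i.e. the
 * address is the subnet-router anycast address (RFC 4291 2.6.1) of its
 * prefix; 0 otherwise, and 0 for a /128, which has no host part;
 * -1 if the prefix length is invalid. */
int ipv6_host_part_is_zero(const struct in6_addr *addr, int netbits)
{
    if (netbits < 0 || netbits > 128) return -1;
    if (netbits == 128) return 0;
    for (int bit = netbits; bit < 128; bit++) {
        /* bit 0 of each byte is its most significant bit in network order */
        if (addr->s6_addr[bit / 8] & (0x80 >> (bit % 8))) return 0;
    }
    return 1;
}

/* Add one to a 128-bit address, carrying across bytes.
 * Returns 0 normally, -1 if the address wrapped around to ::. */
int ipv6_increment(struct in6_addr *addr)
{
    for (int i = 15; i >= 0; i--) {
        if (++addr->s6_addr[i] != 0) return 0;
    }
    return -1;
}

/* The patch's criterion, kept here for comparison: only the rightmost 32 bits. */
int low32_is_zero(const struct in6_addr *addr)
{
    uint32_t low;
    memcpy(&low, &addr->s6_addr[12], sizeof low);
    return low == 0;
}

/* Parse `base_str`, move it past the anycast address if the whole host part
 * is zero, and write the result to `out`. Returns 1 if moved, 0 if kept,
 * -1 on a parse error, bad prefix length or wrap-around. */
int pool_start_fixup(const char *base_str, int netbits, char *out, size_t outlen)
{
    struct in6_addr a;
    int moved = 0, zero;
    if (inet_pton(AF_INET6, base_str, &a) != 1) return -1;
    zero = ipv6_host_part_is_zero(&a, netbits);
    if (zero < 0) return -1;
    if (zero == 1) {
        if (ipv6_increment(&a) != 0) return -1;
        moved = 1;
    }
    if (inet_ntop(AF_INET6, &a, out, outlen) == NULL) return -1;
    return moved;
}

/* 1 if the fixed-up pool start for base_str/netbits prints as `expect`. */
int pool_start_equals(const char *base_str, int netbits, const char *expect)
{
    char buf[INET6_ADDRSTRLEN];
    if (pool_start_fixup(base_str, netbits, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expect) == 0;
}

/* 1 if base_str + 1 prints as `expect`, 0 if not, -1 if it wrapped. */
int increment_equals(const char *base_str, const char *expect)
{
    struct in6_addr a;
    char buf[INET6_ADDRSTRLEN];
    if (inet_pton(AF_INET6, base_str, &a) != 1) return 0;
    if (ipv6_increment(&a) != 0) return -1;
    return inet_ntop(AF_INET6, &a, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

/* 1 if the patch's low-32-bit test would fire for this textual address. */
int low32_fires(const char *base_str)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, base_str, &a) != 1) return -1;
    return low32_is_zero(&a);
}

int main(void)
{
    /* constructed inputs, both with a /64: the Trac #1282 shape, then the
     * commit message's NOTE case (non-zero upper host bits, zero low 32) */
    const char *cases[] = { "2001:db8::", "2001:db8:0:1:1234::" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[INET6_ADDRSTRLEN];
        int r = pool_start_fixup(cases[i], 64, buf, sizeof buf);
        printf("%s/64 -> %s (full-host-part check: %s; low-32-bit check: %s)\n",
               cases[i], buf, r == 1 ? "moved" : "kept",
               low32_fires(cases[i]) == 1 ? "fires" : "silent");
    }
    return 0;
}
```

The full-host-part test moves 2001:db8::/64 to 2001:db8::1 exactly as the patch does, but leaves 2001:db8:0:1:1234::/64 alone, where the patch's 32-bit test would still fire. The increment carries across bytes so it also behaves for bases whose last byte is 0xff, which the patch's single `s6_addr[15]++` never has to handle because its condition guarantees that byte is zero.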