From patchwork Mon Jun 27 22:20:24 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2560
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 28 Jun 2022 10:20:24 +0200
Message-Id: <20220628082024.19059-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v2] do not push route-ipv6 entries that are also in the iroute-ipv6 list
Cc: Gert Doering, Antonio Quartulli

A server should push a route to a client only if there is no matching iroute for the same client. While this logic works fine for IPv4, there is no IPv6 counterpart.

Implement the same check for IPv6 routes and discard matching ones from the push list.

Trac: #354
Cc: Gert Doering
Signed-off-by: Antonio Quartulli --- Changes from v1: * add "&& o->iroutes{,_ipv6}" check before attempting to traverse iroutes list. This way we avoid executing getaddr or get_ipv6_addr if we already know that we have no iroutes to compare to. src/openvpn/push.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 63257348..e5b588bb 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -1002,7 +1002,7 @@ process_incoming_push_msg(struct context *c, void remove_iroutes_from_push_route_list(struct options *o) { - if (o && o->push_list.head && o->iroutes) + if (o && o->push_list.head && (o->iroutes || o->iroutes_ipv6)) { struct gc_arena gc = gc_new(); struct push_entry *e = o->push_list.head; @@ -1019,7 +1019,7 @@ remove_iroutes_from_push_route_list(struct options *o) && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) { /* is the push item a route directive? */ - if (p[0] && !strcmp(p[0], "route") && !p[3]) + if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes) { /* get route parameters */ bool status1, status2; @@ -1042,6 +1042,30 @@ remove_iroutes_from_push_route_list(struct options *o) } } } + else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2] + && o->iroutes_ipv6) + { + /* get route parameters */ + struct in6_addr network; + unsigned int netbits; + + /* parse route-ipv6 arguments */ + if (get_ipv6_addr(p[1], &network, &netbits, D_ROUTE_DEBUG)) + { + struct iroute_ipv6 *ir; + + /* does this route-ipv6 match an iroute-ipv6? */ + for (ir = o->iroutes_ipv6; ir != NULL; ir = ir->next) + { + if (!memcmp(&network, &ir->network, sizeof(network)) + && netbits == ir->netbits) + { + enable = false; + break; + } + } + } + } /* should we copy the push item? */ e->enable = enable;
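Review bot: in the new `route-ipv6` branch the match is a byte-for-byte `memcmp(&network, &ir->network, sizeof(network))` plus an exact `netbits == ir->netbits` compare, so a pushed `route-ipv6` whose prefix string still carries host bits (say `2001:db8::1/64`, a constructed example) would not be recognised as matching an `iroute-ipv6 2001:db8::/64` unless `get_ipv6_addr()` already clears the host bits before returning; please either confirm that it does or mask `network` down to `netbits` before entering the `for (ir = o->iroutes_ipv6; ...)` loop, since a silent non-match here means the server keeps pushing a route that the client's own iroute should have suppressed. A one-line comment on the `!p[2]` condition (only entries without a gateway argument are considered, mirroring the `!p[3]` check on the IPv4 `route` branch above) would also spare the next reader from having to work out why the two branches index `p` differently.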