diff options
| author | Gert Doering | 2022-08-20 16:01:24 +0200 |
|---|---|---|
| committer | Gert Doering | 2022-08-25 22:50:32 +0200 |
| commit | 104e4ef1e3d49cccb3bc677bab9c24158f91b97b (patch) | |
| tree | c5483385514b0daef676d752596a5a6af3f5f95e /src/openvpn/multi.c | |
| parent | 7286a7e1a23146607ce94841afae8b1f4b75859e (diff) | |
| download | openvpn-104e4ef1e3d49cccb3bc677bab9c24158f91b97b.zip openvpn-104e4ef1e3d49cccb3bc677bab9c24158f91b97b.tar.gz | |
DCO: require valid netbits setting for non-primary iroutes.
The existing DCO code had extra logic for "if this is not
MR_WITH_NETBITS, set 32/128 as address length", but only for
iroute addition. For iroute deletion, this was missing, and
subsequently iroute deletion for IPv4 host routes failed on
FreeBSD DCO (commit 3433577a99).
Iroute handling differenciates between "primary" iroutes (coming
from anm IP pool or ccd/ifconfig-push), and "non-primary" iroutes,
coming from --iroute and --iroute-ipv6 statements in per-client config.
"Primary" iroutes always use "-1" for their netbits, but since these
are not installed via DCO, this is of no concern here. Whether these
can and should be changed needs further study on internal route
learning and cleanup.
Refactor options.c and multi.c to ensure that netbits is always set
for non-primary iroutes - and ASSERT() on this in the DCO path, so we can
find out if there might be other code violating this.
Change options.c::option_iroute() to always set netbits=32 for IPv4
host routes (options_iroute_ipv6() never differenciated). Since
netmask_to_netbits() also insists on "-1" for host routes, change
to netmask_to_netbits2().
Remove all the extra MR_WITH_NETBITS logic from dco.c, where it should
have never appeared.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220820140124.11325-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25044.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/multi.c')
| -rw-r--r-- | src/openvpn/multi.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 9541442..b58bea7 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1241,6 +1241,7 @@ multi_learn_in_addr_t(struct multi_context *m, /* "primary" is the VPN ifconfig address of the peer and already * known to DCO, so only install "extra" iroutes (primary = false) */ + ASSERT(netbits >= 0); /* DCO requires populated netbits */ dco_install_iroute(m, mi, &addr); } @@ -1280,6 +1281,7 @@ multi_learn_in6_addr(struct multi_context *m, /* "primary" is the VPN ifconfig address of the peer and already * known to DCO, so only install "extra" iroutes (primary = false) */ + ASSERT(netbits >= 0); /* DCO requires populated netbits */ dco_install_iroute(m, mi, &addr); } |