Peter Rabbitson wrote:
> James Yonan wrote:
> >
> > Peter Rabbitson wrote:
> > > James Yonan wrote:
> > > > Peter Rabbitson wrote:
> > > > > Eventually the best way to deal with this is to test for
> > > > > ip_addr_dotted_quad_safe and is_special_addr, and then attempt a dns
> > > > > lookup on the string supplied for route. If anything comes back - use
> > > > > the result as the routed IPs. Otherwise warn and carry on. This would
> > > > > also fix this long-outstanding (not mine) wishlist:
> > > > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=237251
> > > > I agree that this should be fixed, probably via a --route-fqdn-pull
> > > > option (as suggested) on the client to permit DNS lookups on option
> > > > parameters that previously allowed them.
> > >
> > > I think if you go with my second suggestion (above) the option becomes
> > > redundant. You can attempt a DNS lookup with pretty much anything (as
> > > far as string goes), and if nothing comes back - well nothing comes back.
> > >
> > > In any case, I'm glad this didn't fall off the radar.
> > >
> > > Thank you for the excellent software!
> > This fix has been committed and will be released in 2.1-rc10.
> >
> > ------------------------------------------------------------------------
> > r3307 | james | 2008-09-04 14:35:09 -0600 (Thu, 04 Sep 2008) | 7 lines
> > Changed paths:
> >    M /branches/BETA21/openvpn/openvpn.8
> >    M /branches/BETA21/openvpn/options.c
> >    M /branches/BETA21/openvpn/options.h
> >    M /branches/BETA21/openvpn/socket.c
> >    M /branches/BETA21/openvpn/socket.h
> >
> > Added --allow-pull-fqdn option which allows client to pull DNS names
> > from server (rather than only IP address) for --ifconfig, --route, and
> > --route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
> > for these options to be pulled and translated to IP addresses by
> > default. Now --allow-pull-fqdn will be explicitly required on the client
> > to enable DNS-name to IP-address translation of pulled options.
> >
> > ------------------------------------------------------------------------
> >
> > James
>
> Also while we are at it, do you have any considerations of retrofitting
> getaddr() (socket.c) to support
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=237251 ? It would be
> very beneficial, and would take you closer to IPv6 too (as you'd use the
> new getaddrinfo() instead).

It's an interesting idea -- I'd certainly consider it if someone submitted a patch.

James
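The policy the thread converges on (check for a literal dotted quad or a special keyword first, and only then consider a DNS lookup, gated on the client by --allow-pull-fqdn) and the later suggestion of using getaddrinfo() in place of getaddr() can be shown in one small function. The following is an added example written for this thread, not OpenVPN's own code: the function names ip_addr_dotted_quad_safe and is_special_addr are borrowed from the discussion, but their bodies here are assumptions (the special keywords vpn_gateway, net_gateway and remote_host are OpenVPN's route keywords; the return codes and the warning text are invented for the example). The security-relevant point is that a pulled option value originates from the server, so resolving it on the client is something the client opts into rather than gets by default.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Outcome of handling one pulled option argument (example code, not OpenVPN's). */
typedef enum {
    PULL_ADDR_OK,        /* out holds a dotted-quad IPv4 address */
    PULL_ADDR_SPECIAL,   /* special keyword: substituted locally, never resolved */
    PULL_ADDR_REFUSED,   /* not an IP literal and --allow-pull-fqdn is off */
    PULL_ADDR_NOTFOUND   /* lookup was allowed but the resolver returned nothing */
} pull_addr_status;

/* Assumed stand-in for is_special_addr(): keywords the client expands itself. */
static bool is_special_addr(const char *s)
{
    return strcmp(s, "vpn_gateway") == 0 ||
           strcmp(s, "net_gateway") == 0 ||
           strcmp(s, "remote_host") == 0;
}

/* Assumed stand-in for ip_addr_dotted_quad_safe(): accept only a literal a.b.c.d. */
static bool ip_addr_dotted_quad_safe(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Turn a pulled --route / --ifconfig / --route-gateway argument into an IPv4
 * literal.  A DNS lookup happens only when the literal checks fail AND the
 * client explicitly allowed it, which mirrors the opt-in introduced by
 * --allow-pull-fqdn.  Uses getaddrinfo(), as the thread suggests for getaddr(). */
pull_addr_status resolve_pulled_addr(const char *s, bool allow_pull_fqdn,
                                     char *out, size_t outlen)
{
    if (is_special_addr(s))
        return PULL_ADDR_SPECIAL;

    if (ip_addr_dotted_quad_safe(s)) {
        snprintf(out, outlen, "%s", s);
        return PULL_ADDR_OK;
    }

    if (!allow_pull_fqdn) {
        /* Warn and carry on: the option is dropped, the session continues. */
        fprintf(stderr, "WARNING: pulled value '%s' is not an IP address; "
                        "ignoring (set --allow-pull-fqdn to resolve names)\n", s);
        return PULL_ADDR_REFUSED;
    }

    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;       /* this example resolves to IPv4 only */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(s, NULL, &hints, &res) != 0 || res == NULL) {
        fprintf(stderr, "WARNING: could not resolve pulled name '%s'; ignoring\n", s);
        return PULL_ADDR_NOTFOUND;
    }
    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    inet_ntop(AF_INET, &sin->sin_addr, out, outlen);
    freeaddrinfo(res);
    return PULL_ADDR_OK;
}

int main(void)
{
    /* Constructed sample values, as a server might push them. */
    const char *pulled[] = { "10.8.0.1", "vpn_gateway", "gw.example.com", "10.8.0" };
    char buf[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof pulled / sizeof pulled[0]; i++) {
        pull_addr_status st = resolve_pulled_addr(pulled[i], false, buf, sizeof buf);
        printf("%-16s -> status %d%s%s\n", pulled[i], st,
               st == PULL_ADDR_OK ? " addr " : "", st == PULL_ADDR_OK ? buf : "");
    }
    return 0;
}
```

With allow_pull_fqdn set to false (the post-r3307 default) the literal and keyword cases still work while both the host name and the malformed "10.8.0" are refused with a warning rather than handed to the resolver; flipping the flag to true makes the host-name case go through getaddrinfo().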
