Change subject: redirect-gateway: only redirect traffic through TUN if address
families match
......................................................................
redirect-gateway: only redirect traffic through TUN if address families match
Fixes an ifconfig push-reply bug where, if the remote is switched and the new
TUN has a different address family, the previous ifconfig options remain
assigned to the new TUN.
Adds a check in do_init_route_ipv6_list() to add default routes toward the TUN
only if the TUN has IPv6 addresses.
It also resets the ifconfig and ifconfig-ipv6 options on every PUSH_REPLY and
whenever a valid ifconfig or ifconfig-ipv6 option is found in a PUSH_UPDATE
message to avoid stale data conflicts. This may be necessary when the new
address has a different address family than the old one.
Change-Id: Ib3458a9ed2eb38e00184c4a92659b83b97fe476c
---
M src/openvpn/init.c
M src/openvpn/options.c
2 files changed, 62 insertions(+), 2 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/10/1210/3
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f8a0fee..aaa0573 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1523,7 +1523,7 @@
/* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
*/
- if (options->routes_ipv6->flags & RG_REROUTE_GW)
+ if (options->routes_ipv6->flags & RG_REROUTE_GW &&
options->ifconfig_ipv6_local)
{
char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL
};
int i;
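Review bot: The new condition mixes `&` and `&&` without parentheses, which a reader has to resolve against operator precedence before trusting it; `if ((options->routes_ipv6->flags & RG_REROUTE_GW) && options->ifconfig_ipv6_local)` states the intent directly. When the flag is set but no IPv6 ifconfig exists the redirect is now dropped with no trace in the log, which is the desired outcome but hard to diagnose from a client report; an `else` branch with a debug-level message, along the lines of `msg(D_ROUTE, "IPv6 redirect-gateway requested but no ifconfig-ipv6, skipping");`, would make the skipped redirect visible. The comment just above (`redirect (IPv6) gateway to VPN? ...`) should also name the new precondition. do_init_route_ipv6_list begins and ends outside the hunk.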
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f35738d..fc18931 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5459,6 +5459,17 @@
}
}
+/* Reset all ifconfig and ifconfig-ipv6 related options to their default/NULL
state */
+#define RESET_IFCONFIG_OPTIONS(opt) \
+ do \
+ { \
+ (opt)->ifconfig_local = NULL; \
+ (opt)->ifconfig_remote_netmask = NULL; \
+ (opt)->ifconfig_ipv6_local = NULL; \
+ (opt)->ifconfig_ipv6_netbits = 0; \
+ (opt)->ifconfig_ipv6_remote = NULL; \
+ } while (0)
+
bool
apply_push_options(struct context *c, struct options *options, struct buffer
*buf,
unsigned int permission_mask, unsigned int
*option_types_found,
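Review bot: RESET_IFCONFIG_OPTIONS is a plain statement sequence over a single typed argument, so a `static inline void reset_ifconfig_options(struct options *o)` gives identical code with type checking and a symbol visible in a debugger, and avoids a function-like macro for something that has no need of one. Whichever form stays, the comment should say what happens to the strings being dropped, since the body only clears the fields and frees nothing: `/* Clears the fields only; the strings they point to are not freed here. */` (presumably they live in option-owned storage, which the hunk does not show). The declaration of apply_push_options continues past the end of the hunk.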
@@ -5470,6 +5481,14 @@
const msglvl_t msglevel = D_PUSH_ERRORS | M_OPTERR;
unsigned int update_options_found = 0;
+ /* When receiving a PUSH_REPLY, reset the ifconfig options to prevent
+ * stale data conflicts. This could be necessary when the new address has a
+ * different address family than the previous one. */
+ if (!is_update)
+ {
+ RESET_IFCONFIG_OPTIONS(options);
+ }
+
while (buf_parse(buf, ',', line, sizeof(line)))
{
char *p[MAX_PARMS + 1];
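Review bot: The reset at the top of apply_push_options runs for every PUSH_REPLY before any line has been parsed, so a reply that carries no `ifconfig`/`ifconfig-ipv6` line leaves the client with no addressing at all, even when the client's own config supplied one; the PUSH_UPDATE path in this change only resets once a valid ifconfig line is actually seen. Unless pre-pull restore re-establishes the configured values before this point (not visible here), the reset should be tied to the first ifconfig/ifconfig-ipv6 option parsed, as the update path does, or the comment should spell out why discarding a locally configured ifconfig on every reply is intended. apply_push_options continues beyond the hunk.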
@@ -6014,7 +6033,48 @@
const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
ASSERT(MAX_PARMS >= 7);
- if (streq(p[0], "route") && p[1] && !p[5])
+ if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_UP);
+ if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
+ && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN --
may be DNS name */
+ {
+ /* When receiving a PUSH_UPDATE containing a valid ifconfig option,
+ * we should reset the ifconfig and ifconfig-ipv6 options to
prevent
+ * stale data conflicts. This could be necessary when the new
address has a
+ * different address family than the previous one. Same is true
when a valid
+ * ifconfig-ipv6 option is received. */
+ RESET_IFCONFIG_OPTIONS(options);
+ }
+ else
+ {
+ msg(msglevel, "ifconfig parms '%s' and '%s' must be valid
addresses", p[1], p[2]);
+ goto err;
+ }
+ }
+ else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
+ {
+ unsigned int netbits;
+
+ VERIFY_PERMISSION(OPT_P_UP);
+ if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) &&
ipv6_addr_safe(p[2]))
+ {
+ if (netbits < 64 || netbits > 124)
+ {
+ msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and
124, not '/%d'",
+ netbits);
+ goto err;
+ }
+
+ RESET_IFCONFIG_OPTIONS(options);
+ }
+ else
+ {
+ msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid
addresses", p[1], p[2]);
+ goto err;
+ }
+ }
+ else if (streq(p[0], "route") && p[1] && !p[5])
{
if (!(*update_options_found & OPT_P_U_ROUTE))
{
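Review bot: Both new branches call RESET_IFCONFIG_OPTIONS unconditionally, so when one message carries both `ifconfig` and `ifconfig-ipv6` the second line wipes the values stored for the first (assuming the existing handlers further down store into the same fields after this pre-check, as the `route` branch below suggests); the `route` branch guards its one-time clear with an `update_options_found` bit, and these branches need the same one-shot guard, e.g. `if (!(*update_options_found & OPT_P_U_IFCONFIG)) { RESET_IFCONFIG_OPTIONS(options); *update_options_found |= OPT_P_U_IFCONFIG; }` (flag name constructed here, to be chosen alongside the existing OPT_P_U_* bits). The address and netbits validation duplicates what the existing ifconfig/ifconfig-ipv6 handlers already do, so any later change to those checks has to be mirrored here; a one-line comment saying the pre-check exists only to order the reset before the store would make that coupling explicit. `netbits` is `unsigned int`, so the `'/%d'` in the netbits error message should be `'/%u'`. The `err` label and the enclosing function lie outside the hunk.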
--
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ib3458a9ed2eb38e00184c4a92659b83b97fe476c
Gerrit-Change-Number: 1210
Gerrit-PatchSet: 3
Gerrit-Owner: mrbff <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: cron2 <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: cron2 <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>