Re: [Openvpn-devel] [PATCH] Re: Handling of subnets grammar in Packet filter file

2010-06-03 Thread Gert Doering
Hi,

On Thu, Jun 03, 2010 at 12:47:47PM -0500, Eric F Crist wrote:
> > I updated the patch and it will now display something like:
> > WARNING: PF: /dev/shm/openvpn_pf_ff18e7030fd03ce91bd0432563e4eb1a.tmp/5: 
> > incorrect subnet 192.168.100.8/28 changed to 192.168.100.0/28
> 
> This seems rather pedantic to me...

Well, it is, but it's in line with the rest of OpenVPN - there are many
places where a (perceived) user error results in a warning, explaining
the situation...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



Re: [Openvpn-devel] [PATCH] Re: Handling of subnets grammar in Packet filter file

2010-06-03 Thread Eric F Crist
On Jun 3, 2010, at 12:38:19, chantra wrote:

> Gert Doering  greenie.muc.de> writes:
> 
> 
>> Both have merits, your fix is somewhat less code than adding an extra input
>> validation check 
>> 
>>  if ((network.s_addr & netmask) != network.s_addr )  
>>{ complain; }
>> 
>> - so: ACK from me.
>> 
>> (Since OpenVPN likes to print warnings, we *could* add code to print a 
>> warning in this case - "warning: subnet address changed to match /%d,
>> new value is %s/%d").
>> 
>> gert
> 
> Gert,
> 
> As discussed on IRC, it makes sense to "warn" the admin, 
> but it seems that is all that can be done as this is 
> going on at runtime.
> 
> I updated the patch and it will now display something like:
> WARNING: PF: /dev/shm/openvpn_pf_ff18e7030fd03ce91bd0432563e4eb1a.tmp/5: 
> incorrect subnet 192.168.100.8/28 changed to 192.168.100.0/28

This seems rather pedantic to me...

---
Eric Crist







Re: [Openvpn-devel] [PATCH] Re: Handling of subnets grammar in Packet filter file

2010-06-03 Thread Gert Doering
Hi,

On Thu, Jun 03, 2010 at 04:48:35PM +0200, chantra wrote:
> Please find below a patch to correct the behaviour.
> 
> I have also opened a trac ticket :
> https://community.openvpn.net/openvpn/ticket/14

The patch itself looks good.

It's a bit of a philosophical issue what to do with network specifications
given like this - one approach would be to *reject* as a config error
("a /28 network cannot start at .8"), the other approach is what you have
done, to silently mask out the host bits, changing the .8/28 to .0/28.

Both have merits, your fix is somewhat less code than adding an extra input
validation check 

  if ((network.s_addr & netmask) != network.s_addr )  
{ complain; }

- so: ACK from me.

(Since OpenVPN likes to print warnings, we *could* add code to print a 
warning in this case - "warning: subnet address changed to match /%d,
new value is %s/%d").

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



[Openvpn-devel] [PATCH] Re: Handling of subnets grammar in Packet filter file

2010-06-03 Thread chantra
Please find below a patch to correct the behaviour.

I have also opened a trac ticket:
https://community.openvpn.net/openvpn/ticket/14

chantra


http://www.debuntu.org


> 
> Hi all,
> 
> It seems that openvpn is not handling properly non-standard subnets in
> pf_file.
> This issue happened on debian etch openvpn 2.1 rc11
> 
> Today, while I made a typo, the following rule did not work properly:
> 
> # cat /dev/shm/openvpn_pf_73f2c3256a50371f057d5c0db97ede2f.tmp
> [CLIENTS DROP]
> 
> [SUBNETS ACCEPT]
> +192.168.100.0/29
> -192.168.100.8/28
> 
> [END]
> 
> 
> -192.168.100.8/28 was simply ignored which basically allowed the client
> to ping the whole subnet
> 
> The following rule behaved properly though.
> 
> # cat /dev/shm/openvpn_pf_f2b43d3cb1acd5a2720c01559cb03dc3.tmp
> [CLIENTS DROP]
> 
> [SUBNETS ACCEPT]
> +192.168.100.0/29
> -192.168.100.0/28
> [END]
> 
> 
> I agree it is not really a bug as it is a user error in the first place
> and openvpn carried on happily discarding this rule.
> But maybe openvpn could try to handle such subnets and translate it as
> 192.168.100.0/8.
> 
> I could try to look into it if you guys believe it should be handled by
> openvpn (or maybe this has already been fixed?)
> 
> Regards,
> 
> chantra
> 




From 09ddcf75171804503119912b45876d92c3476cbc Mon Sep 17 00:00:00 2001
From: chantra 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Wed, 2 Jun 2010 12:44:26 +0200
Subject: [PATCH] Handle non standard subnets in PF grammar

Allow subnets like 192.168.100.8/28 to be understood
---
 pf.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/pf.c b/pf.c
index 3ce2ef2..f16ec9c 100644
--- a/pf.c
+++ b/pf.c
@@ -121,7 +121,7 @@ add_subnet (const char *line, const char *prefix, const int line_num, struct pf_
 struct pf_subnet *e;
 ALLOC_OBJ_CLEAR (e, struct pf_subnet);
 e->rule.exclude = exclude;
-e->rule.network = ntohl (network.s_addr);
+e->rule.network = ntohl (network.s_addr) & netmask;
 e->rule.netmask = netmask;
 **next = e;
 *next = >next;
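Review bot: the masking added on the `+` line silently rewrites the rule, so a typo such as 192.168.100.8/28 is now accepted as 192.168.100.0/28 without any trace in the log; since `add_subnet` already receives `prefix` and `line_num`, emit the warning discussed in this thread when `(ntohl (network.s_addr) & netmask) != ntohl (network.s_addr)` before the assignment, so the admin can see that the rule differs from what was written. The AND is correctly applied to the `ntohl` result, consistent with `e->rule.netmask = netmask` being stored in host byte order.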
-- 
1.5.6.5
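As an added example (not part of the patch or of OpenVPN's pf.c), the following C code parses the `[SUBNETS ...]` lines from chantra's report, applies the same host-bit masking as the patch, and records Gert's `(network & netmask) != network` condition so a caller can print the warning the thread settles on; `parse_pf_subnet`, `pf_subnet_format` and `struct pf_subnet_rule` are names chosen here, not OpenVPN's.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One parsed "[SUBNETS ...]" line; field names follow the thread's pf_subnet. */
struct pf_subnet_rule {
    int exclude;       /* 1 for a "-" line, 0 for a "+" line */
    uint32_t network;  /* host byte order, host bits cleared */
    uint32_t netmask;  /* host byte order */
    int adjusted;      /* 1 if the address as written had host bits set */
};

/* Parse "[+-]a.b.c.d/len". Returns 0 on success, -1 on a syntax error.
 * Like the patch, network is ANDed with netmask after ntohl(); like Gert's
 * suggested check, 'adjusted' records whether that changed the value. */
int parse_pf_subnet(const char *line, struct pf_subnet_rule *r)
{
    char addr[INET_ADDRSTRLEN];
    struct in_addr network;
    int len;
    if (line[0] != '+' && line[0] != '-')
        return -1;
    if (sscanf(line + 1, "%15[0-9.]/%d", addr, &len) != 2 || len < 0 || len > 32)
        return -1;
    if (inet_pton(AF_INET, addr, &network) != 1)
        return -1;
    r->exclude = (line[0] == '-');
    r->netmask = (len == 0) ? 0 : (0xffffffffu << (32 - len));  /* no shift by 32 (UB) */
    uint32_t given = ntohl(network.s_addr);
    r->network = given & r->netmask;
    r->adjusted = (r->network != given);  /* Gert's (network & netmask) != network */
    return 0;
}

/* Render network/prefix as "a.b.c.d/len" into a caller-supplied buffer. */
void pf_subnet_format(uint32_t network, uint32_t netmask, char *out, size_t outlen)
{
    struct in_addr a;
    char buf[INET_ADDRSTRLEN];
    int len = 0;
    a.s_addr = htonl(network);
    inet_ntop(AF_INET, &a, buf, sizeof buf);
    while (netmask) { len++; netmask <<= 1; }  /* count contiguous leading ones */
    snprintf(out, outlen, "%s/%d", buf, len);
}
```

Fed the two lines from the report ("+192.168.100.0/29" and "-192.168.100.8/28"), the first parses unchanged while the second sets `adjusted` and formats as 192.168.100.0/28, which is exactly the case the warning is meant to surface.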



Re: [Openvpn-devel] Topics for today's meeting

2010-06-03 Thread reg9009

On 03.06.2010 14:06, Samuli Seppänen wrote:

> Hi,
> 
> Here are some topics for today's meeting (18:00 UTC,
> #openvpn-de...@irc.freenode.net).
> 
> If you have any other things you'd like to bring up, add them to the
> list or send them to me.


Hi all,

I'd like to raise an additional topic, state/instance synchronization 
between OpenVPN instances (transparent failover option).


Regards,
Sebastian



[Openvpn-devel] Topics for today's meeting

2010-06-03 Thread Samuli Seppänen
Hi,

Here are some topics for today's meeting (18:00 UTC,
#openvpn-de...@irc.freenode.net).



If you have any other things you'd like to bring up, add them to the
list or send them to me.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock