Hi all,
It seems that openvpn is not properly handling non-standard subnets in
pf_file.
This issue happened on debian etch, openvpn 2.1 rc11.
Today, when I made a typo, the following rule did not work properly:
# cat /dev/shm/openvpn_pf_73f2c3256a50371f057d5c0db97ede2f.tmp
[CLIENTS DROP]
[SUBNETS ACCEPT]
+192.168.100.0/29
-192.168.100.8/28
[END]
-192.168.100.8/28 was simply ignored, which basically allowed the client
to ping the whole subnet.
The following rule behaved properly though.
# cat /dev/shm/openvpn_pf_f2b43d3cb1acd5a2720c01559cb03dc3.tmp
[CLIENTS DROP]
[SUBNETS ACCEPT]
+192.168.100.0/29
-192.168.100.0/28
[END]
I agree it is not really a bug, as it is a user error in the first place
and openvpn carried on, happily discarding this rule.
But maybe openvpn could try to handle such subnets and translate it as
192.168.100.0/8.
I could try to look into it if you guys believe it should be handled by
openvpn (or maybe this has already been fixed?)
Regards,
chantra
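
An added example, not part of the original post and not OpenVPN code: a check to run on a pf_file before deploying it, flagging subnet rules whose address has host bits set, like the -192.168.100.8/28 line above. It assumes the file layout shown in the post; lint_pf_subnets, SAMPLE_BAD and SAMPLE_OK are hypothetical names.

```python
import ipaddress

# Constructed samples: the two pf_file bodies quoted in the post above.
SAMPLE_BAD = """\
[CLIENTS DROP]
[SUBNETS ACCEPT]
+192.168.100.0/29
-192.168.100.8/28
[END]
"""
SAMPLE_OK = SAMPLE_BAD.replace("-192.168.100.8/28", "-192.168.100.0/28")


def lint_pf_subnets(text):
    """Return (line_no, rule, aligned_network) for every [SUBNETS] rule
    whose address is not the network address for its prefix length."""
    findings = []
    in_subnets = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("["):
            # Section headers: only rules under [SUBNETS ...] are checked.
            in_subnets = line.upper().startswith("[SUBNETS")
            continue
        if not in_subnets or not line or line[0] not in "+-":
            continue
        spec = line[1:].strip()
        try:
            # strict=True rejects addresses with host bits set.
            ipaddress.ip_network(spec, strict=True)
            continue
        except ValueError:
            pass
        try:
            # strict=False masks the host bits, giving the aligned network.
            aligned = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            continue  # not an address at all; out of scope for this check
        findings.append((line_no, line, str(aligned)))
    return findings


if __name__ == "__main__":
    for line_no, rule, aligned in lint_pf_subnets(SAMPLE_BAD):
        # The post reports that a rule of this kind was ignored.
        print(f"line {line_no}: {rule} is not aligned; network is {aligned}")
```

A non-empty result is a reason to reject the file rather than load it, since a misaligned deny rule under an ACCEPT default leaves the intended range reachable.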