Gert Doering <gert <at> greenie.muc.de> writes:
> Both have merits, your fix is somewhat less code than adding an extra input
> validation check
>
>   if ((network.s_addr & netmask) != network.s_addr )
>      { complain; }
>
> - so: ACK from me.
>
> (Since OpenVPN likes to print warnings, we *could* add code to print a
> warning in this case - "warning: subnet address changed to match /%d,
> new value is %s/%d").
>
> gert

Gert,

As discussed on IRC, it makes sense to "warn" the admin, but it seems it is all that can be done as this is going on at runtime.

I updated the patch and it will now display something like:

WARNING: PF: /dev/shm/openvpn_pf_ff18e7030fd03ce91bd0432563e4eb1a.tmp/5: incorrect subnet 192.168.100.8/28 changed to 192.168.100.0/28
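The check and the warn-and-normalize behaviour discussed in this thread, as an added example that is not part of the original message and is not OpenVPN's code. The function name `normalize_subnet` and its return convention are assumptions made for illustration; the sample rule is the value quoted in the thread.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not OpenVPN's code): parse "a.b.c.d/len", clear any
 * host bits, and write the canonical subnet to out.
 * Returns 0 if already canonical, 1 if it was changed, -1 on parse error. */
int normalize_subnet(const char *cidr, char *out, size_t outlen)
{
    char buf[64];
    char ip[INET_ADDRSTRLEN];
    struct in_addr network;
    char *slash, *end;
    long prefix;
    uint32_t netmask, addr;

    if (strlen(cidr) >= sizeof(buf))
        return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (!slash)
        return -1;
    *slash = '\0';
    prefix = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32)
        return -1;
    if (inet_pton(AF_INET, buf, &network) != 1)
        return -1;

    /* A 32-bit shift by 32 is undefined in C, so /0 is handled explicitly. */
    netmask = prefix == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - prefix));
    addr = network.s_addr;
    network.s_addr &= netmask;          /* drop host bits */
    if (!inet_ntop(AF_INET, &network, ip, sizeof(ip)))
        return -1;
    snprintf(out, outlen, "%s/%ld", ip, prefix);
    return addr != network.s_addr;      /* the check quoted in the thread */
}

int main(void)
{
    char fixed[64];
    const char *rule = "192.168.100.8/28";  /* sample value from the thread */
    /* The file:line prefix of the real warning is omitted here. */
    if (normalize_subnet(rule, fixed, sizeof(fixed)) == 1)
        printf("WARNING: PF: incorrect subnet %s changed to %s\n", rule, fixed);
    return 0;
}
```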