On 01.12.16 at 13:37, Gert Doering wrote:
> Hi,
>
> On Thu, Dec 01, 2016 at 01:31:31PM +0100, Arne Schwabe wrote:
>> On 30.11.16 at 23:41, David Sommerseth wrote:
>>> This adds a warning to the log file if --topology is configured to use
>>> subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option
>>> is not a subnet mask. The check done is to ensure the first octet is 0xff
>>> (255)
>> But what you actually want to test is
>>
>> if topology == subnet or net30:
>>     if gateway not in net(ip, mask):
>>         print("Your gw and ip and netmask disagree!")
>>
>> right? And isn't there code that gets executed for the client side that
>> can be disabled by ifconfig-nowarn. Can we reuse that code?
> That is certainly something we should test as well, but the particular
> case I had in mind was
>
> - someone uses --topology p2p
> - they have ccd/ files with "ifconfig-push 10.4.0.14 10.4.0.13"
>   (for some clients that need to get a static address)
> - they change their server.conf to --topology subnet
> - everything works for "dynamic clients", but the static client now
>   receives "10.4.0.13" and interprets it as a "netmask", which will
>   cause the most interesting things, depending on platform code
>
> so the idea was to help this case by looking at only the "netmask" thing,
> and see if it makes sense (simplified sense: starts with 255.) - and if
> not, log this on the server side right when reading the ccd/ file so
> the admin in question can see "oh, I overlooked *that* special client".
>
> (Since that happened to a friend of mine based on my advice, I know that
> this is not a purely theoretical possibility :-) )
>
You are still very likely to catch this case if you check if in net30/subnet the netmask is indeed valid (e.g. CIDR).

Arne
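Added example, not part of the thread or of the OpenVPN source: the two server-side checks discussed above, the first-octet test from the patch description and the contiguous-netmask (CIDR) test Arne suggests, applied to ccd-style `ifconfig-push` lines as they would be read under `--topology subnet`. The function names, result codes and sample lines are constructed for illustration, and only numeric IPv4 arguments are handled.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not OpenVPN identifiers). */
enum push_check { PUSH_OK, PUSH_NOT_IFCONFIG_PUSH, PUSH_BAD_ADDRESS, PUSH_BAD_NETMASK };

/* The simplified test from the patch description: first octet is 0xff. */
int first_octet_is_255(uint32_t mask)
{
    return (mask >> 24) == 0xff;
}

/* Stricter test: the set bits are contiguous from the top, i.e. the mask
 * is a CIDR prefix. 0.0.0.0 is rejected as useless for an interface. */
int is_cidr_netmask(uint32_t mask)
{
    uint32_t host_bits = ~mask;
    return mask != 0 && (host_bits & (host_bits + 1)) == 0;
}

/* Check one ccd line of the form "ifconfig-push <ip> <netmask>" as it
 * would be interpreted under --topology subnet (numeric IPv4 only). */
enum push_check check_ifconfig_push(const char *line)
{
    char opt[32], ip[64], mask[64];
    struct in_addr a, m;

    if (sscanf(line, "%31s %63s %63s", opt, ip, mask) != 3
        || strcmp(opt, "ifconfig-push") != 0)
        return PUSH_NOT_IFCONFIG_PUSH;
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return PUSH_BAD_ADDRESS;
    return is_cidr_netmask(ntohl(m.s_addr)) ? PUSH_OK : PUSH_BAD_NETMASK;
}

int main(void)
{
    /* Constructed sample lines; the first is the p2p-style entry from the thread. */
    const char *ccd[] = { "ifconfig-push 10.4.0.14 10.4.0.13",
                          "ifconfig-push 10.4.0.14 255.255.255.0",
                          "ifconfig-push 10.4.0.14 255.0.255.0" };
    for (size_t i = 0; i < sizeof ccd / sizeof ccd[0]; i++)
        if (check_ifconfig_push(ccd[i]) == PUSH_BAD_NETMASK)
            printf("WARNING: '%s': second argument is not a netmask\n", ccd[i]);
    return 0;
}
```

Both tests flag the leftover p2p entry `10.4.0.13`; only the contiguity test also flags a value such as `255.0.255.0`, which starts with 255 but is not a valid mask.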