On 01.12.16 at 13:37, Gert Doering wrote:
> Hi,
>
> On Thu, Dec 01, 2016 at 01:31:31PM +0100, Arne Schwabe wrote:
>> On 30.11.16 at 23:41, David Sommerseth wrote:
>>> This adds a warning to the log file if --topology is configured to use
>>> subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option
>>> is not an subnet mask.  The check done is to ensure the first octet is 0xff 
>>> (255)
>> But what you actually want to test is
>>
>> if topology == subnet or net30:
>>    if gateway not in net(ip, mask):
>>       print ("Your gw and ip and netmask disagree!")
>>
>> right? And isn't there code that gets executed for the client side that
>> can be disabled by ifconfig-nowarn? Can we reuse that code?
> That is certainly something we should test as well, but the particular
> case I had in mind was
>
>  - someone uses --topology p2p
>  - they have ccd/ files with "ifconfig-push 10.4.0.14 10.4.0.13"
>    (for some clients that need to get a static address)
>  - they change their server.conf to --topology subnet
>  - everything works for "dynamic clients", but the static client now
>    receives "10.4.0.13" and interprets it as a "netmask", which will
>    cause the most interesting things, depending on platform code
>
> so the idea was to help this case by looking at only the "netmask" thing,
> and see if it makes sense (simplified sense: starts with 255.) - and if
> not, log this on the server side right when reading the ccd/ file so
> the admin in question can see "oh, I overlooked *that* special client".
>
> (Since that happened to a friend of mine based on my advice, I know that
> this is not a purely theoretical possibility :-) )
>

You are still very likely to catch this case if you check whether, in
net30/subnet, the netmask is indeed valid (e.g. CIDR).

Arne
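
The two netmask checks discussed in this thread, side by side, as an added C example that is not part of the thread or of the OpenVPN source. The function names are hypothetical, and the sample values other than 10.4.0.13 are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Hypothetical helpers for illustration; these are not OpenVPN functions. */

/* Parse a dotted quad into a host-order 32-bit value; returns 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Check from the patch description: the first octet must be 0xff (255). */
int first_octet_is_255(const char *mask)
{
    uint32_t m;
    return parse_ipv4(mask, &m) && (m >> 24) == 0xff;
}

/* Stricter check from the reply: the mask must be a valid CIDR mask,
 * i.e. contiguous one bits followed by zero bits.
 * Returns the prefix length, or -1 if the value is not such a mask. */
int cidr_prefix_len(const char *mask)
{
    uint32_t m, inv;
    int len = 0;
    if (!parse_ipv4(mask, &m))
        return -1;
    inv = ~m;
    if (inv & (inv + 1))        /* ~mask must have the form 2^k - 1 */
        return -1;
    while (m & 0x80000000u) { len++; m <<= 1; }
    return len;
}

int main(void)
{
    /* 10.4.0.13 is the p2p peer address from the ccd/ case in the thread;
     * the other values are constructed samples. */
    const char *samples[] = { "10.4.0.13", "255.255.255.0",
                              "255.255.255.252", "255.0.255.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s first-octet=%d cidr-prefix=%d\n", samples[i],
               first_octet_is_255(samples[i]), cidr_prefix_len(samples[i]));
    return 0;
}
```

Both checks flag the leftover p2p peer address 10.4.0.13; only the CIDR check also flags a non-contiguous value such as 255.0.255.0.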
