On Fri, Dec 09, 2016 at 03:50:48AM +0100, David Sommerseth wrote:
> This adds a warning to the log file if --topology is configured to use
> subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option
> is not an subnet mask.
> v2 - Make use of ifconfig_sanity_check() in tun.c instead of doing the exact
>      same check and warning in prepare_push_reply().  Also improve 
> documentation
>      of ifconfig_sanity_check() while at it.

Not being the one to complain about your code all the time... but...
since trac #755 is about "topology subnet"...

static void
ifconfig_sanity_check (bool tun, in_addr_t addr, int topology)
  struct gc_arena gc = gc_new ();
  const bool looks_like_netmask = ((addr & 0xFF000000) == 0xFF000000);
  if (tun)
      if (looks_like_netmask && (topology == TOP_NET30 || topology == TOP_P2P))
        msg (M_WARN, "WARNING: Since you are using --dev tun with a point-to-poi
nt topology, the second argument to --ifconfig must be an IP address.  You are u
sing something (%s) that looks more like a netmask. %s",
             print_in_addr_t (addr, 0, &gc),
  else /* tap */

... ifconfig_sanity_check() does *nothing* for TOP_SUBNET (and the code
disagrees with your commit message for "net30").

So the v3 version of that patch would need to add the (missing today,
but actually important diagnostic aid - and the point of #755) clause

    if (!looks_like_netmask && topology == TOP_SUBNET)
        msg (M_WARN, "topology subnet needs a netmask as second argument bla 

Also we might to re-think the warning message printed - if called from
an ifconfig-push context, the text "the second argument to --ifconfig must
be an IP address" is less than clear ("my --ifconfig settings are just 
fine, what is openvpn warning about?").

Plus, it needs to be actually tested on a non-intel architecture - the
code has been like that forever, but I would not trust it to be endian-
safe (though our use of "in_addr_t" is not actually consistent with
what *should* be in one - parts of the code treat it as "network byte
order", other parts as "host byte order", and the point of using
"in_addr_t" as well defined *type* and not "a bag of 32bits, unsigned"
should have been "as defined by the socket API", which wants network
byte order).

But since this is an enhancement and not a bug, it should not be rushed -
it does not have to be in 2.4.0.  Let's do it properly, test it, then
see if we want to have it in 2.4.1  (and while at it, we should teach
check_addr_clash() that networks do have a netmask for a reason, and
"local/remote and --ifconfig are in the same /24" could be perfectly fine 
if the pushed netmask is *not* a /24).

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

Attachment: signature.asc
Description: PGP signature

Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
Openvpn-devel mailing list

Reply via email to