On Mon, 22 Mar 2021 at 10:07, Paul Wouters <[email protected]> wrote:
>
>
> commit 6cb075ac1f1b563c629011fa9e961ca22a9c7ab1
> Author: Andrew Cagney <[email protected]>
> Date:   Sun Mar 21 21:18:55 2021 -0400
>
>     xauth: cleanup passing password file's <addresspool>
>
>     - drop the ttorange(<address>-<address>) hack since ttorange()
>       parses <address>
>     - explicitly reject an empty range, and range starting at zero
(we're talking about the IKEv1 XAUTH password file, ranges, and the
addresspool, not subnets and clients).

The commit goes hand-in-hand with:

commit 024c567c64189ca7a53724be83736af3a0c3a0ac (HEAD -> main, origin/main, origin/HEAD)
Author: Andrew Cagney <[email protected]>
Date:   Sun Mar 21 20:48:31 2021 -0400

    ip: in ttorange() allow :: as the start address

    Technically it is valid.  Let caller decide if it is reasonable.
    More consistent - ::/0 is accepted by ranges, subnets, and selectors.

So as a pair they just moved the deck chair:

+	if (non_zero){
+		uint32_t addr = ntohl(addr_start_tmp.u.v4.sin_addr.s_addr);
+		if (addr == 0)
+			return "'0.0.0.0' not allowed as start";
+	}

in ttorange() to its callers - xauth / addresspool server code.  The code
snippet can be traced back to:

commit 709100e6ebba15f9bdc8cc6f2532ebc4248a878e
Author: Antony Antony <[email protected]>
Date:   Mon Apr 21 18:00:18 2014 +0200

    addresspool: code review and improvements by DHR

I suspect this was to stop the addresspool handing out the zero address,
i.e., :: or 0.0.0.0?  (if the address pool range ::-:: aka ::/128 was
allowed I'm really not sure what would happen)

> What is wrong with address ranges starting at 0?

Did you mean 0.0.0.0/0 ?

> Because I'm using a /28 that starts at the .0 and it works fine and we
> should not block the zero address from being used as a valid address.

As the code stands, the server would need to be configured with
0.0.0.1-0.0.0.15?

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
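Review bot: the zero-start check in the quoted hunk, `uint32_t addr = ntohl(addr_start_tmp.u.v4.sin_addr.s_addr);`, reads only the IPv4 member of the address union and never consults the address family, and its diagnostic hardcodes '0.0.0.0'; for an IPv6 start address it therefore tests only whichever bytes the v4 member overlays and reports the wrong address text, which is consistent with the message's uncertainty about what a ::-:: pool would do. When this check is moved into the xauth / addresspool callers it should test the full address through a family-aware "is unspecified" predicate covering both 0.0.0.0 and ::, and word the diagnostic per family. Note also that the whole check is gated on `if (non_zero){`, so any caller passing a false flag gets no zero-start rejection at all; the callers taking the check over should decide explicitly whether that gate is still wanted.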
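Added example, not libreswan code: a minimal IPv4 range parser built along the split of responsibilities the two commits above describe, where the parser only checks syntax and rejects an empty (end-before-start) range, and the zero-start policy lives in a caller-side wrapper standing in for the addresspool. The names parse_range4, parse_pool_range4, range4_size and struct ip_range4 are mine, and the inputs in main() are constructed to mirror the cases in the thread: a /28 whose first host address ends in .0, a range starting at 0.0.0.0, the 0.0.0.1-0.0.0.15 form the message speculates the server would need, and an empty range. IPv6 is omitted; an equivalent check there has to compare all 128 bits, not a 32-bit view of the address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Inclusive IPv4 range, both ends in host byte order. (Hypothetical type.) */
struct ip_range4 {
    uint32_t start;
    uint32_t end;
};

/* Parse a dotted quad into a host-order uint32_t; false if malformed. */
static bool parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char trailing;
    /* %c after the quad detects trailing junk: a clean quad matches exactly 4. */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

/* Parse "START-END" or "PREFIX/N" into an inclusive range.
 * Like the ttorange() described in the thread after the second commit,
 * this accepts a start of 0.0.0.0 (and 0.0.0.0/0): syntax is the parser's
 * job, whether the zero address is reasonable is the caller's policy.
 * Returns NULL on success, otherwise a diagnostic string. */
const char *parse_range4(const char *text, struct ip_range4 *out)
{
    char buf[64];
    if (strlen(text) >= sizeof buf)
        return "range text too long";
    strcpy(buf, text);

    char *sep = strpbrk(buf, "-/");
    if (sep == NULL)
        return "expected START-END or PREFIX/N";
    char kind = *sep;
    *sep = '\0';
    const char *lhs = buf, *rhs = sep + 1;

    uint32_t start;
    if (!parse_ipv4(lhs, &start))
        return "malformed start address";

    if (kind == '-') {
        uint32_t end;
        if (!parse_ipv4(rhs, &end))
            return "malformed end address";
        if (end < start)
            return "empty range: end precedes start";
        out->start = start;
        out->end = end;
        return NULL;
    }

    /* PREFIX/N: derive the block; /0 covers everything, /32 a single host. */
    char trailing;
    unsigned plen;
    if (sscanf(rhs, "%u%c", &plen, &trailing) != 1 || plen > 32)
        return "bad prefix length";
    uint32_t mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
    if ((start & mask) != start)
        return "host bits set in prefix";
    out->start = start;
    out->end = start | ~mask;
    return NULL;
}

/* Caller-side policy, standing in for the addresspool: reject an empty
 * field, and reject a range whose first address is the unspecified
 * address 0.0.0.0, which a pool must never hand to a client. A block such
 * as 10.0.0.0/28 starts at a ".0" host address but is not zero, so it
 * passes; only a literal 0.0.0.0 start is refused here. */
const char *parse_pool_range4(const char *text, struct ip_range4 *out)
{
    if (text == NULL || *text == '\0')
        return "empty range";
    const char *err = parse_range4(text, out);
    if (err != NULL)
        return err;
    if (out->start == 0)
        return "0.0.0.0 not allowed as start of an address pool";
    return NULL;
}

/* Number of addresses the pool could lease from the range. */
uint64_t range4_size(const struct ip_range4 *r)
{
    return (uint64_t)r->end - r->start + 1;
}

int main(void)
{
    /* Constructed inputs mirroring the cases discussed in the thread. */
    const char *inputs[] = {
        "10.0.0.0/28",          /* a /28 starting at .0: accepted */
        "0.0.0.0-0.0.0.15",     /* parser accepts, pool policy rejects */
        "0.0.0.1-0.0.0.15",     /* what the server would need instead */
        "10.0.0.20-10.0.0.10",  /* empty range: end precedes start */
        "",                     /* empty field */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct ip_range4 r;
        const char *err = parse_pool_range4(inputs[i], &r);
        if (err != NULL)
            printf("%-22s -> rejected: %s\n", inputs[i], err);
        else
            printf("%-22s -> %llu addresses\n", inputs[i],
                   (unsigned long long)range4_size(&r));
    }
    return 0;
}
```

The point of the two-layer shape is the one the commits make: parse_range4() says yes to 0.0.0.0-0.0.0.15 and to 0.0.0.0/0 because both are well-formed, and it is parse_pool_range4(), the piece that knows it is feeding an address pool, that refuses a zero start. Moving the check down a layer does not change what a user can configure (0.0.0.1-0.0.0.15 is still the way to avoid leasing the zero address), it only puts the policy next to the code that has a reason for it.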
