From 5a09a1205cea2c5d223f97f5d91a2e46d91c55ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= Date: Fri, 20 Mar 2015 14:02:19 +0100 Subject: [PATCH] libnm-util: allow 0.0.0.0/1 route in verify() (rh #1203904) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenVPN uses a trick to override default route by adding these two routes: 0.0.0.0/1 and 128.0.0.0/1. We should allow this and only refuse real default route (i.e. prefix == 0). Also verify IPv6 addresses and routes. See: man openvpn (search for def1) https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway https://bugzilla.redhat.com/show_bug.cgi?id=1203904 (cherry picked from commit ba35c63db60aa652528e492aa483c971b9217f1e) Signed-off-by: Jiří Klimeš
---
 libnm-util/nm-setting-ip4-config.c | 10 --------- libnm-util/nm-setting-ip6-config.c | 44 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/libnm-util/nm-setting-ip4-config.c b/libnm-util/nm-setting-ip4-config.c
index 26ce4e5..c967f62 100644
--- a/libnm-util/nm-setting-ip4-config.c
+++ b/libnm-util/nm-setting-ip4-config.c
@@ -1018,16 +1018,6 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
 NMIP4Route *route = (NMIP4Route *) iter->data;
 guint32 prefix = nm_ip4_route_get_prefix (route);

- if (!nm_ip4_route_get_dest (route)) {
- g_set_error (error,
- NM_SETTING_IP4_CONFIG_ERROR,
- NM_SETTING_IP4_CONFIG_ERROR_INVALID_PROPERTY,
- _("%d. route is invalid"),
- i+1);
- g_prefix_error (error, "%s.%s: ", NM_SETTING_IP4_CONFIG_SETTING_NAME, NM_SETTING_IP4_CONFIG_ROUTES);
- return FALSE;
- }
-
 if (!prefix || prefix > 32) {
 g_set_error (error,
 NM_SETTING_IP4_CONFIG_ERROR,
diff --git a/libnm-util/nm-setting-ip6-config.c b/libnm-util/nm-setting-ip6-config.c
index 78be723..fb35932 100644
--- a/libnm-util/nm-setting-ip6-config.c
+++ b/libnm-util/nm-setting-ip6-config.c
@@ -804,6 +804,8 @@ static gboolean
 verify (NMSetting *setting, GSList *all_settings, GError **error)
 {
 NMSettingIP6ConfigPrivate *priv = NM_SETTING_IP6_CONFIG_GET_PRIVATE (setting);
+ GSList *iter;
+ int i;

 if (!priv->method) {
 g_set_error_literal (error,
@@ -878,6 +880,48 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
 return FALSE;
 }

+ /* Validate addresses */
+ for (iter = priv->addresses, i = 0; iter; iter = g_slist_next (iter), i++) {
+ NMIP6Address *addr = (NMIP6Address *) iter->data;
+ guint32 prefix = nm_ip6_address_get_prefix (addr);
+
+ if (IN6_IS_ADDR_UNSPECIFIED (nm_ip6_address_get_address (addr))) {
+ g_set_error (error,
+ NM_SETTING_IP6_CONFIG_ERROR,
+ NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+ _("%d. IPv6 address is invalid"),
+ i+1);
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ADDRESSES);
+ return FALSE;
+ }
+
+ if (!prefix || prefix > 128) {
+ g_set_error (error,
+ NM_SETTING_IP6_CONFIG_ERROR,
+ NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+ _("%d. IPv6 address has invalid prefix"),
+ i+1);
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ADDRESSES);
+ return FALSE;
+ }
+ }
+
+ /* Validate routes */
+ for (iter = priv->routes, i = 0; iter; iter = g_slist_next (iter), i++) {
+ NMIP6Route *route = (NMIP6Route *) iter->data;
+ guint32 prefix = nm_ip6_route_get_prefix (route);
+
+ if (!prefix || prefix > 128) {
+ g_set_error (error,
+ NM_SETTING_IP6_CONFIG_ERROR,
+ NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+ _("%d. route has invalid prefix"),
+ i+1);
+ g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ROUTES);
+ return FALSE;
+ }
+ }
+
 return TRUE;
 }

-- 2.1.0
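Review bot: The added `/* Validate routes */` loop checks only the prefix length, and nothing in it records that the destination is left unchecked on purpose. The commit message says /1 half-default routes must pass and only prefix 0 is refused, so a comment such as `/* Destination is deliberately not checked: only prefix 0 (a real default route) is refused */` would keep a later cleanup from re-adding a destination test. The same comment should say that verify() therefore does not stop a pair of /1 routes from capturing all traffic, so any policy against overriding the default route has to be enforced where routes are applied, not here. Separately, these IPv6 checks are new on a cherry-picked branch: a stored profile with an unspecified address or a prefix of 0 would now fail verification unless the setters already reject those values, which is not visible in this diff. This hunk starts in the middle of verify(); the checks between the two hunks are outside the patch.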