From 5a09a1205cea2c5d223f97f5d91a2e46d91c55ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= <jklimes@redhat.com>
Date: Fri, 20 Mar 2015 14:02:19 +0100
Subject: [PATCH] libnm-util: allow 0.0.0.0/1 route in verify() (rh #1203904)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenVPN uses a trick to override the default route by adding these two routes:
0.0.0.0/1 and 128.0.0.0/1.
We should allow this and only refuse a real default route (i.e. prefix == 0).

Also verify IPv6 addresses and routes.

See:
man openvpn (search for def1)
https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

https://bugzilla.redhat.com/show_bug.cgi?id=1203904

(cherry picked from commit ba35c63db60aa652528e492aa483c971b9217f1e)
Signed-off-by: Jiří Klimeš <jklimes@redhat.com>
---
 libnm-util/nm-setting-ip4-config.c | 10 ---------
 libnm-util/nm-setting-ip6-config.c | 44 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 10 deletions(-)

diff --git a/libnm-util/nm-setting-ip4-config.c b/libnm-util/nm-setting-ip4-config.c
index 26ce4e5..c967f62 100644
--- a/libnm-util/nm-setting-ip4-config.c
+++ b/libnm-util/nm-setting-ip4-config.c
@@ -1018,16 +1018,6 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
 		NMIP4Route *route = (NMIP4Route *) iter->data;
 		guint32 prefix = nm_ip4_route_get_prefix (route);
 
-		if (!nm_ip4_route_get_dest (route)) {
-			g_set_error (error,
-			             NM_SETTING_IP4_CONFIG_ERROR,
-			             NM_SETTING_IP4_CONFIG_ERROR_INVALID_PROPERTY,
-			             _("%d. route is invalid"),
-			             i+1);
-			g_prefix_error (error, "%s.%s: ", NM_SETTING_IP4_CONFIG_SETTING_NAME, NM_SETTING_IP4_CONFIG_ROUTES);
-			return FALSE;
-		}
-
 		if (!prefix || prefix > 32) {
 			g_set_error (error,
 			             NM_SETTING_IP4_CONFIG_ERROR,
diff --git a/libnm-util/nm-setting-ip6-config.c b/libnm-util/nm-setting-ip6-config.c
index 78be723..fb35932 100644
--- a/libnm-util/nm-setting-ip6-config.c
+++ b/libnm-util/nm-setting-ip6-config.c
@@ -804,6 +804,8 @@ static gboolean
 verify (NMSetting *setting, GSList *all_settings, GError **error)
 {
 	NMSettingIP6ConfigPrivate *priv = NM_SETTING_IP6_CONFIG_GET_PRIVATE (setting);
+	GSList *iter;
+	int i;
 
 	if (!priv->method) {
 		g_set_error_literal (error,
@@ -878,6 +880,48 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
 		return FALSE;
 	}
 
+	/* Validate addresses */
+	for (iter = priv->addresses, i = 0; iter; iter = g_slist_next (iter), i++) {
+		NMIP6Address *addr = (NMIP6Address *) iter->data;
+		guint32 prefix = nm_ip6_address_get_prefix (addr);
+
+		if (IN6_IS_ADDR_UNSPECIFIED (nm_ip6_address_get_address (addr))) {
+			g_set_error (error,
+			             NM_SETTING_IP6_CONFIG_ERROR,
+			             NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+			             _("%d. IPv6 address is invalid"),
+			             i+1);
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ADDRESSES);
+			return FALSE;
+		}
+
+		if (!prefix || prefix > 128) {
+			g_set_error (error,
+			             NM_SETTING_IP6_CONFIG_ERROR,
+			             NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+			             _("%d. IPv6 address has invalid prefix"),
+			             i+1);
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ADDRESSES);
+			return FALSE;
+		}
+	}
+
+	/* Validate routes */
+	for (iter = priv->routes, i = 0; iter; iter = g_slist_next (iter), i++) {
+		NMIP6Route *route = (NMIP6Route *) iter->data;
+		guint32 prefix = nm_ip6_route_get_prefix (route);
+
+		if (!prefix || prefix > 128) {
+			g_set_error (error,
+			             NM_SETTING_IP6_CONFIG_ERROR,
+			             NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+			             _("%d. route has invalid prefix"),
+			             i+1);
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ROUTES);
+			return FALSE;
+		}
+	}
+
 	return TRUE;
 }
 
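Review bot: The `/* Validate routes */` loop rejects only `prefix == 0` and never inspects the destination, so `::/1` together with its complementary /1 route passes verify() and covers the whole address space just as a default route would. The comment should state that this is intentional, so the prefix check is not later read as a guard against a connection capturing all traffic. Something like `/* Only a real default route (prefix 0) is refused; /1 split-default routes are accepted on purpose (OpenVPN def1) */` would do, and the retained `!prefix || prefix > 32` check in nm-setting-ip4-config.c deserves the same sentence. The address loop likewise rejects only the unspecified address, which is worth saying next to `/* Validate addresses */`. verify() begins outside this hunk.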
-- 
2.1.0