colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vpn: allow IP configurations without addresses

Browse Source 
An IPv4-over-IPv6 (or vice-versa) IPsec VPN can return IP
configurations with routes and without addresses. For example, in this
scenario:

         +---------------+         +---------------+
         |  fd01::10/64  <-- VPN -->  fd02::20/64  |
         |     host1     |         |     host2     |
         +-------^-------+         +-------^-------+
                 |                         |
         +-------v-------+         +-------v-------+
         |    subnet1    |         |    subnet2    |
         | 172.16.1.0/24 |         | 172.16.2.0/24 |
         +---------------+         +---------------+

host1 and host2 establish a IPv6 tunnel which encapsulates packets
between the two IPv4 subnets. Therefore, in routed mode, host1 will
need to configure a route like "172.16.2.0/24 via ipsec1" even if the
host doesn't have any IPv4 address on the VPN interface.

Accept IP configurations without address from the VPN; only check that
the address and prefix are sane if they are provided.

(cherry picked from commit 97f185e1f8)
This commit is contained in:
Beniamino Galvani
2024-05-07 17:51:19 +02:00
parent 4f05de07ad
commit 518b7c5bd5
1 changed files with 27 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/core/vpn/nm-vpn-connection.c
View File

@@ -1988,6 +1988,12 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
nm_l3_config_data_set_dns_priority(l3cd, AF_INET, NM_DNS_PRIORITY_DEFAULT_VPN); nm_l3_config_data_set_dns_priority(l3cd, AF_INET, NM_DNS_PRIORITY_DEFAULT_VPN);
_vardict_to_addr(addr_family,
dict,
IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY
: NM_VPN_PLUGIN_IP6_CONFIG_INT_GATEWAY,
&priv->ip_data_x[IS_IPv4].gw_internal);
if (IS_IPv4) { if (IS_IPv4) {
address.a4 = (NMPlatformIP4Address){ address.a4 = (NMPlatformIP4Address){
.plen = 24, .plen = 24,
@@ -1998,16 +2004,17 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
}; };
} }
_vardict_to_addr(addr_family, if (_vardict_to_addr(addr_family,
dict, dict,
IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS
: NM_VPN_PLUGIN_IP6_CONFIG_INT_GATEWAY, : NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
&priv->ip_data_x[IS_IPv4].gw_internal); address.ax.address_ptr)
&& nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
_vardict_to_addr(addr_family, _LOGW("invalid IP%c config received: address is zero",
dict, nm_utils_addr_family_to_char(addr_family));
IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS : NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS, _check_complete(self, FALSE);
address.ax.address_ptr); return;
}
if (!_vardict_to_addr(addr_family, if (!_vardict_to_addr(addr_family,
dict, dict,
@@ -2024,17 +2031,20 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
&u32)) &u32))
address.ax.plen = u32; address.ax.plen = u32;
if (address.ax.plen > 0 && address.ax.plen <= (IS_IPv4 ? 32 : 128) if (!nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)
&& !nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) { && (address.ax.plen == 0 || address.ax.plen > (IS_IPv4 ? 32 : 128))) {
address.ax.addr_source = NM_IP_CONFIG_SOURCE_VPN; _LOGW("invalid IP%c config received: invalid prefix %u",
nm_l3_config_data_add_address(l3cd, addr_family, NULL, &address.ax); nm_utils_addr_family_to_char(addr_family),
} else { address.ax.plen);
_LOGW("invalid IP%c config received: no valid IP address/prefix",
nm_utils_addr_family_to_char(addr_family));
_check_complete(self, FALSE); _check_complete(self, FALSE);
return; return;
} }
if (!nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
address.ax.addr_source = NM_IP_CONFIG_SOURCE_VPN;
nm_l3_config_data_add_address(l3cd, addr_family, NULL, &address.ax);
}
if (IS_IPv4) { if (IS_IPv4) {
if (g_variant_lookup(dict, NM_VPN_PLUGIN_IP4_CONFIG_DNS, "au", &var_iter)) { if (g_variant_lookup(dict, NM_VPN_PLUGIN_IP4_CONFIG_DNS, "au", &var_iter)) {
while (g_variant_iter_next(var_iter, "u", &u32)) while (g_variant_iter_next(var_iter, "u", &u32))