libnm-util: allow 0.0.0.0/1 route in verify() (rh #1203904)
authorJiří Klimeš <jklimes@redhat.com>
Fri, 20 Mar 2015 13:02:19 +0000 (14:02 +0100)
committerJiří Klimeš <jklimes@redhat.com>
Tue, 24 Mar 2015 11:19:17 +0000 (12:19 +0100)
OpenVPN uses a trick to override the default route by adding these two routes:
0.0.0.0/1 and 128.0.0.0/1.
We should allow this and only refuse a real default route (i.e. prefix == 0).

Also verify IPv6 addresses and routes.

See:
man openvpn (search for def1)
https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

https://bugzilla.redhat.com/show_bug.cgi?id=1203904

libnm-util/nm-setting-ip4-config.c
libnm-util/nm-setting-ip6-config.c

index 532231a..4db43cb 100644 (file)
@@ -959,16 +959,6 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
                NMIP4Route *route = (NMIP4Route *) iter->data;
                guint32 prefix = nm_ip4_route_get_prefix (route);
 
-               if (!nm_ip4_route_get_dest (route)) {
-                       g_set_error (error,
-                                    NM_SETTING_IP4_CONFIG_ERROR,
-                                    NM_SETTING_IP4_CONFIG_ERROR_INVALID_PROPERTY,
-                                    _("%d. route is invalid"),
-                                    i+1);
-                       g_prefix_error (error, "%s.%s: ", NM_SETTING_IP4_CONFIG_SETTING_NAME, NM_SETTING_IP4_CONFIG_ROUTES);
-                       return FALSE;
-               }
-
                if (!prefix || prefix > 32) {
                        g_set_error (error,
                                     NM_SETTING_IP4_CONFIG_ERROR,
index 654f049..4e69a07 100644 (file)
@@ -825,6 +825,8 @@ static gboolean
 verify (NMSetting *setting, GSList *all_settings, GError **error)
 {
        NMSettingIP6ConfigPrivate *priv = NM_SETTING_IP6_CONFIG_GET_PRIVATE (setting);
+       GSList *iter;
+       int i;
 
        if (!priv->method) {
                g_set_error_literal (error,
@@ -899,6 +901,48 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
                return FALSE;
        }
 
+       /* Validate addresses */
+       for (iter = priv->addresses, i = 0; iter; iter = g_slist_next (iter), i++) {
+               NMIP6Address *addr = (NMIP6Address *) iter->data;
+               guint32 prefix = nm_ip6_address_get_prefix (addr);
+
+               if (IN6_IS_ADDR_UNSPECIFIED (nm_ip6_address_get_address (addr))) {
+                       g_set_error (error,
+                                    NM_SETTING_IP6_CONFIG_ERROR,
+                                    NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+                                    _("%d. IPv6 address is invalid"),
+                                    i+1);
+                       g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ADDRESSES);
+                       return FALSE;
+               }
+
+               if (!prefix || prefix > 128) {
+                       g_set_error (error,
+                                    NM_SETTING_IP6_CONFIG_ERROR,
+                                    NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+                                    _("%d. IPv6 address has invalid prefix"),
+                                    i+1);
+                       g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ADDRESSES);
+                       return FALSE;
+               }
+       }
+
+       /* Validate routes */
+       for (iter = priv->routes, i = 0; iter; iter = g_slist_next (iter), i++) {
+               NMIP6Route *route = (NMIP6Route *) iter->data;
+               guint32 prefix = nm_ip6_route_get_prefix (route);
+
+               if (!prefix || prefix > 128) {
+                       g_set_error (error,
+                                    NM_SETTING_IP6_CONFIG_ERROR,
+                                    NM_SETTING_IP6_CONFIG_ERROR_INVALID_PROPERTY,
+                                    _("%d. route has invalid prefix"),
+                                    i+1);
+                       g_prefix_error (error, "%s.%s: ", NM_SETTING_IP6_CONFIG_SETTING_NAME, NM_SETTING_IP6_CONFIG_ROUTES);
+                       return FALSE;
+               }
+       }
+
        return TRUE;
 }
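Review bot: The route loop's `if (!prefix || prefix > 128)` test refuses only a literal ::/0 route and never looks at the destination, so passing it does not mean a profile leaves the default path alone. A pair of /1 routes, the trick the commit message describes for IPv4, is accepted, and the IPv4 verify() in nm-setting-ip4-config.c behaves the same way now that its destination check is removed. That is the intended behaviour, but the code does not say so; I would add above the check `/* Only a literal default route (prefix 0) is refused; /1 "half-default" routes are accepted on purpose, so verify() is not a no-default-route guarantee. */`. The new address loop can also make verify() fail for stored profiles with a `::` address or a prefix of 0, which presumably validated before this change, and that deserves a line in the description. Minor: the route message `"%d. route has invalid prefix"` lacks the "IPv6" that the two address messages carry.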