Hello,

Here is a patch for protocol_subnet.c with two modifications:

- in tunnelserver mode, tinc must check subnets in the ".../hosts/owner"
  config file, not in "c->config_tree" (which is the configuration
  of the meta-connection from which we receive the ADD_SUBNET message).
- this checking can be made before the check of the owner, especially
  before any "new_node" call.

Thanks,

-- 
Thomas NOEL <thomas.noel@auf.org> http://www.auf.org/
Technical Infrastructure Coordinator
Agence universitaire de la Francophonie (AUF)
Central Services, Paris - 4 place de la Sorbonne - 75005 Paris
Tel: +33 (0)1 44 41 18 18, ext. 1822  Fax: +33(0)1 44 41 18 19
> Please avoid sending me Word or PowerPoint documents
> see http://www.gnu.org/philosophy/no-word-attachments.fr.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tunnelserver-check-correct-file-for-subnet.patch
Type: text/x-patch
Size: 2501 bytes
Desc: not available
Url: http://brouwer.uvt.nl/pipermail/tinc-devel/attachments/20050413/b8dbd3ad/tunnelserver-check-correct-file-for-subnet.bin

On Wed, Apr 13, 2005 at 11:25:20AM +0200, Thomas NOEL wrote:

> - in tunnelserver mode, tinc must check subnets in the ".../hosts/owner"
>   config file, not in "c->config_tree" (which is the configuration
>   of the meta-connection from which we receive the ADD_SUBNET message).

But these two are the same, because:

	if(tunnelserver && owner != myself && owner != c->node)
		return false;

> - this checking can be made before the check of the owner, especially
>   before any "new_node" call.

I agree with that.

-- 
Met vriendelijke groet / with kind regards,
  Guus Sliepen <guus@sliepen.eu.org>

On 13.04.2005 15:08, Guus Sliepen wrote:

>> - this checking can be made before the check of the owner, especially
>>   before any "new_node" call.
> I agree with that.

Here is a correct patch for this.

Cheers,

-- 
Thomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tunnelserver-check-before-new-node.patch
Type: text/x-patch
Size: 1725 bytes
Desc: not available
Url: http://brouwer.uvt.nl/pipermail/tinc-devel/attachments/20050413/141679d4/tunnelserver-check-before-new-node.bin

On Wed, Apr 13, 2005 at 04:14:06PM +0200, Thomas NOEL wrote:

> On 13.04.2005 15:08, Guus Sliepen wrote:
> >> - this checking can be made before the check of the owner, especially
> >>   before any "new_node" call.
> > I agree with that.
>
> Here is a correct patch for this.

Oh, I thought you only meant the

	if(tunnelserver && owner != myself && owner != c->node)
		return false;

part. You have to do that first, because otherwise you could allow nodes to
add Subnets for other nodes.

-- 
Met vriendelijke groet / with kind regards,
  Guus Sliepen <guus@sliepen.eu.org>
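
The ordering discussed in this thread, as an added example that is not part of the thread and not tinc's own code: a simplified model of the tunnelserver gate on ADD_SUBNET, next to a config lookup that ignores the owner field. The types, function names and sample data are hypothetical, and the local-node case (owner == myself) is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model: nodes are names, subnets are strings. */
typedef struct {
    const char *node;            /* peer authenticated on this meta-connection */
    const char *const *subnets;  /* Subnet entries configured for that peer */
    size_t n_subnets;
} connection_t;

/* Is the announced subnet among those configured for the connected peer? */
static bool listed(const connection_t *c, const char *subnet) {
    for (size_t i = 0; i < c->n_subnets; i++)
        if (strcmp(c->subnets[i], subnet) == 0)
            return true;
    return false;
}

/* Owner gate first, config lookup second. */
bool accept_add_subnet(const connection_t *c, const char *owner,
                       const char *subnet) {
    if (strcmp(owner, c->node) != 0)
        return false;            /* peer speaks only for itself */
    return listed(c, subnet);    /* and only for its configured subnets */
}

/* Config lookup alone, for comparison: the owner field is never examined. */
bool accept_config_only(const connection_t *c, const char *owner,
                        const char *subnet) {
    (void)owner;
    return listed(c, subnet);
}

/* Constructed sample data: peer "alice" is configured with one subnet. */
static const char *const ALICE_SUBNETS[] = { "10.1.0.0/16" };
static const connection_t ALICE = { "alice", ALICE_SUBNETS, 1 };

int main(void) {
    /* Exit status 0 when alice's own announcement passes and the same
       announcement attributed to "bob" is refused. */
    return !(accept_add_subnet(&ALICE, "alice", "10.1.0.0/16") &&
             !accept_add_subnet(&ALICE, "bob", "10.1.0.0/16"));
}
```

With the owner gate in place, an announcement over alice's connection that names "bob" as owner is refused before the config lookup runs; the lookup alone accepts it.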