[Openvpn-devel] [PATCH] Allow reconnecting in p2p mode work under FreeBSD

[Arne Schwabe]

This commit consists of two parts.
 - explicitly removing an existing peer in p2p mode
 - ignoring the ping timeout notification that is generated by the first part

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
 src/openvpn/dco.c         |  9 +++++++++
 src/openvpn/dco_freebsd.c |  2 ++
 src/openvpn/forward.c     | 13 +++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 03ac8438a..cbd834194 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -459,6 +459,15 @@ dco_p2p_add_new_peer(struct context *c)
 
     struct sockaddr *remoteaddr = &ls->info.lsa->actual.dest.addr.sa;
     struct tls_multi *multi = c->c2.tls_multi;
+#ifdef TARGET_FREEBSD
+    /* In Linux in P2P mode the kernel automatically removes an existing peer
+     * when adding a new peer. FreeBSD needs to explicitly be told to do that 
*/
+    if (c->c2.tls_multi->dco_peer_id != -1)
+    {
+        dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->dco_peer_id);
+        c->c2.tls_multi->dco_peer_id = -1;
+    }
+#endif
     int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id,
                            c->c2.link_socket->sd, NULL, remoteaddr, NULL, 
NULL);
     if (ret < 0)
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 4e03f52e9..a52ac8c1b 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -312,6 +312,8 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid)
     nvlist_t *nvl;
     int ret;
 
+    msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);
+
     nvl = nvlist_create(0);
     nvlist_add_number(nvl, "peerid", peerid);
 
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 1b418b1bc..958bf0b56 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1174,9 +1174,22 @@ process_incoming_dco(struct context *c)
 
     dco_do_read(dco);
 
+    /* FreeBSD currently sends us removal notifcation with the old peer-id in
+     * p2p mode with the ping timeout reason, so ignore that one to not shout
+     * ourselves in the foot and removing the just established session */
+    if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
+    {
+        msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
+            "expected %d", __func__, dco->dco_message_peer_id,
+            c->c2.tls_multi->dco_peer_id);
+        return;
+    }
+
     if ((dco->dco_message_type == OVPN_CMD_DEL_PEER)
         && (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED))
     {
+        msg(D_DCO_DEBUG, "%s: received peer expired notification of for 
peer-id "
+            "%d", __func__, dco->dco_message_peer_id);
         trigger_ping_timeout_signal(c);
         return;
     }
-- 
2.37.1 (Apple Git-137.1)



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel