Re: [Openvpn-devel] [PATCH 1/4] Read DCO traffic stats from the kernel

2022-12-13 Thread Antonio Quartulli
Hi, On 05/12/2022 17:41, Kristof Provost via Openvpn-devel wrote: From: Kristof Provost When DCO is active userspace doesn't see all of the traffic, so when we access these stats we must update them. Retrieve kernel statistics every time we access the link_(read|write)_bytes values.

Re: [Openvpn-devel] [PATCH 1/4] Read DCO traffic stats from the kernel

2022-12-13 Thread Antonio Quartulli
Hi, On 13/12/2022 05:46, Gert Doering wrote: Hi, On Mon, Dec 12, 2022 at 09:53:36PM +0100, Antonio Quartulli wrote: On 05/12/2022 17:41, Kristof Provost via Openvpn-devel wrote: [cut] +int +dco_get_peer_stats(dco_context_t *dco, struct multi_context *m) +{ + +struct ifdrv drv; +

Re: [Openvpn-devel] [PATCH 1/4] Read DCO traffic stats from the kernel

2022-12-13 Thread Gert Doering
Hi, On Tue, Dec 13, 2022 at 01:12:30PM +0100, Antonio Quartulli wrote: > Ideally a GET_PEER command is pretty standard and can also be used for > any kind of state inspection (i.e. even for 'debugging', although it's > not the primary usage) [..] > Like I said above, being this an API imho it

[Openvpn-devel] [PATCH] management: add timer to output BYTECOUNT

2022-12-13 Thread Lev Stipakov
From: Lev Stipakov BYTECOUNT on the management interface is used to display client stats, for example by openvpn-gui. At the moment BYTECOUNT is sent only if there is traffic. With DCO, the userspace process doesn't see data channel traffic, so BYTECOUNT is not sent and therefore stats are not updated. Fix

[Openvpn-devel] [PATCH applied] Re: Read DCO traffic stats from the kernel

2022-12-13 Thread Gert Doering
I've stared at the code for a bit (reasonable, with the enhancements to come from Arne / Lev), and tested on Linux without DCO (client/server), Linux with DCO (client/server) and FreeBSD with DCO (client/server), and everything worked. To make this new code work for the "configure --disable-dco"

[Openvpn-devel] [PATCH] Improve debug logging of DCO on Linux

2022-12-13 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 7 --- src/openvpn/dco_linux.c | 10 -- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index feb38cd02..5cce3f641 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c

Re: [Openvpn-devel] [PATCH 3/3] Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range

2022-12-13 Thread Antonio Quartulli
Hi, On 13/12/2022 23:54, Arne Schwabe wrote: We have 6 key slots but normally only consider 3 of them to be active/valid keys. Especially the secondary key of TM_LAME_DUCK can in rare corner cases have a key that is still installed in the kernel. While this should not cause any issues since I

[Openvpn-devel] [PATCH 1/3] Improve debug logging of DCO swap key message and Linux dco_new_peer

2022-12-13 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 18 ++ src/openvpn/dco_linux.c | 10 -- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index feb38cd02..2396bcbf0 100644 --- a/src/openvpn/dco.c +++

[Openvpn-devel] [PATCH 3/3] Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range

2022-12-13 Thread Arne Schwabe
We have 6 key slots but normally only consider 3 of them to be active/valid keys. Especially the secondary key of TM_LAME_DUCK can in rare corner cases have a key that is still installed in the kernel. While this should not cause any issues since I do not see a way for this key to become active

[Openvpn-devel] [PATCH 2/3] Trigger a USR1 if dco_update_keys fails

2022-12-13 Thread Arne Schwabe
When dco_update_keys fails, we are in some weird state that we are unlikely to recover from, since what userspace and kernel space think of the keys is very likely not to be in sync anymore. So abandon the connection if this happens. Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 15

[Openvpn-devel] DCO p2p TLS ASSERT()

2022-12-13 Thread Gert Doering
Hi, I've managed to break p2p TLS again... not sure how I did this, but anyway. This is "master + kp 1/4" running on FreeBSD, in a p2p --tls-server instance. It passed the first few tests, but then got left alone for an hour, trying to reestablish the connection to the "missing --tls-client".

Re: [Openvpn-devel] [PATCH 2/3] Trigger a USR1 if dco_update_keys fails

2022-12-13 Thread Antonio Quartulli
Hi, On 13/12/2022 23:54, Arne Schwabe wrote: When dco_update_keys fails, we are in some weird state that we are unlikely to recover from, since what userspace and kernel space think of the keys is very likely not to be in sync anymore. So abandon the connection if this happens. Signed-off-by: Arne

Re: [Openvpn-devel] DCO p2p TLS ASSERT()

2022-12-13 Thread Gert Doering
Hi, On Tue, Dec 13, 2022 at 10:37:32PM +0100, Gert Doering wrote: > I've managed to break p2p TLS again... not sure how I did this, but > anyway. I now have a better theory. I was not able to make OpenVPN on Linux-DCO ASSERT(), but it gets confused all the same. So, the server side of this is

[Openvpn-devel] [PATCH applied] Re: Improve debug logging of DCO swap key message and Linux dco_new_peer

2022-12-13 Thread Gert Doering
As instructed I have changed the wording a bit, it's now "... currently %d keys installed" which should make it clear that we are talking about the number of keys, and not a key ID. "currently installed %d" is ambiguous here. I have not tested this beyond "does it compile?", but since this

Re: [Openvpn-devel] [PATCH 1/3] Improve debug logging of DCO swap key message and Linux dco_new_peer

2022-12-13 Thread Antonio Quartulli
On 13/12/2022 23:54, Arne Schwabe wrote: Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 18 ++ src/openvpn/dco_linux.c | 10 -- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index