Re: [Openvpn-devel] [PATCH 2/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-03-08 Thread Kristof Provost via Openvpn-devel
On 8 Mar 2022, at 15:16, Antonio Quartulli wrote: > Hi Kristof, > > A quick question for you, see below > > On 24/02/2022 17:55, Kristof Provost via Openvpn-devel wrote: >> --- a/configure.ac >> +++ b/configure.ac >> @@ -787,7 +787,20 @@ dnl >>

Re: [Openvpn-devel] [PATCH 2/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-03-08 Thread Kristof Provost via Openvpn-devel
On 8 Mar 2022, at 15:36, Antonio Quartulli wrote: > On 08/03/2022 15:29, Kristof Provost wrote: >> Theoretically I’d prefer to use the OS header, but I can certainly see the >> upside of not having that dependency. We’ll always have to do the runtime >> check (dco_available()) anyway, so I can

Re: [Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-03-08 Thread Kristof Provost via Openvpn-devel
On 8 Mar 2022, at 15:23, Antonio Quartulli wrote: > On 24/02/2022 17:55, Kristof Provost via Openvpn-devel wrote: >> I've had to add a lot of '|| defined(TARGET_FREEBSD)', and I think the >> code could be a bit cleaner if we'd make these calls conditional only on >>

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-03-10 Thread Kristof Provost via Openvpn-devel
Hi, Here's an updated version of the FreeBSD DCO patch. It addresses a few code style issues, moves the if_ovpn.h header into the tree and is rebased on top of the latest DCO branch version. Best regards, Kristof ___ Openvpn-devel mailing list

[Openvpn-devel] [PATCH] ovpn-dco: introduce FreeBSD data-channel offload support

2022-03-10 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 6 +- src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c |

[Openvpn-devel] [PATCH 1/2] dco: process DCO control packets

2022-02-24 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost If control packets come in through the DCO interface (i.e. via dco_do_read()) we must process them through process_incoming_link(). This doesn't currently manifest, because Linux passes control packets through the regular socket, not via the DCO netlink interface, but other

[Openvpn-devel] [PATCH 2/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-02-24 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 15 +- src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c | 559

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-02-24 Thread Kristof Provost via Openvpn-devel
Hi, Here's the current version of the patch to add FreeBSD DCO support. The first patch isn't strictly related to FreeBSD, but fixes what I think is a generic issue. It doesn't manifest with Linux because the Linux DCO driver allows control packets to continue through normal UDP processing. We

[Openvpn-devel] [PATCH 3/3] dco: Check for ipi_addr before using it

2022-02-22 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost If IP_RECVDSTADDR exists we'll define ENABLE_IP_PKTINFO, but that doesn't actually mean we have struct in_pktinfo. We need to check HAVE_IN_PKTINFO for that. This fixes DCO builds on FreeBSD. Signed-off-by: Kristof Provost --- src/openvpn/dco.c | 2 +- 1 file changed, 1

[Openvpn-devel] [PATCH 2/3] open_tun_generic(): Do not consider open_tun_dco() returning 0 to be an error

2022-02-22 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost It seems clear that the intent here is to special case the EEXIST error, not to consider anything else (i.e. 0) to also be an error. Signed-off-by: Kristof Provost --- src/openvpn/tun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[Openvpn-devel] [PATCH DCO]: cleanups prior to FreeBSD DCO support

2022-02-22 Thread Kristof Provost via Openvpn-devel
Hi, As said in my e-mail (from k...@freebsd.org, Feb 17th), I'm working on adding DCO support for FreeBSD. I ran into a few minor issues that are not directly related, but should be addressed anyway. These patches are all against https://github.com/OpenVPN/ovpn-dco Best regards, Kristof

[Openvpn-devel] [PATCH 1/3] dco: dco_meesage_peer_id -> dco_message_peer_id

2022-02-22 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Fix typo in variable name. Signed-off-by: Kristof Provost --- src/openvpn/dco_linux.c | 6 +++--- src/openvpn/dco_linux.h | 2 +- src/openvpn/multi.c | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/openvpn/dco_linux.c

[Openvpn-devel] [PATCH DCO]: cleanups prior to FreeBSD DCO support

2022-02-22 Thread Kristof Provost via Openvpn-devel
Hi, As said in my e-mail (from k...@freebsd.org, Feb 17th), I'm working on adding DCO support for FreeBSD. I ran into a few minor issues that are not directly related, but should be addressed anyway. These patches are all against https://github.com/OpenVPN/ovpn-dco Best regards, Kristof

[Openvpn-devel] [PATCH 2/3] open_tun_generic(): Do not consider open_tun_dco() returning 0 to be an error

2022-02-22 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost It seems clear that the intent here is to special case the EEXIST error, not to consider anything else (i.e. 0) to also be an error. Signed-off-by: Kristof Provost --- src/openvpn/tun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[Openvpn-devel] [PATCH 3/3] dco: Check for ipi_addr before using it

2022-02-22 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost If IP_RECVDSTADDR exists we'll define ENABLE_IP_PKTINFO, but that doesn't actually mean we have struct in_pktinfo. We need to check HAVE_IN_PKTINFO for that. This fixes DCO builds on FreeBSD. Signed-off-by: Kristof Provost --- src/openvpn/dco.c | 2 +- 1 file changed, 1

[Openvpn-devel] [PATCH 1/3] dco: dco_meesage_peer_id -> dco_message_peer_id

2022-02-22 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Fix typo in variable name. Signed-off-by: Kristof Provost --- src/openvpn/dco_linux.c | 6 +++--- src/openvpn/dco_linux.h | 2 +- src/openvpn/multi.c | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/openvpn/dco_linux.c

[Openvpn-devel] [PATCH] ovpn-dco: introduce FreeBSD data-channel offload support

2022-04-01 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 6 +- src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c |

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-04-01 Thread Kristof Provost via Openvpn-devel
Hi, Here's an updated version of the FreeBSD DCO patch. It rebases on top of the latest dco branch version (mostly trivial changes) and adds support for timing out peers. That requires the latest version of the kernel driver: https://reviews.freebsd.org/D34340 Best regards, Kristof

[Openvpn-devel] [PATCH] pass vpn addresses to the kernel

2022-04-13 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost --- src/openvpn/dco_freebsd.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 3f8b39e0..8c300639 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -91,6 +91,17 @@

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-04-13 Thread Kristof Provost via Openvpn-devel
Hi, Here's an updated and rebased patch for FreeBSD DCO support. The main difference to the previous version is that it passes the peer_id in most calls. There's been some changes on the driver side to improve server mode support, which required this information. Best regards, Kristof

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-04-13 Thread Kristof Provost via Openvpn-devel
Hi, This is my second attempt at sending in the updated FreeBSD DCO support patch. (The previous version had a cleanup patch but nothing else). The main difference to the previous version is that it passes the peer_id in most calls. There have been some changes on the driver side to improve

[Openvpn-devel] [PATCH] ovpn-dco: introduce FreeBSD data-channel offload support

2022-04-13 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 6 +- src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c |

[Openvpn-devel] [PATCH DCO]: Handle (DCO) timeouts in client mode

2022-04-26 Thread Kristof Provost via Openvpn-devel
Hi, During testing of FreeBSD DCO support we discovered that a DCO enabled client does not detect that the server has gone away, even if 'keepalive' is set. This turns out to be because we only handle DCO notification messages in the multi-instance (i.e. server) code path. I'm not 100% sure this

[Openvpn-devel] [PATCH] Handle (DCO) timeouts in client mode

2022-04-26 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Handle the DCO driver telling us that the peer went away, even if we're not running in multi-instance mode. Signed-off-by: Kristof Provost --- src/openvpn/forward.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c

[Openvpn-devel] [PATCH] Handle (DCO) timeouts in client mode

2022-04-27 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Handle the DCO driver telling us that the peer went away, even if we're not running in multi-instance mode. Signed-off-by: Kristof Provost --- src/openvpn/forward.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c

[Openvpn-devel] [PATCHv2 DCO]: Handle (DCO) timeouts in client mode

2022-04-27 Thread Kristof Provost via Openvpn-devel
Updated version of the timeout fix for client mode. This time with trigger_ping_timeout_signal() as suggested by Arne. Best regards, Kristof

Re: [Openvpn-devel] [PATCH] Handle (DCO) timeouts in client mode

2022-04-27 Thread Kristof Provost via Openvpn-devel
On 27 Apr 2022, at 9:55, Antonio Quartulli wrote: > Hi Kristof, > > On 27/04/2022 09:48, Kristof Provost via Openvpn-devel wrote: >> From: Kristof Provost >> >> Handle the DCO driver telling us that the peer went away, even if we're >> not running in multi-insta

Re: [Openvpn-devel] [PATCH 2/4] rework do_up() for correct order of DCO operations

2022-05-17 Thread Kristof Provost via Openvpn-devel
On 17 May 2022, at 15:28, Antonio Quartulli wrote: > On 16/05/2022 20:56, Kristof Provost via Openvpn-devel wrote: >> From: Kristof Provost >> >> We must create the peer before we can dco_set_peer or dco_new_key. >> On the other hand, we must first process options, beca

Re: [Openvpn-devel] [PATCH 4/4] Set (DCO) timeouts as well for p2p mode

2022-05-17 Thread Kristof Provost via Openvpn-devel
On 17 May 2022, at 15:25, Antonio Quartulli wrote: > Hi, > > On 16/05/2022 20:56, Kristof Provost via Openvpn-devel wrote: >> From: Kristof Provost >> >> Signed-off-by: Kristof Provost >> --- >> src/openvpn/init.c | 15 +++ >> 1 fi

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-05-16 Thread Kristof Provost via Openvpn-devel
Hi, Here's an updated version for the FreeBSD DCO support, as well as a few generic bugfixes. Best regards, Kristof

[Openvpn-devel] [PATCH 2/4] rework do_up() for correct order of DCO operations

2022-05-16 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost We must create the peer before we can dco_set_peer or dco_new_key. On the other hand, we must first process options, because those may change our peer id and we should create the peer with the correct id. Split up do_deferred_options() in do_deferred_options() and

[Openvpn-devel] [PATCH 1/4] mtcp: Handle multi_create_instance() returning NULL

2022-05-16 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost multi_create_instance() can fail (i.e. return NULL). multi_create_instance_tcp() is ready for this, but called multi_assign_peer_id() without first checking if mi was non-NULL. multi_assign_peer_id() assumed that mi is non-NULL, dereferencing it and causing a crash. Move

[Openvpn-devel] [PATCH 3/4] ovpn-dco: introduce FreeBSD data-channel offload support

2022-05-16 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 6 +- src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c |

[Openvpn-devel] [PATCH 4/4] Set (DCO) timeouts as well for p2p mode

2022-05-16 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Signed-off-by: Kristof Provost --- src/openvpn/init.c | 15 +++ 1 file changed, 15 insertions(+) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0d991ba4..701749cd 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2232,6 +2232,21 @@

Re: [Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-06-28 Thread Kristof Provost via Openvpn-devel
On 28 Jun 2022, at 21:05, Antonio Quartulli wrote: > On 28/06/2022 18:28, Kristof Provost via Openvpn-devel wrote: >> Hi, >> >> Here's the most recent version of the FreeBSD DCO patch. >> This is based on top of the dco branch, at >> 480fa1c983aba9b0790ea94df20

Re: [Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-06-29 Thread Kristof Provost via Openvpn-devel
On 29 Jun 2022, at 17:15, Arne Schwabe wrote: > On 28.06.22 at 18:28, Kristof Provost via Openvpn-devel wrote: >> Hi, >> >> Here's the most recent version of the FreeBSD DCO patch. >> This is based on top of the dco branch, at >> 480fa1c983aba9b0790ea94d

Re: [Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-06-29 Thread Kristof Provost via Openvpn-devel
On 29 Jun 2022, at 21:08, Arne Schwabe wrote: > On 29.06.2022 at 19:40, Kristof Provost wrote: >> On 29 Jun 2022, at 17:15, Arne Schwabe wrote: >>> On 28.06.22 at 18:28, Kristof Provost via Openvpn-devel wrote: >>>> Hi, >>>> >>>> H

[Openvpn-devel] [PATCH]: Handle exceeding max-clients

2022-07-13 Thread Kristof Provost via Openvpn-devel
This patch fixes a crash we've seen on server instances when one more client than 'max-clients' connects. I believe this affects both master and DCO branches, and I think it was introduced with this commit: commit b364711486dc6371ad2659a5aa190941136f4f04 Author: Arne Schwabe

[Openvpn-devel] [PATCH] Handle exceeding 'max-clients'

2022-07-13 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost If 'max-clients' is set multi_create_instance() can return NULL (for any client that would take us over the client limit). If mi is NULL we don't add it to the hash map, but we do potentially dereference it to increment the session count. Do not attempt to do so if 'mi ==

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-06-28 Thread Kristof Provost via Openvpn-devel
Hi, Here's the most recent version of the FreeBSD DCO patch. This is based on top of the dco branch, at 480fa1c983aba9b0790ea94df209e1686f08336b. Relatedly, the kernel side of that support has just landed in FreeBSD's repo:

[Openvpn-devel] [PATCH] ovpn-dco: introduce FreeBSD data-channel offload support

2022-06-28 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 5 + src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c |

[Openvpn-devel] [PATCH 1/4] Handle (DCO) timeouts in client mode

2022-04-29 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Handle the DCO driver telling us that the peer went away, even if we're not running in multi-instance mode. Signed-off-by: Kristof Provost --- src/openvpn/forward.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c

[Openvpn-devel] [PATCH 2/4] rework do_up() for correct order of DCO operations

2022-04-29 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost We must create the peer before we can dco_set_peer or dco_new_key. On the other hand, we must first process options, because those may change our peer id and we should create the peer with the correct id. Split up do_deferred_options() in do_deferred_options() and

[Openvpn-devel] [PATCH 3/4] Ensure dynamic_name is always populated

2022-04-29 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost It's always used for open_tun_dco(), so we must ensure it's populated, even if 'dev_node' is set. Signed-off-by: Kristof Provost --- src/openvpn/tun.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 245a6507..7976ad11

[Openvpn-devel] [PATCH DCO]: FreeBSD DCO support

2022-04-29 Thread Kristof Provost via Openvpn-devel
Hi, Here's the latest revision of the FreeBSD DCO patch, as well as three DCO-related fixes. Best regards, Kristof

Re: [Openvpn-devel] [PATCH 2/4] rework do_up() for correct order of DCO operations

2022-05-06 Thread Kristof Provost via Openvpn-devel
On 29 Apr 2022, at 19:02, Kristof Provost wrote: From: Kristof Provost We must create the peer before we can dco_set_peer or dco_new_key. On the other hand, we must first process options, because those may change our peer id and we should create the peer with the correct id. Split up

[Openvpn-devel] [PATCH 4/4] ovpn-dco: introduce FreeBSD data-channel offload support

2022-04-29 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 6 +- src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c |

Re: [Openvpn-devel] [PATCH] Adjust Linux+FreeBSD DCO device name handling to 'non DCO linux style'

2022-08-30 Thread Kristof Provost via Openvpn-devel
On 29 Aug 2022, at 21:01, Gert Doering wrote: > On Linux, tun devices are created according to the following algorithm > --dev tun-> try tun0, tun1, ... tun255, use first free > --dev anything -> create a TUN device named "anything" > (as long as "anything" is not "null" or "tap[N]") > >

[Openvpn-devel] [PATCH] FreeBSD networking cleanup

2022-08-22 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Address a few minor code review remarks: - use constants for the inet_ntop() buffers - replace argv_printf() + argv_printf_cat() with a single argv_printf() - net_route_v4/6 both add and remove, so adjust the error message to reflect that. Signed-off-by: Kristof

[Openvpn-devel] [PATCH]: FreeBSD networking cleanup

2022-08-22 Thread Kristof Provost via Openvpn-devel
I’ll post a patch. > - any particular reason you used argv_printf() + argv_printf_cat(), >instead of just putting all into a single argv_printf() call? > Mostly that that’s what src/openvpn/networking_iproute2.c does too. I don’t have particularly strong feelings either way, so I’ll add

Re: [Openvpn-devel] [PATCH] FreeBSD-DCO: repair device iteration to find first free interface.

2022-08-20 Thread Kristof Provost via Openvpn-devel
Acked-by: Kristof Provost Thanks! Kristof On 19 Aug 2022, at 20:24, Gert Doering wrote: > During review/update phase, FreeBSD/DCO's ability to find the first > free tun interface on "--dev tun" got broken, due to two issues: > > - create_interface() called msg(M_ERR|...), which is a fatal

Re: [Openvpn-devel] [PATCH] DCO: require valid netbits setting for non-primary iroutes.

2022-08-23 Thread Kristof Provost via Openvpn-devel
On 20 Aug 2022, at 16:01, Gert Doering wrote: > The existing DCO code had extra logic for "if this is not > MR_WITH_NETBITS, set 32/128 as address length", but only for > iroute addition. For iroute deletion, this was missing, and > subsequently iroute deletion for IPv4 host routes failed on >

Re: [Openvpn-devel] [PATCH 2/2] FreeBSD DCO: introduce real subnet mode

2022-10-17 Thread Kristof Provost via Openvpn-devel
Signed-off-by: Kristof Provost On 12 Oct 2022, at 16:59, Gert Doering wrote: > To be able to configure a FreeBSD interface to "subnet" mode > (as opposed to point-to-point mode), it needs to have its > if_iflags set to IFF_BROADCAST. For tun(4) interface this is > done with the TUNSIFMODE

Re: [Openvpn-devel] [PATCH 1/2] FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode

2022-10-17 Thread Kristof Provost via Openvpn-devel
Signed-off-by: Kristof Provost On 12 Oct 2022, at 16:59, Gert Doering wrote: > For reasons unknown, OpenVPN has always put FreeBSD tun(4) interfaces > into point-to-point mode (IFF_POINTOPOINT), which means "local and > remote address, no on-link subnet". > > "--topology subnet" was emulated by

Re: [Openvpn-devel] big packet loss with FreeBSD DCO

2022-09-12 Thread Kristof Provost via Openvpn-devel
On 12 Sep 2022, at 14:09, Gert Doering wrote: > it *does* bump the outside packet length up by +16 bytes ("bad length 1512" -> > "1528"). Smells cipher algorithm padding or so - but why 16? And why pad > at all (AES-256-GCM used, so I think we should not pad)? > I would still expect padding. AES

Re: [Openvpn-devel] big packet loss with FreeBSD DCO

2022-09-12 Thread Kristof Provost via Openvpn-devel
On 12 Sep 2022, at 14:45, Gert Doering wrote: > Hi, > > On Mon, Sep 12, 2022 at 02:09:52PM +0200, Gert Doering wrote: >> So, observation suggests "it's happening inside the DCO module". I'll >> go instrument my kernel with printf()'s now... and will report if I find >> anything useful. > > ok...

Re: [Openvpn-devel] more crashes with FreeBSD DCO...

2022-09-12 Thread Kristof Provost via Openvpn-devel
On 12 Sep 2022, at 14:36, Gert Doering wrote: > On Mon, Sep 12, 2022 at 02:27:57PM +0200, Gert Doering wrote: >> trying to load my newly-instrumented if_ovpn.ko, I kldunload'ed the >> existing one - without shutting down *all* OpenVPN instances first. >> >> *Boom*... >> >> Console attached. > >

Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-10 Thread Kristof Provost via Openvpn-devel
Thanks! On 10 Aug 2022, at 18:32, Gert Doering wrote: > Test results: > > - running openvpn over TCP gives me a kernel panic - this is not so >nice... (see attached .png from the vmware console) - userland seems >to assume "kernel can do TCP", kernel panics on "if !udp, panic()" >(so

[Openvpn-devel] [PATCHv2]: FreeBSD DCO support

2022-08-12 Thread Kristof Provost via Openvpn-devel
Hi, Here's the updated version of the FreeBSD DCO patch. It should address all remarks on the userspace side of things. I'm still trying to reproduce the fragmentation issue. I've gotten Gert's additional information, but I've not yet been able to act on it. I'm fairly certain that any bug is

[Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-12 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 5 + src/openvpn/Makefile.am| 1 + src/openvpn/dco.c |

[Openvpn-devel] [PATCH 2/2] Support creating iroute route entries on FreeBSD

2022-08-12 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Signed-off-by: Kristof Provost --- src/openvpn/Makefile.am | 1 + src/openvpn/dco.c| 8 +-- src/openvpn/dco_freebsd.h| 2 + src/openvpn/networking.h | 9 +++ src/openvpn/networking_freebsd.c | 101

Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-12 Thread Kristof Provost via Openvpn-devel
Remarks inline. Mostly ACK. I’ll post an updated version soon. (I’ve also added a check for UDP in dco_check_option_conflict_ce().) On 10 Aug 2022, at 18:32, Gert Doering wrote: > On Mon, Aug 08, 2022 at 04:34:23PM +0200, Kristof Provost via Openvpn-devel > wrote: >> diff --git a

Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-13 Thread Kristof Provost via Openvpn-devel
On 13 Aug 2022, at 10:10, Gert Doering wrote: > On Thu, Aug 11, 2022 at 05:25:05PM +0200, Kristof Provost via Openvpn-devel > wrote: >>> - running openvpn over TCP gives me a kernel panic - this is not so >>>nice... (see attached .png from the vmware c

Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-13 Thread Kristof Provost via Openvpn-devel
On 11 Aug 2022, at 23:11, Gert Doering wrote: > If you're interested, I can unicast you the full file I use for > my DCO client tests, with different ciphers, some instances with > compression (= does it properly fall back?), some with http/socks > proxy, etc., plus a set of client+ca certificates

Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-11 Thread Kristof Provost via Openvpn-devel
On 10 Aug 2022, at 18:32, Gert Doering wrote: > as promised, here's test results and code review. > > Test results: > > - running openvpn over TCP gives me a kernel panic - this is not so >nice... (see attached .png from the vmware console) - userland seems >to assume "kernel can do TCP",

[Openvpn-devel] [PATCH 2/2] Support creating iroute route entries on FreeBSD

2022-08-08 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Signed-off-by: Kristof Provost --- src/openvpn/Makefile.am | 1 + src/openvpn/dco.c| 8 +-- src/openvpn/dco_freebsd.h| 2 + src/openvpn/networking.h | 9 +++ src/openvpn/networking_freebsd.c | 101

[Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-08 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement data-channel offload for FreeBSD. The implementation and flow is very similar to that of the Linux DCO support. Signed-off-by: Kristof Provost --- configure.ac | 5 + src/openvpn/Makefile.am| 1 + src/openvpn/dco_freebsd.c |

[Openvpn-devel] [PATCH] Handle exceeding 'max-clients'

2022-08-08 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost If 'max-clients' is set multi_create_instance() can return NULL (for any client that would take us over the client limit). If mi is NULL we don't add it to the hash map, but we do potentially dereference it to increment the session count. Do not attempt to do so if 'mi ==

[Openvpn-devel] [PATCH]: FreeBSD DCO support

2022-08-08 Thread Kristof Provost via Openvpn-devel
Hi, Now that the Linux DCO support has landed in the master tree I've re-based the FreeBSD DCO support code. This patch series also includes a patch to support adding iroutes on FreeBSD. Best regards, Kristof

Re: [Openvpn-devel] [PATCH] Handle exceeding 'max-clients'

2022-08-08 Thread Kristof Provost via Openvpn-devel
Apologies, This patch isn’t part of the series (and has in fact already landed), but got sent because of a stray patch file in my working tree. Kristof On 8 Aug 2022, at 16:34, Kristof Provost wrote: > From: Kristof Provost > > If 'max-clients' is set multi_create_instance() can return NULL

[Openvpn-devel] [PATCH]: FreeBSD DCO updates

2022-12-05 Thread Kristof Provost via Openvpn-devel
Hi, This patch series is version two of the "Read DCO traffic stats from the kernel" patch. This version should build for FreeBSD, Linux and Windows now (although I've not tested Windows builds, because I lack Windows machines). It also adds the ability for DCO drivers to include counters in the

[Openvpn-devel] [PATCH 4/4] dco: cleanup FreeBSD dco_do_read()

2022-12-05 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Remove support for reading packets through the control interface. FreeBSD no longer does this, so there's no point in keeping the code for it. While here also check that we know what type of notification we're getting. There's currently only one, but we should check

[Openvpn-devel] [PATCH 1/4] Read DCO traffic stats from the kernel

2022-12-05 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost When DCO is active userspace doesn't see all of the traffic, so when we access these stats we must update them. Retrieve kernel statistics every time we access the link_(read|write)_bytes values. Introduce a dco_(read|write)_bytes so that we don't clobber the existing

[Openvpn-devel] [PATCH 2/4] dco: Update counters when a client disconnects

2022-12-05 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost When the kernel module (Linux or FreeBSD) notifies us that a peer has disconnected we'd like to get a final count of the in/out bytes for that peer. We can't request that information any more, because the kernel has already removed the peer at that point. Have the kernel

[Openvpn-devel] [PATCH 3/4] Read the peer deletion reason from the kernel

2022-12-05 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Recent FreeBSD kernels supply a reason for the OVPN_NOTIF_DEL_PEER notification. Parse this from the nvlist so we can distinguish user-requested removals from timeouts. Signed-off-by: Kristof Provost --- src/openvpn/dco_freebsd.c | 13 +

[Openvpn-devel] [PATCH] dco: pass control packets through the socket on FreeBSD

2022-11-25 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost FreeBSD allows packets to be sent through the socket even when the if_dco driver is active, so prefer that path. Also remove the FreeBSD dco_do_write() implementation, as this function will never be called any more on FreeBSD. Assert this. Signed-off-by: Kristof Provost

[Openvpn-devel] [PATCH]: FreeBSD DCO can use the socket for control packets

2022-11-25 Thread Kristof Provost via Openvpn-devel
Hi, The next e-mail has a patch to teach OpenVPN it can pass control packets through the socket on FreeBSD. This patch does that, and also removes the now unused dco_do_write() implementation. Best regards, Kristof

[Openvpn-devel] [PATCH] dco: pass control packets through the socket on FreeBSD

2022-11-26 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost FreeBSD allows packets to be sent through the socket even when the if_dco driver is active, so prefer that path. Also remove the FreeBSD dco_do_write() implementation, as this function will never be called any more on FreeBSD. Assert this. Signed-off-by: Kristof Provost

[Openvpn-devel] [DRAFT]: packet counting for DCO

2022-11-27 Thread Kristof Provost via Openvpn-devel
Hi, Here's an initial draft for how I'd approach getting traffic statistics in DCO mode. Userspace doesn't see all of the traffic, so we need to ask the kernel too. I've added new variables for the kernel numbers so that we can keep the userspace numbers, for the control packets which go through

[Openvpn-devel] [PATCH] Read DCO traffic stats from the kernel

2022-11-27 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost When DCO is active userspace doesn't see all of the traffic, so when we access these stats we must update them. Retrieve kernel statistics every time we access the link_(read|write)_bytes values. Introduce a dco_(read|write)_bytes so that we don't clobber the existing

Re: [Openvpn-devel] [PATCH]: FreeBSD DCO supports AES-192-GCM

2022-11-11 Thread Kristof Provost via Openvpn-devel
On 11 Nov 2022, at 11:36, Arne Schwabe wrote: On 11.11.2022 at 11:20, Kristof Provost via Openvpn-devel wrote: Minor update, but FreeBSD's if_ovpn now also supports AES-192-GCM. We may as well announce this support. This seems to be missing the patch. Git’s send-email sent it as a separate

[Openvpn-devel] [PATCH] FreeBSD DCO: support AES-192-GCM

2022-11-11 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost As of 2c58d0cb3bb3e3a5b714ffac940500efbe5303ca FreeBSD also allows AES-192-GCM in DCO. Announce this support. Signed-off-by: Kristof Provost --- src/openvpn/dco_freebsd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/dco_freebsd.c

[Openvpn-devel] [PATCH]: FreeBSD DCO supports AES-192-GCM

2022-11-11 Thread Kristof Provost via Openvpn-devel
Minor update, but FreeBSD's if_ovpn now also supports AES-192-GCM. We may as well announce this support. Best regards, Kristof

Re: [Openvpn-devel] [PATCH] dco: print version to log if available

2023-03-09 Thread Kristof Provost via Openvpn-devel
On 9 Mar 2023, at 1:52, Antonio Quartulli wrote: > In order to provide better support in case of troubleshooting issues, > it's important to know what exact DCO version is loaded on the user > system. > > Therefore print the DCO version during bootup. > > For Windows and FreeBSD we currently

Re: [Openvpn-devel] [PATCH] dco: print version to log if available

2023-03-09 Thread Kristof Provost via Openvpn-devel
On 9 Mar 2023, at 9:57, Antonio Quartulli wrote: > On 09/03/2023 09:36, Kristof Provost wrote: >> On 9 Mar 2023, at 1:52, Antonio Quartulli wrote: >>> In order to provide better support in case of troubleshooting issues, >>> it's important to know what exact DCO version is loaded on the user >>>

[Openvpn-devel] [PATCH] dco: print FreeBSD version

2023-03-09 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement dco_version_string() for FreeBSD. Unlike Linux and Windows the DCO driver is built into the operating system itself, so we log the OS version as a proxy for the DCO version. --- src/openvpn/dco_freebsd.c | 14 +- 1 file changed, 13 insertions(+), 1

[Openvpn-devel] [PATCH] dco: print FreeBSD version

2023-03-09 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Implement dco_version_string() for FreeBSD. Unlike Linux and Windows the DCO driver is built into the operating system itself, so we log the OS version as a proxy for the DCO version. --- src/openvpn/dco_freebsd.c | 12 +++- 1 file changed, 11 insertions(+), 1

Re: [Openvpn-devel] [PATCH] dco: print FreeBSD version

2023-03-09 Thread Kristof Provost via Openvpn-devel
On 9 Mar 2023, at 13:06, Arne Schwabe wrote: > On 09.03.23 at 10:26, Kristof Provost via Openvpn-devel wrote: >> From: Kristof Provost >> >> Implement dco_version_string() for FreeBSD. >> Unlike Linux and Windows the DCO driver is built into the operating >>

[Openvpn-devel] [PATCH] dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD

2023-03-03 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost FreeBSD's if_ovpn will never emit this as a peer deletion reason (because it doesn't support TCP), but this allows us to align the defines between Linux and FreeBSD, and remove a Linux-specific case from process_incoming_del_peer(). --- src/openvpn/dco_freebsd.h | 1 +

Re: [Openvpn-devel] [PATCH] dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD

2023-03-03 Thread Kristof Provost via Openvpn-devel
On 3 Mar 2023, at 12:48, Antonio Quartulli wrote: > On 03/03/2023 12:27, Antonio Quartulli wrote: >> Hi, >> >> On 03/03/2023 12:05, Kristof Provost via Openvpn-devel wrote: >>> From: Kristof Provost >>> >>> FreeBSD's if_ovpn will never emit this a

[Openvpn-devel] [PATCH 2/2] options.c: enforce a minimal fragment size

2023-03-01 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Very low values for 'fragment' can result in a division by zero in optimal_fragment_size() (because it rounds max_frag_size down with FRAG_SIZE_ROUND_MASK). Enforce a minimal fragment size of 68 bytes, based on RFC 791 ("Every internet module must be able to forward a

[Openvpn-devel] [PATCH 1/2] configure: improve FreeBSD DCO check

2023-03-01 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost The libnv check doesn't work as expected on FreeBSD 14.x, because FreeBSD has namespaced libnv to avoid conflicts with libnvpair. This means that the naive check generated by AC_CHECK_LIB() fails to detect libnv even though it's present. Instead check for the if_ovpn.h

[Openvpn-devel] [PATCH] DCO: support key rotation notifications

2023-04-14 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost Allow the kernel driver to notify us that it's time to renegotiate keys. The intent is to avoid IV re-use after 2^32 packets. This is a first draft intended for discussion. The accompanying kernel change for FreeBSD can be found in https://reviews.freebsd.org/D39570

[Openvpn-devel] [PATCH] dco-freebsd: dynamically re-allocate buffer if it's too small

2024-01-24 Thread Kristof Provost via Openvpn-devel
From: Kristof Provost It's possible for the buffer we provide for OVPN_GET_PEER_STATS to be too small. Handle the error, re-allocate a larger buffer and try again rather than failing. Signed-off-by: Kristof Provost --- src/openvpn/dco_freebsd.c | 16 ++-- 1 file changed, 14