Attention is currently required from: cron2, plaisthos.

selvanair has posted comments on this change by selvanair. ( http://gerrit.openvpn.net/c/openvpn/+/1415?usp=email )

Change subject: pull-filter: improve documentation

Patch Set 1:

(1 comment)

File doc/man-sections/client-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/1415/comment/cb5ea473_694dd9d3?usp=email :
PS1, Line 349: protect against offending options pushed by a server. For example, the

> Well, I see your point, but then I find your wording a bit hard to understand
> - "it can not be relie […]

This is what I wanted to say:

Pull filter was not designed as a security measure, so do not use it for security, it's easy to be defeated. That said, there is some care one could take while writing the filter commands to guard against formatting mismatches. I do not want to give an impression that it's "secure" once ordered as an "allow-list". Maybe it is, I do not know.

I just paraphrased the above into a more formal form --- "in such situations" was meant to refer to spaces/formatting mismatches, not security; "preferred" is meant to indicate that it's a suggestion, not a fool-proof work-around.

I see it's a bit nuanced. If the intended meaning is not coming through I'll rewrite it:

Option 1 -- use a less nuanced language:

Warning: The pull-filter mechanism must not be regarded as a security measure for blocking undesired server-pushed options. It can be circumvented through formatting variations (e.g., added whitespace). To improve robustness against such formatting discrepancies, an "allow-list" configuration using specific `pull-filter accept` directives followed by a general `pull-filter ignore` is preferred to a "deny-list" approach. This recommendation does not imply that pull-filter provides any security guarantees.

Option 2 -- Just add an extra line:

"This approach improves robustness but does not guarantee security."
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1415?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a
Gerrit-Change-Number: 1415
Gerrit-PatchSet: 1
Gerrit-Owner: selvanair <[email protected]>
Gerrit-Reviewer: cron2 <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: cron2 <[email protected]>
Gerrit-Comment-Date: Mon, 08 Dec 2025 16:13:29 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 <[email protected]>
Comment-In-Reply-To: selvanair <[email protected]>
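Added example, not part of the message above and not OpenVPN code: a simplified Python model of the ordering discussed in the comment, assuming filters are tried in order, match by prefix, stop at the first match, and leave unmatched options accepted. The filter lists and pushed options are constructed samples; it shows a formatting mismatch falling through a deny-list while specific accepts followed by a general ignore drop it.

```python
# Added illustration: a simplified model of pull-filter matching, not OpenVPN code.
# Modelled rules (assumptions of this sketch): filters are tried in the order
# given, a filter matches when its text is a prefix of the pushed option, the
# first match decides, and an option that matches no filter is accepted.

def decide(filters, option):
    """Return the action ('accept', 'ignore' or 'reject') for one pushed option."""
    for action, text in filters:
        if option.startswith(text):
            return action
    return "accept"  # nothing matched: the option goes through


def applied(filters, pushed):
    """Pushed options that the client would go on to apply."""
    return [opt for opt in pushed if decide(filters, opt) == "accept"]


# Deny-list: name the unwanted option, let everything else through.
DENY_LIST = [("ignore", "route 10.0.0.0")]

# Allow-list: specific accepts first, then a general ignore for the family.
# The bare "route" prefix also covers "route-gateway", so that option needs
# its own accept if it is wanted.
ALLOW_LIST = [
    ("accept", "route 192.168.1."),
    ("accept", "route-gateway "),
    ("ignore", "route"),
]

# Constructed sample push; the third entry has two spaces after "route".
PUSHED = [
    "route 192.168.1.0 255.255.255.0",
    "route 10.0.0.0 255.0.0.0",
    "route  10.0.0.0 255.0.0.0",
    "route-gateway 192.168.1.1",
]

if __name__ == "__main__":
    for name, filters in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
        print(f"{name}:")
        for opt in PUSHED:
            print(f"  {decide(filters, opt):7} {opt!r}")
```

In this model a mismatch against the allow-list also drops a wanted option that arrives in an unexpected format, so the mismatch shows up as a missing route rather than as an unwanted one being applied.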
