Only skimmed this. A few small typo fixes and the like. On Tue, Jun 21, 2022 at 06:16:49PM +0200, Arne Schwabe wrote: > This allows tun-mtu to pushed but only up to the size of the preallocated > buffers. This is not a perfect solution but should allow most of the use > cases where the mtu is close enough to 1500. > > Signed-off-by: Arne Schwabe <a...@rfc2549.org> > --- > Changes.rst | 8 ++++ > doc/man-sections/client-options.rst | 4 ++ > doc/man-sections/vpn-network-options.rst | 5 +++ > src/openvpn/init.c | 52 ++++++++++++++++++++---- > src/openvpn/mtu.c | 1 + > src/openvpn/mtu.h | 3 ++ > src/openvpn/options.c | 15 ++++++- > src/openvpn/options.h | 2 + > src/openvpn/ssl.c | 3 ++ > 9 files changed, 85 insertions(+), 8 deletions(-) > > diff --git a/Changes.rst b/Changes.rst > index 79b79d608..e99671bcb 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -79,6 +79,14 @@ Cookie based handshake for UDP server > shake. The tls-crypt-v2 option allows controlling if older clients are > accepted. > > + > +Tun MTU can be pushed > + As part of changing the ``--tun-mtu`` default to 1420 (see below), the > + client can now also dynamically configure its MTU and the server will > + try to push the client MTU when the client supports it. The directive > + ``--tun-mtu-max`` has been introduced to specify the maximum pushable > + MTU size. > + > Deprecated features > ------------------- > ``inetd`` has been removed > diff --git a/doc/man-sections/client-options.rst > b/doc/man-sections/client-options.rst > index 8e0e4f18a..230e51e8d 100644 > --- a/doc/man-sections/client-options.rst > +++ b/doc/man-sections/client-options.rst > @@ -358,6 +358,10 @@ configuration. > The client announces the list of supported ciphers configured with > the > ``--data-ciphers`` option to the server. > > + :code:`IV_MTU=<max_mtu>` > + The client announces the support of pushable MTU and the maximum MTU > + the client is willing to accept.
"it" instead of repeating "the client"? > + > :code:`IV_GUI_VER=<gui_id> <version>` > The UI version of a UI if one is running, for example > :code:`de.blinkt.openvpn 0.5.47` for the Android app. > diff --git a/doc/man-sections/vpn-network-options.rst > b/doc/man-sections/vpn-network-options.rst > index 2e4fff5df..71aa3f4c7 100644 > --- a/doc/man-sections/vpn-network-options.rst > +++ b/doc/man-sections/vpn-network-options.rst > @@ -540,6 +540,11 @@ routing. > packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other > platforms > (like macOS) limit received packets to the same size as the MTU. > > +--tun-max-mtu maxmtu > + This configures the maximum MTU size that a server can push to ``maxmtu``. > + The default for ``maxmtu`` is 1600. This will increase internal buffers > + allocation for larger packet sizes. > + > --tun-mtu-extra n > Assume that the TUN/TAP device might return as many as ``n`` bytes more > than the ``--tun-mtu`` size on read. This parameter defaults to 0, which > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index 6cdcef628..e9f9778a3 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -2126,7 +2126,8 @@ pull_permission_mask(const struct context *c) > | OPT_P_ECHO > | OPT_P_PULL_MODE > | OPT_P_PEER_ID > - | OPT_P_NCP; > + | OPT_P_NCP > + | OPT_P_PUSH_MTU; > > if (!c->options.route_nopull) > { > @@ -2283,12 +2284,39 @@ do_deferred_options(struct context *c, const unsigned > int found) > #endif > > struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; > + if (!update_session_cipher(session, &c->options)) > + { > + /* The update_session_cipher method wil already print an error */ "will" > + return false; > + } > + > + /* Cipher is considered safe, so we can use it to calculate the max > + * MTU size */ > + if (found & OPT_P_PUSH_MTU) > + { > + /* MTU has changed, check that the pushed MTU is small enough to > + * be able to change it */ > + msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", > c->options.ce.tun_mtu); > + > + struct frame *frame = &c->c2.frame; > + > + if (c->options.ce.tun_mtu > frame->tun_max_mtu) > + { > + msg(D_PUSH_ERRORS, "Server pushed a large mtu, please add " > + "tun-mtu-max %d in the client configuration", > + c->options.ce.tun_mtu); > + } > + frame->tun_mtu = min_int(frame->tun_max_mtu, > c->options.ce.tun_mtu); > + } > + > if (!tls_session_update_crypto_params(session, &c->options, > &c->c2.frame, > frame_fragment, > get_link_socket_info(c))) > { > msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto > options"); > return false; > } > + > + Spurious whitespace change. > } > > return true; > @@ -2446,10 +2474,16 @@ frame_finalize_options(struct context *c, const > struct options *o) > struct frame *frame = &c->c2.frame; > > frame->tun_mtu = get_frame_mtu(c, o); > + frame->tun_max_mtu = o->ce.tun_mtu_max; > + > + /* max mtu needs to be at least as large as the tun mtu */ > + frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu); > > - /* We always allow at least 1500 MTU packets to be received in our buffer > - * space */ > - size_t payload_size = max_int(1500, frame->tun_mtu); > + /* We always allow at least 1600 MTU packets to be received in our buffer > + * space to allow server to push "baby giant MTU sizes */ Missing " > + frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu); > + > + size_t payload_size = frame->tun_max_mtu; > > /* The extra tun needs to be added to the payload size */ > if (o->ce.tun_mtu_defined) [...] _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel