Hi,
people have already complained at me that I write such long e-mails today, so I can write more...
On Wed, Oct 12, 2022 at 08:39:31AM +0200, Gert Doering wrote:
> Factor 1: single-peer (client or p2p) vs. multi-peer
>
> single-peer -> DCO has only 1 peer, all packets that go into the
> tun/dco interface are sent out to the single peer
> ("dumb pipe mode") - exactly like tun(4) behaves
>
> If a subnet is configured on the interface, packets to
> ALL IPs (!= local) in that subnet are sent to the other
> side. No next-hop lookup is done.
This is "sort of" handled in if_ovpn.c today
    ovpn_route_peer(struct ovpn_softc *sc, struct mbuf **m0,
        const struct sockaddr *dst)
    {
    ...
        /* Shortcut if we're a client (or are a server and have only one
           client). */
        if (sc->peercount == 1)
            return (ovpn_find_only_peer(sc));
... so this works for the client, but has one interesting drawback on the
server - if there is only a single client connected, the server will send
ALL to-be-tunneled packets to that client. As soon as client #2 connects,
packets are properly sorted.
[..]
> Factor 2: IFF_POINTOPOINT vs. IFF_BROADCAST
>
> This seems to be a *BSD-specific thing, aka "there is nothing in the
> Linux specific code that seems to bother with this".
I've whacked at if_ovpn.c and dco_freebsd.c a bit now, and I seem
to have working code for both ends. I am not a FreeBSD kernel coder,
so I have no idea how many behavioural standards I am violating,
but it makes "real subnet mode in OpenVPN" work for me, with DCO.
Kernel patch attached, OpenVPN patches will follow soonish (outside
of this e-mail thread).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
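The single-peer shortcut described in the message above, as an added user-space model (not code from the original e-mail or from FreeBSD). It shows a subnet-mode server with one client handing that client a packet addressed to a different VPN IP. The struct layout, the function names, the `p2p` field and the mode-aware variant are assumptions made for illustration.

```c
/* Added user-space model, not FreeBSD kernel code; all names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct peer { uint32_t id; uint32_t vpn_ip; };  /* vpn_ip in host order */
struct softc {
    struct peer peers[4];
    size_t peercount;
    int p2p;  /* assumption: 1 = IFF_POINTOPOINT, 0 = IFF_BROADCAST */
};

/* Per-destination lookup: only the peer owning dst gets the packet. */
static const struct peer *
lookup_by_dst(const struct softc *sc, uint32_t dst)
{
    for (size_t i = 0; i < sc->peercount; i++)
        if (sc->peers[i].vpn_ip == dst)
            return (&sc->peers[i]);
    return (NULL);  /* nobody owns dst: caller drops the packet */
}

/* Behaviour quoted in the message: shortcut whenever peercount == 1. */
static const struct peer *
route_peer_shortcut(const struct softc *sc, uint32_t dst)
{
    if (sc->peercount == 1)
        return (&sc->peers[0]);
    return (lookup_by_dst(sc, dst));
}

/* Assumed alternative: shortcut only when the interface is point-to-point. */
static const struct peer *
route_peer_mode_aware(const struct softc *sc, uint32_t dst)
{
    if (sc->p2p && sc->peercount == 1)
        return (&sc->peers[0]);
    return (lookup_by_dst(sc, dst));
}

int main(void)
{
    /* Constructed sample: subnet-mode server, one client at 10.8.0.2. */
    struct softc srv = { .peers = { { 1, 0x0a080002 } }, .peercount = 1, .p2p = 0 };
    uint32_t other = 0x0a080063;  /* 10.8.0.99, not assigned to any peer */
    printf("shortcut:   %s\n", route_peer_shortcut(&srv, other) ? "sent to peer 1" : "dropped");
    printf("mode-aware: %s\n", route_peer_mode_aware(&srv, other) ? "sent to peer 1" : "dropped");
    return (0);
}
```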
From ddb95b7f57d78498003f3212b23e6adb0b5a9828 Mon Sep 17 00:00:00 2001 From: Gert Doering <[email protected]> Date: Wed, 12 Oct 2022 15:30:07 +0200 Subject: [PATCH] if_ovpn(4): implement ioctl() to set if_flags Fully working openvpn(8) --iroute support needs real subnet config on ovpn(4) interfaces (IFF_BROADCAST), while client-side/p2p configs need IFF_POINTOPOINT setting. So make this configurable. --- sys/net/if_ovpn.c | 41 +++++++++++++++++++++++++++++++++++++++++ sys/net/if_ovpn.h | 1 + 2 files changed, 42 insertions(+) diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index ed0ff178972..dfb475e3072 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -1081,6 +1081,44 @@ ovpn_set_peer(struct ifnet *ifp, const nvlist_t *nvl) return (0); } +static int +ovpn_set_ifmode(struct ifnet *ifp, const nvlist_t *nvl) +{ + struct ovpn_softc *sc = ifp->if_softc; + + if (nvl == NULL) + return (EINVAL); + + if (! nvlist_exists_number(nvl, "ifmode") ) + return (EINVAL); + + int ifmode = nvlist_get_number(nvl, "ifmode"); + + OVPN_WLOCK(sc); + + /* deny this if UP */ + if (ifp->if_flags & IFF_UP) { + OVPN_WUNLOCK(sc); + return (EBUSY); + } + + switch (ifmode & ~IFF_MULTICAST) { + case IFF_POINTOPOINT: + case IFF_BROADCAST: + ifp->if_flags &= + ~(IFF_BROADCAST|IFF_POINTOPOINT|IFF_MULTICAST); + ifp->if_flags |= ifmode; + break; + default: + OVPN_WUNLOCK(sc); + return (EINVAL); + } + + OVPN_WUNLOCK(sc); + + return (0); +} + static int ovpn_ioctl_set(struct ifnet *ifp, struct ifdrv *ifd) { @@ -1135,6 +1173,9 @@ ovpn_ioctl_set(struct ifnet *ifp, struct ifdrv *ifd) case OVPN_SET_PEER: ret = ovpn_set_peer(ifp, nvl); break; + case OVPN_SET_IFMODE: + ret = ovpn_set_ifmode(ifp, nvl); + break; default: ret = ENOTSUP; } diff --git a/sys/net/if_ovpn.h b/sys/net/if_ovpn.h index 26a9907711c..fd1c21e7043 100644 --- a/sys/net/if_ovpn.h +++ b/sys/net/if_ovpn.h 
@@ -60,5 +60,6 @@ enum ovpn_key_cipher { #define OVPN_SEND_PKT _IO ('D', 9) #define OVPN_POLL_PKT _IO ('D', 10) #define OVPN_GET_PKT _IO ('D', 11) +#define OVPN_SET_IFMODE _IO ('D', 12) #endif -- 2.37.3
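Review bot: in ovpn_set_ifmode(), the 64-bit number returned by nvlist_get_number() is narrowed into `int ifmode` before it is validated, so a value with extra bits set above the int range can pass the `switch (ifmode & ~IFF_MULTICAST)` check after truncation. Suggest reading it into a uint64_t, rejecting anything other than IFF_POINTOPOINT or IFF_BROADCAST (optionally with IFF_MULTICAST) on the full-width value, and only then OR-ing it into ifp->if_flags. Minor style: the declaration sits mid-function, and `if (! nvlist_exists_number(nvl, "ifmode") )` has stray spaces after `!` and before the closing parenthesis.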
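Review bot: the new `#define OVPN_SET_IFMODE _IO ('D', 12)` in if_ovpn.h has no documentation of its argument. The nvlist key "ifmode", the accepted values (IFF_POINTOPOINT or IFF_BROADCAST, optionally with IFF_MULTICAST) and the EBUSY return when the interface is IFF_UP are only visible in ovpn_set_ifmode(); a short comment next to the define would let userland callers use it without reading the driver.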
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
