Attention is currently required from: its_Giaan, ordex.
Hello flichtenheld, ordex, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email
to look at the new patch set (#5).
The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now.
Change subject: Minor fix to process_ip_header
......................................................................
Minor fix to process_ip_header
Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
uneeded complexity.
While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.
Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori <[email protected]>
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/5
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
* us to examine the IP header (IPv4 or IPv6).
*/
unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
process_ip_header(c, flags, &c->c2.buf);
#ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
}
if (!c->options.block_ipv6)
{
- flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+ flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
}
if (buf->len > 0)
{
- /*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
- if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+ struct buffer ipbuf = *buf;
+ if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
{
- struct buffer ipbuf = *buf;
- if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
- {
#if PASSTOS_CAPABILITY
- /* extract TOS from IP header */
- if (flags & PIPV4_PASSTOS)
- {
- link_socket_extract_tos(c->c2.link_socket, &ipbuf);
- }
+ /* extract TOS from IP header */
+ if (flags & PIPV4_PASSTOS)
+ {
+ link_socket_extract_tos(c->c2.link_socket, &ipbuf);
+ }
#endif
- /* possibly alter the TCP MSS */
- if (flags & PIP_MSSFIX)
- {
- mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
- }
-
- /* possibly do NAT on packet */
- if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
- {
- const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING
: CN_OUTGOING;
- client_nat_transform(c->options.client_nat, &ipbuf,
direction);
- }
- /* possibly extract a DHCP router message */
- if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
- {
- const in_addr_t dhcp_router =
dhcp_extract_router_msg(&ipbuf);
- if (dhcp_router)
- {
- route_list_add_vpn_gateway(c->c1.route_list, c->c2.es,
dhcp_router);
- }
- }
- }
- else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
+ /* possibly alter the TCP MSS */
+ if (flags & PIP_MSSFIX)
{
- /* possibly alter the TCP MSS */
- if (flags & PIP_MSSFIX)
- {
- mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
- }
- if (!(flags & PIP_OUTGOING) && (flags
- &(PIPV6_IMCP_NOHOST_CLIENT |
PIPV6_IMCP_NOHOST_SERVER)))
- {
- ipv6_send_icmp_unreachable(c, buf,
- (bool)(flags &
PIPV6_IMCP_NOHOST_CLIENT));
- /* Drop the IPv6 packet */
- buf->len = 0;
- }
-
+ mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
}
+
+ /* possibly do NAT on packet */
+ if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+ {
+ const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING :
CN_OUTGOING;
+ client_nat_transform(c->options.client_nat, &ipbuf, direction);
+ }
+ /* possibly extract a DHCP router message */
+ if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
+ {
+ const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
+ if (dhcp_router)
+ {
+ route_list_add_vpn_gateway(c->c1.route_list, c->c2.es,
dhcp_router);
+ }
+ }
+ }
+ else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
+ {
+ /* possibly alter the TCP MSS */
+ if (flags & PIP_MSSFIX)
+ {
+ mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
+ }
+ if (!(flags & PIP_OUTGOING) && (flags
+ &(PIPV6_ICMP_NOHOST_CLIENT |
PIPV6_ICMP_NOHOST_SERVER)))
+ {
+ ipv6_send_icmp_unreachable(c, buf,
+ (bool)(flags &
PIPV6_ICMP_NOHOST_CLIENT));
+ /* Drop the IPv6 packet */
+ buf->len = 0;
+ }
+
}
}
}
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index e19115e..bc00ba5 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -297,8 +297,9 @@
#define PIP_OUTGOING (1<<2)
#define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
#define PIPV4_CLIENT_NAT (1<<4)
-#define PIPV6_IMCP_NOHOST_CLIENT (1<<5)
-#define PIPV6_IMCP_NOHOST_SERVER (1<<6)
+#define PIPV6_ICMP_NOHOST_CLIENT (1<<5)
+#define PIPV6_ICMP_NOHOST_SERVER (1<<6)
+
void process_ip_header(struct context *c, unsigned int flags, struct buffer
*buf);
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 4344126..712456c 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3645,7 +3645,7 @@
if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
{
- unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
+ unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER;
set_prefix(item.instance);
item.instance->context.c2.buf = item.buffer->buf;
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/525?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Gerrit-Change-Number: 525
Gerrit-PatchSet: 5
Gerrit-Owner: its_Giaan <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: ordex <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: its_Giaan <[email protected]>
Gerrit-Attention: ordex <[email protected]>
Gerrit-MessageType: newpatchset
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
