Hi Ralf,

2026-05-26, 14:45:40 +0200, Ralf Lici wrote:
> ovpn accepts a userspace-provided socket and a peer remote endpoint
> through netlink. For UDP peers, the remote endpoint family selects the
> transmit path used later by ovpn_udp_output.
> 
> An IPv4 UDP socket cannot be used with an IPv6 remote endpoint. If
> accepted, the transmit path may reach IPv6 routing and UDP tunnel
> helpers with an IPv4 socket. Similarly, an IPv6-only UDP socket cannot
> be used with an IPv4 remote endpoint. Otherwise ovpn may enter the IPv4
> UDP transmit path, where IPv4 routing treats the unspecified source as a
> normal source-selection request and may choose an IPv4 source address,
> bypassing the check that udpv6_sendmsg would normally enforce.
> 
> Parse the remote endpoint once in the peer new/set paths and reject UDP
> remotes when the provided socket cannot send to them. Pass the parsed
> endpoint into the common peer modify helper so the validation and the
> stored endpoint use the same normalized sockaddr.

Since this can be changed at any time by userspace, I'm not convinced
checking it at setup time is very useful.

AFAIU, the next patch fixes the actual issue. This one seems to mainly
help userspace avoid drops in case they incorrectly set up their
socket (as long as they do that in the "right order", i.e. all
setsockopt before passing the socket to ovpn).

-- 
Sabrina
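
As an added illustration (not code from the ovpn patch, the kernel, or either
poster), a userspace preflight check that mirrors the rule stated in the
quoted commit message: an AF_INET socket cannot transmit to an IPv6 remote,
an AF_INET6 socket with IPV6_V6ONLY set cannot transmit to an IPv4 remote,
and a dual-stack AF_INET6 socket may. It is the kind of check userspace
can run before handing the socket to ovpn, after all setsockopt calls are
done. Function names, the enum, and the sample remotes are this example's
own; it is Linux-specific (SO_DOMAIN).

```c
/* Added example: userspace preflight check, socket domain vs. remote family.
 * Names are this example's own; ovpn's kernel helper is not reproduced. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum remote_compat {
	COMPAT_OK = 0,            /* socket can transmit to this remote */
	COMPAT_BAD_FAMILY = -1,   /* remote family unreachable from socket domain */
	COMPAT_V6ONLY_TO_V4 = -2, /* IPV6_V6ONLY socket given an IPv4 remote */
	COMPAT_ERR = -3,          /* socket could not be created or queried */
};

/* Pure decision on (socket domain, IPV6_V6ONLY flag, remote family). */
static enum remote_compat remote_compat_rule(int sock_domain, int v6only,
					     int remote_family)
{
	switch (sock_domain) {
	case AF_INET:
		/* An IPv4 socket has no IPv6 transmit path at all. */
		return remote_family == AF_INET ? COMPAT_OK : COMPAT_BAD_FAMILY;
	case AF_INET6:
		if (remote_family == AF_INET6)
			return COMPAT_OK;
		if (remote_family == AF_INET)
			/* Dual-stack reaches IPv4 via ::ffff:a.b.c.d; v6only cannot. */
			return v6only ? COMPAT_V6ONLY_TO_V4 : COMPAT_OK;
		return COMPAT_BAD_FAMILY;
	default:
		return COMPAT_BAD_FAMILY;
	}
}

/* Same decision taken from a live socket: read SO_DOMAIN and, for IPv6,
 * IPV6_V6ONLY, then apply the rule to the remote's sa_family. */
static enum remote_compat socket_can_reach(int fd, const struct sockaddr *remote)
{
	int domain = 0, v6only = 0;
	socklen_t len = sizeof(domain);

	if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) < 0)
		return COMPAT_ERR;
	if (domain == AF_INET6) {
		len = sizeof(v6only);
		if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, &len) < 0)
			return COMPAT_ERR;
	}
	return remote_compat_rule(domain, v6only, remote->sa_family);
}

/* Parse "a.b.c.d" or "x::y" plus a port into a sockaddr_storage. */
static int parse_remote(const char *text, uint16_t port,
			struct sockaddr_storage *out)
{
	struct sockaddr_in *v4 = (struct sockaddr_in *)out;
	struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)out;

	memset(out, 0, sizeof(*out));
	if (inet_pton(AF_INET, text, &v4->sin_addr) == 1) {
		v4->sin_family = AF_INET;
		v4->sin_port = htons(port);
		return 0;
	}
	if (inet_pton(AF_INET6, text, &v6->sin6_addr) == 1) {
		v6->sin6_family = AF_INET6;
		v6->sin6_port = htons(port);
		return 0;
	}
	return -1;
}

/* Create a UDP socket of the given domain (IPV6_V6ONLY set as requested for
 * AF_INET6), check it against a textual remote, close it. COMPAT_ERR means
 * the socket could not be set up (e.g. no IPv6 support on the host). */
static enum remote_compat check_fresh_socket(int domain, int v6only,
					     const char *remote_text)
{
	struct sockaddr_storage ss;
	enum remote_compat r;
	int fd;

	if (parse_remote(remote_text, 1194, &ss) < 0)
		return COMPAT_BAD_FAMILY;
	fd = socket(domain, SOCK_DGRAM, 0);
	if (fd < 0)
		return COMPAT_ERR;
	if (domain == AF_INET6 &&
	    setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) < 0) {
		close(fd);
		return COMPAT_ERR;
	}
	r = socket_can_reach(fd, (const struct sockaddr *)&ss);
	close(fd);
	return r;
}

int main(void)
{
	/* Constructed sample remotes from documentation prefixes. */
	printf("v4 socket   -> 192.0.2.1   : %d\n", check_fresh_socket(AF_INET, 0, "192.0.2.1"));
	printf("v4 socket   -> 2001:db8::1 : %d\n", check_fresh_socket(AF_INET, 0, "2001:db8::1"));
	printf("v6only      -> 192.0.2.1   : %d\n", check_fresh_socket(AF_INET6, 1, "192.0.2.1"));
	printf("dual-stack  -> 192.0.2.1   : %d\n", check_fresh_socket(AF_INET6, 0, "192.0.2.1"));
	return 0;
}
```

The live-socket path reads the options back with getsockopt rather than
trusting what the caller thinks it set, which is the same state the kernel
would see at the time the socket is passed in; any later setsockopt by
userspace is of course not covered, which is the limitation raised in the
reply above.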


_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel