Bug#858607: unblock: ocserv/0.11.6-2

2017-03-24 Thread Emilio Pozuelo Monfort
Control: reopen -1

On 24/03/17 19:17, Emilio Pozuelo Monfort wrote:
> On 24/03/17 12:49, Aron Xu wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock ocserv/0.11.6-2. This update includes four small
>> patches cherry-picked from later upstream releases, which improve
>> firewall handling and MTU/MSS calculation.
> 
> It's already unblocked.

Actually it's not. I replied to the wrong bug. Reopening.

Emilio




Processed: Re: Bug#858607: unblock: ocserv/0.11.6-2

2017-03-24 Thread Debian Bug Tracking System
Processing control commands:

> reopen -1
Bug #858607 {Done: Emilio Pozuelo Monfort } 
[release.debian.org] unblock: ocserv/0.11.6-2
Bug reopened
Ignoring request to alter fixed versions of bug #858607 to the same values 
previously set

-- 
858607: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858607
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#858607: unblock: ocserv/0.11.6-2

2017-03-24 Thread Aron Xu
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock ocserv/0.11.6-2. This update includes four small
patches cherry-picked from later upstream releases, which improve
firewall handling and MTU/MSS calculation.

Patches are attached.

Regards,
Aron
From 9f735613c496a17461f60a75caf2f394ae781d4c Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos 
Date: Thu, 23 Feb 2017 09:54:05 +0100
Subject: [PATCH 7/7] worker-vpn: use TCP_INFO on linux to obtain accurate MTU
 information

This provides a more accurate value than the one obtained from the
TCP MSS. The latter is affected by too many factors (such as TCP
options) to provide a reliable value.

Signed-off-by: Nikos Mavrogiannopoulos 
---
 src/worker-vpn.c | 80 +---
 1 file changed, 48 insertions(+), 32 deletions(-)

diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index ea80ebd..311fc2a 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -48,7 +48,7 @@
 #include 
 #include 
 
-#if defined(__linux__) &&!defined(IPV6_PATHMTU)
+#if defined(__linux__) && !defined(IPV6_PATHMTU)
 # define IPV6_PATHMTU 61
 #endif
 
@@ -942,11 +942,45 @@ void mtu_ok(worker_st * ws)
 			x += r % diff; \
 		}
 
+int get_pmtu_approx(worker_st *ws)
+{
+	socklen_t sl;
+	int ret, e;
+
+#if defined(__linux__) && defined(TCP_INFO)
+	struct tcp_info ti;
+	sl = sizeof(ti);
+
+	ret = getsockopt(ws->conn_fd, IPPROTO_TCP, TCP_INFO, , );
+	if (ret == -1) {
+		e = errno;
+		oclog(ws, LOG_INFO, "error in getting TCP_INFO: %s",
+		  strerror(e));
+		return -1; 
+	} else {
+		return ti.tcpi_pmtu;
+	}
+#else
+	int max = -1;
+
+	sl = sizeof(max);
+	ret = getsockopt(ws->conn_fd, IPPROTO_TCP, TCP_MAXSEG, , );
+	if (ret == -1) {
+		e = errno;
+		oclog(ws, LOG_INFO, "error in getting TCP_MAXSEG: %s",
+		  strerror(e));
+		return -1;
+	} else {
+		MSS_ADJUST(max);
+		return max;
+	}
+#endif
+}
+
 static
 int periodic_check(worker_st * ws, struct timespec *tnow, unsigned dpd)
 {
-	socklen_t sl;
-	int max, e, ret;
+	int max, ret;
 	time_t now = tnow->tv_sec;
 	time_t periodic_check_time = PERIODIC_CHECK_TIME;
 
@@ -1036,20 +1070,11 @@ int periodic_check(worker_st * ws, struct timespec *tnow, unsigned dpd)
 	}
 
 	if (ws->conn_type != SOCK_TYPE_UNIX && ws->udp_state != UP_DISABLED) {
-		sl = sizeof(max);
-		ret = getsockopt(ws->conn_fd, IPPROTO_TCP, TCP_MAXSEG, , );
-		if (ret == -1) {
-			e = errno;
-			oclog(ws, LOG_INFO, "error in getting TCP_MAXSEG: %s",
-			  strerror(e));
-		} else {
-			MSS_ADJUST(max);
-			/*oclog(ws, LOG_DEBUG, "TCP MSS is %u", max); */
-			if (max > 0 && max < ws->link_mtu) {
-oclog(ws, LOG_DEBUG, "reducing MTU due to TCP MSS to %u",
-  max);
-link_mtu_set(ws, max);
-			}
+		max = get_pmtu_approx(ws);
+		if (max > 0 && max < ws->link_mtu) {
+			oclog(ws, LOG_DEBUG, "reducing MTU due to TCP/PMTU to %u",
+			  max);
+			link_mtu_set(ws, max);
 		}
 	}
 
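Review bot: The condition `max < ws->link_mtu` only ever lowers the link MTU, so once a low path-MTU estimate has been applied it persists for the rest of the session even if the kernel later raises `tcpi_pmtu` again (Linux re-probes PMTU periodically), unless link_mtu_set or code outside this hunk restores it. Because the kernel's estimate is driven by ICMP Fragmentation-Needed / Packet-Too-Big messages, anyone on the path can push it down to the kernel's minimum, and with this ratchet the tunnel MTU stays there. I would at least document the behaviour above the check: `/* MTU is only ever reduced here; a (possibly ICMP-induced) low PMTU estimate is never reverted for this session. */`. A floor on `max` before calling link_mtu_set would bound the damage, but the right minimum depends on the overhead arithmetic in MSS_ADJUST/link_mtu_set, which is not visible in this hunk. periodic_check's body starts and ends outside this hunk.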
@@ -1571,7 +1596,7 @@ static int connect_handler(worker_st * ws)
 	struct http_req_st *req = >req;
 	struct pollfd pfd[4];
 	unsigned pfd_size;
-	int e, max, ret, t;
+	int max, ret, t;
 	char *p;
 	unsigned rnd;
 #ifdef HAVE_PPOLL
@@ -1580,7 +1605,6 @@ static int connect_handler(worker_st * ws)
 	unsigned tls_pending, dtls_pending = 0, i;
 	struct timespec tnow;
 	unsigned ip6;
-	socklen_t sl;
 	sigset_t emptyset, blockset;
 
 	sigemptyset();
@@ -1693,19 +1717,11 @@ static int connect_handler(worker_st * ws)
 	/* Attempt to use the TCP connection maximum segment size to set a more
 	 * precise MTU. */
 	if (ws->conn_type != SOCK_TYPE_UNIX) {
-		sl = sizeof(max);
-		ret = getsockopt(ws->conn_fd, IPPROTO_TCP, TCP_MAXSEG, , );
-		if (ret == -1) {
-			e = errno;
-			oclog(ws, LOG_INFO, "error in getting TCP_MAXSEG: %s",
-			  strerror(e));
-		} else {
-			MSS_ADJUST(max);
-			if (max > 0 && max < ws->vinfo.mtu) {
-oclog(ws, LOG_INFO,
-  "reducing MTU due to TCP MSS to %u (from %u)", max, ws->vinfo.mtu);
-ws->vinfo.mtu = max;
-			}
+		max = get_pmtu_approx(ws);
+		if (max > 0 && max < ws->vinfo.mtu) {
+			oclog(ws, LOG_DEBUG, "reducing MTU due to TCP/PMTU to %u",
+			  max);
+			link_mtu_set(ws, max);
 		}
 	}
 
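Review bot: The new check compares the path-MTU estimate against `ws->vinfo.mtu` but then applies it with `link_mtu_set(ws, max)`, whereas the corresponding hunk in periodic_check compares against `ws->link_mtu`; if vinfo.mtu is the tunnel MTU (smaller than the link MTU by the CSTP/IP overhead, as the removed `ws->vinfo.mtu = max` assignment suggested), a path MTU that falls between the two values is silently ignored here and only caught by a later periodic check. Making the two sites agree, `if (max > 0 && max < ws->link_mtu)`, would avoid that, assuming ws->link_mtu is already initialised at this point in connect_handler (not visible in the hunk). The log line also dropped the previous value and was demoted from LOG_INFO to LOG_DEBUG, which loses useful context at session start; keeping `"reducing MTU due to TCP/PMTU to %u (from %u)", max, ws->vinfo.mtu` costs nothing. The comment above the block still says "maximum segment size" although on Linux the value now comes from the kernel's PMTU. connect_handler's body continues outside this hunk.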
-- 
2.1.4

From 1233f67c3f89bce5f8300c22de8c745d2ae7e9dd Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos 
Date: Wed, 22 Feb 2017 16:22:55 +0100
Subject: [PATCH 6/7] worker-vpn: corrected calculation for MTU via TCP MSS

Signed-off-by: Nikos Mavrogiannopoulos 
---
 src/worker-vpn.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 2a00ef9..ea80ebd 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -74,6 +74,13 @@
 #define CSTP_DTLS_OVERHEAD 1
 #define CSTP_OVERHEAD 8
 
+#define IP_HEADER_SIZE 20
+#define IPV6_HEADER_SIZE 40
+#define TCP_HEADER_SIZE 20
+#define UDP_HEADER_SIZE 8
+
+#define