Re: [Openvpn-devel] [PATCH] resolvconf fails with -p

2021-11-06 Thread Greg Cox
On Sat, Nov 6, 2021 at 7:37 PM David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> I quickly checked resolvconf on Ubuntu {18,20,21}.04 and Debian 9-11.
> None of them supports the '-p' argument.
>
> I've checked Fedora 34 and RHEL-{7,8} too, where I could not find any
> obvious alternative to the old version of the resolvconf tool.  On RHEL-8
> and Fedora, systemd-resolved is available and provides a different
> resolvconf which is intended to replace this old utility.  This replacement
> does not support '-p' either.
>
> This option got added in commit 3adf2f558e157ef508 back in 2010, but
> there's too little information on why it was needed back then.  But given
> that none of the relevant Linux distributions supports this option today,
> it's reasonable to remove it now.
>

Openresolv uses it, and Arch offers that package.
https://github.com/NetworkConfiguration/openresolv/blob/master/resolvconf.in#L108
has a -p.

That's my best guess where this came from.  And then, since this is buried
off in 'contrib', "nobody" noticed it for years.

(I don't disagree with removing it, I just like forensics).
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH applied] Re: resolvconf fails with -p

2021-11-06 Thread Gert Doering
Sorry that it took so long.  But here we go.

Your patch has been applied to the master and release/2.5 branch.

commit e739f41d05084c1bc9bfb6c5d49c74de37e53dc7 (master)
commit 8fcce5042865b6bed7dcde5d7d0372ae83d54708 (release/2.5)
Author: Sergio E. Nemirowski
Date:   Sat May 29 04:35:16 2021 +0300

 resolvconf fails with -p

 Signed-off-by: Sergio E. Nemirowski 
 Acked-by: David Sommerseth 
 Message-Id: <20210529013516.767555-1-ser...@outerface.net>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22467.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





Re: [Openvpn-devel] [PATCH] resolvconf fails with -p

2021-11-06 Thread David Sommerseth

On 29/05/2021 03:35, sergio wrote:

From: "Sergio E. Nemirowski" 

resolvconf -p
resolvconf: Error: Command not recognized

Signed-off-by: Sergio E. Nemirowski 
---
  contrib/pull-resolv-conf/client.up | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/pull-resolv-conf/client.up 
b/contrib/pull-resolv-conf/client.up
index f0769740..220aeb74 100644
--- a/contrib/pull-resolv-conf/client.up
+++ b/contrib/pull-resolv-conf/client.up
@@ -91,7 +91,7 @@ out="# resolv.conf autogenerated by ${0} 
(${dev})${nl}${dns}${ds}${domains}"
  
  # use resolvconf if it's available

  if type resolvconf >/dev/null 2>&1; then
-  printf "%s\n" "${out}" | resolvconf -p -a "${dev}"
+  printf "%s\n" "${out}" | resolvconf -a "${dev}"
  else
# Preserve the existing resolv.conf
if [ -e /etc/resolv.conf ] ; then
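Review bot: the `type resolvconf >/dev/null 2>&1` guard only checks that some resolvconf binary exists, so after dropping `-p` the script treats openresolv (which accepts `-p`) and the Debian/systemd-resolved implementations (which answer `resolvconf: Error: Command not recognized`) identically; that is the portable choice, but the commit body is just the two lines `resolvconf -p` / `resolvconf: Error: Command not recognized`, so add a sentence naming the implementations that were tested and why dropping the flag is harmless where it was accepted, otherwise the rationale is lost from `git log`.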



I quickly checked resolvconf on Ubuntu {18,20,21}.04 and Debian 9-11.
None of them supports the '-p' argument.


I've checked Fedora 34 and RHEL-{7,8} too, where I could not find any
obvious alternative to the old version of the resolvconf tool.  On RHEL-8
and Fedora, systemd-resolved is available and provides a different
resolvconf which is intended to replace this old utility.  This replacement
does not support '-p' either.


This option got added in commit 3adf2f558e157ef508 back in 2010, but
there's too little information on why it was needed back then.  But given
that none of the relevant Linux distributions supports this option today,
it's reasonable to remove it now.


Acked-By: David Sommerseth 

--
kind regards,

David Sommerseth
OpenVPN Inc





Re: [Openvpn-devel] [PATCH] Avoid resending reset reply more than once per client packet

2021-11-06 Thread Gert Doering
Hi,

On Thu, Jun 10, 2021 at 05:30:11PM +0200, Arne Schwabe wrote:
> For the second reply of an OpenVPN server we have not completed the three
> way handshake yet and the client IP address is still untrusted.
> When retransmitting the reset packet multiple times while timing
> out waiting for an ACK response to it, we send the packet multiple
> times to an untrusted IP, which is nowadays considered bad in a
> protocol.

For the record: we have decided at the hackathon to drop this patch
for the time being, because we (Arne, Steffan and Max) came up with
a better approach.  Instead of "keep state after the first packet"
we want to move towards a syn-cookie-like approach where the packet
is answered and forgotten (= no resend, because we do not even know
there was a packet).  Only the 3rd packet in the handshake causes
state on the server - and that confirms that the client IP+Port is
not spoofed.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


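As an added illustration (not code from OpenVPN or from anyone in this thread) of the stateless, syn-cookie-like handshake Gert describes: the server answers the first packet with a value it can recompute from the client's source address and session id, keeps nothing, and only allocates state when the third packet echoes that value back. The function names, the cookie construction and the 30-second validity window are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added illustration, not OpenVPN's own code.  Server-side MAC key; a real
# server would rotate it periodically (assumption).
SECRET = os.urandom(32)
COOKIE_TTL = 30   # seconds a cookie stays valid (assumed window)


def make_cookie(client_ip: str, client_port: int, client_sid: bytes, now: int) -> bytes:
    """Server 'session id' for the reset reply, derived from the client's
    source IP+port, its session id and a coarse time slot.  Being a keyed
    MAC over those inputs, it can be recomputed on demand instead of being
    stored, so packet 1 creates no per-client state at all."""
    slot = now // COOKIE_TTL
    msg = f"{client_ip}:{client_port}:{slot}:".encode() + client_sid
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]


def handle_first_packet(client_ip: str, client_port: int, client_sid: bytes, now: int) -> bytes:
    """Packet 1 (client reset) -> packet 2 (server reset).  Reply once and
    forget; if the reply is lost the client resends packet 1 and gets a
    fresh reply, so the server never retransmits to an unverified address."""
    return make_cookie(client_ip, client_port, client_sid, now)


def handle_third_packet(client_ip: str, client_port: int, client_sid: bytes,
                        echoed_cookie: bytes, now: int) -> bool:
    """Packet 3 must echo the cookie from packet 2.  Only a client that really
    received packet 2 at this IP+port can produce it, which rules out a
    spoofed source, so state may now be created.  The previous slot is also
    accepted so a reply sent just before a slot boundary is not rejected."""
    for t in (now, now - COOKIE_TTL):
        expected = make_cookie(client_ip, client_port, client_sid, t)
        if hmac.compare_digest(expected, echoed_cookie):
            return True   # session state would be allocated here
    return False


if __name__ == "__main__":
    # Constructed sample exchange: a genuine client completes the handshake,
    # a packet claiming a different source address does not.
    sid = b"\x01" * 8
    c = handle_first_packet("203.0.113.5", 40000, sid, 1000)
    print("genuine client:", handle_third_packet("203.0.113.5", 40000, sid, c, 1005))
    print("spoofed source:", handle_third_packet("203.0.113.6", 40000, sid, c, 1005))
```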


[Openvpn-devel] [PATCH v5] Refactor early initialisation and uninitialisation into methods

2021-11-06 Thread Arne Schwabe
This puts the early initialisation and uninitialisation that needs to
happen between option parsing and post processing into small methods.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/openvpn.c | 23 ++-
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 0ac961429..da06f59c2 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -105,6 +105,20 @@ tunnel_point_to_point(struct context *c)
 
 #undef PROCESS_SIGNAL_P2P
 
+void init_early(struct context *c)
+{
+net_ctx_init(c, >net_ctx);
+
+/* init verbosity and mute levels */
+init_verb_mute(c, IVM_LEVEL_1);
+
+}
+
+static void uninit_early(struct context *c)
+{
+net_ctx_free(>net_ctx);
+}
+
 
 /**/
 /**
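Review bot: `init_early` is defined without `static` while its counterpart `uninit_early` is `static`; unless it is meant to be exported (no header change is part of this patch), add `static` for consistency and to keep -Wmissing-prototypes quiet. The surrounding file puts the return type on its own line (see `tunnel_point_to_point` in the hunk header), so `void` and `static void` should go above the function name, and the blank line before the closing brace of `init_early` can be dropped. As rendered here `net_ctx_init(c, >net_ctx)` is missing the `&c-` of `&c->net_ctx`; if that is archive mangling it can be ignored, otherwise it will not compile.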
@@ -193,10 +207,9 @@ openvpn_main(int argc, char *argv[])
 open_plugins(, true, OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE);
 #endif
 
-net_ctx_init(, _ctx);
-
-/* init verbosity and mute levels */
-init_verb_mute(, IVM_LEVEL_1);
+/* Early initialisation that need to happen before option
+ * post processing and other early startup but after parsing */
+init_early();
 
 /* set dev options */
 init_options_dev();
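Review bot: the new comment should read "Early initialisation that needs to happen ...", and as rendered `init_early();` passes no argument although the function takes `struct context *c`; the removed line `net_ctx_init(, _ctx)` looks equally mangled (presumably `&c, &c.net_ctx`), so this is most likely the archive stripping `&c`, but please confirm the posted patch has `init_early(&c);`, since otherwise the call is a compile error.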
@@ -308,7 +321,7 @@ openvpn_main(int argc, char *argv[])
 env_set_destroy(c.es);
 uninit_options();
 gc_reset();
-net_ctx_free(_ctx);
+uninit_early();
 }
 while (c.sig->signal_received == SIGHUP);
 }
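Review bot: `uninit_early();` appears without its `&c` argument, same remark as for the previous hunk. Otherwise the teardown order is unchanged (the net_ctx is still freed last, after `gc_reset()`), so the refactor is behaviour-neutral; since `init_early`/`uninit_early` are now a pair, a one-line comment on `uninit_early` saying it must stay the last step of the SIGHUP loop body would document that ordering.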
-- 
2.33.0


