Re: [Openvpn-devel] [PATCH] resolvconf fails with -p
On Sat, Nov 6, 2021 at 7:37 PM David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:

> I quickly checked resolveconf on Ubuntu {18,20,21}.04 and Debian 9-11.
> Neither of them supports the '-p' argument.
>
> I've checked Fedora 34, RHEL-{7,8} too, where I could not find any
> obvious alternative to the old version of resolvconf tool. On RHEL-8
> and Fedora, systemd-resolved is available and provides a different
> resolveconf which targets to replace this old utility. This replacement
> neither support '-p'.
>
> This option got added in commit 3adf2f558e157ef508 back in 2010, but
> there's too little information why it was needed back then. But given
> that neither relevant Linux distributions supports this option today,
> it's reasonable to remove it now.
>

Openresolv uses it, and Arch offers that package.

https://github.com/NetworkConfiguration/openresolv/blob/master/resolvconf.in#L108 has a -p

That's my best guess where this came from. And then, since this is off buried in 'contrib', "nobody" noticed it for years.

(I don't disagree with removing it, I just like forensics).

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH applied] Re: resolvconf fails with -p
Sorry that it took so long. But here we go.

Your patch has been applied to the master and release/2.5 branch.

commit e739f41d05084c1bc9bfb6c5d49c74de37e53dc7 (master)
commit 8fcce5042865b6bed7dcde5d7d0372ae83d54708 (release/2.5)
Author: Sergio E. Nemirowski
Date: Sat May 29 04:35:16 2021 +0300

    resolvconf fails with -p

    Signed-off-by: Sergio E. Nemirowski
    Acked-by: David Sommerseth
    Message-Id: <20210529013516.767555-1-ser...@outerface.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22467.html
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering

Re: [Openvpn-devel] [PATCH] resolvconf fails with -p
On 29/05/2021 03:35, sergio wrote:

From: "Sergio E. Nemirowski" resolvconf -p resolvconf: Error: Command not recognized Signed-off-by: Sergio E. Nemirowski --- contrib/pull-resolv-conf/client.up | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/pull-resolv-conf/client.up b/contrib/pull-resolv-conf/client.up index f0769740..220aeb74 100644 --- a/contrib/pull-resolv-conf/client.up +++ b/contrib/pull-resolv-conf/client.up @@ -91,7 +91,7 @@ out="# resolv.conf autogenerated by ${0} (${dev})${nl}${dns}${ds}${domains}" # use resolvconf if it's available if type resolvconf >/dev/null 2>&1; then - printf "%s\n" "${out}" | resolvconf -p -a "${dev}" + printf "%s\n" "${out}" | resolvconf -a "${dev}" else # Preserve the existing resolv.conf if [ -e /etc/resolv.conf ] ; then

I quickly checked resolveconf on Ubuntu {18,20,21}.04 and Debian 9-11. Neither of them supports the '-p' argument.

I've checked Fedora 34, RHEL-{7,8} too, where I could not find any obvious alternative to the old version of resolvconf tool. On RHEL-8 and Fedora, systemd-resolved is available and provides a different resolveconf which targets to replace this old utility. This replacement neither support '-p'.

This option got added in commit 3adf2f558e157ef508 back in 2010, but there's too little information why it was needed back then. But given that neither relevant Linux distributions supports this option today, it's reasonable to remove it now.

Acked-By: David Sommerseth

--
kind regards,

David Sommerseth
OpenVPN Inc

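Review bot: The changed call `resolvconf -a "${dev}"` in client.up drops `-p` without a comment in the script, and the commit message carries only the failing command and its error text. Please name in the commit message which resolvconf implementation rejects `-p`, and add a one-line comment above the call saying the flag is omitted on purpose, since the thread notes that openresolv does accept it.
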
Re: [Openvpn-devel] [PATCH] Avoid resending reset reply more than once per client packet
Hi,

On Thu, Jun 10, 2021 at 05:30:11PM +0200, Arne Schwabe wrote:
> For the second reply of a OpenVPN we have not completed the three
> way handshake yet and the client IP address is still untrusted.
> When retransmitting the reset packet multiple times when timing
> out for an ACK response to it, we send the packet multiple
> times to an untrusted IP which is nowadays considered bad in a
> protocol.

For the record: we have decided at the hackathon to drop this patch for the time being, because we (Arne, Steffan and Max) came up with a better approach.

Instead of "keep state after the first packet" we want to move towards a syn-cookie like approach where the packet is answered, and forgotten (= no re-sent because we do not even know there was a packet). Only the 3rd packet in the handshake causes state on the server - and that confirms that the client IP+Port is not spoofed.

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
    Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de

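The answer-and-forget idea described in the message above, sketched as an added example that is not code from this thread or from OpenVPN: the reply to the first packet is an HMAC over the client address, port and session id, so the server stores nothing until the third packet echoes it back. The class name, field layout, 8-byte cookie and 30-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

WINDOW = 30  # assumed lifetime of one time slot, in seconds


class StatelessResponder:
    """Hypothetical responder; not OpenVPN's wire format or code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = {}  # filled only after the third packet verifies

    def _cookie(self, ip: str, port: int, client_sid: bytes, slot: int) -> bytes:
        addr = ipaddress.ip_address(ip).packed
        # Length-prefix the address so IPv4 and IPv6 inputs cannot collide.
        msg = bytes([len(addr)]) + addr + struct.pack("!HQ", port, slot) + client_sid
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def on_first_packet(self, ip, port, client_sid, now):
        # The reply is a pure function of the packet and the secret. Nothing is
        # stored, so no timer exists that could resend to a spoofed address.
        return self._cookie(ip, port, client_sid, int(now) // WINDOW)

    def on_third_packet(self, ip, port, client_sid, echoed, now):
        slot = int(now) // WINDOW
        for s in (slot, slot - 1):  # tolerate a slot rollover mid-handshake
            expected = self._cookie(ip, port, client_sid, s)
            if hmac.compare_digest(echoed, expected):
                # The sender saw our reply, so it really receives at ip:port.
                self.sessions[(ip, port)] = client_sid
                return True
        return False


def demo():
    srv = StatelessResponder(b"constructed-demo-secret-32-bytes")
    sid = b"\x01" * 8  # constructed client session id
    cookie = srv.on_first_packet("198.51.100.7", 40000, sid, now=1000)
    state_after_first = len(srv.sessions)
    spoofed = srv.on_third_packet("203.0.113.9", 40000, sid, cookie, now=1005)
    genuine = srv.on_third_packet("198.51.100.7", 40000, sid, cookie, now=1005)
    stale = srv.on_third_packet("198.51.100.7", 40000, sid, cookie, now=1000 + 3 * WINDOW)
    return state_after_first, spoofed, genuine, stale, len(srv.sessions)


if __name__ == "__main__":
    print(demo())
```
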
[Openvpn-devel] [PATCH v5] Refactor early initialisation and uninitialisation into methods
This puts the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods.

Signed-off-by: Arne Schwabe

--- src/openvpn/openvpn.c | 23 ++- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index 0ac961429..da06f59c2 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -105,6 +105,20 @@ tunnel_point_to_point(struct context *c) #undef PROCESS_SIGNAL_P2P +void init_early(struct context *c) +{ +net_ctx_init(c, >net_ctx); + +/* init verbosity and mute levels */ +init_verb_mute(c, IVM_LEVEL_1); + +} + +static void uninit_early(struct context *c) +{ +net_ctx_free(>net_ctx); +} + /**/ /** @@ -193,10 +207,9 @@ openvpn_main(int argc, char *argv[]) open_plugins(, true, OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE); #endif -net_ctx_init(, _ctx); - -/* init verbosity and mute levels */ -init_verb_mute(, IVM_LEVEL_1); +/* Early initialisation that need to happen before option + * post processing and other early startup but after parsing */ +init_early(); /* set dev options */ init_options_dev(); @@ -308,7 +321,7 @@ openvpn_main(int argc, char *argv[]) env_set_destroy(c.es); uninit_options(); gc_reset(); -net_ctx_free(_ctx); +uninit_early(); } while (c.sig->signal_received == SIGHUP); } -- 2.33.0
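
Review bot: In the first hunk, `init_early()` is added without `static` while `uninit_early()` directly below it is `static`, and the diffstat shows no header being touched, so `init_early()` should be `static void init_early(struct context *c)` as well unless a reason for exporting it is stated. The empty line before the closing brace of `init_early()` can go, and the new comment at the call site should read "that needs to happen".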