Re: [Openvpn-devel] [PATCH v2] Document that auth-user-pass may be inlined

2024-02-20 Thread Antonio Quartulli

Hi,

On 20/02/2024 18:52, selva.n...@gmail.com wrote:

From: Selva Nair 

Commits 7d48d31b, 39619b7f added support for inlining username
and, optionally, password.
Add a description of its usage in the man page.

Github: resolves OpenVPN/openvpn#370

Change-Id: I7a1765661f7676eeba8016024080fd1026220ced
Signed-off-by: Selva Nair 


Acked-by: Antonio Quartulli 


---
v2: Add '--' prefix when referring to auth-user-pass
and mention related github issue
  doc/man-sections/client-options.rst | 11 +++
  doc/man-sections/inline-files.rst   |  2 +-
  2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/man-sections/client-options.rst 
b/doc/man-sections/client-options.rst
index b92b1a46..b75fe5bd 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -73,6 +73,17 @@ configuration.
If ``up`` is omitted, username/password will be prompted from the
console.
  
+  This option can also be inlined

+  ::
+
+
+username
+[password]
+
+
+  where password is optional, and will be prompted from the console if
+  missing.
+
The server configuration must specify an ``--auth-user-pass-verify``
script to verify the username/password provided by the client.
  
diff --git a/doc/man-sections/inline-files.rst b/doc/man-sections/inline-files.rst

index f46301e8..4dba73c9 100644
--- a/doc/man-sections/inline-files.rst
+++ b/doc/man-sections/inline-files.rst
@@ -5,7 +5,7 @@ OpenVPN allows including files in the main configuration for 
the ``--ca``,
  ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``,
  ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``,
  ``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``,
-``--tls-crypt-v2`` and ``--verify-hash`` options.
+``--tls-crypt-v2``, ``--verify-hash`` and ``--auth-user-pass`` options.
  
  Each inline file started by the line  and ended by the line

  


--
Antonio Quartulli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH v2] Document that auth-user-pass may be inlined

2024-02-20 Thread selva . nair
From: Selva Nair 

Commits 7d48d31b, 39619b7f added support for inlining username
and, optionally, password.
Add a description of its usage in the man page.

Github: resolves OpenVPN/openvpn#370

Change-Id: I7a1765661f7676eeba8016024080fd1026220ced
Signed-off-by: Selva Nair 
---
v2: Add '--' prefix when referring to auth-user-pass
and mention related github issue
 doc/man-sections/client-options.rst | 11 +++
 doc/man-sections/inline-files.rst   |  2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/man-sections/client-options.rst 
b/doc/man-sections/client-options.rst
index b92b1a46..b75fe5bd 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -73,6 +73,17 @@ configuration.
   If ``up`` is omitted, username/password will be prompted from the
   console.
 
+  This option can also be inlined
+  ::
+
+
+username
+[password]
+
+
+  where password is optional, and will be prompted from the console if
+  missing.
+
   The server configuration must specify an ``--auth-user-pass-verify``
   script to verify the username/password provided by the client.
 
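Review bot: The paragraph added under "This option can also be inlined" documents that [password] may sit in the configuration itself, but never says that this makes the whole config file a stored credential. Suggest one more sentence after "will be prompted from the console if missing" telling users to restrict read access to a config that carries an inlined password, the same way a separate ``up`` file would be protected. The sentence "where password is optional" could also say outright that the square brackets are notation and not part of what is typed.
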
diff --git a/doc/man-sections/inline-files.rst 
b/doc/man-sections/inline-files.rst
index f46301e8..4dba73c9 100644
--- a/doc/man-sections/inline-files.rst
+++ b/doc/man-sections/inline-files.rst
@@ -5,7 +5,7 @@ OpenVPN allows including files in the main configuration for 
the ``--ca``,
 ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``,
 ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``,
 ``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``,
-``--tls-crypt-v2`` and ``--verify-hash`` options.
+``--tls-crypt-v2``, ``--verify-hash`` and ``--auth-user-pass`` options.
 
 Each inline file started by the line  and ended by the line
 
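Review bot: Appending ``--auth-user-pass`` to this list tells readers the option can be inlined but not what goes inside the block, and unlike most entries here the content is not a key or certificate file. Suggest a short pointer from this section to the ``--auth-user-pass`` entry in client-options.rst, where the "username" / "[password]" layout is described.
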
-- 
2.34.1





Re: [Openvpn-devel] [PATCH] Document that auth-user-pass may be inlined

2024-02-20 Thread Frank Lichtenheld
On Mon, Feb 19, 2024 at 02:28:22PM -0500, selva.n...@gmail.com wrote:
> From: Selva Nair 
> 
> Commits 7d48d31b, 39619b7f added support for inlining username
> and, optionally, password.
> Add a description of its usage in the man page.

Please reference Github #370 which is the same topic.

> Change-Id: I7a1765661f7676eeba8016024080fd1026220ced
> Signed-off-by: Selva Nair 
> ---
> Does this have to go through gerrit?
> 
>  doc/man-sections/client-options.rst | 11 +++
>  doc/man-sections/inline-files.rst   |  2 +-
>  2 files changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/man-sections/client-options.rst 
> b/doc/man-sections/client-options.rst
> index b92b1a46..b75fe5bd 100644
> --- a/doc/man-sections/client-options.rst
> +++ b/doc/man-sections/client-options.rst
> @@ -73,6 +73,17 @@ configuration.
>If ``up`` is omitted, username/password will be prompted from the
>console.
>  
> +  This option can also be inlined
> +  ::
> +
> +
> +username
> +[password]
> +
> +
> +  where password is optional, and will be prompted from the console if
> +  missing.
> +
>The server configuration must specify an ``--auth-user-pass-verify``
>script to verify the username/password provided by the client.
>  
> diff --git a/doc/man-sections/inline-files.rst 
> b/doc/man-sections/inline-files.rst
> index f46301e8..ad02c855 100644
> --- a/doc/man-sections/inline-files.rst
> +++ b/doc/man-sections/inline-files.rst
> @@ -5,7 +5,7 @@ OpenVPN allows including files in the main configuration for 
> the ``--ca``,
>  ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``,
>  ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``,
>  ``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``,
> -``--tls-crypt-v2`` and ``--verify-hash`` options.
> +``--tls-crypt-v2``, ``--verify-hash`` and ``auth-user-pass`` options.

--auth-user-pass for consistency.

Regards,
-- 
  Frank Lichtenheld




Re: [Openvpn-devel] [PATCH] Document that auth-user-pass may be inlined

2024-02-20 Thread Gert Doering
Hi,

On Mon, Feb 19, 2024 at 02:28:22PM -0500, selva.n...@gmail.com wrote:
> Does this have to go through gerrit?

As of today, there's two ways to inject patches / patch sets for
"openvpn main" - the openvpn-devel@ list, "as always", and gerrit.

Gerrit is nice for larger and more complex patchsets, because review
can happen in pieces (= you can review the first half today, comment
on the web, it will remember which parts you have seen already, and
do the rest tomorrow), and also gerrit can do stuff like "so what
changed from v4 to v5?" meta-diffs.

For smaller patches "single file, trivially correct", openvpn-devel@ is
less work for me :-)

So - what is "better" depends.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header

2024-02-20 Thread flichtenheld (Code Review)
Attention is currently required from: its_Giaan, ordex, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email )

Change subject: Minor fix to process_ip_header
..


Patch Set 2: Code-Review+2


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/525?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Gerrit-Change-Number: 525
Gerrit-PatchSet: 2
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: its_Giaan 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Tue, 20 Feb 2024 14:49:44 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default

2024-02-20 Thread its_Giaan (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

its_Giaan has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/529?usp=email )

Change subject: Persist-key: enable persist-key option by default
..


Patch Set 1:

(5 comments)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/e10934a7_2866e37f :
PS1, Line 9: This commit changes the default behavior of the OpenVPN
> Nitpick: just use "Change the default behavior". "This commit" is redundant 
> and clunky.
Done


File doc/man-sections/signals.rst:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/cd5281ba_35c80d22 :
PS1, Line 13: remote IP address/port based on ``--persist-tun``, 
``--persist-local-ip``
> Trailing whitespace
Done


File doc/man-sections/unsupported-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/ffcf9cec_929ec0cd :
PS1, Line 47:   Removed in OpenVPN 2.7. Corresponding behavior is now always 
enabled.
> "Corresponding behavior" is very vague. […]
Done


File sample/sample-config-files/server.conf:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/4fe0fe2f_2a0c3f24 :
PS1, Line 277: # The persist options will try to avoid
> Nitpick: "The persist options" not correct anymore, since it is only one 
> option now 
Done


File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/489e0245_c52b6bdb :
PS1, Line 6963: "The corresponding behavior is now always enabled."
> Same comment about "corresponding behavior"
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/529?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Gerrit-Change-Number: 529
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 20 Feb 2024 14:10:50 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default

2024-02-20 Thread its_Giaan (Code Review)
Attention is currently required from: flichtenheld, its_Giaan, plaisthos.

Hello flichtenheld, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/529?usp=email

to look at the new patch set (#2).

The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld


Change subject: Persist-key: enable persist-key option by default
..

Persist-key: enable persist-key option by default

Change the default behavior of the OpenVPN configuration
by enabling the persist-key option by default.

This means that all the key file content will be kept
in memory throughout the lifetime of the VPN connection.

Fixes: Trac #1405
Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Signed-off-by: Gianmarco De Gregori 
---
M doc/man-sections/connection-profiles.rst
M doc/man-sections/generic-options.rst
M doc/man-sections/link-options.rst
M doc/man-sections/server-options.rst
M doc/man-sections/signals.rst
M doc/man-sections/unsupported-options.rst
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
M sample/sample-config-files/tls-home.conf
M sample/sample-config-files/tls-office.conf
M sample/sample-windows/sample.ovpn
M src/openvpn/init.c
M src/openvpn/openvpn.h
M src/openvpn/options.c
M src/openvpn/options.h
15 files changed, 25 insertions(+), 49 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/2

diff --git a/doc/man-sections/connection-profiles.rst 
b/doc/man-sections/connection-profiles.rst
index c8816e1..520bbef 100644
--- a/doc/man-sections/connection-profiles.rst
+++ b/doc/man-sections/connection-profiles.rst
@@ -39,7 +39,6 @@
http-proxy 192.168.0.8 8080


-   persist-key
persist-tun
pkcs12 client.p12
remote-cert-tls server
diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 95e4ca2..4e2029a 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -302,17 +302,6 @@
   Change process priority after initialization (``n`` greater than 0 is
   lower priority, ``n`` less than zero is higher priority).

---persist-key
-  Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
-
-  This option can be combined with ``--user`` to allow restarts
-  triggered by the :code:`SIGUSR1` signal. Normally if you drop root
-  privileges in OpenVPN, the daemon cannot be restarted since it will now
-  be unable to re-read protected key files.
-
-  This option solves the problem by persisting keys across :code:`SIGUSR1`
-  resets, so they don't need to be re-read.
-
 --providers providers
   Load the list of (OpenSSL) providers. This is mainly useful for using an
   external provider for key management like tpm2-openssl or to load the
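
Review bot: Deleting the whole ``--persist-key`` entry also deletes the explanation of why keys are held across restarts: the removed lines say that after dropping root with ``--user`` the daemon "will now be unable to re-read protected key files". With the behaviour now unconditional, suggest moving that rationale into the ``--user`` description or the unsupported-options entry, and stating there, as the commit message does, that key file content stays in process memory for the lifetime of the connection, so operators can still find it in the man page.
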
@@ -402,7 +391,7 @@

   Like with chroot, complications can result when scripts or restarts are
   executed after the setcon operation, which is why you should really
-  consider using the ``--persist-key`` and ``--persist-tun`` options.
+  consider using the ``--persist-tun`` option.

 --status args
   Write operational status to ``file`` every ``n`` seconds. ``n`` defaults
diff --git a/doc/man-sections/link-options.rst 
b/doc/man-sections/link-options.rst
index ca26bfe..ca192c3 100644
--- a/doc/man-sections/link-options.rst
+++ b/doc/man-sections/link-options.rst
@@ -283,7 +283,7 @@
   See the signals section below for more information on :code:`SIGUSR1`.

   Note that the behavior of ``SIGUSR1`` can be modified by the
-  ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and
+  ``--persist-tun``, ``--persist-local-ip`` and
   ``--persist-remote-ip`` options.

   Also note that ``--ping-exit`` and ``--ping-restart`` are mutually
diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index 98f5340..0632e31 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -452,7 +452,7 @@
   ``--route``, ``--route-gateway``, ``--route-delay``,
   ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``,
   ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,
-  ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,
+  ``--setenv``, ``--auth-token``, ``--persist-tun``,
   ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
   ``--rcvbuf``, ``--session-timeout``

diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst
index 63611b3..01e8e5b 100644
--- a/doc/man-sections/signals.rst
+++ b/doc/man-sections/signals.rst
@@ -10,9 +10,8 @@
 Like :code:`SIGHUP``, except don't re-read configuration file, and
 possibly don't close and reopen TUN/TAP device, re-read key files,
 preserve local IP address/port, or preserve most recently authenticated
-remote IP address/port based on ``--persist-tun``, ``--persist-key``,
-``--persist-local-ip`` and 
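
Review bot: The unchanged context line "possibly don't close and reopen TUN/TAP device, re-read key files," still lists re-reading key files as something SIGUSR1 may or may not do, while this hunk removes ``--persist-key`` from the options that control it. If keys are now always persisted, "re-read key files" should move out of the "possibly" list and be stated as unconditional. The first context line also carries a stray backtick in :code:`SIGHUP`` that could be fixed in the same edit.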

[Openvpn-devel] [M] Change in openvpn[master]: Route: add support for user defined routing table

2024-02-20 Thread its_Giaan (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

its_Giaan has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

Change subject: Route: add support for user defined routing table
..


Patch Set 2:

(5 comments)

File doc/man-sections/vpn-network-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/8ef327d5_482e958e :
PS1, Line 407:  default taken from ``--route-table`` if set, otherwise 
:code:`0`.
> Please change tab to spaces
Done


http://gerrit.openvpn.net/c/openvpn/+/524/comment/9c8be01e_92c07a0f :
PS1, Line 408:
> Should document that table-id can't be pushed.
Done


http://gerrit.openvpn.net/c/openvpn/+/524/comment/2891fff7_f030a0a0 :
PS1, Line 464:
> might be a good opportunity to make the description of --route-ipv6 more 
> consistent with --route? Cu […]
Done


File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/0ca031f1_18cfb87a :
PS1, Line 205: "--route-table [table_id] : Specify a custom routing table 
for use with --route(-ipv6).\n"
> table_id is not optional, so don't use brackets here
Done


http://gerrit.openvpn.net/c/openvpn/+/524/comment/e912ffc8_22f4e21d :
PS1, Line 6992: msg(M_WARN, "NOTE: --route-table specified, but not 
supported on this platform");
> Sounds good to me.
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Gerrit-Change-Number: 524
Gerrit-PatchSet: 2
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 20 Feb 2024 13:58:11 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: its_Giaan 
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Route: add support for user defined routing table

2024-02-20 Thread its_Giaan (Code Review)
Attention is currently required from: flichtenheld, its_Giaan, plaisthos.

Hello flichtenheld, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/524?usp=email

to look at the new patch set (#2).

The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld


Change subject: Route: add support for user defined routing table
..

Route: add support for user defined routing table

Add the ability for users to specify a custom
routing table where routes should be installed in.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possible
to specify the ID of the default routing table
to be used by --route(-ipv6).

The --route(-ipv6) directives have been extended
with an additional argument (5th for --route)
(4th for --route-ipv6) so that each of them
can possibly use an independent routing table.

Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.

Fixes: Trac #1399
Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Signed-off-by: Gianmarco De Gregori 
---
M doc/man-sections/vpn-network-options.rst
M src/openvpn/helper.c
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/route.c
M src/openvpn/route.h
7 files changed, 214 insertions(+), 19 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/24/524/2

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 41d367b..9a7ba02 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -367,6 +367,14 @@
   Like ``--redirect-gateway``, but omit actually changing the default gateway.
   Useful when pushing private subnets.

+--route-table id
+  Specify a default table id for use with --route.
+  By default, OpenVPN installs routes in the main routing
+  table of the operating system, but with this option,
+  a user defined routing table can be used instead.
+
+  (Supported on Linux only, on other platforms this is a no-op).
+
 --route args
   Add route to routing table after connection is established. Multiple
   routes can be specified. Routes will be automatically torn down in
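
Review bot: The new ``--route-table`` entry says the id is "for use with --route" only, while the commit message describes it as the default for both --route and --route-ipv6; the entry should name both. "--route" is also written without the double backticks used for option references elsewhere in this file. The "(Supported on Linux only, ...)" line is looser than the commit message, which limits support to Linux/SITNL: say which Linux builds honour the option, because a silent no-op leaves routes in the main table when the user asked for a separate one.
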
@@ -379,6 +387,7 @@
   route network/IP netmask
   route network/IP netmask gateway
   route network/IP netmask gateway metric
+  route network/IP netmask gateway metric table-id

   This option is intended as a convenience proxy for the ``route``\(8)
   shell command, while at the same time providing portable semantics
@@ -394,6 +403,10 @@
   ``metric``
 default taken from ``--route-metric`` if set, otherwise :code:`0`.

+  ``table-id`` (Supported on Linux only, on other platforms this is a no-op).
+Since this option must be an entirely local choice, won't be pushable.
+ default taken from ``--route-table`` if set, otherwise :code:`0`.
+
   The default can be specified by leaving an option blank or setting it to
   :code:`default`.
 
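Review bot: "otherwise :code:`0`" in the ``table-id`` description does not say which table 0 selects. The ``--route-table`` entry states that routes go to the main routing table by default, and on Linux the main table has id 254 while 0 is the unspecified table, so the text should say that 0 means "use the main table" instead of leaving readers to assume a literal table 0. The sentence "Since this option must be an entirely local choice, won't be pushable." is also missing its subject.
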
@@ -441,14 +454,25 @@
   Setup IPv6 routing in the system to send the specified IPv6 network into
   OpenVPN's *tun*.

-  Valid syntax:
+  Valid syntaxes:
   ::

+ route-ipv6 ipv6addr/bits
+ route-ipv6 ipv6addr/bits [gateway]
  route-ipv6 ipv6addr/bits [gateway] [metric]
+ route-ipv6 ipv6addr/bits [gateway] [metric] [table-id]
+
+  ``gateway``
+Only used for IPv6 routes across *tap* devices,
+and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
+``--route-ipv6-gateway`` is used.

-  The gateway parameter is only used for IPv6 routes across *tap* devices,
-  and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
-  ``--route-ipv6-gateway`` is used.
+  ``metric``
+default taken from ``--route-metric`` if set, otherwise :code:`0`.
+
+  ``table-id`` (Supported on Linux only, on other platforms this is a no-op).
+Since this option must be an entirely local choice, won't be pushable.
+ default taken from ``--route-table`` if set, otherwise :code:`0`.

 --route-gateway arg
   Specify a default *gateway* for use with ``--route``.
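
Review bot: The "Valid syntaxes" block mixes two notations: the first added line lists a form without brackets, while the following lines use brackets to mark optional arguments, so the first three lines all describe overlapping sets of commands. Either enumerate the forms without brackets, as the ``--route`` entry does, or keep only the single fully bracketed line. The ``table-id`` paragraph repeats the ``--route`` text word for word, including the incomplete sentence "won't be pushable", so both copies should be fixed together.
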
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index fa011ff..758160d 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -118,6 +118,7 @@
  print_in_addr_t(network, 0, >gc),
  print_in_addr_t(netmask, 0, >gc),
  NULL,
+ NULL,
  NULL);
 }

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c5cc154..c24e736 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1481,6 +1481,7 @@
 const char *gw = NULL;
 int dev = dev_type_enum(options->dev, options->dev_type);
 

[Openvpn-devel] [M] Change in openvpn[master]: Route: add support for user defined routing table

2024-02-20 Thread flichtenheld (Code Review)
Attention is currently required from: its_Giaan, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

Change subject: Route: add support for user defined routing table
..


Patch Set 1:

(1 comment)

File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/3d97c488_535a77ac :
PS1, Line 6992: msg(M_WARN, "NOTE: --route-table specified, but not 
supported on this platform");
> What about "Table_id is supported only on Linux when SITNL is built-in" so we 
> know that in case we'r […]
Sounds good to me.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Gerrit-Change-Number: 524
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: its_Giaan 
Gerrit-Comment-Date: Tue, 20 Feb 2024 13:44:42 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: its_Giaan 
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default

2024-02-20 Thread flichtenheld (Code Review)
Attention is currently required from: its_Giaan, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/529?usp=email )

Change subject: Persist-key: enable persist-key option by default
..


Patch Set 1: Code-Review-1

(6 comments)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/99bc33fe_177eba51 :
PS1, Line 9: This commit changes the default behavior of the OpenVPN
Nitpick: just use "Change the default behavior". "This commit" is redundant and 
clunky.


Patchset:

PS1:
Functionally looks good to me. Some documentation improvements suggested.


File doc/man-sections/signals.rst:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/4c986d46_e82cde2f :
PS1, Line 13: remote IP address/port based on ``--persist-tun``, 
``--persist-local-ip``
Trailing whitespace


File doc/man-sections/unsupported-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/8164c8c9_a1ae98fb :
PS1, Line 47:   Removed in OpenVPN 2.7. Corresponding behavior is now always 
enabled.
"Corresponding behavior" is very vague. Let's write "Keys are now always 
persisted across restarts" or something like that.


File sample/sample-config-files/server.conf:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/910d57b4_d0613104 :
PS1, Line 277: # The persist options will try to avoid
Nitpick: "The persist options" not correct anymore, since it is only one option 
now 


File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/a6f6455c_7e115ef1 :
PS1, Line 6963: "The corresponding behavior is now always enabled."
Same comment about "corresponding behavior"



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/529?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Gerrit-Change-Number: 529
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: its_Giaan 
Gerrit-Comment-Date: Tue, 20 Feb 2024 13:42:54 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Route: add support for user defined routing table

2024-02-20 Thread its_Giaan (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

its_Giaan has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

Change subject: Route: add support for user defined routing table
..


Patch Set 1:

(2 comments)

Patchset:

PS1:
What about "Table_id is supported only on Linux when SITNL is built-in" so we 
know that in case we're on Linux but there's not SITNL -> "SITNL is required", 
on the other hand if we're not on Linux -> "this is Linux only"


File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/d372a561_90367367 :
PS1, Line 6992: msg(M_WARN, "NOTE: --route-table specified, but not 
supported on this platform");
> This warning would be confusing with a Linux build with --enable-iproute2. […]
What about "Table_id is supported only on Linux when SITNL is built-in" so we 
know that in case we're on Linux but there's not SITNL -> "SITNL is required", 
on the other hand if we're not on Linux -> "this is Linux only"



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Gerrit-Change-Number: 524
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 20 Feb 2024 13:33:18 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment


[Openvpn-devel] [XS] Change in openvpn[master]: Route: remove incorrect routes on exit

2024-02-20 Thread flichtenheld (Code Review)
Attention is currently required from: its_Giaan, plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/522?usp=email )

Change subject: Route: remove incorrect routes on exit
..


Patch Set 2: Code-Review+2


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/522?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8a67b82eb4afdc8d82c5a879c18457b41e77cbe7
Gerrit-Change-Number: 522
Gerrit-PatchSet: 2
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: its_Giaan 
Gerrit-Comment-Date: Tue, 20 Feb 2024 13:32:23 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header

2024-02-20 Thread its_Giaan (Code Review)
Attention is currently required from: flichtenheld, its_Giaan, ordex, plaisthos.

Hello flichtenheld, ordex, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/525?usp=email

to look at the new patch set (#2).

The following approvals got outdated and were removed:
Code-Review-1 by ordex


Change subject: Minor fix to process_ip_header
..

Minor fix to process_ip_header

Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
unneeded complexity.

While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.

Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori 
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/2

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
  * us to examine the IP header (IPv4 or IPv6).
  */
 unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
 process_ip_header(c, flags, >c2.buf);

 #ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
 }
 if (!c->options.block_ipv6)
 {
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
 }

 if (buf->len > 0)
 {
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
 {
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
 #if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
 #endif

-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING 
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, , 
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router = 
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, 
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
 {
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT | 
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
-   (bool)(flags & 
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
 }
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : 
CN_OUTGOING;
+client_nat_transform(c->options.client_nat, , direction);
+}
+/* possibly extract a DHCP router message */
+if 
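
Review bot: removing the outer "if (flags & (PIP_MSSFIX | PIPV4_PASSTOS | PIPV4_CLIENT_NAT))" guard is a behaviour change, and the commit message should say so rather than describe it only as reduced complexity. In the removed lines the PIPV4_EXTRACT_DHCP_ROUTER branch and the IPv6 branch that calls ipv6_send_icmp_unreachable() and sets buf->len = 0 were nested inside that guard, and the guard never tested PIPV4_EXTRACT_DHCP_ROUTER or the PIPV6_ICMP_NOHOST_* flags, so neither branch ran unless one of the three guarded flags happened to be set. Suggest stating in the message that each per-feature check now runs whenever its own flag is set, and noting that "struct buffer ipbuf = *buf;" and the is_ipv4() test now execute for every packet with buf->len > 0.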

[Openvpn-devel] [S] Change in openvpn[master]: Minor fix to process_ip_header

2024-02-20 Thread ordex (Code Review)
Attention is currently required from: flichtenheld, its_Giaan, plaisthos.

ordex has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email )

Change subject: Minor fix to process_ip_header
..


Patch Set 1: Code-Review-1

(1 comment)

Patchset:

PS1:
As discussed on the mailing list with Gert, it makes more sense to simply drop 
the outer if() entirely as it doesn't save us much, while it introduces unneeded 
complexity.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/525?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Gerrit-Change-Number: 525
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: its_Giaan 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 20 Feb 2024 09:24:39 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [XS] Change in openvpn[master]: Route: remove incorrect routes on exit

2024-02-20 Thread its_Giaan (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

its_Giaan has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/522?usp=email )

Change subject: Route: remove incorrect routes on exit
..


Patch Set 2:

(1 comment)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/522/comment/acf3689c_dd1d77a7 :
PS1, Line 7: Route: remove uncorrect routes on exit.
> "incorrect" […]
Done



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/522?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8a67b82eb4afdc8d82c5a879c18457b41e77cbe7
Gerrit-Change-Number: 522
Gerrit-PatchSet: 2
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Tue, 20 Feb 2024 09:20:46 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld 
Gerrit-MessageType: comment