[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default
cron2 has uploaded a new patch set (#6) to the change originally created by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/529?usp=email ) Change subject: Persist-key: enable persist-key option by default .. Persist-key: enable persist-key option by default Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Trac: #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori Message-Id: <20240307140355.32644-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html Signed-off-by: Gert Doering --- M Changes.rst M doc/man-sections/connection-profiles.rst M doc/man-sections/generic-options.rst M doc/man-sections/link-options.rst M doc/man-sections/server-options.rst M doc/man-sections/signals.rst M doc/man-sections/unsupported-options.rst M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf M sample/sample-windows/sample.ovpn M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h 14 files changed, 24 insertions(+), 47 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/6 diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read
[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/529?usp=email ) Change subject: Persist-key: enable persist-key option by default .. Persist-key: enable persist-key option by default Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Trac: #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori Message-Id: <20240307140355.32644-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html Signed-off-by: Gert Doering --- M Changes.rst M doc/man-sections/connection-profiles.rst M doc/man-sections/generic-options.rst M doc/man-sections/link-options.rst M doc/man-sections/server-options.rst M doc/man-sections/signals.rst M doc/man-sections/unsupported-options.rst M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf M sample/sample-windows/sample.ovpn M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h 14 files changed, 24 insertions(+), 47 deletions(-) diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP
[Openvpn-devel] [PATCH applied] Re: Persist-key: enable persist-key option by default
Thanks for this. We discussed this and nobody seemed to remember why persist-key was configurable really ("you could swap out the key + cert while openvpn is running and then SIGUSR1 it", but yeah, who does this?) - so thanks for throwing out these extra code paths. Tested with the full server/client rig. Your patch has been applied to the master branch. commit 802fcce5448741bb1e34dd06ac3674b6b6c55a94 Author: Gianmarco De Gregori Date: Thu Mar 7 15:03:55 2024 +0100 Persist-key: enable persist-key option by default Signed-off-by: Gianmarco De Gregori Message-Id: <20240307140355.32644-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v5] Persist-key: enable persist-key option by default
From: Gianmarco De Gregori Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Fixes: Trac #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/529 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated -remote IP address/port based on ``--persist-tun``, ``--persist-key``, -``--persist-local-ip`` and ``--persist-remote-ip`` options respectively -(see above). +remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` +and ``--persist-remote-ip`` options respectively (see above). This signal may also be internally generated by a timeout condition, governed by the ``--ping-restart`` option. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index a0c1232..11467ca 100644 ---
[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/529?usp=email to look at the new patch set (#5). The following approvals got outdated and were removed: Code-Review+2 by plaisthos The change is no longer submittable: Code-Review and checks~ChecksSubmitRule are unsatisfied now. Change subject: Persist-key: enable persist-key option by default .. Persist-key: enable persist-key option by default Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Fixes: Trac #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori --- M Changes.rst M doc/man-sections/connection-profiles.rst M doc/man-sections/generic-options.rst M doc/man-sections/link-options.rst M doc/man-sections/server-options.rst M doc/man-sections/signals.rst M doc/man-sections/unsupported-options.rst M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf M sample/sample-windows/sample.ovpn M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h 14 files changed, 24 insertions(+), 47 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/5 diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 ---
[Openvpn-devel] [PATCH v5] Minor fix to process_ip_header
From: Gianmarco De Gregori Removed if-guard checking if any feature is enabled before performing per-feature check. It doesn't save us much but instead introduces uneeded complexity. While at it, fixed a typo IMCP -> ICMP for defined PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER macros. Fixes: Trac https://community.openvpn.net/openvpn/ticket/269 Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202 Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/525 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe Frank Lichtenheld diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, >c2.buf); #ifdef PACKET_TRUNCATION_CHECK @@ -1644,73 +1644,60 @@ } if (!c->options.block_ipv6) { -flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); +flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +struct buffer ipbuf = *buf; +if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) { -struct buffer ipbuf = *buf; -if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) -{ #if PASSTOS_CAPABILITY -/* extract TOS from IP header */ -if (flags & PIPV4_PASSTOS) -{ -link_socket_extract_tos(c->c2.link_socket, ); -} +/* extract TOS from IP header */ +if (flags & PIPV4_PASSTOS) +{ +link_socket_extract_tos(c->c2.link_socket, ); +} #endif -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv4(, c->c2.frame.mss_fix); -} - -/* possibly do NAT on packet */ -if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) -{ -const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; -client_nat_transform(c->options.client_nat, , direction); -} -/* possibly extract a DHCP router message */ -if (flags & PIPV4_EXTRACT_DHCP_ROUTER) -{ -const in_addr_t dhcp_router = dhcp_extract_router_msg(); -if (dhcp_router) -{ -route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); -} -} -} -else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), )) +/* possibly alter the TCP MSS */ +if (flags & PIP_MSSFIX) { -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv6(, c->c2.frame.mss_fix); -} -if (!(flags & PIP_OUTGOING) && (flags -&(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) -{ -ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); -/* Drop the IPv6 packet */ -buf->len = 0; -} - +mss_fixup_ipv4(, c->c2.frame.mss_fix); } + +/* possibly do NAT on packet */ +if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) +{ +const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; +client_nat_transform(c->options.client_nat, , direction); +} +/* possibly extract a DHCP router message */ +if (flags & PIPV4_EXTRACT_DHCP_ROUTER) +{ +const in_addr_t dhcp_router = dhcp_extract_router_msg(); +if (dhcp_router) +{ +route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); +} +} +
[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header
Attention is currently required from: its_Giaan, ordex. Hello flichtenheld, ordex, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/525?usp=email to look at the new patch set (#5). The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now. Change subject: Minor fix to process_ip_header .. Minor fix to process_ip_header Removed if-guard checking if any feature is enabled before performing per-feature check. It doesn't save us much but instead introduces uneeded complexity. While at it, fixed a typo IMCP -> ICMP for defined PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER macros. Fixes: Trac https://community.openvpn.net/openvpn/ticket/269 Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202 Signed-off-by: Gianmarco De Gregori --- M src/openvpn/forward.c M src/openvpn/forward.h M src/openvpn/multi.c 3 files changed, 49 insertions(+), 61 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/5 diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, >c2.buf); #ifdef PACKET_TRUNCATION_CHECK @@ -1644,73 +1644,60 @@ } if (!c->options.block_ipv6) { -flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); +flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +struct buffer ipbuf = *buf; +if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) { -struct buffer ipbuf = *buf; -if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) -{ #if PASSTOS_CAPABILITY -/* extract TOS from IP header */ -if (flags & PIPV4_PASSTOS) -{ -link_socket_extract_tos(c->c2.link_socket, ); -} +/* extract TOS from IP header */ +if (flags & PIPV4_PASSTOS) +{ +link_socket_extract_tos(c->c2.link_socket, ); +} #endif -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv4(, c->c2.frame.mss_fix); -} - -/* possibly do NAT on packet */ -if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) -{ -const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; -client_nat_transform(c->options.client_nat, , direction); -} -/* possibly extract a DHCP router message */ -if (flags & PIPV4_EXTRACT_DHCP_ROUTER) -{ -const in_addr_t dhcp_router = dhcp_extract_router_msg(); -if (dhcp_router) -{ -route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); -} -} -} -else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), )) +/* possibly alter the TCP MSS */ +if (flags & PIP_MSSFIX) { -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv6(, c->c2.frame.mss_fix); -} -if (!(flags & PIP_OUTGOING) && (flags -&(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) -{ -ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); -/* Drop the IPv6 packet */ -buf->len = 0; -} - +mss_fixup_ipv4(, c->c2.frame.mss_fix); } + +/* possibly do NAT on packet */ +if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) +{ +const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; +client_nat_transform(c->options.client_nat, , direction); +} +/* possibly extract a DHCP router message */ +if (flags &
[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header
Attention is currently required from: its_Giaan, ordex. Hello flichtenheld, ordex, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/525?usp=email to look at the new patch set (#4). The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now. Change subject: Minor fix to process_ip_header .. Minor fix to process_ip_header Removed if-guard checking if any feature is enabled before performing per-feature check. It doesn't save us much but instead introduces uneeded complexity. While at it, fixed a typo IMCP -> ICMP for defined PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER macros. Fixes: Trac https://community.openvpn.net/openvpn/ticket/269 Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202 Signed-off-by: Gianmarco De Gregori --- M src/openvpn/forward.c M src/openvpn/forward.h M src/openvpn/multi.c 3 files changed, 49 insertions(+), 61 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/4 diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, >c2.buf); #ifdef PACKET_TRUNCATION_CHECK @@ -1644,73 +1644,60 @@ } if (!c->options.block_ipv6) { -flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); +flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +struct buffer ipbuf = *buf; +if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) { -struct buffer ipbuf = *buf; -if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), )) -{ #if PASSTOS_CAPABILITY -/* extract TOS from IP header */ -if (flags & PIPV4_PASSTOS) -{ -link_socket_extract_tos(c->c2.link_socket, ); -} +/* extract TOS from IP header */ +if (flags & PIPV4_PASSTOS) +{ +link_socket_extract_tos(c->c2.link_socket, ); +} #endif -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv4(, c->c2.frame.mss_fix); -} - -/* possibly do NAT on packet */ -if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) -{ -const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; -client_nat_transform(c->options.client_nat, , direction); -} -/* possibly extract a DHCP router message */ -if (flags & PIPV4_EXTRACT_DHCP_ROUTER) -{ -const in_addr_t dhcp_router = dhcp_extract_router_msg(); -if (dhcp_router) -{ -route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); -} -} -} -else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), )) +/* possibly alter the TCP MSS */ +if (flags & PIP_MSSFIX) { -/* possibly alter the TCP MSS */ -if (flags & PIP_MSSFIX) -{ -mss_fixup_ipv6(, c->c2.frame.mss_fix); -} -if (!(flags & PIP_OUTGOING) && (flags -&(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) -{ -ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); -/* Drop the IPv6 packet */ -buf->len = 0; -} - +mss_fixup_ipv4(, c->c2.frame.mss_fix); } + +/* possibly do NAT on packet */ +if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) +{ +const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; +client_nat_transform(c->options.client_nat, , direction); +} +/* possibly extract a DHCP router message */ +if (flags &