[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default
cron2 has uploaded a new patch set (#6) to the change originally created by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/529?usp=email ) Change subject: Persist-key: enable persist-key option by default .. Persist-key: enable persist-key option by default Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Trac: #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori Message-Id: <20240307140355.32644-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html Signed-off-by: Gert Doering --- M Changes.rst M doc/man-sections/connection-profiles.rst M doc/man-sections/generic-options.rst M doc/man-sections/link-options.rst M doc/man-sections/server-options.rst M doc/man-sections/signals.rst M doc/man-sections/unsupported-options.rst M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf M sample/sample-windows/sample.ovpn M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h 14 files changed, 24 insertions(+), 47 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/6 diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read
[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/529?usp=email ) Change subject: Persist-key: enable persist-key option by default .. Persist-key: enable persist-key option by default Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Trac: #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori Message-Id: <20240307140355.32644-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html Signed-off-by: Gert Doering --- M Changes.rst M doc/man-sections/connection-profiles.rst M doc/man-sections/generic-options.rst M doc/man-sections/link-options.rst M doc/man-sections/server-options.rst M doc/man-sections/signals.rst M doc/man-sections/unsupported-options.rst M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf M sample/sample-windows/sample.ovpn M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h 14 files changed, 24 insertions(+), 47 deletions(-) diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP
[Openvpn-devel] [PATCH applied] Re: Persist-key: enable persist-key option by default
Thanks for this. We discussed this and nobody seemed to remember why
persist-key was configurable really ("you could swap out the key + cert
while openvpn is running and then SIGUSR1 it", but yeah, who does this?)
- so thanks for throwing out these extra code paths.
Tested with the full server/client rig.
Your patch has been applied to the master branch.
commit 802fcce5448741bb1e34dd06ac3674b6b6c55a94
Author: Gianmarco De Gregori
Date: Thu Mar 7 15:03:55 2024 +0100
Persist-key: enable persist-key option by default
Signed-off-by: Gianmarco De Gregori
Message-Id: <20240307140355.32644-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28347.html
Signed-off-by: Gert Doering
--
kind regards,
Gert Doering
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v5] Persist-key: enable persist-key option by default
From: Gianmarco De Gregori Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Fixes: Trac #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/529 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated -remote IP address/port based on ``--persist-tun``, ``--persist-key``, -``--persist-local-ip`` and ``--persist-remote-ip`` options respectively -(see above). +remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` +and ``--persist-remote-ip`` options respectively (see above). This signal may also be internally generated by a timeout condition, governed by the ``--ping-restart`` option. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index a0c1232..11467ca 100644 ---
[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/529?usp=email to look at the new patch set (#5). The following approvals got outdated and were removed: Code-Review+2 by plaisthos The change is no longer submittable: Code-Review and checks~ChecksSubmitRule are unsatisfied now. Change subject: Persist-key: enable persist-key option by default .. Persist-key: enable persist-key option by default Change the default behavior of the OpenVPN configuration by enabling the persist-key option by default. This means that all the keys will be kept in memory across restart. Fixes: Trac #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori --- M Changes.rst M doc/man-sections/connection-profiles.rst M doc/man-sections/generic-options.rst M doc/man-sections/link-options.rst M doc/man-sections/server-options.rst M doc/man-sections/signals.rst M doc/man-sections/unsupported-options.rst M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf M sample/sample-windows/sample.ovpn M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h 14 files changed, 24 insertions(+), 47 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/5 diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. +All the keys will be kept in memory across restart. Overview of changes in 2.6 == diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 30c990d..f8a0f48 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 ---
[Openvpn-devel] [PATCH v5] Minor fix to process_ip_header
From: Gianmarco De Gregori
Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
uneeded complexity.
While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.
Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori
Acked-by: Arne Schwabe
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/525
This mail reflects revision 5 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe
Frank Lichtenheld
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
* us to examine the IP header (IPv4 or IPv6).
*/
unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
process_ip_header(c, flags, >c2.buf);
#ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
}
if (!c->options.block_ipv6)
{
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
}
if (buf->len > 0)
{
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
{
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
#if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
#endif
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, ,
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router =
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es,
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
{
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT |
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
- (bool)(flags &
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
}
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING :
CN_OUTGOING;
+client_nat_transform(c->options.client_nat, , direction);
+}
+/* possibly extract a DHCP router message */
+if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
+{
+const in_addr_t dhcp_router = dhcp_extract_router_msg();
+if (dhcp_router)
+{
+route_list_add_vpn_gateway(c->c1.route_list, c->c2.es,
dhcp_router);
+}
+}
+
[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header
Attention is currently required from: its_Giaan, ordex.
Hello flichtenheld, ordex, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email
to look at the new patch set (#5).
The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now.
Change subject: Minor fix to process_ip_header
..
Minor fix to process_ip_header
Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
uneeded complexity.
While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.
Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/5
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
* us to examine the IP header (IPv4 or IPv6).
*/
unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
process_ip_header(c, flags, >c2.buf);
#ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
}
if (!c->options.block_ipv6)
{
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
}
if (buf->len > 0)
{
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
{
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
#if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
#endif
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, ,
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router =
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es,
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
{
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT |
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
- (bool)(flags &
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
}
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING :
CN_OUTGOING;
+client_nat_transform(c->options.client_nat, , direction);
+}
+/* possibly extract a DHCP router message */
+if (flags &
[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header
Attention is currently required from: its_Giaan, ordex.
Hello flichtenheld, ordex, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email
to look at the new patch set (#4).
The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now.
Change subject: Minor fix to process_ip_header
..
Minor fix to process_ip_header
Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
uneeded complexity.
While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.
Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/forward.c
M src/openvpn/forward.h
M src/openvpn/multi.c
3 files changed, 49 insertions(+), 61 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/525/4
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 0443ca0..556c465 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1460,7 +1460,7 @@
* us to examine the IP header (IPv4 or IPv6).
*/
unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
- | PIPV6_IMCP_NOHOST_CLIENT;
+ | PIPV6_ICMP_NOHOST_CLIENT;
process_ip_header(c, flags, >c2.buf);
#ifdef PACKET_TRUNCATION_CHECK
@@ -1644,73 +1644,60 @@
}
if (!c->options.block_ipv6)
{
-flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
+flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
}
if (buf->len > 0)
{
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+struct buffer ipbuf = *buf;
+if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
{
-struct buffer ipbuf = *buf;
-if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), ))
-{
#if PASSTOS_CAPABILITY
-/* extract TOS from IP header */
-if (flags & PIPV4_PASSTOS)
-{
-link_socket_extract_tos(c->c2.link_socket, );
-}
+/* extract TOS from IP header */
+if (flags & PIPV4_PASSTOS)
+{
+link_socket_extract_tos(c->c2.link_socket, );
+}
#endif
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv4(, c->c2.frame.mss_fix);
-}
-
-/* possibly do NAT on packet */
-if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
-{
-const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING
: CN_OUTGOING;
-client_nat_transform(c->options.client_nat, ,
direction);
-}
-/* possibly extract a DHCP router message */
-if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
-{
-const in_addr_t dhcp_router =
dhcp_extract_router_msg();
-if (dhcp_router)
-{
-route_list_add_vpn_gateway(c->c1.route_list, c->c2.es,
dhcp_router);
-}
-}
-}
-else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), ))
+/* possibly alter the TCP MSS */
+if (flags & PIP_MSSFIX)
{
-/* possibly alter the TCP MSS */
-if (flags & PIP_MSSFIX)
-{
-mss_fixup_ipv6(, c->c2.frame.mss_fix);
-}
-if (!(flags & PIP_OUTGOING) && (flags
-&(PIPV6_IMCP_NOHOST_CLIENT |
PIPV6_IMCP_NOHOST_SERVER)))
-{
-ipv6_send_icmp_unreachable(c, buf,
- (bool)(flags &
PIPV6_IMCP_NOHOST_CLIENT));
-/* Drop the IPv6 packet */
-buf->len = 0;
-}
-
+mss_fixup_ipv4(, c->c2.frame.mss_fix);
}
+
+/* possibly do NAT on packet */
+if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
+{
+const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING :
CN_OUTGOING;
+client_nat_transform(c->options.client_nat, , direction);
+}
+/* possibly extract a DHCP router message */
+if (flags &
