[Openvpn-devel] [PATCH applied] Re: do_open_tun: restyle 'can preserve TUN' check

2022-08-13 Thread Gert Doering
This one really needs "git show -w"... and indeed, the old one was
amazingly ugly, including "confusing uncrustify enough so the 'else'
with no indent happened"...

Client-tested on Linux.

Your patch has been applied to the master branch.

commit bd139689a4d2f813081aaf93149eabee8d941731
Author: Antonio Quartulli
Date:   Fri Aug 12 15:06:48 2022 +0200

 do_open_tun: restyle 'can preserve TUN' check

 Signed-off-by: Antonio Quartulli 
 Acked-by: Lev Stipakov 
 Message-Id: <20220812130657.29899-...@unstable.cc>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24884.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-13 Thread Kristof Provost via Openvpn-devel
On 13 Aug 2022, at 10:10, Gert Doering wrote:
> On Thu, Aug 11, 2022 at 05:25:05PM +0200, Kristof Provost via Openvpn-devel 
> wrote:
>>>  - running openvpn over TCP gives me a kernel panic - this is not so
>>>nice... (see attached .png from the vmware console) - userland seems
>>>to assume "kernel can do TCP", kernel panics on "if !udp, panic()"
>>>(so intentional panic, not corruption panic).
>>>
>>>This is on freebsd git FreeBSD 14.0-CURRENT #1 main-n257130-c0665d5c824
>>>
>> I've pushed a fix for this panic in 
>> fd6b3bede5a5c210f327e5c9bd3e415ee905048b.
>> I simply didn't think that user space might give us a non-UDP
>> socket, so checking for that and rejecting the peer in that case
>> fixes the panic. Thanks for finding that.
>
> JFTR, I have tested "main-n257320-3a3af6b2a16" with the old DCO userland
> patch, and it no longer crashes.  Of course the TCP tests failed, because
> userland only sees "mmmh, it fails!" but has no idea it should fall back
> to non-DCO  (with the new userland patches, this works).
>
Thanks!

> In case you plan to include kernel TCP support, it would be good to
> have this "soonish" - like, before FreeBSD 14 and OpenVPN 2.6.0 release,
> because otherwise this will be a bit painful to synchronize.
>
There’s no plan to add TCP support at the moment.

Best regards,
Kristof




Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-13 Thread Gert Doering
Hi,

On Thu, Aug 11, 2022 at 05:25:05PM +0200, Kristof Provost via Openvpn-devel 
wrote:
> >  - running openvpn over TCP gives me a kernel panic - this is not so
> >nice... (see attached .png from the vmware console) - userland seems
> >to assume "kernel can do TCP", kernel panics on "if !udp, panic()"
> >(so intentional panic, not corruption panic).
> >
> >This is on freebsd git FreeBSD 14.0-CURRENT #1 main-n257130-c0665d5c824
> >
> I've pushed a fix for this panic in 
> fd6b3bede5a5c210f327e5c9bd3e415ee905048b.
> I simply didn't think that user space might give us a non-UDP
> socket, so checking for that and rejecting the peer in that case
> fixes the panic. Thanks for finding that.

JFTR, I have tested "main-n257320-3a3af6b2a16" with the old DCO userland
patch, and it no longer crashes.  Of course the TCP tests failed, because
userland only sees "mmmh, it fails!" but has no idea it should fall back
to non-DCO  (with the new userland patches, this works).

In case you plan to include kernel TCP support, it would be good to
have this "soonish" - like, before FreeBSD 14 and OpenVPN 2.6.0 release,
because otherwise this will be a bit painful to synchronize.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH 1/2] ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-13 Thread Kristof Provost via Openvpn-devel
On 11 Aug 2022, at 23:11, Gert Doering wrote:
> If you're interested, I can unicast you the full file I use for
> my DCO client tests, with different ciphers, some instances with
> compression (= does it properly fall back?), some with http/socks
> proxy, etc., plus a set of client+ca certificates to run against
> our test server.
>
That’d be useful, yes. I’ve not yet been able to get the tests to run the way 
they’re supposed to.

Best regards,
Kristof




[Openvpn-devel] [PATCH] do_close_tun: get rid of one level of indentation

2022-08-13 Thread Antonio Quartulli
OpenVPN often uses a multi-indentation pattern with no real gain:

    if (a)
    {
        if (b)
        {
            ...
        }
    }

This approach makes the code harder to read because a lot of space is
eaten by indentation.

Cases like this can be easily converted by negating the first condition
and exiting immediately:

    if (!a)
    {
        return;
    }

    if (b)
    {
        ...
    }

Apply this change to do_close_tun() only for now in order to make the
function a bit easier to read.

Ideally, this approach should be adopted for other parts of the code as
well.

NOTE: this patch is better viewed with "git show -w" as the real change
is only about 3 lines. The rest is indentation change.

Signed-off-by: Antonio Quartulli 
---

** the dco-win patchset is based on this patch. I should have sent this
earlier, but it slipped off.

 src/openvpn/init.c | 174 +++--
 1 file changed, 88 insertions(+), 86 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d67bc5d1..82a57bef 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1924,65 +1924,38 @@ do_close_tun_simple(struct context *c)
 static void
 do_close_tun(struct context *c, bool force)
 {
-struct gc_arena gc = gc_new();
-if (c->c1.tuntap && c->c1.tuntap_owned)
+if (!c->c1.tuntap || !c->c1.tuntap_owned)
 {
-const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, 
);
+return;
+}
+
+struct gc_arena gc = gc_new();
+const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, );
 #ifdef _WIN32
-DWORD adapter_index = c->c1.tuntap->adapter_index;
+DWORD adapter_index = c->c1.tuntap->adapter_index;
 #endif
-const in_addr_t local = c->c1.tuntap->local;
-const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
+const in_addr_t local = c->c1.tuntap->local;
+const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
 
-if (force || !(c->sig->signal_received == SIGUSR1 && 
c->options.persist_tun))
-{
-static_context = NULL;
+if (force || !(c->sig->signal_received == SIGUSR1 && 
c->options.persist_tun))
+{
+static_context = NULL;
 
 #ifdef ENABLE_MANAGEMENT
-/* tell management layer we are about to close the TUN/TAP device 
*/
-if (management)
-{
-management_pre_tunnel_close(management);
-management_up_down(management, "DOWN", c->c2.es);
-}
-#endif
-
-/* delete any routes we added */
-if (c->c1.route_list || c->c1.route_ipv6_list)
-{
-run_up_down(c->options.route_predown_script,
-c->plugins,
-OPENVPN_PLUGIN_ROUTE_PREDOWN,
-tuntap_actual,
-#ifdef _WIN32
-adapter_index,
+/* tell management layer we are about to close the TUN/TAP device */
+if (management)
+{
+management_pre_tunnel_close(management);
+management_up_down(management, "DOWN", c->c2.es);
+}
 #endif
-NULL,
-c->c2.frame.tun_mtu,
-print_in_addr_t(local, IA_EMPTY_IF_UNDEF, ),
-print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, 
),
-"init",
-signal_description(c->sig->signal_received,
-   c->sig->signal_text),
-"route-pre-down",
-c->c2.es);
-
-delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
-  c->c1.tuntap, ROUTE_OPTION_FLAGS(>options),
-  c->c2.es, >net_ctx);
-}
 
-/* actually close tun/tap device based on --down-pre flag */
-if (!c->options.down_pre)
-{
-do_close_tun_simple(c);
-}
-
-/* Run the down script -- note that it will run at reduced
- * privilege if, for example, "--user nobody" was used. */
-run_up_down(c->options.down_script,
+/* delete any routes we added */
+if (c->c1.route_list || c->c1.route_ipv6_list)
+{
+run_up_down(c->options.route_predown_script,
 c->plugins,
-OPENVPN_PLUGIN_DOWN,
+OPENVPN_PLUGIN_ROUTE_PREDOWN,
 tuntap_actual,
 #ifdef _WIN32
 adapter_index,
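Review bot: in do_close_tun(), `struct gc_arena gc = gc_new();` now sits below the new early return, so any exit added after it later has to release the arena, and the matching free is not visible in this hunk. A one-line comment next to the gc_new() line saying that no return may follow without freeing gc would keep later edits from leaking it. The early return itself is safe because nothing has been allocated at that point.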
@@ -1994,59 +1967,88 @@ do_close_tun(struct context *c, bool force)
 "init",
 signal_description(c->sig->signal_received,
c->sig->signal_text),
-"down",
+"route-pre-down",
 c->c2.es);
 
+

[Openvpn-devel] [PATCH applied] Re: ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-13 Thread Gert Doering
Acked-by: Gert Doering 

Stared at the code, stared at the diff, the changes are what I asked
for (thanks :-) ).  I'm sure we'll find more stuff to polish, but I want
this to proceed so the merge conflict with dco-win can be fixed by 
rebasing that other tree... (which is needed anyway).

Uncrustify complained about a few tab-vs-space things, which I adjusted
(mostly in ovpn_dco_freebsd.h).

I have also adjusted the "TCP is bah" message to be more in line with
the other "does not work with DCO" messages:

+msg(msglevel, "NOTE: TCP transport disables data channel offload on 
FreeBSD.");

(and indeed, this is what it does -> tests 1* succeed now)


I have tested this on Linux and FreeBSD "without DCO" (full client and
server test, though there is no actual new code that would be compiled
for Linux or for non-DCO FreeBSD), Linux "with DCO" (works), and 
FreeBSD 14 with DCO enabled, which looks good, besides the "double fragment
fails" issue - which is not a userland thing.

So far I have only tested the client side (p2p), the server side needs
the iroute patch in 2/2 for full test coverage - "soon".

Your patch has been applied to the master branch.

commit f08fcc2f1eb15941292d6e4e520642a4e474fd1e
Author: Kristof Provost
Date:   Fri Aug 12 15:41:53 2022 +0200

 ovpn-dco: introduce FreeBSD data-channel offload support

 Signed-off-by: Kristof Provost 
 Acked-by: Gert Doering 
 Message-Id: <20220812134154.16729-2-kprov...@netgate.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24894.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering
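
The two points from this thread (the kernel side rejects a non-UDP socket from user space instead of panicking, and userland disables DCO for TCP and falls back) sketched as a userland C analogue. This is an added example, not code from OpenVPN or the FreeBSD kernel module; `dco_socket_check`, `dco_transport_ok` and `probe_transport` are hypothetical names.

```c
/* Added illustration, not OpenVPN or FreeBSD code. All function names
 * below are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Validate a descriptor supplied by a caller before using it as the
 * offload transport. Returns 0 for a datagram IPv4/IPv6 socket, otherwise
 * a negative errno value. A wrong descriptor is bad input to be refused,
 * not an internal invariant to assert on.
 */
int
dco_socket_check(int fd)
{
    int type = 0;
    socklen_t len = sizeof(type);

    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0)
    {
        return -errno;        /* EBADF: not open, ENOTSOCK: not a socket */
    }
    if (type != SOCK_DGRAM)
    {
        return -EPROTOTYPE;   /* e.g. a TCP (SOCK_STREAM) socket */
    }

    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof(ss));
    len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
    {
        return -errno;
    }
    if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6)
    {
        return -EAFNOSUPPORT; /* e.g. an AF_UNIX datagram socket */
    }
    return 0;
}

/*
 * Caller side: decide up front whether offload can be used for this
 * transport. On refusal the caller keeps the socket and runs the data
 * channel itself instead of treating the refusal as a fatal error.
 */
bool
dco_transport_ok(int fd, char *reason, size_t reason_len)
{
    int err = dco_socket_check(fd);

    if (err == 0)
    {
        snprintf(reason, reason_len, "offload possible");
        return true;
    }
    if (err == -EPROTOTYPE)
    {
        snprintf(reason, reason_len, "not a UDP socket, offload disabled");
    }
    else
    {
        snprintf(reason, reason_len, "socket refused: %s", strerror(-err));
    }
    return false;
}

/* Create a throwaway socket of the given kind and run the check on it. */
int
probe_transport(int domain, int type)
{
    int fd = socket(domain, type, 0);
    if (fd < 0)
    {
        return -errno;
    }
    int ret = dco_socket_check(fd);
    close(fd);
    return ret;
}

int
main(void)
{
    char why[64];
    int tcp = socket(AF_INET, SOCK_STREAM, 0);

    printf("udp:  %d\n", probe_transport(AF_INET, SOCK_DGRAM));
    printf("tcp:  %d\n", probe_transport(AF_INET, SOCK_STREAM));
    printf("unix: %d\n", probe_transport(AF_UNIX, SOCK_DGRAM));
    if (!dco_transport_ok(tcp, why, sizeof(why)))
    {
        printf("fallback: %s\n", why);
    }
    if (tcp >= 0)
    {
        close(tcp);
    }
    return 0;
}
```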





Re: [Openvpn-devel] [PATCH applied] Re: ovpn-dco: introduce FreeBSD data-channel offload support

2022-08-13 Thread Gert Doering
Hi,

On Sat, Aug 13, 2022 at 02:22:55PM +0200, Gert Doering wrote:
> Uncrustify complained about a few tab-vs-space things, which I adjusted
> (mostly in ovpn_dco_freebsd.h).

And promptly forgot to do "git commit --amend" on *both* files.  So
here comes a whitespace correction commit again...

commit 702a4a2c237842bb4adef5de98d82746e5715f78 (HEAD -> master)
Author: Gert Doering 
Date:   Sat Aug 13 14:44:38 2022 +0200

Apply uncrustify changes that were forgotten in the FreeBSD DCO 1/2 patch.

*sigh*

I need to be away from the keyboard now, and bake a cake for a change :-)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH applied] Re: do_close_tun: get rid of one level of indentation

2022-08-13 Thread Gert Doering
Acked-by: Gert Doering 

Side note: Arne has changed quite a few functions in this way during
TLS/Frame stuff refactorings, so this is "the agreed way" to handle
"we can not do anything here if this is not true" clauses.

Mildly tested on FreeBSD client.

Your patch has been applied to the master branch.

commit c05a0502b168fbb1b3b3b1071cee6b7e435cfb89
Author: Antonio Quartulli
Date:   Sat Aug 13 14:04:28 2022 +0200

 do_close_tun: get rid of one level of indentation

 Signed-off-by: Antonio Quartulli 
 Acked-by: Gert Doering 
 Message-Id: <20220813120428.6767-...@unstable.cc>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24908.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH v101 2/7] dco-win: check for incompatible options

2022-08-13 Thread Antonio Quartulli
At the moment dco-win doesn't support --persist-tun and --server,
so check for these options at startup time.

Signed-off-by: Antonio Quartulli 
Signed-off-by: Lev Stipakov 
---
Changes from v100:
* improved commit title/message
---
 src/openvpn/dco.c | 17 +++--
 src/openvpn/options.c |  5 +
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index b342bee1..dcb570f9 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -221,7 +221,20 @@ dco_update_keys(dco_context_t *dco, struct tls_multi 
*multi)
 static bool
 dco_check_option_conflict_platform(int msglevel, const struct options *o)
 {
-#if defined(TARGET_LINUX)
+#if defined(_WIN32)
+if (o->mode == MODE_SERVER)
+{
+msg(msglevel, "Only client and p2p data channel offload is supported "
+"with ovpn-dco-win.");
+return false;
+}
+
+if (o->persist_tun)
+{
+msg(msglevel, "--persist-tun is not supported with ovpn-dco-win.");
+return false;
+}
+#elif defined(TARGET_LINUX)
 /* if the device name is fixed, we need to check if an interface with this
  * name already exists. IF it does, it must be a DCO interface, otherwise
  * DCO has to be disabled in order to continue.
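Review bot: the new `#if defined(_WIN32)` branch of dco_check_option_conflict_platform() rejects server mode and --persist-tun on every Windows build without looking at which driver is selected, so it is only correct while every caller gates on the driver first, as the options.c hunk of this patch does with `options->windows_driver == WINDOWS_DRIVER_DCO`. Either state that precondition in a comment above the function or test the driver inside the branch.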
@@ -246,7 +259,7 @@ dco_check_option_conflict_platform(int msglevel, const 
struct options *o)
 strerror(-ret), ret);
 }
 }
-#endif /* if defined(TARGET_LINUX) */
+#endif /* if defined(_WIN32) */
 return true;
 }
 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 14cb4cc4..cec6cf10 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2450,6 +2450,11 @@ options_postprocess_verify_ce(const struct options 
*options,
 {
 msg(M_USAGE, "--windows-driver wintun requires --dev tun");
 }
+
+if (options->windows_driver == WINDOWS_DRIVER_DCO)
+{
+dco_check_option_conflict(M_USAGE, options);
+}
 #endif /* ifdef _WIN32 */
 
 /*
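Review bot: the call added to options_postprocess_verify_ce() discards the bool returned by dco_check_option_conflict(), so an incompatible option is rejected here only if msg() at M_USAGE does not return. If that is the intent, say so in a comment at the call; otherwise act on the return value.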
-- 
2.35.1





[Openvpn-devel] [PATCH v101 3/7] dco-win: implement ovpn-dco support in P2P Windows code path

2022-08-13 Thread Antonio Quartulli
With this change it is possible to use ovpn-dco-win when running OpenVPN
in client or P2P mode.

Signed-off-by: Arne Schwabe 
Signed-off-by: Lev Stipakov 
Signed-off-by: Antonio Quartulli 
---
Changes from v100:
* rebased (fixed conflicts in options.h and tun.h)

Changes from v3:
* rename WINDOWS_DRIVER_WINDCO to WINDOWS_DRIVER_DCO
* add reference string check

Changes from v2:
* added is_tun_type_set() and removed real_tun_init flag
* moved link-close to do_close_tun()

Changes from v1:
* use suffix _dco_win instead of _windco
* create helper function to retrieve last error from socket object
---
 src/openvpn/forward.c |  8 
 src/openvpn/init.c| 33 ---
 src/openvpn/options.c | 23 ---
 src/openvpn/options.h | 15 +++
 src/openvpn/socket.c  | 93 ---
 src/openvpn/socket.h  | 25 
 src/openvpn/tun.c | 52 +++-
 src/openvpn/tun.h | 66 +++---
 8 files changed, 255 insertions(+), 60 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 14ad24fa..f6d416a3 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -864,9 +864,17 @@ read_incoming_link(struct context *c)
 return;
 }
 
+/* check_status() call below resets last-error code */
+bool dco_win_timeout = tuntap_is_dco_win_timeout(c->c1.tuntap, status);
+
 /* check recvfrom status */
 check_status(status, "read", c->c2.link_socket, NULL);
 
+if (dco_win_timeout)
+{
+trigger_ping_timeout_signal(c);
+}
+
 /* Remove socks header if applicable */
 socks_postprocess_incoming_link(c);
 
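Review bot: in read_incoming_link(), after `trigger_ping_timeout_signal(c)` the function still falls through to socks_postprocess_incoming_link() on a read that timed out. If nothing below is meant to run in that case, return right after raising the signal; if the fall-through is deliberate, the comment should say so. The comment explaining why dco_win_timeout is sampled before check_status() is useful and should stay.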
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 4d4c7192..0610f070 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1699,7 +1699,8 @@ do_init_tun(struct context *c)
 c->c1.link_socket_addr.remote_list,
 !c->options.ifconfig_nowarn,
 c->c2.es,
->net_ctx);
+>net_ctx,
+c->c1.tuntap);
 
 #ifdef _WIN32
 c->c1.tuntap->windows_driver = c->options.windows_driver;
@@ -1723,7 +1724,7 @@ can_preserve_tun(struct tuntap *tt)
 #ifdef TARGET_ANDROID
 return false;
 #else
-return tt;
+return is_tun_type_set(tt);
 #endif
 }
 
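Review bot: can_preserve_tun() used to yield false for a NULL tt through `return tt;`, and the replacement `return is_tun_type_set(tt);` keeps that only if is_tun_type_set() tolerates a NULL pointer, which this hunk does not show. Confirm the helper checks for NULL, or write `tt && is_tun_type_set(tt)`.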
@@ -1810,9 +1811,12 @@ do_open_tun(struct context *c)
 ovpn_dco_init(c->mode, >c1.tuntap->dco);
 }
 
-/* open the tun device */
-open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
- c->c1.tuntap, >net_ctx);
+/* open the tun device (ovpn-dco-win already opened the device for the 
socket) */
+if (!tuntap_is_dco_win(c->c1.tuntap))
+{
+open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
+ c->c1.tuntap, >net_ctx);
+}
 
 /* set the hardware address */
 if (c->options.lladdr)
@@ -1930,6 +1934,16 @@ do_close_tun_simple(struct context *c)
 static void
 do_close_tun(struct context *c, bool force)
 {
+/* With dco-win we open tun handle in the very beginning.
+ * In case when tun wasn't opened - like we haven't connected,
+ * we still need to close tun handle
+ */
+if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
+{
+do_close_tun_simple(c);
+return;
+}
+
 if (!c->c1.tuntap || !c->c1.tuntap_owned)
 {
 return;
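Review bot: the block added at the top of do_close_tun() calls tuntap_is_dco_win() and is_tun_type_set() on c->c1.tuntap before the existing `!c->c1.tuntap` test, and it reaches do_close_tun_simple() without consulting c->c1.tuntap_owned. Both helpers therefore have to accept NULL, and closing a handle this context may not own needs a justification in the comment; otherwise move the NULL check above the new block and add the ownership test to its condition.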
@@ -3570,6 +3584,15 @@ do_close_free_key_schedule(struct context *c, bool 
free_ssl_ctx)
 static void
 do_close_link_socket(struct context *c)
 {
+/* in dco-win case, link socket is a tun handle which is
+ * closed in do_close_tun(). Set it to UNDEFINED so
+ * we won't use WinSock API to close it. */
+if (tuntap_is_dco_win(c->c1.tuntap) && c->c2.link_socket
+&& c->c2.link_socket->info.dco_installed)
+{
+c->c2.link_socket->sd = SOCKET_UNDEFINED;
+}
+
 if (c->c2.link_socket && c->c2.link_socket_owned)
 {
 link_socket_close(c->c2.link_socket);
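Review bot: in do_close_link_socket(), sd is set to SOCKET_UNDEFINED independently of the `c->c2.link_socket_owned` test that follows, so from this point the underlying handle is released only if do_close_tun() runs and takes its dco-win path. State in the comment which call is guaranteed to close the handle on every teardown path, and note that tuntap_is_dco_win() is again called on a possibly NULL c->c1.tuntap.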
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index cec6cf10..966d6da9 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3343,9 +3343,11 @@ options_postprocess_mutate_invariant(struct options 
*options)
 #ifdef _WIN32
 const int dev = dev_type_enum(options->dev, options->dev_type);
 
-/* when using wintun, kernel doesn't send DHCP requests, so don't use it */
-if (options->windows_driver == WINDOWS_DRIVER_WINTUN
-&& (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ || 
options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
+/* when using wintun/ovpn-dco-win, kernel doesn't send DHCP requests, so 
don't use it */
+if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
+ || options->windows_driver == WINDOWS_DRIVER_DCO)
+&& 

[Openvpn-devel] [PATCH v101 1/7] dco-win: introduce low-level code for handling ovpn-dco-win in Windows

2022-08-13 Thread Antonio Quartulli
Signed-off-by: Arne Schwabe 
Signed-off-by: Lev Stipakov 
Signed-off-by: Antonio Quartulli 
---

Changes from v100:
* rebased (fixed conflict in configure.ac)
* fixed access to disable_dco member in dco.c
* renamed ovpn-dco-win.h to ovpn_dco_win.h
* make tun_open_device and close_tun_handle non static
* add ASSERT(0) to functions that should not be called on Windows
* remove real_tun_init member (unused now)
---
 config-msvc.h   |   2 +
 configure.ac|   9 +-
 dev-tools/special-files.lst |   1 +
 src/openvpn/Makefile.am |   4 +-
 src/openvpn/dco.c   |   2 +-
 src/openvpn/dco_internal.h  |   1 +
 src/openvpn/dco_win.c   | 400 
 src/openvpn/dco_win.h   |  57 
 src/openvpn/openvpn.vcxproj |   3 +
 src/openvpn/openvpn.vcxproj.filters |   9 +
 src/openvpn/ovpn_dco_win.h  | 108 
 src/openvpn/tun.c   |   4 +-
 src/openvpn/tun.h   |  10 +-
 13 files changed, 602 insertions(+), 8 deletions(-)
 create mode 100644 src/openvpn/dco_win.c
 create mode 100644 src/openvpn/dco_win.h
 create mode 100644 src/openvpn/ovpn_dco_win.h

diff --git a/config-msvc.h b/config-msvc.h
index b08beb52..b621f3fb 100644
--- a/config-msvc.h
+++ b/config-msvc.h
@@ -87,3 +87,5 @@ typedef uint16_t in_port_t;
 #ifdef HAVE_CONFIG_MSVC_LOCAL_H
 #include 
 #endif
+
+#define ENABLE_DCO 1
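Review bot: `#define ENABLE_DCO 1` is added unguarded after the HAVE_CONFIG_MSVC_LOCAL_H include, so a local config header cannot turn DCO off and one that defines ENABLE_DCO itself produces a redefinition. If MSVC builds are meant to carry DCO unconditionally, note that next to the define; otherwise wrap it in `#ifndef ENABLE_DCO`.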
diff --git a/configure.ac b/configure.ac
index f715b404..be31889e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -144,7 +144,7 @@ AC_ARG_ENABLE(
 
 AC_ARG_ENABLE(
[dco],
-   [AS_HELP_STRING([--enable-dco], [enable data channel offload support 
using ovpn-dco kernel module @<:@default=no@:>@])],
+   [AS_HELP_STRING([--enable-dco], [enable data channel offload support 
using the ovpn-dco kernel module (always enabled on Windows) 
@<:@default=no@:>@])],
,
[enable_dco="no"]
 )
@@ -328,6 +328,7 @@ case "$host" in
;;
*-mingw*)
AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?])
+   AC_DEFINE([ENABLE_DCO], [1], [DCO is always enabled on Windows])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["W"], [Target prefix])
CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN"
CPPFLAGS="${CPPFLAGS} -DNTDDI_VERSION=NTDDI_VISTA 
-D_WIN32_WINNT=_WIN32_WINNT_VISTA"
@@ -772,7 +773,6 @@ if test "$enable_dco" = "yes"; then
 dnl
 dnl Include generic netlink library used to talk to ovpn-dco
 dnl
-
case "$host" in
*-*-linux*)
PKG_CHECK_MODULES([LIBNL_GENL],
@@ -792,8 +792,11 @@ dnl
AC_DEFINE(ENABLE_DCO, 1, [Enable data channel offload 
for FreeBSD])
AC_MSG_NOTICE([Enabled ovpn-dco support for FreeBSD])
;;
+   *-mingw*)
+   AC_MSG_NOTICE([NOTE: --enable-dco ignored on Windows 
because it's always enabled])
+   ;;
*)
-   AC_MSG_NOTICE([Ignoring --enable-dco on non Linux 
platform])
+   AC_MSG_NOTICE([Ignoring --enable-dco on non supported 
platform])
;;
esac
 fi
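Review bot: in the `*)` arm the new notice reads "non supported platform"; "unsupported platform" is the usual wording. The new `*-mingw*` arm only prints a notice, so "always enabled" rests on the AC_DEFINE([ENABLE_DCO]) added to the host case earlier in this patch; a dnl comment pointing there would help the next reader.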
diff --git a/dev-tools/special-files.lst b/dev-tools/special-files.lst
index 33e830d7..e5f2fc27 100644
--- a/dev-tools/special-files.lst
+++ b/dev-tools/special-files.lst
@@ -2,3 +2,4 @@ E:doc/doxygen/doc_key_generation.h # @verbatim section gets 
mistreated, excl
 E:src/compat/compat-lz4.c  # Preserve LZ4 upstream formatting
 E:src/compat/compat-lz4.h  # Preserve LZ4 upstream formatting
 E:src/openvpn/ovpn_dco_linux.h # Preserve ovpn-dco upstream formatting
+E:src/openvpn/ovpn_dco_win.h   # Preserve ovpn-dco-win upstream 
formatting
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 2a139b23..936d038c 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -56,6 +56,7 @@ openvpn_SOURCES = \
dco.c dco.h dco_internal.h \
dco_freebsd.c dco_freebsd.h \
dco_linux.c dco_linux.h \
+   dco_win.c dco_win.h \
dhcp.c dhcp.h \
dns.c dns.h \
env_set.c env_set.h \
@@ -79,6 +80,7 @@ openvpn_SOURCES = \
memdbg.h \
misc.c misc.h \
ovpn_dco_linux.h \
+   ovpn_dco_win.h \
platform.c platform.h \
console.c console.h console_builtin.c console_systemd.c \
mroute.c mroute.h \
@@ -152,5 +154,5 @@ openvpn_LDADD = \
$(OPTIONAL_INOTIFY_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h 
ring_buffer.h
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm 
-lfwpuclnt -lrpcrt4 -lncrypt -lsetupapi
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm 
-lfwpuclnt -lrpcrt4 -lncrypt -lsetupapi -lbcrypt
 endif
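Review bot: the WIN32 openvpn_LDADD line gains `-lbcrypt`, but neither the commit message (sign-offs only) nor the v100 changelog says which new code needs it. Name the user of that library in the commit message.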
diff --git a/src/openvpn/dco.c 

[Openvpn-devel] [PATCH v101 6/7] dco-win: ensure the DCO API is not used when running on Windows

2022-08-13 Thread Antonio Quartulli
On Windows the high level API should still use the link_socket object to
read and write packets. For this reason, even if dco_installed is true,
we still need to rely on the classic link_socket object.

Signed-off-by: Antonio Quartulli 
---
Changes from v100:
* removed ASSERTs (moved to previous patch)
* improve comment text in forward.c
---
 src/openvpn/forward.c | 22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index f6d416a3..1ee42197 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1601,6 +1601,26 @@ process_ip_header(struct context *c, unsigned int flags, 
struct buffer *buf)
 }
 }
 
+/* Linux-like DCO implementations pass the socket to the kernel and
+ * disallow usage of it from userland, so (control) packets sent and
+ * received by OpenVPN need to go through the DCO interface.
+ *
+ * Windows DCO needs control packets to be sent via the normal
+ * Socket API.
+ *
+ * Hide that complexity (...especially if more platforms show up
+ * in future...) in a small inline function.
+ */
+static bool
+should_use_dco_socket(struct link_socket *sock)
+{
+#if defined(TARGET_LINUX)
+return sock->info.dco_installed;
+#else
+return false;
+#endif
+}
+
 /*
  * Input: c->c2.to_link
  */
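Review bot: should_use_dco_socket() returns sock->info.dco_installed only under `#if defined(TARGET_LINUX)`, while its comment speaks of "Linux-like DCO implementations"; every other platform built with DCO, including the FreeBSD support applied earlier in this thread, now gets false and sends through the link socket. Check whether FreeBSD belongs in the condition. The comment also calls this a "small inline function" although it is declared `static bool` without inline.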
@@ -1674,7 +1694,7 @@ process_outgoing_link(struct context *c)
 socks_preprocess_outgoing_link(c, _addr, _delta);
 
 /* Send packet */
-if (c->c2.link_socket->info.dco_installed)
+if (should_use_dco_socket(c->c2.link_socket))
 {
 size = dco_do_write(>c1.tuntap->dco,
 c->c2.tls_multi->peer_id,
-- 
2.35.1





[Openvpn-devel] [PATCH v101 5/7] dco-win: update GH Actions config file

2022-08-13 Thread Antonio Quartulli
Signed-off-by: Lev Stipakov 
Signed-off-by: Antonio Quartulli 
---
 .github/workflows/build.yaml | 7 +--
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index c89d3c8c..6bd108b9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -59,11 +59,6 @@ jobs:
 steps:
   - name: Install dependencies
 run: sudo apt update && sudo apt install -y mingw-w64 libtool automake 
autoconf man2html unzip
-  - name: Checkout ovpn-dco-win
-uses: actions/checkout@v2
-with:
-  repository: OpenVPN/ovpn-dco-win
-  path: ovpn-dco-win
   - name: Checkout OpenVPN
 uses: actions/checkout@v2
 with:
@@ -151,7 +146,7 @@ jobs:
 run: cp ./tap-windows-${TAP_WINDOWS_VERSION}/include/tap-windows.h 
${HOME}/mingw/opt/include/
 
   - name: configure OpenVPN
-run: PKG_CONFIG_PATH=${HOME}/mingw/opt/lib/pkgconfig 
DCO_SOURCEDIR=$(realpath ../ovpn-dco-win) LDFLAGS=-L$HOME/mingw/opt/lib 
CFLAGS=-I$HOME/mingw/opt/include OPENSSL_LIBS="-L${HOME}/opt/lib -lssl 
-lcrypto" OPENSSL_CFLAGS=-I$HOME/mingw/opt/include PREFIX=$HOME/mingw/opt 
LZO_CFLAGS=-I$HOME/mingw/opt/include LZO_LIBS="-L${HOME}/mingw/opt/lib -llzo2" 
./configure  --host=${CHOST} --disable-lz4 --enable-dco
+run: PKG_CONFIG_PATH=${HOME}/mingw/opt/lib/pkgconfig 
LDFLAGS=-L$HOME/mingw/opt/lib CFLAGS=-I$HOME/mingw/opt/include 
OPENSSL_LIBS="-L${HOME}/opt/lib -lssl -lcrypto" 
OPENSSL_CFLAGS=-I$HOME/mingw/opt/include PREFIX=$HOME/mingw/opt 
LZO_CFLAGS=-I$HOME/mingw/opt/include LZO_LIBS="-L${HOME}/mingw/opt/lib -llzo2" 
./configure  --host=${CHOST} --disable-lz4
 working-directory: openvpn
 
   - name: build OpenVPN
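Review bot: the configure step drops both `DCO_SOURCEDIR=$(realpath ../ovpn-dco-win)` and `--enable-dco`, and the commit message has no body explaining why the mingw job no longer needs them. Say in the message that ovpn_dco_win.h is now in-tree and ENABLE_DCO is always defined for mingw by patch 1/7, so the workflow change is not read as disabling DCO in CI.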
-- 
2.35.1





[Openvpn-devel] [PATCH v101 7/7] dco: properly name variables

2022-08-13 Thread Antonio Quartulli
renamed remote_addrX variables to vpn_addrX to make it clear that they
refer to the address over the VPN/tunnel

Signed-off-by: Antonio Quartulli 
---
 src/openvpn/dco.c | 17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index dcb570f9..0b56eec4 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -561,19 +561,20 @@ dco_multi_add_new_peer(struct multi_context *m, struct 
multi_instance *mi)
 remoteaddr = >c2.link_socket_info->lsa->actual.dest.addr.sa;
 }
 
-struct in_addr remote_ip4 = { 0 };
-struct in6_addr *remote_addr6 = NULL;
-struct in_addr *remote_addr4 = NULL;
-
 /* In server mode we need to fetch the remote addresses from the push 
config */
+
+struct in_addr vpn_ip4 = { 0 };
+struct in_addr *vpn_addr4 = NULL;
 if (c->c2.push_ifconfig_defined)
 {
-remote_ip4.s_addr =  htonl(c->c2.push_ifconfig_local);
-remote_addr4 = _ip4;
+vpn_ip4.s_addr =  htonl(c->c2.push_ifconfig_local);
+vpn_addr4 = _ip4;
 }
+
+struct in6_addr *vpn_addr6 = NULL;
 if (c->c2.push_ifconfig_ipv6_defined)
 {
-remote_addr6 = >c2.push_ifconfig_ipv6_local;
+vpn_addr6 = >c2.push_ifconfig_ipv6_local;
 }
 
 if (dco_multi_get_localaddr(m, mi, ))
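Review bot: the comment "In server mode we need to fetch the remote addresses from the push config" still says "remote addresses" after the variables were renamed to vpn_*, and the blank line added under it detaches it from the code it describes. Reword it to name the VPN addresses and keep it directly above `struct in_addr vpn_ip4`.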
@@ -582,7 +583,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct 
multi_instance *mi)
 }
 
 int ret = dco_new_peer(>c1.tuntap->dco, peer_id, sd, localaddr,
-   remoteaddr, remote_addr4, remote_addr6);
+   remoteaddr, vpn_addr4, vpn_addr6);
 if (ret < 0)
 {
 return ret;
-- 
2.35.1





[Openvpn-devel] [PATCH v101 4/7] dco-win: add documentation to README.dco.md

2022-08-13 Thread Antonio Quartulli
Signed-off-by: Arne Schwabe 
Signed-off-by: Lev Stipakov 
Signed-off-by: Antonio Quartulli 
---
Changes from v100:
* add URL to windows installer (openvpn+dco) and modify text
---
 README.dco.md | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.dco.md b/README.dco.md
index c38d3de3..aa93d667 100644
--- a/README.dco.md
+++ b/README.dco.md
@@ -57,6 +57,13 @@ see a message like
 in your log.
 
 
+Getting started (Windows)
+-
+The simplest way to test DCO under Windows is to download the latest installer
+from https://build.openvpn.net/downloads/snapshots/github-actions/openvpn2/ .
+This installer contains the latest OpenVPN code and the ovpn-dco-win driver.
+
+
 DCO and P2P mode
 
 DCO is also available when running OpenVPN in P2P mode without `--pull` /
@@ -111,7 +118,9 @@ Limitations by design
   - older versions are missing support for the AEAD ciphers;
 - topology subnet is the only supported `--topology` for servers;
 - iroute directives install routes on the host operating system, see also
-  Routing with ovpn-dco.
+  Routing with ovpn-dco;
+- (ovpn-dco-win) client and p2p mode only;
+- (ovpn-dco-win) Chacha20-Poly1305 support available starting with Windows 11.
 
 
 Current implementation limitations
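Review bot: the two ovpn-dco-win entries added to "Limitations by design" omit --persist-tun, which patch 2/7 of this series rejects at startup for ovpn-dco-win; list it here or under "Current implementation limitations". "Chacha20-Poly1305" is also normally written ChaCha20-Poly1305.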
-- 
2.35.1





Re: [Openvpn-devel] [PATCH v101 1/7] dco-win: introduce low-level code for handling ovpn-dco-win in Windows

2022-08-13 Thread Lev Stipakov
I stared at the code, tested with tap-windows6 with this commit and with
dco driver with the latest commit in dco branch, works as expected.

All my concerns are resolved. I am still not sure if it is worth splitting the
implementation into two parts - this commit introduces a set of functions
which are not called yet - I am OK with that if it makes the code easier to
review.

Disclaimer: I contributed some code to this commit, so I might be slightly
biased.

Acked-by: Lev Stipakov 


On Sat, 13 Aug 2022 at 23.43, Antonio Quartulli (a...@unstable.cc) wrote:

> Signed-off-by: Arne Schwabe 
> Signed-off-by: Lev Stipakov 
> Signed-off-by: Antonio Quartulli 
> ---
>
> Changes from v100:
> * rebased (fixed conflict in configure.ac)
> * fixed access to disable_dco member in dco.c
> * renamed ovpn-dco-win.h to ovpn_dco_win.h
> * make tun_open_device and close_tun_handle non static
> * add ASSERT(0) to functions that should not be called on Windows
> * remove real_tun_init member (unused now)
> ---
>  config-msvc.h   |   2 +
>  configure.ac|   9 +-
>  dev-tools/special-files.lst |   1 +
>  src/openvpn/Makefile.am |   4 +-
>  src/openvpn/dco.c   |   2 +-
>  src/openvpn/dco_internal.h  |   1 +
>  src/openvpn/dco_win.c   | 400 
>  src/openvpn/dco_win.h   |  57 
>  src/openvpn/openvpn.vcxproj |   3 +
>  src/openvpn/openvpn.vcxproj.filters |   9 +
>  src/openvpn/ovpn_dco_win.h  | 108 
>  src/openvpn/tun.c   |   4 +-
>  src/openvpn/tun.h   |  10 +-
>  13 files changed, 602 insertions(+), 8 deletions(-)
>  create mode 100644 src/openvpn/dco_win.c
>  create mode 100644 src/openvpn/dco_win.h
>  create mode 100644 src/openvpn/ovpn_dco_win.h
>
> diff --git a/config-msvc.h b/config-msvc.h
> index b08beb52..b621f3fb 100644
> --- a/config-msvc.h
> +++ b/config-msvc.h
> @@ -87,3 +87,5 @@ typedef uint16_t in_port_t;
>  #ifdef HAVE_CONFIG_MSVC_LOCAL_H
>  #include 
>  #endif
> +
> +#define ENABLE_DCO 1
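
Review bot: `#define ENABLE_DCO 1` is added unguarded and after the `HAVE_CONFIG_MSVC_LOCAL_H` include, so a local config header cannot opt out of DCO, and one that defines the macro to a different value gets a redefinition warning. If DCO is meant to be unconditional for MSVC builds, a short comment saying so would help; otherwise wrap the define in `#ifndef ENABLE_DCO`.
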
> diff --git a/configure.ac b/configure.ac
> index f715b404..be31889e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -144,7 +144,7 @@ AC_ARG_ENABLE(
>
>  AC_ARG_ENABLE(
> [dco],
> -   [AS_HELP_STRING([--enable-dco], [enable data channel offload
> support using ovpn-dco kernel module @<:@default=no@:>@])],
> +   [AS_HELP_STRING([--enable-dco], [enable data channel offload
> support using the ovpn-dco kernel module (always enabled on Windows)
> @<:@default=no@:>@])],
> ,
> [enable_dco="no"]
>  )
> @@ -328,6 +328,7 @@ case "$host" in
> ;;
> *-mingw*)
> AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?])
> +   AC_DEFINE([ENABLE_DCO], [1], [DCO is always enabled on
> Windows])
> AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["W"], [Target prefix])
> CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN"
> CPPFLAGS="${CPPFLAGS} -DNTDDI_VERSION=NTDDI_VISTA
> -D_WIN32_WINNT=_WIN32_WINNT_VISTA"
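
Review bot: the `AC_DEFINE([ENABLE_DCO], [1], ...)` added to the `*-mingw*` case is unconditional, so `--disable-dco` is silently ignored on Windows. The notice added further down only fires inside `if test "$enable_dco" = "yes"`, so a user who explicitly disables DCO gets no feedback. Suggest either honouring `--disable-dco` here or printing a notice for that case as well.
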
> @@ -772,7 +773,6 @@ if test "$enable_dco" = "yes"; then
>  dnl
>  dnl Include generic netlink library used to talk to ovpn-dco
>  dnl
> -
> case "$host" in
> *-*-linux*)
> PKG_CHECK_MODULES([LIBNL_GENL],
> @@ -792,8 +792,11 @@ dnl
> AC_DEFINE(ENABLE_DCO, 1, [Enable data channel
> offload for FreeBSD])
> AC_MSG_NOTICE([Enabled ovpn-dco support for
> FreeBSD])
> ;;
> +   *-mingw*)
> +   AC_MSG_NOTICE([NOTE: --enable-dco ignored on
> Windows because it's always enabled])
> +   ;;
> *)
> -   AC_MSG_NOTICE([Ignoring --enable-dco on non Linux
> platform])
> +   AC_MSG_NOTICE([Ignoring --enable-dco on non
> supported platform])
> ;;
> esac
>  fi
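
Review bot: style point on the fallback `*)` branch: "non supported platform" should read "unsupported platform". The new `*-mingw*` notice is fine as worded.
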
> diff --git a/dev-tools/special-files.lst b/dev-tools/special-files.lst
> index 33e830d7..e5f2fc27 100644
> --- a/dev-tools/special-files.lst
> +++ b/dev-tools/special-files.lst
> @@ -2,3 +2,4 @@ E:doc/doxygen/doc_key_generation.h # @verbatim section
> gets mistreated, excl
>  E:src/compat/compat-lz4.c  # Preserve LZ4 upstream formatting
>  E:src/compat/compat-lz4.h  # Preserve LZ4 upstream formatting
>  E:src/openvpn/ovpn_dco_linux.h # Preserve ovpn-dco upstream
> formatting
> +E:src/openvpn/ovpn_dco_win.h   # Preserve ovpn-dco-win upstream
> formatting
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index 2a139b23..936d038c 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -56,6 +56,7 @@ openvpn_SOURCES = \
> dco.c dco.h dco_internal.h \
> dco_freebsd.c dco_freebsd.h \
> dco_linux.c dco_linux.h \
> +   dco_win.c dco_win.h \
> 

[Openvpn-devel] [PATCH] Allow querying DCO status via management status

2022-08-13 Thread Arne Schwabe
This allows querying the DCO status without doing an error-prone
parsing of the startup log.

Also remove comment that serves no purpose anymore.

Signed-off-by: Arne Schwabe 
---
 src/openvpn/multi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 53ee3e1a1..95414429f 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -837,7 +837,7 @@ multi_print_status(struct multi_context *m, struct 
status_output *so, const int
 
 status_reset(so);
 
-if (version == 1) /* WAS: m->status_file_version */
+if (version == 1)
 {
 /*
  * Status file version 1
@@ -984,6 +984,7 @@ multi_print_status(struct multi_context *m, struct 
status_output *so, const int
   sep, sep, mbuf_maximum_queued(m->mbuf));
 }
 
+status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, 
dco_enabled(>top.options));
 status_printf(so, "END");
 }
 else
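
Review bot: the new `GLOBAL_STATS` line is emitted only in this branch, so output produced by the `if (version == 1)` branch touched in the first hunk still carries no `dco_enabled` value, and the diffstat shows no documentation change for the new key. Suggest documenting the `dco_enabled` field and its values where the status format is described, and stating in the commit message which status versions carry it.
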
-- 
2.32.1 (Apple Git-133)





[Openvpn-devel] [PATCH] error.c: remove unused crash() function

2022-08-13 Thread Lev Stipakov
From: Lev Stipakov 

This was added in 2006 and is not used as of now.

Signed-off-by: Lev Stipakov 
---
 src/openvpn/error.c | 9 -
 src/openvpn/error.h | 5 -
 2 files changed, 14 deletions(-)

diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 7cd35b17..c8c77358 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -808,15 +808,6 @@ msg_flags_string(const unsigned int flags, struct gc_arena 
*gc)
 return BSTR();
 }
 
-#ifdef ENABLE_DEBUG
-void
-crash(void)
-{
-char *null = NULL;
-*null = 0;
-}
-#endif
-
 #ifdef _WIN32
 
 const char *
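
Review bot: the definition removed here and the prototype removed from error.h both sit under `#ifdef ENABLE_DEBUG`, so a clean default build does not show that no caller is left. Worth confirming with a build that defines `ENABLE_DEBUG` (plus a search for `crash(`) and saying so in the commit message.
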
diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 972619fe..89adb3e6 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -220,11 +220,6 @@ __attribute__((__noreturn__))
 [!!sizeof(struct { int __error_if_negative : (expr) ? 2 : -1; })]
 #endif
 
-#ifdef ENABLE_DEBUG
-void crash(void);  /* force a segfault (debugging only) */
-
-#endif
-
 /* Inline functions */
 
 static inline bool
-- 
2.23.0.windows.1





Re: [Openvpn-devel] [PATCH v101 2/7] dco-win: check for incompatible options

2022-08-13 Thread Lev Stipakov
Again, this cannot be tested yet.

Stared at the code and tested with follow-up commits, looks good and works
as expected.

Acked-by: Lev Stipakov 


On Sat, 13 Aug 2022 at 23:43, Antonio Quartulli (a...@unstable.cc) wrote:

> At the moment dco-win doesn't support --persist-tun and --server,
> so check for these options at startup time.
>
> Signed-off-by: Antonio Quartulli 
> Signed-off-by: Lev Stipakov 
> ---
> Changes from v100:
> * improved commit title/message
> ---
>  src/openvpn/dco.c | 17 +++--
>  src/openvpn/options.c |  5 +
>  2 files changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
> index b342bee1..dcb570f9 100644
> --- a/src/openvpn/dco.c
> +++ b/src/openvpn/dco.c
> @@ -221,7 +221,20 @@ dco_update_keys(dco_context_t *dco, struct tls_multi
> *multi)
>  static bool
>  dco_check_option_conflict_platform(int msglevel, const struct options *o)
>  {
> -#if defined(TARGET_LINUX)
> +#if defined(_WIN32)
> +if (o->mode == MODE_SERVER)
> +{
> +msg(msglevel, "Only client and p2p data channel offload is
> supported "
> +"with ovpn-dco-win.");
> +return false;
> +}
> +
> +if (o->persist_tun)
> +{
> +msg(msglevel, "--persist-tun is not supported with
> ovpn-dco-win.");
> +return false;
> +}
> +#elif defined(TARGET_LINUX)
>  /* if the device name is fixed, we need to check if an interface with
> this
>   * name already exists. IF it does, it must be a DCO interface,
> otherwise
>   * DCO has to be disabled in order to continue.
> @@ -246,7 +259,7 @@ dco_check_option_conflict_platform(int msglevel, const
> struct options *o)
>  strerror(-ret), ret);
>  }
>  }
> -#endif /* if defined(TARGET_LINUX) */
> +#endif /* if defined(_WIN32) */
>  return true;
>  }
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 14cb4cc4..cec6cf10 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2450,6 +2450,11 @@ options_postprocess_verify_ce(const struct options
> *options,
>  {
>  msg(M_USAGE, "--windows-driver wintun requires --dev tun");
>  }
> +
> +if (options->windows_driver == WINDOWS_DRIVER_DCO)
> +{
> +dco_check_option_conflict(M_USAGE, options);
> +}
>  #endif /* ifdef _WIN32 */
>
>  /*
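
Review bot: the return value of `dco_check_option_conflict(M_USAGE, options)` is discarded, so this check stops startup only if `msg()` called with `M_USAGE` does not return, which is what the `--windows-driver wintun requires --dev tun` call just above also relies on. A one-line comment stating that, or an explicit test of the result, would make the intent clear to the next reader.
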
> --
> 2.35.1
>
>
>
>


-- 
-Lev


[Openvpn-devel] [PATCH v102 6/7] dco-win: ensure the DCO API is not used when running on Windows

2022-08-13 Thread Antonio Quartulli
On Windows the high level API should still use the link_socket object to
read and write packets. For this reason, even if dco_installed is true,
we still need to rely on the classic link_socket object.

Signed-off-by: Antonio Quartulli 
---
Changes from v101:
* add defined(TARGET_FREEBSD) to the #if guard

Changes from v100:
* removed ASSERTs (moved to previous patch)
* improve comment text in forward.c
---
 src/openvpn/forward.c | 22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index f6d416a3..8b95af64 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1601,6 +1601,26 @@ process_ip_header(struct context *c, unsigned int flags, 
struct buffer *buf)
 }
 }
 
+/* Linux-like DCO implementations pass the socket to the kernel and
+ * disallow usage of it from userland, so (control) packets sent and
+ * received by OpenVPN need to go through the DCO interface.
+ *
+ * Windows DCO needs control packets to be sent via the normal
+ * Socket API.
+ *
+ * Hide that complexity (...especially if more platforms show up
+ * in future...) in a small inline function.
+ */
+static bool
+should_use_dco_socket(struct link_socket *sock)
+{
+#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
+return sock->info.dco_installed;
+#else
+return false;
+#endif
+}
+
 /*
  * Input: c->c2.to_link
  */
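
Review bot: the new comment calls `should_use_dco_socket()` a "small inline function", but it is declared `static bool` without `inline`. Either add `inline` or drop the word from the comment. The `sock` parameter is only read, so it can be `const struct link_socket *`.
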
@@ -1674,7 +1694,7 @@ process_outgoing_link(struct context *c)
 socks_preprocess_outgoing_link(c, _addr, _delta);
 
 /* Send packet */
-if (c->c2.link_socket->info.dco_installed)
+if (should_use_dco_socket(c->c2.link_socket))
 {
 size = dco_do_write(>c1.tuntap->dco,
 c->c2.tls_multi->peer_id,
-- 
2.35.1





Re: [Openvpn-devel] [PATCH v100 07/10] dco-win: ensure the DCO API is not used when running on Windows

2022-08-13 Thread Gert Doering
Hi,

On Fri, Aug 12, 2022 at 03:06:54PM +0200, Antonio Quartulli wrote:
> On Windows the high level API should still use the link_socket object to
> read and write packets. For this reason, even if dco_installed is true,
> we still need to rely on the classic link_socket object.
> 
> Signed-off-by: Antonio Quartulli 
> ---
>  src/openvpn/dco_win.c |  4 ++--
>  src/openvpn/forward.c | 23 ++-
>  2 files changed, 24 insertions(+), 3 deletions(-)
> 
> diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
> index f1160c7d..18ce9f3a 100644
> --- a/src/openvpn/dco_win.c
> +++ b/src/openvpn/dco_win.c
> @@ -355,14 +355,14 @@ dco_available(int msglevel)
>  int
>  dco_do_read(dco_context_t *dco)
>  {
> -/* no-op on windows */
> +ASSERT(false);
>  return 0;
>  }

I think this ASSERT(0) should go into the patch that introduces
dco_win.c - this is just a few patches upstream, so introducing it
and then changing it right again sounds like a bit of needless
commit noise...

> diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
> index 650f7c59..8af41072 100644
> --- a/src/openvpn/forward.c
> +++ b/src/openvpn/forward.c
> @@ -1601,6 +1601,27 @@ process_ip_header(struct context *c, unsigned int 
> flags, struct buffer *buf)
>  }
>  }
>  
> +/* Depending on the platform, we may have to not use the DCO socket, even if 
> DCO
> + * is being used for a specific link.
> + *
> + * This happens with Windows, where the standard link_socket API have to be 
> used
> + * also with DCO.
> + *
> + * For this reason we must make the right decision and not always look at
> + * dco_installed. Note that on Windows the dco_installed field is still 
> supposed
> + * to be true, because it is used in the lower level code to use the proper 
> API
> + * (socket vs handle). This is why we need this function with some ifdef 
> sauce
> + */

This comment could use a bit of rewording, like

 /* Linux-like DCO implementations pass the socket to the kernel and
  * disallow usage of it from userland, so (control) packets sent and
  * received by OpenVPN need to go through the DCO interface.
  *
  * Windows DCO needs the control packets to be sent via the normal
  * Socket API.
  *
  * Hide that complexity (... especially if more platforms show up
  * in future...) in a small inline function
  */

> +static bool
> +should_use_dco_socket(struct link_socket *sock)
> +{
> +#if defined(TARGET_LINUX)
> +return sock->info.dco_installed;
> +#else
> +return false;
> +#endif
> +}

... which really should be "inline", no? ;-)

**WARNING** - this breaks FreeBSD DCO, so with FreeBSD DCO merged now,
it needs to be #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH applied] Re: ovpn-dco: print some netlink messages to debug level

2022-08-13 Thread Gert Doering
Acked-by: Gert Doering 

As we discussed :-) - trivial enough.

Without that patch:

$ openvpn --verb 3 ...
2022-08-13 20:51:06 Cannot find ovpn_dco netlink component: Object not found
2022-08-13 20:51:06 Note: Kernel support for ovpn-dco missing, disabling data 
channel offload.
2022-08-13 20:51:06 OpenVPN 2.6_git [git:master/d7f16eea8e939b42] 
x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] 
[DCO] built on Aug 13 2022

with that patch:

2022-08-13 20:52:12 Note: Kernel support for ovpn-dco missing, disabling data 
channel offload.
2022-08-13 20:52:12 OpenVPN 2.6_git [git:master/29f20e738531f0e6] 
x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] 
[DCO] built on Aug 13 2022

and with --verb 7 it shows up again.

The way we currently print some informational messages before and others
after the version number is highly improvable, and I've opened a Trac
ticket for it... (#1470)


Your patch has been applied to the master branch.

commit 29f20e738531f0e65df1bc330f598b3d1eb60b22
Author: Antonio Quartulli
Date:   Fri Aug 12 15:06:55 2022 +0200

 ovpn-dco: print some netlink messages to debug level

 Signed-off-by: Antonio Quartulli 
 Acked-by: Gert Doering 
 Message-Id: <20220812130657.29899-...@unstable.cc>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24892.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: dco: move message to DCO debug level and reword a bit

2022-08-13 Thread Gert Doering
Acked-by: Gert Doering 

Indeed :-) - this message is fairly confusing on systems with multiple
DCO-using OpenVPN instances, running with --verb 3 - for all new 
clients and client disconnects, there's noise in "other" instances,
which looked quite scary.

I haven't tested this (beyond a compile test), but I know when and where
I saw these, and making them go to DCO debug level is reasonable.

Your patch has been applied to the master branch.

commit f088db208621ead8e8c7151f3e705f5ff9a0cbb5
Author: Antonio Quartulli
Date:   Fri Aug 12 15:06:57 2022 +0200

 dco: move message to DCO debug level and reword a bit

 Signed-off-by: Antonio Quartulli 
 Acked-by: Gert Doering 
 Message-Id: <20220812130657.29899-1...@unstable.cc>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24893.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering


