Re: [Openvpn-devel] [PATCH] USE_PF_INET6 by default for v2.3

2011-05-31 Thread JuanJo Ciarlante
Hi,

On Tue, May 31, 2011 at 3:39 PM, Samuli Seppänen  wrote:
> JuanJo Ciarlante ha scritto:
>> On Mon, May 30, 2011 at 6:20 PM, JuanJo  wrote:
>>
>>> - put all #ifdef'd code in place, kill the cpp symbol,
>>> - thus in v2.3 it's not actually possible to --disable-ipv6 :)
>>>
>>> RATIONALE:
>>>  #1 some wacky compilers choke on #ifdef'd constructions for
>>>    concatenated strings, and given that:
>>>  #2 v2.3 has already transport ipv6 by default
>>> => doesn't justify putting effort on #1 to keep USE_PF_INET6
>>>   ifdef wraps.
>>>
>>> Signed-off-by: JuanJo Ciarlante 
>>> <...snip...>
>>>
>>
>> FWIW you can also peek at the diff at:
>>   
>> https://github.com/jjo/openvpn-ipv6/commit/77fed9c07c1461cd926ab4e86c587cac8414b957
>>   http://codereview.appspot.com/4564045/
>>
>> Cheers,
>>
> Hi JuanJo,
>
> This patch did not apply on top of the earlier "Visual Studio 2008 build
> fix" patches applied on top of "master". There was one whitespace error
> and it choked on syshead.h due to a new #include. Besides that it worked
> great!

Thanks Samuli for stuffing those bits :) !

>
> A fixed patch is attached.

Shameless ACK 8)

Cheers,

>
> --
>
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] USE_PF_INET6 by default for v2.3

2011-05-31 Thread JuanJo Ciarlante
On Mon, May 30, 2011 at 6:20 PM, JuanJo  wrote:
> - put all #ifdef'd code in place, kill the cpp symbol,
> - thus in v2.3 it's not actually possible to --disable-ipv6 :)
>
> RATIONALE:
>  #1 some wacky compilers choke on #ifdef'd constructions for
>    concatenated strings, and given that:
>  #2 v2.3 has already transport ipv6 by default
> => doesn't justify putting effort on #1 to keep USE_PF_INET6
>   ifdef wraps.
>
> Signed-off-by: JuanJo Ciarlante 
> <...snip...>

FWIW you can also peek at the diff at:
  
https://github.com/jjo/openvpn-ipv6/commit/77fed9c07c1461cd926ab4e86c587cac8414b957
  http://codereview.appspot.com/4564045/

Cheers,
-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



[Openvpn-devel] [PATCH 3/3] ipv6-0.4.15: add --multihome support to xBSD

2011-03-24 Thread JuanJo Ciarlante
NOTE: this is patch 3/3 over feat_ipv6_transport branch,
  commit 1b96baa8fc964bfba8bfba87f1e0e1fbabf0b47b

   - _both_ for IPv4 (which was missing) and for IPv6
   - tested on OpenBSD 4.7, FreeBSD 8.1

Signed-off-by: JuanJo Ciarlante 
---
 socket.c  |   45 -
 socket.h  |   10 ++
 syshead.h |5 +++--
 3 files changed, 57 insertions(+), 3 deletions(-)

diff --git a/socket.c b/socket.c
index d9e6bc9..a6f41b5 100644
--- a/socket.c
+++ b/socket.c
@@ -813,9 +813,17 @@ create_socket_udp (const unsigned int flags)
   else if (flags & SF_USE_IP_PKTINFO)
 {
   int pad = 1;
+#ifdef IP_PKTINFO
   if (setsockopt (sd, SOL_IP, IP_PKTINFO,
  (void*)&pad, sizeof(pad)) < 0)
 msg(M_SOCKERR, "UDP: failed setsockopt for IP_PKTINFO");
+#elif defined(IP_RECVDSTADDR)
+  if (setsockopt (sd, IPPROTO_IP, IP_RECVDSTADDR,
+ (void*)&pad, sizeof(pad)) < 0)
+msg(M_SOCKERR, "UDP: failed setsockopt for IP_RECVDSTADDR");
+#else
+#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix 
syshead.h)
+#endif
 }
 #endif
   return sd;
@@ -2474,8 +2482,15 @@ print_link_socket_actual_ex (const struct 
link_socket_actual *act,
  struct openvpn_sockaddr sa;
  CLEAR (sa);
  sa.addr.in4.sin_family = AF_INET;
+#ifdef IP_PKTINFO
  sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst;
  if_indextoname(act->pi.in4.ipi_ifindex, ifname);
+#elif defined(IP_RECVDSTADDR)
+ sa.addr.in4.sin_addr = act->pi.in4;
+ ifname[0]=0;
+#else
+#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix 
syshead.h)
+#endif
  buf_printf (&out, " (via %s%%%s)",
  print_sockaddr_ex (&sa, separator, 0, gc),
  ifname);
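Review bot: In the `IP_RECVDSTADDR` branch, `ifname[0]=0;` makes the following `buf_printf (&out, " (via %s%%%s)", ...)` print the address with a dangling `%` and no interface name, so the log line looks truncated. This option carries no interface index, so either keep a visible placeholder in `ifname` or emit the `%%%s` suffix only in the `IP_PKTINFO` branch. `ifname` is declared outside this hunk, so its size and initial value cannot be checked from here.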
@@ -2819,7 +2834,12 @@ link_socket_read_tcp (struct link_socket *sock,
 struct openvpn_in4_pktinfo
 {
   struct cmsghdr cmsghdr;
+#ifdef HAVE_IN_PKTINFO
   struct in_pktinfo pi4;
+#endif
+#ifdef IP_RECVDSTADDR
+  struct in_addr pi4;
+#endif
 };
 #ifdef USE_PF_INET6
 struct openvpn_in6_pktinfo
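Review bot: The two `pi4` members are guarded independently (`#ifdef HAVE_IN_PKTINFO` and `#ifdef IP_RECVDSTADDR`), so a platform defining both declares `pi4` twice, and one that has `IP_PKTINFO` without `HAVE_IN_PKTINFO` (and no `IP_RECVDSTADDR`) gets a struct with no payload member at all. The code paths elsewhere in this patch are selected with `#ifdef IP_PKTINFO` / `#elif defined(IP_RECVDSTADDR)`, and the receive path bounds `cmsg_len` with `sizeof (struct openvpn_in4_pktinfo)`, so the layout and the code trusting it can disagree unless syshead.h (changed by this patch, not shown here) rules that out. Use one mutually exclusive chain, `#if defined(HAVE_IN_PKTINFO)` … `#elif defined(IP_RECVDSTADDR)` … `#else` + `#error`, keyed on the same macro everywhere. The `link_socket_write_udp_posix_sendmsg` hunk and the `socket.h` union mix the guards the same way.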
@@ -2864,13 +2884,26 @@ link_socket_read_udp_posix_recvmsg (struct link_socket 
*sock,
   cmsg = CMSG_FIRSTHDR (&mesg);
   if (cmsg != NULL
  && CMSG_NXTHDR (&mesg, cmsg) == NULL
+#ifdef IP_PKTINFO
  && cmsg->cmsg_level == SOL_IP 
  && cmsg->cmsg_type == IP_PKTINFO
+#elif defined(IP_RECVDSTADDR)
+ && cmsg->cmsg_level == IPPROTO_IP
+ && cmsg->cmsg_type == IP_RECVDSTADDR
+#else
+#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix 
syshead.h)
+#endif
  && cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo))
{
+#ifdef IP_PKTINFO
  struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA (cmsg);
  from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
  from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
+#elif defined(IP_RECVDSTADDR)
+ from->pi.in4 = *(struct in_addr*) CMSG_DATA (cmsg);
+#else
+#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix 
syshead.h)
+#endif
}
 #ifdef USE_PF_INET6
   else if (cmsg != NULL
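Review bot: The bound `cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo)` ignores the alignment padding that `CMSG_DATA` skips, so in the new `IP_RECVDSTADDR` branch `*(struct in_addr*) CMSG_DATA (cmsg)` can read past what the check guaranteed on platforms where the header is padded (plausible on 64-bit BSDs, not confirmed from this page). Compare against `CMSG_LEN (sizeof (struct in_addr))`, and `CMSG_LEN (sizeof (struct in_pktinfo))` in the `IP_PKTINFO` case. The send side in `link_socket_write_udp_posix_sendmsg` makes the same assumption in the other direction: `msgpi4` is a stack `struct openvpn_in4_pktinfo`, and `*(struct in_addr *) CMSG_DATA (cmsg) = to->pi.in4;` may store beyond it. There the control buffer should be sized with `CMSG_SPACE (...)` and `cmsg->cmsg_len` set from `CMSG_LEN (...)`. Both functions begin outside their hunks, so the `msg_control` setup was not visible for review.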
@@ -2955,7 +2988,6 @@ link_socket_write_udp_posix_sendmsg (struct link_socket 
*sock,
 case AF_INET:
   {
 struct openvpn_in4_pktinfo msgpi4;
-struct in_pktinfo *pkti;
 mesg.msg_name = &to->dest.addr.sa;
 mesg.msg_namelen = sizeof (struct sockaddr_in);
 mesg.msg_control = &msgpi4;
@@ -2963,12 +2995,23 @@ link_socket_write_udp_posix_sendmsg (struct link_socket 
*sock,
 mesg.msg_flags = 0;
 cmsg = CMSG_FIRSTHDR (&mesg);
 cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
+#ifdef HAVE_IN_PKTINFO
 cmsg->cmsg_level = SOL_IP;
 cmsg->cmsg_type = IP_PKTINFO;
+   {
+struct in_pktinfo *pkti;
 pkti = (struct in_pktinfo *) CMSG_DATA (cmsg);
 pkti->ipi_ifindex = to->pi.in4.ipi_ifindex;
 pkti->ipi_spec_dst = to->pi.in4.ipi_spec_dst;
 pkti->ipi_addr.s_addr = 0;
+   }
+#elif defined(IP_RECVDSTADDR)
+cmsg->cmsg_level = IPPROTO_IP;
+cmsg->cmsg_type = IP_RECVDSTADDR;
+*(struct in_addr *) CMSG_DATA (cmsg) = to->pi.in4;
+#else
+#error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix 
syshead.h)
+#endif
 break;
   }
 #ifdef USE_PF_INET6
diff --git a/socket.h b/socket.h
index 757c1f8..de6d525 100644
--- a/socket.h
+++ b/socket.h
@@ -86,7 +86,12 @@ struct link_socket_actual
   struct openvpn_sockaddr dest;
 #if ENABLE_IP_PKTINFO
   union {
+#ifdef HAVE_IN_PKTINFO
 struct in_pktinfo in4;
+#endif
+#ifdef IP_RECVDSTADDR

[Openvpn-devel] [PATCH 2/3] ipv6-0.4.14: fix xinetd usage

2011-03-24 Thread JuanJo Ciarlante
NOTE: this is patch 2/3 over feat_ipv6_transport branch,
  commit 1b96baa8fc964bfba8bfba87f1e0e1fbabf0b47b

  - closes http://bugs.debian.org/574164
  - also needed for --disable-ipv6 builds
  - supports IPv6 from xinetd


Signed-off-by: JuanJo Ciarlante 
---
 socket.c |   36 ++--
 1 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/socket.c b/socket.c
index 08cab0e..d9e6bc9 100644
--- a/socket.c
+++ b/socket.c
@@ -1680,7 +1680,11 @@ link_socket_init_phase1 (struct link_socket *sock,
   /* were we started by inetd or xinetd? */
   if (sock->inetd)
 {
-  ASSERT (sock->info.proto != PROTO_TCPv4_CLIENT);
+  ASSERT (sock->info.proto != PROTO_TCPv4_CLIENT
+#ifdef USE_PF_INET6
+ && sock->info.proto != PROTO_TCPv6_CLIENT
+#endif
+  );
   ASSERT (socket_defined (inetd_socket_descriptor));
   sock->sd = inetd_socket_descriptor;
 }
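Review bot: The `#ifdef USE_PF_INET6` / `#endif` lines sit inside the argument list of `ASSERT (...)`; if `ASSERT` is a function-like macro, as its name suggests, preprocessor directives inside macro arguments are undefined behaviour in C and some compilers reject them. Split the check into two statements: keep `ASSERT (sock->info.proto != PROTO_TCPv4_CLIENT);` and put `ASSERT (sock->info.proto != PROTO_TCPv6_CLIENT);` in its own `#ifdef USE_PF_INET6` block. The similar construct inside the plain `if (...)` condition of the `link_socket_init_phase2` hunk is legal, only harder to read.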
@@ -1729,7 +1733,34 @@ link_socket_init_phase2 (struct link_socket *sock,
   /* were we started by inetd or xinetd? */
   if (sock->inetd)
 {
-  if (sock->info.proto == PROTO_TCPv4_SERVER)
+  if (sock->info.proto == PROTO_TCPv4_SERVER
+#ifdef USE_PF_INET6
+ || sock->info.proto == PROTO_TCPv6_SERVER
+#endif
+  ) {
+   /* AF_INET as default (and fallback) for inetd */
+   sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET;
+#ifdef USE_PF_INET6
+#ifdef HAVE_GETSOCKNAME
+ {
+   /* inetd: hint family type for dest = local's */
+   struct openvpn_sockaddr local_addr;
+   socklen_t addrlen = sizeof(local_addr);
+   if (getsockname (sock->sd, (struct sockaddr *)&local_addr, 
&addrlen) == 0) {
+ sock->info.lsa->actual.dest.addr.sa.sa_family = 
local_addr.addr.sa.sa_family;
+ dmsg (D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from 
getsockname(%d)",
+   proto2ascii(sock->info.proto, false), 
local_addr.addr.sa.sa_family,
+   sock->sd);
+   } else
+ msg (M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET",
+  proto2ascii(sock->info.proto, false), sock->sd);
+ }
+#else
+   msg (M_WARN, "inetd(%s): this OS does not provide the getsockname() "
+"function, using AF_INET",
+proto2ascii(sock->info.proto, false));
+#endif
+#endif
sock->sd =
  socket_listen_accept (sock->sd,
&sock->info.lsa->actual,
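Review bot: The family returned by `getsockname()` for the inherited inetd descriptor is copied into `actual.dest.addr.sa.sa_family` without checking that it is one this code handles. A descriptor of any other family would reach `socket_listen_accept` carrying that value. Adopt it only when it is known, e.g. `if (getsockname (...) == 0 && (local_addr.addr.sa.sa_family == AF_INET || local_addr.addr.sa.sa_family == AF_INET6))`, and otherwise take the existing `M_WARN` / `AF_INET` fallback. The block opened by this `if` is closed in the next hunk.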
@@ -1739,6 +1770,7 @@ link_socket_init_phase2 (struct link_socket *sock,
false,
sock->inetd == INETD_NOWAIT,
signal_received);
+  }
   ASSERT (!remote_changed);
   if (*signal_received)
goto done;
-- 
1.7.1


-- 
--JuanJo
oO Juan Jose Ciarlante - juanjosec Ogmail.com - jjo O{um.edu.ar,google.com}
Oo gpg --keyserver wwwkeys.eu.pgp.net --recv-key 81276430




[Openvpn-devel] [PATCH 1/3] fix --multihome for ipv6: IPV6_RECVPKTINFO

2011-03-24 Thread JuanJo Ciarlante
NOTE: this is patch 1/3 over feat_ipv6_transport branch,
  commit 1b96baa8fc964bfba8bfba87f1e0e1fbabf0b47b

   - setsockopt IPV6_RECVPKTINFO (not IPV6_PKTINFO!)
   - do check for setsockopt() failures
   - append % in INFO msg

Signed-off-by: JuanJo Ciarlante 
---
 socket.c |   27 +--
 1 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/socket.c b/socket.c
index 810bb23..08cab0e 100644
--- a/socket.c
+++ b/socket.c
@@ -813,7 +813,9 @@ create_socket_udp (const unsigned int flags)
   else if (flags & SF_USE_IP_PKTINFO)
 {
   int pad = 1;
-  setsockopt (sd, SOL_IP, IP_PKTINFO, (void*)&pad, sizeof(pad));
+  if (setsockopt (sd, SOL_IP, IP_PKTINFO,
+ (void*)&pad, sizeof(pad)) < 0)
+msg(M_SOCKERR, "UDP: failed setsockopt for IP_PKTINFO");
 }
 #endif
   return sd;
@@ -831,7 +833,9 @@ create_socket_udp6 (const unsigned int flags)
   else if (flags & SF_USE_IP_PKTINFO)
 {
   int pad = 1;
-  setsockopt (sd, IPPROTO_IPV6, IPV6_PKTINFO, (void*)&pad, sizeof(pad));
+  if (setsockopt (sd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
+ (void*)&pad, sizeof(pad)) < 0)
+   msg(M_SOCKERR, "UDP: failed setsockopt for IPV6_RECVPKTINFO");
 }
 #endif
   return sd;
@@ -2423,6 +2427,7 @@ print_link_socket_actual_ex (const struct 
link_socket_actual *act,
 {
   if (act)
 {
+  char ifname[IF_NAMESIZE] = "[undef]";
   struct buffer out = alloc_buf_gc (128, gc);
   buf_printf (&out, "%s", print_sockaddr_ex (&act->dest, separator, flags, 
gc));
 #if ENABLE_IP_PKTINFO
@@ -2438,7 +2443,10 @@ print_link_socket_actual_ex (const struct 
link_socket_actual *act,
  CLEAR (sa);
  sa.addr.in4.sin_family = AF_INET;
  sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst;
- buf_printf (&out, " (via %s)", print_sockaddr_ex (&sa, 
separator, 0, gc));
+ if_indextoname(act->pi.in4.ipi_ifindex, ifname);
+ buf_printf (&out, " (via %s%%%s)",
+ print_sockaddr_ex (&sa, separator, 0, gc),
+ ifname);
}
 #ifdef USE_PF_INET6
  break;
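Review bot: The result of `if_indextoname(act->pi.in4.ipi_ifindex, ifname)` is ignored, so on failure the log line relies on the buffer still holding its `"[undef]"` initializer, which the call does not promise. Test for `NULL` and set the fallback text explicitly before `buf_printf`, for example `if (!if_indextoname (act->pi.in4.ipi_ifindex, ifname)) ifname[0] = '\0';` or a reset to a fixed placeholder string. The IPv6 branch in the following hunk calls `if_indextoname(act->pi.in6.ipi6_ifindex, ifname)` the same way. `ifname` is declared ahead of `#if ENABLE_IP_PKTINFO` but appears to be used only inside it, which would leave an unused variable when that option is off.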
@@ -2449,13 +2457,12 @@ print_link_socket_actual_ex (const struct 
link_socket_actual *act,
  CLEAR(sin6);
  sin6.sin6_family = AF_INET6;
  sin6.sin6_addr = act->pi.in6.ipi6_addr;
-   {
- if (getnameinfo((struct sockaddr *)&sin6, sizeof (struct 
sockaddr_in6),
- buf, sizeof (buf), NULL, 0, 
NI_NUMERICHOST) == 0)
-   buf_printf (&out, " (via %s)", buf);
- else
-   buf_printf (&out, " (via [getnameinfo() err])");
-   }
+ if_indextoname(act->pi.in6.ipi6_ifindex, ifname);
+ if (getnameinfo((struct sockaddr *)&sin6, sizeof (struct 
sockaddr_in6),
+ buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) 
== 0)
+   buf_printf (&out, " (via %s%%%s)", buf, ifname);
+ else
+   buf_printf (&out, " (via [getnameinfo() err]%%%s)", ifname);
}
  break;
}
-- 
1.7.1

oO Juan Jose Ciarlante - juanjosec Ogmail.com - jjo O{um.edu.ar,google.com}
Oo gpg --keyserver wwwkeys.eu.pgp.net --recv-key 81276430




Re: [Openvpn-devel] [Openvpn-users] udp6 source-address wrong with more than one ipv6-address on server

2011-03-03 Thread JuanJo Ciarlante
On Wed, Mar 2, 2011 at 11:07 PM, Stefan Hellermann
 wrote:
> Am 31.01.2011 19:43, schrieb David Sommerseth:
>>>
>>> https://community.openvpn.net/openvpn/ticket/84
>>
>> Thank you very much for your report!  I've sent a notification to the
>> developer of the IPv6 transport patch, and I hope he chimes in soon.
>>
>>
>> kind regards,
>>
>> David Sommerseth
>
> I've tested the proposed patch and it works!

Awesome, thanks =)

> Could this patch get into the 2.2 Release?

No ipv6 features aimed for 2.2 afaik.

FTR this is already at git://github.com/jjo/openvpn-ipv6.git (master), with
this patch at 1 commit (55e1742ec2bdfc52c5af5cb01aec1fb546efde8d) ahead
of git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git
(feat_ipv6_transport).

David: I rebuilt this repo from scratch, branched off openvpn-testing's
feat_ipv6_transport, so it should be safe to pull from its master branch
(famous last words ;).

Cheers,


>
> Kind regards,
> Stefan
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] Multihomed Openvpn server setup question.

2010-09-29 Thread JuanJo Ciarlante
On Tue, Sep 28, 2010 at 8:55 AM, David Sommerseth
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 28/09/10 02:04, Praetorian wrote:
>> I am setting up some servers to test the beta debian packages and
>> wanted to try a multihomed server.  I have two ISPs coming into the
>> building and wish to make one the primary connection side and then
>> one be the backup (ie because it is the slower of the two).  I looked
>> through the man page for 2.3 and did not see any settings in the
>>  area to do like preferences to a group of  connections
>> (other than going in the order they are located in the file).  Also
>> once connected to the backup is there a way for it to probe when the
>> other route/connection comes back online to change back over from the
>> fall back to the prefered connection?
>>
>
> Hi,
>
> We have a report [1] that the multihome feature in OpenVPN 2.1.x on
> Debian (and most probably Gentoo) and openvpn-testing.git is broken.  It
> is most probably caused by a bug in the IPv6 transport patch which is
> added on Debian.
>
> I'm working on applying a fix from the developer to the
> openvpn-testing.git tree, so I hope I can manage to solve within this
> week.  So if you're willing to test out the 'allmerged' branch, that
> should soon fix this issue completely.

Thanks David :),

In case you wanted to try it yourself, this is the patch that solves the
multihome issue:
  
http://gitorious.org/jjo/openvpn-ipv6/commit/1b96baa8fc964bfba8bfba87f1e0e1fbabf0b47b.patch

Cheers,

>
>
> kind regards,
>
> David Sommerseth
>
>
> [1] 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkyhkUYACgkQDC186MBRfroMFACeMh8jt1Y3PnQCHGviknEEyVxJ
> 66oAoJSYY1cGLa9kxxLWjModbyVevqNE
> =KRnF
> -END PGP SIGNATURE-
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [Openvpn-users] Does --multihome work in latest OpenVPN release?

2010-09-23 Thread JuanJo Ciarlante
On Thu, Sep 23, 2010 at 11:09 AM, Arthur Titeica  wrote:
> On Thursday 23 September 2010 07:48:46 Arthur Titeica wrote:
>>  On Thu, 23 Sep 2010 01:33:24 +0200, JuanJo Ciarlante
>>
>>   wrote:
>> > Hi Arthur,
>> >
>> > Sorry for the immense delay, fortunately David ping()ed me on this
>> > issue a few days ago.
>>
>>  Hi. Better later than never.
>>
>> > I think I fixed it, is there a chance you could try recompiling
>> > openvpn
>> > with the attached patch ?
>>
>>  Will do that in the course of the day. Many thanks.
>
> Well, it looks OK so far after 3-4 hours of running.

WooHoohoo ... sweET!, thanks for the prompt feedback :)

I'll do a bit of more testing, then ask for the upstream pull.

Cheers,


>
> --
> Arthur Titeica
> PharmEc Software Constanta
> Mobil: 0729 290 969
> Tel: 0241 616 747
> Fax: 0341 815 963
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [Openvpn-users] Does --multihome work in latest OpenVPN release?

2010-09-22 Thread JuanJo Ciarlante
Hi Arthur,

Sorry for the immense delay, fortunately David ping()ed me on this
issue a few days ago.

On Tue, Jul 20, 2010 at 10:08 PM, Arthur Titeica  wrote:
> On Tuesday 20 July 2010 01:25:47 David Sommerseth wrote:
>> On 19/07/10 22:32, Arthur Titeica wrote:
>> > On Sunday 02 May 2010 02:34:47 Peter Rabbitson wrote:
>> >> David Sommerseth wrote:
>> >>> On 01/05/10 21:39, Peter Rabbitson wrote:
>> >>>> Peter Rabbitson wrote:
>> >>>>> Peter Rabbitson wrote:
>> >>>>>> Samuli Seppänen wrote:
>> >>>>>>> Hi,
>> >>>>>>>
>> >>>>>>> Is someone successfully using the --multihome option on latest
>> >>>>>>> OpenVPN release? Or is this bug report still valid:
>> >>>>>>>
>> >>>>>>> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562099>
>> >>>>>>
>> >>>>>> I am sorry I dropped the ball on testing that one. Will test the
>> >>>>>> coming night EST, and update.
>> >>>>>
>> >>>>> Looking more at the *debian* changelog, I see that there was a 3rd
>> >>>>> party ipv6 patch, which *could* have caused these problems. However
>> >>>>> it is not very easy for me to compile a "clean" openvpn on the
>> >>>>> multihomed server. Please let me know if this can be diagnosed in
>> >>>>> any other way, if not - I will find a way to test with vanilla
>> >>>>> openvpn.
>> >>>>
>> >>>> And unfortunately I was right (proven with the help of [1]) :(
>> >>>>
>> >>>> openvpn_2.1~rc20-1_i386.deb works
>> >>>> openvpn_2.1~rc20-2_i386.deb does not
>> >>>>
>> >>>> The only code-change between the two is:
>> >>>>   * patches/jjo-ipv6-support.patch: Added ipv6 support. (Closes:
>> >>>>   #307846)
>> >>>>
>> >>>>     Patch from JuanJo Ciarlante.
>> >>>>
>> >>>> So this got to be the culprit. Attaching a -U10 diff between the
>> >>>> sources of both debian packages (not too long):
>> >>>>
>> >>>> [1] http://snapshot.debian.org/package/openvpn/
>> >>>
>> >>> Thank you very much, Peter, for tracking this one down!  One question
>> >>> though.  Do you have configuration files and a "how to test it"
>> >>> description available which you could share with us?  That would help
>> >>> others to test it out as well - and it might help JJO to follow this
>> >>> one further.
>> >
>> > Hello,
>> > I'm using the latest git
>> > (git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git)
>> > and multihome doesn't seems to work as far as I've tested.
>> >
>> > I have 2 links balanced with something like
>> >
>> > # ip route show
>> > ...
>> > default
>> >
>> >         nexthop via x.x.x.x  dev eth2 weight 2
>> >         nexthop via y.y.y.y  dev ppp5 weight 1
>> >
>> > and openvpn somehow fails with or without multihome.
>> >
>> > I'm not a programmer but I'dd gladly help with anything else (making
>> > tests, patches or even providing a test multihomed openvpn server).
>>
>> (moving over to the developers mailing list)
>>
>> Thank you for your testing!  If you put together some configuration
>> files for client and server and a clear description of how to test this,
>> that would save a lot of time for us when digging into the code.
>>
>> If your config files makes use of certificates, please make your test
>> environment work by using the keys in the source tree, located in the
>> sample-keys/ directory.
>>
>> Please try to make the config files for us as close to your setup as
>> possible.  This will really help us get closer to understand what
>> exactly happens.
>>
>> I have opened a bug ticket on this issue, to not forget this issue.  It
>> can be tracked here:
>> <https://community.openvpn.net/openvpn/ticket/28>
>>
>> Please report back with configuration files and a description of how to
>> prepare an environment for reproducing this behaviour.
>>
>>
>
> Hello,
> I've managed to setup a test dual-homed server

Re: [Openvpn-devel] Tomorrow's meeting (18th March)

2010-03-18 Thread JuanJo Ciarlante
Hi,

2010/3/17 Samuli Seppänen :
>
>> On Wed, Mar 17, 2010 at 10:42:26AM +0200, Samuli Seppänen wrote:
>>
>>> Hi all,
>>>
>>> As usual, tomorrow's (18th March) meeting will be at #openvpn-discussion
>>> (irc.freenode.net) at 18:00 UTC. Preliminary meeting topics are
>>> available here:
>>>
>>> http://www.secure-computing.net/wiki/index.php/OpenVPN/IRC_meetings/Topics-2010-03-18
>>>
>>> David (dazo) won't be able to attend, unfortunately.
>>>
>>>
>>
>> Hi,
>>
>> I won't be able to attend either. I will next week, hopefully with news
>> on Debian packages build daily/weekly.
>>
> Too bad you're not able attend, Alberto. However, Jan will be present,
> so I think we're going to be focus on the two bugs/issues he has
> noticed, see "Possible bugs/issues" on this page:
>
> http://www.secure-computing.net/wiki/index.php/OpenVPN/IRC_meetings/Topics-2010-03-18

Unfortunately I can't attend either (regular meetings clash).
BTW  I've added this bug (forwarded by Alberto, tnx):
 +## [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574164
Assertion fails in socket.c:429 in p2p mode due to Debian ipv6 patch]

Cheers,

>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] openvpn-testing tree available

2010-02-21 Thread JuanJo Ciarlante
Hey David,

On Fri, Feb 19, 2010 at 12:29 PM, JuanJo Ciarlante  wrote:
> Hey David,
>
> On Fri, Feb 19, 2010 at 12:14 PM, David Sommerseth
>  wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On 18/02/10 22:45, JuanJo Ciarlante wrote:
>>> On Wed, Feb 17, 2010 at 6:46 PM, JuanJo Ciarlante  wrote:
>>>> > Hi David,
>>>> >
>>>> > On Tue, Feb 16, 2010 at 7:49 PM, David Sommerseth
>>>> >  wrote:
>>>
>>> Greetings all!
>>>
>>> I am now announcing the openvpn-testing.git tree as open.  Gert has
>>> already been announcing the availability as a response to some merge
>>> conflicts.  Anyhow, those issues are solved.
>>>>> >
>>>>> > \o/ !
>>>>> >
>>>
>>> The tree is also tagged with all 2.1 releases and RC releases.  I have
>>> not bothered with tagging the 2.1 beta or any 2.0 releases at all.  If
>>> somebody finds it useful and wants it, please generate a list of tag
>>> names and commit ID's and I'll update the tree.
>>>
>>>
>>> What's next:
>>>
>>> - JuanJo Ciarlante's IPv6 patches for the transport layer.
>>>  There are some merge conflicts here as well, which we need to solve.
>>>  It's most probably due to different merge roots between our copies of
>>>  the SVN tree.  I hope JJO and I can solve this soon, then it will go
>>>  into the allmerged branch immediately.
>>>>> >
>>>>> > Cool, thanks a lot for the heads-up.
>>>>> >
>>>>> > I'll try to solve this before by next week,
>>>> I've just did a cut+merge, fyi I had to use:
>>>>   git-format-patch -k --stdout stock..master |git-am -3 -k
>>>>     (stock: my svn-import'd tree, master: my local head)
>>>> , worked fine (b/c of the different svn-import history(?),
>>>> git could not find a common ancestor, then the need
>>>> to fallback to "diff | patch").
>>>> It also successfully passes my tests as stated in README.ipv6.
>>>
>>>> I've pushed this to my github repo, so something in the
>>>> lines of:
>>>>   git-remote add -f -t openvpn-testing-master+jjo-ipv6 \
>>>>      jjo-ipv6 git://github.com/jjo/openvpn-ipv6
>>>
>>>> +merge should be able to fast-forward your master
>>>> head.
>>>
>>>> I still need to do some touches for allmerged, as
>>>> we conflict w/ Gert's IPv6 patch on a mroute.c chunk
>>>> IIRC.
>>>
>>
>> Great!  Thank you for your work here!
>>
>> I've created an feat_ipv6_transport branch where I'll track your
>> patches.  Gert's IPv6 patches are in feat_ipv6_payload (which are also
>> merged into the allmerged branch).  I've started the discussion about
>> the merge conflict in another mail thread.
>
> Col ! , tnx a lot.
>
>>
>> It's all pushed out to the openvpn-testing.git, so please feel free to
>> update me when you have solved these issues or have other updates!

I've added a new openvpn-testing-allmerged+jjo-ipv6 branch with the
conflict resolved at git://github.com/jjo/openvpn-ipv6, it should cleanly
fast-forward allmerged's head.

Thanks again for all your work on this!

>
> I expect to find time during the weekend to resolve the small conflict
> and be able to inject-da-zing into allmerged.
>
>>
>>
>> kind regards,
>
> Cheers,
>
>>
>> David Sommerseth
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAkt+crAACgkQDC186MBRfroDNgCgsZwPBeAFzR44FB34Xv0HInAr
>> 46EAoKZtDgoSvqQIzpQu5XNEygaA7ccs
>> =rqXo
>> -END PGP SIGNATURE-
>>
>
>
>
> --
> --JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [IPv6] Merge conflicts in mroute.c (was: Re: openvpn-testing tree available)

2010-02-21 Thread JuanJo Ciarlante
On Fri, Feb 19, 2010 at 12:10 PM, David Sommerseth
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi guys!
> On 18/02/10 22:45, JuanJo Ciarlante wrote:
>> On Wed, Feb 17, 2010 at 6:46 PM, JuanJo Ciarlante 
> wrote:
>>
>>> I still need to do some touches for allmerged, as
>>> we conflict w/ Gert's IPv6 patch on a mroute.c chunk
>>> IIRC.
>>
>
> Even though I know you both have told me that there would be a merge
> conflict in mroute.c, I decided to put it on the mailing list -
> hopefully to get an open discussion about it!
>
> I've attached the merge conflict.  It would be great if you could sort
> this out soon.  Then I'll get both of your trees into the allmerged
> branch ASAP.  Right now only Gert's code is in the allmerged branch.
>
> What I do see might be a challenge (without knowing the code in
> details), is that JJO's code is using #ifdef, while Gert's code is not.
>  With a conflict in mroute_addr_print_ex(), which includes an #ifdef I
> see a potential disaster here.
>
> Personally, I would like to evaluate Gert's patches to see if they could
> be #ifdef'ed.  Then both IPv6 branches can both use USE_PF_INET6 to
> enable or disable the IPv6 support.

IMHO they should have different #ifdef'ing, coming from eg:
  ../configure --enable-ipv6-transport --enable-ipv6-payload
, mainly to ease future debugging, and to motivate wider audience
thinking of:
* different OSes (ipv6-transport builds and (probably)runs in windowze)
* distros like Gentoo, already carrying ipv6-transport, may want to add a
   build option for the payload patch.
* size constraints (embedded, e.g. freetz.org)
* USE_PF_INET6 clearly speaks "transport" in its very name :)

>  I have not studied these patches,
> so I don't know how doable that is.  And this is my personal opinion, I
> don't mean to instruct anyone into a direction.  I will let you guys
> find the proper direction.
>
>
> kind regards,
>
> David Sommerseth
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkt+caIACgkQDC186MBRfrr5ZACgqLxiXN70pCOGY0zyvQGSCpo6
> n2EAn1le6hzZe4aThLfAKvYwK7d3CPSG
> =e7yX
> -END PGP SIGNATURE-
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [IPv6] Merge conflicts in mroute.c (was: Re: openvpn-testing tree available)

2010-02-21 Thread JuanJo Ciarlante
On Fri, Feb 19, 2010 at 3:38 PM, Gert Doering  wrote:
> Hi,
>
> On Fri, Feb 19, 2010 at 03:21:34PM +0100, JuanJo Ciarlante wrote:
>> > JJO's patch does more than that, he does DNS lookups to print the
>> > DNS name for the IPv6 address in question.
>>
>> Wrong.
>> From getaddrinfo(3):
>>    """
>>       If hints.ai_flags contains the AI_NUMERICHOST flag then the node
>>       parameter must be a numerical network address.
>>       The AI_NUMERICHOST flag suppresses any potentially  lengthy
>>       network host address lookups.
>>    """
>
> Ah!  Learned something new today.  So what's the specific advantage of
> using getnameinfo() instead of inet_ntop() instead?
>
> (I've only ever used getnameinfo() if I really wanted to do DNS lookups).
>
>> > Now we enter religious
>> > territory - *I* think that this is not a good thing.
>>
>> I can't more eagerly _agree_ on tossing out any reverse
>> DNS lookups at this level.
>
> OK, good.  Glad that this was just a misreading of the code.
>
>
>> > The existing
>> > code doesn't do reverse DNS lookups for IPv4 mroute printing, and so
>> > the IPv6 code should behave similar to the IPv4 code, and not do DNS
>> > either (also, depending on DNS lookup in this place might lead to
>> > weird delays in unexpected situations).  But this is partly religious,
>> > partly "follow the coding style of the existing code" stuff.
>>
>> IMO we should avoid using inet_ntop() and friends; personally
>> I don't like locking around their lack of thread safety.
>
> Mmmh, ok.  I wasn't aware that inet_ntop() is not thread-safe.  (Looking
> at the FreeBSD implementation, at least that one *is* thread-safe - no
> static buffers, etc.).

And now I learned something new, by *actually* looking closely at the
inet_ntop() manpage, heh (had a totally wrong braino on it using
static buffers).
Please just ignore this non-MT-safe statement from me.

>
> If it is not thread-safe, it won't break anything in my code, though
> (lucky me :-) ) - my use of it in print_in6_addr() is mutex-locked anyway,
> due to the use of a static buffer there.
>
> Is getnameinfo() *guaranteed* to be thread-safe?
>
> Do you have a reference that documents that inet_ntop() and inet_pton()
> are unsafe to be used in a threaded context?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [IPv6] Merge conflicts in mroute.c (was: Re: openvpn-testing tree available)

2010-02-19 Thread JuanJo Ciarlante
On Fri, Feb 19, 2010 at 2:46 PM, Gert Doering  wrote:
> Hi,
>
> On Fri, Feb 19, 2010 at 12:10:29PM +0100, David Sommerseth wrote:
>> >> I still need to do some touches for allmerged, as
>> >> we conflict w/ Gert's IPv6 patch on a mroute.c chunk
>> >> IIRC.
>>
>> Even though I know you both have told me that there would be a merge
>> conflict in mroute.c, I decided to put it on the mailing list -
>> hopefully to get an open discussion about it!
>
> Good :-)

Indeed ... FigHT!! :)

>
>> I've attached the merge conflict.  It would be great if you could sort
>> this out soon.  Then I'll get both of your trees into the allmerged
>> branch ASAP.  Right now only Gert's code is in the allmerged branch.
>
> For the allmerged, you could use either one, or none at all(!) :-)
>
> *I* think you should use mine, of course.  Reason explained below.

I agree, but not for the reason you expose ... but just
because you "own" this 6layer.

>
>
>> What I do see might be a challenge (without knowing the code in
>> details), is that JJO's code is using #ifdef, while Gert's code is not.
>>  With a conflict in mroute_addr_print_ex(), which includes an #ifdef I
>> see a potential disaster here.
>
> The code basically does the same thing "add printing of the IPv6
> information for a mroute structure containing IPv6 information".
>
> For OpenVPN to *work*, you need neither, it's just helpful diagnostic
> output :-) - if the code is unpatched,  it will just do
>
>         buf_printf (&out, "IPV6");
>
> for IPv6 mroutes, but not error-abort or fail.  So no danger here.
>
>
> Now, for the different patches.
>
> My patch "just prints the IPv6 address", using a helper function that
> I added elsewhere (print_in6_addr()).  This function is not available
> in the official tree, so JJO cannot use it for his branch.
>
> JJO's patch does more than that, he does DNS lookups to print the
> DNS name for the IPv6 address in question.

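Wrong.
From getaddrinfo(3):
   """
  If hints.ai_flags contains the AI_NUMERICHOST flag then the node
  parameter must be a numerical network address.
  The AI_NUMERICHOST flag suppresses any potentially  lengthy
  network host address lookups.
   """
[Note: the quoted text covers getaddrinfo(); when an address is formatted with getnameinfo(), the flag that suppresses the name lookup is NI_NUMERICHOST.]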

> Now we enter religious
> territory - *I* think that this is not a good thing.

I can't more eagerly _agree_ on tossing out any reverse
DNS lookups at this level.

> The existing
> code doesn't do reverse DNS lookups for IPv4 mroute printing, and so
> the IPv6 code should behave similar to the IPv4 code, and not do DNS
> either (also, depending on DNS lookup in this place might lead to
> weird delays in unexpected situations).  But this is partly religious,
> partly "follow the coding style of the existing code" stuff.

IMO we should avoid using inet_ntop() and friends, personally
I don't like locking around their lack of multi-threading.

>
> JJO's patch also adds the port number for MR_WITH_PORT mroutes - which
> is something that never happens for my usage of IPv6 mroutes for
> IPv6 payload - but that could be easily added to my code.
>
>
>> Personally, I would like to evaluate Gert's patches to see if they could
>> be #ifdef'ed.  Then both IPv6 branches can both use USE_PF_INET6 to
>> enable or disable the IPv6 support.  I have not studied these patches,
>> so I don't know how doable that is.  And this is my personal opinion, I
>> don't mean to instruct anyone into a direction.  I will let you guys
>> find the proper direction.
>
> Most changes of my patch could be #ifdef'ed easily - places that just add
> extra lines of code, extra fields to a structure, and such.  That's the easy
> stuff.
>
> Other parts are much harder, changes like this one:
>
>       /* possibly add routes */
>       if (!c->options.route_delay_defined)
> -       do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, 
> c->c2
> .es);
> +       do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,
> +                 c->c1.tuntap, c->plugins, c->c2.es);
>
>
> ... where I had to add extra arguments to a function call.  #ifdef'ing
> that is going to produce really ugly and much harder-to-maintain code
> (because you have to have an #else, with the old call syntax, and
> future changes of this function call always have to adjust *both*
> changes).
>
>
> I've just re-checked JJO's patch - the #ifdef's in there don't cover
> all the changes either, just the IPv6-specific stuff.  The necessary
> changes to the existing IPv4 infrastructure (data structures etc) are
> not #ifdef'ed - so the #ifdef's here don't serve to deactivate the
> whole patch, but only to disable the actual IPv6 transport functionality.
>
>
> Personally, I'm not a big fan of #ifdef'ing changes that affect so many
> different places of the code (JJO's patch has 109 chunks, my patch
> has 119 chunks) because it will make the code much harder to read, and
> also harder to test ("how many different combinations of compile-time
> options need to be enabled to cover all possible code paths?").
>
>

Re: [Openvpn-devel] openvpn-testing tree available

2010-02-19 Thread JuanJo Ciarlante
Hey David,

On Fri, Feb 19, 2010 at 12:14 PM, David Sommerseth
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 18/02/10 22:45, JuanJo Ciarlante wrote:
>> On Wed, Feb 17, 2010 at 6:46 PM, JuanJo Ciarlante  wrote:
>>> > Hi David,
>>> >
>>> > On Tue, Feb 16, 2010 at 7:49 PM, David Sommerseth
>>> >  wrote:
>>
>> Greetings all!
>>
>> I am now announcing the openvpn-testing.git tree as open.  Gert has
>> already been announcing the availability as a response to some merge
>> conflicts.  Anyhow, those issues are solved.
>>>> >
>>>> > \o/ !
>>>> >
>>
>> The tree is also tagged with all 2.1 releases and RC releases.  I have
>> not bothered with tagging the 2.1 beta or any 2.0 releases at all.  If
>> somebody finds it useful and wants it, please generate a list of tag
>> names and commit ID's and I'll update the tree.
>>
>>
>> What's next:
>>
>> - JuanJo Ciarliante's IPv6 patches for the transport layer.
>>  There are some merge conflicts here as well, which we need to solve.
>>  It's most probably due to different merge roots between our copies of
>>  the SVN tree.  I hope JJO and I can solve this soon, then it will go
>>  into the allmerged branch immediately.
>>>> >
>>>> > Cool, thanks a lot for the heads-up.
>>>> >
>>>> > I'll try to solve this before by next week,
>>> I've just did a cut+merge, fyi I had to use:
>>>   git-format-patch -k --stdout stock..master |git-am -3 -k
>>>     (stock: my svn-import'd tree, master: my local head)
>>> , worked fine (b/c of the different svn-import history(?),
>>> git could not find a common ancestor, then the need
>>> to fallback to "diff | patch").
>>> It also successful passes my tests as stated in README.ipv6.
>>
>>> I've pushed this to my github repo, so something in the
>>> lines of:
>>>   git-remote add -f -t openvpn-testing-master+jjo-ipv6 \
>>>      jjo-ipv6 git://github.com/jjo/openvpn-ipv6
>>
>>> +merge should be able to fast-forward your master
>>> head.
>>
>>> I still need to do some touches for allmerged, as
>>> we conflict w/ Gert's IPv6 patch on a mroute.c chunk
>>> IIRC.
>>
>
> Great!  Thank you for your work here!
>
> I've created an feat_ipv6_transport branch where I'll track your
> patches.  Gert's IPv6 patches are in feat_ipv6_payload (which are also
> merged into the allmerged branch).  I've started the discussion about
> the merge conflict in another mail thread.

Cool!, tnx a lot.

>
> It's all pushed out to the openvpn-testing.git, so please feel free to
> update me when you have solved these issues or have other updates!

I expect to find time during the weekend to resolve the small conflict
and be able to inject-da-zing into allmerged.

>
>
> kind regards,

Cheers,

>
> David Sommerseth
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkt+crAACgkQDC186MBRfroDNgCgsZwPBeAFzR44FB34Xv0HInAr
> 46EAoKZtDgoSvqQIzpQu5XNEygaA7ccs
> =rqXo
> -END PGP SIGNATURE-
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] openvpn-testing tree available

2010-02-18 Thread JuanJo Ciarlante
On Wed, Feb 17, 2010 at 6:46 PM, JuanJo Ciarlante  wrote:
> Hi David,
>
> On Tue, Feb 16, 2010 at 7:49 PM, David Sommerseth
>  wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>>
>> Greetings all!
>>
>> I am now announcing the openvpn-testing.git tree as open.  Gert has
>> already been announcing the availability as a response to some merge
>> conflicts.  Anyhow, those issues are solved.
>
> \o/ !
>
>>
>> The tree is also tagged with all 2.1 releases and RC releases.  I have
>> not bothered with tagging the 2.1 beta or any 2.0 releases at all.  If
>> somebody finds it useful and wants it, please generate a list of tag
>> names and commit ID's and I'll update the tree.
>>
>>
>> What's next:
>>
>> - - JuanJo Ciarliante's IPv6 patches for the transport layer.
>>  There are some merge conflicts here as well, which we need to solve.
>>  It's most probably due to different merge roots between our copies of
>>  the SVN tree.  I hope JJO and I can solve this soon, then it will go
>>  into the allmerged branch immediately.
>
> Cool, thanks a lot for the heads-up.
>
> I'll try to solve this before by next week,

I've just done a cut+merge; FYI, I had to use:
  git-format-patch -k --stdout stock..master |git-am -3 -k
(stock: my svn-import'd tree, master: my local head)
, worked fine (b/c of the different svn-import history(?),
git could not find a common ancestor, then the need
to fallback to "diff | patch").
It also successfully passes my tests as stated in README.ipv6.

I've pushed this to my github repo, so something in the
lines of:
  git-remote add -f -t openvpn-testing-master+jjo-ipv6 \
 jjo-ipv6 git://github.com/jjo/openvpn-ipv6

+merge should be able to fast-forward your master
head.

I still need to do some touches for allmerged, as
we conflict w/ Gert's IPv6 patch on a mroute.c chunk
IIRC.

Cheers,

> it's
> sooo great to see all the community contributed bits
> being taken good care   :)))
>
>>
>> - - Go through the mailing list to pick up branches which has not been
>>  included into the the OpenVPN SVN tree.  I will probably not go much
>>  further than the last 9-12 months.  If you have a patch you want to
>>  be sure gets into the tree, please raise the attention by sending an
>>  e-mail to this mailing list.  I don't intend to deliberately ignore
>>  patches.
>>
>>  James: Do you have an overview over patches you have included already?
>>  And patches you've received which has not been processed yet?
>>
>> - - The eurephia patch got a review, with one comment I'd like to
>>  investigate a little bit more (If ctx->current_cert->sha1_hash is
>>  always valid).  When this is done, the feat_eurephia branch will be
>>  merged into the allmerged branch.
>>
>> - - Update the developers documentation on the wiki, with some
>>  "requirements" to get patches included.  For already submitted patches
>>  I will be a little bit nicer.  Patches after this mail should strive
>>  to follow the guidelines found in the mail discussion here [1].  All
>>  patches are *expected* to apply cleanly against the latest SVN
>>  BETA21/openvpn branch or the git master branch.
>>
>> The next big test for this is when James does some more commits, and to
>> see how smoothly it will merge in those changes.
>>
>>
>> For those wanting to contact me, I'm available on e-mail:
>>  or on IRC (freenode, #openvpn-devel)
>>
>> The git tree is available here:
>> 
>>
>> Web view of the git tree can be found here:
>> <http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git>
>>
>>
>>
>> kind regards,
>
> Cheers,
>
>>
>> David Sommerseth
>>
>>
>> [1]
>> <http://sourceforge.net/mailarchive/message.php?msg_name=4B6A9823.8010800%40topphemmelig.net>
>>
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAkt66NMACgkQDC186MBRfrp4KACfQpqkUvcbB2GLxiBUx/ETX1Xw
>> 0ZwAoIbajA0Q5/Rm7cP+AUGgNPezlEwg
>> =MvpN
>> -END PGP SIGNATURE-
>>
>
>
>
> --
> --JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [IPv6 support] - usage of gethostbyname() in getaddr()

2010-02-17 Thread JuanJo Ciarlante
On Wed, Feb 17, 2010 at 2:47 PM, David Sommerseth
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi all!
>
> When reviewing the patch "FQDN for routes should expand to all IPs"
> today, I spotted that there is a function called getaddr() (renamed to
> getaddr_all() in the mentioned patch).  This function again makes use of
> the old gethostbyname() function.  This is not compatible with IPv6
> addresses.
>
> I would strongly recommend a move to getaddrinfo() instead.  This is
> based on an article [1] written by Ulrich Drepper, who is a glibc
> maintainer.  Any thoughts about that?  It might even be more functions
> needing to be ported as well.  The mentioned article lists most
> important functions which should be ported to newer APIs.
>
> Any comments on this issue would be appreciated.  Another issue is of
> course how this will influence other platforms than Linux.

Plenty adhere to this.

In my ipv6 transport patch I only use getaddrinfo()/getnameinfo(), not
only for the 'nixes, but also for the win32 build (x-compiled under Linux
with mingw32xxx and tested under wine by me and by other fellow
in the field [1] ).

[1]  http://github.com/jjo/openvpn-ipv6/downloads
   naked openvpn.exe built w/ipv6 transport support

>
>
> kind regards,
>
> David Sommerseth
>
>
>
> [1] 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkt783AACgkQDC186MBRfrrIxgCgnpCvbJMWzxutz4You8Qj8Qki
> DFcAoJp5eGTHkee7Lz6AU+gKl5BOXiNv
> =5ITZ
> -END PGP SIGNATURE-
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] openvpn-testing tree available

2010-02-17 Thread JuanJo Ciarlante
Hi David,

On Tue, Feb 16, 2010 at 7:49 PM, David Sommerseth
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> Greetings all!
>
> I am now announcing the openvpn-testing.git tree as open.  Gert has
> already been announcing the availability as a response to some merge
> conflicts.  Anyhow, those issues are solved.

\o/ !

>
> The tree is also tagged with all 2.1 releases and RC releases.  I have
> not bothered with tagging the 2.1 beta or any 2.0 releases at all.  If
> somebody finds it useful and wants it, please generate a list of tag
> names and commit ID's and I'll update the tree.
>
>
> What's next:
>
> - - JuanJo Ciarliante's IPv6 patches for the transport layer.
>  There are some merge conflicts here as well, which we need to solve.
>  It's most probably due to different merge roots between our copies of
>  the SVN tree.  I hope JJO and I can solve this soon, then it will go
>  into the allmerged branch immediately.

Cool, thanks a lot for the heads-up.

I'll try to solve this by next week; it's
sooo great to see all the community-contributed bits
being taken good care of   :)))

>
> - - Go through the mailing list to pick up branches which has not been
>  included into the the OpenVPN SVN tree.  I will probably not go much
>  further than the last 9-12 months.  If you have a patch you want to
>  be sure gets into the tree, please raise the attention by sending an
>  e-mail to this mailing list.  I don't intend to deliberately ignore
>  patches.
>
>  James: Do you have an overview over patches you have included already?
>  And patches you've received which has not been processed yet?
>
> - - The eurephia patch got a review, with one comment I'd like to
>  investigate a little bit more (If ctx->current_cert->sha1_hash is
>  always valid).  When this is done, the feat_eurephia branch will be
>  merged into the allmerged branch.
>
> - - Update the developers documentation on the wiki, with some
>  "requirements" to get patches included.  For already submitted patches
>  I will be a little bit nicer.  Patches after this mail should strive
>  to follow the guidelines found in the mail discussion here [1].  All
>  patches are *expected* to apply cleanly against the latest SVN
>  BETA21/openvpn branch or the git master branch.
>
> The next big test for this is when James does some more commits, and to
> see how smoothly it will merge in those changes.
>
>
> For those wanting to contact me, I'm available on e-mail:
>  or on IRC (freenode, #openvpn-devel)
>
> The git tree is available here:
> 
>
> Web view of the git tree can be found here:
> 
>
>
>
> kind regards,

Cheers,

>
> David Sommerseth
>
>
> [1]
> 
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkt66NMACgkQDC186MBRfrp4KACfQpqkUvcbB2GLxiBUx/ETX1Xw
> 0ZwAoIbajA0Q5/Rm7cP+AUGgNPezlEwg
> =MvpN
> -END PGP SIGNATURE-
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



[Openvpn-devel] [PATCH] openvpn over ipv6 support v0.4.10, rebased to 2.1_rc21

2009-11-12 Thread JuanJo Ciarlante
Hi,
I rebased the latest incarnation of the ipv6 patch (0.4.10)
to openvpn 2.1_rc21 release.

Changes from v0.4.9..v0.4.10:
* All platforms:
 - implemented redirect-gateway support for ipv4 on ipv6 endpoints
 - several src cleanups (no actual code changes)
 - doc updates
* win32:
 - expanded usage of proto_is_udp(), proto_is_tcp()
 - replaced some memset(&obj, 0, sizeof obj) by openvpn's CLEAR(obj)
* openbsd:
 - there's no IFF_MULTICAST, #ifdef'd around it (not specific to ipv6-patch)

Available from my git repo[1], also as patch over 2.1_rc21 [2].
There's also a win32 x-compiled binary (YMMV), built
w/openssl-0.9.8l from source [3].

[1] http://github.com/jjo/openvpn-ipv6/
[2] 
http://cloud.github.com/downloads/jjo/openvpn-ipv6/openvpn-2.1_rc21-ipv6-0.4.10.uncached.patch.gz
 mehh... there is some staleness in github that keeps serving a
failed 1st upload,
 I temp added the ".uncached"; will let it "drain" and try to
serve the orig filename
 in a few hours.
[3] 
http://cloud.github.com/downloads/jjo/openvpn-ipv6/openvpn.exe-2.1_rc21-ipv6-0.4.10.zip

-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support v0.4.9, rebased on 2.1_rc20 [was: v0.4.6]

2009-10-11 Thread JuanJo Ciarlante
Hey Marcel,

On Sun, Oct 11, 2009 at 1:13 PM, Marcel Pennewiß
 wrote:
> On Monday 05 October 2009 16:45:24 JuanJo Ciarlante wrote:
>> Thank you Marcel for the invaluable debugging and re-patching.
>>
>> FYI I rebased my current tree onto 2.1_rc20, git-push'd[1]
>> and uploaded rc20 diffs [2].
>
> Your patch will now be (re-)included in the official gentoo portage-tree. [1]
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=287896

Cool \o/, tnx a lot for the support !:)

Cheers,

>
> Marcel
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support v0.4.9, rebased on 2.1_rc20 [was: v0.4.6]

2009-10-06 Thread JuanJo Ciarlante
Hola Alberto,

On Tue, Oct 6, 2009 at 1:33 PM, Alberto Gonzalez Iniesta
 wrote:
> On Mon, Oct 05, 2009 at 04:45:24PM +0200, JuanJo Ciarlante wrote:
>> Hi
>>
>> On Mon, Oct 5, 2009 at 4:11 PM, Marcel Pennewiß
>>  wrote:
>> > On Wednesday 30 September 2009 19:41:01 Marcel Pennewiß wrote:
>> >> On Friday 25 September 2009 23:36:19 JuanJo Ciarlante wrote:
>> >> > Hi,
>> >> >
>> >> > I'm(back) working on openvpn/ipv6 endpoint support, aka udp6/tcp6,
>> >> > please refer to README.ipv6[1] and TODO.ipv6[2] for more details.
>> >>
>> >> OpenVPN 2.1-rc19 crashes on Gentoo (Xen DomU, AMD64) using tcp6-server with
>> >> and segfaulted using "tcp-server"
>> >
>> > Both problems fixed in 0.4.8-patch. big thx to JuanJo.
>>
>> Thank you Marcel for the invaluable debugging and re-patching.
>>
>> FYI I rebased my current tree onto 2.1_rc20, git-push'd[1]
>> and uploaded rc20 diffs [2].
>
> Hi All!
>
> I just included the patch on the official Debian package. It will enter
> the Sid repository today,

wooHooo, cool! ... muchas gracias, Alberto =)

>  hopefully a bunch of new people will test it
> now. :)

Indeed!  0:)

Cheers,

>
> Regards,
>
> Alberto
>
> --
> Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
> agi@(inittab.org|debian.org)| en GNU/Linux y software libre
> Encrypted mail preferred    | http://inittab.com
>
> Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



[Openvpn-devel] [PATCH] openvpn over ipv6 support v0.4.9, rebased on 2.1_rc20 [was: v0.4.6]

2009-10-05 Thread JuanJo Ciarlante
Hi

On Mon, Oct 5, 2009 at 4:11 PM, Marcel Pennewiß
 wrote:
> On Wednesday 30 September 2009 19:41:01 Marcel Pennewiß wrote:
>> On Friday 25 September 2009 23:36:19 JuanJo Ciarlante wrote:
>> > Hi,
>> >
>> > I'm(back) working on openvpn/ipv6 endpoint support, aka udp6/tcp6,
>> > please refer to README.ipv6[1] and TODO.ipv6[2] for more details.
>>
>> OpenVPN 2.1-rc19 crashes on Gentoo (Xen DomU, AMD64) using tcp6-server with
>> and segfaulted using "tcp-server"
>
> Both problems fixed in 0.4.8-patch. big thx to JuanJo.

Thank you Marcel for the invaluable debugging and re-patching.

FYI I rebased my current tree onto 2.1_rc20, git-push'd[1]
and uploaded rc20 diffs [2].

Cheers,

[1] http://github.com/jjo/openvpn-ipv6
[2] http://github.com/jjo/openvpn-ipv6/downloads


>
> Marcel
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-10-02 Thread JuanJo Ciarlante
On Thu, Oct 1, 2009 at 8:22 PM, Marcel Pennewiß
 wrote:
>
> On Thursday 01 October 2009 12:14:14 JuanJo Ciarlante wrote:
> > Could you please show a diff between config.h from stock
> > and patched build?
>
> the problem seems to be caused by
> ./configure ... --disable-iproute2.

this worked ok for me (?)

>
> if i enable iproute2:
> ./configure ... --enable-iproute2
> the build of openvpn works.
>
> But if the first client connects, the openvpn server generates a segfault (with
> tcp-server and tcp6-server as option).
> The last lines via strace - maybe they could help you:

Thanks for the detailed report, I'll try to reproduce this
and come back to you.

Cheers,

>
> [    2b82cc06da13] epoll_wait(6, {{EPOLLIN, {u32=2, u64=2}}}, 1028, 1) = 1
> [    2b82cbd8e840]
> read(5, 
> "\377\377\377\377\377\377\0\377Gs\311\210\10\6\0\1\10\0\6\4\0\1\0\377Gs\311\210\300\250*s\0"...,
> 1532) = 42
> [    2b82cc06da13] epoll_wait(6, {{EPOLLIN, {u32=2, u64=2}}}, 1028, 1) = 1
> [    2b82cbd8e840]
> read(5, 
> "\377\377\377\377\377\377\0\377Gs\311\210\10\6\0\1\10\0\6\4\0\1\0\377Gs\311\210\300\250*s\0"...,
> 1532) = 42
> [    2b82cc06da13] epoll_wait(6, {{EPOLLIN, {u32=2, u64=2}}}, 1028, 1) = 1
> [    2b82cbd8e840]
> read(5, 
> "\377\377\377\377\377\377\0\377Gs\311\210\10\6\0\1\10\0\6\4\0\1\0\377Gs\311\210\300\250*s\0"...,
> 1532) = 42
> [    2b82cc06da13] epoll_wait(6, {{EPOLLIN, {u32=1, u64=1}}}, 1028, 1) = 1
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 72,
> MSG_NOSIGNAL, NULL, 0) = 72
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 61,
> MSG_NOSIGNAL, NULL, 0) = 61
> [    2b82cc06a2ea] mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|
> MAP_ANONYMOUS, -1, 0) = 0x2b82cb19
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 64,
> MSG_NOSIGNAL, NULL, 0) = 64
> [    2b82cc06602a] brk(0x6dd000)        = 0x6dd000
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 100,
> MSG_NOSIGNAL, NULL, 0) = 100
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 108,
> MSG_NOSIGNAL, NULL, 0) = 108
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 76,
> MSG_NOSIGNAL, NULL, 0) = 76
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 86,
> MSG_NOSIGNAL, NULL, 0) = 86
> [    2b82cbd8eac0] accept(4, {sa_family=AF_INET6, sin6_port=htons(55430),
> inet_pton(AF_INET6, ":::141.xx.xx.xxx", &sin6_addr), sin6_flowinfo=0,
> sin6_scope_id=0}, [30146066212978716]) = 7
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 105,
> MSG_NOSIGNAL, NULL, 0) = 105
> [    2b82cc06e20a] getsockopt(7, SOL_SOCKET, SO_SNDBUF, [1718256], [4]) =
> 0
> [    2b82cc06e20a] getsockopt(7, SOL_SOCKET, SO_RCVBUF, [30146066213109760],
> [4]) = 0
> [    2b82cc06e68a] setsockopt(7, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
> [    2b82cc06e68a] setsockopt(7, SOL_SOCKET, SO_RCVBUF, [65536], 4) = 0
> [    2b82cc06e20a] getsockopt(7, SOL_SOCKET, SO_SNDBUF, [1718256], [4]) =
> 0
> [    2b82cc06e20a] getsockopt(7, SOL_SOCKET, SO_RCVBUF, [30146066213109760],
> [4]) = 0
> [    2b82cc06e4b5] sendto(3, "<29>Oct  1 20:24:45 openvpn[15698"..., 90,
> MSG_NOSIGNAL, NULL, 0) = 90
> [    2b82cbd8ea1b] fcntl(7, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
> [    2b82cbd8ea1b] fcntl(7, F_SETFD, FD_CLOEXEC) = 0
> [    2b82cc06e68a] setsockopt(7, SOL_IP, IP_RECVERR, [1], 4) = 0
> [    2b82cc017fd0] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> Process 15698 detached
>
>
> Oct  1 20:09:45 larissa openvpn[15446]: segfault at 0002 rip
> 2b07e075bfd0 rsp 7fffcb1f79b8 error 4
>
> Marcel
>
>



--
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-10-01 Thread JuanJo Ciarlante
Hi Marcel,

On Thu, Oct 1, 2009 at 11:41 AM, Marcel Pennewiß
wrote:

> On Thursday 01 October 2009 09:22:31 JuanJo Ciarlante wrote:
> > Compiled from
> >
> >
> http://cloud.github.com/downloads/jjo/openvpn-ipv6/openvpn-2.1_rc19c-ipv6-0
> >.4.7.tar.gz , it went find for both, as the symbol(s) are ok at the
> objects:
> >
> > $ nm -p multi.o ssl.o | egrep 'o:|tls_auth'
> > multi.o:
> >  U tls_authenticate_key
> >  U tls_authentication_status
> > ssl.o:
> > 0080 T tls_authenticate_key
> > 0ba0 T tls_auth_standalone_init
> > 0d80 T tls_auth_standalone_finalize
> > 0ff0 T tls_authentication_status
> >
> > , ie: tls_authenticate_key symbol present as code ("T "ext) in ssl.o
> > , could be there something fishy/unclean in your building env?
>
> i don't know but build log seems not to show any problems. after the build
> error my multi.o and ssl.o are different from yours:
>
> larissa openvpn-2.1_rc19 # nm -p multi.o ssl.o | egrep 'o:|tls_auth'
> multi.o:
> U tls_authenticate_key
> U tls_authentication_status
> ssl.o:
> 0080 T tls_authentication_status
> 0be0 T tls_auth_standalone_init
> 0da0 T tls_auth_standalone_finalize
>

This is even more weird, cool ...


> the problem only exists when i add your patch. without your patch
> everything
> runs fine. i'm using openvpn-source from
> http://ftp.tu-ilmenau.de/mirror/gentoo/distfiles/openvpn-2.1_rc19.tar.gz
> which is the official source from gentoo-portage and apply your patch.
>
> i'll try your sources asap.
>

They must^Wshould output the very same source, as the
patch is created from a "diff -ur ..." between stock and
my src tree.

Could you please show a diff between config.h from stock
and patched build?

Cheers,


> Regards,
> Marcel
>
>
>
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'


Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-10-01 Thread JuanJo Ciarlante
On Thu, Oct 1, 2009 at 8:33 AM, JuanJo Ciarlante  wrote:
> On Thu, Oct 1, 2009 at 8:14 AM, Marcel Pennewiß
>  wrote:
>> On Thursday 01 October 2009 00:26:15 JuanJo Ciarlante wrote:
>>> Marcel,
>>> > Please apply this patch:
>>>
>>> also available as full patch at
>>>   http://cloud.github.com/downloads/jjo/openvpn-ipv6/openvpn-2.1_rc19-2.1_r
>>>c19c-ipv6-0.4.7.patch.gz
>>
>> compiling failed with:
>>
>> x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I.   -I.    -march=athlon64 -O2 
>> -pipe -msse3 -D_REENTRANT -pthread -MT
>> cryptoapi.o -MD -MP -MF .deps/cryptoapi.Tpo -c -o cryptoapi.o cryptoapi.c
>> mv -f .deps/cryptoapi.Tpo .deps/cryptoapi.Po
>>
>> x86_64-pc-linux-gnu-gcc  -march=athlon64 -O2 -pipe -msse3 -D_REENTRANT 
>> -pthread  -Wl,-O1 -o
>> openvpn base64.o buffer.o crypto.o dhcp.o error.o event.o fdmisc.o forward.o
>> fragment.o gremlin.o helper.o lladdr.o init.o interval.o list.o lzo.o
>> manage.o mbuf.o misc.o mroute.o mss.o mtcp.o mtu.o mudp.o multi.o ntlm.o
>> occ.o pkcs11.o openvpn.o options.o otime.o packet_id.o perf.o pf.o ping.o
>> plugin.o pool.o proto.o proxy.o ieproxy.o ps.o push.o reliable.o route.o
>> schedule.o session_id.o shaper.o sig.o socket.o socks.o ssl.o status.o
>> thread.o tun.o win32.o cryptoapi.o  -lssl -lcrypto -llzo2 -ldl
>>
>> multi.o: In function `management_client_auth':
>> multi.c:(.text+0x22ee): undefined reference to `tls_authenticate_key'
>> collect2: ld returned 1 exit status
>
> Weird, cos I didn't touch anything related to crypto (?), anyway
> I'll test the build from patch in x86{,_64} to see if I can get that.

Compiled from
  
http://cloud.github.com/downloads/jjo/openvpn-ipv6/openvpn-2.1_rc19c-ipv6-0.4.7.tar.gz
, it went fine for both, as the symbol(s) are ok at the objects:

$ nm -p multi.o ssl.o | egrep 'o:|tls_auth'
multi.o:
 U tls_authenticate_key
 U tls_authentication_status
ssl.o:
0080 T tls_authenticate_key
0ba0 T tls_auth_standalone_init
0d80 T tls_auth_standalone_finalize
0ff0 T tls_authentication_status

, ie: tls_authenticate_key symbol present as code ("T "ext) in ssl.o
, could be there something fishy/unclean in your building env?


>
> Cheers,
>
>>
>> make[1]: *** [openvpn] Error 1
>> make[1]: Leaving directory
>> `/var/tmp/portage/net-misc/openvpn-2.1_rc19/work/openvpn-2.1_rc19'
>> make: *** [install-recursive] Error 1
>>
>>
>> using:
>> ./configure --prefix=/usr --build=x86_64-pc-linux-gnu 
>> --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info 
>> --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib 
>> --libdir=/usr/lib64 --disable-pkcs11 --disable-password-save --enable-ssl 
>> --enable-crypto --enable-pthread --disable-iproute2
>> and gcc version 4.3.2 (Gentoo 4.3.2-r3 p1.6, pie-10.1.5)
>>
>> Regards,
>>
>> Marcel
>>
>>
>
>
>
> --
> --JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-10-01 Thread JuanJo Ciarlante
On Thu, Oct 1, 2009 at 8:14 AM, Marcel Pennewiß
 wrote:
> On Thursday 01 October 2009 00:26:15 JuanJo Ciarlante wrote:
>> Marcel,
>> > Please apply this patch:
>>
>> also available as full patch at
>>   http://cloud.github.com/downloads/jjo/openvpn-ipv6/openvpn-2.1_rc19-2.1_r
>>c19c-ipv6-0.4.7.patch.gz
>
> compiling failed with:
>
> x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I.   -I.    -march=athlon64 -O2 
> -pipe -msse3 -D_REENTRANT -pthread -MT
> cryptoapi.o -MD -MP -MF .deps/cryptoapi.Tpo -c -o cryptoapi.o cryptoapi.c
> mv -f .deps/cryptoapi.Tpo .deps/cryptoapi.Po
>
> x86_64-pc-linux-gnu-gcc  -march=athlon64 -O2 -pipe -msse3 -D_REENTRANT 
> -pthread  -Wl,-O1 -o
> openvpn base64.o buffer.o crypto.o dhcp.o error.o event.o fdmisc.o forward.o
> fragment.o gremlin.o helper.o lladdr.o init.o interval.o list.o lzo.o
> manage.o mbuf.o misc.o mroute.o mss.o mtcp.o mtu.o mudp.o multi.o ntlm.o
> occ.o pkcs11.o openvpn.o options.o otime.o packet_id.o perf.o pf.o ping.o
> plugin.o pool.o proto.o proxy.o ieproxy.o ps.o push.o reliable.o route.o
> schedule.o session_id.o shaper.o sig.o socket.o socks.o ssl.o status.o
> thread.o tun.o win32.o cryptoapi.o  -lssl -lcrypto -llzo2 -ldl
>
> multi.o: In function `management_client_auth':
> multi.c:(.text+0x22ee): undefined reference to `tls_authenticate_key'
> collect2: ld returned 1 exit status

Weird, cos I didn't touch anything related to crypto (?), anyway
I'll test the build from patch in x86{,_64} to see if I can get that.

Cheers,

>
> make[1]: *** [openvpn] Error 1
> make[1]: Leaving directory
> `/var/tmp/portage/net-misc/openvpn-2.1_rc19/work/openvpn-2.1_rc19'
> make: *** [install-recursive] Error 1
>
>
> using:
> ./configure --prefix=/usr --build=x86_64-pc-linux-gnu 
> --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info 
> --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib 
> --libdir=/usr/lib64 --disable-pkcs11 --disable-password-save --enable-ssl 
> --enable-crypto --enable-pthread --disable-iproute2
> and gcc version 4.3.2 (Gentoo 4.3.2-r3 p1.6, pie-10.1.5)
>
> Regards,
>
> Marcel
>
>



-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-30 Thread JuanJo Ciarlante
Marcel,

On Thu, Oct 1, 2009 at 12:19 AM, JuanJo Ciarlante  wrote:
>
> On Wed, Sep 30, 2009 at 11:21:41PM +0200, JuanJo Ciarlante wrote:
> > On Wed, Sep 30, 2009 at 8:47 PM, Marcel Pennewiß
> > wrote:
> >
> > > On Wednesday 30 September 2009 20:20:40 JuanJo Ciarlante wrote:
> > > > Could you please copy me the the exact cmdline and context (inetd?)
> > > > you are using in both cases?, also if there's any extra patch applied,
> > > etc.
> > >
> > > /usr/sbin/openvpn --config /etc/openvpn/tcp.conf --writepid
> > > /var/run/openvpn.tcp.pid --daemon --setenv
> > > SVCNAME openvpn.tcp --cd /etc/openvpn
> > >
> > > /etc/openvpn/tcp.conf:
> > > port 897
> > > proto tcp6-server
> > > dev tap1
> > > server-bridge 192.168.42.253 255.255.255.0 192.168.42.1 192.168.42.200
> > >
> > > tls-server
> > > dh /etc/openvpn/files/dh2048.pem
> > > ca /etc/openvpn/files/ca.pem
> > > cert /etc/openvpn/files/cert.pem
> > > key /etc/openvpn/files/key.pem
> > > comp-lzo
> > > client-to-client
> > > client-config-dir /etc/openvpn/clients
> > > persist-tun
> > > persist-key
> > > keepalive 10 120
> > > script-security 2
> > > user nobody
> > > group nogroup
> > > verb 3
> > >
> > > patch applied from gentoo ebuild:
> > > --- socket.c~   2008-11-02 01:39:00.40600 +0100
> > > +++ socket.c    2008-11-02 01:39:00.40600 +0100
> > > @@ -22,6 +22,7 @@
> > >  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> > >  */
> > >
> > > +#define _GNU_SOURCE
> > >  #include "syshead.h"
> > >
> > >  #include "socket.h"
> > >
> > > thx,
> > >
> >
> > Cool ... it's crashing for me also (yaY!) , it's something in the
> > multi-client path
> > that I hadn't handled, will work on it tomorrow.
>
> Please apply this patch:

also available as full patch at
  
http://cloud.github.com/downloads/jjo/openvpn-ipv6/openvpn-2.1_rc19-2.1_rc19c-ipv6-0.4.7.patch.gz


>
> >From 3afb64b8255fa28e488e793259b2f3de94840b01 Mon Sep 17 00:00:00 2001
> From: JuanJo Ciarlante 
> Date: Thu, 1 Oct 2009 00:15:12 +0200
> Subject: [PATCH] * fix multi-tcp crash (corrected assertion)
>
> ---
>  mtcp.c   |    6 +-
>  socket.c |    6 +-
>  2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/mtcp.c b/mtcp.c
> index f578429..7e2b07d 100644
> --- a/mtcp.c
> +++ b/mtcp.c
> @@ -153,7 +153,11 @@ multi_tcp_instance_specific_init (struct multi_context 
> *m, struct multi_instance
>   ASSERT (mi->context.c2.link_socket);
>   ASSERT (mi->context.c2.link_socket->info.lsa);
>   ASSERT (mi->context.c2.link_socket->mode == LS_MODE_TCP_ACCEPT_FROM);
> -  ASSERT 
> (mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == 
> AF_INET);
> +  ASSERT 
> (mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == 
> AF_INET
> +#ifdef USE_PF_INET6
> +         || 
> mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == 
> AF_INET6
> +#endif
> +         );
>   if (!mroute_extract_openvpn_sockaddr (&mi->real, 
> &mi->context.c2.link_socket->info.lsa->actual.dest, true))
>     {
>       msg (D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined");
> diff --git a/socket.c b/socket.c
> index 00d841e..97e6234 100644
> --- a/socket.c
> +++ b/socket.c
> @@ -1616,7 +1616,11 @@ link_socket_init_phase1 (struct link_socket *sock,
>   if (mode == LS_MODE_TCP_ACCEPT_FROM)
>     {
>       ASSERT (accept_from);
> -      ASSERT (sock->info.proto == PROTO_TCPv4_SERVER);
> +      ASSERT (sock->info.proto == PROTO_TCPv4_SERVER
> +#ifdef USE_PF_INET6
> +             || sock->info.proto == PROTO_TCPv6_SERVER
> +#endif
> +            );
>       ASSERT (!sock->inetd);
>       sock->sd = accept_from->sd;
>     }
> --
> 1.5.4.3
>
> I tested your config upto full connection, and seems to work.
>
> Cheers,

--
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-30 Thread JuanJo Ciarlante
On Wed, Sep 30, 2009 at 11:21:41PM +0200, JuanJo Ciarlante wrote:
> On Wed, Sep 30, 2009 at 8:47 PM, Marcel Pennewiß
> wrote:
> 
> > On Wednesday 30 September 2009 20:20:40 JuanJo Ciarlante wrote:
> > > Could you please copy me the the exact cmdline and context (inetd?)
> > > you are using in both cases?, also if there's any extra patch applied,
> > etc.
> >
> > /usr/sbin/openvpn --config /etc/openvpn/tcp.conf --writepid
> > /var/run/openvpn.tcp.pid --daemon --setenv
> > SVCNAME openvpn.tcp --cd /etc/openvpn
> >
> > /etc/openvpn/tcp.conf:
> > port 897
> > proto tcp6-server
> > dev tap1
> > server-bridge 192.168.42.253 255.255.255.0 192.168.42.1 192.168.42.200
> >
> > tls-server
> > dh /etc/openvpn/files/dh2048.pem
> > ca /etc/openvpn/files/ca.pem
> > cert /etc/openvpn/files/cert.pem
> > key /etc/openvpn/files/key.pem
> > comp-lzo
> > client-to-client
> > client-config-dir /etc/openvpn/clients
> > persist-tun
> > persist-key
> > keepalive 10 120
> > script-security 2
> > user nobody
> > group nogroup
> > verb 3
> >
> > patch applied from gentoo ebuild:
> > --- socket.c~   2008-11-02 01:39:00.40600 +0100
> > +++ socket.c2008-11-02 01:39:00.40600 +0100
> > @@ -22,6 +22,7 @@
> >  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
> >  */
> >
> > +#define _GNU_SOURCE
> >  #include "syshead.h"
> >
> >  #include "socket.h"
> >
> > thx,
> >
> 
> Cool ... it's crashing for me also (yaY!) , it's something in the
> multi-client path
> that I hadn't handled, will work on it tomorrow.

Please apply this patch:
>From 3afb64b8255fa28e488e793259b2f3de94840b01 Mon Sep 17 00:00:00 2001
From: JuanJo Ciarlante 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thu, 1 Oct 2009 00:15:12 +0200
Subject: [PATCH] * fix multi-tcp crash (corrected assertion)

---
 mtcp.c   |6 +-
 socket.c |6 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/mtcp.c b/mtcp.c
index f578429..7e2b07d 100644
--- a/mtcp.c
+++ b/mtcp.c
@@ -153,7 +153,11 @@ multi_tcp_instance_specific_init (struct multi_context *m, 
struct multi_instance
   ASSERT (mi->context.c2.link_socket);
   ASSERT (mi->context.c2.link_socket->info.lsa);
   ASSERT (mi->context.c2.link_socket->mode == LS_MODE_TCP_ACCEPT_FROM);
-  ASSERT (mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family 
== AF_INET);
+  ASSERT (mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family 
== AF_INET
+#ifdef USE_PF_INET6
+ || 
mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6
+#endif
+ );
   if (!mroute_extract_openvpn_sockaddr (&mi->real, 
&mi->context.c2.link_socket->info.lsa->actual.dest, true))
 {
   msg (D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined");
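Review bot: The `#ifdef USE_PF_INET6` / `#endif` pair sits inside the argument list of `ASSERT (...)`; if ASSERT is a function-like macro (the "Assertion failed at socket.c:1620" report in this thread suggests it is), a preprocessing directive inside macro arguments is undefined behaviour in C, and some compilers reject it. The socket.c hunk of this patch adds the same construct around `PROTO_TCPv6_SERVER`. Hoisting the condition keeps the check identical and portable: define a helper under the `#ifdef`, e.g. `#define SA_FAMILY_OK(f) ((f) == AF_INET || (f) == AF_INET6)` with an IPv4-only `#else` variant (the name is a suggestion), and write `ASSERT (SA_FAMILY_OK (...sa_family));`. The enclosing function starts and ends outside the hunk.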
diff --git a/socket.c b/socket.c
index 00d841e..97e6234 100644
--- a/socket.c
+++ b/socket.c
@@ -1616,7 +1616,11 @@ link_socket_init_phase1 (struct link_socket *sock,
   if (mode == LS_MODE_TCP_ACCEPT_FROM)
 {
   ASSERT (accept_from);
-  ASSERT (sock->info.proto == PROTO_TCPv4_SERVER);
+  ASSERT (sock->info.proto == PROTO_TCPv4_SERVER
+#ifdef USE_PF_INET6
+ || sock->info.proto == PROTO_TCPv6_SERVER
+#endif
+);
   ASSERT (!sock->inetd);
   sock->sd = accept_from->sd;
 }
-- 
1.5.4.3

I tested your config upto full connection, and seems to work.

Cheers,
-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-30 Thread JuanJo Ciarlante
On Wed, Sep 30, 2009 at 8:47 PM, Marcel Pennewiß
wrote:

> On Wednesday 30 September 2009 20:20:40 JuanJo Ciarlante wrote:
> > Could you please copy me the the exact cmdline and context (inetd?)
> > you are using in both cases?, also if there's any extra patch applied,
> etc.
>
> /usr/sbin/openvpn --config /etc/openvpn/tcp.conf --writepid
> /var/run/openvpn.tcp.pid --daemon --setenv
> SVCNAME openvpn.tcp --cd /etc/openvpn
>
> /etc/openvpn/tcp.conf:
> port 897
> proto tcp6-server
> dev tap1
> server-bridge 192.168.42.253 255.255.255.0 192.168.42.1 192.168.42.200
>
> tls-server
> dh /etc/openvpn/files/dh2048.pem
> ca /etc/openvpn/files/ca.pem
> cert /etc/openvpn/files/cert.pem
> key /etc/openvpn/files/key.pem
> comp-lzo
> client-to-client
> client-config-dir /etc/openvpn/clients
> persist-tun
> persist-key
> keepalive 10 120
> script-security 2
> user nobody
> group nogroup
> verb 3
>
> patch applied from gentoo ebuild:
> --- socket.c~   2008-11-02 01:39:00.40600 +0100
> +++ socket.c2008-11-02 01:39:00.40600 +0100
> @@ -22,6 +22,7 @@
>  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
>  */
>
> +#define _GNU_SOURCE
>  #include "syshead.h"
>
>  #include "socket.h"
>
> thx,
>

Cool ... it's crashing for me also (yaY!) , it's something in the
multi-client path
that I hadn't handled, will work on it tomorrow.

Thanks a lot for the detailed report and info :)

Cheers,

-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'


Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-30 Thread JuanJo Ciarlante
Hi Marcel,

On Wed, Sep 30, 2009 at 7:41 PM, Marcel Pennewiß
 wrote:
> On Friday 25 September 2009 23:36:19 JuanJo Ciarlante wrote:
>> Hi,
>>
>> I'm(back) working on openvpn/ipv6 endpoint support, aka udp6/tcp6,
>> please refer to README.ipv6[1] and TODO.ipv6[2] for more details.
>
> OpenVPN 2.1-rc19 crashs on Gentoo (Xen DomU, AMD64( using tcp6-server with
>
> Sep 30 19:42:00 larissa openvpn[25441]: Assertion failed at socket.c:1620
> Sep 30 19:42:00 larissa openvpn[25441]: Exiting
>
> and segfaulted using "tcp-server"
>
> Sep 30 19:39:09 larissa openvpn[25238]: segfault at 0002 rip
> 2b3486469fd0 rsp 7fff254e9c98 error 4
>
> {...snip...}

Could you please copy me the the exact cmdline and context (inetd?)
you are using in both cases?, also if there's any extra patch applied, etc.

Thanks a lot,

>
> Any ideas?
>
> Marcel
>
>


-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-29 Thread JuanJo Ciarlante
Hey Marcel,

On Tue, Sep 29, 2009 at 6:23 PM, Marcel Pennewiß
 wrote:
> On Friday 25 September 2009 23:36:19 JuanJo Ciarlante wrote:
>> Hi,
>
> Hi JuanJo,
>
>> I'm(back) working on openvpn/ipv6 endpoint support, aka udp6/tcp6,
>> please refer to README.ipv6[1] and TODO.ipv6[2] for more details.
>
> Great news! Thank you very much for your work.
> So i needn't adapt your patch in future ;)

=)

>
>> All snapshots are unittested for correct {udp,tcp}v{4,6} operation
>> under GNU/Linux and win32 (the latter x-compiled under the former ;).
>
> I will update my gentoo ebuilds with the current patch in the next days.
> After this i will publish the URL for the ebuilds.

Cool, thanks!, plz ping me back as soon as you have it, to add it to
the README.

>
> Regards,
> Marcel
>

Cheers,
-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-28 Thread JuanJo Ciarlante
Hi Farkas,

On Sat, Sep 26, 2009 at 5:13 PM, Farkas Levente  wrote:
> any change to megre it into upstream openvpn?

hummm... one important "thing" I've been voiding to face is mgmt console
support (mainly b/c I don't use it), but I'm certainly sure this would be
an absolute requirement for getting it in  ;o)

For the moment, I added this fact to TODO.ipv6 ... so that doesn't appear
that there's no love for that support :)

Cheers,

>
> On 09/26/2009 04:05 PM, Bernhard Schmidt wrote:
>> JuanJo Ciarlante  wrote:
>>
>> Hello JuanJo,
>>
>>> I'm(back) working on openvpn/ipv6 endpoint support, aka udp6/tcp6,
>>> please refer to README.ipv6[1] and TODO.ipv6[2] for more details.
>>>
>>> All snapshots are unittested for correct {udp,tcp}v{4,6} operation
>>> under GNU/Linux and win32 (the latter x-compiled under the former ;).
>>
>> Thank you very much, your work is highly appreciated!
>>
>> I've updated my Ubuntu PPA repository of IPv6-enabled OpenVPN with your
>> patch. It contains the Ubuntu Karmic 2.1~rc19-1ubuntu2 package patched
>> for IPv6 transport, compiled for Karmic and Intrepid. The Intrepid
>> version should work fine on Debian Lenny as well.
>>
>> You can find those packages on
>> https://launchpad.net/~berni/+archive/ipv6/+packages . I have not
>> observed any problems in my easy usecase (static Point-to-point tunnel
>> over UDPv6), but no guarantees for anything.
>
>
> --
>   Levente                               "Si vis pacem para bellum!"
>
>

-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-28 Thread JuanJo Ciarlante
Hi Bernhard,

On Sat, Sep 26, 2009 at 4:05 PM, Bernhard Schmidt  wrote:
> JuanJo Ciarlante  wrote:
>
> Hello JuanJo,
>
>> I'm(back) working on openvpn/ipv6 endpoint support, aka udp6/tcp6,
>> please refer to README.ipv6[1] and TODO.ipv6[2] for more details.
>>
>> All snapshots are unittested for correct {udp,tcp}v{4,6} operation
>> under GNU/Linux and win32 (the latter x-compiled under the former ;).
>
> Thank you very much, your work is highly appreciated!

heh ... thanks :)

>
> I've updated my Ubuntu PPA repository of IPv6-enabled OpenVPN with your
> patch. It contains the Ubuntu Karmic 2.1~rc19-1ubuntu2 package patched
> for IPv6 transport, compiled for Karmic and Intrepid. The Intrepid
> version should work fine on Debian Lenny as well.

wohooo ... thanks a lot!, with you help this effort will be able
to reach ++people .

>
> You can find those packages on
> https://launchpad.net/~berni/+archive/ipv6/+packages .

Cool, I added this to README.ipv6.

> I have not
> observed any problems in my easy usecase (static Point-to-point tunnel
> over UDPv6), but no guarantees for anything.

heh... I sieve my changes thru a set of crude but effective unittests
for basic protocol xchg and conn establishment for {tcp,udp}x{4,6};
surprisingly nuff, both for ./openvpn and ./openvpn.exe :P

>
> Regards,
> Bernhard
>

Cheers,

-- 
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



[Openvpn-devel] [PATCH] openvpn over ipv6 support -v0.4.6

2009-09-25 Thread JuanJo Ciarlante
Hi,

I'm(back) working on openvpn/ipv6 endpoint support, aka udp6/tcp6,
please refer to README.ipv6[1] and TODO.ipv6[2] for more details.

All snapshots are unittested for correct {udp,tcp}v{4,6} operation
under GNU/Linux and win32 (the latter x-compiled under the former ;).

You can find my current git repo[3], available under GPLv2, plus
patches and complete tarballs in downloads/ area.

Enjoy! ... and please send feedback :)

[1] http://github.com/jjo/openvpn-ipv6/blob/master/README.ipv6
[2] http://github.com/jjo/openvpn-ipv6/blob/master/TODO.ipv6
[3] http://github.com/jjo/openvpn-ipv6

Cheers,
--
--JuanJo ; echo j...@gomosglep.com | sed 's/[SPAM]//g'



Re: [Openvpn-devel] OpenVPN 2.0.9 and 2.1-beta16 released

2006-10-01 Thread JuanJo Ciarlante
On Sun, Oct 01, 2006 at 07:02:10AM -0600, James Yonan wrote:
> 2006.10.01 -- Version 2.1-beta16

James ... I've migrated IPv6 support to latests betas (about 1mo ago),
I can rebase it if you are still interested; compared to previous
instance (@beta2.5) I've simplified it a lot, killed AF_UNIX &other
minorbits by now so as to minimize diff.

Regards

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] OpenVPN Protocol

2005-09-02 Thread JuanJo Ciarlante
On Fri, Sep 02, 2005 at 12:50:30PM +, Gervasio Bernal wrote:
> First of all, I will explain what we are trying to develop. Basically, our 
> idea 
> is to make OpenVPN works at kernel level, not at user level, and use the 
> linux 
> cryptoapi instead of openssl. We will not use de /dev/net/tun (that is user 
> level space) and will create some new interfaces (something like openvpn0, 
> openvpn1, etc.).

Obviously you mean to implement the actual traffic protection,
encapsulation, etc ... keeping the session mgmt and key exchange
at user level ('ala IPSec).

FYI: they are working on this project for their college thesis under my
 direction

> ...
>
> Gervasio Bernal, from Mendoza - Argentina
> Pedro Deis, from Mendoza - Argentina
> 

Regards ...

-- 
--Juanjo   OpenVPN udp6/tcp6 support (including MH for ipv4/ipv6)
   http://www.irrigacion.gov.ar/juanjo/openvpn/

#  Juan Jose Ciarlante (JuanJo PGP) jjo ;at; mendoza.gov.ar  #
#  Key fingerprint = 76 60 A5 76 FD D2 53 E3  50 C7 90 20 22 8C F1 2D#





Re: [Openvpn-devel] Status and Roadmap for IPv6 Support

2005-07-01 Thread JuanJo Ciarlante
On Thu, Jun 30, 2005 at 10:29:34AM +0200, Hartmut Goebel wrote:
> Hello,
> 
> Thanks for your answer.
> 
> >>1a) As far as I've found out, OpenVPN 2.0 supports forwarding IPv6 when
> >>using tun+tun-ipv6 or tap. But neither of the build-in commands (like
> >>route, ifconfig, server, push/pull) supprot IPv6-addresses or IPv6
> >>Name-lookup.
> >>
> >>Is this correct, or have I overlooked something?
> > 
> > 
> > That is correct for OpenVPN 1.6 and 2.0...  But JuanJo Ciarlante's IPv6 
> > patch against 2.0 adds IPv6 support in a much more substantial way.
> 
> I tested this patch but it seams to only target issues about forwarding
> IPv6 packets. OpenVPn options/commands like 'route' are anchanged and
> still not able to handle IPvp addresses. This is since
> openvpn_inet_aton() does only suppport dotted quads.
> 
> Or have I overlooked something?

Indeed my patch adds OpenVPN/IPv6 streams (udp6,tcp6) support , and nothing 
about
IPv6/OpenPVN links (albeit some ipv6-related infrastructure that could be used 
in
this respect in the future).

Regards..
-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



[Openvpn-devel] IPv6 support for OpenVPN 2.0 release (UDPv6, --udp6)

2005-04-29 Thread JuanJo Ciarlante
: local.addr, local.in, local.in6 ... etc

  - several function prototypes moved from
sockaddr_in to sockaddr args type
  - several new sockaddr functions needed to "generalize" AF_ operations:
addr_copy(), addr_zero(), ...etc
proto_is_udp(), proto_is_dgram(), proto_is_net()

* TODO: (D: Done, !: fundamental, w: wanted, n: nah ... not critical, ?: need 
more thought)
 --
  [D]-  ./configure [ --disable-ipv6 ] [ --enable-unix-sockets ] 
map to USE_PF_INET6 and USE_PF_UNIX
  [D]-  merge MH patch
 --
  [!]-  -p tcp6
  [!]-  Implement comparison for mapped addesses: server in dual stack listening
IPv6 must permit incoming streams from allowed IPv4 peer (ie without 
--float).
  [!]-  IPv6 with actual host resolution, currently only numerical 
(AI_NUMERICHOST)
  [n]-  call socket() lately, after getaddrinfo() to decide IPv4 or IPv6 host 
(hence socket()) instead of needing -p {udp|udp6}
NOT ACTUALLY a big trouble, given that you _do_ setup both sides
(keys, certs, etc), using udp or udp6 is actually _another_ setup bit.
  [?]-  integrate both IPv4 and IPv6 addr resolution with getaddrinfo instead of
venerable gethostbyname&friends, problem: horizontal portability (across
platforms) and vertical portab. (across versions)

--
JuanJo Ciarlante   jjo|at|mendoza.gov.ar
:  :
. Linux IP Aliasing author .
.   Modular algo (AES et all) support for FreeSWAN/OpenSWAN author .
:...   plus  other scattered free software bits in the wild ...:


Re: [Openvpn-devel] OpenVPN 2.0 released

2005-04-26 Thread JuanJo Ciarlante
On Mon, Apr 25, 2005 at 11:25:14AM -0600, James Yonan wrote:
> On Mon, 25 Apr 2005, JuanJo Ciarlante wrote:
> 
> > On Thu, Apr 21, 2005 at 06:27:03PM -0600, James Yonan wrote:
> > > I would like to merge your IPv6 patch into the 2.1 branch, once it gets 
> > > started (I'd like to keep the 2.0.x branch as stable as possible, with 
> > > minimalistic changes that don't go beyond bug fixes and small patches).
> > > 
> > > One potential speed bump will be in merging both IPv6 + the multihomed 
> > > patch which will definitely be going into 2.1:
> > > 
> > > http://openvpn.net/patch/openvpn-2.0_rc16MH.patch
> > > 
> > > Because both patches touch much of the same code, there will likely be a
> > > need for manual merging.
> > 
> > Ok ... indeed I tested "patch --dry ..." and shouted about 80% rejects.
> > I could merge both in my own CVS, but because it's a rather daunting task, 
> > I would like to be sure it's a productive one :-) ie. that it will have a
> > high chance to be merged , of course, if resulting patch quality qualifies.
> 
> The MH (multihomed) patch has a near 100% chance of being merged, since it
> is necessary for OpenVPN to operate properly as a multihomed server.  Here 
> is more info about it:
> 
> http://openvpn.net/archive/openvpn-users/2005-02/msg00640.html
> 
> The important thing in doing the merge is not so much to make the
> multihomed feature work with IPv6 (right away) as it is to do the correct 
> accounting and authentication of both source and destination address of 
> received packets (without this patch, OpenVPN does not keep track of 
> destination IP address of received packets when running in a multi-homed 
> context).

Ok
I've borrowed some sleep hours last night and ended having a consistent
merge, some polishing bits remain still (I'post as soon as I have it ready).

Nice to see same mechanism (w/ diff. goals) in MH and IPv6 patch: 
generalization of socket address type.
I've actually "moved upper" the pktinfo to the openvpn_sockaddr type:

  /*
   * Socket address generalised over address families: the union overlays one
   * member per supported family, and the packet-info field sits next to it
   * when ENABLE_IP_PKTINFO is set.
   * NOTE(review): presumably addr.sa_family tells which union member is
   * valid -- confirm at each use before reading in/in6/un.
   */
  struct openvpn_sockaddr {
union {
  struct sockaddr addr;         /* generic view of the address */
  struct sockaddr_in in;        /* IPv4 view */
  #ifdef USE_PF_INET6
  struct sockaddr_in6 in6;      /* IPv6 view, only in USE_PF_INET6 builds */
  #endif
  #ifdef USE_PF_UNIX
  struct sockaddr_un un;        /* unix-socket view, only in USE_PF_UNIX builds */
  #endif
} /* u */; /* use GCC anon union for now ... */
  #if ENABLE_IP_PKTINFO
struct in_pktinfo pi;           /* packet info kept alongside the address */
  #endif
  };

and corresponding link_socket_addr:
  struct link_socket_addr
  {
struct openvpn_sockaddr local;
struct openvpn_sockaddr remote;
struct openvpn_sockaddr actual;
  };

RATIONALE:
I think that moving ip_pktinfo to "main" openvpn_sockaddr struct allows
specifying output interface/etc even for client mode; so this
"generalization" is a good thing IMO.
There are new functions like addr_copy() , addr_zero() which replace
sin.sin_ ... assignments to cope w/different AFs.

That "GCC (and others cc's)  anon. union " usage is temporary there, 
as syntactic sugar:
  eg:   addr->in.sin_addr
  instead of:   addr->u.in.sin_addr
but it'll obviously be changed.

> I think it's a fairly high priority to get your IPv6 patch + MH + the 
> BETA2.0-THREAD branch in the CVS merged as a baseline for 2.1.  I don't 
> expect the BETA2.0-THREAD code to conflict either with the MH or IPv6 
> patches.

cool ... as soon as I stabilize the merge we could try to apply to THREAD
branch.

> I'd be glad to work with you on this, as I am also interested in 
> extending the IPv6 support to allow IPv6 tunnels over OpenVPN in 
> client/server mode (right now, IPv6 tunnels are only supported in 
> point-to-point mode).

wow thanks... nice.

> 
> Incidentally, does your IPv6 patch affect performance when it is inactive, 
> i.e. when IPv4 is being used?

Some memory extra to hold the ipv4+ipv6 af union above; and new code paths
are more or less:
  +   switch(addr.sa_family) {
  + case AF_INET:
   /* current code */
  + case AF_INET6:
  +/* ipv6 code */
  + }

So I think the performance impact it's quite negligible.

Anyway ... all IPv6 code is ifdef'd as  #ifdef USE_PF_INET6.

Regards!

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] OpenVPN 2.0 released

2005-04-25 Thread JuanJo Ciarlante
On Thu, Apr 21, 2005 at 06:27:03PM -0600, James Yonan wrote:
> I would like to merge your IPv6 patch into the 2.1 branch, once it gets 
> started (I'd like to keep the 2.0.x branch as stable as possible, with 
> minimalistic changes that don't go beyond bug fixes and small patches).
> 
> One potential speed bump will be in merging both IPv6 + the multihomed 
> patch which will definitely be going into 2.1:
> 
> http://openvpn.net/patch/openvpn-2.0_rc16MH.patch
> 
> Because both patches touch much of the same code, there will likely be a
> need for manual merging.

Ok ... indeed I tested "patch --dry ..." and shouted about 80% rejects.
I could merge both in my own CVS, but because it's a rather daunting task, 
I would like to be sure it's a productive one :-) ie. that it will have a
high chance to be merged , of course, if resulting patch quality qualifies.

Regards...

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



[Openvpn-devel] Re: UDPv6 support for OpenVPN

2005-04-21 Thread JuanJo Ciarlante
On Thu, Apr 21, 2005 at 12:41:03AM +0200, Bernhard Schmidt wrote:
> JuanJo Ciarlante schrieb:
> 
> >>I've been just trying the OpenVPN IPv6 transport patch you posted ...
> > I've finished 2.0 final port of my patch; I've tested under FreeBSD-5.3
> > (compilation and run OK).
> > 
> > Get from:
> >http://www.irrigacion.gov.ar/juanjo/openvpn/
> 
> Great, thanks ... Now it got just another problem :-)
> 
> When you do something with routes (--route for example, or
> --redirect-gateway) you get
> 
> Thu Apr 21 00:38:53 2005 OpenVPN 2.0 i386-unknown-freebsd5.3 [SSL]
> [PF_INET6] built on Apr 21 2005
> Thu Apr 21 00:38:53 2005 Static Encrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Thu Apr 21 00:38:53 2005 Static Encrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Thu Apr 21 00:38:53 2005 Static Decrypt: Cipher 'BF-CBC' initialized
> with 128 bit key
> Thu Apr 21 00:38:53 2005 Static Decrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Thu Apr 21 00:38:53 2005 Assertion failed at socket.c:1495
> Thu Apr 21 00:38:53 2005 Exiting
> 
> same on linux. Any idea? :-)

Yep .. redirect-default-gateway semantics (even if NOT used ) are triggering
this, please try attached patch 

Feedback very welcome!

Regards

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #
? .deps
? .gdb_history
? .socket.c.swp
? Makefile
? autom4te.cache
? config.h
? config.log
? config.status
? occ.d
? openvpn
? out.k
? stamp-h1
? tspc.log
Index: socket.c
===
RCS file: /home/jjo/cvs.juanjo/openvpn/openvpn-2/socket.c,v
retrieving revision 1.4.2.1
diff -u -r1.4.2.1 socket.c
--- socket.c19 Apr 2005 18:25:11 -  1.4.2.1
+++ socket.c21 Apr 2005 17:32:58 -
@@ -1492,7 +1492,20 @@
 {
   const struct link_socket_addr *lsa = info->lsa;

+/* 
+ * This logic supports "redirect-gateway" semantic, which 
+ * makes sense only for PF_INET routes over PF_INET endpoints
+ *
+ * Maybe in the future consider PF_INET6 endpoints also ...
+ * by now just ignore it
+ *
+ */
+#if defined ( USE_PF_INET6 ) || defined ( USE_PF_UNIX )
+  if(lsa->actual.addr.sa_family != AF_INET)
+ return 0;
+#else
   ASSERT(lsa->actual.addr.sa_family == AF_INET);
+#endif
   if (addr_defined (&lsa->actual.addr))
 return ntohl (lsa->actual.in.sin_addr.s_addr);
   else if (addr_defined (&lsa->remote.addr))
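Review bot: The early return added under `USE_PF_INET6`/`USE_PF_UNIX` hands back 0 for any non-IPv4 endpoint, and nothing at the return says that 0 means "no usable address", so the contract should be stated there: `return 0; /* no IPv4 remote: callers must treat 0 as "unavailable" */`. The thread says this path runs even when redirect-gateway is not configured, so logging here would be noisy; the place to warn is wherever `--redirect-gateway` is actually applied, since silently skipping the route change would presumably leave traffic on the default route that the user expects inside the tunnel (that caller is not visible in this hunk). Note too that only `lsa->actual` is tested, so an `actual` whose family is still unset returns 0 before the `lsa->remote` branch below is reached. Style: `if(` should be `if (` to match the surrounding code. The function starts and ends outside the hunk.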
Index: socket.h
===
RCS file: /home/jjo/cvs.juanjo/openvpn/openvpn-2/socket.h,v
retrieving revision 1.4.2.1
diff -u -r1.4.2.1 socket.h
--- socket.h19 Apr 2005 18:25:11 -  1.4.2.1
+++ socket.h21 Apr 2005 17:32:58 -
@@ -84,7 +84,9 @@
 union sockaddr_ovpn {
struct sockaddr addr;
struct sockaddr_in in;
+#ifdef USE_PF_INET6
struct sockaddr_in6 in6;
+#endif
 #ifdef USE_PF_UNIX
struct sockaddr_un un;
 #endif
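Review bot: With `in6` now compiled only under `USE_PF_INET6`, the union's members and size depend on build options, and nothing in the declaration says which member is valid at a given time; a comment above the union would help, e.g. `/* active member is selected by addr.sa_family; in6 and un exist only with USE_PF_INET6 / USE_PF_UNIX */`. Code that reads `.in` or `.in6` should check `addr.sa_family` first, as the socket.c hunk in this patch now does for `.in`. Tagging the closing directive as `#endif /* USE_PF_INET6 */` would keep the two adjacent conditional members easy to tell apart. The union's closing brace is outside the hunk.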


Re: [Openvpn-devel] OpenVPN 2.0 released

2005-04-20 Thread JuanJo Ciarlante
On Wed, Apr 20, 2005 at 11:28:18AM -0600, James Yonan wrote:
> 
> On Wed, 20 Apr 2005, JuanJo Ciarlante wrote:
> 
> > On Sun, Apr 17, 2005 at 10:35:36PM -0600, James Yonan wrote:
> > > I'm happy to announce that OpenVPN 2.0 has been released!
> > > 
> > > http://openvpn.net/download.html
> > > 
> > > Thanks to all who have supported the project with donations, developing
> > > code, writing articles, and helping to support people on the mailing
> > > lists.
> > > 
> > > I'm going to sit back now, relax, maybe try to get my server slashdotted, 
> > > and I'll try not to think too much about OpenVPN 3.0 until the middle of 
> > > the week :)
> > 
> > Congratulations for the great work!, openvpn-2 rocks.
> > 
> > BTW I've finished my UDPv6 "port" for openvpn-2.0-final, I'll announce the 
> > details
> > ASAP.
> 
> Excellent -- I'm glad you've been keeping the patch in sync.

Yep; fortunately there are several ppl using it, they feedback'd several fixes 
(the
latest one related to FreeBSD compilation and semantics).

Regards

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] OpenVPN 2.0 released

2005-04-20 Thread JuanJo Ciarlante
On Sun, Apr 17, 2005 at 10:35:36PM -0600, James Yonan wrote:
> I'm happy to announce that OpenVPN 2.0 has been released!
> 
> http://openvpn.net/download.html
> 
> Thanks to all who have supported the project with donations, developing
> code, writing articles, and helping to support people on the mailing
> lists.
> 
> I'm going to sit back now, relax, maybe try to get my server slashdotted, 
> and I'll try not to think too much about OpenVPN 3.0 until the middle of 
> the week :)

Congratulations for the great work!, openvpn-2 rocks.

BTW I've finished my UDPv6 "port" for openvpn-2.0-final, I'll announce the 
details
ASAP.

Regards

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] [PATCH] UDPv6 support (UDP/IPv6)

2004-09-25 Thread JuanJo Ciarlante
On Fri, Sep 24, 2004 at 05:09:28PM -0300, JuanJo Ciarlante wrote:
> 
> I've finished ./configure [ --disable-ipv6] [ --enable-unix-sockets ];
> tested compilation for the 4 combinations, and testbed runs too.
> Expect new patch for tomorrow

Done.

CHANGES.IPv6 excerpt:

* v0.2.2
  - IPv6, unix-socket support selectable at configure-time (all 4 combinations 
tested)
./configure --disable-ipv6(enabled by default)
./configure --enable-unix-sockets (disabled by default)
(internal) USE_PF_INET6, USE_PF_UNIX from autoconf
  - Change PROTO_x from #define to enum, to allow easier/cleaner support for
optional protocols
  - Added IPV6__HEADER_SIZE

Available (GPL) at
  http://www.irrigacion.gov.ar/juanjo/openvpn/

Regards ..

--
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] [PATCH] UDPv6 support (UDP/IPv6)

2004-09-24 Thread JuanJo Ciarlante
On Fri, Sep 24, 2004 at 02:01:46PM -0600, James Yonan wrote:
> 
> 
> On Fri, 24 Sep 2004, JuanJo Ciarlante wrote:
> 
> > On Fri, Sep 24, 2004 at 10:39:59AM +0200, Matthias Andree wrote:
> > > On Fri, 24 Sep 2004, JuanJo Ciarlante wrote:
> > > 
> > > > This README covers UDP/IPv6 ( --udp6 ) support for openvpn-2.0_beta11
> > > > Also, with address family "generalization" changes came local AF_UNIX 
> > > > socket
> > > > support.
> > > 
> > > Is there a use for AF_UNIX in a VPN driver?
> > 
> > It stated in README file.. it allows the creation of local specialized
> > proxys that can  take full advantage of POSIX fileystem perm. semantics.
> > 
> > Currently I;'m working on a Jabber one 8))
> > regards...
> 
> I must say that the thought of running a VPN over Jabber is deliciously 
> subversive :)

yeahhh

> But I cringe when I think of the potential complexification in the sockets 
> code.
> 
> We are already moving in the direction of having lots of transport layer
> options (i.e. TCP, UDP, IPv4, IPv6, HTTP, Socks).  Now we're talking about
> local unix sockets and Jabber!  Maybe it's time to formally codify a
> transport layer driver model, i.e. a pluggable architecture.

Totally agreed; in fact my first thought was to try to abstract the proxy code
paths, but I left that for now because of the impact.

My patch has a lot of work in this direction (functions like
proto_is_dgram... addr_copy, etc ); you know, my first approach was to think of
AF_UNIX as http/socks, but later I concluded that if we DON'T require openvpn
to specify the destination to the proxy entity, it's not a proxy, it's a (tunneled)
peer; in the Jabber case, this could be an _already_ connected, _already_
configured destination JID not even known to openvpn ... for openvpn it's
just another channel (socket).

Indeed, AF_INET, AF_INET6 and AF_UNIX are mostly "siblings" from the
connection point of view.


> Then people
> can add new drivers to their heart's content, while OpenVPN itself will
> conveniently interact with a generalized abstraction of the model.

Count on me for that ... hope I can resist the temptation 8)))

Regards
-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] [PATCH] UDPv6 support (UDP/IPv6)

2004-09-24 Thread JuanJo Ciarlante
On Fri, Sep 24, 2004 at 01:50:07PM -0600, James Yonan wrote:
> Juanjo,
> 
> Great work on the IPv6 support!

Thanks, Jim ...

> I see there are still a few TODO items,

Indeed, some of them may require code flow changes, mainly because
DNS may return A or AAAA records; iff we _require_ specifying --udp|--udp6
(which I think is wise, given you DO know/coordinate your peer's setup), these
"ambiguities" disappear.

> and of course the OpenVPN project itself is in the transition zone between
> the end of the 2.0 beta series and the start of 2.0 release candidates, so
> I think it would make sense to hold off on merging your contribution until
> after 2.0 final is released.

Agreed.

I've finished ./configure [ --disable-ipv6] [ --enable-unix-sockets ];
tested compilation for the 4 combinations, and testbed runs too.
Expect new patch for tomorrow

Regards..

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] [PATCH] UDPv6 support (UDP/IPv6)

2004-09-24 Thread JuanJo Ciarlante
On Fri, Sep 24, 2004 at 09:24:39AM -0300, JuanJo Ciarlante wrote:
> On Fri, Sep 24, 2004 at 10:39:59AM +0200, Matthias Andree wrote:
> > Is there a use for AF_UNIX in a VPN driver?
> 
> It stated in README file.. it allows the creation of local specialized
> proxys that can  take full advantage of POSIX fileystem perm. semantics.

As a clarification, AF_UNIX gets autoconf'd on sys/un.h presence (every
AF_UNIX src section is #ifdef'd HAVE_SYS_UN_H) , but I'll make it selectable at
configure time.

For IPV6 code, I followed Itojun's guidelines (RFC); it _should_
compile and work on all platforms [last famous words]; I'll truly
appreciate feedback on this.


Regards...
-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



Re: [Openvpn-devel] [PATCH] UDPv6 support (UDP/IPv6)

2004-09-24 Thread JuanJo Ciarlante
On Fri, Sep 24, 2004 at 10:39:59AM +0200, Matthias Andree wrote:
> On Fri, 24 Sep 2004, JuanJo Ciarlante wrote:
> 
> > This README covers UDP/IPv6 ( --udp6 ) support for openvpn-2.0_beta11
> > Also, with address family "generalization" changes came local AF_UNIX socket
> > support.
> 
> Is there a use for AF_UNIX in a VPN driver?

It's stated in the README file: it allows the creation of local specialized
proxies that can take full advantage of POSIX filesystem permission semantics.

Currently I'm working on a Jabber one 8))
regards...

-- 
--Juanjo

#  Juan Jose Ciarlante (JuanJo) jjo ;at; mendoza.gov.ar #
#  GnuPG Public Key: gpg --keyserver wwwkeys.eu.pgp.net --recv-key 66727177 #
#   Key fingerprint: 0D2F 3E5D 8B5C 729E 0560  F453 A3F7 E249 6672 7177 #



[Openvpn-devel] [PATCH] UDPv6 support (UDP/IPv6)

2004-09-23 Thread JuanJo Ciarlante
 /tmp/o2.s
peer2# openvpn --proto unix-dgram --local /tmp/o2.s --remote /tmp/o1.s
  :
  Wed Sep 22 12:49:03 2004 Peer Connection Initiated with [AF_UNIX]/tmp/o1.s
  :


* Main code changes summary:
  - New sockaddr type (could have been sockaddr_storage but
it lacks simple type overloading and maybe portability)
/*
 * One socket address, readable through several overlaid views
 * (local.addr, local.in, local.in6, ...).
 * NOTE(review): which view is valid is presumably given by addr.sa_family;
 * check it before reading in/in6/un.
 */
union sockaddr_ovpn {
struct sockaddr addr;      /* generic view */
struct sockaddr_in in;     /* IPv4 view */
struct sockaddr_in6 in6;   /* IPv6 view */
#ifdef HAVE_SYS_UN_H
struct sockaddr_un un;     /* unix-socket view, only when <sys/un.h> is available */
#endif
};

typedef union sockaddr_ovpn sockaddr_ovpn_t;
/* The three addresses kept per link socket, each in the overlaid form above. */
struct link_socket_addr
{
sockaddr_ovpn_t local;
sockaddr_ovpn_t remote;
sockaddr_ovpn_t actual;
};

... leads to simple type overloading: local.addr
local.in, local.in6 ... etc

  - several function prototypes moved from
sockaddr_in to sockaddr args type
  - several new sockaddr functions:
addr_copy(), addr_zero(), ...etc
proto_is_udp(), proto_is_dgram(), proto_is_net()

* TODO:
  - call socket() lately, after getaddrinfo() to decide IPv4 or IPv6 host 
(hence socket()) instead of needing -p {udp|udp6}
Not actually a big trouble, given that you _do_ setup both sides
(keys, certs, etc), using udp or udp6 is actually another setup bit.
  - Implement comparison for mapped addresses: a dual-stack server listening on
IPv6 must permit incoming streams from an allowed IPv4 peer (i.e. without
--float).
  - IPv6 with actual host resolution, currently only numerical (AI_NUMERICHOST)
  - integrate both IPv4 and IPv6 addr resolution with getaddrinfo instead of
venerable gethostbyname&friends, problem: portability across platforms, 
across libc versions? (dunno).

--
JuanJo Ciarlante   jjo|at|mendoza.gov.ar
:  :
. Linux IP Aliasing author .
.   Modular algo (AES et all) support for FreeSWAN/OpenSWAN author .
:...   plus  other scattered free software bits in the wild ...:


openvpn-2.0_beta11-udp6-jjo-v0.2.1.patch.gz
Description: application/gunzip