| Message ID | 20250324182735.12657-1-gert@greenie.muc.de |
|---|---|
| State | Accepted |
| Headers | From: Gert Doering <gert@greenie.muc.de>; To: openvpn-devel@lists.sourceforge.net; Date: Mon, 24 Mar 2025 19:27:26 +0100; Subject: [Openvpn-devel] [PATCH v1] Make 'lport 0' no longer sufficient to do '--bind'.; In-Reply-To: gerrit.1742829972000.I1976307a7643c82f31d55ca32c79cbe64b6fffc6@gerrit.openvpn.net; X-Mailer: git-send-email 2.45.2 |
| Series | [Openvpn-devel,v1] Make 'lport 0' no longer sufficient to do '--bind'. |
Commit Message
Gert Doering
March 24, 2025, 6:27 p.m. UTC
'lport <anything>' used to trigger 'do socket bind', which is not
useful in itself for the 'lport 0' case (port 0 -> OS assigns a
random port, as it is done for unbound sockets) unless also binding
to a particular local IP address ('--local 192.0.2.1').
The trigger for 'lport has been used, do socket bind' is
ce.local_port_defined -> change the code to test for "0", and
only set this for non-0 ports (NOTE: this is a string match,
so if you really really want the old "lport 0" behaviour, using
"lport 00" still does that...).
The ce.local_port value is still set, so '--lport 0' together
with '--local 192.0.2.1' will give you a random port number
bound to that IP address - without 'lport 0' it would default
to 1194 or the value of '--port' (if not using '--rport').
Summary: socket bind is now only done if one of these is set
- --port <port> with <port> not "0"
- --bind (default on the client is "--nobind")
- --local <address>
Change-Id: I1976307a7643c82f31d55ca32c79cbe64b6fffc6
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/916
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>
Comments
Tested this with various combinations of --port, --bind, --lport,
--local <v4|v6>, etc. - a fascinating world of interesting effects.
I've fixed a small oversight in the commit message - the line needs to
read
Summary: socket bind is now only done if one of these is set
- --lport <port> with <port> not "0"
(with "--lport", as "--port" never leads to an automatic bind)
Also added a reference to GH schwabe/ics-openvpn#1794 where half the
problems go away if "lport 0" is removed from the config - which, in
these cases, translates to "is not enabling --bind" (the real issue
is "any" bind AF vs. getaddrinfo(), but not binding at all helps).
Patch has been applied to the master branch.
commit c91948a0e03f0ad03e7fdde59ed9fce87ba00885
Author: Gert Doering
Date: Mon Mar 24 19:27:26 2025 +0100
Make 'lport 0' no longer sufficient to do '--bind'.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250324182735.12657-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
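The bind decision the commit message and the follow-up comment describe (bind only for a non-"0" --lport, for --bind, or for --local), together with what "port 0" actually does at the socket level, as an added example. This is not OpenVPN code: the helpers lport_triggers_bind(), should_bind() and bind_random_port() are hypothetical stand-ins for the ce.local_port_defined logic in the patch, and the test cases are constructed here.

```c
/* Added example, not part of the OpenVPN source: models the bind decision from the
 * patch and shows what bind() to port 0 buys you (an OS-assigned ephemeral port). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for the patched '--lport' handling: a literal string
 * compare, so "0" does not trigger bind, but "00" (or any other spelling) still does. */
bool lport_triggers_bind(const char *lport)
{
    return lport != NULL && strcmp(lport, "0") != 0;
}

/* Bind decision per the corrected summary in the author's comment:
 * bind if --lport is set to something other than "0", or --bind, or --local. */
bool should_bind(const char *lport, bool bind_opt, const char *local_addr)
{
    return lport_triggers_bind(lport) || bind_opt || local_addr != NULL;
}

/* Bind a UDP socket to local_addr:0 and return the port the OS assigned,
 * which is exactly the "lport 0 together with --local" case. Returns -1 on error. */
int bind_random_port(const char *local_addr)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        return -1;
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);                       /* 0 = let the kernel pick */
    if (inet_pton(AF_INET, local_addr, &sa.sin_addr) != 1
        || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return ntohs(sa.sin_port);
}

int main(void)
{
    /* Constructed option combinations, mirroring the commit message's summary. */
    struct { const char *lport; bool bind_opt; const char *local; } cases[] = {
        { "0",    false, NULL },         /* new behaviour: no bind at all (client default --nobind) */
        { "0",    false, "127.0.0.1" },  /* bind to 127.0.0.1 with an OS-chosen port */
        { "00",   false, NULL },         /* string match: "00" still triggers bind */
        { "1194", false, NULL },         /* explicit non-zero port: bind */
        { NULL,   true,  NULL },         /* --bind alone: bind */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("lport=%-5s bind=%d local=%-10s -> bind: %s\n",
               cases[i].lport ? cases[i].lport : "-", cases[i].bind_opt,
               cases[i].local ? cases[i].local : "-",
               should_bind(cases[i].lport, cases[i].bind_opt, cases[i].local) ? "yes" : "no");
    }
    int port = bind_random_port("127.0.0.1");
    printf("bind(127.0.0.1:0) -> OS assigned port %d\n", port);
    return 0;
}
```

The string compare is deliberate here to reproduce the caveat from the commit message: only the literal "0" is special, so "00" behaves like the old "lport 0" and forces a bind to a random port with no --local.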
diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index d48021e..287473e 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -122,7 +122,9 @@ --lport port Set default TCP/UDP port number. Cannot be used together with - ``--nobind`` option. + ``--nobind`` option. A port number of ``0`` is only honoured to + achieve "bind() to a random assigned port number" if a bind-to IP + address is specified with ``--local``. --mark value Mark encrypted packets being sent with ``value``. The mark value can be diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ab56609..99dd60a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6710,7 +6710,12 @@ else if (streq(p[0], "lport") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); - options->ce.local_port_defined = true; + + /* only trigger bind() if port is not 0 (or --local is used) */ + if (!streq(p[1], "0")) + { + options->ce.local_port_defined = true; + } options->ce.local_port = p[1]; } else if (streq(p[0], "rport") && p[1] && !p[2])
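Review bot: The added link-options.rst sentence covers only the --local case and leaves the reader to guess what a bare ``--lport 0`` does now; per the commit message's summary, on a client with the default ``--nobind`` it results in no bind at all, while ``--bind`` or ``--local <address>`` still binds the socket to an OS-assigned port. Suggest stating that explicitly, e.g. "With ``--lport 0`` and neither ``--bind`` nor ``--local``, the socket is not bound; with either of them it is bound to an OS-assigned port." A one-line note that only the literal value ``0`` is special (the commit message points out that ``00`` still triggers the old behaviour) would also save users a surprise, and the existing "Cannot be used together with ``--nobind``" sentence should say whether that restriction still applies to the ``0`` case.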
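Review bot: In the options.c hunk, ``!streq(p[1], "0")`` is a textual check, so "00", "+0" or any spelling of zero other than the single digit still sets ``local_port_defined`` and triggers bind; the commit message acknowledges this for "00". If the intent is numeric zero, compare the numeric value (e.g. via ``atoi(p[1]) != 0``) or extend the in-code comment to say the match is on the literal string. Also, since ``options->ce.local_port`` is still assigned "0" while ``local_port_defined`` stays false, please confirm that any later logic keyed on ``local_port_defined`` (the ``--nobind`` conflict the manual page mentions, or falling back to ``--port`` for the local port) does not now silently treat an explicit ``--lport 0`` as "no --lport given".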