From patchwork Sun Dec 30 00:29:00 2018
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 653
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: antonio@openvpn.net, Robin Tarsiger
Date: Sun, 30 Dec 2018 21:29:00 +1000
Message-Id: <20181230112901.29241-4-a@unstable.cc>
In-Reply-To: <20181230112901.29241-1-a@unstable.cc>
References: <20181230112901.29241-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 3/4] options: add support for --transport-plugin

From: Robin Tarsiger

Add a new config option to allow the user to specify a transport plugin
implementing the new API. This plugin can be used to manipulate traffic
in any way, as designed by the plugin developer. The fundamental
advantage of this plugin is that the core codebase does not need to know
anything about its implementation, as soon as it implements the
transport API properly.

A plugin specified with --transport-plugin must be already loaded via
--plugin. --transport-plugin is a per-connection-block option and
specifies which plugin to use for this particular connection. It can
take additional arguments, if required by the specific plugin.

The manpage has been extended accordingly.
Signed-off-by: Robin Tarsiger [antonio@openvpn.net: refactored commits, restyled code] --- doc/openvpn.8 | 40 ++++++++++++++++++++++++++++++++++++++++ src/openvpn/init.c | 1 + src/openvpn/options.c | 31 +++++++++++++++++++++++++++++++ src/openvpn/options.h | 1 + src/openvpn/socket.c | 2 ++ src/openvpn/socket.h | 1 + 6 files changed, 76 insertions(+) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 7abcaf1e..9325dabd 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -2847,6 +2847,46 @@ every module and script must return success (0) in order for the connection to be authenticated. .\"********************************************************* .TP +.B \-\-transport-plugin module-pathname [connection-args] +Use the loaded plugin module identified by +.B module-pathname +to provide a transport layer for the connection. The +.B module-pathname +must be exactly equivalent to a pathname supplied to a +.B \-\-plugin +option. The same transport plugin may be used for +multiple connections, in which case the +.B \-\-plugin +option which loads it should only occur once. However, +only one transport plugin may be specified per +connection. + +If +.B connection-args +are present, these arguments are passed to the transport +plugin when establishing this connection specifically; this +is distinct from any per-plugin arguments which may have +been specified using the +.B \-\-plugin +option. Documentation for possible +.B connection-args +may be provided along with the plugin in use. + +When a transport plugin is in use, the +.B \-\-proto +option should not normally be used and will usually result in +an error, as the transport plugin takes over from the native +transport protocol that would otherwise be specified. The +rest of OpenVPN will operate in a manner similar to that of +UDP mode, using the pseudo-protocol "indirect". There is one +remaining rare use for +.B \-\-proto +in this case, which is to force a specific address family for +transport plugins for which this is still meaningful. This can +be done by specifying "indirect4" or "indirect6" as the +protocol. +.\"********************************************************* +.TP .B \-\-keying\-material\-exporter label len Save Exported Keying Material [RFC5705] of len bytes (must be between 16 and 4095 bytes) using label in environment diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 560d87db..9f7b5fdd 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -3335,6 +3335,7 @@ do_init_socket_1(struct context *c, const int mode) &c->c1.link_socket_addr, c->options.ipchange, c->plugins, + c->options.ce.transport_plugin_argv, c->options.resolve_retry_seconds, c->options.ce.mtu_discover_type, c->options.rcvbuf, diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0cf8db76..7e905532 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -403,6 +403,9 @@ static const char usage_message[] = #ifdef ENABLE_PLUGIN "--plugin m [str]: Load plug-in module m passing str as an argument\n" " to its initialization function.\n" + "--transport-plugin m [args]: Use plug-in module m to provide the transport\n" + " layer, with optional per-connection args. The\n" + " module must already be loaded with --plugin.\n" #endif #if P2MP #if P2MP_SERVER @@ -2005,6 +2008,22 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); } +#ifdef ENABLE_PLUGIN + /* + * "proto indirect" may not be specified directly without a + * transport-plugin, and vice versa. + */ + if (ce->proto == PROTO_INDIRECT && !ce->transport_plugin_argv) + { + msg(M_USAGE, "--proto indirect may not be used without a transport-plugin line"); + } + + if (ce->transport_plugin_argv && ce->proto != PROTO_INDIRECT) + { + msg(M_USAGE, "--transport-plugin must be used with --proto indirect"); + } +#endif + /* * Sanity check on daemon/inetd modes */ 
@@ -5190,6 +5209,18 @@ add_option(struct options *options, goto err; } } + else if (streq(p[0], "transport-plugin") && p[1]) + { + VERIFY_PERMISSION(OPT_P_PLUGIN|OPT_P_CONNECTION); + + /* p[1] is the shared object name, which becomes + * argv[0]. p[2..] are connection-specific transport + * parameters, which become argv[1..]. + */ + options->ce.transport_plugin_argv = make_extended_arg_array(&p[1], + &options->gc); + options->ce.proto = PROTO_INDIRECT; + } #endif else if (streq(p[0], "mode") && p[1] && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index e2b38939..c2d0e9ac 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -85,6 +85,7 @@ struct options_pre_pull struct connection_entry { + const char **transport_plugin_argv; int proto; sa_family_t af; const char *local_port; diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index b548ab7a..e8f790ea 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1916,6 +1916,7 @@ link_socket_init_phase1(struct link_socket *sock, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, + const char **transport_plugin_argv, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, @@ -1955,6 +1956,7 @@ link_socket_init_phase1(struct link_socket *sock, sock->info.bind_ipv6_only = bind_ipv6_only; sock->info.ipchange_command = ipchange_command; sock->info.plugins = plugins; + sock->info.transport_plugin_argv = transport_plugin_argv; sock->server_poll_timeout = server_poll_timeout; sock->mode = mode; diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 73a4ab6f..eb0b2a73 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -327,6 +327,7 @@ link_socket_init_phase1(struct link_socket *sock, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, + const char **transport_plugin_argv, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf,
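Review bot: in the doc/openvpn.8 hunk, the closing paragraph tells users they may pass "indirect4" or "indirect6" to --proto, and that --proto with a transport plugin "will usually result in an error", but nothing in this patch teaches the option parser those protocol names, and the only behaviour actually implemented is the pair of M_USAGE checks in options.c. If that parsing lands in another patch of the series, the commit message should say so; otherwise the manpage documents behaviour the tree does not have at this commit. The sentence "must be exactly equivalent to a pathname supplied to a --plugin option" likewise promises a check that this patch does not perform.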
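Review bot: the options_postprocess_verify_ce hunk only checks the proto/transport_plugin_argv pairing and never verifies that transport_plugin_argv[0] names a module actually loaded via --plugin, which the manpage text in this same patch states as a hard requirement; consider looking the pathname up in the loaded plugin list here and failing with M_USAGE when it is absent, so a mistyped pathname is rejected at config-parse time rather than surfacing later at connection setup. The second message, "--transport-plugin must be used with --proto indirect", also contradicts the manpage, which says --proto should not normally be given at all; wording such as "--transport-plugin cannot be combined with --proto" would match the documented intent.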
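Review bot: in the add_option hunk, `options->ce.proto = PROTO_INDIRECT;` silently overwrites whatever --proto set earlier in the same connection block, so `--proto tcp-client` followed by `--transport-plugin ...` parses cleanly while the reverse order is rejected by the new verify_ce check; the outcome is order-dependent. Either record that --proto was given explicitly and reject the conflict in options_postprocess_verify_ce regardless of order, or leave ce.proto untouched here and derive PROTO_INDIRECT during post-processing whenever transport_plugin_argv is non-NULL.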
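Review bot: in the options.h hunk, transport_plugin_argv is added to struct connection_entry unconditionally while every reader and writer of it in this patch sits under #ifdef ENABLE_PLUGIN; that is harmless, but a one-line comment on the field (argv[0] is the plugin pathname as passed to --plugin, argv[1..] are the per-connection args, NULL when no transport plugin is configured) would spare readers the trip to add_option, since that NULL-ness is exactly what the verify_ce checks key on.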
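Review bot: in the second src/openvpn/socket.c hunk, `sock->info.transport_plugin_argv = transport_plugin_argv;` stores into a member of struct link_socket_info that no hunk in this patch adds (the socket.h hunk only extends the link_socket_init_phase1 prototype); if an earlier patch in the series introduces that member, the commit message should state the dependency, otherwise the series does not build bisectably at this commit. It would also help to say where the stored argv is consumed, since nothing in this patch reads it back.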