From patchwork Wed Oct 9 03:34:20 2019
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 854
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 9 Oct 2019 16:34:20 +0200
Message-Id: <20191009143422.9419-8-a@unstable.cc>
In-Reply-To: <20191009143422.9419-1-a@unstable.cc>
References: <20191009143422.9419-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 7/9] VLAN: allow forwarding tagged and untagged packets on the server TAP device
Cc: Antonio Quartulli

This change allows the user to configure the server TAP interface to forward both VLAN tagged and untagged packets (i.e. vlan_accept == VLAN_ALL). Untagged packets are marked with the VID configured in the server configuration file, while tagged packets will keep their header as it is.

Forwarding is then performed following the standard rules, while ensuring that packets do not leave the VLAN they belong to.

Signed-off-by: Fabian Knittel
Signed-off-by: Antonio Quartulli Acked-by: Gert Doering --- src/openvpn/options.c | 12 +++++++++--- src/openvpn/options.h | 1 + src/openvpn/vlan.c | 17 +++++++++++++++++ 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 5be6a6a8..3bcb9063 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -406,7 +406,7 @@ static const char usage_message[] = " to its initialization function.\n" #endif "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n" - "--vlan-accept tagged|untagged : Set VLAN tagging mode.\n" + "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n" "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n" #if P2MP #if P2MP_SERVER @@ -853,7 +853,7 @@ init_options(struct options *o, const bool init_gc) o->route_method = ROUTE_METHOD_ADAPTIVE; o->block_outside_dns = false; #endif - o->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY; + o->vlan_accept = VLAN_ALL; o->vlan_pvid = 1; #if P2MP_SERVER o->real_hash_size = 256; @@ -1239,6 +1239,8 @@ print_vlan_accept(enum vlan_acceptable_frames mode) return "tagged"; case VLAN_ONLY_UNTAGGED_OR_PRIORITY: return "untagged"; + case VLAN_ALL: + return "all"; } return NULL; } @@ -8418,9 +8420,13 @@ add_option(struct options *options, { options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY; } + else if (streq(p[1], "all")) + { + options->vlan_accept = VLAN_ALL; + } else { - msg(msglevel, "--vlan-accept must be 'tagged', 'untagged'"); + msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'"); goto err; } } diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 3447b7e2..6f5e1f53 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -173,6 +173,7 @@ enum vlan_acceptable_frames { VLAN_ONLY_TAGGED, VLAN_ONLY_UNTAGGED_OR_PRIORITY, + VLAN_ALL, }; struct remote_host_store diff --git a/src/openvpn/vlan.c b/src/openvpn/vlan.c index 88c90574..a5885de2 100644 --- a/src/openvpn/vlan.c 
+++ b/src/openvpn/vlan.c @@ -74,6 +74,10 @@ vlanhdr_set_vid(struct openvpn_8021qhdr *hdr, const uint16_t vid) * returned. Any included priority information is lost. * If a frame isn't VLAN-tagged, the frame is dropped. * + * For vlan_accept == VLAN_ALL: + * Accepts both VLAN-tagged and untagged (or priority-tagged) frames and + * and handles them as described above. + * * @param c The global context. * @param buf The ethernet frame. * @return Returns -1 if the frame is dropped or the VID if it is accepted. @@ -133,6 +137,7 @@ vlan_decapsulate(const struct context *c, struct buffer *buf) /* vid == 0 means prio-tagged packet: don't drop and fall-through */ case VLAN_ONLY_TAGGED: + case VLAN_ALL: /* tagged frame can be accepted: extract vid and strip encapsulation */ /* in case of prio-tagged frame (vid == 0), assume the sender @@ -310,6 +315,18 @@ vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi) mi->context.c2.to_tun.len = 0; } } + else if (m->top.options.vlan_accept == VLAN_ALL) + { + /* Packets either need to be VLAN-tagged or not, depending on the + * packet's originating VID and the port's native VID (PVID). */ + + if (m->top.options.vlan_pvid != mi->context.options.vlan_pvid) + { + /* Packets need to be VLAN-tagged, because the packet's VID does not + * match the port's PVID. */ + vlan_encapsulate(&mi->context, &mi->context.c2.to_tun); + } + } else if (m->top.options.vlan_accept == VLAN_ONLY_TAGGED) { /* All packets on the port (the tap device) need to be VLAN-tagged. */
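Review bot: the default change in the init_options() hunk (`- o->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;` / `+ o->vlan_accept = VLAN_ALL;`) is a behaviour change for every existing configuration that enables --vlan-tagging without an explicit --vlan-accept: the server TAP device will now accept and emit tagged frames as well as untagged ones. The diffstat lists only options.c, options.h and vlan.c, so the manual page entry for --vlan-accept and its default is not touched by this patch; please add that documentation (or state in the commit message where in the series it lands) so the new default is recorded somewhere other than the usage text, which already says "Default is 'all'".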
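Review bot: typo in the doc comment added at the top of vlan.c in the first vlan.c hunk: "Accepts both VLAN-tagged and untagged (or priority-tagged) frames and / and handles them as described above" repeats "and" across the line break; drop one of them.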
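Review bot: the `+ case VLAN_ALL:` added in the vlan_decapsulate() hunk only extends the tagged-frame branch of the switch (it falls through together with VLAN_ONLY_TAGGED into "extract vid and strip encapsulation"). The commit message says that in VLAN_ALL mode untagged frames are marked with the VID from the server configuration, but no change to the untagged or priority-tagged branch appears anywhere in this diff. Please confirm that the existing untagged handling already applies to the new mode, or add the corresponding case, since as visible here vlan_accept == VLAN_ALL is only matched for tagged frames.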
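Review bot: in the new `else if (m->top.options.vlan_accept == VLAN_ALL)` block of the vlan_process_outgoing_tun() hunk, the comment says tagging depends on "the packet's originating VID", but the condition compares two configured values, the server's PVID (m->top.options.vlan_pvid) against the client instance's PVID (mi->context.options.vlan_pvid), not a VID read from the frame. That is fine if every frame leaving a client instance is known to carry that instance's PVID, but the comment should say so explicitly, because this single equality check is what decides whether a frame is written to the TAP device untagged, i.e. placed in the server's native VLAN. A one-line comment on the implicit else path would also help: when the PVIDs are equal the frame is deliberately left untagged, which is the intended behaviour but is only implied by the absence of a call to vlan_encapsulate().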