[Openvpn-devel,0/9] Various patches to improve DCO behaviour

Message ID 20221224194253.3202231-1-arne@rfc2549.org
Series Various patches to improve DCO behaviour

Message

Arne Schwabe Dec. 24, 2022, 7:42 p.m. UTC
This is a list of various patches that improve certain corner cases of DCO
behaviour. The remaining issues seem to be in the ovpn-dco module
and need to be fixed there first. Remaining issues in ovpn-dco:

- if there are a lot of events, recvfrom on the netlink socket will give
  an ENOMEM. Using Control-S and Control-Q to temporarily pause the OpenVPN
  daemon is a reliable way for me to trigger it.

- OpenVPN TCP sessions that are gone, especially when doing a TCP reset, are
  not notified to user space

- With UDP, bombarding the server already when starting up gives me a hard
  freeze

- Unloading ovpn-dco sometimes does not work. Getting 'In use by xy' failures.

- Latest FreeBSD dco module seems to be very broken. Reverting latest commit
  fixes it.



Arne Schwabe (9):
  Rename TM_UNTRUSTED to TM_INITIAL
  Always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL

These two could be smashed into one commit, but two makes reviewing easier. They
clean up the state machine a bit and by doing so fix an obscure corner case
that would not work in p2p DCO.

  Move dco_installed back to link_socket from link_socket.info.actual

With the intention of moving back to using normal send/recv instead of using
netlink, the special handling of figuring out which peer address uses what
mechanism is no longer necessary. Instead of hunting the bug down, just always
use sendto when wanting to send something.

  Ensure we do not promote a TA_TIMEOUT to a TA_WRITE/TA_READ event with
    dco
Ensures that we do not go to a socket write/read on a DCO installed TCP
socket.

  Also drop incoming dco packet content when dropping the packet

Otherwise we would not clear the received packet and the DCO code
would refuse to put a new one there.

  Do not set nl socket buffer size
This does not change anything and is more cosmetic.

  Bail out when trying to install a TCP socket with residual data to DCO

This is something we could probably fix if we spent a lot more time and
only ever read as little as possible (i.e. read 2 bytes to know the next
packet length, and then read only the length of the next packet). But instead
of adding a lot of extra code, I would rather wait for the plans of ovpn-dco
and TCP and how the API evolves.

  Improve logging when seeing a message for an unknown peer
  Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions

This commit fixes a race condition that led to OpenVPN trying to add
a peer that already existed.

 src/openvpn/dco.c        |  23 +-------
 src/openvpn/dco_linux.c  |   3 --
 src/openvpn/forward.c    |  27 ++--------
 src/openvpn/forward.h    |  30 +++++++++++
 src/openvpn/init.c       |   2 +-
 src/openvpn/mtcp.c       |  20 +++++--
 src/openvpn/mudp.c       |   2 +-
 src/openvpn/multi.c      |  45 +++++++++++++---
 src/openvpn/socket.c     |   8 +--
 src/openvpn/socket.h     |  11 ++--
 src/openvpn/ssl.c        | 113 +++++++++++++++------------------------
 src/openvpn/ssl.h        |   2 +-
 src/openvpn/ssl_common.h |   2 +-
 13 files changed, 144 insertions(+), 144 deletions(-)
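The "residual data" problem behind the seventh patch, shown as an added example that is not part of this series or of OpenVPN's code: OpenVPN frames packets on TCP with a 2-byte network-order length prefix, so a reader that drains the socket into a userspace buffer can pull in bytes of the packet after the one it wanted, and those bytes would be invisible to DCO once the socket is handed to the kernel. The `fake_sock` stream, `fake_recv`, and the two sample frames below are constructed stand-ins for a real socket and real traffic; the reader that asks for exactly 2 bytes and then exactly the announced length never leaves such residue, which is the "read as little as possible" approach the cover letter describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample stream (not real OpenVPN traffic): two frames sent
 * back-to-back, so one TCP segment delivers both. Frame 1 stands in for
 * the last packet userspace must handle; frame 2 is the first one that
 * should be seen by DCO after the socket is installed. */
static const uint8_t SAMPLE_STREAM[] = {
    0x00, 0x05, 'h', 'e', 'l', 'l', 'o',   /* frame 1: length 5 */
    0x00, 0x04, 'd', 'a', 't', 'a',        /* frame 2: length 4 */
};

/* Stand-in for a TCP socket: pos counts bytes already handed to userspace. */
struct fake_sock {
    const uint8_t *buf;
    size_t len;
    size_t pos;
};

static struct fake_sock sample_sock(void)
{
    struct fake_sock s = { SAMPLE_STREAM, sizeof SAMPLE_STREAM, 0 };
    return s;
}

/* Stand-in for recv(2): returns up to `want` bytes, 0 at end of stream. */
static size_t fake_recv(struct fake_sock *s, uint8_t *out, size_t want)
{
    size_t left = s->len - s->pos;
    size_t n = want < left ? want : left;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return n;
}

/* Read exactly n bytes, looping on short reads. 1 on success, 0 on EOF. */
static int read_exact(struct fake_sock *s, uint8_t *out, size_t n)
{
    size_t got = 0;
    while (got < n) {
        size_t r = fake_recv(s, out + got, n - got);
        if (r == 0) {
            return 0;
        }
        got += r;
    }
    return 1;
}

/* Read one frame: 2-byte big-endian length, then exactly that many bytes.
 * Never requests more than the current frame, so the bytes of the next
 * frame stay in the socket for whoever owns it next (here: DCO). */
static int read_frame(struct fake_sock *s, uint8_t *out, size_t cap, size_t *plen)
{
    uint8_t hdr[2];
    if (!read_exact(s, hdr, 2)) {
        return 0;
    }
    size_t len = ((size_t)hdr[0] << 8) | hdr[1];
    if (len > cap || !read_exact(s, out, len)) {
        return 0;
    }
    *plen = len;
    return 1;
}

/* Greedy strategy: drain whatever the socket has into a userspace buffer
 * and carve the first frame out of it. Returns the bytes left over in
 * userspace, i.e. the residual data DCO would never see. */
size_t residual_after_greedy_read(void)
{
    struct fake_sock s = sample_sock();
    uint8_t buf[256];
    size_t n = fake_recv(&s, buf, sizeof buf);
    if (n < 2) {
        return 0;
    }
    size_t consumed = 2 + (((size_t)buf[0] << 8) | buf[1]);
    return n > consumed ? n - consumed : 0;
}

/* Exact strategy: consume one frame and nothing more. Returns the bytes
 * left over in userspace (always 0) and reports how many bytes are still
 * queued in the socket. */
size_t residual_after_exact_read(size_t *still_in_socket)
{
    struct fake_sock s = sample_sock();
    uint8_t payload[256];
    size_t len = 0;
    if (!read_frame(&s, payload, sizeof payload, &len)) {
        *still_in_socket = 0;
        return 0;
    }
    *still_in_socket = s.len - s.pos;
    return 0;
}

/* The check the series adds: refuse to hand a TCP socket to DCO while
 * userspace still holds bytes of the next packet. */
int dco_install_allowed(size_t residual)
{
    return residual == 0;
}
```

With the sample stream the greedy reader ends up with the 6 bytes of frame 2 in userspace and must bail out, while the exact reader leaves those 6 bytes in the socket and passes the check.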