[Openvpn-devel,ovpn,net,v2,0/4] ovpn: harden UDP TX against mutable socket state

Message ID cover.1780663425.git.ralf@mandelbit.com

Ralf Lici June 5, 2026, 1:13 p.m. UTC
Hi,

v1 added setup-time validation for userspace-provided sockets and TX-time
checks for socket state that can still change after the socket is attached
to ovpn.

In v1, ovpn_udp_send_skb consumed the error internally, so
ovpn_encrypt_post could still update link TX stats and last_sent for a
packet that was dropped before transmit. v2 propagates those errors back
to the common TX completion path, so TX-side checks are handled as local
transmit failures, not as successful handoff to the UDP stack.

v2 also makes socket/remote address-family mismatches fatal for the peer.
Those mismatches mean the peer can no longer transmit with the socket it
was configured with, so keeping it around would just keep dropping packets.
The peer deletion is deferred through a common transport-error work item,
which is also reused by the TCP transport-error paths.

The source-port-zero case is kept as drop+warning for now. It is still a
broken socket state for ovpn TX, but it is not treated as a peer-fatal
address-family mismatch in this series.

Thanks,
Ralf

---
Changes since v1 https://lore.kernel.org/openvpn-devel/20260526124544.425791-1-ralf@mandelbit.com/T/
- Add ratelimited warnings for TX-side socket state failures.
- Propagate local UDP TX errors to ovpn_encrypt_post, so local drops do
  not update link TX stats or last_sent.
- Delete peers with TRANSPORT_ERROR on UDP socket/remote address-family
  mismatches.
- Add a common deferred transport-error deletion helper shared by TCP and
  UDP.
- Clarify that netlink socket/remote validation is setup-time diagnostics;
  the TX path remains the runtime gate for mutable socket state.
- Use a single READ_ONCE() snapshot of sk->sk_family in the netlink helper.
- Fix the IPV6_V6ONLY typo.

Ralf Lici (4):
  ovpn: avoid sending UDP packets with source port 0
  ovpn: validate sockets before attaching peer transports
  ovpn: reject UDP remotes incompatible with socket family
  ovpn: recheck UDP socket family before transmit

 drivers/net/ovpn/io.c      |   4 +-
 drivers/net/ovpn/netlink.c | 133 ++++++++++++++++++++++++++++---------
 drivers/net/ovpn/peer.c    |  19 ++++++
 drivers/net/ovpn/peer.h    |   5 +-
 drivers/net/ovpn/socket.c  |  16 +++--
 drivers/net/ovpn/tcp.c     |  21 +-----
 drivers/net/ovpn/udp.c     |  57 ++++++++++++----
 drivers/net/ovpn/udp.h     |   4 +-
 8 files changed, 183 insertions(+), 76 deletions(-)
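
The TX-completion behaviour the cover letter describes, as an added userspace model that is not code from this series or from the ovpn driver: a local TX failure must not update stats or last_sent, a family mismatch queues peer deletion, and source port 0 only drops. All names, the errno values and the strict family comparison are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/socket.h>

/* Userspace model only: every name below is hypothetical, not an ovpn symbol. */
struct model_sock { int family; unsigned short sport; };  /* mutable after attach */
struct model_peer {
    int remote_family;         /* address family of the configured remote */
    unsigned long tx_packets;  /* link TX stats */
    unsigned long last_sent;   /* timestamp of last successful send */
    bool delete_pending;       /* stands in for the deferred transport-error work */
};

/* TX-time gate: socket state is re-read per packet because it can change.
 * Strict equality is a simplification; dual-stack sockets are not modelled. */
static int model_udp_send(const struct model_sock *sk, const struct model_peer *peer)
{
    if (sk->family != peer->remote_family)
        return -EAFNOSUPPORT;  /* assumed errno: peer-fatal mismatch */
    if (sk->sport == 0)
        return -EINVAL;        /* assumed errno: drop + warning, peer kept */
    return 0;                  /* handed off to the UDP stack */
}

/* Common TX completion: only a successful handoff counts as "sent". */
static int model_tx_complete(const struct model_sock *sk, struct model_peer *peer,
                             unsigned long now)
{
    int err = model_udp_send(sk, peer);

    if (err == -EAFNOSUPPORT)
        peer->delete_pending = true;  /* deletion is deferred, not done inline */
    if (err)
        return err;                   /* local drop: no stats, no last_sent */
    peer->tx_packets++;
    peer->last_sent = now;
    return 0;
}

int main(void)
{
    struct model_sock sk = { AF_INET, 1194 };        /* constructed sample state */
    struct model_peer peer = { AF_INET, 0, 0, false };

    model_tx_complete(&sk, &peer, 100);  /* sent and counted */
    sk.sport = 0;
    model_tx_complete(&sk, &peer, 200);  /* dropped, peer kept */
    sk.family = AF_INET6;
    model_tx_complete(&sk, &peer, 300);  /* dropped, deletion queued */
    return (peer.tx_packets == 1 && peer.delete_pending) ? 0 : 1;
}
```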