From patchwork Mon Nov 25 14:37:46 2024
X-Patchwork-Submitter: "kallisti5 (Code Review)"
X-Patchwork-Id: 3959
From: "ordex (Code Review)"
Date: Mon, 25 Nov 2024 14:37:46 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Reply-To: a@unstable.cc, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [XS] Change in openvpn[master]: man: extend --persist-tun section
Message-ID: <0ba3c0296fe0e52ef01cd4a63d4ea8db344d59b3-HTML@gerrit.openvpn.net>
X-Gerrit-Project: openvpn
X-Gerrit-Change-Number: 819
X-Gerrit-Change-Id: I6816f61b308ca9f6d1f9f687a6dc8e0aa2d044e0
X-Gerrit-PatchSet: 1
X-Gerrit-Commit: ea4afa3f2f8aa96b9db7cc926da63fdfd03bbe58

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/819?usp=email

to review the following change.

Change subject: man: extend --persist-tun section
......................................................................

man: extend --persist-tun section

The current persist-tun section has no mention of retaining IP/routes and its potential usage in traffic leaking protection.
Spell this out to allow the user to better understand when this option can play an important role. Change-Id: I6816f61b308ca9f6d1f9f687a6dc8e0aa2d044e0 Signed-off-by: Antonio Quartulli --- M doc/man-sections/vpn-network-options.rst 1 file changed, 9 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/19/819/1 diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index fc76939..cfa6af9 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -312,6 +312,15 @@ :code:`SIGUSR1` is a restart signal similar to :code:`SIGHUP`, but which offers finer-grained control over reset options. + On Linux, this option can be useful when OpenVPN is not executed as + root and the CAP_NET_ADMIN has not been granted, because the process + would otherwise not be allowed to bring the interface down and back up. + + Alongside the above, using ``--persist-tun`` allows the tunnel interface + to retain all IP/route settings, thus allowing the user to implement + any advanced traffic leaking protection (please ntoe that for full + protection, extra route/firewall rules must be in place). + --redirect-gateway flags Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option.
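
Review bot: The second added paragraph has a typo in its parenthetical, "please ntoe that", which should read "please note that". In the first added paragraph, "the CAP_NET_ADMIN has not been granted" would read better as "the :code:`CAP_NET_ADMIN` capability has not been granted", which also matches the :code:`SIGUSR1` markup used in the context lines just above. On substance, "allowing the user to implement any advanced traffic leaking protection" is vague for a man page that people will rely on for leak prevention: it does not say during which event the IP/route settings are retained (presumably the restart that the preceding context describes), and the only statement that the option is not sufficient by itself sits inside parentheses. I would suggest "traffic leak protection" for the wording, naming the restart case explicitly, and promoting the caveat to its own sentence, for example "This option alone does not prevent leaks; additional route/firewall rules must be in place."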