From patchwork Mon Dec 14 06:24:07 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1548
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 14 Dec 2020 18:24:07 +0100
Message-Id: <20201214172407.30451-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH] Remove inetd support from OpenVPN

This code is from another time and has almost no relevance today.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 Changes.rst                                  |   7 +
 doc/man-sections/link-options.rst            |   4 -
 doc/man-sections/log-options.rst             |   4 +-
 doc/man-sections/server-options.rst          |  31 ---
 .../sample-config-files/xinetd-client-config |  11 -
 .../sample-config-files/xinetd-server-config |  25 ---
 src/openvpn/error.c                          |   4 +-
 src/openvpn/forward.c                        |  18 +-
 src/openvpn/init.c                           |  22 --
 src/openvpn/misc.c                           |  20 --
 src/openvpn/misc.h                           |   7 -
 src/openvpn/options.c                        | 121 -----------
 src/openvpn/options.h                        |   3 -
 src/openvpn/socket.c                         | 191 +++++-------------
 src/openvpn/socket.h                         |   6 -
 15 files changed, 70 insertions(+), 404 deletions(-)
 delete mode 100644 sample/sample-config-files/xinetd-client-config
 delete mode 100644 sample/sample-config-files/xinetd-server-config

diff --git a/Changes.rst b/Changes.rst index 2a2829e7..2a847564 100644 --- a/Changes.rst +++ b/Changes.rst
@@ -9,6 +9,13 @@ Keying Material Exporters (RFC 5705) based key generation the RFC5705 based key material generation to the current custom OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+. +Deprecated features +------------------- +``inetd`` has been removed + This was a very limited and not-well-tested way to run OpenVPN, on TCP + and TAP mode only. + + Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index c132a623..b8a72d7a 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -366,10 +366,6 @@ the local and the remote host. Persist replay-protection state across sessions using ``file`` to save and reload the state. - This option will strengthen protection against replay attacks, - especially when you are using OpenVPN in a dynamic context (such as with - ``--inetd``) when OpenVPN sessions are frequently started and stopped. - This option will keep a disk copy of the current replay protection state (i.e. the most recent packet timestamp and sequence number received from the remote peer), so that if an OpenVPN session is stopped and diff --git a/doc/man-sections/log-options.rst b/doc/man-sections/log-options.rst index e385d180..d2451d8a 100644 --- a/doc/man-sections/log-options.rst +++ b/doc/man-sections/log-options.rst 
@@ -15,8 +15,8 @@ Log options Output logging messages to ``file``, including output to stdout/stderr which is generated by called scripts. If ``file`` already exists it will be truncated. This option takes effect immediately when it is parsed in - the command line and will supersede syslog output if ``--daemon`` or - ``--inetd`` is also specified. This option is persistent over the entire + the command line and will supersede syslog output if ``--daemon`` + is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by :code:`SIGHUP`, :code:`SIGUSR1`, or ``--ping-restart``. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 5a689452..37ea8d43 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -286,37 +286,6 @@ fast hardware. SSL/TLS authentication must be used in this mode. ifconfig-ipv6-push ipv6addr/bits ipv6remote ---inetd args - Valid syntaxes: - :: - - inetd - inetd wait - inetd nowait - inetd wait progname - - Use this option when OpenVPN is being run from the inetd or ``xinetd``\(8) - server. - - The :code:`wait` and :code:`nowait` option must match what is specified - in the inetd/xinetd config file. The :code:`nowait` mode can only be used - with ``--proto tcp-server`` The default is :code:`wait`. The - :code:`nowait` mode can be used to instantiate the OpenVPN daemon as a - classic TCP server, where client connection requests are serviced on a - single port number. For additional information on this kind of - configuration, see the OpenVPN FAQ: - https://community.openvpn.net/openvpn/wiki/325-openvpn-as-a--forking-tcp-server-which-can-service-multiple-clients-over-a-single-tcp-port - - This option precludes the use of ``--daemon``, ``--local`` or - ``--remote``. Note that this option causes message and error output to - be handled in the same way as the ``--daemon`` option. The optional - ``progname`` parameter is also handled exactly as in ``--daemon``. - - Also note that in ``wait`` mode, each OpenVPN tunnel requires a separate - TCP/UDP port and a separate inetd or xinetd entry. See the OpenVPN 1.x - HOWTO for an example on using OpenVPN with xinetd: - https://openvpn.net/community-resources/1xhowto/ - --multihome Configure a multi-homed UDP server. This option needs to be used when a server has more than one IP address (e.g. multiple interfaces, or diff --git a/sample/sample-config-files/xinetd-client-config b/sample/sample-config-files/xinetd-client-config deleted file mode 100644 index 03c5c1fa..00000000 --- a/sample/sample-config-files/xinetd-client-config +++ /dev/null 
@@ -1,11 +0,0 @@ -# This OpenVPN config file -# is the client side counterpart -# of xinetd-server-config - -dev tun -ifconfig 10.4.0.1 10.4.0.2 -remote my-server -port 1194 -user nobody -secret /root/openvpn/key -inactive 600 diff --git a/sample/sample-config-files/xinetd-server-config b/sample/sample-config-files/xinetd-server-config deleted file mode 100644 index 803a6f8f..00000000 --- a/sample/sample-config-files/xinetd-server-config +++ /dev/null @@ -1,25 +0,0 @@ -# An xinetd configuration file for OpenVPN. -# -# This file should be renamed to openvpn or something suitably -# descriptive and copied to the /etc/xinetd.d directory. -# xinetd can then be made aware of this file by restarting -# it or sending it a SIGHUP signal. -# -# For each potential incoming client, create a separate version -# of this configuration file on a unique port number. Also note -# that the key file and ifconfig endpoints should be unique for -# each client. This configuration assumes that the OpenVPN -# executable and key live in /root/openvpn. Change this to fit -# your environment. - -service openvpn_1 -{ - type = UNLISTED - port = 1194 - socket_type = dgram - protocol = udp - wait = yes - user = root - server = /root/openvpn/openvpn - server_args = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 --secret /root/openvpn/key --inactive 600 --user nobody -} diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 7d0fcb2d..0ecbfc33 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -62,7 +62,7 @@ static int mute_category; /* GLOBAL */ * Output mode priorities are as follows: * * (1) --log-x overrides everything - * (2) syslog is used if --daemon or --inetd is defined and not --log-x + * (2) syslog is used if --daemon is defined and not --log-x * (3) if OPENVPN_DEBUG_COMMAND_LINE is defined, output * to constant logfile name. * (4) Output to stdout. 
@@ -476,7 +476,7 @@ open_syslog(const char *pgmname, bool stdio_to_null) } } #else /* if SYSLOG_CAPABILITY */ - msg(M_WARN, "Warning on use of --daemon/--inetd: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages"); + msg(M_WARN, "Warning on use of --daemon: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages"); #endif } diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 67615a6b..17a2699d 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -834,23 +834,15 @@ read_incoming_link(struct context *c) #endif { /* received a disconnect from a connection-oriented protocol */ - if (c->options.inetd) + if (event_timeout_defined(&c->c2.explicit_exit_notification_interval)) { - register_signal(c, SIGTERM, "connection-reset-inetd"); - msg(D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status); + msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status); + management_sleep(1); } else { - if (event_timeout_defined(&c->c2.explicit_exit_notification_interval)) - { - msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status); - management_sleep(1); - } - else - { - register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */ - msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status); - } + register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */ + msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status); } } perf_pop(); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c3493c42..d234729c 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -1236,7 +1236,6 @@ possibly_become_daemon(const struct options *options) if (options->daemon) { - ASSERT(!options->inetd); /* Don't chdir immediately, but the end of the init sequence, if needed */ #if defined(__APPLE__) && defined(__clang__) @@ -3449,7 +3448,6 @@ do_init_socket_1(struct context *c, const int mode) #endif c->options.ce.bind_local, c->options.ce.remote_float, - c->options.inetd, &c->c1.link_socket_addr, c->options.ipchange, c->plugins, @@ -3552,23 +3550,6 @@ do_init_first_time(struct context *c) } } -/* - * If xinetd/inetd mode, don't allow restart. - */ -static void -do_close_check_if_restart_permitted(struct context *c) -{ - if (c->options.inetd - && (c->sig->signal_received == SIGHUP - || c->sig->signal_received == SIGUSR1)) - { - c->sig->signal_received = SIGTERM; - msg(M_INFO, - PACKAGE_NAME - " started by inetd/xinetd cannot restart... Exiting."); - } -} - /* * free buffers */ @@ -4462,9 +4443,6 @@ close_instance(struct context *c) || c->mode == CM_CHILD_UDP || c->mode == CM_TOP) { - /* if xinetd/inetd mode, don't allow restart */ - do_close_check_if_restart_permitted(c); - #ifdef USE_COMP if (c->c2.comp_context) { diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index c0c72dd7..feaefb3b 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -75,26 +75,6 @@ set_std_files_to_null(bool stdin_only) #endif } -/* - * dup inetd/xinetd socket descriptor and save - */ - -int inetd_socket_descriptor = SOCKET_UNDEFINED; /* GLOBAL */ - -void -save_inetd_socket_descriptor(void) -{ - inetd_socket_descriptor = INETD_SOCKET_DESCRIPTOR; -#if defined(HAVE_DUP) && defined(HAVE_DUP2) - /* use handle passed by inetd/xinetd */ - if ((inetd_socket_descriptor = dup(INETD_SOCKET_DESCRIPTOR)) < 0) - { - msg(M_ERR, "INETD_SOCKET_DESCRIPTOR dup(%d) failed", INETD_SOCKET_DESCRIPTOR); - } - set_std_files_to_null(true); -#endif -} - /* * Prepend a random string to hostname to prevent DNS caching. * For example, foo.bar.gov would be modified to .foo.bar.gov. 
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index e4342b0d..9b018eb5 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -32,9 +32,6 @@ #include "buffer.h" #include "platform.h" -/* socket descriptor passed by inetd/xinetd server to us */ -#define INETD_SOCKET_DESCRIPTOR 0 - /* forward declarations */ struct plugin_list; @@ -42,10 +39,6 @@ struct plugin_list; /* Set standard file descriptors to /dev/null */ void set_std_files_to_null(bool stdin_only); -/* dup inetd/xinetd socket descriptor and save */ -extern int inetd_socket_descriptor; -void save_inetd_socket_descriptor(void); - /* Make arrays of strings */ const char **make_arg_array(const char *first, const char *parms, struct gc_arena *gc); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ff3954d5..28d51c9a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -324,8 +324,6 @@ static const char usage_message[] = " as the program name to the system logger.\n" "--syslog [name] : Output to syslog, but do not become a daemon.\n" " See --daemon above for a description of the 'name' parm.\n" - "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n" - " See --daemon above for a description of the 'name' parm.\n" "--log file : Output log to file which is created/truncated on open.\n" "--log-append file : Append log to file, or create file if nonexistent.\n" "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n" @@ -1603,7 +1601,6 @@ show_settings(const struct options *o) SHOW_BOOL(up_restart); SHOW_BOOL(up_delay); SHOW_BOOL(daemon); - SHOW_INT(inetd); SHOW_BOOL(log); SHOW_BOOL(suppress_timestamps); SHOW_BOOL(machine_readable_output); 
@@ -2032,48 +2029,6 @@ options_postprocess_verify_ce(const struct options *options, "--proto tcp-server or --proto tcp-client"); } - /* - * Sanity check on daemon/inetd modes - */ - - if (options->daemon && options->inetd) - { - msg(M_USAGE, "only one of --daemon or --inetd may be specified"); - } - - if (options->inetd && (ce->local || ce->remote)) - { - msg(M_USAGE, "--local or --remote cannot be used with --inetd"); - } - - if (options->inetd && ce->proto == PROTO_TCP_CLIENT) - { - msg(M_USAGE, "--proto tcp-client cannot be used with --inetd"); - } - - if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER) - { - msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server"); - } - - if (options->inetd == INETD_NOWAIT - && !(options->tls_server || options->tls_client)) - { - msg(M_USAGE, "--inetd nowait can only be used in TLS mode"); - } - - if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP) - { - msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode"); - } - - if (options->inetd) - { - msg(M_WARN, - "DEPRECATED OPTION: --inetd mode is deprecated and will be removed " - "in OpenVPN 2.6"); - } - if (options->lladdr && dev != DEV_TYPE_TAP) { msg(M_USAGE, "--lladdr can only be used in --dev tap mode"); @@ -2339,10 +2294,6 @@ options_postprocess_verify_ce(const struct options *options, { msg(M_USAGE, "--shaper cannot be used with --mode server"); } - if (options->inetd) - { - msg(M_USAGE, "--inetd cannot be used with --mode server"); - } if (options->ipchange) { msg(M_USAGE, 
@@ -2983,18 +2934,7 @@ options_postprocess_mutate_invariant(struct options *options) { #ifdef _WIN32 const int dev = dev_type_enum(options->dev, options->dev_type); -#endif - /* - * In forking TCP server mode, you don't need to ifconfig - * the tap device (the assumption is that it will be bridged). - */ - if (options->inetd == INETD_NOWAIT) - { - options->ifconfig_noexec = true; - } - -#ifdef _WIN32 /* when using wintun, kernel doesn't send DHCP requests, so don't use it */ if (options->windows_driver == WINDOWS_DRIVER_WINTUN && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE)) @@ -5895,67 +5835,6 @@ add_option(struct options *options, } } } - else if (streq(p[0], "inetd") && !p[3]) - { - VERIFY_PERMISSION(OPT_P_GENERAL); - if (!options->inetd) - { - int z; - const char *name = NULL; - const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging"; - - options->inetd = -1; - - for (z = 1; z <= 2; ++z) - { - if (p[z]) - { - if (streq(p[z], "wait")) - { - if (options->inetd != -1) - { - msg(msglevel, "%s", opterr); - goto err; - } - else - { - options->inetd = INETD_WAIT; - } - } - else if (streq(p[z], "nowait")) - { - if (options->inetd != -1) - { - msg(msglevel, "%s", opterr); - goto err; - } - else - { - options->inetd = INETD_NOWAIT; - } - } - else - { - if (name != NULL) - { - msg(msglevel, "%s", opterr); - goto err; - } - name = p[z]; - } - } - } - - /* default */ - if (options->inetd == -1) - { - options->inetd = INETD_WAIT; - } - - save_inetd_socket_descriptor(); - open_syslog(name, true); - } - } else if (streq(p[0], "log") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 5b6d9441..56228668 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -319,9 +319,6 @@ struct options int remap_sigusr1; - /* inetd modes defined in socket.h */ - int inetd; - bool log; bool suppress_timestamps; bool machine_readable_output; diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 97750681..891f63b0 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1894,7 +1894,6 @@ link_socket_init_phase1(struct link_socket *sock, #endif bool bind_local, bool remote_float, - int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, @@ -1917,7 +1916,6 @@ link_socket_init_phase1(struct link_socket *sock, sock->http_proxy = http_proxy; sock->socks_proxy = socks_proxy; sock->bind_local = bind_local; - sock->inetd = inetd; sock->resolve_retry_seconds = resolve_retry_seconds; sock->mtu_discover_type = mtu_discover_type; @@ -1946,7 +1944,6 @@ link_socket_init_phase1(struct link_socket *sock, { ASSERT(accept_from); ASSERT(sock->info.proto == PROTO_TCP_SERVER); - ASSERT(!sock->inetd); sock->sd = accept_from->sd; /* inherit (possibly guessed) info AF from parent context */ sock->info.af = accept_from->info.af; @@ -1956,7 +1953,6 @@ link_socket_init_phase1(struct link_socket *sock, if (sock->http_proxy) { ASSERT(sock->info.proto == PROTO_TCP_CLIENT); - ASSERT(!sock->inetd); /* the proxy server */ sock->remote_host = http_proxy->options.server; @@ -1969,8 +1965,6 @@ link_socket_init_phase1(struct link_socket *sock, /* or in Socks proxy mode? */ else if (sock->socks_proxy) { - ASSERT(!sock->inetd); - /* the proxy server */ sock->remote_host = socks_proxy->server; sock->remote_port = socks_proxy->port; 
@@ -1998,15 +1992,7 @@ link_socket_init_phase1(struct link_socket *sock, } } - /* were we started by inetd or xinetd? */ - if (sock->inetd) - { - ASSERT(sock->info.proto != PROTO_TCP_CLIENT); - ASSERT(socket_defined(inetd_socket_descriptor)); - sock->sd = inetd_socket_descriptor; - set_cloexec(sock->sd); /* not created by create_socket*() */ - } - else if (mode != LS_MODE_TCP_ACCEPT_FROM) + if (mode != LS_MODE_TCP_ACCEPT_FROM) { if (sock->bind_local) { 
@@ -2016,58 +2002,6 @@ link_socket_init_phase1(struct link_socket *sock, } } -static -void -phase2_inetd(struct link_socket *sock, const struct frame *frame, - const char *remote_dynamic, volatile int *signal_received) -{ - bool remote_changed = false; - - if (sock->info.proto == PROTO_TCP_SERVER) - { - /* AF_INET as default (and fallback) for inetd */ - sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET; -#ifdef HAVE_GETSOCKNAME - { - /* inetd: hint family type for dest = local's */ - struct openvpn_sockaddr local_addr; - socklen_t addrlen = sizeof(local_addr); - if (getsockname(sock->sd, &local_addr.addr.sa, &addrlen) == 0) - { - sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family; - dmsg(D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)", - proto2ascii(sock->info.proto, sock->info.af, false), - local_addr.addr.sa.sa_family, (int)sock->sd); - } - else - { - int saved_errno = errno; - msg(M_WARN|M_ERRNO, "inetd(%s): getsockname(%d) failed, using AF_INET", - proto2ascii(sock->info.proto, sock->info.af, false), (int)sock->sd); - /* if not called with a socket on stdin, --inetd cannot work */ - if (saved_errno == ENOTSOCK) - { - msg(M_FATAL, "ERROR: socket required for --inetd operation"); - } - } - } -#else /* ifdef HAVE_GETSOCKNAME */ - msg(M_WARN, "inetd(%s): this OS does not provide the getsockname() " - "function, using AF_INET", - proto2ascii(sock->info.proto, false)); -#endif /* ifdef HAVE_GETSOCKNAME */ - sock->sd = - socket_listen_accept(sock->sd, - &sock->info.lsa->actual, - remote_dynamic, - sock->info.lsa->bind_local, - false, - sock->inetd == INETD_NOWAIT, - signal_received); - } - ASSERT(!remote_changed); -} - static void phase2_set_socket_flags(struct link_socket *sock) { 
@@ -2094,11 +2028,7 @@ linksock_print_addr(struct link_socket *sock) const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO; /* print local address */ - if (sock->inetd) - { - msg(msglevel, "%s link local: [inetd]", proto2ascii(sock->info.proto, sock->info.af, true)); - } - else if (sock->bind_local) + if (sock->bind_local) { sa_family_t ai_family = sock->info.lsa->actual.dest.addr.sa.sa_family; /* Socket is always bound on the first matching address, 
@@ -2287,85 +2217,72 @@ link_socket_init_phase2(struct link_socket *sock, remote_dynamic = sock->remote_host; } - /* were we started by inetd or xinetd? */ - if (sock->inetd) - { - phase2_inetd(sock, frame, remote_dynamic, &sig_info->signal_received); - if (sig_info->signal_received) - { - goto done; - } + /* Second chance to resolv/create socket */ + resolve_remote(sock, 2, &remote_dynamic, &sig_info->signal_received); - } - else + /* If a valid remote has been found, create the socket with its addrinfo */ + if (sock->info.lsa->current_remote) { - /* Second chance to resolv/create socket */ - resolve_remote(sock, 2, &remote_dynamic, &sig_info->signal_received); + create_socket(sock, sock->info.lsa->current_remote); + } - /* If a valid remote has been found, create the socket with its addrinfo */ - if (sock->info.lsa->current_remote) - { - create_socket(sock, sock->info.lsa->current_remote); - } + /* If socket has not already been created create it now */ + if (sock->sd == SOCKET_UNDEFINED) + { + /* If we have no --remote and have still not figured out the + * protocol family to use we will use the first of the bind */ - /* If socket has not already been created create it now */ - if (sock->sd == SOCKET_UNDEFINED) + if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local) { - /* If we have no --remote and have still not figured out the - * protocol family to use we will use the first of the bind */ - - if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local) + /* Warn if this is because neither v4 or v6 was specified + * and we should not connect a remote */ + if (sock->info.af == AF_UNSPEC) { - /* Warn if this is because neither v4 or v6 was specified - * and we should not connect a remote */ - if (sock->info.af == AF_UNSPEC) - { - msg(M_WARN, "Could not determine IPv4/IPv6 protocol. 
Using %s", - addr_family_name(sock->info.lsa->bind_local->ai_family)); - sock->info.af = sock->info.lsa->bind_local->ai_family; - } - - create_socket(sock, sock->info.lsa->bind_local); + msg(M_WARN, "Could not determine IPv4/IPv6 protocol. Using %s", + addr_family_name(sock->info.lsa->bind_local->ai_family)); + sock->info.af = sock->info.lsa->bind_local->ai_family; } - } - /* Socket still undefined, give a warning and abort connection */ - if (sock->sd == SOCKET_UNDEFINED) - { - msg(M_WARN, "Could not determine IPv4/IPv6 protocol"); - sig_info->signal_received = SIGUSR1; - goto done; + create_socket(sock, sock->info.lsa->bind_local); } + } - if (sig_info->signal_received) - { - goto done; - } + /* Socket still undefined, give a warning and abort connection */ + if (sock->sd == SOCKET_UNDEFINED) + { + msg(M_WARN, "Could not determine IPv4/IPv6 protocol"); + sig_info->signal_received = SIGUSR1; + goto done; + } - if (sock->info.proto == PROTO_TCP_SERVER) - { - phase2_tcp_server(sock, remote_dynamic, - &sig_info->signal_received); - } - else if (sock->info.proto == PROTO_TCP_CLIENT) - { - phase2_tcp_client(sock, sig_info); + if (sig_info->signal_received) + { + goto done; + } - } - else if (sock->info.proto == PROTO_UDP && sock->socks_proxy) - { - phase2_socks_client(sock, sig_info); - } + if (sock->info.proto == PROTO_TCP_SERVER) + { + phase2_tcp_server(sock, remote_dynamic, + &sig_info->signal_received); + } + else if (sock->info.proto == PROTO_TCP_CLIENT) + { + phase2_tcp_client(sock, sig_info); + + } + else if (sock->info.proto == PROTO_UDP && sock->socks_proxy) + { + phase2_socks_client(sock, sig_info); + } #ifdef TARGET_ANDROID - if (sock->sd != -1) - { - protect_fd_nonlocal(sock->sd, &sock->info.lsa->actual.dest.addr.sa); - } + if (sock->sd != -1) + { + protect_fd_nonlocal(sock->sd, &sock->info.lsa->actual.dest.addr.sa); + } #endif - if (sig_info->signal_received) - { - goto done; - } + if (sig_info->signal_received) + { + goto done; } 
phase2_set_socket_flags(sock); diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 7aeae527..4099f6ea 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -188,11 +188,6 @@ struct link_socket struct cached_dns_entry *dns_cache; bool bind_local; -#define INETD_NONE 0 -#define INETD_WAIT 1 -#define INETD_NOWAIT 2 - int inetd; - #define LS_MODE_DEFAULT 0 #define LS_MODE_TCP_LISTEN 1 #define LS_MODE_TCP_ACCEPT_FROM 2 @@ -318,7 +313,6 @@ link_socket_init_phase1(struct link_socket *sock, #endif bool bind_local, bool remote_float, - int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins,
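Review bot: The Changes.rst hunk describes the removed feature inaccurately and files it under a misleading heading. The entry says inetd ran "on TCP and TAP mode only", but the sample xinetd-server-config deleted later in this patch runs `--inetd` with `protocol = udp` and `--dev tun`; only the `nowait` variant was restricted to `--proto tcp-server`, TLS mode and `--dev tap` (see the checks this patch removes from options_postprocess_verify_ce). Since the option is gone rather than deprecated, "Removed features" would be the accurate heading, and the sentence could read "This was a very limited and not-well-tested way to run OpenVPN; the `nowait` variant only worked with TCP server mode and TAP devices."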
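Review bot: The link-options.rst hunk drops the whole paragraph explaining when `--replay-persist` matters, although only its `--inetd` example is obsolete. The advice that persisting replay state strengthens replay protection when OpenVPN sessions are frequently started and stopped still holds for any deployment that restarts OpenVPN often, and the remaining text only explains the mechanism, not when to use it; suggest keeping the sentence and deleting just the parenthetical "(such as with ``--inetd``)".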
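Review bot: Style only: the log-options.rst hunk leaves "``--daemon``" alone on one line followed by the short line "is also specified." Reflowing the paragraph ("... will supersede syslog output if ``--daemon`` is also specified. This option is persistent over the entire course ...") keeps the reStructuredText source tidy.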
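Review bot: The misc.c hunk removes the only visible call of `set_std_files_to_null(true)`; the `stdin_only` parameter declared in misc.h (`void set_std_files_to_null(bool stdin_only);`) existed to serve the inetd case, where fd 0 was the inherited socket that had just been dup()'d. Worth checking whether any remaining caller passes `true`; if none does, the parameter can be dropped in a follow-up so the function always redirects all three standard descriptors.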
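Review bot: With the `inetd` branch removed from add_option in options.c, a configuration that still contains `--inetd` will now fail with the generic unrecognized-option error instead of the targeted "DEPRECATED OPTION" message that this patch also deletes from options_postprocess_verify_ce. Since that warning promised removal "in OpenVPN 2.6", consider keeping a small `else if (streq(p[0], "inetd"))` stub that reports `msg(msglevel, "--inetd support was removed in OpenVPN 2.6");` and does `goto err;`, so that users with old xinetd configurations get an actionable error rather than a parse failure.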
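Review bot: The removed phase2_inetd in socket.c was the caller that passed `sock->inetd == INETD_NOWAIT` as the `nowait` argument of socket_listen_accept. After this patch, check whether any remaining caller can pass `true` for that parameter; if none can, the nowait accept path in socket_listen_accept becomes dead code and should be removed in a follow-up rather than left behind.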
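Review bot: The link_socket_init_phase2 hunk in socket.c is almost entirely re-indentation from dropping the `else` block, which hides the actual logic change; please confirm with `git show -w` that the only semantic change is the removal of the inetd branch. One leftover is the empty line that survives inside the `else if (sock->info.proto == PROTO_TCP_CLIENT)` branch after `phase2_tcp_client(sock, sig_info);`, which could be dropped now that the block is being rewritten anyway.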