diff mbox series

[Openvpn-devel] Apply the connect-retry backoff to only one side of a connection

Message ID 20210602194739.29488-1-selva.nair@gmail.com
State Accepted
Headers show
Series [Openvpn-devel] Apply the connect-retry backoff to only one side of a connection | expand

Commit Message

Selva Nair June 2, 2021, 9:47 a.m. UTC 
From: Selva Nair <selva.nair@gmail.com>

p2p connections with both ends backing off seldom succeed
as their connection attempt durations becomes increasingly
unlikely to overlap when the retry wait time is long.

Avoid this by applying the backoff logic only on TCP clients
or the tls_client side for UDP.

Regression warning: shared secret setups are left out of the
backoff logic.

Trac #1010

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 src/openvpn/init.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Gert Doering June 16, 2021, 10:22 p.m. UTC | #1 
Acked-by: Gert Doering <gert@greenie.muc.de>

Thanks.  Change makes sense.  Code looks good.  

Lightly tested on TCP/--client, UDP/--client, TCP/--tls-client, 
UDP/--tls-client (same behaviour as without the patch).

Plus t_client test rig.

Tested on p2p "server" according to #1384 (--ping-restart, --secret, 
--proto udp, no --remote) - could reproduce #1384 without the patch, 
server does not go into backoff with the patch.  Consequently, this 
will also affect a "p2p --secret client", as the only difference is 
"is there a remote?" (but for such setups, this is likely the right
thing to do - to avoid restart loops, just do not use --ping-restart
in p2p mode, use --ping alone to keep NAT sessions open)


Your patch has been applied to the master, release/2.5 and release/2.4
branch (bugfix).  Not sure we'll ever do another 2.4 release, but if
we do, it's in :-)

commit 063d55afeea723fc6df0af29a19df257a8ab6920 (master)
commit d8dee82f1129ac6d3e4bcdc867726f5d64798dc7 (release/2.5)
commit 7029cece844d9324aff687981b8b6c33b099db2d (release/2.4)
Author: Selva Nair
Date:   Wed Jun 2 15:47:39 2021 -0400

     Apply the connect-retry backoff to only one side of a connection

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20210602194739.29488-1-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22485.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 49c74292..2889f355 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2423,8 +2423,9 @@  socket_restart_pause(struct context *c)
         sec = 10;
     }
 
-    /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
-    if (c->options.ce.proto != PROTO_TCP_SERVER)
+    /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
+    if (c->options.ce.proto == PROTO_TCP_CLIENT
+        || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
     {
         backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
         if (backoff > 0)