From patchwork Sat Jan 1 05:25:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2196
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Jan 2022 17:25:25 +0100
Message-Id: <20220101162532.2251835-8-arne@rfc2549.org>
In-Reply-To: <20220101162532.2251835-1-arne@rfc2549.org>
References: <20220101162532.2251835-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 07/14] Change the default for mssfix to mssfix 1492 mtu

The current default is 1450, which translates to 1478 byte packets for udp4 and 1498 byte packets for udp6. This commit changes the mssfix default to take the outer IP overhead into account as well and changes the target to 1492. 1492 was picked in our community meeting for being a very common encapsulation upper bound.

The change also disables an mssfix default if tun-mtu is set to a value different than 1500. Signed-off-by: Arne Schwabe --- src/openvpn/mtu.h | 2 +- src/openvpn/options.c | 60 +++++++++++++++++++++++++++++-------------- src/openvpn/options.h | 2 +- 3 files changed, 43 insertions(+), 21 deletions(-) diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 930c4b73..41ba970c 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -77,7 +77,7 @@ /* * Default MSSFIX value, used for reducing TCP MTU size */ -#define MSSFIX_DEFAULT 1450 +#define MSSFIX_DEFAULT 1492 /* * Alignment of payload data such as IP packet or diff --git a/src/openvpn/options.c b/src/openvpn/options.c index efe3b2fb..3ba183d0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -802,7 +802,9 @@ init_options(struct options *o, const bool init_gc) o->ce.tun_mtu = TUN_MTU_DEFAULT; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; - o->ce.mssfix = MSSFIX_DEFAULT; + o->ce.mssfix = 0; + o->ce.mssfix_default = true; + o->ce.mssfix_encap = true; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1509,6 +1511,7 @@ show_connection_entry(const struct connection_entry *o) SHOW_INT(fragment); #endif SHOW_INT(mssfix); + SHOW_BOOL(mssfix_encap); SHOW_INT(explicit_exit_notification); @@ -2884,22 +2887,6 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->flags |= CE_DISABLED; } - /* - * If --mssfix is supplied without a parameter, default - * it to --fragment value, if --fragment is specified. - */ - if (o->ce.mssfix_default) - { -#ifdef ENABLE_FRAGMENT - if (ce->fragment) - { - ce->mssfix = ce->fragment; - } -#else - msg(M_USAGE, "--mssfix must specify a parameter"); -#endif - } - /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ 
@@ -2933,6 +2920,36 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } } + /* + * If --mssfix is supplied without a parameter or not specified at all, + * default it to --fragment value, if --fragment is specified and otherwise + * to the default if tun-mtu is 1500 + */ + if (o->ce.mssfix_default) + { +#ifdef ENABLE_FRAGMENT + if (ce->fragment) + { + ce->mssfix = ce->fragment; + } + else +#endif + if (ce->tun_mtu_defined && o->ce.tun_mtu == TUN_MTU_DEFAULT) + { + /* We want to only set mssfix default value if we use a default + * MTU Size, otherwise the different size of tun should either + * already solve the problem or mssfix might artifically make the + * payload packets smaller without mssfix 0 */ + ce->mssfix = MSSFIX_DEFAULT; + ce->mssfix_encap = true; + } + else + { + msg(D_MTU_INFO, "Note: not enabling mssfix for non-default value " + "of --tun-mtu"); + } + } + /* * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined. * @@ -6776,12 +6793,17 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { + /* value specified, assume encapsulation is not + * included unles "mtu" follows later */ options->ce.mssfix = positive_atoi(p[1]); + options->ce.mssfix_encap = false; + options->ce.mssfix_default = false; } - - if (!p[1]) + else { + /* Set MTU to default values */ options->ce.mssfix_default = true; + options->ce.mssfix_encap = true; } if (p[2] && streq(p[2], "mtu")) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c8bccf3e..d754efa1 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -126,7 +126,7 @@ struct connection_entry int fragment; /* internal fragmentation size */ int mssfix; /* Upper bound on TCP MSS */ - bool mssfix_default; /* true if --mssfix was supplied without a parameter */ + bool mssfix_default; /* true if --mssfix should use the default parameters */ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include * overhead from IP and TCP/UDP encapsulation */
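
Review bot: In the src/openvpn/mtu.h hunk the comment above MSSFIX_DEFAULT still reads "Default MSSFIX value, used for reducing TCP MTU size", but the constant changes meaning along with its value: per the commit message 1450 did not count the outer IP overhead, while 1492 is applied together with mssfix_encap = true and so bounds the encapsulated packet. Please update the comment to say the value includes the outer encapsulation overhead, so nobody compares it against a plain --mssfix N. The diffstat touches only mtu.h, options.c and options.h; if the --mssfix documentation is not updated elsewhere in the series, the new default and the tun-mtu exception should be described with this change.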
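
Review bot: In the init_options() hunk o->ce.mssfix is now initialised to 0 with mssfix_default = true, so the field reads as "disabled" until options_postprocess_mutate_ce() has run. A one-line comment next to these assignments saying that the effective default is assigned in the postprocess step would help anyone who reads mssfix between parsing and postprocessing.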
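
Review bot: The new default block added in options_postprocess_mutate_ce() mixes the global template and the per-connection entry: it tests o->ce.mssfix_default and o->ce.tun_mtu, but ce->tun_mtu_defined and ce->fragment. Since --mssfix is accepted with OPT_P_GENERAL|OPT_P_CONNECTION, please either use ce-> throughout or say in the comment why the global values are the intended ones. Further points in the same block: the fragment branch assigns only ce->mssfix and leaves mssfix_encap at whatever it inherited (true from init_options()), so the intended value should be set explicitly there; the else branch prints "not enabling mssfix for non-default value of --tun-mtu" also when tun_mtu_defined is false, which is a different situation from a non-default --tun-mtu; and the block depends on running after tun_mtu_defined is settled, which deserves a sentence in the comment since that is presumably why it moved. Typo in the new comment: "artifically".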
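
Review bot: In the add_option() hunk the else branch (bare --mssfix) sets mssfix_default and mssfix_encap but does not reset options->ce.mssfix, so a value left by an earlier --mssfix N survives. options_postprocess_mutate_ce() overwrites it in the fragment and default tun-mtu cases, but not in the "not enabling mssfix" branch, where the stale N would then be applied with mssfix_encap = true. Setting options->ce.mssfix = 0 in this branch makes the result independent of option order. Also, the comment "/* Set MTU to default values */" does not match the code, which sets mssfix flags rather than an MTU, and "unles" in the first branch's comment should be "unless".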
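
Review bot: In the src/openvpn/options.h hunk the mssfix_default comment is updated, but the mssfix_encap comment directly below it still says the flag is true if --mssfix had the "mtu" parameter, while this patch also sets it to true in init_options(), for a bare --mssfix and on the default path. Please reword it to describe what the flag means now, for example that the mssfix value includes the overhead from IP and TCP/UDP encapsulation.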