From patchwork Thu Feb 10 05:26:26 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2276
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 10 Feb 2022 17:26:26 +0100
Message-Id: <20220210162632.3309974-2-arne@rfc2549.org>
In-Reply-To: <20220210162632.3309974-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 2/8] Change the default for mssfix to mssfix 1492 mtu

The current default is 1450, which translates to 1478 byte packets for udp4 and 1498 byte packets for udp6. This commit changes the mssfix default to take the outer IP overhead into account as well and changes the target to 1492. 1492 was picked in our community meeting for being a very common encapsulation upper bound.
The change also disables an mssfix default if tun-mtu is set to a value different than 1500. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/mtu.h | 2 +- src/openvpn/options.c | 60 +++++++++++++++++++++++++++++-------------- src/openvpn/options.h | 2 +- 3 files changed, 43 insertions(+), 21 deletions(-) diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 7a6cdcb4..3a8faec1 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -77,7 +77,7 @@ /* * Default MSSFIX value, used for reducing TCP MTU size */ -#define MSSFIX_DEFAULT 1450 +#define MSSFIX_DEFAULT 1492 /* * Alignment of payload data such as IP packet or diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 705f7e0c..491edbe5 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -803,7 +803,9 @@ init_options(struct options *o, const bool init_gc) o->ce.tun_mtu = TUN_MTU_DEFAULT; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; - o->ce.mssfix = MSSFIX_DEFAULT; + o->ce.mssfix = 0; + o->ce.mssfix_default = true; + o->ce.mssfix_encap = true; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1511,6 +1513,7 @@ show_connection_entry(const struct connection_entry *o) SHOW_INT(fragment); #endif SHOW_INT(mssfix); + SHOW_BOOL(mssfix_encap); SHOW_INT(explicit_exit_notification); @@ -2887,22 +2890,6 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->flags |= CE_DISABLED; } - /* - * If --mssfix is supplied without a parameter, default - * it to --fragment value, if --fragment is specified. - */ - if (o->ce.mssfix_default) - { -#ifdef ENABLE_FRAGMENT - if (ce->fragment) - { - ce->mssfix = ce->fragment; - } -#else - msg(M_USAGE, "--mssfix must specify a parameter"); -#endif - } - /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ 
@@ -2936,6 +2923,36 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } } + /* + * If --mssfix is supplied without a parameter or not specified at all, + * default it to --fragment value, if --fragment is specified and otherwise + * to the default if tun-mtu is 1500 + */ + if (o->ce.mssfix_default) + { +#ifdef ENABLE_FRAGMENT + if (ce->fragment) + { + ce->mssfix = ce->fragment; + } + else +#endif + if (ce->tun_mtu_defined && o->ce.tun_mtu == TUN_MTU_DEFAULT) + { + /* We want to only set mssfix default value if we use a default + * MTU Size, otherwise the different size of tun should either + * already solve the problem or mssfix might artifically make the + * payload packets smaller without mssfix 0 */ + ce->mssfix = MSSFIX_DEFAULT; + ce->mssfix_encap = true; + } + else + { + msg(D_MTU_INFO, "Note: not enabling mssfix for non-default value " + "of --tun-mtu"); + } + } + /* * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined. * @@ -6812,12 +6829,17 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { + /* value specified, assume encapsulation is not + * included unles "mtu" follows later */ options->ce.mssfix = positive_atoi(p[1]); + options->ce.mssfix_encap = false; + options->ce.mssfix_default = false; } - - if (!p[1]) + else { + /* Set MTU to default values */ options->ce.mssfix_default = true; + options->ce.mssfix_encap = true; } if (p[2] && streq(p[2], "mtu")) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 13d6b0da..3d0f7fe7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -126,7 +126,7 @@ struct connection_entry int fragment; /* internal fragmentation size */ int mssfix; /* Upper bound on TCP MSS */ - bool mssfix_default; /* true if --mssfix was supplied without a parameter */ + bool mssfix_default; /* true if --mssfix should use the default parameters */ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include * overhead from IP and TCP/UDP encapsulation */
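Review bot: In the src/openvpn/mtu.h hunk, the comment above MSSFIX_DEFAULT still reads "Default MSSFIX value, used for reducing TCP MTU size", but with this patch the default is applied together with mssfix_encap = true, so 1492 is a bound on the encapsulated outer packet rather than on the inner payload as 1450 was. Please extend the comment to say that the value includes the outer IP and UDP/TCP overhead, so a later reader does not compare the two numbers directly.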
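Review bot: In the block added to options_postprocess_mutate_ce(), the condition mixes the per-connection entry and the global one: it tests ce->tun_mtu_defined but o->ce.tun_mtu, under an outer check of o->ce.mssfix_default, and then writes ce->mssfix. Unless reading the global values is intended, use ce->tun_mtu (and ce->mssfix_default) so a connection block with its own tun-mtu is evaluated on its own settings; if it is intended, a one-line comment saying so would help. Separately, the fragment branch sets ce->mssfix = ce->fragment without touching mssfix_encap, while the default branch sets it to true explicitly; since init_options() and a bare --mssfix both leave mssfix_encap true, the fragment value is now treated as including encapsulation, which the commit message does not mention. The word "artifically" in the new comment should be "artificially".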
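Review bot: In the add_option() hunk, the else branch for --mssfix without a parameter sets only mssfix_default = true and mssfix_encap = true, which is the same state init_options() now establishes, so an explicit bare --mssfix can no longer be told apart from the option being absent. Combined with the removal of the M_USAGE "--mssfix must specify a parameter" path and the new else branch that only logs at D_MTU_INFO, a user who writes --mssfix together with a non-default --tun-mtu gets no MSS clamping and no visible warning. Consider recording that the option was given explicitly and raising the message level in that case, or documenting the behaviour. The comment "Set MTU to default values" should refer to mssfix rather than MTU, and "unles" should be "unless".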
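Review bot: In the src/openvpn/options.h hunk, the mssfix_default comment is updated but the mssfix_encap comment directly below it still says the flag is true if --mssfix had the "mtu" parameter. After this patch init_options() and the bare --mssfix path also set mssfix_encap to true, so that description is no longer complete; please reword it along the lines of "true if the mssfix value includes overhead from IP and TCP/UDP encapsulation".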