From patchwork Thu Feb 24 03:42:45 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2321
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 24 Feb 2022 15:42:45 +0100
Message-Id: <20220224144245.878056-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH] Implement fixed MSS value for mssfix and use it for non default MTUs

This allows setting the MSS value inside the tunnel to a user-specified value instead of calculating it from the (somewhat) dynamic encapsulation overhead. Also default to the MTU when tun-mtu does not have the default value to ensure that packets are not larger than the tun-mtu.
This only affects packets that are routed via the VPN and none of the peers is an endpoint since otherwise the peer would already set a lower MTU. Acked-by: Lev Stipakov --- doc/man-sections/link-options.rst | 9 +++++++- src/openvpn/mss.c | 8 +++++++ src/openvpn/options.c | 37 ++++++++++++++++++++----------- src/openvpn/options.h | 1 + 4 files changed, 41 insertions(+), 14 deletions(-) diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 782aa7381..6473ad423 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -132,12 +132,14 @@ the local and the remote host. mssfix max [mtu] + mssfix max [fixed] + mssfix Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not - exceed ``max`` bytes. The default value is :code:`1450`. Use :code:`0` + exceed ``max`` bytes. The default value is :code:`1492 mtu`. Use :code:`0` as max to disable mssfix. If the :code:`mtu` parameter is specified the ``max`` value is interpreted @@ -153,6 +155,11 @@ the local and the remote host. transmitted over IPv4 on a link with MTU 1478 or higher without IP level fragmentation (and 1498 for IPv6). + If the :code:`fixed` parameter is specified, OpenVPN will make no attempt + to calculate the VPN encapsulation overhead but instead will set the MSS to + limit the size of the payload IP packets to the specified number. IPv4 packets + will have the MSS value lowered to mssfix - 40 and IPv6 packets to mssfix - 60. + if ``--mssfix`` is specified is specified without any parameter it inherits the parameters of ``--fragment`` if specified or uses the default for ``--mssfix`` otherwise. diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 25b264059..22f9fcf2f 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c 
@@ -289,6 +289,14 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi) { + if (options->ce.mssfix_fixed) + { + /* we subtract IPv4 and TCP overhead here, mssfix method will add the + * extra 20 for IPv6 */ + frame->mss_fix = options->ce.mssfix - (20 + 20); + return; + } + unsigned int overhead, payload_overhead; overhead = frame_calculate_protocol_header_size(kt, options, false); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7ce0ba613..2bf711fd0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1515,6 +1515,7 @@ show_connection_entry(const struct connection_entry *o) #endif SHOW_INT(mssfix); SHOW_BOOL(mssfix_encap); + SHOW_BOOL(mssfix_fixed); SHOW_INT(explicit_exit_notification); @@ -2937,19 +2938,24 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } else #endif - if (ce->tun_mtu_defined && o->ce.tun_mtu == TUN_MTU_DEFAULT) + if (ce->tun_mtu_defined) { - /* We want to only set mssfix default value if we use a default - * MTU Size, otherwise the different size of tun should either - * already solve the problem or mssfix might artifically make the - * payload packets smaller without mssfix 0 */ - ce->mssfix = MSSFIX_DEFAULT; - ce->mssfix_encap = true; - } - else - { - msg(D_MTU_INFO, "Note: not enabling mssfix for non-default value " - "of --tun-mtu"); + if (o->ce.tun_mtu == TUN_MTU_DEFAULT) + { + /* We want to only set mssfix default value if we use a default + * MTU Size, otherwise the different size of tun should either + * already solve the problem or mssfix might artifically make the + * payload packets smaller without mssfix 0 */ + ce->mssfix = MSSFIX_DEFAULT; + ce->mssfix_encap = true; + } + else + { + /* We still apply the mssfix value but only adjust it to the + * size of the tun interface. */ + ce->mssfix = ce->tun_mtu; + ce->mssfix_fixed = true; + } } } 
@@ -6844,7 +6850,7 @@ add_option(struct options *options, if (p[1]) { /* value specified, assume encapsulation is not - * included unles "mtu" follows later */ + * included unless "mtu" follows later */ options->ce.mssfix = positive_atoi(p[1]); options->ce.mssfix_encap = false; options->ce.mssfix_default = false; @@ -6854,12 +6860,17 @@ add_option(struct options *options, /* Set MTU to default values */ options->ce.mssfix_default = true; options->ce.mssfix_encap = true; + options->ce.mssfix_fixed = false; } if (p[2] && streq(p[2], "mtu")) { options->ce.mssfix_encap = true; } + else if (p[2] && streq(p[2], "fixed")) + { + options->ce.mssfix_fixed = true; + } else if (p[2]) { msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 9c25fbafd..75f3bb264 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -131,6 +131,7 @@ struct connection_entry bool mssfix_default; /* true if --mssfix should use the default parameters */ bool mssfix_encap; /* true if --mssfix had the "mtu" parameter to include * overhead from IP and TCP/UDP encapsulation */ + bool mssfix_fixed; /* use the mssfix value without any encapsulation adjustments */ int explicit_exit_notification; /* Explicitly tell peer when we are exiting via OCC_EXIT or [RESTART] message */
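Review bot: the synopsis in the first link-options.rst hunk adds `mssfix max [fixed]` next to `mssfix max [mtu]` but never says that the two modifiers are mutually exclusive, which is what the `else if` chain in add_option enforces; a sentence such as "``mtu`` and ``fixed`` cannot be combined" would avoid readers trying both. The new default ``1492 mtu`` is also only the default when ``--tun-mtu`` is left at its default value, since the options.c change substitutes the tun-mtu value otherwise, and the text should say so.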
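Review bot: in the second link-options.rst hunk the sentence "limit the size of the payload IP packets to the specified number" is vague about the unit; say "to ``max`` bytes (total IP packet length)" so it lines up with the mssfix - 40 / mssfix - 60 figures that follow, which do match the `(20 + 20)` in mss.c. Since this hunk already touches the surrounding paragraph, the retained context line "if ``--mssfix`` is specified is specified without any parameter" carries a doubled "is specified" and a lowercase sentence start that could be fixed in the same patch.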
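Review bot: `frame->mss_fix = options->ce.mssfix - (20 + 20);` in the mss.c hunk has no lower bound, so a value of 40 or less, and in particular `--mssfix 0 fixed`, which the man page documents as disabling mssfix, produces a zero or negative mss_fix that is then handed to the MSS rewriting code. Suggest rejecting values below the 40-byte IPv4+TCP overhead at option-parsing time (the IPv6 path adds another 20) or checking `mssfix == 0` before this early return; the `return` also skips everything the rest of frame_calculate_mssfix does, which deserves a comment stating that no further clamping applies in fixed mode.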
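Review bot: in the options_postprocess_mutate_ce hunk the condition tests `o->ce.tun_mtu == TUN_MTU_DEFAULT` while the new else branch assigns `ce->mssfix = ce->tun_mtu`; when `ce` is a `<connection>` block entry rather than `o->ce`, these can be different MTUs, so the comparison should use `ce->tun_mtu` as well. The retained comment "We want to only set mssfix default value if we use a default MTU Size ..." now describes only the first branch and should be reworded (and "artifically" corrected), and since the removed `msg(D_MTU_INFO, "Note: not enabling mssfix ...")` silently becomes "mssfix is set to the tun-mtu value", a replacement D_MTU_INFO message would help users with a non-default --tun-mtu understand the changed behaviour.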
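Review bot: in the second add_option hunk `mssfix_fixed` is reset only in the no-parameter branch (`options->ce.mssfix_fixed = false;` next to `mssfix_default = true`), not in the value-specified branch above it that already does `options->ce.mssfix_encap = false;`, so a later `--mssfix 1400` after an earlier `--mssfix 1400 fixed` (a second occurrence in the config or a `<connection>` block) keeps `mssfix_fixed` set. Add `options->ce.mssfix_fixed = false;` beside `options->ce.mssfix_encap = false;` so each --mssfix occurrence starts from a known state; with that in place the `mtu` and `fixed` branches are correctly exclusive.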
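Review bot: the comment on the new `mssfix_fixed` field in the options.h hunk should say that it is mutually exclusive with `mssfix_encap` and that it wins when set (frame_calculate_mssfix returns before the encapsulation calculation), so the interaction of the three mssfix flags is readable from the struct alone; the line also runs past 80 columns while the neighbouring `mssfix_encap` comment wraps onto a second line.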