From patchwork Mon Jul 18 12:19:23 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2591
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Tue, 19 Jul 2022 00:19:23 +0200
Message-Id: <20220718221923.2033-1-a@unstable.cc>
In-Reply-To: <20220624083809.23487-9-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v2 08/25] dco: allow user to disable it at runtime
Signed-off-by: Antonio Quartulli Acked-by: Gert Doering --- Changes from v1: * removed "--dco-disable" option: we just need "--disable-dco" * added text to manpage about --client-to-client being no-op * added text to manpage about --disable-dco * rebased on top of master+"dco: add option check - disable DCO if conflict is detected" doc/man-sections/generic-options.rst | 9 +++++++++ doc/man-sections/server-options.rst | 4 ++++ src/openvpn/options.c | 24 ++++++++++++++++++++++++ 3 files changed, 37 insertions(+) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 9060a235..394c2186 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -171,6 +171,15 @@ which mode OpenVPN is configured as. on console) and ``--auth-nocache`` will fail as soon as key renegotiation (and reauthentication) occurs. +--disable-dco + Disable "data channel offload" (DCO). + + On Linux don't use the ovpn-dco device driver, but rather rely on the + legacy tun module. + + You may want to use this option if your server needs to allow clients + older than version 2.4 to connect. + --disable-occ Disable "options consistency check" (OCC). diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 08ee7bd3..04f4b4fb 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -146,6 +146,10 @@ fast hardware. SSL/TLS authentication must be used in this mode. server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules. + Please note that when using data channel offload this option has no + effect. Packets are always sent to the tunnel interface and then + routed based on the system routing table. + --disable Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client due to key or password 
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7b919a1e..d864c6e2 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -61,6 +61,7 @@ #include "ssl_verify.h" #include "platform.h" #include "xkey_common.h" +#include "dco.h" #include #include "memdbg.h" @@ -106,6 +107,9 @@ const char title_string[] = #endif #endif " [AEAD]" +#ifdef ENABLE_DCO + " [DCO]" +#endif " built on " __DATE__ ; @@ -177,6 +181,9 @@ static const char usage_message[] = " does not begin with \"tun\" or \"tap\".\n" "--dev-node node : Explicitly set the device node rather than using\n" " /dev/net/tun, /dev/tun, /dev/tap, etc.\n" +#if defined(ENABLE_DCO) && defined(TARGET_LINUX) + "--disable-dco : Do not attempt using Data Channel Offload.\n" +#endif "--lladdr hw : Set the link layer address of the tap device.\n" "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n" #ifdef ENABLE_IPROUTE @@ -1785,6 +1792,9 @@ show_settings(const struct options *o) SHOW_STR(dev); SHOW_STR(dev_type); SHOW_STR(dev_node); +#if defined(ENABLE_DCO) && defined(TARGET_LINUX) + SHOW_BOOL(tuntap_options.disable_dco); +#endif SHOW_STR(lladdr); SHOW_INT(topology); SHOW_STR(ifconfig_local); @@ -3401,6 +3411,14 @@ options_postprocess_verify(const struct options *o) } dns_options_verify(M_FATAL, &o->dns_options); + + if (dco_enabled(o) && o->enable_c2c) + { + msg(M_WARN, "Note: --client-to-client has no effect when using data " + "channel offload: packets are always sent to the VPN " + "interface and then routed based on the system routing " + "table"); + } } /** @@ -5839,6 +5857,12 @@ add_option(struct options *options, options->windows_driver = parse_windows_driver(p[1], M_FATAL); } #endif + else if (streq(p[0], "disable-dco")) + { +#if defined(TARGET_LINUX) + options->tuntap_options.disable_dco = true; +#endif + } else if (streq(p[0], "dev-node") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL);
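Review bot: the generic-options.rst hunk documents --disable-dco as a Linux option ("On Linux don't use the ovpn-dco device driver"), but the matching add_option branch accepts the keyword on every platform and only sets tuntap_options.disable_dco under TARGET_LINUX, so elsewhere it is a silent no-op; either say so in the manpage text or have the non-Linux path emit a warning, so a user on another platform is not left believing DCO was disabled.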
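Review bot: the server-options.rst hunk and the new M_WARN message in options_postprocess_verify describe the same behaviour with different terms ("tunnel interface" in the manpage, "VPN interface" in the warning); pick one phrase for both so a user grepping for the warning text finds the manpage paragraph.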
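Review bot: the show_settings hunk guards SHOW_BOOL(tuntap_options.disable_dco) with `#if defined(ENABLE_DCO) && defined(TARGET_LINUX)`, while the add_option hunk assigns the same field under `#if defined(TARGET_LINUX)` only. If the field is declared only when ENABLE_DCO is set, a Linux build without DCO fails to compile the add_option branch; if it is declared unconditionally, the two guards should still match. Suggest using the same `defined(ENABLE_DCO) && defined(TARGET_LINUX)` condition in add_option.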
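Review bot: in the options_postprocess_verify hunk, dco_enabled(o) is called without any ENABLE_DCO guard, so dco.h must provide a definition (or stub returning false) for builds without DCO; please confirm that is the case, otherwise non-DCO builds break at link time. Placing the --client-to-client check here rather than at parse time is right, since it runs after --disable-dco and the conflict check from the previous patch have been applied.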
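Review bot: the add_option hunk for "disable-dco" lacks the VERIFY_PERMISSION(OPT_P_GENERAL) call that the neighbouring "dev-node" branch has, so the option is not restricted to the contexts where general options are allowed, and it does no argument check, so `--disable-dco foo` is accepted silently where "dev-node" insists on `p[1] && !p[2]`. Suggest `else if (streq(p[0], "disable-dco") && !p[1])` followed by `VERIFY_PERMISSION(OPT_P_GENERAL);` before the TARGET_LINUX block.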