From patchwork Tue Dec 27 02:24:01 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2946
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 27 Dec 2022 03:24:01 +0100
Message-Id: <20221227022404.3468137-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2 1/4] Ensure we do not promote a TA_TIMEOUT to a TA_READ event with dco

With dco sometimes we end up promoting a timeout event to a read event. For the
residual read, this problem is probably not solvable without changing the
kernel DCO API (i.e. passing our residual on new_peer to let the kernel handle
assembling the next packet.)

Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 24 ------------------------ src/openvpn/forward.h | 30 ++++++++++++++++++++++++++++++ src/openvpn/mtcp.c | 12 +++++++++++- 3 files changed, 41 insertions(+), 25 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index af4ed05da..61caf1146 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1676,30 +1676,6 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) } } -/* - * Linux DCO implementations pass the socket to the kernel and - * disallow usage of it from userland for TCP, so (control) packets - * sent and received by OpenVPN need to go through the DCO interface. - * - * Windows DCO needs control packets to be sent via the normal - * standard Overlapped I/O. - * - * FreeBSD DCO allows control packets to pass through the socket in both - * directions. - * - * Hide that complexity (...especially if more platforms show up - * in the future...) in a small inline function. - */ -static inline bool -should_use_dco_socket(struct link_socket *ls) -{ -#if defined(TARGET_LINUX) - return ls->dco_installed && proto_is_tcp(ls->info.proto); -#else - return false; -#endif -} - /* * Input: c->c2.to_link */ diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index bd2d96010..5cddb5995 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
@@ -424,4 +424,34 @@ connection_established(struct context *c) } } + +/** + * @param ls the link_socket the decision should be made for + * @return if we should use the dco kernel api or normal socket APIs for + * write/send + * + * + * Linux DCO implementations pass the socket to the kernel and + * disallow usage of it from userland for TCP, so (control) packets + * sent and received by OpenVPN need to go through the DCO interface. + * + * Windows DCO needs control packets to be sent via the normal + * standard Overlapped I/O. + * + * FreeBSD DCO allows control packets to pass through the socket in both + * directions. + * + * Hide that complexity (...especially if more platforms show up + * in the future...) in a small inline function. + */ +static inline bool +should_use_dco_socket(const struct link_socket *ls) +{ +#if defined(TARGET_LINUX) + return ls->dco_installed && proto_is_tcp(ls->info.proto); +#else + return false; +#endif +} + #endif /* FORWARD_H */ diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index ac06ddc64..519630544 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -407,7 +407,7 @@ multi_tcp_wait_lite(struct multi_context *m, struct multi_instance *mi, const in /* If we got a socket that has been handed over to the kernel * we must not call the normal socket function to figure out * if it is readable or writable */ - /* Assert that we only have the DCO exptected flags */ + /* Assert that we only have the DCO expected flags */ ASSERT(action & (TA_SOCKET_READ | TA_SOCKET_WRITE)); /* We are always ready! */ 
@@ -586,6 +586,16 @@ multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int act case MTP_NONE: if (mi && socket_read_residual(c->c2.link_socket)) { + if (should_use_dco_socket(c->c2.link_socket)) + { + struct gc_arena gc = gc_new(); + msg(M_INFO, "ovpn-dco installed socket with residual read " + "len=%d, mi=%s. This connection will probably" + " break.", BLEN(&c->c2.link_socket->stream_buf.residual), + multi_instance_string(mi, false, &gc)); + gc_free(&gc); + break; + } newaction = TA_SOCKET_READ_RESIDUAL; } else
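
Review bot: in the forward.h hunk, the @return line ("if we should use the dco kernel api or normal socket APIs for write/send") does not say which return value means which, and it limits the helper to write/send although the mtcp.c hunk of this same patch calls it on the residual-read path. Suggest wording along the lines of "@return true if I/O on this socket has to go through the DCO kernel API, false if the normal socket APIs are used" and dropping "for write/send". The two consecutive empty " *" lines after @return can be reduced to one. Since the function is now a static inline in a header, every file that includes forward.h needs struct link_socket and proto_is_tcp() declared before this point, so it is worth confirming that forward.h pulls in what it needs itself.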
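
Review bot: in the multi_tcp_wait_lite hunk, the corrected comment still says the ASSERT checks that we "only" have the DCO expected flags, but ASSERT(action & (TA_SOCKET_READ | TA_SOCKET_WRITE)) passes whenever at least one of those bits is set in action, whatever else is set. Either reword the comment to match the check or tighten the check by comparing action against the allowed values explicitly. The subject line is about a TA_TIMEOUT being promoted to a read, yet none of the visible hunks changes how a timeout action is handled and this hunk changes only the comment, so the commit message should say where the timeout case is dealt with.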
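
Review bot: in the multi_tcp_post hunk, the new break inside case MTP_NONE leaves the switch without assigning newaction, so the outcome depends on how newaction was initialised, which these lines do not show. A short comment stating the intended resulting action, or an explicit assignment before the break, would make that clear. The message announces that the connection "will probably break" but is logged at M_INFO; M_WARN fits better, and if this path can be reached repeatedly for the same instance the message should be emitted once or rate-limited.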