From patchwork Sat Feb 1 06:24:37 2025
X-Patchwork-Submitter: Qingfang Deng
X-Patchwork-Id: 4115
From: Qingfang Deng
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Feb 2025 14:24:37 +0800
Message-ID: <20250201062437.4059652-1-dqfext@gmail.com>
Subject: [Openvpn-devel] [PATCH v2] dco: fix source IP selection

When multihome option is enabled, OpenVPN passes ipi_addr to DCO, which is
always 0.0.0.0. It should use ipi_spec_dst instead.

When local option is present, OpenVPN does not pass it to DCO. As a result,
Linux may pick a different IP as the source IP, breaking the connection.

Signed-off-by: Qingfang Deng
---
v2: fix code style reported by CI

Discussions: https://github.com/OpenVPN/openvpn/pull/668

 src/openvpn/dco.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index b5a21369..eef49ade 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c
@@ -493,6 +493,7 @@ dco_p2p_add_new_peer(struct context *c) ASSERT(sock->info.connection_established); struct sockaddr *remoteaddr = &sock->info.lsa->actual.dest.addr.sa; + struct sockaddr *localaddr = NULL; struct tls_multi *multi = c->c2.tls_multi; #ifdef TARGET_FREEBSD /* In Linux in P2P mode the kernel automatically removes an existing peer @@ -503,8 +504,12 @@ dco_p2p_add_new_peer(struct context *c) c->c2.tls_multi->dco_peer_id = -1; } #endif + if (sock->bind_local && sock->info.lsa->bind_local) { + localaddr = sock->info.lsa->bind_local->ai_addr; + } + int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, - c->c2.link_sockets[0]->sd, NULL, remoteaddr, NULL, NULL); + c->c2.link_sockets[0]->sd, localaddr, remoteaddr, NULL, NULL); if (ret < 0) { return ret; @@ -550,7 +555,7 @@ dco_multi_get_localaddr(struct multi_context *m, struct multi_instance *mi, { struct sockaddr_in *sock_in4 = (struct sockaddr_in *)local; #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) - sock_in4->sin_addr = actual->pi.in4.ipi_addr; + sock_in4->sin_addr = actual->pi.in4.ipi_spec_dst; #elif defined(IP_RECVDSTADDR) sock_in4->sin_addr = actual->pi.in4; #else @@ -616,10 +621,15 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) vpn_addr6 = &c->c2.push_ifconfig_ipv6_local; } + struct link_socket *ls = c->c2.link_sockets[0]; if (dco_multi_get_localaddr(m, mi, &local)) { localaddr = (struct sockaddr *)&local; } + else if (ls->bind_local && ls->info.lsa->bind_local) + { + localaddr = ls->info.lsa->bind_local->ai_addr; + } int ret = dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr, remoteaddr, vpn_addr4, vpn_addr6);
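Review bot: In dco_p2p_add_new_peer (hunk at -503,8), localaddr is taken from sock->info.lsa->bind_local->ai_addr without comparing its address family to remoteaddr->sa_family, and if bind_local is an addrinfo list only its first entry is used. If the two families can differ, check before passing localaddr to dco_new_peer() and leave it NULL otherwise. The opening brace on the `if (sock->bind_local && sock->info.lsa->bind_local) {` line also differs from the brace-on-next-line form used for the else if added in dco_multi_add_new_peer.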
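Review bot: The switch to ipi_spec_dst in dco_multi_get_localaddr (hunk at -550,7) carries no comment, and the reason given in the commit message (ipi_addr is always 0.0.0.0 here) is not visible in the code. A one-line comment above `sock_in4->sin_addr = actual->pi.in4.ipi_spec_dst;` saying which pktinfo field holds the local address would keep a later cleanup from reverting it. The `#elif defined(IP_RECVDSTADDR)` branch is unchanged, so the commit message could say whether that path was checked as well.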
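Review bot: The else-if fallback in dco_multi_add_new_peer (hunk at -616,10) repeats the check added to dco_p2p_add_new_peer: the same `bind_local && info.lsa->bind_local` test followed by `bind_local->ai_addr`. A small helper that takes a struct link_socket * and returns the sockaddr or NULL would keep the two call sites in step. The fallback also runs only when dco_multi_get_localaddr() returns false, so the multihome address takes precedence over the local option; a short comment stating that this order is intended would help the next reader.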