From patchwork Mon Mar 24 18:27:26 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4192
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 24 Mar 2025 19:27:26 +0100
Message-ID: <20250324182735.12657-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH v1] Make 'lport 0' no longer sufficient to do '--bind'.

'lport ' used to trigger 'do socket bind', which is not useful in itself for the 'lport 0' case (port 0 -> OS assigns a random port, as it is done for unbound sockets) unless also binding to a particular local IP address ('--local 192.0.2.1').
The trigger for 'lport has been used, do socket bind' is ce.local_port_defined -> change the code to test for "0", and only set this for non-0 ports (NOTE: this is a string match, so if you really really want the old "lport 0" behaviour, using "lport 00" still does that...).

The ce.local_port value is still set, so '--lport 0' together with '--local 192.0.2.1' will give you a random port number bound to that IP address - without 'lport 0' it would default to 1194 or the value of '--port' (if not using '--rport').

Summary: socket bind is now only done if one of these is set
- --port with not "0"
- --bind (default on the client is "--nobind")
- --local
Change-Id: I1976307a7643c82f31d55ca32c79cbe64b6fffc6 Signed-off-by: Gert Doering Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/916 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index d48021e..287473e 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -122,7 +122,9 @@ --lport port Set default TCP/UDP port number. Cannot be used together with - ``--nobind`` option. + ``--nobind`` option. A port number of ``0`` is only honoured to + achieve "bind() to a random assigned port number" if a bind-to IP + address is specified with ``--local``. --mark value Mark encrypted packets being sent with ``value``. The mark value can be diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ab56609..99dd60a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6710,7 +6710,12 @@ else if (streq(p[0], "lport") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); - options->ce.local_port_defined = true; + + /* only trigger bind() if port is not 0 (or --local is used) */ + if (!streq(p[1], "0")) + { + options->ce.local_port_defined = true; + } options->ce.local_port = p[1]; } else if (streq(p[0], "rport") && p[1] && !p[2])
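Review bot: The new sentence in the ``--lport`` description of link-options.rst names only ``--local`` as the condition under which ``0`` is honoured, but the summary in the commit message lists ``--bind`` as a second trigger for the socket bind, so ``--lport 0 --bind`` would also give an OS-assigned port; suggest "if ``--local`` or ``--bind`` is also given" so the manual and the parser agree. It would also help to state in the manual that the ``0`` check is a literal string match (``00`` is not treated as ``0``), since that caveat currently lives only in the commit message.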
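Review bot: In the options.c hunk, `if (!streq(p[1], "0"))` is a literal string comparison, so `--lport 00` or any other spelling of zero still sets `local_port_defined` and re-enables the old bind behaviour, as the commit message itself admits; unless that escape hatch is intended, the check should go through the same numeric port parsing the value is subjected to later, so that every value that parses to 0 is treated alike. The added comment "(or --local is used)" is also misleading here, since nothing in this hunk looks at `--local`; saying that `--local` and `--bind` trigger the bind on their own would stop a reader from searching this branch for a `--local` case.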
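The commit message rests on two kernel facts: an unbound socket has no port yet, and bind() with port 0 makes the OS pick an ephemeral port tied to the given address, which is why `--lport 0` only means something together with `--local`. The following is an added example, not code from the OpenVPN patch or project, that shows both facts with getsockname() on loopback UDP sockets and models the patched decision rule from the commit message's summary in a small function; `bind_requested()` is a simplified stand-in for the real option parser, and the local IP `127.0.0.1` is an assumption chosen so the program runs on any host.

```c
/* Added example (not from the OpenVPN patch): what bind() with port 0
 * actually does, and the string-compare rule the patch introduces.
 * Build on Linux/BSD with: cc -Wall -o lport0 lport0.c */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Port the kernel currently reports for a socket, or -1 on error. */
static int query_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        return -1;
    }
    return ntohs(sa.sin_port);
}

/* Case "no --lport / no --local": a UDP socket that is never bound.
 * The kernel has not assigned a port yet, so 0 is reported. */
int port_of_unbound_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        return -1;
    }
    int port = query_port(fd);
    close(fd);
    return port;
}

/* Case "--local <ip> --lport 0": bind() to the given IP with port 0
 * makes the kernel choose an ephemeral port right away, and the socket
 * is now tied to that address.  Returns the assigned port or -1. */
int port_after_bind_zero(const char *local_ip)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        return -1;
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);            /* port 0: let the OS choose */
    if (inet_pton(AF_INET, local_ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        close(fd);
        return -1;
    }
    int port = query_port(fd);
    close(fd);
    return port;
}

/* Simplified model (assumption, not OpenVPN's parser) of the rule in the
 * commit message: bind only if --lport was given with a value other than
 * the literal string "0", or --bind, or --local.  Because this is a
 * string compare, "00" still counts as a defined port. */
int bind_requested(const char *lport, int bind_flag, const char *local)
{
    int port_defined = lport != NULL && strcmp(lport, "0") != 0;
    return port_defined || bind_flag || local != NULL;
}

int main(void)
{
    printf("unbound socket reports port %d\n", port_of_unbound_socket());
    printf("bind(127.0.0.1:0) was assigned port %d\n",
           port_after_bind_zero("127.0.0.1"));
    printf("--lport 0 alone        -> bind? %d\n", bind_requested("0", 0, NULL));
    printf("--lport 0 --local ...  -> bind? %d\n", bind_requested("0", 0, "127.0.0.1"));
    printf("--lport 00 alone       -> bind? %d\n", bind_requested("00", 0, NULL));
    return 0;
}
```

Running it shows the unbound socket at port 0 and a non-zero ephemeral port after binding to 127.0.0.1:0, and the model function reproduces both the intended behaviour and the `00` escape hatch the commit message mentions.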