| Message ID | 20251208194023.17193-1-gert@greenie.muc.de |
|---|---|
| State | New |
| Headers |
From: Gert Doering <gert@greenie.muc.de>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 8 Dec 2025 20:40:18 +0100
Message-ID: <20251208194023.17193-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
In-Reply-To:
<gerrit.1764812658000.I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a@gerrit.openvpn.net>
References:
<gerrit.1764812658000.I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a@gerrit.openvpn.net>
Content preview: From: Selva Nair <selva.nair@gmail.com> Pull-filter uses a simple string comparison and could be defeated by unusual formatting of pushed option strings. Document that this option is not meant to be used as a security measure.
Subject: [Openvpn-devel] [PATCH v2] pull-filter: improve documentation
|
| Series |
[Openvpn-devel,v2] pull-filter: improve documentation
|
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index e8523d9..17f0a6a 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -345,6 +345,14 @@ next remote succeeds. To silently ignore an option pushed by the server, use :code:`ignore`. + *Warning:* ``pull-filter`` cannot be relied upon as a security measure to + protect against offending options pushed by a server. For example, the + filter could be defeated by pushing options with extra spaces between + tokens or other formatting variations. In such situations, an "allow-list" + approach using specific ``pull-filter accept`` directives followed by a + generic ``pull-filter ignore`` should be preferred over a "deny-list" + approach. This improves robustness but does not guarantee security. + --push-peer-info Push additional information about the client to server. The following data is always pushed to the server:
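Review bot: The new warning paragraph in doc/man-sections/client-options.rst recommends "specific ``pull-filter accept`` directives followed by a generic ``pull-filter ignore``" but never shows such a sequence, and "generic" is left undefined, so a reader cannot tell which text argument makes the final ignore catch everything that was not explicitly accepted. Since the same paragraph says that extra spaces between tokens or other formatting variations defeat the filter, please add a short two- or three-line example of the intended accept/ignore sequence and state explicitly that the order of the directives matters. The closing sentence ("This improves robustness but does not guarantee security.") would also be stronger if it said why; is it because the accept directives are subject to the same string comparison? Minor style point: the unchanged context line above uses :code:`ignore` while the added text uses double-backtick literals, so pick one form for consistency within the section.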