[Openvpn-devel,v3] pull-filter: improve documentation

Message ID	20251209070218.4467-1-gert@greenie.muc.de
State	New
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; From: Gert Doering <gert@greenie.muc.de> To: openvpn-devel@lists.sourceforge.net Date: Tue, 9 Dec 2025 08:02:11 +0100 Message-ID: <20251209070218.4467-1-gert@greenie.muc.de> In-Reply-To: <gerrit.1764812658000.I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a@gerrit.openvpn.net> References: <gerrit.1764812658000.I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a@gerrit.openvpn.net> MIME-Version: 1.0 preview: From: Selva Nair <selva.nair@gmail.com> Pull-filter uses a simple string comparison and could be defeated by unusual formatting of pushed option strings. Document that this option is not meant to be used as a security measure. Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS Subject: [Openvpn-devel] [PATCH v3] pull-filter: improve documentation Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel,v3] pull-filter: improve documentation \| expand [Openvpn-devel,v3] pull-filter: improve documentation

Message ID

20251209070218.4467-1-gert@greenie.muc.de

State

New

Headers

Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
From: Gert Doering <gert@greenie.muc.de>
To: openvpn-devel@lists.sourceforge.net
Date: Tue,  9 Dec 2025 08:02:11 +0100
Message-ID: <20251209070218.4467-1-gert@greenie.muc.de>
In-Reply-To: 
 <gerrit.1764812658000.I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a@gerrit.openvpn.net>
References: 
 <gerrit.1764812658000.I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a@gerrit.openvpn.net>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v3] pull-filter: improve documentation
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel,v3] pull-filter: improve documentation | expand

Commit Message

Gert Doering Dec. 9, 2025, 7:02 a.m. UTC

From: Selva Nair <selva.nair@gmail.com>

Pull-filter uses a simple string comparison and could be defeated by
unusual formatting of pushed option strings. Document that this
option is not meant to be used as a security measure.

Reported by: <aarnav@srlabs.de>

Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>

Comments

Gert Doering Dec. 9, 2025, 9 a.m. UTC | #1

Thanks :-)

For the other readers: this is a documentation-only update, intending to
emphasize that "pull-filter" is not a secure solution (in the sense of
"a malicious server can not find ways around it") to filter options sent
by a, well, untrusted server.  "Connecting to a server you do not fully
trust" is not unheard-of - consulting customers passing on a VPN config
to access to-be-consulted systems, but you do not want to send them any
other traffic.  Usually those are not actively malicious, though...

Your patch has been applied to the master and release/2.6 branch.

commit d3e03b9a97177f62d31697f2b4b453295ee30e60 (master)
commit f8f1e1afac1a30ef7311bf75716421e08466780e (release/2.6)
Author: Selva Nair
Date:   Tue Dec 9 08:02:11 2025 +0100

     pull-filter: improve documentation

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415
     Message-Id: <20251209070218.4467-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34930.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index e8523d9..4841756 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -345,6 +345,11 @@ 
   next remote succeeds. To silently ignore an option pushed by the server,
   use :code:`ignore`.
 
+  *Warning:* ``pull-filter`` cannot be relied upon as a security measure to
+  protect against offending options pushed by a server. For example, the
+  filter could be defeated by pushing options with extra spaces between
+  tokens or other formatting variations.
+
 --push-peer-info
   Push additional information about the client to server. The following
   data is always pushed to the server:

[Openvpn-devel,v3] pull-filter: improve documentation

Commit Message

Comments

Patch