From patchwork Thu May 14 09:52:06 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marco Baffo X-Patchwork-Id: 4939 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:a719:b0:84a:48f:a1fd with SMTP id hl25csp3721096mab; Thu, 14 May 2026 02:52:31 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ93ZGrJ525FURfIlt6H9UhP39uQK1bTq6jq/ayzBqPD42a+qbhOFv5T9fB2hDOWfkQBI+ESsEBDg3A=@openvpn.net X-Received: by 2002:a05:6870:e087:b0:417:837:635c with SMTP id 586e51a60fabf-439ce469444mr4010641fac.36.1778752351662; Thu, 14 May 2026 02:52:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1778752351; cv=none; d=google.com; s=arc-20240605; b=b1a0igtnrToF5c0E/WLTiHiNEuZFL+/1sG0uC9/tIV0z6sfN/vRzERR76MdDe/ccYQ O+RtRGlP0+LQ8wd3PE3hf4uN7cU+F0nLe/w606Kso4WUSHdDnfw3Y6ZtPX3DuSEp77dK CBk0xUwWiouCRq841DoR92SrMWR+KeNgpPIiGnaaYUWZ3YNKVofsQ2LGBJC5LKJxNZBh L2w5sjT5i1jTquYdbxLJLLBad7mrvJmdhxvQnFMP5M3+478/4dKfO0jZ0zHvcFMRXor3 fkNlrcYh/bDwSTSrZ3Hqviy2s3+Gc6GxzMiXRjJ6SasP19nu1CG0gU0XkHe7QngdYKQt J/Rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature :dkim-signature:dkim-signature; bh=nYPfviBhpdars/82kX5Kvjh84ci2Rsf0Lnk+X9DUfX0=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=gaANUJugaW6w13WHgWqoWK5uyUK337jQxd8E4COYylHXxosE+5+EcMcPmeLKe2fPc+ L/Aqfv2eTE9QKnOe2GQJZZAmIi74973VOpon2EJ2ex32sMiUtsVqPLA66PMqxLoDy+aI uxVO6ZG+EkKDmuwCt2w70oLh8ZIqqvVTMqAelaomlOa8qVJaMh0cHatMHkuUOBt23hQv JcJLFvE4908ASjGL6BsYXRqB4S8oZ8ulVoIDQhj5m51+4anbPguUFryminMKKN0HNkHI 7CRnykhtsIPaIGuw9u+ikO2ugtnPu5NQMVl0AwbwujxejGC1ty0Q91Azh/mqfZMD3Hx4 qdsg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=etc+WUzh; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="Yl8YC2K/"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=iGMkiwqP; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=pc8gdPOG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-439fc70bdb3si1551534fac.257.2026.05.14.02.52.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 May 2026 02:52:31 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=etc+WUzh; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="Yl8YC2K/"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=iGMkiwqP; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=pc8gdPOG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:Message-ID:Date:To:From:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Owner; bh=nYPfviBhpdars/82kX5Kvjh84ci2Rsf0Lnk+X9DUfX0=; b=etc+WUzhnNCAY3q+Hv5IB0cKS/ Y4KEkLHgOJOhGD9uoP+sgwYlrjVyFNmrlf+K0OnD4pNv1G/x7Kz9JrR67XdPPvGjFx0Q2bkNCBhdL YYsgYBQ+z2HEE9QU428Op+c/bPPGdmDPggPmuASi3aeMg4ML45xBy/Bglfrlc+YVM/Gg=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wNSk2-00048M-RF; Thu, 14 May 2026 09:52:28 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wNSk1-00048F-Tu for openvpn-devel@lists.sourceforge.net; Thu, 14 May 2026 09:52:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=uzGT369//u6C/Hbi08SGx7199+8q5nnjhOf/9KTiyck=; b=Yl8YC2K/cWARi5YiPhKM+bMuKn R24zUQtkZeovr4OvplYrL81V3EYh11j9Fpm7/ls72tXDDv/qnhM5FoVNkDhbKxvvSom9EzK7cJLbV fGAIDnbLMBm+WuWTwNTm7FDSIf06lBAvgZPbyoW2mZ4I8kTwGLA4ysnLssY9xzWvNUt8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=uzGT369//u6C/Hbi08SGx7199+8q5nnjhOf/9KTiyck=; b=i GMkiwqPa1caQzuTY4UhQPrvhp4Z27uvVfMtyjYHbBm/XN8IW9PUolk7rOIjmL6I4hAvbiPj4929BD Nv0BH2ku0ONOqHDLlAOsDWhknjqjeoF0BOZY/y9GXdpomjzqR5NmhXY8NTCxSBsGvCK/l94GLHvHx gGt50CSanAUGKbr0=; Received: from mout-b-106.mailbox.org ([195.10.208.46]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wNSjx-0004Tl-Eu for openvpn-devel@lists.sourceforge.net; Thu, 14 May 2026 09:52:27 +0000 Received: from smtp102.mailbox.org (smtp102.mailbox.org [10.196.197.102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-106.mailbox.org (Postfix) with ESMTPS id 4gGQbf1ZVxzDsJT; Thu, 14 May 2026 11:52:14 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1778752334; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=uzGT369//u6C/Hbi08SGx7199+8q5nnjhOf/9KTiyck=; b=pc8gdPOGk14J7DICjJty653PpmrU/evFOxvZys9vq0e0cBHzIRDG7O9jYoVQGLTdiHFji7 5D5VzhQ8DjW6VWuo+H5a6+fM4lfeJPSSFGj+xLBgKHjPxRDk1CSZbD4Sytkmsvu2FLxeeJ AzirrlUtyPO5Lh95MwZsJyffHmuet7cS59SiSLqmCLq5kZZkAtcmFG6c4CSr4Rg+UMOz8S gf8Vhl6NsJVf5ow16ItVtKeO6BXJjkfjT/usGWSvsWeMgYx7/4vkzXqzdZr5T1rmjAeuH0 fBnhJsQV3nwHdPn7zlP+caj/+82ZCCJGmOlGD1DSjw9k2pl8qei+GiOCCDWl2Q== From: Marco Baffo To: openvpn-devel@lists.sourceforge.net Date: Thu, 14 May 2026 11:52:06 +0200 Message-ID: <20260514095210.288979-1-marco@mandelbit.com> MIME-Version: 1.0 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The ovpn DCO driver currently drops all multicast/broadcast packets because it does not set IFF_MULTICAST and IFF_BROADCAST on the netdevice and always performs a unicast peer lookup in ovpn_net_xmit( [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [195.10.208.46 listed in wl.mailspike.net] X-Headers-End: 1wNSjx-0004Tl-Eu Subject: [Openvpn-devel] [RFC ovpn net-next 1/5] ovpn: add multicast/braodcast packet transmission support X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1865157025538204346?= X-GMAIL-MSGID: =?utf-8?q?1865157025538204346?= The ovpn DCO driver currently drops all multicast/broadcast packets because it does not set IFF_MULTICAST and IFF_BROADCAST on the netdevice and always performs a unicast peer lookup in ovpn_net_xmit(). This prevents multicast routing daemons such as smcroute from using an ovpn interface as a multicast VIF and makes it impossible to forward multicastand broadcast traffic to VPN clients. Add the minimal infrastructure needed to get multicast/broadcast working: - Set IFF_MULTICAST and IFF_BROADCAST in ovpn_setup(). - Detect multicast and broadcast destinations in ovpn_peer_list_get_by_dst() and create a list with the target peers. - Introduce ovpn_skb_list_clone() to clone GSO segment lists and replicate the packet to every connected peer in ovpn_net_xmit(). For now multicast traffic is flooded to all peers. A future enhancement will replace the flood with a subscription table driven by IGMP snooping. Signed-off-by: Marco Baffo --- drivers/net/ovpn/io.c | 57 ++++++++++++++++++++++++++----- drivers/net/ovpn/main.c | 2 +- drivers/net/ovpn/peer.c | 76 ++++++++++++++++++++++++++++++++--------- drivers/net/ovpn/peer.h | 5 +-- 4 files changed, 112 insertions(+), 28 deletions(-) diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c index 22c555dd962e..acf0907dd445 100644 --- a/drivers/net/ovpn/io.c +++ b/drivers/net/ovpn/io.c @@ -351,15 +351,39 @@ static void ovpn_send(struct ovpn_priv *ovpn, struct sk_buff *skb, ovpn_peer_put(peer); } +static struct sk_buff *ovpn_skb_list_clone(struct sk_buff *skb) +{ + struct sk_buff *copy, *curr, *next, *head = NULL, *prev = NULL; + + skb_list_walk_safe(skb, curr, next) { + copy = skb_clone(curr, GFP_ATOMIC); + if (unlikely(!copy)) { + kfree_skb_list(head); + return NULL; + } + + if (unlikely(!head)) + head = copy; + else + prev->next = copy; + + prev = copy; + } + + return head; +} + /* Send user data to the network */ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev) { struct ovpn_priv *ovpn = netdev_priv(dev); - struct sk_buff *segments, *curr, *next; + struct sk_buff *segments, *curr, *next, *to_send; struct sk_buff_head skb_list; - unsigned int tx_bytes = 0; + struct llist_head mcast_list; + struct llist_node *node, *n; struct ovpn_peer *peer; + unsigned int tx_bytes = 0; __be16 proto; int ret; @@ -372,8 +396,9 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev) goto drop_no_peer; /* retrieve peer serving the destination IP of this packet */ - peer = ovpn_peer_get_by_dst(ovpn, skb); - if (unlikely(!peer)) { + init_llist_head(&mcast_list); + ovpn_peer_list_get_by_dst(ovpn, skb, &mcast_list); + if (unlikely(llist_empty(&mcast_list))) { switch (skb->protocol) { case htons(ETH_P_IP): net_dbg_ratelimited("%s: no peer to send data to dst=%pI4\n", @@ -427,18 +452,34 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev) * incremented the counter for each failure in the loop */ if (unlikely(skb_queue_empty(&skb_list))) { - ovpn_peer_put(peer); + llist_for_each_safe(node, n, mcast_list.first) { + peer = llist_entry(node, struct ovpn_peer, mcast_entry); + ovpn_peer_put(peer); + } return NETDEV_TX_OK; } skb_list.prev->next = NULL; - ovpn_peer_stats_increment_tx(&peer->vpn_stats, tx_bytes); - ovpn_send(ovpn, skb_list.next, peer); + llist_for_each_safe(node, n, mcast_list.first) { + peer = llist_entry(node, struct ovpn_peer, mcast_entry); + + to_send = n ? ovpn_skb_list_clone(skb_list.next) : skb_list.next; + if (likely(to_send)) { + ovpn_peer_stats_increment_tx(&peer->vpn_stats, tx_bytes); + ovpn_send(ovpn, to_send, peer); + } else { + dev_dstats_tx_dropped(ovpn->dev); + ovpn_peer_put(peer); + } + } return NETDEV_TX_OK; drop: - ovpn_peer_put(peer); + llist_for_each_safe(node, n, mcast_list.first) { + peer = llist_entry(node, struct ovpn_peer, mcast_entry); + ovpn_peer_put(peer); + } drop_no_peer: dev_dstats_tx_dropped(ovpn->dev); skb_tx_error(skb); diff --git a/drivers/net/ovpn/main.c b/drivers/net/ovpn/main.c index 2e0420febda0..ee9cb61a090f 100644 --- a/drivers/net/ovpn/main.c +++ b/drivers/net/ovpn/main.c @@ -155,7 +155,7 @@ static void ovpn_setup(struct net_device *dev) dev->max_mtu = IP_MAX_MTU - OVPN_HEAD_ROOM; dev->type = ARPHRD_NONE; - dev->flags = IFF_POINTOPOINT | IFF_NOARP; + dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST | IFF_BROADCAST; dev->priv_flags |= IFF_NO_QUEUE; /* when routing packets to a LAN behind a client, we rely on the * route entry that originally brought the packet into ovpn, so diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index c02dfab51a6e..06d47c468956 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -718,23 +718,49 @@ static void ovpn_peer_remove(struct ovpn_peer *peer, llist_add(&peer->release_entry, release_list); } +static void ovpn_peer_list_get_all(struct ovpn_priv *ovpn, + struct llist_head *list) +{ + struct ovpn_peer *peer; + int bkt; + + rcu_read_lock(); + hash_for_each_rcu(ovpn->peers->by_id, bkt, peer, hash_entry_id) { + if (ovpn_peer_hold(peer)) + llist_add(&peer->mcast_entry, list); + } + rcu_read_unlock(); +} + +/** + * TO DO: At the moment the list contain all the peers, + * after IGMP snooping is implemented we want to select only the peers + * subscribed to a specific multicast group. + */ +static void ovpn_peer_list_get_by_mcast_group(struct ovpn_priv *ovpn, + struct llist_head *list) +{ + ovpn_peer_list_get_all(ovpn, list); +} + /** - * ovpn_peer_get_by_dst - Lookup peer to send skb to + * ovpn_peer_list_get_by_dst - Lookup peers to send skb to * @ovpn: the private data representing the current VPN session * @skb: the skb to extract the destination address from + * @list: the head of the list to fill with the target peers * - * This function takes a tunnel packet and looks up the peer to send it to - * after encapsulation. The skb is expected to be the in-tunnel packet, without - * any OpenVPN related header. + * This function takes a tunnel packet and looks up the peers to send it to + * after encapsulation and add them to `list'. The skb is expected to be the + * in-tunnel packet, without any OpenVPN related header. * * Assume that the IP header is accessible in the skb data. * - * Return: the peer if found or NULL otherwise. */ -struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, - struct sk_buff *skb) +void ovpn_peer_list_get_by_dst(struct ovpn_priv *ovpn, struct sk_buff *skb, + struct llist_head *list) { struct ovpn_peer *peer = NULL; + unsigned int addr_type; struct in6_addr addr6; __be32 addr4; @@ -744,29 +770,45 @@ struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, if (ovpn->mode == OVPN_MODE_P2P) { rcu_read_lock(); peer = rcu_dereference(ovpn->peer); - if (unlikely(peer && !ovpn_peer_hold(peer))) - peer = NULL; + if (likely(peer && ovpn_peer_hold(peer))) + llist_add(&peer->mcast_entry, list); rcu_read_unlock(); - return peer; + return; } - rcu_read_lock(); switch (skb->protocol) { case htons(ETH_P_IP): addr4 = ovpn_nexthop_from_skb4(skb); + rcu_read_lock(); peer = ovpn_peer_get_by_vpn_addr4(ovpn, addr4); - break; + + if (peer) + break; + + rcu_read_unlock(); + addr_type = inet_dev_addr_type(dev_net(ovpn->dev), ovpn->dev, addr4); + if (addr_type == RTN_MULTICAST) + ovpn_peer_list_get_by_mcast_group(ovpn, list); + else if (addr_type == RTN_BROADCAST) + ovpn_peer_list_get_all(ovpn, list); + return; case htons(ETH_P_IPV6): addr6 = ovpn_nexthop_from_skb6(skb); + rcu_read_lock(); peer = ovpn_peer_get_by_vpn_addr6(ovpn, &addr6); - break; + + if (peer) + break; + + rcu_read_unlock(); + if (ipv6_addr_is_multicast(&addr6)) + ovpn_peer_list_get_by_mcast_group(ovpn, list); + return; } - if (unlikely(peer && !ovpn_peer_hold(peer))) - peer = NULL; + if (likely(peer && ovpn_peer_hold(peer))) + llist_add(&peer->mcast_entry, list); rcu_read_unlock(); - - return peer; } /** diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h index 328401570cba..08a471deb187 100644 --- a/drivers/net/ovpn/peer.h +++ b/drivers/net/ovpn/peer.h @@ -113,6 +113,7 @@ struct ovpn_peer { struct kref refcount; struct rcu_head rcu; struct llist_node release_entry; + struct llist_node mcast_entry; struct work_struct keepalive_work; }; @@ -148,8 +149,8 @@ void ovpn_peers_free(struct ovpn_priv *ovpn, struct sock *sock, struct ovpn_peer *ovpn_peer_get_by_transp_addr(struct ovpn_priv *ovpn, struct sk_buff *skb); struct ovpn_peer *ovpn_peer_get_by_id(struct ovpn_priv *ovpn, u32 peer_id); -struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, - struct sk_buff *skb); +void ovpn_peer_list_get_by_dst(struct ovpn_priv *ovpn, struct sk_buff *skb, + struct llist_head *list); void ovpn_peer_hash_vpn_ip(struct ovpn_peer *peer); bool ovpn_peer_check_by_src(struct ovpn_priv *ovpn, struct sk_buff *skb, struct ovpn_peer *peer);