From: Ralf Lici
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 20 May 2026 11:16:12 +0200
Message-ID: <20260520091613.158891-3-ralf@mandelbit.com>
In-Reply-To: <20260520091613.158891-1-ralf@mandelbit.com>
References: <20260520091613.158891-1-ralf@mandelbit.com>
Subject: [Openvpn-devel] [PATCH ovpn net-next v4 3/3] selftests: ovpn: add mssfix coverage

Extend ovpn-cli set_peer to pass the peer mssfix attribute.
Use -1 as the selftest CLI sentinel for leaving mssfix unchanged, so existing timeout-only peer updates can keep omitting the netlink attribute. Add an ovpn test stage that configures mssfix on each side of a peer pair and verifies the MSS advertised on TCP SYN packets seen on the tunnel device. This covers both TX-side and RX-side clamping, and also checks that an invalid non-zero MSS value is rejected. Signed-off-by: Ralf Lici --- No changes since v3 https://lore.kernel.org/openvpn-devel/20260519080500.120724-3-ralf@mandelbit.com/ No changes since v2 https://lore.kernel.org/openvpn-devel/20260518085908.135570-3-ralf@mandelbit.com/ Changes since v1 https://lore.kernel.org/openvpn-devel/20260515075941.102225-3-ralf@mandelbit.com/ - parse mssfix into long before narrowing in ovpn-cli tools/testing/selftests/net/ovpn/ovpn-cli.c | 20 ++++- .../selftests/net/ovpn/test-close-socket.sh | 4 +- tools/testing/selftests/net/ovpn/test-mark.sh | 4 +- tools/testing/selftests/net/ovpn/test.sh | 75 +++++++++++++++++-- 4 files changed, 90 insertions(+), 13 deletions(-) diff --git a/tools/testing/selftests/net/ovpn/ovpn-cli.c b/tools/testing/selftests/net/ovpn/ovpn-cli.c index d40953375c86..67351f33e7c8 100644 --- a/tools/testing/selftests/net/ovpn/ovpn-cli.c +++ b/tools/testing/selftests/net/ovpn/ovpn-cli.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -129,6 +130,7 @@ struct ovpn_ctx { __u32 keepalive_interval; __u32 keepalive_timeout; + int mssfix; enum ovpn_key_direction key_dir; enum ovpn_key_slot key_slot; @@ -732,6 +734,8 @@ static int ovpn_set_peer(struct ovpn_ctx *ovpn) ovpn->keepalive_interval); NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, ovpn->keepalive_timeout); + if (ovpn->mssfix >= 0) + NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_MSSFIX, ovpn->mssfix); nla_nest_end(ctx->nl_msg, attr); ret = ovpn_nl_msg_send(ctx, NULL); 
@@ -1730,13 +1734,15 @@ static void usage(const char *cmd) fprintf(stderr, "\tmark: socket FW mark value\n"); fprintf(stderr, - "* set_peer : set peer attributes\n"); + "* set_peer : set peer attributes\n"); fprintf(stderr, "\tiface: ovpn interface name\n"); fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); fprintf(stderr, "\tkeepalive_interval: interval for sending ping messages\n"); fprintf(stderr, "\tkeepalive_timeout: time after which a peer is timed out\n"); + fprintf(stderr, + "\tmssfix: TCP MSS value to clamp SYN packets to (0 disables, -1 leaves unchanged)\n"); fprintf(stderr, "* del_peer : delete peer\n"); fprintf(stderr, "\tiface: ovpn interface name\n"); @@ -2166,6 +2172,7 @@ static int ovpn_run_cmd(struct ovpn_ctx *ovpn) static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) { + long mssfix; int ret; /* no args required for LISTEN_MCAST */ @@ -2307,7 +2314,7 @@ static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) } break; case CMD_SET_PEER: - if (argc < 6) + if (argc < 7) return -EINVAL; ovpn->peer_id = strtoul(argv[3], NULL, 10); @@ -2329,6 +2336,14 @@ static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) "keepalive interval value out of range\n"); return -1; } + + errno = 0; + mssfix = strtol(argv[6], NULL, 10); + if (errno == ERANGE || mssfix < -1 || mssfix > UINT16_MAX) { + fprintf(stderr, "mssfix value out of range\n"); + return -1; + } + ovpn->mssfix = mssfix; break; case CMD_DEL_PEER: if (argc < 4) @@ -2442,6 +2457,7 @@ int main(int argc, char *argv[]) memset(&ovpn, 0, sizeof(ovpn)); ovpn.sa_family = AF_UNSPEC; ovpn.cipher = OVPN_CIPHER_ALG_NONE; + ovpn.mssfix = -1; ovpn.cmd = ovpn_parse_cmd(argv[1]); if (ovpn.cmd == CMD_INVALID) { diff --git a/tools/testing/selftests/net/ovpn/test-close-socket.sh b/tools/testing/selftests/net/ovpn/test-close-socket.sh index af1532b4d2da..091c0103bdba 100755 --- a/tools/testing/selftests/net/ovpn/test-close-socket.sh 
+++ b/tools/testing/selftests/net/ovpn/test-close-socket.sh @@ -41,10 +41,10 @@ ovpn_prepare_network() { peer_ns="ovpn_peer${p}" ovpn_cmd_ok "set peer0 timeout for peer ${p}" \ ip netns exec ovpn_peer0 ${OVPN_CLI} set_peer tun0 \ - ${p} 60 120 + ${p} 60 120 -1 ovpn_cmd_ok "set peer${p} timeout for peer ${p}" \ ip netns exec "${peer_ns}" ${OVPN_CLI} set_peer \ - tun${p} $((p + OVPN_ID_OFFSET)) 60 120 + tun${p} $((p + OVPN_ID_OFFSET)) 60 120 -1 done } diff --git a/tools/testing/selftests/net/ovpn/test-mark.sh b/tools/testing/selftests/net/ovpn/test-mark.sh index 5a8f47554286..11af23beea2a 100755 --- a/tools/testing/selftests/net/ovpn/test-mark.sh +++ b/tools/testing/selftests/net/ovpn/test-mark.sh @@ -54,10 +54,10 @@ ovpn_mark_prepare_network() { peer_ns="ovpn_peer${p}" ovpn_cmd_ok "set peer0 timeout for peer ${p}" \ ip netns exec ovpn_peer0 "${OVPN_CLI}" set_peer tun0 \ - "${p}" 60 120 + "${p}" 60 120 -1 ovpn_cmd_ok "set peer${p} timeout for peer ${p}" \ ip netns exec "${peer_ns}" "${OVPN_CLI}" set_peer \ - tun"${p}" $((p + OVPN_ID_OFFSET)) 60 120 + tun"${p}" $((p + OVPN_ID_OFFSET)) 60 120 -1 done } diff --git a/tools/testing/selftests/net/ovpn/test.sh b/tools/testing/selftests/net/ovpn/test.sh index c06e3135fbef..a0630034351a 100755 --- a/tools/testing/selftests/net/ovpn/test.sh +++ b/tools/testing/selftests/net/ovpn/test.sh @@ -49,10 +49,10 @@ ovpn_prepare_network() { peer_ns="ovpn_peer${p}" ovpn_cmd_ok "set peer0 timeout for peer ${p}" \ ip netns exec ovpn_peer0 ${OVPN_CLI} set_peer tun0 \ - ${p} 60 120 + ${p} 60 120 -1 ovpn_cmd_ok "set peer${p} timeout for peer ${p}" \ ip netns exec "${peer_ns}" ${OVPN_CLI} set_peer \ - tun${p} $((p + OVPN_ID_OFFSET)) 60 120 + tun${p} $((p + OVPN_ID_OFFSET)) 60 120 -1 done } 
@@ -142,6 +142,66 @@ ovpn_run_iperf() { wait "${iperf_pid}" || return 1 } +ovpn_run_mssfix_flow() { + local filter + local iperf_pid + local direction="$1" + local mssfix="$2" + local tcpdump_pid + + filter="tcp and src host 5.5.5.1 and dst host 5.5.5.2" + filter="${filter} and tcp[tcpflags] & tcp-syn != 0" + + ovpn_run_bg iperf_pid ip netns exec ovpn_peer1 iperf3 -1 -s + sleep 1 + + timeout 3s ip netns exec ovpn_peer1 tcpdump --immediate-mode -l -p \ + -vv -nn -i tun1 -c 1 "${filter}" 2>&1 | + grep -iq "mss ${mssfix}" & + tcpdump_pid=$! + sleep 0.3 + + ovpn_cmd_ok "run ${direction} mssfix TCP flow" \ + ip netns exec ovpn_peer0 iperf3 -t 1 -c 5.5.5.2 + + ovpn_cmd_ok "capture ${direction} mssfix TCP SYN" wait "${tcpdump_pid}" + ovpn_cmd_ok "finish ${direction} mssfix TCP server" wait "${iperf_pid}" +} + +ovpn_run_mssfix() { + local peer0_id=$((1 + OVPN_ID_OFFSET)) + + # peer0 will clamp MSS for packets exchanged with peer1 + ovpn_cmd_ok "set peer0 mssfix for peer 1" \ + ip netns exec ovpn_peer0 ${OVPN_CLI} set_peer tun0 1 \ + 60 120 900 + + ovpn_cmd_fail "reject invalid peer0 mssfix for peer 1" \ + ip netns exec ovpn_peer0 ${OVPN_CLI} set_peer tun0 1 \ + 60 120 20 + + ovpn_cmd_ok "clear peer1 mssfix for peer ${peer0_id}" \ + ip netns exec ovpn_peer1 ${OVPN_CLI} set_peer tun1 \ + "${peer0_id}" 60 120 0 + + ovpn_run_mssfix_flow "TX" 900 + + ovpn_cmd_ok "clear peer0 mssfix for peer 1" \ + ip netns exec ovpn_peer0 ${OVPN_CLI} set_peer tun0 1 \ + 60 120 0 + + # peer1 will clamp MSS for packets exchanged with peer0 + ovpn_cmd_ok "set peer1 mssfix for peer ${peer0_id}" \ + ip netns exec ovpn_peer1 ${OVPN_CLI} set_peer tun1 \ + "${peer0_id}" 60 120 901 + + ovpn_run_mssfix_flow "RX" 901 + + ovpn_cmd_ok "clear peer1 mssfix for peer ${peer0_id}" \ + ip netns exec ovpn_peer1 ${OVPN_CLI} set_peer tun1 \ + "${peer0_id}" 60 120 0 +} + ovpn_run_key_rollover() { local p local peer_ns 
@@ -259,11 +319,11 @@ ovpn_run_timeouts() { # Non-fatal: this may fail in some protocol modes. ovpn_cmd_mayfail "set peer0 timeout for peer ${p} (non-fatal)" \ ip netns exec ovpn_peer0 ${OVPN_CLI} set_peer tun0 \ - ${p} 3 3 + ${p} 3 3 -1 peer_ns="ovpn_peer${p}" ovpn_cmd_ok "disable timeout on peer${p} while peer0 adjusts \ state" ip netns exec "${peer_ns}" ${OVPN_CLI} set_peer \ - tun${p} $((p + OVPN_ID_OFFSET)) 0 0 + tun${p} $((p + OVPN_ID_OFFSET)) 0 0 -1 done # wait for peers to timeout sleep 5 @@ -274,7 +334,7 @@ ovpn_run_timeouts() { peer_ns="ovpn_peer${p}" ovpn_cmd_ok "set peer${p} P2P timeout" \ ip netns exec "${peer_ns}" ${OVPN_CLI} set_peer \ - tun${p} $((p + OVPN_ID_OFFSET)) 3 3 + tun${p} $((p + OVPN_ID_OFFSET)) 3 3 -1 done sleep 5 } @@ -293,9 +353,9 @@ trap ovpn_stage_err ERR ktap_print_header if [ "${OVPN_FLOAT}" == "1" ]; then - ktap_set_plan 13 + ktap_set_plan 14 else - ktap_set_plan 12 + ktap_set_plan 13 fi ovpn_cleanup @@ -307,6 +367,7 @@ ovpn_run_stage "run LAN traffic behind peer1" ovpn_run_lan_traffic [ "${OVPN_FLOAT}" == "1" ] && ovpn_run_stage "run floating peer checks" \ ovpn_run_float_mode ovpn_run_stage "run iperf throughput" ovpn_run_iperf +ovpn_run_stage "run mssfix TCP SYN clamp" ovpn_run_mssfix ovpn_run_stage "run key rollout" ovpn_run_key_rollover ovpn_run_stage "query peers" ovpn_run_queries ovpn_run_stage "query missing peer fails" ovpn_query_peer_missing
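
Review bot: In the CMD_SET_PEER parsing hunk of ovpn-cli.c, strtol(argv[6], NULL, 10) is called without an end pointer, so a non-numeric argument parses as 0 and a value with trailing characters (for example "900x") is accepted as 900. Because 0 means "disable clamping" according to the usage text, a typo silently turns mssfix off instead of failing. Pass an endptr and reject the input when endptr == argv[6] or *endptr != '\0', alongside the existing ERANGE and range checks.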
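
Review bot: The change from "argc < 6" to "argc < 7" in CMD_SET_PEER makes mssfix a mandatory positional argument, which is why every existing set_peer call in test-close-socket.sh, test-mark.sh and test.sh has to gain a trailing -1. Since main() already initialises ovpn.mssfix = -1, consider keeping "argc < 6" and parsing argv[6] only when argc > 6; the attribute would still be omitted by default and the timeout-only callers would not need to change.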
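
Review bot: The usage() line added for set_peer documents 0 and -1 but not which non-zero values are accepted, while ovpn_run_mssfix expects "set_peer tun0 1 60 120 20" to fail. State the accepted range, or at least that small non-zero values are rejected, in the help text so the CLI and the test agree on what "invalid" means.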
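
Review bot: In ovpn_run_mssfix_flow, grep -iq "mss ${mssfix}" is a substring match, so the check for 900 would also pass on a SYN advertising mss 9000 or 9001. Anchor the value, for example with grep -iqw "mss ${mssfix}", so the test only passes on the exact clamped MSS. The fixed "sleep 1" and "sleep 0.3" before starting the client are also the only synchronisation with the iperf3 server and tcpdump; waiting for tcpdump to report that it is listening would make the stage less timing-sensitive on slow runners.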