From patchwork Sat Dec 14 23:20:40 2024
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4002
Message-ID: <6fbf5828-05ad-47fd-8093-a4feb54f6f6c@gmx.de>
Date: Sun, 15 Dec 2024 00:20:40 +0100
To: openvpn-devel@lists.sourceforge.net
References: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de>
In-Reply-To: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de>
Subject: [Openvpn-devel] [PATCH 2/2] port-share: Add proxy protocol v2 support
From: corubba

In addition to the custom journal solution, also support the widely used
binary PROXY protocol version 2 to convey the original client connection
parameters to the proxy receiver. This makes the port-share journal feature
more accessible and easier to use, because one doesn't need a custom
integration.

While this is a spec-compliant sender implementation of the PROXY protocol,
it does not implement it in full. Version 1 was left out entirely, in favour
of the superior and easier-to-implement version 2. The implementation was
also kept minimal with regards to what OpenVPN supports/requires: Local
commands, unix sockets, UDP and TLVs are not implemented.
Signed-off-by: corubba --- doc/man-sections/server-options.rst | 4 + src/openvpn/ps.c | 110 +++++++++++++++++++++++++++- 2 files changed, 113 insertions(+), 1 deletion(-) -- 2.47.1 diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 3fe9862c..5fdd4a22 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -435,6 +435,10 @@ fast hardware. SSL/TLS authentication must be used in this mode. the origin of the connection. Each generated file will be automatically deleted when the proxied connection is torn down. + ``dir`` can be set to the special value ``proxy_protocol_v2`` to make + OpenVPN use the binary PROXY protocol version 2 towards the proxy receiver. + No temporary files will be written in this mode. + Not implemented on Windows. --push option diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c index 36ea63b8..b5d04c5b 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c 
@@ -393,6 +393,107 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c gc_free(&gc); } +/* + * Send the proxy protocol v2 binary header, so that the receiving + * server knows the true client connection parameters. + */ +static void +send_proxy_protocol_v2_header(const struct proxy_connection *const pc, const struct proxy_connection *const cp) +{ + static const uint8_t PP2_AF_UNSPEC = 0x0, PP2_AF_INET = 0x1, PP2_AF_INET6 = 0x2; + static const uint8_t PP2_PROTO_STREAM = 0x1; + + struct openvpn_sockaddr src, dst; + socklen_t src_len, dst_len; + unsigned char header[52] = { + "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" /* signature */ + "\x21" /* version=2 + command=proxy */ + /* initialize the rest to zero for now */ + }; + uint8_t addr_fam, header_len = 16; + uint16_t addr_len; + + src_len = sizeof(src.addr); + dst_len = sizeof(dst.addr); + if (0 != getpeername(pc->sd, &src.addr.sa, &src_len) + || 0 != getsockname(pc->sd, &dst.addr.sa, &dst_len)) + { + msg(M_WARN, "PORT SHARE PROXY: getting client connection parameters failed"); + src.addr.sa.sa_family = dst.addr.sa.sa_family = AF_UNSPEC; + } + + transform_mapped_v4_sockaddr(&src); + transform_mapped_v4_sockaddr(&dst); + if (src.addr.sa.sa_family != dst.addr.sa.sa_family) + { + msg(M_WARN, "PORT SHARE PROXY: address family mismatch between peer and socket"); + /* src wins, because that is usually the more important info */ + dst.addr.sa.sa_family = src.addr.sa.sa_family; + } + + if (msg_test(D_PS_PROXY_DEBUG)) + { + struct gc_arena gc = gc_new(); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client connection is %s -> %s", + print_openvpn_sockaddr(&src, &gc), print_openvpn_sockaddr(&dst, &gc)); + gc_free(&gc); + } + + switch (src.addr.sa.sa_family) + { + case AF_INET: + addr_fam = PP2_AF_INET; + addr_len = 12; + ASSERT(4 >= sizeof(src.addr.in4.sin_addr)); + ASSERT(4 >= sizeof(dst.addr.in4.sin_addr)); + memcpy(&header[16], &src.addr.in4.sin_addr, sizeof(src.addr.in4.sin_addr)); + 
memcpy(&header[20], &dst.addr.in4.sin_addr, sizeof(dst.addr.in4.sin_addr)); + ASSERT(2 >= sizeof(src.addr.in4.sin_port)); + ASSERT(2 >= sizeof(dst.addr.in4.sin_port)); + memcpy(&header[24], &src.addr.in4.sin_port, sizeof(src.addr.in4.sin_port)); + memcpy(&header[26], &dst.addr.in4.sin_port, sizeof(dst.addr.in4.sin_port)); + break; + + case AF_INET6: + addr_fam = PP2_AF_INET6; + addr_len = 36; + ASSERT(16 >= sizeof(src.addr.in6.sin6_addr)); + ASSERT(16 >= sizeof(dst.addr.in6.sin6_addr)); + memcpy(&header[16], &src.addr.in6.sin6_addr, sizeof(src.addr.in6.sin6_addr)); + memcpy(&header[32], &dst.addr.in6.sin6_addr, sizeof(dst.addr.in6.sin6_addr)); + ASSERT(2 >= sizeof(src.addr.in6.sin6_port)); + ASSERT(2 >= sizeof(dst.addr.in6.sin6_port)); + memcpy(&header[48], &src.addr.in6.sin6_port, sizeof(src.addr.in6.sin6_port)); + memcpy(&header[50], &dst.addr.in6.sin6_port, sizeof(dst.addr.in6.sin6_port)); + break; + + /* AF_UNIX is currently not suppported by OpenVPN */ + + default: + addr_fam = PP2_AF_UNSPEC; + addr_len = 0; + break; + } + + const uint8_t proto = PP2_PROTO_STREAM; /* DGRAM is currently not supported by port-share */ + header[13] = (addr_fam << 4) | proto; + + /* TLV is currently not implemented */ + + header_len += addr_len; + const uint16_t addr_len_n = htons(addr_len); + memcpy(&header[14], &addr_len_n, sizeof(addr_len_n)); + + ASSERT(header_len <= sizeof(header)); + const socket_descriptor_t sd = cp->sd; + const int status = send(sd, header, header_len, MSG_NOSIGNAL); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: proxy protocol v2 wrote[%d] %d", (int) sd, status); + if (status < (int) header_len) + { + msg(M_WARN, "PORT SHARE PROXY: failed to send proxy protocol v2 header"); + } +} + /* * Cleanup function, on proxy process exit. */ 
@@ -488,7 +589,14 @@ proxy_entry_new(struct proxy_connection **list, /* add journal entry */ if (journal_dir) { - journal_add(journal_dir, pc, cp); + if (0 == strcmp("proxy_protocol_v2", journal_dir)) + { + send_proxy_protocol_v2_header(pc, cp); + } + else + { + journal_add(journal_dir, pc, cp); + } } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client, (int)sd_server);
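Review bot: in the server-options.rst hunk, overloading the ``dir`` argument with the sentinel value ``proxy_protocol_v2`` means a directory literally named that can no longer be used as a journal directory, and the text should say so explicitly. It should also state that the receiver must be configured to expect a PROXY protocol v2 header, since a backend that is not expecting one will see a 16 to 52 byte binary prefix in front of the client's TLS data and fail the handshake.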
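Review bot: in the send_proxy_protocol_v2_header() hunk, the function is `static void` and cannot report failure, so when the final `send()` fails or returns a short count the code only logs a warning and the proxied connection continues with a missing or truncated header ahead of the client data; have it return a bool and let the caller tear the connection down instead of forwarding an unattributed connection. Two smaller points in the same hunk: the address-family mismatch branch sets `dst.addr.sa.sa_family = src.addr.sa.sa_family` but then copies `dst.addr.in4` / `dst.addr.in6` fields that were filled for the other family, so the destination address and port written into the header are garbage in that case (zeroing `dst` or falling back to `PP2_AF_UNSPEC` is safer); and `MSG_NOSIGNAL` is not defined on every platform port-share builds on, so it should go behind the same portability handling the rest of the file uses.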
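Review bot: in the proxy_entry_new() hunk, only the journal_add() call is diverted; the documented behaviour that "Each generated file will be automatically deleted when the proxied connection is torn down" implies a matching deletion path that also receives `journal_dir`, so verify it checks for the ``proxy_protocol_v2`` sentinel as well rather than attempting to unlink a file under a directory of that name on every teardown. Rather than repeating `strcmp("proxy_protocol_v2", journal_dir)` at each call site, set a flag once when the option is parsed and test that.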