From patchwork Mon Dec 16 12:22:51 2024
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4005
Subject: [Openvpn-devel] [PATCH v2 2/2] port-share: Add proxy protocol v2 support
From: corubba

In addition to the custom journal solution, also support the widely used binary PROXY protocol version 2 to convey the original client connection parameters to the proxy receiver. This makes the port-share journal feature more accessible and easier to use, because one doesn't need a custom integration.

While this is a spec-compliant sender implementation of the PROXY protocol, it does not implement it in full. Version 1 was left out entirely, in favour of the superior and easier-to-implement version 2. The implementation was also kept minimal with regards to what OpenVPN supports/requires: Local commands, unix sockets, UDP and TLVs are not implemented.

Signed-off-by: Corubba Smith
---
 doc/man-sections/server-options.rst |   4 +
 src/openvpn/ps.c                    | 110 +++++++++++++++++++++++++++-
 2 files changed, 113 insertions(+), 1 deletion(-)

-- 
2.47.1
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 3fe9862c..5fdd4a22 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -435,6 +435,10 @@ fast hardware. SSL/TLS authentication must be used in this mode. the origin of the connection. Each generated file will be automatically deleted when the proxied connection is torn down. + ``dir`` can be set to the special value ``proxy_protocol_v2`` to make + OpenVPN use the binary PROXY protocol version 2 towards the proxy receiver. + No temporary files will be written in this mode. + Not implemented on Windows. --push option diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c index 36ea63b8..b5d04c5b 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c 
@@ -393,6 +393,107 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c gc_free(&gc); } +/* + * Send the proxy protocol v2 binary header, so that the receiving + * server knows the true client connection parameters. + */ +static void +send_proxy_protocol_v2_header(const struct proxy_connection *const pc, const struct proxy_connection *const cp) +{ + static const uint8_t PP2_AF_UNSPEC = 0x0, PP2_AF_INET = 0x1, PP2_AF_INET6 = 0x2; + static const uint8_t PP2_PROTO_STREAM = 0x1; + + struct openvpn_sockaddr src, dst; + socklen_t src_len, dst_len; + unsigned char header[52] = { + "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" /* signature */ + "\x21" /* version=2 + command=proxy */ + /* initialize the rest to zero for now */ + }; + uint8_t addr_fam, header_len = 16; + uint16_t addr_len; + + src_len = sizeof(src.addr); + dst_len = sizeof(dst.addr); + if (0 != getpeername(pc->sd, &src.addr.sa, &src_len) + || 0 != getsockname(pc->sd, &dst.addr.sa, &dst_len)) + { + msg(M_WARN, "PORT SHARE PROXY: getting client connection parameters failed"); + src.addr.sa.sa_family = dst.addr.sa.sa_family = AF_UNSPEC; + } + + transform_mapped_v4_sockaddr(&src); + transform_mapped_v4_sockaddr(&dst); + if (src.addr.sa.sa_family != dst.addr.sa.sa_family) + { + msg(M_WARN, "PORT SHARE PROXY: address family mismatch between peer and socket"); + /* src wins, because that is usually the more important info */ + dst.addr.sa.sa_family = src.addr.sa.sa_family; + } + + if (msg_test(D_PS_PROXY_DEBUG)) + { + struct gc_arena gc = gc_new(); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client connection is %s -> %s", + print_openvpn_sockaddr(&src, &gc), print_openvpn_sockaddr(&dst, &gc)); + gc_free(&gc); + } + + switch (src.addr.sa.sa_family) + { + case AF_INET: + addr_fam = PP2_AF_INET; + addr_len = 12; + ASSERT(4 >= sizeof(src.addr.in4.sin_addr)); + ASSERT(4 >= sizeof(dst.addr.in4.sin_addr)); + memcpy(&header[16], &src.addr.in4.sin_addr, sizeof(src.addr.in4.sin_addr)); + 
memcpy(&header[20], &dst.addr.in4.sin_addr, sizeof(dst.addr.in4.sin_addr)); + ASSERT(2 >= sizeof(src.addr.in4.sin_port)); + ASSERT(2 >= sizeof(dst.addr.in4.sin_port)); + memcpy(&header[24], &src.addr.in4.sin_port, sizeof(src.addr.in4.sin_port)); + memcpy(&header[26], &dst.addr.in4.sin_port, sizeof(dst.addr.in4.sin_port)); + break; + + case AF_INET6: + addr_fam = PP2_AF_INET6; + addr_len = 36; + ASSERT(16 >= sizeof(src.addr.in6.sin6_addr)); + ASSERT(16 >= sizeof(dst.addr.in6.sin6_addr)); + memcpy(&header[16], &src.addr.in6.sin6_addr, sizeof(src.addr.in6.sin6_addr)); + memcpy(&header[32], &dst.addr.in6.sin6_addr, sizeof(dst.addr.in6.sin6_addr)); + ASSERT(2 >= sizeof(src.addr.in6.sin6_port)); + ASSERT(2 >= sizeof(dst.addr.in6.sin6_port)); + memcpy(&header[48], &src.addr.in6.sin6_port, sizeof(src.addr.in6.sin6_port)); + memcpy(&header[50], &dst.addr.in6.sin6_port, sizeof(dst.addr.in6.sin6_port)); + break; + + /* AF_UNIX is currently not suppported by OpenVPN */ + + default: + addr_fam = PP2_AF_UNSPEC; + addr_len = 0; + break; + } + + const uint8_t proto = PP2_PROTO_STREAM; /* DGRAM is currently not supported by port-share */ + header[13] = (addr_fam << 4) | proto; + + /* TLV is currently not implemented */ + + header_len += addr_len; + const uint16_t addr_len_n = htons(addr_len); + memcpy(&header[14], &addr_len_n, sizeof(addr_len_n)); + + ASSERT(header_len <= sizeof(header)); + const socket_descriptor_t sd = cp->sd; + const int status = send(sd, header, header_len, MSG_NOSIGNAL); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: proxy protocol v2 wrote[%d] %d", (int) sd, status); + if (status < (int) header_len) + { + msg(M_WARN, "PORT SHARE PROXY: failed to send proxy protocol v2 header"); + } +} + /* * Cleanup function, on proxy process exit. */ 
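Review bot: a short or failed send() of the header is only logged at the end of send_proxy_protocol_v2_header (`if (status < (int) header_len) { msg(M_WARN, ...); }`) and the function is void, so proxy_entry_new carries on relaying the client's bytes over a connection whose stream now begins mid-header or with no header at all; the receiver will either drop it or read the TLS ClientHello as the PROXY header. The header has to be the first and complete bytes on cp->sd: return a bool and have the caller tear the connection down on failure, or queue the header in the server-side output buffer ahead of the buffered client data so it goes out through the normal non-blocking write path instead of a one-shot send(). Two smaller points in the same hunk: in the family-mismatch branch, `dst.addr.sa.sa_family = src.addr.sa.sa_family;` rewrites only the family tag, so the memcpy that follows reads dst's address and port through the other union member and sends whatever bytes sit there; memset dst to zero first (or fall back to PP2_AF_UNSPEC for the whole header) so the receiver gets an all-zero destination rather than aliased bytes. The two failure warnings (getpeername/getsockname and the send) should carry M_ERRNO so the socket error is logged with them.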
@@ -488,7 +589,14 @@ proxy_entry_new(struct proxy_connection **list, /* add journal entry */ if (journal_dir) { - journal_add(journal_dir, pc, cp); + if (0 == strcmp("proxy_protocol_v2", journal_dir)) + { + send_proxy_protocol_v2_header(pc, cp); + } + else + { + journal_add(journal_dir, pc, cp); + } } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client, (int)sd_server);
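Review bot: the mode is chosen by `strcmp("proxy_protocol_v2", journal_dir)` on every new connection, which overloads the directory-path argument with a magic string and only on the add side; the documentation hunk says journal files are deleted when the proxied connection is torn down, and that teardown path still receives journal_dir unchanged, so in this mode it will attempt to remove a file under a relative directory literally named proxy_protocol_v2. Guard the delete path the same way, or better, resolve the mode once at option-parse time into a flag or enum on the port-share configuration and have both call sites test that instead of re-comparing the string; that also lets option validation reject a journal directory that happens to carry that name.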
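Review bot: the new paragraph in server-options.rst should state that the receiver has to be configured to expect PROXY protocol v2 (haproxy `accept-proxy` on the bind line, nginx `proxy_protocol` on the listen directive, or the equivalent), because the header is binary bytes prepended to the TCP stream and a receiver that is not expecting it will see them as a malformed TLS or HTTP request and close the connection. It should also say that the receiver must accept the header only from the OpenVPN server's address, since the PROXY header carries no authentication and a receiver that trusts it from arbitrary sources lets any client spoof its own source address; one sentence on that trust boundary belongs next to the option.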
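The commit message describes sending the binary PROXY protocol v2 header so that the receiver learns the original client address. The C program below is an added example and is not code from this patch or from OpenVPN: it builds the 16-byte header plus the IPv4 or IPv6 address block as the specification lays it out (12-byte signature, version/command byte 0x21, family and transport nibbles, big-endian length, then source and destination addresses and ports in network order) and then parses it back the way a receiver must, checking signature, version, family and declared length before trusting any address, and telling "need more bytes" apart from "not a PROXY header" and from "malformed". The names pp2_build and pp2_parse, the sample addresses (documentation ranges) and the restriction to STREAM transport without TLVs are this example's own choices.

```c
/* PROXY protocol v2 sender + receiver. Added example, not OpenVPN or patch code.
 * Assumptions: STREAM transport only, INET/INET6/UNSPEC families, no TLVs;
 * addresses are raw network-order bytes. Function names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PP2_SIG_LEN 12
#define PP2_HDR_LEN 16
/* "\r\n\r\n\0\r\nQUIT\n": no valid TLS or HTTP stream can start with these bytes */
static const uint8_t PP2_SIG[PP2_SIG_LEN] =
    { 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A };

enum { PP2_AF_UNSPEC = 0, PP2_AF_INET = 1, PP2_AF_INET6 = 2 };
enum { PP2_CMD_LOCAL = 0, PP2_CMD_PROXY = 1 };
enum { PP2_PROTO_STREAM = 1 };

struct pp2_info {
    int command, family;                /* PP2_CMD_*, PP2_AF_* */
    uint8_t src_addr[16], dst_addr[16]; /* network order; 4 or 16 bytes used */
    uint16_t src_port, dst_port;        /* host order */
};

/* Sender: returns bytes written (16, 28 or 52), or 0 on bad family / small buffer. */
size_t pp2_build(uint8_t *out, size_t out_len, int family,
                 const uint8_t *src_addr, const uint8_t *dst_addr,
                 uint16_t src_port, uint16_t dst_port)
{
    size_t alen = family == PP2_AF_INET ? 4 : family == PP2_AF_INET6 ? 16 : 0;
    size_t addr_len = alen ? 2 * alen + 4 : 0;        /* two addresses + two ports */
    if (family < 0 || family > PP2_AF_INET6 || out_len < PP2_HDR_LEN + addr_len) return 0;
    memset(out, 0, PP2_HDR_LEN + addr_len);
    memcpy(out, PP2_SIG, PP2_SIG_LEN);
    out[12] = 0x20 | PP2_CMD_PROXY;                        /* version 2, command PROXY */
    out[13] = (uint8_t)((family << 4) | PP2_PROTO_STREAM); /* family high nibble, proto low */
    out[14] = (uint8_t)(addr_len >> 8);                    /* address block length, big-endian */
    out[15] = (uint8_t)(addr_len & 0xFF);
    if (alen) {
        uint8_t *p = out + PP2_HDR_LEN;
        memcpy(p, src_addr, alen);
        memcpy(p + alen, dst_addr, alen);
        p += 2 * alen;
        p[0] = (uint8_t)(src_port >> 8); p[1] = (uint8_t)src_port;
        p[2] = (uint8_t)(dst_port >> 8); p[3] = (uint8_t)dst_port;
    }
    return PP2_HDR_LEN + addr_len;
}

/* Receiver: returns header bytes consumed (>0), 0 if more input is needed, -1 if the
 * stream does not start with a PROXY header (treat as plain data), -2 if malformed. */
long pp2_parse(const uint8_t *buf, size_t len, struct pp2_info *info)
{
    if (len < PP2_SIG_LEN) return memcmp(buf, PP2_SIG, len) == 0 ? 0 : -1; /* prefix ok so far? */
    if (memcmp(buf, PP2_SIG, PP2_SIG_LEN) != 0) return -1;
    if (len < PP2_HDR_LEN) return 0;
    if ((buf[12] & 0xF0) != 0x20) return -2;               /* only version 2 is valid */
    int cmd = buf[12] & 0x0F, fam = buf[13] >> 4, proto = buf[13] & 0x0F;
    size_t addr_len = ((size_t)buf[14] << 8) | buf[15];
    if (cmd > PP2_CMD_PROXY) return -2;
    if (len < PP2_HDR_LEN + addr_len) return 0;            /* wait for the declared length */
    memset(info, 0, sizeof(*info));
    info->command = cmd;
    /* LOCAL (health checks) and UNSPEC carry no usable address: keep the socket peer. */
    if (cmd == PP2_CMD_LOCAL || fam == PP2_AF_UNSPEC) return (long)(PP2_HDR_LEN + addr_len);
    size_t alen = fam == PP2_AF_INET ? 4 : fam == PP2_AF_INET6 ? 16 : 0;
    /* unix/dgram are not handled here; a length too short for the family is malformed */
    if (alen == 0 || proto != PP2_PROTO_STREAM || addr_len < 2 * alen + 4) return -2;
    const uint8_t *p = buf + PP2_HDR_LEN;
    info->family = fam;
    memcpy(info->src_addr, p, alen);
    memcpy(info->dst_addr, p + alen, alen);
    p += 2 * alen;
    info->src_port = (uint16_t)((p[0] << 8) | p[1]);
    info->dst_port = (uint16_t)((p[2] << 8) | p[3]);
    return (long)(PP2_HDR_LEN + addr_len);                /* any extra bytes are TLVs, skipped */
}

int main(void)
{
    /* constructed sample: client 203.0.113.7:51234 reached the server on 198.51.100.1:1194 */
    const uint8_t src[4] = { 203, 0, 113, 7 }, dst[4] = { 198, 51, 100, 1 };
    uint8_t hdr[64];
    struct pp2_info info;
    size_t n = pp2_build(hdr, sizeof hdr, PP2_AF_INET, src, dst, 51234, 1194);
    long used = pp2_parse(hdr, n, &info);
    printf("built %zu bytes, parsed %ld: %d.%d.%d.%d:%d -> :%d\n", n, used,
           info.src_addr[0], info.src_addr[1], info.src_addr[2], info.src_addr[3],
           info.src_port, info.dst_port);
    return used == (long)n ? 0 : 1;
}
```

Compile with `cc -Wall` and run; the exit status is 0 when the round trip matches. The receiver-side property worth noting is that a plain TLS ClientHello (first byte 0x16) is classified as "not a PROXY header" immediately rather than held waiting for more input, while a genuine but truncated header returns 0 so the caller reads on. The header itself carries no authentication, so a receiver must apply this parsing only to connections arriving from the trusted proxy address.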