From patchwork Thu Jan 13 09:00:30 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2217
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 13 Jan 2022 21:00:30 +0100
Message-Id: <20220113200030.18656-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH] doc: remove PF leftovers from documentation
Cc: Antonio Quartulli

PF (Packet Filter) has been dropped from the OpenVPN code base, however some bits and pieces are left in the documentation. Erase them all.

Reported-by: Arne Schwabe
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
---
doc/man-sections/management-options.rst | 5 --
doc/management-notes.txt | 112 ------------------------
2 files changed, 117 deletions(-)

diff --git a/doc/man-sections/management-options.rst b/doc/man-sections/management-options.rst index de0d47e7..884750a6 100644 --- a/doc/man-sections/management-options.rst
+++ b/doc/man-sections/management-options.rst @@ -65,11 +65,6 @@ server and client mode operations. When the management interface is listening on a unix domain socket, only allow connections from group ``g``. ---management-client-pf - Management interface clients must specify a packet filter file for each - connecting client. See :code:`management-notes.txt` in OpenVPN - distribution for detailed notes. - --management-client-user u When the management interface is listening on a unix domain socket, only allow connections from user ``u``. diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 84e3d04b..203d3d82 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt 
@@ -785,118 +785,6 @@ Immediately kill a client instance by CID. CID -- client ID. See documentation for ">CLIENT:" notification for more info. -COMMAND -- client-pf (OpenVPN 2.1 or higher) ---------------------------------------------- - -Push a packet filter file to a specific client. - -The OpenVPN server should have been started with the ---management-client-pf directive so that it will require that -VPN tunnel packets sent or received by client instances must -conform to that client's packet filter configuration. - - client-pf {CID} - line_1 - line_2 - ... - line_n - END - -CID -- client ID. See documentation for ">CLIENT:" notification for -more info. - -line_1 to line_n -- the packet filter configuration file for this -client. - -Packet filter file grammar: - - [CLIENTS DROP|ACCEPT] - {+|-}common_name1 - {+|-}common_name2 - . . . - [SUBNETS DROP|ACCEPT] - {+|-}subnet1 - {+|-}subnet2 - . . . - [END] - - Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS | "unknown" - - CLIENTS refers to the set of clients (by their common-name) which - this instance is allowed ('+') to connect to, or is excluded ('-') - from connecting to. Note that in the case of client-to-client - connections, such communication must be allowed by the packet filter - configuration files of both clients AND the --client-to-client - directive must have been specified in the OpenVPN server config. - - SUBNETS refers to IP addresses or IP address subnets which this - client instance may connect to ('+') or is excluded ('-') from - connecting to, and applies to IPv4 and ARP packets. The special - "unknown" tag refers to packets of unknown type, i.e. a packet that - is not IPv4 or ARP. - - DROP or ACCEPT defines default policy when there is no explicit match - for a common-name or subnet. The [END] tag must exist. - - Notes: - - * The SUBNETS section currently only supports IPv4 addresses and - subnets. - - * A given client or subnet rule applies to both incoming and - outgoing packets. 
- - * The CLIENTS list is order-invariant. Because the list is stored - as a hash-table, the order of the list does not affect its function. - - * The SUBNETS table is scanned sequentially, and the first item to - match is chosen. Therefore the SUBNETS table is NOT order-invariant. - - * No client-to-client communication is allowed unless the - --client-to-client configuration directive is enabled AND - the CLIENTS list of BOTH clients allows the communication. - -Example packet filter spec, as transmitted to the management interface: - - client-pf 42 - [CLIENTS ACCEPT] - -accounting - -enigma - [SUBNETS DROP] - -10.46.79.9 - +10.0.0.0/8 - [END] - END - -The above example sets the packet filter policy for the client -identified by CID=42. This client may connect to all other clients -except those having a common name of "accounting" or "enigma". -The client may only interact with external IP addresses in the -10.0.0.0/8 subnet, however access to 10.46.79.9 is specifically -excluded. - -Another example packet filter spec, as transmitted to the -management interface: - - client-pf 99 - [CLIENTS DENY] - +public - [SUBNETS ACCEPT] - +10.10.0.1 - -10.0.0.0/8 - -unknown - [END] - END - -The above example sets the packet filter policy for the client -identified by CID=99. This client may not connect to any other -clients except those having a common name of "public". It may -interact with any external IP address except those in the -10.0.0.0/8 netblock. However interaction with one address in -the 10.0.0.0/8 netblock is allowed: 10.10.0.1. Also, the client -may not interact with external IP addresses using an "unknown" -protocol (i.e. one that is not IPv4 or ARP). - COMMAND -- remote (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher) --------------------------------------------
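Review bot: the deleted `--management-client-pf` entry was the only text in this option list that told operators a packet filter file was mandatory per connecting client ("Management interface clients must specify a packet filter file for each connecting client"), and nothing in the commit message says the option itself is no longer accepted; a one-line mention that the directive went away together with PF would help anyone still carrying it in a config. The list itself stays consistent after the hunk: the group ``g`` entry is now followed directly by `--management-client-user u`, and the dangling pointer to `management-notes.txt` goes with the removed block.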
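Review bot: the whole `COMMAND -- client-pf` section is removed including its trailing blank line, so exactly one blank line separates `more info.` from the `COMMAND -- remote` heading, matching the spacing between the other COMMAND sections. Since this block was the only description of the `client-pf` grammar (`[CLIENTS DROP|ACCEPT]`, `[SUBNETS DROP|ACCEPT]`, `[END]`) and of its default-policy and ordering semantics, it is worth a grep before merging that no other passage in `management-notes.txt` still refers to `client-pf` or `--management-client-pf`, as such a reference would now point at nothing.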