From patchwork Tue Jun 21 06:16:44 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2515 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director15.mail.ord1d.rsapps.net ([172.27.255.7]) by backend41.mail.ord1d.rsapps.net with LMTP id D5a7KDvvsWJqKAAAqwncew (envelope-from ) for ; Tue, 21 Jun 2022 12:18:03 -0400 Received: from proxy9.mail.iad3a.rsapps.net ([172.27.255.7]) by director15.mail.ord1d.rsapps.net with LMTP id UO7uJzvvsWKqeQAAIcMcQg (envelope-from ) for ; Tue, 21 Jun 2022 12:18:03 -0400 Received: from smtp2.gate.iad3a ([172.27.255.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy9.mail.iad3a.rsapps.net with LMTPS id qPwpIjvvsWIVHwAAGuSQww (envelope-from ) for ; Tue, 21 Jun 2022 12:18:03 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp2.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: b9145a3e-f17d-11ec-a2ae-525400de56ae-1-1 Received: from [216.105.38.7] ([216.105.38.7:44014] helo=lists.sourceforge.net) by smtp2.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 11/74-28802-A3FE1B26; Tue, 21 Jun 2022 12:18:02 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1o3gYt-00075h-Lq; Tue, 21 Jun 2022 16:17:07 +0000 Received: from [172.30.20.202] 
(helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1o3gYq-00075V-Qs for openvpn-devel@lists.sourceforge.net; Tue, 21 Jun 2022 16:17:04 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=f5r5uALD00h/vNjyVK25pUyc/6X4+BIEhIj7sRlBNoE=; b=AOqxW1b6IV/wyPgqxQqyNKTUXA LWbsyddZX4OC6REjBuewNplqjkM4Z1doMtt4w4VNhdjUoVLqG2KHMF7Yt+a/5U1ZYaqoyDtkI+pWz mvtdagqQJTtfT6lo4qwYLEdqkOJ+ll1fpaqaRuLUSRS1ADSGZe7ry36xTlDoFAE9Gx2Y=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=f5r5uALD00h/vNjyVK25pUyc/6X4+BIEhIj7sRlBNoE=; b=O 8H4UkX1RRIVf0/VymISw7aGbti3PX1ZSfn9R40eqyPRF/ObAnGWelmJH+OvmJpNknc/2LPQRo5PON ZLE02Ox4Rz/bGy0bCq/I+anS0Z6i6LItADs/EL9N/8hQQTA4n75FYDvea8g8TYsqf0rxb3BUChoak Y0K87aShff9iUqus=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1o3gYo-0004fv-Ni for openvpn-devel@lists.sourceforge.net; Tue, 21 Jun 2022 16:17:04 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1o3gYb-000DmD-V4 for openvpn-devel@lists.sourceforge.net; Tue, 21 Jun 2022 18:16:49 +0200 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 21 Jun 2022 18:16:44 +0200
Message-Id: <20220621161649.2872985-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/6] Remove leftover frame_set_mtu_dynamic definitions in mtu.h

The frame_set_mtu_dynamic function and its defines were removed during the buffer rework but these definitions were overlooked.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/mtu.h | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h
index 7f967e066..4b8feca7c 100644
--- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h 
@@ -253,16 +253,6 @@ unsigned int calc_packet_id_size_dc(const struct options *options, const struct key_type *kt); - -/* - * frame_set_mtu_dynamic and flags - */ - -#define SET_MTU_TUN (1<<0) /* use tun/tap rather than link sizing */ -#define SET_MTU_UPPER_BOUND (1<<1) /* only decrease dynamic MTU */ - -void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags); - /* * allocate a buffer for socket or tun layer */

From patchwork Tue Jun 21 06:16:45 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2519
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 21 Jun 2022 18:16:45 +0200
Message-Id: <20220621161649.2872985-2-arne@rfc2549.org>
In-Reply-To: <20220621161649.2872985-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/6] Inline frame_add_to_extra_tun function and remove frame_defined

This function has only one usage and is so trivial that an extra function makes little sense anymore. frame_defined is no longer used, so remove the function.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/init.c |  2 +-
 src/openvpn/mtu.h  | 16 ----------------
 2 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f06afc298..6cdcef628 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3047,7 +3047,7 @@ do_init_frame(struct context *c) */ if (c->options.ce.tun_mtu_extra_defined) { - frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra); + c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra; } /*
diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h
index 4b8feca7c..9db6cf26a 100644
--- a/src/openvpn/mtu.h
+++ b/src/openvpn/mtu.h
@@ -274,20 +274,4 @@ const char *format_extended_socket_error(int fd, int *mtu, struct gc_arena *gc); #endif -/* - * frame member adjustment functions - */ - -static inline void -frame_add_to_extra_tun(struct frame *frame, const int increment) -{ - frame->extra_tun += increment; -} - -static inline bool -frame_defined(const struct frame *frame) -{ - return frame->buf.payload_size > 0; -} - #endif /* ifndef MTU_H */

From patchwork Tue Jun 21 06:16:46 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2517
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 21 Jun 2022 18:16:46 +0200
Message-Id: <20220621161649.2872985-3-arne@rfc2549.org>
In-Reply-To: <20220621161649.2872985-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/6] Extract update_session_cipher into standalone function

This allows the code later to check if the cipher is okay to use and update it for the calculation for the max MTU size.

Signed-off-by: Arne Schwabe
Acked-By: Frank Lichtenheld
---
 src/openvpn/ssl.c     | 11 +----------
 src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++
 src/openvpn/ssl_ncp.h |  8 ++++++++
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 61dea996d..ddd90080b 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session, struct frame *frame_fragment, struct link_socket_info *lsi) { - - bool cipher_allowed_as_fallback = options->enable_ncp_fallback - && streq(options->ciphername, session->opt->config_ciphername); - - if (!session->opt->server && !cipher_allowed_as_fallback - && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + if (!update_session_cipher(session, options)) { - msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", - options->ciphername, options->ncp_ciphers); - /* undo cipher push, abort connection setup */ - options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 564942503..c800f718f 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) gc_free(&gc); } + + +bool +update_session_cipher(struct tls_session *session, struct options *options) +{ + bool cipher_allowed_as_fallback = options->enable_ncp_fallback + && streq(options->ciphername, session->opt->config_ciphername); + + if (!session->opt->server && !cipher_allowed_as_fallback + && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + { + msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", + options->ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; + return false; + } + else + { + return true; + } +} diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index 853017f5f..5ba2f7ae7 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h 
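Review bot: update_session_cipher, as added in the ssl_ncp.c hunk, never updates anything on the success path; it only validates options->ciphername against the fallback/NCP list and, on failure, writes session->opt->config_ciphername back into options->ciphername. The name and the new doc comment in ssl_ncp.h ("updates the TLS session cipher with it") therefore promise more than the code does, and the only reason `options` is taken non-const is that revert. Suggest either a name that says what it does (a `*_allowed`-style predicate, hypothetical) or a doc comment stating that the function checks the negotiated cipher and undoes the push on failure, so callers know `options` may be modified. Nit: the `else { return true; }` after an unconditional `return false;` can be a plain `return true;` at the end of the function. The logic itself is a verbatim move of the block removed from tls_session_update_crypto_params in the ssl.c hunk, so behaviour is unchanged.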
@@ -148,4 +148,12 @@ const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc); + +/** + * Checks if the cipher is allowed and updates the TLS session cipher with it, + * otherwise returns false + */ +bool +update_session_cipher(struct tls_session *session, struct options *options); + #endif /* ifndef OPENVPN_SSL_NCP_H */

From patchwork Tue Jun 21 06:16:47 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2520
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 21 Jun 2022 18:16:47 +0200
Message-Id: <20220621161649.2872985-4-arne@rfc2549.org>
In-Reply-To: <20220621161649.2872985-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 4/6] Implement a function to calculate the default MTU

We could also just hardcode this value to 1420 but this approach does not add much (complicated) code and it is a bit better than to have a magic number to just be there.

Signed-off-by: Arne Schwabe
---
 src/openvpn/mtu.c                      | 22 ++++++++++++++++++++++
 src/openvpn/mtu.h                      | 14 ++++++++++++++
 tests/unit_tests/openvpn/test_crypto.c | 19 ++++++++++++++++++-
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c
index 59b917985..8afc16394 100644
--- a/src/openvpn/mtu.c
+++ b/src/openvpn/mtu.c
@@ -205,6 +205,28 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) return payload + overhead; } +int +frame_calculate_default_mtu(struct options *o) +{ + struct options options = *o; + + /* assume we have peer_id enabled */ + options.use_peer_id = true; + + /* We use IPv6+UDP here to have a consistent size for tun MTU no matter + * the combination of udp/tcp and IPv4/IPv6 */ + int encap_overhead = datagram_overhead(AF_INET6, PROTO_UDP); + + struct key_type kt; + init_key_type(&kt, "AES-256-GCM", "none", true, false); + + size_t payload_overhead = frame_calculate_payload_overhead(0, &options, &kt); + size_t protocol_overhead = frame_calculate_protocol_header_size(&kt, &options, false); + + return MTU_ENCAP_DEFAULT - encap_overhead - payload_overhead - protocol_overhead; + +} + void frame_print(const struct frame *frame, int level, diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index 9db6cf26a..d643027d3 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -79,6 +79,10 @@ */ #define MSSFIX_DEFAULT 1492 +/* The default size we aim to reach to with our VPN packets by setting + * the MTU accordingly */ +#define MTU_ENCAP_DEFAULT 1492 + /* * Alignment of payload data such as IP packet or * ethernet frame. @@ -260,6 +264,16 @@ void alloc_buf_sock_tun(struct buffer *buf, const struct frame *frame, const bool tuntap_buffer); + +/** + * Function to calculate the default MTU for Layer 3 VPNs. The function + * assumes that UDP packets should be a maximum of \c MTU_ENCAP_DEFAULT (1492) + * with a AEAD cipher. This default comes out to be 1420. + */ +int +frame_calculate_default_mtu(struct options *o); + + /* * EXTENDED_SOCKET_ERROR_CAPABILITY functions -- print extra error info * on socket errors, such as PMTU size. As of 2003.05.11, only works diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 83572b827..ca595b0a5 100644 --- a/tests/unit_tests/openvpn/test_crypto.c 
+++ b/tests/unit_tests/openvpn/test_crypto.c @@ -477,6 +477,22 @@ test_mssfix_mtu_calculation(void **state) gc_free(&gc); } + +static void +test_mtu_default_calculation(void **state) +{ + struct options o = {0}; + + /* common defaults */ + o.ce.tun_mtu = 1400; + o.ce.mssfix = 1000; + o.replay = true; + o.ce.proto = PROTO_UDP; + + size_t mtu = frame_calculate_default_mtu(&o); + assert_int_equal(1420, mtu); +} + int main(void) { 
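Review bot: in the mtu.c hunk, frame_calculate_default_mtu subtracts size_t values from an int: MTU_ENCAP_DEFAULT and encap_overhead are int, while payload_overhead and protocol_overhead are size_t, so `MTU_ENCAP_DEFAULT - encap_overhead - payload_overhead - protocol_overhead` is evaluated as unsigned size_t and only then narrowed to the int return type. With the fixed inputs (AES-256-GCM, IPv6/UDP, peer_id) the result is 1420 and cannot go negative, but if the overheads ever exceeded MTU_ENCAP_DEFAULT the expression would wrap rather than yield a negative number; cast the overheads to int before subtracting, or add an assertion that their sum stays below MTU_ENCAP_DEFAULT. Since `o` is only copied (`struct options options = *o;`), the parameter can be `const struct options *o`, matching calc_options_string_link_mtu just above it; the same const applies to the prototype added in the mtu.h hunk. Nits: stray blank line before the closing brace, and the mtu.h doc comment should read "an AEAD cipher" and "aim to reach with".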
@@ -487,7 +503,8 @@ main(void) cmocka_unit_test(crypto_test_hmac), cmocka_unit_test(test_des_encrypt), cmocka_unit_test(test_occ_mtu_calculation), - cmocka_unit_test(test_mssfix_mtu_calculation) + cmocka_unit_test(test_mssfix_mtu_calculation), + cmocka_unit_test(test_mtu_default_calculation) }; #if defined(ENABLE_CRYPTO_OPENSSL)

From patchwork Tue Jun 21 06:16:48 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2516
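Review bot: in the test_mtu_default_calculation hunk, the return value of frame_calculate_default_mtu (declared `int` in the mtu.h hunk) is stored in `size_t mtu` before being handed to assert_int_equal; a negative return would silently become a huge unsigned value and the failure message would be misleading. Use `int mtu` to match the prototype. The function hardcodes use_peer_id, AF_INET6/PROTO_UDP and AES-256-GCM internally, so `o.ce.proto = PROTO_UDP` in the test is not what selects the encapsulation being measured; a short comment stating which of the fields set here (tun_mtu, mssfix, replay) actually feed into the 1420 expectation would make the assertion easier to audit. The main() hunk registering the new test in the cmocka list is fine.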
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 21 Jun 2022 18:16:48 +0200 Message-Id: <20220621161649.2872985-5-arne@rfc2549.org> In-Reply-To: <20220621161649.2872985-1-arne@rfc2549.org> References: <20220621161649.2872985-1-arne@rfc2549.org> Subject: [Openvpn-devel] [PATCH 5/6] Change default MTU in server mode to 1420 and push it to client

This changes the default MTU of the tun-mtu to 1420 to avoid MTU-related issues that are even more prominent when DCO servers or clients are involved. To maximise compatibility we lie about our MTU in the default OCC message and also push the real MTU to clients that support pushing the MTU.
Signed-off-by: Arne Schwabe --- Changes.rst | 5 ++++ doc/man-sections/vpn-network-options.rst | 36 ++++++++++++++++++++---- src/openvpn/options.c | 31 ++++++++++++++++++-- src/openvpn/options.h | 1 + src/openvpn/push.c | 16 +++++++++++ 5 files changed, 81 insertions(+), 8 deletions(-) diff --git a/Changes.rst b/Changes.rst index 67a23c792..79b79d608 100644 --- a/Changes.rst +++ b/Changes.rst @@ -141,6 +141,11 @@ User-visible Changes - Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration - :code:`link_mtu` parameter is removed from environment or replaced with 0 when scripts are called with parameters. This parameter is unreliable and no longer internally calculated. +- the default of ``--tun-mtu`` has been changed to ``--tun 1420 1500`` when + running in server mode. This will create an mtu mismatch with older client + (newer client allow pushable mtu) but the most common server platforms + (Linux and FreeBSD) allow receiving 1500 byte packets even tun-mtu is set + to 1420, still allowing larger packets from client with 1500 byte mtu. Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 5b2f84707..2e4fff5df 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -500,21 +500,45 @@ routing. arguments of ``--ifconfig`` to mean "address netmask", no longer "local remote". ---tun-mtu n - Take the TUN device MTU to be **n** and derive the link MTU from it - (default :code:`1500`). In most cases, you will probably want to leave - this parameter set to its default value. +--tun-mtu args + + Valid syntaxes: + :: + + tun-mtu tun-mtu + tun-mtu tun-mtu occ-mtu + + Take the TUN device MTU to be ``tun-mtu`` and derive the link MTU from it. + In most cases, you will probably want to leave this parameter set to + its default value. + + Starting with OpenVPN 2.6 in when running server mode (``--mode server``, + ``--server`` or ``-server-ipv6`` options present in the configuration), + the default will be 1420 for the tun mtu size and 1500 for the ``occ-mtu``. + + The OCC MTU can be used to avoid warnings about mismatched MTU from + clients. If :code:`occ-mtu` is not specified, it will to default to the + tun-mtu The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. OpenVPN requires that packets on the control and data channels be sent unfragmented. + It is generally advisable to set the tun MTU low enough that with the + encapsulation overhead is lower than the MTU of the network that is used + to transport the VPN packets. + MTU problems often manifest themselves as connections which hang during periods of active usage. - It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal - with MTU sizing issues. + If lowering the tun MTU to avoid MTU related problems (e.g. when tap is used + and an MTU of 1500 is rdquired), the ``--fragment`` and/or ``--mssfix`` + options can be also used to deal with MTU sizing issues. + + Note: Depending on the platform, the operating system allows to receive + packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms + (like macOS) limit received packets to the same size as the MTU. 
--tun-mtu-extra n Assume that the TUN/TAP device might return as many as ``n`` bytes more diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9a0634a5e..69c839fb6 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -814,6 +814,7 @@ init_options(struct options *o, const bool init_gc) o->status_file_version = 1; o->ce.bind_local = true; o->ce.tun_mtu = TUN_MTU_DEFAULT; + o->ce.occ_mtu = 0; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; o->ce.mssfix = 0; @@ -3031,6 +3032,16 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) if (!ce->tun_mtu_defined && !ce->link_mtu_defined) { ce->tun_mtu_defined = true; + if (o->mode == MODE_SERVER) + { + /* If we are running in P2MP mode we default to a MTU + * that is low enough by default to fit into a 1492 + * MTU UDP IPv6 packet: + * + */ + ce->tun_mtu = frame_calculate_default_mtu(o); + ce->occ_mtu = TUN_MTU_DEFAULT; + } } if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined) { @@ -4018,7 +4029,15 @@ options_string(const struct options *o, buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); - buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + if (o->ce.occ_mtu != 0) + { + buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu); + } + else + { + buf_printf(&out, ",tun-mtu %d", frame->tun_mtu); + } + buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); 
@@ -6262,11 +6281,19 @@ add_option(struct options *options, options->ce.link_mtu = positive_atoi(p[1]); options->ce.link_mtu_defined = true; } - else if (streq(p[0], "tun-mtu") && p[1] && !p[2]) + else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi(p[1]); options->ce.tun_mtu_defined = true; + if (p[2]) + { + options->ce.occ_mtu = positive_atoi(p[2]); + } + else + { + options->ce.occ_mtu = 0; + } } else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c2937dc37..1085a462a 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -118,6 +118,7 @@ struct connection_entry const char *socks_proxy_authfile; int tun_mtu; /* MTU of tun device */ + int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ int tun_mtu_extra; bool tun_mtu_extra_defined; diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 63257348a..463957a82 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -603,6 +603,22 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, { push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm"); } + + /* Push our mtu to the peer if it supports pushable MTUs */ + int client_max_mtu = 0; + const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc); + + if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1) + { + push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu); + if (client_max_mtu < o->ce.tun_mtu) + { + msg(M_WARN, "Warning reported maximum MTU from client (%d) is lower " + "than MTU used on the server (%d). Add tun-max-mtu %d " + "to client configuration.", client_max_mtu, + o->ce.tun_mtu, o->ce.tun_mtu); + } + } return true; }

From patchwork Tue Jun 21 06:16:49 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2518
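Review bot: in the Changes.rst hunk the option is misnamed: "has been changed to ``--tun 1420 1500``" should read ``--tun-mtu 1420 1500``, which is the syntax the vpn-network-options.rst hunk of this same patch documents. While there: "older client" should be "older clients", "(newer client allow pushable mtu)" should be "(newer clients allow a pushable MTU)", and "even tun-mtu is set to 1420" needs an "if".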
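Review bot: the vpn-network-options.rst hunk has wording errors that will ship in the man page: "in when running server mode" (drop "in"), "``-server-ipv6``" is missing a dash, "it will to default to the tun-mtu" has a stray "to" and no terminating period before "The MTU", "low enough that with the encapsulation overhead is lower than" should read "low enough that, with the encapsulation overhead added, it is still below", and "rdquired" is "required". More substantively, the text promises the default "will be 1420" while the options.c hunk calls frame_calculate_default_mtu(o), whose result depends on the configured options; say that 1420 is the value for the common defaults rather than presenting it as a constant.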
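Review bot: in the options_postprocess_mutate_ce hunk the comment "low enough by default to fit into a 1492 MTU UDP IPv6 packet:" ends with a colon and an empty comment line, so whatever calculation it was going to show is missing; finish it or drop the colon, and say where 1492 comes from (the usual PPPoE link MTU), since the user-facing docs in this patch only ever mention 1420 and 1500 and a reader of the code has no way to connect the three numbers.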
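Review bot: in the options_string hunk, when o->ce.occ_mtu is set the string now advertises tun-mtu 1500, but the preceding ",link-mtu %u" is still taken from calc_options_string_link_mtu(o, frame) with the real frame (tun_mtu 1420), so an older 1500-MTU client will still see a link-mtu mismatch in its OCC comparison unless calc_options_string_link_mtu also substitutes occ_mtu, which this patch does not show. If the purpose of occ_mtu is to silence those warnings, the link-mtu value needs the same substitution.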
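Review bot: in the add_option hunk for tun-mtu the optional second argument goes through positive_atoi(p[2]) with no range check, and positive_atoi() yields 0 for non-numeric input, which here silently means "no OCC override"; a typo such as "tun-mtu 1420 15oo" is therefore accepted and does nothing. Validate occ_mtu the same way tun-mtu-max is validated later in this series (reject values below 68 and a zero result) and report the bad argument.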
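Review bot: in the options.h hunk the comment "if non-null, this is the MTU we announce" describes an int, so "non-zero" is the accurate word; the 0 sentinel is what init_options and add_option actually rely on.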
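Review bot: in the push.c hunk the warning tells the user to add "tun-max-mtu %d", but the directive this series implements in add_option is "tun-mtu-max" (and the man page hunk in patch 6 uses a third spelling, --tun-max-mtu); pick one name and use it everywhere. The logic also pushes o->ce.tun_mtu even after detecting client_max_mtu < o->ce.tun_mtu: the client will clamp to its own maximum (see do_deferred_options in patch 6) while the server keeps sending packets up to its tun_mtu that the client's buffers cannot hold, which is the mismatch the push was meant to prevent; push min(client_max_mtu, o->ce.tun_mtu) or reject the client instead of warning and proceeding. Finally, client_max_mtu is peer-supplied data parsed with sscanf("%d"), so negative and zero values are accepted and then trigger the warning; treat anything below the minimum the parser accepts for tun-mtu-max (68) as "MTU push unsupported".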
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 21 Jun 2022 18:16:49 +0200 Message-Id: <20220621161649.2872985-6-arne@rfc2549.org> In-Reply-To: <20220621161649.2872985-1-arne@rfc2549.org> References: <20220621161649.2872985-1-arne@rfc2549.org> Subject: [Openvpn-devel] [PATCH 6/6] Allow tun-mtu to be pushed

This allows tun-mtu to be pushed, but only up to the size of the preallocated buffers. This is not a perfect solution but should allow most of the use cases where the MTU is close enough to 1500.

Signed-off-by: Arne Schwabe --- Changes.rst | 8 ++++ doc/man-sections/client-options.rst | 4 ++ doc/man-sections/vpn-network-options.rst | 5 +++ src/openvpn/init.c | 52 ++++++++++++++++++++---- src/openvpn/mtu.c | 1 + src/openvpn/mtu.h | 3 ++ src/openvpn/options.c | 15 ++++++- src/openvpn/options.h | 2 + src/openvpn/ssl.c | 3 ++ 9 files changed, 85 insertions(+), 8 deletions(-) diff --git a/Changes.rst b/Changes.rst index 79b79d608..e99671bcb 100644 --- a/Changes.rst +++ b/Changes.rst
@@ -79,6 +79,14 @@ Cookie based handshake for UDP server shake. The tls-crypt-v2 option allows controlling if older clients are accepted. + +Tun MTU can be pushed + As part of changing the ``--tun-mtu`` default to 1420 (see below), the + client can now also dynamically configure its MTU and the server will + try to push the client MTU when the client supports it. The directive + ``--tun-mtu-max`` has been introduced to specify the maximum pushable + MTU size. + Deprecated features ------------------- ``inetd`` has been removed diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 8e0e4f18a..230e51e8d 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -358,6 +358,10 @@ configuration. The client announces the list of supported ciphers configured with the ``--data-ciphers`` option to the server. + :code:`IV_MTU=` + The client announces the support of pushable MTU and the maximum MTU + the client is willing to accept. + :code:`IV_GUI_VER= ` The UI version of a UI if one is running, for example :code:`de.blinkt.openvpn 0.5.47` for the Android app. diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 2e4fff5df..71aa3f4c7 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -540,6 +540,11 @@ routing. packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms (like macOS) limit received packets to the same size as the MTU. +--tun-max-mtu maxmtu + This configures the maximum MTU size that a server can push to ``maxmtu``. + The default for ``maxmtu`` is 1600. This will increase internal buffers + allocation for larger packet sizes. + --tun-mtu-extra n Assume that the TUN/TAP device might return as many as ``n`` bytes more than the ``--tun-mtu`` size on read. This parameter defaults to 0, which 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 6cdcef628..e9f9778a3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2126,7 +2126,8 @@ pull_permission_mask(const struct context *c) | OPT_P_ECHO | OPT_P_PULL_MODE | OPT_P_PEER_ID - | OPT_P_NCP; + | OPT_P_NCP + | OPT_P_PUSH_MTU; if (!c->options.route_nopull) { @@ -2283,12 +2284,39 @@ do_deferred_options(struct context *c, const unsigned int found) #endif struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!update_session_cipher(session, &c->options)) + { + /* The update_session_cipher method wil already print an error */ + return false; + } + + /* Cipher is considered safe, so we can use it to calculate the max + * MTU size */ + if (found & OPT_P_PUSH_MTU) + { + /* MTU has changed, check that the pushed MTU is small enough to + * be able to change it */ + msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu); + + struct frame *frame = &c->c2.frame; + + if (c->options.ce.tun_mtu > frame->tun_max_mtu) + { + msg(D_PUSH_ERRORS, "Server pushed a large mtu, please add " + "tun-mtu-max %d in the client configuration", + c->options.ce.tun_mtu); + } + frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu); + } + if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame, frame_fragment, get_link_socket_info(c))) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; } + + } return true; 
@@ -2446,10 +2474,16 @@ frame_finalize_options(struct context *c, const struct options *o) struct frame *frame = &c->c2.frame; frame->tun_mtu = get_frame_mtu(c, o); + frame->tun_max_mtu = o->ce.tun_mtu_max; + + /* max mtu needs to be at least as large as the tun mtu */ + frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu); - /* We always allow at least 1500 MTU packets to be received in our buffer - * space */ - size_t payload_size = max_int(1500, frame->tun_mtu); + /* We always allow at least 1600 MTU packets to be received in our buffer + * space to allow server to push "baby giant MTU sizes */ + frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu); + + size_t payload_size = frame->tun_max_mtu; /* The extra tun needs to be added to the payload size */ if (o->ce.tun_mtu_defined) @@ -2457,9 +2491,9 @@ frame_finalize_options(struct context *c, const struct options *o) payload_size += o->ce.tun_mtu_extra; } - /* Add 100 byte of extra space in the buffer to account for slightly - * mismatched MUTs between peers */ - payload_size += 100; + /* Add 32 byte of extra space in the buffer to account for small errors + * in the calculation */ + payload_size += 32; /* the space that is reserved before the payload to add extra headers to it @@ -2992,6 +3026,10 @@ do_init_frame_tls(struct context *c) c->c2.frame.buf.payload_size); frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms"); + + /* Keep the max mtu also in the frame of tls multi so it can access + * it in push_peer_info */ + c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu; } if (c->c2.tls_auth_standalone) { diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 8afc16394..d883569c8 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c 
@@ -244,6 +244,7 @@ frame_print(const struct frame *frame, buf_printf(&out, " max_frag:%d", frame->max_fragment_size); #endif buf_printf(&out, " tun_mtu:%d", frame->tun_mtu); + buf_printf(&out, " tun_max_mtu:%d", frame->tun_max_mtu); buf_printf(&out, " headroom:%d", frame->buf.headroom); buf_printf(&out, " payload:%d", frame->buf.payload_size); buf_printf(&out, " tailroom:%d", frame->buf.tailroom); diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index d643027d3..e80d8bd01 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -137,6 +137,9 @@ struct frame { * control frame payload (although most of * code ignores it) */ + int tun_max_mtu; /**< the maximum tun-mtu size the buffers are + * are sized for. This is the upper bound that + * a server can push as MTU */ int extra_tun; /**< Maximum number of bytes in excess of * the tun/tap MTU that might be read diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 69c839fb6..7a07daa40 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6283,7 +6283,7 @@ add_option(struct options *options, } else if (streq(p[0], "tun-mtu") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi(p[1]); options->ce.tun_mtu_defined = true; if (p[2]) @@ -6295,6 +6295,19 @@ add_option(struct options *options, options->ce.occ_mtu = 0; } } + else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3]) + { + VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); + int max_mtu = positive_atoi(p[1]); + if (max_mtu < 68 || max_mtu > 65536) + { + msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]); + } + else + { + options->ce.tun_mtu_max = max_mtu; + } + } else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 1085a462a..5a1720ca9 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -119,6 +119,7 @@ struct connection_entry int tun_mtu; /* MTU of tun device */ int occ_mtu; /* if non-null, this is the MTU we announce to peers in OCC */ + int tun_mtu_max; /* maximum MTU that can be pushed */ bool tun_mtu_defined; /* true if user overriding parm with command line option */ int tun_mtu_extra; bool tun_mtu_extra_defined; @@ -720,6 +721,7 @@ struct options #define OPT_P_CONNECTION (1<<27) #define OPT_P_PEER_ID (1<<28) #define OPT_P_INLINE (1<<29) +#define OPT_P_PUSH_MTU (1<<30) #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index ddd90080b..a6071e3c1 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1939,6 +1939,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) { iv_proto |= IV_PROTO_REQUEST_PUSH; iv_proto |= IV_PROTO_AUTH_PENDING_KW; + + /* support for tun-mtu as part of the push message */ + buf_printf(&out, "IV_MTU=%d\n", session->opt->frame.tun_max_mtu); } /* support for Negotiable Crypto Parameters */
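Review bot: the option name is inconsistent across this patch: the Changes.rst hunk and the error message in do_deferred_options say ``--tun-mtu-max`` and add_option parses "tun-mtu-max", but the vpn-network-options.rst hunk documents ``--tun-max-mtu maxmtu`` (and patch 5's push.c warning says "tun-max-mtu"). As written the man page entry does not match the parser; rename the documented option to --tun-mtu-max.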
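Review bot: in the do_deferred_options hunk, when the pushed tun-mtu exceeds frame->tun_max_mtu the code logs at D_PUSH_ERRORS, clamps frame->tun_mtu with min_int(), leaves c->options.ce.tun_mtu at the pushed value and carries on, so the client ends up with a frame MTU that differs both from its own option value and from what the server believes it accepted; either fail the import here (return false, as the cipher path just above does) or also lower c->options.ce.tun_mtu so the OCC string and the tun device agree with the frame. Smaller points in the same hunk: "wil" should be "will", the "Cipher is considered safe" comment explains a dependency that the MTU code does not actually use, and the two blank lines before the closing brace should go.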
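Review bot: in the frame_finalize_options hunk, frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu) means a user-supplied --tun-mtu-max below 1600 is silently ignored even though add_option accepts any value from 68 upward, and every client sizes its buffers for at least 1600 bytes whether or not the server will ever push that much; if 1600 is meant as the default rather than a floor, apply it only when o->ce.tun_mtu_max is 0 (and set that default in init_options, which this patch does not touch). The slack reduction from 100 to 32 bytes also needs justifying: the old comment tied it to mismatched MTUs between peers, the new one to "small errors in the calculation", and nothing in the patch shows which calculation can be off by at most 32. The "baby giant MTU sizes comment is missing its closing quote.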
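Review bot: in the options.c hunk, tun-mtu-max takes one argument but its guard is `p[1] && !p[3]` (copied from the two-argument tun-mtu case), so a stray second argument is accepted and ignored; it should be `!p[2]`. The invalid-value branch prints the error with msg(msglevel, ...) but does not goto err, so the option is accepted with its previous value; check that against how the neighbouring options treat bad input. Also, tun-mtu's permission mask changes from OPT_P_MTU|OPT_P_CONNECTION to OPT_P_PUSH_MTU|OPT_P_CONNECTION, dropping OPT_P_MTU entirely while tun-mtu-max and tun-mtu-extra keep it; if that is intentional, the commit message should say why, since it changes where tun-mtu is permitted outside of pull.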
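Review bot: in the mtu.h hunk the new field comment reads "the buffers are are sized for"; drop the duplicated "are".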
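Review bot: in the ssl.c hunk IV_MTU is taken from session->opt->frame.tun_max_mtu, which is only populated by the new assignment at the end of do_init_frame_tls; if push_peer_info runs on a session whose frame was not finalized through that path the client announces IV_MTU=0, and the server side in patch 5 only checks that sscanf() succeeded, so it will warn that 0 is lower than its MTU and push anyway. Guard the announcement on tun_max_mtu > 0, or have the server treat a zero value as "no MTU push".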