From patchwork Sat Sep 17 11:47:56 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2769
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: "Vittorio Gambaletta (VittGam)"
Date: Sat, 17 Sep 2022 23:47:56 +0200
Message-Id: <20220917214756.23630-1-a@unstable.cc>
X-Mailer: git-send-email 2.35.1
Subject: [Openvpn-devel] [PATCH] Implement the --passtos option for IPv6 packets and sockets

From: "Vittorio Gambaletta (VittGam)"

Signed-off-by: "Vittorio Gambaletta (VittGam)"
---
 src/openvpn/forward.c | 18 ++++++++++++-----
 src/openvpn/forward.h |  2 +-
 src/openvpn/multi.c   |  2 +-
 src/openvpn/options.c |  2 +-
 src/openvpn/socket.h  | 45 +++++++++++++++++++++++++++++++++++--------
 src/openvpn/syshead.h |  2 +-
 6 files changed, 54 insertions(+), 17 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index b8950e37..3526dbf6 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c @@ -1346,7 +1346,7 @@ process_incoming_tun(struct context *c) * The --passtos and --mssfix options require * us to examine the IP header (IPv4 or IPv6). */ - unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT + unsigned int flags = PIP_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT | PIPV6_IMCP_NOHOST_CLIENT; process_ip_header(c, flags, &c->c2.buf); @@ -1518,7 +1518,7 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) #if PASSTOS_CAPABILITY if (!c->options.passtos) { - flags &= ~PIPV4_PASSTOS; + flags &= ~PIP_PASSTOS; } #endif if (!c->options.client_nat) @@ -1543,7 +1543,7 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) if (flags & (PIP_MSSFIX #if PASSTOS_CAPABILITY - | PIPV4_PASSTOS + | PIP_PASSTOS #endif | PIPV4_CLIENT_NAT )) @@ -1553,9 +1553,9 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) { #if PASSTOS_CAPABILITY /* extract TOS from IP header */ - if (flags & PIPV4_PASSTOS) + if (flags & PIP_PASSTOS) { - link_socket_extract_tos(c->c2.link_socket, &ipbuf); + link_socket_extract_tos_v4(c->c2.link_socket, &ipbuf); } #endif @@ -1583,6 +1583,14 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) } else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) { +#if PASSTOS_CAPABILITY + /* extract TOS from IPiv6 header */ + if (flags & PIP_PASSTOS) + { + link_socket_extract_tos_v6(c->c2.link_socket, &ipbuf); + } +#endif + /* possibly alter the TCP MSS */ if (flags & PIP_MSSFIX) { diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index bd2d9601..e3bb7945 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -291,7 +291,7 @@ send_control_channel_string_dowork(struct tls_multi *multi, */ void reschedule_multi_process(struct context *c); -#define PIPV4_PASSTOS (1<<0) +#define PIP_PASSTOS (1<<0) #define PIP_MSSFIX (1<<1) /* v4 and v6 */ #define PIP_OUTGOING (1<<2) #define PIPV4_EXTRACT_DHCP_ROUTER (1<<3) 
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 1bbeab7d..3f3d79bb 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3573,7 +3573,7 @@ multi_get_queue(struct mbuf_set *ms) if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */ { - unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER; + unsigned int pip_flags = PIP_PASSTOS | PIPV6_IMCP_NOHOST_SERVER; set_prefix(item.instance); item.instance->context.c2.buf = item.buffer->buf; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2786c28b..3d48c2d9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -276,7 +276,7 @@ static const char usage_message[] = "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n" "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n" #if PASSTOS_CAPABILITY - "--passtos : TOS passthrough (applies to IPv4 only).\n" + "--passtos : TOS passthrough.\n" #endif "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n" " TCP/UDP MTU from it (default=%d).\n" diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 462afa31..ca4b3381 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h 
@@ -1209,17 +1209,35 @@ link_socket_write(struct link_socket *sock, #if PASSTOS_CAPABILITY /* - * Extract TOS bits. Assumes that ipbuf is a valid IPv4 packet. + * Extract TOS bits. Assumes that ipbuf is a valid IPv4 packet. */ static inline void -link_socket_extract_tos(struct link_socket *ls, const struct buffer *ipbuf) +link_socket_extract_tos_v4(struct link_socket *ls, const struct buffer *ipbuf) { - if (ls && ipbuf) + if (!ls || !ipbuf) { - struct openvpn_iphdr *iph = (struct openvpn_iphdr *) BPTR(ipbuf); - ls->ptos = iph->tos; - ls->ptos_defined = true; + return; } + + struct openvpn_iphdr *iph = (struct openvpn_iphdr *) BPTR(ipbuf); + ls->ptos = iph->tos; + ls->ptos_defined = true; +} + +/* + * Extract TOS bits. Assumes that ipbuf is a valid IPv6 packet. + */ +static inline void +link_socket_extract_tos_v6(struct link_socket *ls, const struct buffer *ipbuf) +{ + if (!ls || !ipbuf) + { + return; + } + + struct openvpn_ipv6hdr *ip6h = (struct openvpn_ipv6hdr *)BPTR(ipbuf); + ls->ptos = ((ip6h->version_prio & 0x0F) << 4) | (ip6h->flow_lbl[0] >> 4); + ls->ptos_defined = true; } /* @@ -1229,9 +1247,20 @@ link_socket_extract_tos(struct link_socket *ls, const struct buffer *ipbuf) static inline void link_socket_set_tos(struct link_socket *ls) { - if (ls && ls->ptos_defined) + if (!ls || !ls->ptos_defined) + { + return; + } + + if (ls->info.af == AF_INET6) + { + setsockopt(ls->sd, IPPROTO_IPV6, IPV6_TCLASS, (const void *)&ls->ptos, + sizeof(ls->ptos)); + } + else { - setsockopt(ls->sd, IPPROTO_IP, IP_TOS, (const void *)&ls->ptos, sizeof(ls->ptos)); + setsockopt(ls->sd, IPPROTO_IP, IP_TOS, (const void *)&ls->ptos, + sizeof(ls->ptos)); } } diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 5a673a7b..e04f454f 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h 
@@ -362,7 +362,7 @@ typedef int MIB_TCP_STATE; /* * Do we have the capability to support the --passtos option? */ -#if defined(IPPROTO_IP) && defined(IP_TOS) +#if defined(IPPROTO_IP) && defined(IP_TOS) && defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) #define PASSTOS_CAPABILITY 1 #else #define PASSTOS_CAPABILITY 0
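Review bot: in the forward.c hunk at @@ -1583 the new comment reads `/* extract TOS from IPiv6 header */`; the protocol name is misspelled, and the IPv6 field being read is the Traffic Class, not TOS, so `/* extract Traffic Class from IPv6 header */` would be both correct and consistent with the IPV6_TCLASS name used on the socket side. The PASSTOS_CAPABILITY guard and the PIP_PASSTOS test mirror the IPv4 branch above, which is the right shape.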
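Review bot: the options.c hunk drops "(applies to IPv4 only)" from the --passtos usage line, but the diffstat touches only files under src/openvpn; if the manual page entry for --passtos carries the same IPv4-only wording it should be changed in this patch too, and the commit message, which currently has no body at all, should state that the option now copies the IPv6 Traffic Class from tunnel packets and sets IPV6_TCLASS on AF_INET6 link sockets.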
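Review bot: in the socket.h hunk at @@ -1229, the IPV6_TCLASS branch reuses `(const void *)&ls->ptos, sizeof(ls->ptos)` from the IP_TOS call, and on Linux the two options are not symmetric: IP_TOS is special-cased to accept a single-byte optval, whereas IPV6_TCLASS requires optlen to be at least sizeof(int) (current kernels fail the call with EINVAL, older ones read the value as 0). If ptos is a one-byte field, as its use as a raw TOS byte suggests, the IPv6 path therefore never applies the class. Copy into a local int first, `int tclass = ls->ptos;`, and pass `&tclass, sizeof(tclass)` to the IPV6_TCLASS call. Both setsockopt() return values are also discarded; a failure means the outer packet leaves with the wrong marking and no diagnostic, so an msg(M_WARN, ...) on error would make this debuggable.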
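Review bot: the syshead.h hunk makes PASSTOS_CAPABILITY depend on IPPROTO_IPV6 and IPV6_TCLASS in addition to IP_TOS, so a platform that has IP_TOS but lacks IPV6_TCLASS silently loses the existing IPv4 --passtos support at compile time rather than just the new IPv6 part. Either keep PASSTOS_CAPABILITY keyed on `defined(IPPROTO_IP) && defined(IP_TOS)` and wrap the IPV6_TCLASS branch in link_socket_set_tos and the link_socket_extract_tos_v6 call in their own `#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)`, or say in the commit message that dropping IPv4-only passtos on such platforms is intended.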