From patchwork Thu Mar 7 12:46:16 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3638
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 7 Mar 2024 13:46:16 +0100
Message-ID: <20240307124616.16358-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.43.0
Subject: [Openvpn-devel] [PATCH v5] Minor fix to process_ip_header
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

From: Gianmarco De Gregori

Removed if-guard checking if any feature is enabled before performing
per-feature check. It doesn't save us much but instead introduces
unneeded complexity.

While at it, fixed a typo IMCP -> ICMP for defined PIPV6_ICMP_NOHOST_CLIENT
and PIPV6_ICMP_NOHOST_SERVER macros.

Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/525 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe Frank Lichtenheld diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, &c->c2.buf); #ifdef PACKET_TRUNCATION_CHECK 
@@ -1644,73 +1644,60 @@ } if (!c->options.block_ipv6) { - flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); + flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { - /* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - - if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) + struct buffer ipbuf = *buf; + if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) { - struct buffer ipbuf = *buf; - if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) - { #if PASSTOS_CAPABILITY - /* extract TOS from IP header */ - if (flags & PIPV4_PASSTOS) - { - link_socket_extract_tos(c->c2.link_socket, &ipbuf); - } + /* extract TOS from IP header */ + if (flags & PIPV4_PASSTOS) + { + link_socket_extract_tos(c->c2.link_socket, &ipbuf); + } #endif - /* possibly alter the TCP MSS */ - if (flags & PIP_MSSFIX) - { - mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); - } - - /* possibly do NAT on packet */ - if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) - { - const int direction = (flags & PIP_OUTGOING) ? 
CN_INCOMING : CN_OUTGOING; - client_nat_transform(c->options.client_nat, &ipbuf, direction); - } - /* possibly extract a DHCP router message */ - if (flags & PIPV4_EXTRACT_DHCP_ROUTER) - { - const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf); - if (dhcp_router) - { - route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); - } - } - } - else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) + /* possibly alter the TCP MSS */ + if (flags & PIP_MSSFIX) { - /* possibly alter the TCP MSS */ - if (flags & PIP_MSSFIX) - { - mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); - } - if (!(flags & PIP_OUTGOING) && (flags - &(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) - { - ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); - /* Drop the IPv6 packet */ - buf->len = 0; - } - + mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); } + + /* possibly do NAT on packet */ + if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) + { + const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; + client_nat_transform(c->options.client_nat, &ipbuf, direction); + } + /* possibly extract a DHCP router message */ + if (flags & PIPV4_EXTRACT_DHCP_ROUTER) + { + const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf); + if (dhcp_router) + { + route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); + } + } + } + else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) + { + /* possibly alter the TCP MSS */ + if (flags & PIP_MSSFIX) + { + mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); + } + if (!(flags & PIP_OUTGOING) && (flags + &(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER))) + { + ipv6_send_icmp_unreachable(c, buf, + (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT)); + /* Drop the IPv6 packet */ + buf->len = 0; + } + } } } diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index e19115e..bc00ba5 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
@@ -297,8 +297,9 @@ #define PIP_OUTGOING (1<<2) #define PIPV4_EXTRACT_DHCP_ROUTER (1<<3) #define PIPV4_CLIENT_NAT (1<<4) -#define PIPV6_IMCP_NOHOST_CLIENT (1<<5) -#define PIPV6_IMCP_NOHOST_SERVER (1<<6) +#define PIPV6_ICMP_NOHOST_CLIENT (1<<5) +#define PIPV6_ICMP_NOHOST_SERVER (1<<6) + void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 4344126..712456c 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3645,7 +3645,7 @@ if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */ { - unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER; + unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER; set_prefix(item.instance); item.instance->context.c2.buf = item.buffer->buf;
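Review bot: in the forward.c hunk at @@ -1460,7 +1460,7 @@ the comment above the flag list is stale relative to the flags being passed: it says only that "--passtos and --mssfix options require us to examine the IP header", yet the same flag word also carries PIPV4_CLIENT_NAT and the renamed PIPV6_ICMP_NOHOST_CLIENT. Since the line is being touched anyway, extending the comment to name client NAT and the --block-ipv6 ICMP handling would keep it honest.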
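Review bot: the forward.c hunk at @@ -1644,73 +1644,60 @@ is a behaviour change, not only a simplification, and the commit message should say so. The removed guard `if (flags & (PIP_MSSFIX | PIPV4_PASSTOS | PIPV4_CLIENT_NAT))` gated every per-feature check, so with none of those three set the PIPV4_EXTRACT_DHCP_ROUTER branch and the PIPV6_ICMP_NOHOST_* branch (ipv6_send_icmp_unreachable plus `buf->len = 0`) were silently skipped even when their own flag was set. After the change those branches run whenever their flag survives the option-based clearing, which is the correct outcome but one that users of --block-ipv6 or --route-gateway dhcp will observe as new behaviour. A one-line early return when no action flag remains (for example when only PIP_OUTGOING is left) would also avoid parsing the IP header via is_ipv4()/is_ipv6() on packets that need no processing.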
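Review bot: the forward.h hunk at @@ -297,8 +297,9 @@ adds an unrelated blank line (the lone `+`) before the process_ip_header() prototype alongside the macro rename; that is why the hunk grows from 8 to 9 lines. It is harmless, but whitespace-only churn is better dropped or kept out of a fix commit. The rename itself is safe in the sense that any remaining user of the old PIPV6_IMCP_* spelling will fail to compile rather than silently keep working, so a tree-wide grep for IMCP before merging is the only check needed.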
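Review bot: the multi.c hunk at @@ -3645,7 +3645,7 @@ passes only `PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER`, with no PIP_MSSFIX or PIPV4_CLIENT_NAT. Under the guard removed in forward.c, this call site could therefore only reach the ICMP-unreachable branch when PIPV4_PASSTOS survived the option clearing, i.e. when --passtos was configured; without it --block-ipv6 had no effect on this path (subject to the PIP_OUTGOING check in process_ip_header). With the guard gone that dependency disappears, which is worth a sentence in the commit message since it changes what a server with --block-ipv6 emits.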
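To make the effect of the removed guard concrete, the following is an added model of the dispatch logic in process_ip_header() before and after this patch; it is not OpenVPN's code and is not part of the patch or the thread. Flag values for PIP_OUTGOING, PIPV4_EXTRACT_DHCP_ROUTER, PIPV4_CLIENT_NAT and the two PIPV6_ICMP_NOHOST_* macros are taken from the forward.h hunk; the values assumed for PIPV4_PASSTOS and PIP_MSSFIX, the option-based clearing of PIPV4_PASSTOS, and the assumption that the multi.c call is an incoming (non PIP_OUTGOING) packet are this model's own. The model counts, over every flag combination, how often the old guard changed the outcome, and works through the server flag set from multi.c with --block-ipv6 but without --passtos.

```c
/* Added model (not OpenVPN's code) of process_ip_header() dispatch, before
 * and after removal of the "any feature enabled" guard. */
#include <stdio.h>
#include <stdbool.h>

#define PIPV4_PASSTOS              (1<<0)   /* assumed value, not from the patch */
#define PIP_MSSFIX                 (1<<1)   /* assumed value, not from the patch */
#define PIP_OUTGOING               (1<<2)   /* values below are from forward.h */
#define PIPV4_EXTRACT_DHCP_ROUTER  (1<<3)
#define PIPV4_CLIENT_NAT           (1<<4)
#define PIPV6_ICMP_NOHOST_CLIENT   (1<<5)
#define PIPV6_ICMP_NOHOST_SERVER   (1<<6)

/* Actions the function can take on a packet, returned as a bit set. */
enum action {
    ACT_EXTRACT_TOS  = 1<<0,
    ACT_MSSFIX_V4    = 1<<1,
    ACT_CLIENT_NAT   = 1<<2,
    ACT_DHCP_ROUTER  = 1<<3,
    ACT_MSSFIX_V6    = 1<<4,
    ACT_DROP_V6_ICMP = 1<<5,   /* ipv6_send_icmp_unreachable() + buf->len = 0 */
};

enum family { FAM_IPV4, FAM_IPV6 };

/* Options that clear flags before the per-feature checks. block_ipv6 is
 * visible in the hunk; passtos and client_nat clearing are assumed. */
struct opts {
    bool block_ipv6;
    bool passtos;
    bool client_nat;
};

static unsigned dispatch(unsigned flags, enum family fam,
                         const struct opts *o, bool old_guard)
{
    unsigned acts = 0;

    if (!o->passtos)
        flags &= ~PIPV4_PASSTOS;
    if (!o->block_ipv6)
        flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);

    /* The guard removed by the patch: skip everything unless one of these
     * three flags is set, regardless of which other flags are present. */
    if (old_guard && !(flags & (PIP_MSSFIX | PIPV4_PASSTOS | PIPV4_CLIENT_NAT)))
        return acts;

    if (fam == FAM_IPV4) {
        if (flags & PIPV4_PASSTOS)                        acts |= ACT_EXTRACT_TOS;
        if (flags & PIP_MSSFIX)                           acts |= ACT_MSSFIX_V4;
        if ((flags & PIPV4_CLIENT_NAT) && o->client_nat)  acts |= ACT_CLIENT_NAT;
        if (flags & PIPV4_EXTRACT_DHCP_ROUTER)            acts |= ACT_DHCP_ROUTER;
    } else {
        if (flags & PIP_MSSFIX)                           acts |= ACT_MSSFIX_V6;
        if (!(flags & PIP_OUTGOING) &&
            (flags & (PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
            acts |= ACT_DROP_V6_ICMP;
    }
    return acts;
}

/* Over all 128 flag values and both families, with every option enabled,
 * count the combinations where the old guard changed the outcome. */
int count_behaviour_changes(void)
{
    struct opts o = { .block_ipv6 = true, .passtos = true, .client_nat = true };
    int n = 0;
    for (unsigned f = 0; f < (1u << 7); f++) {
        for (int fam = FAM_IPV4; fam <= FAM_IPV6; fam++) {
            if (dispatch(f, (enum family)fam, &o, true) !=
                dispatch(f, (enum family)fam, &o, false))
                n++;
        }
    }
    return n;
}

/* The multi.c flag set (PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER) on a
 * server with --block-ipv6 but without --passtos, for an IPv6 packet that
 * is assumed to be incoming (no PIP_OUTGOING). */
unsigned server_flags_example(bool old_guard)
{
    struct opts o = { .block_ipv6 = true, .passtos = false, .client_nat = false };
    return dispatch(PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER, FAM_IPV6, &o, old_guard);
}

int main(void)
{
    printf("flag/family combinations whose outcome changed: %d\n",
           count_behaviour_changes());
    printf("server flags, --block-ipv6 without --passtos, IPv6 in: old=%u new=%u\n",
           server_flags_example(true), server_flags_example(false));
    return 0;
}
```

The fourteen combinations the count reports are exactly those where the only set flags are PIP_OUTGOING, PIPV4_EXTRACT_DHCP_ROUTER and the two ICMP flags: there the old guard returned before any per-feature check, so DHCP router extraction and the --block-ipv6 drop never ran. The server example shows the practical case: under the old guard the IPv6 packet passed untouched, after the patch it is answered with ICMP unreachable and dropped.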