From patchwork Wed May 1 12:42:54 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3696
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 1 May 2024 14:42:54 +0200
Message-ID: <20240501124254.29114-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.43.2
Subject: [Openvpn-devel] [PATCH v1] Use topology default of "subnet" only for server mode
From: Frank Lichtenheld

The setting of --topology changes the syntax of --ifconfig. So changing
the default of --topology breaks all existing configs that use
--ifconfig but not --topology. For P2P setups that is probably a
significant percentage. For server setups the percentage is hopefully
lower since --ifconfig is implicitly set by --server. Also more people
might have set their topology explicitly since it makes a much bigger
difference. Clients will usually get the topology and the IP config
pushed by the server.

So we decided to not switch the default for everyone to not affect P2P
setups. What we care about is to change the default for --mode server,
so we only do that now. For people using --server this should be
transparent except for a pool reset.

Change-Id: Iefd209c0856ef395ab74055496130de00b86ead0
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/554
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/Changes.rst b/Changes.rst
index b2278ab..fa0fb22 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -23,11 +23,12 @@ ``persist-key`` option has been enabled by default. All the keys will be kept in memory across restart. -Default for ``--topology`` changed to ``subnet`` - Previous releases used ``net30`` as default. This only affects - configs with ``--dev tun`` and only IPv4. Note that this - changes the semantics of ``--ifconfig``, so if you have manual - settings for that in your config but not set ``--topology`` +Default for ``--topology`` changed to ``subnet`` for ``--mode server`` + Previous releases always used ``net30`` as default. This only affects + configs with ``--mode server`` or ``--server`` (the latter implies the + former), and ``--dev tun``, and only if IPv4 is enabled. + Note that this changes the semantics of ``--ifconfig``, so if you have + manual settings for that in your config but not set ``--topology`` your config might fail to parse with the new version. Just adding ``--topology net30`` to the config should fix the problem. By default ``--topology`` is pushed from server to client. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 1bab84c..5681718 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -137,6 +137,32 @@ } +/** + * Set --topology default depending on --mode + */ +void +helper_setdefault_topology(struct options *o) +{ + if (o->topology != TOP_UNDEF) + { + return; + } + int dev = dev_type_enum(o->dev, o->dev_type); + if (dev != DEV_TYPE_TUN) + { + return; + } + if (o->mode == MODE_SERVER) + { + o->topology = TOP_SUBNET; + } + else + { + o->topology = TOP_NET30; + } +} + + /* * Process server, server-bridge, and client helper * directives after the parameters themselves have been @@ -151,7 +177,6 @@ * Get tun/tap/null device type */ const int dev = dev_type_enum(o->dev, o->dev_type); - const int topology = o->topology; /* * 
@@ -177,11 +202,11 @@ if (o->server_flags & SF_NOPOOL) { - msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" ); + msg(M_USAGE, "--server-ipv6 is incompatible with 'nopool' option"); } if (o->ifconfig_ipv6_pool_defined) { - msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly"); + msg(M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly"); } o->mode = MODE_SERVER; @@ -207,7 +232,7 @@ o->server_netbits_ipv6 < 112 ? 0x1000 : 2); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; - push_option( o, "tun-ipv6", M_USAGE ); + push_option(o, "tun-ipv6", M_USAGE); } /* @@ -305,8 +330,10 @@ o->mode = MODE_SERVER; o->tls_server = true; + /* Need to know topology now */ + helper_setdefault_topology(o); - if (topology == TOP_NET30 || topology == TOP_P2P) + if (o->topology == TOP_NET30 || o->topology == TOP_P2P) { o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); o->ifconfig_remote_netmask = print_in_addr_t(o->server_network + 2, 0, &o->gc); @@ -324,12 +351,12 @@ { push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc), M_USAGE); } - else if (topology == TOP_NET30) + else if (o->topology == TOP_NET30) { push_option(o, print_opt_route(o->server_network + 1, 0, &o->gc), M_USAGE); } } - else if (topology == TOP_SUBNET) + else if (o->topology == TOP_SUBNET) { o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); o->ifconfig_remote_netmask = print_in_addr_t(o->server_netmask, 0, &o->gc); 
@@ -354,9 +381,9 @@ ASSERT(0); } - push_option(o, print_opt_topology(topology, &o->gc), M_USAGE); + push_option(o, print_opt_topology(o->topology, &o->gc), M_USAGE); - if (topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL)) + if (o->topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL)) { msg(M_WARN, "WARNING: --topology net30 support for server " "configs with IPv4 pools will be removed in a future " @@ -394,7 +421,7 @@ } /* set push-ifconfig-constraint directive */ - if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET)) + if ((dev == DEV_TYPE_TAP || o->topology == TOP_SUBNET)) { o->push_ifconfig_constraint_defined = true; o->push_ifconfig_constraint_network = o->server_network; diff --git a/src/openvpn/helper.h b/src/openvpn/helper.h index d0fd17d..6b42e13 100644 --- a/src/openvpn/helper.h +++ b/src/openvpn/helper.h @@ -30,6 +30,8 @@ #include "options.h" +void helper_setdefault_topology(struct options *o); + void helper_keepalive(struct options *o); void helper_client_server(struct options *o); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e2bfe0e..07387cd 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -796,7 +796,7 @@ o->gc_owned = true; } o->mode = MODE_POINT_TO_POINT; - o->topology = TOP_SUBNET; + o->topology = TOP_UNDEF; o->ce.proto = PROTO_UDP; o->ce.af = AF_UNSPEC; o->ce.bind_ipv6_only = false; @@ -3478,6 +3478,7 @@ } } + /** * Checks for availibility of Chacha20-Poly1305 and sets * the ncp_cipher to either AES-256-GCM:AES-128-GCM or @@ -3680,6 +3681,8 @@ * sequences of options. */ helper_client_server(o); + /* must be called after helpers that might set --mode */ + helper_setdefault_topology(o); helper_keepalive(o); helper_tcp_nodelay(o);
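Review bot: in the Changes.rst hunk the rewritten entry leaves out the user-visible side effect the commit message itself calls out, namely that --server configs without an explicit --topology now get a different pool layout (the "pool reset"), so existing clients will be handed different addresses after the upgrade. Suggest adding a sentence such as "Existing --server configs will assign different addresses from the pool unless --topology net30 is set explicitly", and stating outright that --mode p2p configs keep net30, since "only affects configs with --mode server" leaves the reader to infer it.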
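Review bot: helper_setdefault_topology() in the @@ -137 hunk of helper.c returns early when dev_type_enum() does not yield DEV_TYPE_TUN, and with the initialiser in options.c (@@ -796) now set to TOP_UNDEF instead of TOP_SUBNET, --dev tap and --dev null configs end up with o->topology == TOP_UNDEF where they previously carried a concrete value. Please confirm that nothing later compares, prints or pushes o->topology for non-tun devices in a way that treats TOP_UNDEF differently from TOP_SUBNET; if anything does, the function should fall through to a default for those devices as well rather than returning.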
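Review bot: helper_setdefault_topology() is now invoked twice on the --server path, once inside helper_client_server() (@@ -305, "Need to know topology now") and again from options.c right after helper_client_server() returns (@@ -3680). That is harmless because the first call replaces TOP_UNDEF and the second then returns immediately, but the options.c comment "must be called after helpers that might set --mode" reads as if it were the only call site; suggest extending it, e.g. "/* no-op when helper_client_server() already resolved it for --server */". Since the resolution now happens this late in option processing, also double-check that no code running between option initialisation and this point reads o->topology while it is still TOP_UNDEF.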
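Review bot: the @@ -177 and @@ -207 hunks in helper.c only strip the stray spaces inside msg( ... ) and push_option( ... ), and the @@ -3478 hunk in options.c adds an extra blank line in front of the Chacha20 doc comment; none of these touch the topology change. If the whitespace cleanups are demanded by the project's formatting check they can stay, but the added blank line looks accidental and should be dropped, and the unrelated cleanups would be easier to review in their own commit.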