From patchwork Sat Dec 14 23:19:32 2024
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4001
Message-ID: <6a00da72-dc11-409e-9d47-4694e1d6f02f@gmx.de>
Date: Sun, 15 Dec 2024 00:19:32 +0100
To: openvpn-devel@lists.sourceforge.net
In-Reply-To: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de>
Subject: [Openvpn-devel] [PATCH 1/2] port-share: Normalize IPv4-mapped IPv6 addresses
From: corubba

Before passing IPv4-mapped IPv6 addresses to the proxy journal, translate them to plain IPv4 addresses. Whether the connection was accepted by OpenVPN on a "dual stack" socket is of no importance to the proxy receiver.

Signed-off-by: corubba
---
 src/openvpn/ps.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
--
2.47.1

diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index 06bf91a8..36ea63b8 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
@@ -330,6 +330,22 @@ proxy_list_housekeeping(struct proxy_connection **list) } } +/* + * In-place transformation of an openvpn_sockaddr with an IPv4-mapped IPv6 + * address to one with a plain IPv4 address. No-op otherwise. + */ +static void +transform_mapped_v4_sockaddr(struct openvpn_sockaddr *sock) +{ + if (sock->addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&sock->addr.in6.sin6_addr)) + { + sock->addr.in4.sin_family = AF_INET; + /* sin_port and sin6_port are the same already */ + memcpy(&sock->addr.in4.sin_addr, &sock->addr.in6.sin6_addr.s6_addr[12], 4); + memset(&sock->addr.in4 + 1, 0, sizeof(sock->addr) - sizeof(sock->addr.in4)); + } +} + /* * Record IP/port of client in filesystem, so that server receiving * the proxy can determine true client origin. 
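Review bot: the memset in transform_mapped_v4_sockaddr, `memset(&sock->addr.in4 + 1, 0, sizeof(sock->addr) - sizeof(sock->addr.in4));`, is correct only because no member of the union is smaller than in4 and the mapped IPv4 bytes sit at `s6_addr[12]`, and neither assumption is stated; a comment on both would help, and the literal 12 could be written as `sizeof(struct in6_addr) - sizeof(struct in_addr)`. An alternative that needs no offset arithmetic at all is to build a zero-initialised `struct openvpn_sockaddr tmp`, set `tmp.addr.in4.sin_family`, `sin_port` and `sin_addr` from the IPv6 fields, and assign `*sock = tmp`.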
@@ -349,6 +365,8 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c if (!getpeername(pc->sd, (struct sockaddr *) &from.addr.sa, &slen) && !getsockname(cp->sd, (struct sockaddr *) &to.addr.sa, &dlen)) { + transform_mapped_v4_sockaddr(&from); + transform_mapped_v4_sockaddr(&to); const char *f = print_openvpn_sockaddr(&from, &gc); const char *t = print_openvpn_sockaddr(&to, &gc); fnlen = strlen(journal_dir) + strlen(t) + 2;
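Review bot: this is a visible behaviour change for existing journal consumers, and the commit message only gives the rationale. For clients accepted on a dual-stack socket, the journal file name (built from `t`) and its content (`f`) now carry plain IPv4 addresses where they previously carried the IPv4-mapped IPv6 form, so a receiver-side integration that matches on the old form stops matching after the upgrade. Please say so in the commit message and add a Changes.rst entry.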
From patchwork Sat Dec 14 23:20:40 2024
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4002
Message-ID: <6fbf5828-05ad-47fd-8093-a4feb54f6f6c@gmx.de>
Date: Sun, 15 Dec 2024 00:20:40 +0100
To: openvpn-devel@lists.sourceforge.net
In-Reply-To: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de>
Subject: [Openvpn-devel] [PATCH 2/2] port-share: Add proxy protocol v2 support
From: corubba

In addition to the custom journal solution, also support the widely used binary PROXY protocol version 2 to convey the original client connection parameters to the proxy receiver. This makes the port-share journal feature more accessible and easier to use, because one doesn't need a custom integration.

While this is a spec-compliant sender implementation of the PROXY protocol, it does not implement it in full. Version 1 was left out entirely, in favour of the superior and easier-to-implement version 2. The implementation was also kept minimal with regards to what OpenVPN supports/requires: Local commands, unix sockets, UDP and TLVs are not implemented.
Signed-off-by: corubba
---
 doc/man-sections/server-options.rst | 4 +
 src/openvpn/ps.c | 110 +++++++++++++++++++++++++++-
 2 files changed, 113 insertions(+), 1 deletion(-)
--
2.47.1

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index 3fe9862c..5fdd4a22 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -435,6 +435,10 @@ fast hardware. SSL/TLS authentication must be used in this mode. the origin of the connection. Each generated file will be automatically deleted when the proxied connection is torn down. + ``dir`` can be set to the special value ``proxy_protocol_v2`` to make + OpenVPN use the binary PROXY protocol version 2 towards the proxy receiver. + No temporary files will be written in this mode. + Not implemented on Windows. --push option
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index 36ea63b8..b5d04c5b 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
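Review bot: overloading the ``dir`` argument with the magic value ``proxy_protocol_v2`` means a relative journal directory of that name can no longer be configured, and the text does not say that the match is literal; either state that, or introduce a separate keyword so the path argument stays a path. The documentation should also tell the operator that the receiver behind port-share must be configured to expect a PROXY v2 header on every connection from OpenVPN, since a receiver that is not will read the 12-byte signature as the start of its own protocol and reject the connection, and that it should accept the header only from the OpenVPN host, because the header asserts an arbitrary client address.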
@@ -393,6 +393,107 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c gc_free(&gc); } +/* + * Send the proxy protocol v2 binary header, so that the receiving + * server knows the true client connection parameters. + */ +static void +send_proxy_protocol_v2_header(const struct proxy_connection *const pc, const struct proxy_connection *const cp) +{ + static const uint8_t PP2_AF_UNSPEC = 0x0, PP2_AF_INET = 0x1, PP2_AF_INET6 = 0x2; + static const uint8_t PP2_PROTO_STREAM = 0x1; + + struct openvpn_sockaddr src, dst; + socklen_t src_len, dst_len; + unsigned char header[52] = { + "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" /* signature */ + "\x21" /* version=2 + command=proxy */ + /* initialize the rest to zero for now */ + }; + uint8_t addr_fam, header_len = 16; + uint16_t addr_len; + + src_len = sizeof(src.addr); + dst_len = sizeof(dst.addr); + if (0 != getpeername(pc->sd, &src.addr.sa, &src_len) + || 0 != getsockname(pc->sd, &dst.addr.sa, &dst_len)) + { + msg(M_WARN, "PORT SHARE PROXY: getting client connection parameters failed"); + src.addr.sa.sa_family = dst.addr.sa.sa_family = AF_UNSPEC; + } + + transform_mapped_v4_sockaddr(&src); + transform_mapped_v4_sockaddr(&dst); + if (src.addr.sa.sa_family != dst.addr.sa.sa_family) + { + msg(M_WARN, "PORT SHARE PROXY: address family mismatch between peer and socket"); + /* src wins, because that is usually the more important info */ + dst.addr.sa.sa_family = src.addr.sa.sa_family; + } + + if (msg_test(D_PS_PROXY_DEBUG)) + { + struct gc_arena gc = gc_new(); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client connection is %s -> %s", + print_openvpn_sockaddr(&src, &gc), print_openvpn_sockaddr(&dst, &gc)); + gc_free(&gc); + } + + switch (src.addr.sa.sa_family) + { + case AF_INET: + addr_fam = PP2_AF_INET; + addr_len = 12; + ASSERT(4 >= sizeof(src.addr.in4.sin_addr)); + ASSERT(4 >= sizeof(dst.addr.in4.sin_addr)); + memcpy(&header[16], &src.addr.in4.sin_addr, sizeof(src.addr.in4.sin_addr)); + 
memcpy(&header[20], &dst.addr.in4.sin_addr, sizeof(dst.addr.in4.sin_addr)); + ASSERT(2 >= sizeof(src.addr.in4.sin_port)); + ASSERT(2 >= sizeof(dst.addr.in4.sin_port)); + memcpy(&header[24], &src.addr.in4.sin_port, sizeof(src.addr.in4.sin_port)); + memcpy(&header[26], &dst.addr.in4.sin_port, sizeof(dst.addr.in4.sin_port)); + break; + + case AF_INET6: + addr_fam = PP2_AF_INET6; + addr_len = 36; + ASSERT(16 >= sizeof(src.addr.in6.sin6_addr)); + ASSERT(16 >= sizeof(dst.addr.in6.sin6_addr)); + memcpy(&header[16], &src.addr.in6.sin6_addr, sizeof(src.addr.in6.sin6_addr)); + memcpy(&header[32], &dst.addr.in6.sin6_addr, sizeof(dst.addr.in6.sin6_addr)); + ASSERT(2 >= sizeof(src.addr.in6.sin6_port)); + ASSERT(2 >= sizeof(dst.addr.in6.sin6_port)); + memcpy(&header[48], &src.addr.in6.sin6_port, sizeof(src.addr.in6.sin6_port)); + memcpy(&header[50], &dst.addr.in6.sin6_port, sizeof(dst.addr.in6.sin6_port)); + break; + + /* AF_UNIX is currently not suppported by OpenVPN */ + + default: + addr_fam = PP2_AF_UNSPEC; + addr_len = 0; + break; + } + + const uint8_t proto = PP2_PROTO_STREAM; /* DGRAM is currently not supported by port-share */ + header[13] = (addr_fam << 4) | proto; + + /* TLV is currently not implemented */ + + header_len += addr_len; + const uint16_t addr_len_n = htons(addr_len); + memcpy(&header[14], &addr_len_n, sizeof(addr_len_n)); + + ASSERT(header_len <= sizeof(header)); + const socket_descriptor_t sd = cp->sd; + const int status = send(sd, header, header_len, MSG_NOSIGNAL); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: proxy protocol v2 wrote[%d] %d", (int) sd, status); + if (status < (int) header_len) + { + msg(M_WARN, "PORT SHARE PROXY: failed to send proxy protocol v2 header"); + } +} + /* * Cleanup function, on proxy process exit. */ 
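Review bot: a failed or short `send()` at the end of send_proxy_protocol_v2_header is only logged with M_WARN and the function returns void, so proxy_entry_new goes on relaying the client's bytes onto a missing or truncated header, and the receiver then either drops the connection or parses client data as the header. Return a status and have the caller tear the connection down on anything but a complete write (or loop on the remainder for a short write, if the socket is non-blocking), because the PROXY header has to arrive complete before any payload. Smaller points: the `ASSERT(4 >= sizeof(...))` and `ASSERT(2 >= sizeof(...))` checks should be `==`, since a smaller type would copy too few bytes into the slots and leave the rest of the field zero rather than fail; on the address-family mismatch path the dst bytes are still copied as if they were of src's family, so zeroing dst there is safer than reinterpreting them; and `MSG_NOSIGNAL` is not available on every platform OpenVPN builds port-share on (macOS lacks it), so it needs a fallback define or SO_NOSIGPIPE handling.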
@@ -488,7 +589,14 @@ proxy_entry_new(struct proxy_connection **list, /* add journal entry */ if (journal_dir) { - journal_add(journal_dir, pc, cp); + if (0 == strcmp("proxy_protocol_v2", journal_dir)) + { + send_proxy_protocol_v2_header(pc, cp); + } + else + { + journal_add(journal_dir, pc, cp); + } } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client, (int)sd_server);
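As an added example (not OpenVPN's or this patch's code), a receiver-side decoder for the PROXY v2 header layout that the hunks above emit; it shows what a port-share target has to check before trusting the conveyed client address, including the truncated and malformed cases. The sample headers are constructed by hand from documentation addresses and are the exact bytes the sender would produce for those connections.

```c
/* Receiver-side decoder for the PROXY protocol v2 header emitted by the patch's
 * send_proxy_protocol_v2_header(). Added example, not OpenVPN code; the sample
 * headers are constructed by hand from RFC 5737 / RFC 3849 documentation addresses. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#define PP2_FIXED_LEN 16 /* signature + ver/cmd + fam/proto + 16-bit length */

static const uint8_t PP2_SIGNATURE[12] =
    { 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A };

struct pp2_header {
    uint8_t  command;  /* 0x0 LOCAL, 0x1 PROXY */
    uint8_t  family;   /* 0x0 UNSPEC, 0x1 INET, 0x2 INET6 */
    uint8_t  proto;    /* 0x1 STREAM, 0x2 DGRAM */
    uint16_t addr_len; /* length field: address block plus any TLVs */
    char     src_ip[INET6_ADDRSTRLEN];
    char     dst_ip[INET6_ADDRSTRLEN];
    uint16_t src_port; /* host byte order */
    uint16_t dst_port;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one v2 header at the start of buf. Returns the bytes it occupies
 * (16 + addr_len), 0 if more input is needed, or -1 if buf does not start with a
 * valid v2 header; a receiver that expects the header must drop the connection
 * on -1 rather than guess that the header is absent (the spec forbids guessing). */
static int
pp2_parse(const uint8_t *buf, size_t len, struct pp2_header *out)
{
    if (len < PP2_FIXED_LEN) { return 0; }
    if (memcmp(buf, PP2_SIGNATURE, sizeof(PP2_SIGNATURE)) != 0) { return -1; }
    if ((buf[12] >> 4) != 0x2) { return -1; } /* only version 2 */
    memset(out, 0, sizeof(*out));
    out->command  = buf[12] & 0x0F;
    out->family   = buf[13] >> 4;
    out->proto    = buf[13] & 0x0F;
    out->addr_len = be16(&buf[14]);
    size_t total = PP2_FIXED_LEN + out->addr_len;
    if (len < total) { return 0; }
    const uint8_t *a = buf + PP2_FIXED_LEN;
    switch (out->family) {
    case 0x1: /* INET: 4+4 address bytes, then 2+2 port bytes */
        if (out->addr_len < 12) { return -1; }
        inet_ntop(AF_INET, a, out->src_ip, sizeof(out->src_ip));
        inet_ntop(AF_INET, a + 4, out->dst_ip, sizeof(out->dst_ip));
        out->src_port = be16(a + 8);
        out->dst_port = be16(a + 10);
        break;
    case 0x2: /* INET6: 16+16 address bytes, then 2+2 port bytes */
        if (out->addr_len < 36) { return -1; }
        inet_ntop(AF_INET6, a, out->src_ip, sizeof(out->src_ip));
        inet_ntop(AF_INET6, a + 16, out->dst_ip, sizeof(out->dst_ip));
        out->src_port = be16(a + 32);
        out->dst_port = be16(a + 34);
        break;
    case 0x0: /* UNSPEC: the sender's fallback; use the real socket addresses */
        break;
    default:
        return -1;
    }
    return (int)total;
}

/* Constructed: the header for TCP 203.0.113.5:51234 -> 198.51.100.7:1194 */
static const uint8_t SAMPLE_V4_HEADER[28] = {
    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
    0x21, 0x11, 0x00, 0x0C, /* v2 PROXY, INET STREAM, 12 address bytes */
    203, 0, 113, 5, 198, 51, 100, 7, 0xC8, 0x22, 0x04, 0xAA
};

/* Constructed: the header for TCP [2001:db8::1]:443 -> [2001:db8::2]:1194 */
static const uint8_t SAMPLE_V6_HEADER[52] = {
    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A,
    0x21, 0x21, 0x00, 0x24, /* v2 PROXY, INET6 STREAM, 36 address bytes */
    0x20, 0x01, 0x0D, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,
    0x20, 0x01, 0x0D, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02,
    0x01, 0xBB, 0x04, 0xAA
};

/* Parse and compare with the expected endpoints: bytes consumed on a full match,
 * -2 on a field mismatch, otherwise pp2_parse's own result (so the truncated and
 * malformed cases can be checked with dummy endpoints). */
static int
check_header(const uint8_t *buf, size_t len, const char *src, unsigned sport,
             const char *dst, unsigned dport)
{
    struct pp2_header h;
    int n = pp2_parse(buf, len, &h);
    if (n <= 0) { return n; }
    if (h.command != 0x1 || h.proto != 0x1) { return -2; }
    if (strcmp(h.src_ip, src) != 0 || strcmp(h.dst_ip, dst) != 0) { return -2; }
    return (h.src_port == sport && h.dst_port == dport) ? n : -2;
}
```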
From patchwork Sat Dec 14 23:21:31 2024
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4003
Message-ID: <27c62e07-1f28-4e2a-b68d-32963f6d6da9@gmx.de>
Date: Sun,
15 Dec 2024 00:21:31 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: openvpn-devel@lists.sourceforge.net References: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de> Content-Language: de-CH In-Reply-To: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de> X-Provags-ID: V03:K1:DoTpvlDDoFdfbl7ndtYsNb6ff0Ci6DWb7Z4uDtNXeJEDWD1Qpdi aXFhM6Wb5M8g/6A+dThOQvao1TdXfRRfYREDvFkJGsrfHvjiyXKpt/CRXSj4PerfcY4D+n6 +qmxbl/W6d6GYvzSleCjNrkC0OMVpgBBxp4RIY3znRMFc1Od3hAH1eiCWR8tSIiAwS1hPNm T7N13lbye7oDk2j2uHyNg== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:AJgC/zHpC80=;Orhq1itdwzM4obF3nNrSaZngxdC /ZS4k6JKkMht4h5Bf2dQHJwXJvHrelwbmm/n4IxhWK6oaLQ6rZ8zSJsNwi1j7amM8FnouCV94 0opMh3MTWqJEXeeOE2bQVWOAVk5TW2AS+tT4Ysea6qNysfAUmoTYW+ldfVHFlD+JB6siseqHz LK/BA1FMBuqs9dow+EMmTDlS4NOuXWx78mqvtAv3smiznNf9FUV9pX8idAjXcpiXcRrf/X1ot wNLbDInd4Ji4T8LeEtVuG46lEsn505QQO/iXSLyrwDlJT55mHiRjnE9xTw8sx4Jm8Nhe3ZfBD 2XXlTuye+g2e6Mcy33ytzZms0ZVR32mq9v6od3MZq1b4kVGF/aH7w866s5n2Hivl60WCpE2tC kc9yWh4j5kot0wAaetT8pPVrnA84HoQcxSvFDp0cL6HKHusz8B3esyzL53LoofpJ6Zre4E11t FZx5/lS+tE7U3OESbSW06czTDDZBBn5Iyv/ZM7gsHbG7dkhaQwGXBIFggKp+n6N6kENIFQL8I YoPyz3UGmhH1pvHXRvOK8SHC8tlRMZCuCIHcsSdyauAUbPglbXYXlFfEg+QHSIzNsGIB3HllV OKkiDLrETtBqyBJ2QrQDULI2g/txTsRHgmuaFb+CqHw0dNpDuUOx7MVUB5hAY0W1n3MhOrVSJ xVosTILtXDwwAPHFOC8NLwDZNs6S055CWr9U3kitE4sHxqPIYei7K5YFbpF+kmEpmOUBzUg2r Rxohs55fOFXyNvNAt6mkX3QsLA1H9dcOupe5O8RLCuFyhmXPtmPueYORbi977JLQVDelu4cfS ls+gdIvDBdyfeM6qx3yuKJ24RlgwnMOSilvUVhRZ2UNJaH41kawbCG9l4ITqNS4FZx1UKQW9a rfcbfNARqwEVlc+7Cl4qK2AkeNcjctfwQ5qZV82L4cEenhs4FNGnrCoCLsm2HOUMVHtomTU7L FN2rSFMNl/RoYXnj4ItbnuTpbO6CJpBvo9p3EGgm/zW/xVjrvczrg4EwzzUa2pheVcXGu/tVO U2JsJUKiufZJS3rCIa7piD8WzsqPR+tGfBOnUSvoYMgTb8Z42ij2ehSYjfRI1fS2LcsgzWSYr Pu7juOI/6R/ARZOvVnsrhKyIY7akrf X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. 
The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Subject: [PATCH 3/3] port-share: Add unix-socket and udp support for proxy protocol v2 Just in case it is ever needed. 
Subject: [Openvpn-devel] [PATCH 3/2] port-share: Add unix-socket and udp support for proxy protocol
From: corubba
Subject: [PATCH 3/3] port-share: Add unix-socket and udp support for proxy protocol v2

Just in case it is ever needed.

Signed-off-by: corubba
---
 src/openvpn/ps.c | 42 +++++++++++++++++++++++++++++++++++-------
 src/openvpn/socket.h | 1 +
 2 files changed, 36 insertions(+), 7 deletions(-)
-- 2.47.1

diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c index b5d04c5b..b34df315 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c @@ -400,18 +400,19 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c static void send_proxy_protocol_v2_header(const struct proxy_connection *const pc, const struct proxy_connection *const cp) { - static const uint8_t PP2_AF_UNSPEC = 0x0, PP2_AF_INET = 0x1, PP2_AF_INET6 = 0x2; - static const uint8_t PP2_PROTO_STREAM = 0x1; + static const uint8_t PP2_AF_UNSPEC = 0x0, PP2_AF_INET = 0x1, PP2_AF_INET6 = 0x2, PP2_AF_UNIX = 0x3; + static const uint8_t PP2_PROTO_UNSPEC = 0x0, PP2_PROTO_STREAM = 0x1, PP2_PROTO_DGRAM = 0x2; struct openvpn_sockaddr src, dst; - socklen_t src_len, dst_len; - unsigned char header[52] = { + socklen_t src_len, dst_len, socket_type_len; + unsigned char header[232] = { "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" /* signature */ "\x21" /* version=2 + command=proxy */ /* initialize the rest to zero for now */ }; - uint8_t addr_fam, header_len = 16; + uint8_t addr_fam, proto, header_len = 16; uint16_t addr_len; + int socket_type; src_len = sizeof(src.addr); dst_len = sizeof(dst.addr); 
@@ -467,7 +468,14 @@ send_proxy_protocol_v2_header(const struct proxy_connection *const pc, const str memcpy(&header[50], &dst.addr.in6.sin6_port, sizeof(dst.addr.in6.sin6_port)); break; - /* AF_UNIX is currently not suppported by OpenVPN */ + case AF_UNIX: + addr_fam = PP2_AF_UNIX; + addr_len = 216; + ASSERT(108 >= sizeof(src.addr.un.sun_path)); + ASSERT(108 >= sizeof(dst.addr.un.sun_path)); + memcpy(&header[16], &src.addr.un.sun_path, 108); + memcpy(&header[124], &dst.addr.un.sun_path, 108); + break; default: addr_fam = PP2_AF_UNSPEC; @@ -475,7 +483,27 @@ send_proxy_protocol_v2_header(const struct proxy_connection *const pc, const str break; } - const uint8_t proto = PP2_PROTO_STREAM; /* DGRAM is currently not supported by port-share */ + socket_type_len = sizeof(socket_type); + if (0 != getsockopt(pc->sd, SOL_SOCKET, SO_TYPE, &socket_type, &socket_type_len)) + { + msg(M_WARN, "PORT SHARE PROXY: getting socket type failed"); + socket_type = -1; /* fallback to unspec */ + } + switch (socket_type) + { + case SOCK_STREAM: + proto = PP2_PROTO_STREAM; + break; + + case SOCK_DGRAM: + proto = PP2_PROTO_DGRAM; + break; + + default: + proto = PP2_PROTO_UNSPEC; + break; + } + header[13] = (addr_fam << 4) | proto; /* TLV is currently not implemented */ diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 465d92ba..3578b3c3 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -69,6 +69,7 @@ struct openvpn_sockaddr struct sockaddr sa; struct sockaddr_in in4; struct sockaddr_in6 in6; + struct sockaddr_un un; } addr; };
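Review bot: in the declarations hunk (@@ -400,18 +400,19 @@), `header_len` stays a `uint8_t` while the buffer grows to `header[232]`; the AF_UNIX path later needs 16 + 216 = 232, which still fits, but only just, so a `static_assert(sizeof(header) <= UINT8_MAX, ...)` or a comment next to the array would make it clear why the narrow counter remains safe if someone later adds TLVs to the same buffer.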
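Review bot: the AF_UNIX case (@@ -467,7 +468,14 @@) copies a fixed 108 bytes out of `sun_path`, but the guard `ASSERT(108 >= sizeof(src.addr.un.sun_path))` checks the opposite direction: it passes on platforms where `sun_path` is shorter than 108 bytes (BSD and macOS use 104), and then `memcpy(&header[16], &src.addr.un.sun_path, 108)` reads past the end of the field. Independently, `src` and `dst` are declared without an initialiser, so whatever sits after the terminating NUL in `sun_path` is stack residue that this copy forwards to the backend inside the PROXY header. Suggest copying at most `sizeof(sun_path)` bytes, bounded by the path's actual length (`strnlen`), and letting the zero-initialised `header` supply the padding; the size check does not depend on runtime state, so it belongs in a compile-time assertion rather than an `ASSERT` that aborts the process.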
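Review bot: the `getsockopt(SO_TYPE)` failure path (@@ -475,7 +483,27 @@) logs with `M_WARN` alone, which drops the reason; `M_WARN | M_ERRNO` would record errno, and since the fallback silently emits `PP2_PROTO_UNSPEC`, that log line is the only hint an operator gets when the downstream proxy rejects the header. The commit message should also say why the per-connection syscall is preferable to the compile-time constant it replaces: the removed comment states that port-share does not support DGRAM today, so the new switch is purely forward-looking and a reader of the log will otherwise wonder which path is ever taken.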
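Review bot: adding `struct sockaddr_un un;` to the `openvpn_sockaddr` union (socket.h, @@ -69,6 +69,7 @@) requires `<sys/un.h>` (or `<afunix.h>` on Windows), and neither an include nor a platform guard is part of this hunk; if socket.h does not already pull it in, every translation unit that includes the header stops compiling. It also grows the union on Linux from 28 bytes (`sockaddr_in6`) to 110 bytes for every `openvpn_sockaddr` in the process, including the many that never hold a unix address; that may be acceptable, but it belongs in the commit message.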