From patchwork Thu Dec 26 22:10:14 2024
X-Patchwork-Submitter: corubba
X-Patchwork-Id: 4020
Date: Thu, 26 Dec 2024 23:10:14 +0100
To: openvpn-devel@lists.sourceforge.net
References: <7e42399c-3a94-40a2-bcaa-15545c3b761c@gmx.de> <6a00da72-dc11-409e-9d47-4694e1d6f02f@gmx.de> <86c60a4f-685e-4157-ad10-6de03bb2eef0@gmx.de>
Subject: [Openvpn-devel] [PATCH v3 2/2] port-share: Add proxy protocol v2 support
From: corubba

In addition to the custom journal solution, also support the widely used
binary PROXY protocol version 2 to convey the original client connection
parameters to the proxy receiver. This makes the port-share journal feature
more accessible and easier to use, because one doesn't need a custom
integration.

While this is a spec-compliant [0] sender implementation of the PROXY
protocol, it does not implement it in full. Version 1 was left out entirely,
in favour of the superior and easier-to-implement version 2. The
implementation was also kept minimal with regards to what OpenVPN
supports/requires: Local commands, unix sockets, UDP and TLVs are not
implemented.

[0] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
Signed-off-by: Corubba Smith --- doc/man-sections/server-options.rst | 4 ++ src/openvpn/ps.c | 102 +++++++++++++++++++++++++++- 2 files changed, 105 insertions(+), 1 deletion(-) -- 2.47.1 diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 3fe9862c..5fdd4a22 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -435,6 +435,10 @@ fast hardware. SSL/TLS authentication must be used in this mode. the origin of the connection. Each generated file will be automatically deleted when the proxied connection is torn down. + ``dir`` can be set to the special value ``proxy_protocol_v2`` to make + OpenVPN use the binary PROXY protocol version 2 towards the proxy receiver. + No temporary files will be written in this mode. + Not implemented on Windows. --push option diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c index d12ac9e6..5cba2d64 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c 
@@ -375,6 +375,99 @@ journal_add(const char *journal_dir, struct proxy_connection *pc, struct proxy_c gc_free(&gc); } +/* + * Send the proxy protocol v2 binary header, so that the receiving + * server knows the true client connection parameters. + */ +static void +send_proxy_protocol_v2_header(const struct proxy_connection *const pc, const struct proxy_connection *const cp) +{ + static const uint8_t PP2_AF_UNSPEC = 0x0, PP2_AF_INET = 0x1, PP2_AF_INET6 = 0x2; + static const uint8_t PP2_PROTO_STREAM = 0x1; + + struct openvpn_sockaddr src, dst; + socklen_t src_len, dst_len; + unsigned char header[52] = { + "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" /* signature */ + "\x21" /* version=2 + command=proxy */ + /* initialize the rest to zero for now */ + }; + uint8_t addr_fam, header_len = 16; + uint16_t addr_len; + + src_len = sizeof(src.addr); + dst_len = sizeof(dst.addr); + if (0 != getpeername(pc->sd, &src.addr.sa, &src_len) + || 0 != getsockname(pc->sd, &dst.addr.sa, &dst_len)) + { + msg(M_WARN, "PORT SHARE PROXY: getting client connection parameters failed"); + src.addr.sa.sa_family = dst.addr.sa.sa_family = AF_UNSPEC; + } + + transform_mapped_v4_sockaddr(&src); + transform_mapped_v4_sockaddr(&dst); + if (src.addr.sa.sa_family != dst.addr.sa.sa_family) + { + msg(M_WARN, "PORT SHARE PROXY: address family mismatch between peer and socket"); + /* src wins, because that is usually the more important info */ + dst.addr.sa.sa_family = src.addr.sa.sa_family; + } + + if (msg_test(D_PS_PROXY_DEBUG)) + { + struct gc_arena gc = gc_new(); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: client connection is %s -> %s", + print_openvpn_sockaddr(&src, &gc), print_openvpn_sockaddr(&dst, &gc)); + gc_free(&gc); + } + + switch (src.addr.sa.sa_family) + { + case AF_INET: + addr_fam = PP2_AF_INET; + addr_len = 12; + memcpy(&header[16], &src.addr.in4.sin_addr, 4); + memcpy(&header[20], &dst.addr.in4.sin_addr, 4); + memcpy(&header[24], &src.addr.in4.sin_port, 2); + memcpy(&header[26], 
&dst.addr.in4.sin_port, 2); + break; + + case AF_INET6: + addr_fam = PP2_AF_INET6; + addr_len = 36; + memcpy(&header[16], &src.addr.in6.sin6_addr, 16); + memcpy(&header[32], &dst.addr.in6.sin6_addr, 16); + memcpy(&header[48], &src.addr.in6.sin6_port, 2); + memcpy(&header[50], &dst.addr.in6.sin6_port, 2); + break; + + /* AF_UNIX is currently not suppported by OpenVPN */ + + default: + addr_fam = PP2_AF_UNSPEC; + addr_len = 0; + break; + } + + const uint8_t proto = PP2_PROTO_STREAM; /* DGRAM is currently not supported by port-share */ + header[13] = (addr_fam << 4) | proto; + + /* TLV is currently not implemented */ + + header_len += addr_len; + const uint16_t addr_len_n = htons(addr_len); + memcpy(&header[14], &addr_len_n, sizeof(addr_len_n)); + + ASSERT(header_len <= sizeof(header)); + const socket_descriptor_t sd = cp->sd; + const int status = send(sd, header, header_len, MSG_NOSIGNAL); + dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: proxy protocol v2 wrote[%d] %d", (int) sd, status); + if (status < (int) header_len) + { + msg(M_WARN, "PORT SHARE PROXY: failed to send proxy protocol v2 header"); + } +} + /* * Cleanup function, on proxy process exit. */ @@ -470,7 +563,14 @@ proxy_entry_new(struct proxy_connection **list, /* add journal entry */ if (journal_dir) { - journal_add(journal_dir, pc, cp); + if (0 == strcmp("proxy_protocol_v2", journal_dir)) + { + send_proxy_protocol_v2_header(pc, cp); + } + else + { + journal_add(journal_dir, pc, cp); + } } dmsg(D_PS_PROXY_DEBUG, "PORT SHARE PROXY: NEW CONNECTION [c=%d s=%d]", (int)sd_client, (int)sd_server);
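Review bot: the new paragraph in server-options.rst should say that ``proxy_protocol_v2`` is a reserved value for ``dir`` (the mode is selected in proxy_entry_new by `strcmp("proxy_protocol_v2", journal_dir)`, so a journal directory literally named that can no longer be used) and that the receiving server must be configured to expect a PROXY v2 header on every proxied connection; a receiver that is not will read the 16-byte binary preamble as the first bytes of the TLS stream. Suggested addition: "``proxy_protocol_v2`` is a reserved value. The receiver behind ``--port-share`` must be configured to accept the PROXY protocol (version 2) on that listener."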
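Review bot: in send_proxy_protocol_v2_header the short-write branch only warns: `if (status < (int) header_len)` logs M_WARN and the function returns, so when send() writes fewer than header_len bytes (or fails outright) the proxied TLS bytes follow a truncated header and the receiver cannot parse the stream at all. Either loop until the remaining bytes are written or report the failure to the caller so proxy_entry_new can tear the connection down instead of proceeding. Two smaller points in the same hunk: on the address family mismatch path, `dst.addr.sa.sa_family = src.addr.sa.sa_family;` relabels dst without changing its contents, so the later `memcpy(&header[20], &dst.addr.in4.sin_addr, 4)` (or the in6 equivalent) copies bytes from the wrong struct layout; zero dst, or fall back to AF_UNSPEC for the whole header, instead. And in the default case addr_fam is PP2_AF_UNSPEC while `proto` stays PP2_PROTO_STREAM, so `header[13] = (addr_fam << 4) | proto;` emits 0x01; the referenced spec lists 0x00 as the UNSPEC combination and a strict receiver may reject 0x01, so set proto to 0x0 whenever the family is UNSPEC.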
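Review bot: `if (0 == strcmp("proxy_protocol_v2", journal_dir))` re-parses the option string for every new connection inside the proxy process, and the sentinel string now lives both in the documentation and in this comparison. Resolving it once at option-parsing time into a mode flag, and rejecting it in the code path that expects a real directory, would leave this hunk as a plain mode check and keep the sentinel in one place. Also, send_proxy_protocol_v2_header is void, so a failed header send still reaches the `NEW CONNECTION` dmsg and the connection is kept; returning a bool here and closing the connection on false would avoid forwarding a stream the receiver can no longer parse.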
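The receiving side of the exchange the commit message describes, as an added example that is not part of this patch or of OpenVPN: a parser for the PROXY v2 header that a port-share receiver must consume before the first TLS byte. The three sample headers are constructed by hand (not captured traffic); the IPv4 one is byte for byte what the sender in the patch emits for a connection 203.0.113.7:51234 -> 198.51.100.9:1194, the IPv6 one carries a NOOP TLV after the addresses so the length-based skip is exercised, and the LOCAL one is what a health check sends. The only assumption is a POSIX sockets environment for inet_ntop.

```c
/* PROXY protocol v2 receiver-side parser: added example for this thread, NOT
 * part of the OpenVPN patch above. Assumes only POSIX sockets headers. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum pp2_status { PP2_OK = 0, PP2_NEED_MORE = 1, PP2_INVALID = -1 };

struct pp2_info {
    int family;                  /* AF_INET, AF_INET6 or AF_UNSPEC */
    int use_addrs;               /* 0 for LOCAL/UNSPEC: use the real socket addresses */
    char src[INET6_ADDRSTRLEN];
    char dst[INET6_ADDRSTRLEN];
    uint16_t src_port, dst_port; /* host byte order */
    size_t consumed;             /* header bytes to strip from the stream, TLVs included */
};

static const uint8_t PP2_SIG[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};

/* Constructed sample headers (not captured traffic). SAMPLE_V4 is what the
 * sender in the patch emits for 203.0.113.7:51234 -> 198.51.100.9:1194. */
static const uint8_t SAMPLE_V4[28] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x11, 0x00,0x0C,               /* v2 PROXY, TCP over IPv4, block length 12 */
    203,0,113,7, 198,51,100,9,           /* src addr, dst addr */
    0xC8,0x22, 0x04,0xAA                 /* src port 51234, dst port 1194 */
};
static const uint8_t SAMPLE_V6[56] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x21, 0x00,0x28,               /* v2 PROXY, TCP over IPv6, block length 40 */
    0x20,0x01,0x0D,0xB8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,   /* 2001:db8::1 */
    0x20,0x01,0x0D,0xB8, 0,0,0,0, 0,0,0,0, 0,0,0,0x02,   /* 2001:db8::2 */
    0x9C,0x40, 0x04,0xAA,                /* src port 40000, dst port 1194 */
    0x04, 0x00,0x01, 0x00                /* PP2_TYPE_NOOP TLV with one value byte */
};
static const uint8_t SAMPLE_LOCAL[16] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x20, 0x00, 0x00,0x00                /* v2 LOCAL (health check), empty block */
};

/* Parse the header at the start of buf. PP2_NEED_MORE: read more bytes and
 * retry; PP2_INVALID: not a v2 header, drop the connection; PP2_OK: done,
 * out->consumed bytes belong to the header and the payload starts after them. */
int pp2_parse(const uint8_t *buf, size_t len, struct pp2_info *out)
{
    if (len < 16) return PP2_NEED_MORE;
    if (memcmp(buf, PP2_SIG, sizeof(PP2_SIG)) != 0) return PP2_INVALID;
    if ((buf[12] >> 4) != 0x2) return PP2_INVALID;        /* version must be 2 */
    uint8_t cmd = buf[12] & 0x0F;
    uint8_t fam = buf[13] >> 4, proto = buf[13] & 0x0F;
    size_t addr_len = ((size_t)buf[14] << 8) | buf[15];   /* network byte order */
    if (len < 16 + addr_len) return PP2_NEED_MORE;

    memset(out, 0, sizeof(*out));
    out->family = AF_UNSPEC;
    out->consumed = 16 + addr_len;                         /* also skips trailing TLVs */
    if (cmd == 0x0) return PP2_OK;                         /* LOCAL: ignore address block */
    if (cmd != 0x1) return PP2_INVALID;                    /* only PROXY is defined */
    if (fam > 0x3 || proto > 0x2) return PP2_INVALID;      /* reserved values */

    const uint8_t *a = buf + 16;
    if (fam == 0x1 && proto == 0x1) {                      /* TCP over IPv4 */
        if (addr_len < 12) return PP2_INVALID;
        out->family = AF_INET;
        inet_ntop(AF_INET, a, out->src, sizeof(out->src));
        inet_ntop(AF_INET, a + 4, out->dst, sizeof(out->dst));
        out->src_port = (uint16_t)((a[8] << 8) | a[9]);
        out->dst_port = (uint16_t)((a[10] << 8) | a[11]);
        out->use_addrs = 1;
    } else if (fam == 0x2 && proto == 0x1) {               /* TCP over IPv6 */
        if (addr_len < 36) return PP2_INVALID;
        out->family = AF_INET6;
        inet_ntop(AF_INET6, a, out->src, sizeof(out->src));
        inet_ntop(AF_INET6, a + 16, out->dst, sizeof(out->dst));
        out->src_port = (uint16_t)((a[32] << 8) | a[33]);
        out->dst_port = (uint16_t)((a[34] << 8) | a[35]);
        out->use_addrs = 1;
    }
    /* UNSPEC, UDP and UNIX combinations fall back to UNSPEC, as the spec allows. */
    return PP2_OK;
}

int main(void)
{
    struct pp2_info info;
    if (pp2_parse(SAMPLE_V4, sizeof(SAMPLE_V4), &info) == PP2_OK && info.use_addrs)
        printf("client %s:%u -> %s:%u, payload starts at byte %zu\n",
               info.src, info.src_port, info.dst, info.dst_port, info.consumed);
    if (pp2_parse(SAMPLE_V4, 20, &info) == PP2_NEED_MORE)
        printf("20 bytes: header incomplete, keep reading\n");
    return 0;
}
```

A receiver calls pp2_parse on the first bytes of every accepted connection and keeps reading while it returns PP2_NEED_MORE; on PP2_OK it drops the first consumed bytes and treats the rest as the TLS stream, and on PP2_INVALID it closes the socket. Because the header cannot be negotiated, the listener has to know in advance that it is behind a PROXY sender, which is why the receiver configuration deserves a mention in the man page change.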