From patchwork Thu Jan 16 06:27:14 2025
X-Patchwork-Submitter: Qingfang Deng
X-Patchwork-Id: 4062
From: Qingfang Deng
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jan 2025 14:27:14 +0800
Message-ID: <20250116062714.336410-1-dqfext@gmail.com>
X-Mailer: git-send-email 2.43.0
Subject: [Openvpn-devel] [PATCH] dco: fix source IP selection

When multihome option is enabled, OpenVPN passes ipi_addr to DCO, which
is always 0.0.0.0. It should use ipi_spec_dst instead.
When local option is present, OpenVPN does not pass it to DCO. As a
result, Linux may pick a different IP as the source IP, breaking the
connection.

Signed-off-by: Qingfang Deng
---
Discussions: https://github.com/OpenVPN/openvpn/pull/668

 src/openvpn/dco.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index b5a21369..f2cff0e4 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -493,6 +493,7 @@ dco_p2p_add_new_peer(struct context *c) ASSERT(sock->info.connection_established); struct sockaddr *remoteaddr = &sock->info.lsa->actual.dest.addr.sa; + struct sockaddr *localaddr = NULL; struct tls_multi *multi = c->c2.tls_multi; #ifdef TARGET_FREEBSD /* In Linux in P2P mode the kernel automatically removes an existing peer @@ -503,8 +504,11 @@ dco_p2p_add_new_peer(struct context *c) c->c2.tls_multi->dco_peer_id = -1; } #endif + if (sock->bind_local && sock->info.lsa->bind_local) + localaddr = sock->info.lsa->bind_local->ai_addr; + int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id, - c->c2.link_sockets[0]->sd, NULL, remoteaddr, NULL, NULL); + c->c2.link_sockets[0]->sd, localaddr, remoteaddr, NULL, NULL); if (ret < 0) { return ret; @@ -550,7 +554,7 @@ dco_multi_get_localaddr(struct multi_context *m, struct multi_instance *mi, { struct sockaddr_in *sock_in4 = (struct sockaddr_in *)local; #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) - sock_in4->sin_addr = actual->pi.in4.ipi_addr; + sock_in4->sin_addr = actual->pi.in4.ipi_spec_dst; #elif defined(IP_RECVDSTADDR) sock_in4->sin_addr = actual->pi.in4; #else @@ -616,10 +620,15 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) vpn_addr6 = &c->c2.push_ifconfig_ipv6_local; } + struct link_socket *ls = c->c2.link_sockets[0]; if (dco_multi_get_localaddr(m, mi, &local)) { localaddr = (struct sockaddr *)&local; } + else if (ls->bind_local && ls->info.lsa->bind_local) + { + localaddr = ls->info.lsa->bind_local->ai_addr; + } int ret = dco_new_peer(&c->c1.tuntap->dco, peer_id, sd, localaddr, remoteaddr, vpn_addr4, vpn_addr6);
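Review bot: the new `if (sock->bind_local && sock->info.lsa->bind_local)` in the @@ -503 hunk has an unbraced single-statement body, while the rest of this function (`if (ret < 0) {` right below it) and the `else if` added in the @@ -616 hunk of this same patch put braces on their own lines around every conditional body; wrap `localaddr = sock->info.lsa->bind_local->ai_addr;` in `{ ... }` to match. A one-line comment saying that `localaddr` stays NULL (so the kernel chooses the source address) unless `--local` was configured would also spare the next reader a trip to the commit message.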
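Review bot: the `ipi_addr` to `ipi_spec_dst` change in `dco_multi_get_localaddr` (@@ -550 hunk) carries no comment, and under the `#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)` guard the two fields look interchangeable to anyone who has not read the commit message. Put the reasoning next to the assignment, for example `/* with --multihome ipi_addr is always 0.0.0.0; ipi_spec_dst holds the local address */`, so the line is not "fixed back" later. It is also worth confirming in review whether any other reader of `actual->pi.in4` in the tree still relies on `ipi_addr` for the same purpose.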
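Review bot: in the @@ -616 hunk `ls` is hard-wired to `c->c2.link_sockets[0]`, but the descriptor passed to `dco_new_peer` is the separate `sd` variable; if `sd` can belong to a different link socket (a server configured with more than one `--local`), the bind address taken from `ls->info.lsa->bind_local->ai_addr` would not be the address of the socket this peer is actually on. Derive `ls` from the same socket `sd` came from, or add a comment stating why index 0 is always correct here; the P2P hunk makes the same `[0]` assumption when it pairs `localaddr` (from `sock`) with `c->c2.link_sockets[0]->sd`.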