From patchwork Mon Sep 8 08:11:18 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4397
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 8 Sep 2025 10:11:18 +0200
Message-ID: <20250908081124.17933-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] dco: backport OS-independent part of peer float support

From: Ralf Lici

This is a backport of commit cb8a0f6f5741d102b667d98370ab4d553503d0b5, which introduces float support for DCO linux, Windows, and the OS-independent parts. DCO linux/windows in 2.6 has no float support kernel-side, so this ignores all OS dependent parts, backporting just enough to add FreeBSD support in the next patch.

One notable difference in the backport is that 2.6 has no multi-socket support, so all the "link_sockets[0]" occurrences need to be changed back to "link_socket".

Change-Id: Ib748e726eb84dcbe8a48b297d165dec80c0e578d
Signed-off-by: Ralf Lici
Signed-off-by: Gert Doering Acked-by: Ralf Lici (cherry picked from commit cb8a0f6f5741d102b667d98370ab4d553503d0b5) --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1169 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Ralf Lici diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0f2ec07..ab5ebda 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1234,6 +1234,41 @@ perf_pop(); } +void +extract_dco_float_peer_addr(const sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa) +{ + if (float_sa->sa_family == AF_INET) + { + struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; + /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a + * dual-stack socket, we need to preserve the mapping otherwise openvpn + * will not be able to find the peer by its transport address. + */ + if (socket_family == AF_INET6) + { + out_osaddr->addr.in6.sin6_family = AF_INET6; + out_osaddr->addr.in6.sin6_port = float4->sin_port; + + memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10); + out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff; + out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff; + memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], + &float4->sin_addr.s_addr, sizeof(in_addr_t)); + } + else + { + memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); + } + } + else + { + struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; + memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); + } +} + static void process_incoming_dco(struct context *c) { diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 245a802..3d0abd5 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
@@ -189,6 +189,21 @@ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); /** + * Transfers \c float_sa data extracted from an incoming DCO + * PEER_FLOAT_NTF to \c out_osaddr for later processing. + * + * @param socket_family - The address family of the socket + * @param out_osaddr - openvpn_sockaddr struct that will be filled the new + * address data + * @param float_sa - The sockaddr struct containing the data received from the + * DCO notification + */ +void +extract_dco_float_peer_addr(sa_family_t socket_family, + struct openvpn_sockaddr *out_osaddr, + const struct sockaddr *float_sa); + +/** * Write a packet to the external network interface. * @ingroup external_multiplexer * diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 199f655..eb5f932 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3169,6 +3169,18 @@ goto done; } + /* It doesn't make sense to let a peer float to the address it already + * has, so we disallow it. This can happen if a DCO netlink notification + * gets lost and we miss a floating step. + */ + if (m1->peer_id == m2->peer_id) + { + msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to " + "its own address (%s)", + m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false), + mroute_addr_print(&mi->real, &gc)); + goto done; + } msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc)); multi_close_instance(m, ex_mi, false); } 
@@ -3301,6 +3313,17 @@ { process_incoming_del_peer(m, mi, dco); } +#if 0 + else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) + { + ASSERT(mi->context.c2.link_socket); + extract_dco_float_peer_addr(mi->context.c2.link_socket->info.af, + &m->top.c2.from.dest, + (struct sockaddr *)&dco->dco_float_peer_ss); + multi_process_float(m, mi); + CLEAR(dco->dco_float_peer_ss); + } +#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) { tls_session_soft_reset(mi->context.c2.tls_multi);
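Review bot: in the forward.c hunk, extract_dco_float_peer_addr() casts away the const on float_sa ("(struct sockaddr_in *)float_sa" and "(struct sockaddr_in6 *)float_sa") although neither branch writes through the pointer; "const struct sockaddr_in *float4" / "const struct sockaddr_in6 *float6" keeps the function honest about its contract. Two smaller points in the same hunk: the final else treats every non-AF_INET family as AF_INET6 without checking, so an unexpected sa_family would be copied as IPv6 rather than rejected (an "else if (float_sa->sa_family == AF_INET6)" with an ASSERT or M_WARN fallback makes that explicit), and the IPv4-mapped branch writes only sin6_family, sin6_port and sin6_addr, leaving sin6_flowinfo and sin6_scope_id with whatever out_osaddr held before; a CLEAR(out_osaddr->addr.in6) at the top of that branch avoids stale fields if the address is later compared bytewise.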
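Review bot: in the forward.h hunk the doc comment for out_osaddr reads "openvpn_sockaddr struct that will be filled the new address data"; it is missing "with" ("that will be filled with the new address data"). Also, the prototype declares "sa_family_t socket_family" while the forward.c definition uses "const sa_family_t socket_family"; harmless in C, but keeping the two signatures identical avoids a confusing mismatch.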
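Review bot: in the first multi.c hunk the new comment attributes the self-float case to a lost DCO netlink notification, but the DCO call to multi_process_float() that this patch adds in the second multi.c hunk sits inside "#if 0", so on release/2.6 this check cannot be reached from a DCO notification until the FreeBSD patch enables that path; a sentence in the comment or the commit message saying so would spare 2.6 readers a search for a netlink path that is not compiled. Also, m1 and m2 are not introduced in the visible lines; a short note on what they refer to (the tls_multi of mi and of ex_mi, if that is the case) would make the peer_id comparison self-explanatory.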
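Review bot: in the second multi.c hunk the "#endif" is annotated "/* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */" but the matching directive is "#if 0"; the trailing comment was evidently carried over from the upstream commit and now misdescribes the condition. Since the commit message says the OS-dependent parts are deliberately left out because 2.6 DCO has no float support kernel-side, make the "#if 0" say so (for example "#if 0 /* enabled by the FreeBSD DCO float patch */" with "#endif /* 0 */"), or drop the block from this backport and add it together with the patch that turns it on, so 2.6 does not carry dead code referencing OVPN_CMD_FLOAT_PEER and dco_float_peer_ss with a misleading guard.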