From patchwork Sun Nov 9 08:42:31 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4574
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 9 Nov 2025 09:42:31 +0100
Message-ID: <20251109084238.11581-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v4] FreeBSD DCO: repair --inactive

--inactive on DCO requires a working DCO counters query function (dco_get_peer_stats(), implemented in the previous commit) and that the DCO implementation in use fills the "tun_{read,write}_bytes" fields for the peer context.

FreeBSD DCO only fills the "dco_{read,write}_bytes" counters - which is something we can't fix in OpenVPN, this needs kernel enhancements.

So, to make the feature (mostly) work, check the other set of counters on FreeBSD.
Caveat: this will count encryption overhead and keepalives, so it will still not work for `--inactive ` without a byte count, or for byte counts with too tight thresholds. Adding the #ifdef to forward.c was considered the least bad alternative. v2: fix rst syntax for manpage addition Github: OpenVPN/openvpn#898 Change-Id: I48c877843d24144450af1282b7524bb3ba18232e Signed-off-by: Gert Doering Acked-by: Ralf Lici Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1351 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1351 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Ralf Lici diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index 0aee9e2..e8523d9 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -274,6 +274,11 @@ counted as traffic, as they are used internally by OpenVPN and are not an indication of actual user activity. + NOTE: on FreeBSD with DCO, due to platform limits, the previous paragraph + is not correct. In that case, encapsulation overhead and keepalives are + counted, so using this feature needs a sufficiently-high ``bytes`` value to + take these extra numbers into account. + --proto-force p When iterating through connection profiles, only consider profiles using protocol ``p`` (:code:`tcp` \| :code:`udp`). diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 5bbac13..c355f66 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -476,13 +476,20 @@ * and the logic needs to change - we permit the event to trigger and check * kernel DCO counters here, returning and rearming the timer if there was * sufficient traffic. + * + * NOTE: FreeBSD DCO does not supply "tun bytes" (= decrypted payload) today, + * so "dco bytes" (encrypted bytes, including keepalives) is used instead */ static void check_inactivity_timeout(struct context *c) { if (dco_enabled(&c->options) && dco_get_peer_stats(c, true) == 0) { +#ifdef TARGET_FREEBSD + int64_t tot_bytes = c->c2.dco_read_bytes + c->c2.dco_write_bytes; +#else int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes; +#endif int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes; if (new_bytes > c->options.inactivity_minimum_bytes)
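Review bot: The NOTE added to doc/man-sections/client-options.rst only asks for a "sufficiently-high ``bytes`` value" and leaves out the case the commit message calls out as still broken, namely --inactive used without a byte count. Since keepalives are counted on FreeBSD DCO, an operator who relies on the time-only form as an idle-session cutoff has no way to learn from the manpage that it will not work there. Suggest saying so explicitly in the NOTE, and replacing "due to platform limits" with the concrete reason given in the commit message (FreeBSD DCO only fills the dco_{read,write}_bytes counters), so readers know the restriction lasts until the kernel side changes.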
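Review bot: In check_inactivity_timeout() in src/openvpn/forward.c, the counter set is chosen at compile time by "#ifdef TARGET_FREEBSD", so the behaviour difference is silent at runtime: nothing in the visible lines tells an operator that "dco bytes" (encrypted bytes plus keepalives) are being compared against inactivity_minimum_bytes. Because --inactive is commonly used to drop idle sessions, consider logging a one-time warning when the option is active on FreeBSD DCO, or at least when it is configured without a byte count. The new comment says FreeBSD DCO does not supply "tun bytes" "today"; it would help to extend it with the condition under which the #ifdef can be removed, since the compile-time switch will keep using the dco counters even after a kernel that fills tun_{read,write}_bytes is available.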