From patchwork Thu Dec 11 10:59:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4677 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:8508:b0:7b1:439f:bdf with SMTP id w8csp750086max; Thu, 11 Dec 2025 03:00:19 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCUpg7A0RRAtAZcRiispLt47WG2nakq7wEFt2V1a2yBikZY0MgUUJMNJR9JyjdcijErquRyYe0njgDQ=@openvpn.net X-Google-Smtp-Source: AGHT+IE7PFvd95l0FfNAbvyQHtmVtirkGn6MEyQD2IwYRhC8g+ovXMtZeezLE/m9vvbOG2VVWmxp X-Received: by 2002:a05:6808:4f62:b0:438:40c3:8765 with SMTP id 5614622812f47-455860ebc75mr3041824b6e.0.1765450819455; Thu, 11 Dec 2025 03:00:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1765450819; cv=none; d=google.com; s=arc-20240605; b=Rp/CMiNdmgVunMDoksrDC5xUeROaDRP1nUKUJleaV99MKcId5yw1fw0uUd1W0SIMfo 0dQBu7MJCaKs0TkEppCVvBkUNSGIpa/BE50iRD9gRefHfDHP0dJZCQpO50NJN5+EC8nA 3sAIunndW9i77V5oxNHkVbgUd7V6jjkk9WKgw86R8xQnb6GcmmKbOspBjF4tc7jVO/wG /MtU82LrcoX4qIywagXptqEiX1c+kMvqEiJU87POiNNE58KBWWojM9avRA36D2r4QAIu 8d4s4eBtPjg5PBCbOEppRMRXYHlbK4Bt8KuNYy3f/ryy1EE1/4AVp6Tqjdd7oh/X9933 P6fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=9XHG6J0nEtr8VHC3HCvIcegJdiQ64WYgtwPH+1TOxmc=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=ZRNvK7r4xDhEalJ7baUjr0vz+QBLr/3o5W/0Cs8lsipbzFAIrpVNNPw+eVLP0VRbi4 S0+0sKoOc+EF0FOpsrNZBBwdb/07yZRf8qXzgoP2sZjmYLcbMd754/CIqimbI9+dJTvn 93kUn6CRGHbsWRg8JrImWufZOfuKlmoHb77K5EAfnW1/45sBvowwv5gy5Y3PTCPCabJd TUT9qGyEMVk8QfIPi4ad1GzINpwVyz0myuCGIzS3u/p8PsDpAUX63yxBkD3rhso6yAC7 Z7Y5urZCCe5st/oWkDVS+WfYY8ExfOdVXuv4Vrl35ULJYndvfXFQCGSd37Np93Z12SHr izmw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=G3sRqzAb; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=dpc0S4Fa; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=C+j2y6kL; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5614622812f47-45598dc3163si1071530b6e.112.2025.12.11.03.00.19 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Dec 2025 03:00:19 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=G3sRqzAb; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=dpc0S4Fa; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=C+j2y6kL; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=9XHG6J0nEtr8VHC3HCvIcegJdiQ64WYgtwPH+1TOxmc=; b=G3sRqzAbqeWJUODEQ8kljXfkUw /Ch/Czb9wdrQv9ShbY0YcpnHvEv7fs7uT+zBdnmmeOvGMHnMR3mpWd9aACnDiIoV1PaJKYNvMb8xJ CXsgbvMZG/iGvxhpm+WHO5YpsmEPa8PV34tldAOnAGjvPlVxvzmHgWfKsFDJsrQdAo3I=; Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1vTeP7-0004qi-8a; Thu, 11 Dec 2025 11:00:13 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1vTeP5-0004qb-Jy for openvpn-devel@lists.sourceforge.net; Thu, 11 Dec 2025 11:00:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=E7ZY4UCkwxS9mH1RIw8pb6n2qxdCl0fDm67Lg0i54Ug=; b=dpc0S4FaRPIzHjU2K8Cj1on8RF XUviRQ4r5bd9P3Noa6rv11RMrrvgg9UsEZ7jMXqno9oCC6si9AaePpsvs0QDMvS9SByuy59OuqxKQ Ik9bRj8h6FlxBAwsG8/s4fDN5DoA0rTGCtNdVQpylVQm9YtyS7NanJT7KM8VR+QdRbLk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=E7ZY4UCkwxS9mH1RIw8pb6n2qxdCl0fDm67Lg0i54Ug=; b=C+j2y6kLjhbnhwh7JAcHTGpqqI hI/ifF1Outr55Tz7zKHNlmLOr0DNOTgQVfw10ZtKqyLb0j8jqChp21mR2EnhJpptLdFivMcOLErHg 3uIDtY886mITmZgCGwKGZ0FocO1GREtweQ0w1suxlCT8iMxYg6vyo+eF+OrJ8DHYKkUk=; Received: from [193.149.48.134] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1vTeP3-000766-MO for openvpn-devel@lists.sourceforge.net; Thu, 11 Dec 2025 11:00:11 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 5BBAxvQH022813 for ; Thu, 11 Dec 2025 11:59:57 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 5BBAxvpW022812 for openvpn-devel@lists.sourceforge.net; Thu, 11 Dec 2025 11:59:57 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Thu, 11 Dec 2025 11:59:51 +0100 Message-ID: <20251211105956.22789-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.51.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Gianmarco De Gregori Recent changes to the event loop revealed that the --fast-io option is now partially broken and may cause "unroutable control packet" issues. As agreed during the last hackathon, this patch turns --fast-io into a no-op and emits a warning when it is used. Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [193.149.48.134 listed in list.dnswl.org] 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1vTeP3-000766-MO Subject: [Openvpn-devel] [PATCH v6] Deprecate --fast-io option X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1851045716563350198?= X-GMAIL-MSGID: =?utf-8?q?1851209358161913444?= From: Gianmarco De Gregori Recent changes to the event loop revealed that the --fast-io option is now partially broken and may cause "unroutable control packet" issues. As agreed during the last hackathon, this patch turns --fast-io into a no-op and emits a warning when it is used. Additionally, the MPP_CONDITIONAL_PRE_SELECT flag has been removed as it was part of the same code path and no longer needed. Change-Id: I2c0a0b55ad56e704d4bd19f1fbc1c30c83fae14c Signed-off-by: Gianmarco De Gregori Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1425 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1425 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 882cf28..a9232ce 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -211,18 +211,6 @@ ``--show-engines`` standalone option to list the crypto engines which are supported by OpenSSL. ---fast-io - Optimize TUN/TAP/UDP I/O writes by avoiding a call to - poll/epoll/select prior to the write operation. The purpose of such a - call would normally be to block until the device or socket is ready to - accept the write. Such blocking is unnecessary on some platforms which - don't support write blocking on UDP sockets or TUN/TAP devices. In such - cases, one can optimize the event loop by avoiding the poll/epoll/select - call, improving CPU efficiency by 5% to 10%. - - This option can only be used on non-Windows systems, when ``--proto - udp`` is specified, and when ``--shaper`` is *NOT* specified. - --group group Similar to the ``--user`` option, this option changes the group ID of the OpenVPN process to ``group`` after initialization. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index b646991..f1332f3 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -9,6 +9,10 @@ Removed in OpenVPN 2.5. This should be replaced with ``--verify-client-cert none``. +--fast-io + Ignored since OpenVPN 2.7. This option became broken due to changes + to the event loop. + --http-proxy-retry Removed in OpenVPN 2.4. All retries are controlled by ``--max-connect-retry``. diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 913fb92..492e667 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -2154,13 +2154,12 @@ } /* - * Wait for I/O events. Used for both TCP & UDP sockets - * in point-to-point mode and for UDP sockets in + * Wait for I/O events. Used for UDP sockets in * point-to-multipoint mode. */ void -get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags) +get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags) { unsigned int out_socket; @@ -2168,33 +2167,12 @@ multi_io->udp_flags = (out_socket << SOCKET_SHIFT); } +/* + * This is the core I/O wait function, used for all I/O waits except + * for the top-level server sockets. + */ void -get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags) -{ - multi_io->udp_flags = ES_ERROR; - if (c->c2.fast_io && (flags & (IOW_TO_TUN | IOW_TO_LINK | IOW_MBUF))) - { - /* fast path -- only for TUN/TAP/UDP writes */ - unsigned int ret = 0; - if (flags & IOW_TO_TUN) - { - ret |= TUN_WRITE; - } - if (flags & (IOW_TO_LINK | IOW_MBUF)) - { - ret |= SOCKET_WRITE; - } - multi_io->udp_flags = ret; - } - else - { - /* slow path - delegate to io_wait_dowork_udp to calculate flags */ - get_io_flags_dowork_udp(c, multi_io, flags); - } -} - -void -io_wait_dowork(struct context *c, const unsigned int flags) +io_wait(struct context *c, const unsigned int flags) { unsigned int out_socket; unsigned int out_tuntap; diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 06808b9..7f6f666 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -68,12 +68,9 @@ extern counter_type link_write_bytes_global; -void get_io_flags_dowork_udp(struct context *c, struct multi_io *multi_io, - const unsigned int flags); - void get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned int flags); -void io_wait_dowork(struct context *c, const unsigned int flags); +void io_wait(struct context *c, const unsigned int flags); void pre_select(struct context *c); @@ -382,34 +379,6 @@ return flags; } -/* - * This is the core I/O wait function, used for all I/O waits except - * for the top-level server sockets. - */ -static inline void -io_wait(struct context *c, const unsigned int flags) -{ - if (proto_is_dgram(c->c2.link_sockets[0]->info.proto) && c->c2.fast_io - && (flags & (IOW_TO_TUN | IOW_TO_LINK | IOW_MBUF))) - { - /* fast path -- only for TUN/TAP/UDP writes */ - unsigned int ret = 0; - if (flags & IOW_TO_TUN) - { - ret |= TUN_WRITE; - } - if (flags & (IOW_TO_LINK | IOW_MBUF)) - { - ret |= SOCKET_WRITE; - } - c->c2.event_set_status = ret; - } - else - { - /* slow path */ - io_wait_dowork(c, flags); - } -} static inline bool connection_established(struct context *c) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index fc079e1..cd01520 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -4139,34 +4139,6 @@ } } -/* - * Fast I/O setup. Fast I/O is an optimization which only works - * if all of the following are true: - * - * (1) The platform is not Windows - * (2) --proto udp is enabled - * (3) --shaper is disabled - */ -static void -do_setup_fast_io(struct context *c) -{ - if (c->options.fast_io) - { -#ifdef _WIN32 - msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); -#else - if (c->options.shaper) - { - msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); - } - else - { - c->c2.fast_io = true; - } -#endif - } -} - static void do_signal_on_tls_errors(struct context *c) { @@ -4513,12 +4485,6 @@ } #endif - /* should we enable fast I/O? */ - if (c->mode == CM_P2P || c->mode == CM_TOP) - { - do_setup_fast_io(c); - } - /* should we throw a signal on TLS errors? */ do_signal_on_tls_errors(c); diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 5de3af6..92d4dda 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -339,9 +339,7 @@ multi_process_io_udp(struct multi_context *m, struct link_socket *sock) { const unsigned int status = m->multi_io->udp_flags; - const unsigned int mpp_flags = m->top.c2.fast_io - ? (MPP_CONDITIONAL_PRE_SELECT | MPP_CLOSE_ON_SIGNAL) - : (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL); + const unsigned int mpp_flags = (MPP_PRE_SELECT | MPP_CLOSE_ON_SIGNAL); /* UDP port ready to accept write */ if (status & SOCKET_WRITE) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 153695c..d2d9ba8e 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3008,8 +3008,7 @@ bool ret = true; if (!IS_SIG(&mi->context) - && ((flags & MPP_PRE_SELECT) - || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context)))) + && ((flags & MPP_PRE_SELECT))) { #if defined(ENABLE_ASYNC_PUSH) bool was_unauthenticated = true; diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index a44f9f2..1209dfb 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -271,10 +271,9 @@ bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags); -#define MPP_PRE_SELECT (1 << 0) -#define MPP_CONDITIONAL_PRE_SELECT (1 << 1) -#define MPP_CLOSE_ON_SIGNAL (1 << 2) -#define MPP_RECORD_TOUCH (1 << 3) +#define MPP_PRE_SELECT (1 << 0) +#define MPP_CLOSE_ON_SIGNAL (1 << 1) +#define MPP_RECORD_TOUCH (1 << 2) /**************************************************************************/ diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index a198fcf..3e1ae78 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -420,9 +420,6 @@ struct env_set *es; bool es_owned; - /* don't wait for TUN/TAP/UDP to be ready to accept write */ - bool fast_io; - /* --ifconfig endpoints to be pushed to client */ bool push_request_received; bool push_ifconfig_defined; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2d1f740..d01ec47 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -285,7 +285,6 @@ #if ENABLE_IP_PKTINFO "--multihome : Configure a multi-homed UDP server.\n" #endif - "--fast-io : Optimize TUN/TAP/UDP writes.\n" "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n" "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" @@ -1795,8 +1794,6 @@ #endif SHOW_INT(sockflags); - SHOW_BOOL(fast_io); - SHOW_INT(comp.alg); SHOW_INT(comp.flags); @@ -6592,7 +6589,7 @@ else if (streq(p[0], "fast-io") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - options->fast_io = true; + msg(M_WARN, "DEPRECATED OPTION: --fast-io option ignored."); } else if (streq(p[0], "inactive") && p[1] && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index d331033..555d9dd 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -406,9 +406,6 @@ int status_file_version; int status_file_update_freq; - /* optimize TUN/TAP/UDP writes */ - bool fast_io; - struct compress_options comp; /* buffer sizes */