From patchwork Wed Jan 14 11:23:49 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4705
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 14 Jan 2026 12:23:49 +0100
Message-ID: <20260114112403.7046-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v2] Repair interaction between DCO and persist-tun after reconnection

When --persist-tun is active, openvpn userland on Linux and FreeBSD
fails to re-enable "poll for DCO events" after a reconnect (e.g.
triggered by a ping timeout).

The reconnect will still work fine, but the *next* DCO event
notification from the kernel will not be received by OpenVPN userland,
and so the system will get into an inconsistent state (Userland assumes
"all is well", kernel DCO has disconnected the peer, connection is
broken until the next tls-renegotiation and/or manual restart, *and*
the next DCO key setup might fail due to "peer id gone").

This only affects client side, --server tun is always "persistent",
and there is no "full restart" (and the code path in question is also
only used for client and p2p server).

The root cause is an incorrect check for "is this interface up?" when
calling dco_event_set() in forward.c::io_wait() - "c2.did_open_tun" is
only true if the tun interface was actually configured on this
reconnect, which it isn't if --persist-tun is active. Replace with a
check for "do we have a tuntap structure, and if yes, do we have active
DCO?" which reflects the original intent much better.

The original code also had a check for "out_socket & EVENT_READ" there,
which did to some extent avoid calling dco_event_set() for every single
UDP packet sent and received by userland - but this only worked on
initial connection, and is always true on reconnect, so this condition
was removed for simplicity. We should come back here...

v2:
- some language fixes on the commit message
- do not check ->dco.open in forward.c, as this is not available if not
  on FreeBSD, or if compiled with --disable-dco. FreeBSD DCO does the
  "if (!dco || !dco->open)" check in dco_event_set() anyway, so it's
  not needed, and Linux DCO has "dco->nl_sock", which is also reliably
  set/unset, and checked by dco_event_set() already.

Github: OpenVPN/openvpn#947
Change-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5
Signed-off-by: Gert Doering Acked-by: Antonio Quartulli Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473 This mail reflects revision 2 of this Change. Signed-off-by line for the author was added as per our policy. Acked-by according to Gerrit (reflected above): Antonio Quartulli diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index d208c21..39ac3b3 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -2197,7 +2197,7 @@ multi_io_process_flags(c, c->c2.event_set, flags, &out_socket, &out_tuntap); #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) - if (out_socket & EVENT_READ && c->c2.did_open_tun) + if (c->c1.tuntap) { dco_event_set(&c->c1.tuntap->dco, c->c2.event_set, (void *)dco_shift); }
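Review bot: the new `if (c->c1.tuntap)` test in the forward.c hunk needs a comment, because its safety depends on behaviour that lives outside this hunk. With `out_socket & EVENT_READ` and `c->c2.did_open_tun` both gone, dco_event_set() is reached on every pass through this code whenever a tuntap structure exists, including when DCO is not in use, so the call relies entirely on dco_event_set() returning early when DCO is inactive (the commit message names the `!dco || !dco->open` check on FreeBSD and `dco->nl_sock` on Linux). Please state that dependency above the `if`, note that did_open_tun is deliberately not used because it is not true on a --persist-tun reconnect, and turn the commit message's "We should come back here..." into a TODO at this spot about the per-packet call, so the follow-up stays visible to anyone reading forward.c without the commit log.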