From patchwork Thu May 28 14:53:58 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marco Baffo <marco@mandelbit.com>
X-Patchwork-Id: 4988
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:4ec9:b0:861:c897:cb9d with SMTP id i9csp1109646mas;
        Thu, 28 May 2026 07:54:40 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AFNElJ/UbjIqdOL/H+diQpP/CpR0mMfwvc72Vf4VEGBZyu0VEpmTsFiKWfQaKiSQAZOpr/HZCN9Slh8OqyM=@openvpn.net
X-Received: by 2002:a05:6820:5618:10b0:69d:9111:3eeb with SMTP id
 006d021491bc7-69d91114387mr9981196eaf.20.1779980080583;
        Thu, 28 May 2026 07:54:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779980080; cv=none;
        d=google.com; s=arc-20240605;
        b=glRLXduUdXeTrXdL+Xe38TvF7r+9pesthWTViP2Qmeu96bp6xeUJ30wvDEN7kfWVWw
         ZtwcUC/Jqru/THUSyJArz7K4k/MW3dYgKuRvssyw1MizcChFKiw3wBskWxIRhivnv0qu
         c0IZ3BWP4RM/WfeY/zUnYtobbDPF1HJKOxAggZx96JC7E7bNxfwtuLqhH8GxnD/zt4cD
         aQZ7BTPfERfk2QUAV2gNzUVFnKlu3sQiIeZXB9ab2d9N72f73EZRI3KOpjTdbSzI/Eis
         OiWl1TlWcaqX3+GLSxO2tq+3FyUNVaJx3y0/NwiA2l/ZqeFemp3GfmwvDBV4HrePfMpK
         HdNw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature:dkim-signature;
        bh=E4tTavCOtbyWiYNNb8bN1wy/Wwe/zOTdAmtFquXoqkA=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=eJ//YdA3Z+8NszBj32SZE7IrbmVKhk2q9Oggni8Mw/aOWbH4mXrubaDrUj1/W0kXWG
         n20ZJNM18N63PjgtKmu6jmMoAfNtWEp8AxJ0us9sm5havqy1V23C0FApbXFjch8LWiWc
         X6gqJieh9nyR8f8Afu2u09xe1vpVTgY+4HH8BW9FUYCpiPSwCWM6hYIX//fiFOstc5M0
         U5matxEJVcnLLtQuyCyCXTqK6RHqiunTdXEhukdST7S1VkdVQC1loiR1qcbaAd3wzCq0
         +N0OhRBPcLxa7OIcgsMYELvn8az+lIySIeomK5KpPskxIPCRnLPhzPK01cunnZDFDTBQ
         4BsQ==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=KeSNJQAA;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=XHT3yZsl;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=R6bZ7utm;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=MBO0001 header.b=bimOY2ny;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 006d021491bc7-69d887002a1si10556927eaf.15.2026.05.28.07.54.40
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 28 May 2026 07:54:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=KeSNJQAA;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=XHT3yZsl;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=R6bZ7utm;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=MBO0001 header.b=bimOY2ny;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:
	List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
	Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
	Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=E4tTavCOtbyWiYNNb8bN1wy/Wwe/zOTdAmtFquXoqkA=; b=KeSNJQAA2/AGBU/nhB/HYSuzuW
	rfECduj5PZitmvL0C1eGw6B/lZKed4sZtHsaG+gdHAnnHHv4kiSBTDjEVEEZBA2vFluxLmEf4WM/n
	LhaiTMaz2LnEjtUc+JAhmrki69sfxqPm6Ila259QqvnsndvCoLUAxB0h/bezCaJVfm+8=;
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com)
	by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1wSc80-0001hF-8M;
	Thu, 28 May 2026 14:54:32 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
 by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <marco@mandelbit.com>) id 1wSc7z-0001h7-HC
 for openvpn-devel@lists.sourceforge.net;
 Thu, 28 May 2026 14:54:31 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=O8hPH+MZGEYjuptj3hqNkQTBcQrjxwP6b8gDkNxGoYk=; b=XHT3yZslD9HqIbpwwd3DmQrDdh
 0Qj+bc8AoZaSpGl+443X7m0bkWq+D1rd1TMJshzveyt5vGrDt6UiLr/JZFsOh9RLYUQRkw7Ic7rZm
 xZwobtd3SEWkUBugFsCwAQQm7DfBUtCxoFnPtskmnkHYAZ+V8Zj4LlagDlOlplVtkQ7U=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=O8hPH+MZGEYjuptj3hqNkQTBcQrjxwP6b8gDkNxGoYk=; b=R6bZ7utmxjDt5vTT8VhQ4Pa5ve
 eI9GV9C6ulZvvVBloWhFNSkMa27Oi8x2cqfHKATMDnQ6Eo9W+z9s47LQlRGCMTOS6+7ApBhkzf4zW
 GzbOstSTvKK7tDXTr8Pwd0R35xP41Rktyp168/+MQJPOToL6cugJTKd4x0pOzHzFz1Wc=;
Received: from mout-b-106.mailbox.org ([195.10.208.46])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1wSc7x-0005b7-Bu for openvpn-devel@lists.sourceforge.net;
 Thu, 28 May 2026 14:54:31 +0000
Received: from smtp1.mailbox.org (smtp1.mailbox.org
 [IPv6:2001:67c:2050:b231:465::1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mout-b-106.mailbox.org (Postfix) with ESMTPS id 4gR8dh6gXNzDsTv;
 Thu, 28 May 2026 16:54:16 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com;
 s=MBO0001; t=1779980056;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=O8hPH+MZGEYjuptj3hqNkQTBcQrjxwP6b8gDkNxGoYk=;
 b=bimOY2nyAimWcip7VBaIrqYTkakfUST35fEm6vtvMTtnoI2iFJ9pC1M97zpwahJ0u7kehu
 xBCpK2tfJzHZw52vCLFGA4KmhpfhnpwApfxCaKlWi4ESk1vzWcxgzkPp1g0DhF7NYDC/zx
 PiATuxF8PK63w3fdfei43MzBYfmrW64rhYhXeV1g05C6Jm/Gy476HMeNcyHSgchHSPR7Es
 eIDaR92RScEBSVWwoox7AzxZJojLQGkssxAbWUqYBiAKaagyOXEB/MrceAUF8iRwqpkt8F
 9jvEMHxIZpktYagMzbTnbId0qVTmORMWn15CVczEdoT6qY8jS8VU/f4iBLHnYQ==
Authentication-Results: outgoing_mbo_mout; dkim=none;
 spf=pass (outgoing_mbo_mout: domain of marco@mandelbit.com designates
 2001:67c:2050:b231:465::1 as permitted sender)
 smtp.mailfrom=marco@mandelbit.com
From: Marco Baffo <marco@mandelbit.com>
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 28 May 2026 16:53:58 +0200
Message-ID: <20260528145359.3815261-2-marco@mandelbit.com>
In-Reply-To: <20260528145359.3815261-1-marco@mandelbit.com>
References: <20260528145359.3815261-1-marco@mandelbit.com>
MIME-Version: 1.0
X-Rspamd-Queue-Id: 4gR8dh6gXNzDsTv
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "sfi-spamd-2.hosts.colo.sdot.me",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: The ovpn DCO driver currently drops all multicast/broadcast
 packets because it does not set IFF_MULTICAST and IFF_BROADCAST on the
 netdevice
 and always performs a unicast peer lookup in ovpn_net_xmit( [...]
 Content analysis details:   (-0.2 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily valid
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1wSc7x-0005b7-Bu
Subject: [Openvpn-devel] [RFC ovpn net-next v6 1/2] ovpn: add
 multicast/broadcast packet transmission support
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: 1866444393022445368
X-GMAIL-MSGID: 1866444393022445368

The ovpn DCO driver currently drops all multicast/broadcast packets
because it does not set IFF_MULTICAST and IFF_BROADCAST on the
netdevice and always performs a unicast peer lookup in ovpn_net_xmit().
This prevents multicast routing daemons such as smcroute from using an
ovpn interface as a multicast VIF and makes it impossible to
forward multicast and broadcast traffic to VPN clients.

Add the minimal infrastructure needed to get multicast/broadcast working:

- Set IFF_MULTICAST and IFF_BROADCAST in ovpn_setup().

- Detect multicast and broadcast destinations in ovpn_peer_get_by_dst()
  and set the bcast flag to true.

- Introduce ovpn_bcast_work() to transmit enqueued broadcast messages.

- Allow all IGMP/MLD packets to bypass the RPF check in the RX path.

Multicast traffic is treated as broadcast and flooded to all peers.

Signed-off-by: Marco Baffo <marco@mandelbit.com>
---

Changes in v6:
- Moved cancel_work_sync(&ovpn->bcast.work) and skb_queue_purge(&ovpn->bcast.queue)
  to ovp_priv_free() to avoid possibles race conditions with ovpn_net_xmit().

Changes in v5:
- Add cond_resched() to the broadcast worker loop so it yields when the
  queue still has more work.
- Switch broadcast drop accounting to the new ovpn_dev_dstats_tx_dropped()
  helper introduced by:
    0c0dddc07d27 ("ovpn: disable BHs when updating device stats")
- Wrap ovpn_send() with local_bh_disable()/local_bh_enable() in the
  broadcast worker, matching the pattern already used by the keepalive
  worker (ovpn_peer_keepalive_send()) to avoid sends concurrecy.

Changes in v4:
- Extend the v3 bh-protection for dev_dstats_tx_dropped() to the ovpn_send()
  failure path.
- Refactor ovpn_mcast_mld_offset() and ovpn_mcast_is_control() to use
  skb_header_pointer() instead of pskb_may_pull() + direct pointer
  access, avoiding to mutate the skb during read-only inspection.

Changes in v3:
- Guard dev_dstats_tx_dropped() in ovpn_bcast_work() with local_bh_disable()
  to avoid seqcount races with softirq updates to dev->dstats, matching
  ovpn_netdev_write().

Changes in v2:
- Replace broadcast path with a deferred workqueue, avoiding GFP_ATOMIC:
  introduce struct ovpn_bcast (queue, work, wq) embedded in ovpn_priv.
- Add struct llist_node bcast_entry to ovpn_peer to build a lockless
  peer snapshot under RCU without allocating peer list nodes.
- Process broadcast packets in an ordered workqueue so the entire
  send path runs in process context and can use GFP_KERNEL.
- Queue broadcast skbs directly to bcast.queue inside the main
  ovpn_net_xmit() loop instead of building a temporary skb_list.

 drivers/net/ovpn/io.c       | 174 ++++++++++++++++++++++++++++++++++--
 drivers/net/ovpn/io.h       |   2 +
 drivers/net/ovpn/main.c     |  10 ++-
 drivers/net/ovpn/ovpnpriv.h |  10 +++
 drivers/net/ovpn/peer.c     |  21 ++++-
 drivers/net/ovpn/peer.h     |   6 +-
 6 files changed, 212 insertions(+), 11 deletions(-)

diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c
index 22c555dd962e..dd0b45d4875e 100644
--- a/drivers/net/ovpn/io.c
+++ b/drivers/net/ovpn/io.c
@@ -105,6 +105,80 @@ static void ovpn_netdev_write(struct ovpn_peer *peer, struct sk_buff *skb)
 	local_bh_enable();
 }
 
+/**
+ * ovpn_mcast_mld_offset - compute the offset to the MLD payload in an IPv6 packet
+ * @skb: the packet to inspect
+ * @offsetp: pointer to store the computed offset
+ *
+ * MLD packets may be preceded by a Hop-by-Hop options header containing
+ * the Router Alert option. Calculate the actual payload offset and
+ * verify that the next header is ICMPv6.
+ *
+ * Caller must ensure that the IPv6 header is linearized.
+ *
+ * Return: true if the offset was computed successfully, false otherwise
+ */
+static bool ovpn_mcast_mld_offset(const struct sk_buff *skb, unsigned int *offsetp)
+{
+	unsigned int offset = sizeof(struct ipv6hdr);
+	u8 nexthdr = ipv6_hdr(skb)->nexthdr;
+	struct ipv6_opt_hdr _hopopt, *hopopt;
+
+	if (nexthdr != IPPROTO_HOPOPTS)
+		goto check_icmpv6;
+
+	hopopt = skb_header_pointer(skb, offset, sizeof(_hopopt), &_hopopt);
+	if (!hopopt)
+		return false;
+
+	nexthdr = hopopt->nexthdr;
+	offset += ipv6_optlen(hopopt);
+
+check_icmpv6:
+	if (nexthdr != IPPROTO_ICMPV6)
+		return false;
+
+	*offsetp = offset;
+	return true;
+}
+
+/**
+ * ovpn_mcast_is_control - determine whether an skb is multicast control traffic
+ * @skb: the packet to inspect
+ *
+ * Caller must ensure that IP/IPv6 headers are linearized.
+ *
+ * Return: true if the skb contains IGMP or MLD control traffic,
+ *         false otherwise
+ */
+static bool ovpn_mcast_is_control(const struct sk_buff *skb)
+{
+	unsigned int offset;
+	struct icmp6hdr _ih, *ih;
+
+	if (skb->protocol == htons(ETH_P_IP))
+		return ip_hdr(skb)->protocol == IPPROTO_IGMP;
+
+	if (skb->protocol != htons(ETH_P_IPV6))
+		return false;
+
+	if (!ovpn_mcast_mld_offset(skb, &offset))
+		return false;
+
+	ih = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
+	if (!ih)
+		return false;
+	switch (ih->icmp6_type) {
+	case ICMPV6_MGM_QUERY:
+	case ICMPV6_MGM_REPORT:
+	case ICMPV6_MGM_REDUCTION:
+	case ICMPV6_MLD2_REPORT:
+		return true;
+	}
+
+	return false;
+}
+
 void ovpn_decrypt_post(void *data, int ret)
 {
 	struct ovpn_crypto_key_slot *ks;
@@ -183,8 +257,13 @@ void ovpn_decrypt_post(void *data, int ret)
 	}
 	skb->protocol = proto;
 
-	/* perform Reverse Path Filtering (RPF) */
-	if (unlikely(!ovpn_peer_check_by_src(peer->ovpn, skb, peer))) {
+	/* perform Reverse Path Filtering (RPF).
+	 * IGMP/MLD protocols may use source addresses
+	 * that differ from the peer's VPN address
+	 * so we bypass RPF in that case
+	 */
+	if (unlikely(!ovpn_mcast_is_control(skb) &&
+		     !ovpn_peer_check_by_src(peer->ovpn, skb, peer))) {
 		if (skb->protocol == htons(ETH_P_IPV6))
 			net_dbg_ratelimited("%s: RPF dropped packet from peer %u, src: %pI6c\n",
 					    netdev_name(peer->ovpn->dev),
@@ -351,6 +430,69 @@ static void ovpn_send(struct ovpn_priv *ovpn, struct sk_buff *skb,
 	ovpn_peer_put(peer);
 }
 
+static void ovpn_bcast_work(struct work_struct *work)
+{
+	struct ovpn_priv *ovpn = container_of_const(work, struct ovpn_priv, bcast.work);
+	struct sk_buff *skb, *to_send;
+	struct llist_head peer_list;
+	struct llist_node *node, *n;
+	struct ovpn_peer *peer;
+	int bkt;
+
+	while ((skb = skb_dequeue(&ovpn->bcast.queue))) {
+		skb_mark_not_on_list(skb);
+		init_llist_head(&peer_list);
+
+		rcu_read_lock();
+		hash_for_each_rcu(ovpn->peers->by_id, bkt, peer, hash_entry_id) {
+			if (likely(ovpn_peer_hold(peer)))
+				llist_add(&peer->bcast_entry, &peer_list);
+		}
+		rcu_read_unlock();
+
+		if (unlikely(llist_empty(&peer_list))) {
+			ovpn_dev_dstats_tx_dropped(ovpn->dev);
+			skb_tx_error(skb);
+			kfree_skb(skb);
+			goto resched;
+		}
+
+		llist_for_each_safe(node, n, peer_list.first) {
+			peer = llist_entry(node, struct ovpn_peer, bcast_entry);
+
+			if (likely(n))
+				to_send = skb_clone(skb, GFP_KERNEL);
+			else
+				to_send = skb;
+
+			if (likely(to_send)) {
+				ovpn_peer_stats_increment_tx(&peer->vpn_stats, skb->len);
+				local_bh_disable();
+				ovpn_send(ovpn, to_send, peer);
+				local_bh_enable();
+				continue;
+			}
+			ovpn_dev_dstats_tx_dropped(ovpn->dev);
+			ovpn_peer_put(peer);
+		}
+resched:
+		if (!skb_queue_empty(&ovpn->bcast.queue))
+			cond_resched();
+	}
+}
+
+int ovpn_bcast_init(struct ovpn_priv *ovpn)
+{
+	skb_queue_head_init(&ovpn->bcast.queue);
+	INIT_WORK(&ovpn->bcast.work, ovpn_bcast_work);
+	ovpn->bcast.wq = alloc_ordered_workqueue("ovpn-bcast-%s", WQ_MEM_RECLAIM,
+						 netdev_name(ovpn->dev));
+	if (!ovpn->bcast.wq)
+		return -ENOMEM;
+
+	return 0;
+}
+
 /* Send user data to the network
  */
 netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
@@ -362,6 +504,7 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct ovpn_peer *peer;
 	__be16 proto;
 	int ret;
+	bool bcast = false;
 
 	/* reset netfilter state */
 	nf_reset_ct(skb);
@@ -372,8 +515,8 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
 		goto drop_no_peer;
 
 	/* retrieve peer serving the destination IP of this packet */
-	peer = ovpn_peer_get_by_dst(ovpn, skb);
-	if (unlikely(!peer)) {
+	peer = ovpn_peer_get_by_dst(ovpn, skb, &bcast);
+	if (unlikely(!peer && !bcast)) {
 		switch (skb->protocol) {
 		case htons(ETH_P_IP):
 			net_dbg_ratelimited("%s: no peer to send data to dst=%pI4\n",
@@ -418,11 +561,31 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
 			continue;
 		}
 
+		if (unlikely(bcast)) {
+			spin_lock_bh(&ovpn->bcast.queue.lock);
+			if (unlikely(skb_queue_len(&ovpn->bcast.queue) >= OVPN_BCAST_MAX_QLEN)) {
+				spin_unlock_bh(&ovpn->bcast.queue.lock);
+				ovpn_dev_dstats_tx_dropped(ovpn->dev);
+				skb_tx_error(curr);
+				kfree_skb(curr);
+				continue;
+			}
+			__skb_queue_tail(&ovpn->bcast.queue, curr);
+			spin_unlock_bh(&ovpn->bcast.queue.lock);
+			continue;
+		}
+
 		/* only count what we actually send */
 		tx_bytes += curr->len;
 		__skb_queue_tail(&skb_list, curr);
 	}
 
+	if (unlikely(bcast)) {
+		if (!skb_queue_empty(&ovpn->bcast.queue))
+			queue_work(ovpn->bcast.wq, &ovpn->bcast.work);
+		return NETDEV_TX_OK;
+	}
+
 	/* no segments survived: don't jump to 'drop' because we already
 	 * incremented the counter for each failure in the loop
 	 */
@@ -438,7 +601,8 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
 	return NETDEV_TX_OK;
 
 drop:
-	ovpn_peer_put(peer);
+	if (peer)
+		ovpn_peer_put(peer);
 drop_no_peer:
 	dev_dstats_tx_dropped(ovpn->dev);
 	skb_tx_error(skb);
diff --git a/drivers/net/ovpn/io.h b/drivers/net/ovpn/io.h
index db9e10f9077c..9c21d14f7724 100644
--- a/drivers/net/ovpn/io.h
+++ b/drivers/net/ovpn/io.h
@@ -31,4 +31,6 @@ void ovpn_xmit_special(struct ovpn_peer *peer, const void *data,
 void ovpn_encrypt_post(void *data, int ret);
 void ovpn_decrypt_post(void *data, int ret);
 
+int ovpn_bcast_init(struct ovpn_priv *ovpn);
+
 #endif /* _NET_OVPN_OVPN_H_ */
diff --git a/drivers/net/ovpn/main.c b/drivers/net/ovpn/main.c
index 2e0420febda0..511233bd5d12 100644
--- a/drivers/net/ovpn/main.c
+++ b/drivers/net/ovpn/main.c
@@ -30,6 +30,11 @@ static void ovpn_priv_free(struct net_device *net)
 {
 	struct ovpn_priv *ovpn = netdev_priv(net);
 
+	if (ovpn->bcast.wq) {
+		cancel_work_sync(&ovpn->bcast.work);
+		skb_queue_purge(&ovpn->bcast.queue);
+		destroy_workqueue(ovpn->bcast.wq);
+	}
 	kfree(ovpn->peers);
 }
 
@@ -155,7 +160,7 @@ static void ovpn_setup(struct net_device *dev)
 	dev->max_mtu = IP_MAX_MTU - OVPN_HEAD_ROOM;
 
 	dev->type = ARPHRD_NONE;
-	dev->flags = IFF_POINTOPOINT | IFF_NOARP;
+	dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST | IFF_BROADCAST;
 	dev->priv_flags |= IFF_NO_QUEUE;
 	/* when routing packets to a LAN behind a client, we rely on the
 	 * route entry that originally brought the packet into ovpn, so
@@ -192,6 +197,9 @@ static int ovpn_newlink(struct net_device *dev,
 	spin_lock_init(&ovpn->lock);
 	INIT_DELAYED_WORK(&ovpn->keepalive_work, ovpn_peer_keepalive_work);
 
+	if (ovpn_bcast_init(ovpn))
+		return -ENOMEM;
+
 	/* Set carrier explicitly after registration, this way state is
 	 * clearly defined.
 	 *
diff --git a/drivers/net/ovpn/ovpnpriv.h b/drivers/net/ovpn/ovpnpriv.h
index 5898f6adada7..5c86b239527b 100644
--- a/drivers/net/ovpn/ovpnpriv.h
+++ b/drivers/net/ovpn/ovpnpriv.h
@@ -32,6 +32,14 @@ struct ovpn_peer_collection {
 	struct hlist_nulls_head by_transp_addr[1 << 12];
 };
 
+#define OVPN_BCAST_MAX_QLEN 1000
+
+struct ovpn_bcast {
+	struct sk_buff_head queue;
+	struct work_struct work;
+	struct workqueue_struct *wq;
+};
+
 /**
  * struct ovpn_priv - per ovpn interface state
  * @dev: the actual netdev representing the tunnel
@@ -41,6 +49,7 @@ struct ovpn_peer_collection {
  * @peer: in P2P mode, this is the only remote peer
  * @gro_cells: pointer to the Generic Receive Offload cell
  * @keepalive_work: struct used to schedule keepalive periodic job
+ * @bcast: struct used to queue and transmit broadcast messages
  */
 struct ovpn_priv {
 	struct net_device *dev;
@@ -50,6 +59,7 @@ struct ovpn_priv {
 	struct ovpn_peer __rcu *peer;
 	struct gro_cells gro_cells;
 	struct delayed_work keepalive_work;
+	struct ovpn_bcast bcast;
 };
 
 #endif /* _NET_OVPN_OVPNSTRUCT_H_ */
diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index c02dfab51a6e..d1616e04c0ad 100644
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -722,6 +722,8 @@ static void ovpn_peer_remove(struct ovpn_peer *peer,
  * ovpn_peer_get_by_dst - Lookup peer to send skb to
  * @ovpn: the private data representing the current VPN session
  * @skb: the skb to extract the destination address from
+ * @bcast: a pointer to a bool. It's set to true if the packet is a
+ *         broadcast or a multicast.
  *
  * This function takes a tunnel packet and looks up the peer to send it to
  * after encapsulation. The skb is expected to be the in-tunnel packet, without
@@ -731,10 +733,11 @@ static void ovpn_peer_remove(struct ovpn_peer *peer,
  *
  * Return: the peer if found or NULL otherwise.
  */
-struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn,
-				       struct sk_buff *skb)
+struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, struct sk_buff *skb,
+				       bool *bcast)
 {
 	struct ovpn_peer *peer = NULL;
+	unsigned int addr_type;
 	struct in6_addr addr6;
 	__be32 addr4;
 
@@ -755,11 +758,23 @@ struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn,
 	case htons(ETH_P_IP):
 		addr4 = ovpn_nexthop_from_skb4(skb);
 		peer = ovpn_peer_get_by_vpn_addr4(ovpn, addr4);
+
+		if (peer)
+			break;
+
+		addr_type = inet_dev_addr_type(dev_net(ovpn->dev), ovpn->dev, addr4);
+		if (addr_type == RTN_MULTICAST || addr_type == RTN_BROADCAST)
+			*bcast = true;
 		break;
 	case htons(ETH_P_IPV6):
 		addr6 = ovpn_nexthop_from_skb6(skb);
 		peer = ovpn_peer_get_by_vpn_addr6(ovpn, &addr6);
-		break;
+
+		if (peer)
+			break;
+
+		if (ipv6_addr_is_multicast(&addr6))
+			*bcast = true;
 	}
 
 	if (unlikely(peer && !ovpn_peer_hold(peer)))
diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h
index 328401570cba..2b5027d0ad01 100644
--- a/drivers/net/ovpn/peer.h
+++ b/drivers/net/ovpn/peer.h
@@ -59,6 +59,7 @@
  * @refcount: reference counter
  * @rcu: used to free peer in an RCU safe way
  * @release_entry: entry for the socket release list
+ * @bcast_entry: entry for the broadcast peers list
  * @keepalive_work: used to schedule keepalive sending
  */
 struct ovpn_peer {
@@ -113,6 +114,7 @@ struct ovpn_peer {
 	struct kref refcount;
 	struct rcu_head rcu;
 	struct llist_node release_entry;
+	struct llist_node bcast_entry;
 	struct work_struct keepalive_work;
 };
 
@@ -148,8 +150,8 @@ void ovpn_peers_free(struct ovpn_priv *ovpn, struct sock *sock,
 struct ovpn_peer *ovpn_peer_get_by_transp_addr(struct ovpn_priv *ovpn,
 					       struct sk_buff *skb);
 struct ovpn_peer *ovpn_peer_get_by_id(struct ovpn_priv *ovpn, u32 peer_id);
-struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn,
-				       struct sk_buff *skb);
+struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, struct sk_buff *skb,
+				       bool *bcast);
 void ovpn_peer_hash_vpn_ip(struct ovpn_peer *peer);
 bool ovpn_peer_check_by_src(struct ovpn_priv *ovpn, struct sk_buff *skb,
 			    struct ovpn_peer *peer);

From patchwork Thu May 28 14:53:59 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marco Baffo <marco@mandelbit.com>
X-Patchwork-Id: 4989
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:4ec9:b0:861:c897:cb9d with SMTP id i9csp1109755mas;
        Thu, 28 May 2026 07:54:55 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AFNElJ8a7YfeNq7TgFqxJLbzE+vU5ItLVhk+3OIIQirXoCOJAj7ZBRgeXjNO/4wPhQWgsMF0Qrm/DwYhUCI=@openvpn.net
X-Received: by 2002:a05:6820:1844:b0:69d:b4d4:bdf6 with SMTP id
 006d021491bc7-69db4d4dca4mr9011180eaf.29.1779980090769;
        Thu, 28 May 2026 07:54:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779980090; cv=none;
        d=google.com; s=arc-20240605;
        b=BbdZv20WEDa3/UrnICOaVO7cFfzgVvCsXwBFyB29aRihKQ3RBnMzKOGSk35T3cFdFj
         TELBleUEp2Toyj8womZ2xdSvTEWP2upEGQjI2MhimFPtnYaKbYmkEixHH+Rr1BnmIWIQ
         to7ktL16VIoVO5D/nnlUx8aGV3mHAM5YC2rpjxm+kCop2+nSu5R+z+NkXudpIh+OC9qq
         JepJpUPjRtulymnQHk6nmt1LVUhfnQQYyjpsheXFm0IDzhkhRvF3+FFH8Q/ePEJU/+P2
         DItV/xzB1VlP695BN8ZfSIr8Z/+aArB//5t4Xl2tGIVtvq0fXcH/IeIk0AGFxlbYkX+1
         IEFQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature:dkim-signature;
        bh=SJDMLyXYtp/e7gmQYepnPUUimxs3SgwgrvsjMozNisc=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=bRx+dFULL8Jeh2g5h/qKLGCV7TsK8i3NEhQ/l43pTjRwBqXM/h8y+V4RUv2DglHwl+
         O8rUR0KwJ+xdcP16bR1zogdcVHgkui+C7B4mCYTkJeMNkbK9jH1Vdz7yfXYzeY7RwLMK
         I+qF5AE3TPMlr8xkHj8mAcuxljKUPa3gWQWQBkjvXWjwcTEYzi6HxDiDNIP5XaWuZ9Qd
         6agoAZ3W1xdnAVImz1rW8pyd/I0qhb0U76wRXZtNFBa+h4XN/d0hgok/un8KaKRcMopC
         oVciLOHr0D/4CIZXRdOSrO9WXcl+JP2sdueYFoCmIa4mB/qn6pjN/SDnbHfn5A/gI79D
         /STg==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=KlR150pB;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=lc73RG5w;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=KaWCrlpd;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=MBO0001 header.b=PLCMtUKA;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 006d021491bc7-69d83afd199si11107140eaf.67.2026.05.28.07.54.50
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 28 May 2026 07:54:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=KlR150pB;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=lc73RG5w;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=KaWCrlpd;
       dkim=neutral (body hash did not verify) header.i=@mandelbit.com
 header.s=MBO0001 header.b=PLCMtUKA;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:
	List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
	Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
	Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=SJDMLyXYtp/e7gmQYepnPUUimxs3SgwgrvsjMozNisc=; b=KlR150pBuJAfgSmAE/n5SHab0q
	LeIp6Jny2YVLnsmk3y4gZJ8DlspYiGaH7t7zcLGf1G1Tw55lmVgy2NxG4UYp0CF22fEo4g2U4ZrRs
	uNKXu2OmGgYCE7Y87aaXgRbKFmf56sJYHG2Lrn+mzQqRPEQDUcPxEAVlI1EWXWwC0gww=;
Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com)
	by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1wSc8A-00072R-4Q;
	Thu, 28 May 2026 14:54:42 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
 by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <marco@mandelbit.com>) id 1wSc81-00072C-Oa
 for openvpn-devel@lists.sourceforge.net;
 Thu, 28 May 2026 14:54:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=57jUF+lhhGxOOfHidCQJryhhSbNQrKky/44vvRdq5bs=; b=lc73RG5wrCLpyCa4SwVoF9RJAo
 QhvNlBuidEnHxOX6d3bilMdvGOIKSku2pvOOEh9hiF76ymxtqouUzZjpAGy8qDGq6A/jJnglyyPKz
 BFOhsUOOm8PsI00TIG++qKdAL0fK6MgRPKXC4+73mPwoQG0+BDWv6t5W8GrAtCxTd+tM=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=57jUF+lhhGxOOfHidCQJryhhSbNQrKky/44vvRdq5bs=; b=KaWCrlpdufBsFBC1I1vUvoM/HE
 k7aEdEWnglWHrLvne1gdd8s1gDoIsE3CBZ5TvmeMgHLFuvyPvGMNEhTWwFRHaiBn1gZiLv5pTnYuc
 T0NUWnkabUiUSLRoVF7JjuPg+AfLJ3ugx4lfX8wJUfnHMdPMNxyG8UBPtT1CakNWgFMM=;
Received: from mout-b-107.mailbox.org ([195.10.208.47])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1wSc81-0005bz-4J for openvpn-devel@lists.sourceforge.net;
 Thu, 28 May 2026 14:54:34 +0000
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mout-b-107.mailbox.org (Postfix) with ESMTPS id 4gR8dm6P6tzDsBw;
 Thu, 28 May 2026 16:54:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com;
 s=MBO0001; t=1779980060;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=57jUF+lhhGxOOfHidCQJryhhSbNQrKky/44vvRdq5bs=;
 b=PLCMtUKAyV5lZvowli1gJKWxIZDo/DrGMLbmMBJwfAdAYpdHoLVXsp27jHjpEzl4ZxZVXi
 CAzUYZyfnZtDAdAmjlzH4Q7GI5B2cCzc0vVei8dwYz4k230u/T08fdLhT7nMT+PA+G9n4V
 r5EPHyqua2GE/Gf1HVh0o6kJGWdpUbK16GbeCy7sn4uobs+6bIVyPqmO6Ye9FKg/zChHgj
 yu/Y1vGJbuBnisURU9lWc8sq6TFOZGqYsvi4r/0xisenFovloFAwTNioFkddapgCWTRh+i
 OLkdlVNGiM+AiGAzkRH8i1GV4ytyeAcUm8hq/qmLz7KJDywlR9EsozqBs0bi/A==
From: Marco Baffo <marco@mandelbit.com>
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 28 May 2026 16:53:59 +0200
Message-ID: <20260528145359.3815261-3-marco@mandelbit.com>
In-Reply-To: <20260528145359.3815261-1-marco@mandelbit.com>
References: <20260528145359.3815261-1-marco@mandelbit.com>
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "sfi-spamd-1.hosts.colo.sdot.me",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: Add a test stage that verifies the ovpn module forwards
 broadcast
 (IPv4) and multicast (IPv4/v6) packets to all active peers. For each mode
 we start tcpdump on every client peer, send a single ping from peer0 to the
 broadcast/multicast address, and verify all peers captured the packet.
 Content analysis details:   (-0.2 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily valid
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1wSc81-0005bz-4J
Subject: [Openvpn-devel] [RFC ovpn net-next v6 2/2] ovpn: add broadcast and
 multicast selftests
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: 1866444403548630776
X-GMAIL-MSGID: 1866444403548630776

Add a test stage that verifies the ovpn module forwards broadcast
(IPv4) and multicast (IPv4/v6) packets to all active peers.

For each mode we start tcpdump on every client peer, send a single
ping from peer0 to the broadcast/multicast address, and verify all
peers captured the packet.

IPv6 link-local addresses are assigned to TUN interfaces so that
ping to ff02::1 can select a valid source address.

Signed-off-by: Marco Baffo <marco@mandelbit.com>
---
 tools/testing/selftests/net/ovpn/common.sh |  1 +
 tools/testing/selftests/net/ovpn/test.sh   | 58 +++++++++++++++++++++-
 2 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/net/ovpn/common.sh b/tools/testing/selftests/net/ovpn/common.sh
index 2d844eb3aa6e..c0ca08171fa1 100644
--- a/tools/testing/selftests/net/ovpn/common.sh
+++ b/tools/testing/selftests/net/ovpn/common.sh
@@ -174,6 +174,7 @@ ovpn_setup_ns() {
 		ip -n "${peer}" link set mtu ${3} dev tun${1}
 	fi
 	ip -n "${peer}" link set tun${1} up
+	ip -n "${peer}" addr add fe80::$(( ${1} + 1 ))/64 dev tun${1} scope link
 }
 
 ovpn_build_capture_filter() {
diff --git a/tools/testing/selftests/net/ovpn/test.sh b/tools/testing/selftests/net/ovpn/test.sh
index c06e3135fbef..e485282025e8 100755
--- a/tools/testing/selftests/net/ovpn/test.sh
+++ b/tools/testing/selftests/net/ovpn/test.sh
@@ -56,6 +56,59 @@ ovpn_prepare_network() {
 	done
 }
 
+ovpn_run_mbcast_tests() {
+	local p
+	local peer_ns
+	local -a pids=()
+
+	ovpn_log "Testing broadcast:"
+	for p in $(seq 1 "${OVPN_NUM_PEERS}"); do
+		peer_ns="ovpn_peer${p}"
+		timeout 3 ip netns exec "${peer_ns}" \
+			tcpdump --immediate-mode -p -ni "tun${p}" -c 1 \
+			'icmp and dst host 5.5.5.255' >/dev/null 2>&1 &
+		pids+=($!)
+	done
+	sleep 0.5
+	ovpn_cmd_mayfail "send broadcast ping from peer0" \
+		ip netns exec ovpn_peer0 ping -qbc 1 -w 3 -I tun0 5.5.5.255
+	for pid in "${pids[@]}"; do
+		wait "${pid}" || return 1
+	done
+	pids=()
+
+	ovpn_log "Testing multicast IPv4:"
+	for p in $(seq 1 "${OVPN_NUM_PEERS}"); do
+		peer_ns="ovpn_peer${p}"
+		timeout 3 ip netns exec "${peer_ns}" \
+			tcpdump --immediate-mode -p -ni "tun${p}" -c 1 \
+			'icmp and dst host 224.0.0.1' >/dev/null 2>&1 &
+		pids+=($!)
+	done
+	sleep 0.5
+	ovpn_cmd_mayfail "send IPv4 multicast ping from peer0" \
+		ip netns exec ovpn_peer0 ping -qc 1 -w 3 -I tun0 224.0.0.1
+	for pid in "${pids[@]}"; do
+		wait "${pid}" || return 1
+	done
+	pids=()
+
+	ovpn_log "Testing multicast IPv6:"
+	for p in $(seq 1 "${OVPN_NUM_PEERS}"); do
+		peer_ns="ovpn_peer${p}"
+		timeout 3 ip netns exec "${peer_ns}" \
+			tcpdump --immediate-mode -p -ni "tun${p}" -c 1 \
+			'icmp6 and dst host ff02::1' >/dev/null 2>&1 &
+		pids+=($!)
+	done
+	sleep 0.5
+	ovpn_cmd_mayfail "send IPv6 multicast ping from peer0" \
+		ip netns exec ovpn_peer0 ping -6 -qc 1 -w 3 -I tun0 ff02::1
+	for pid in "${pids[@]}"; do
+		wait "${pid}" || return 1
+	done
+}
+
 ovpn_run_basic_traffic() {
 	local p
 	local header1
@@ -293,9 +346,9 @@ trap ovpn_stage_err ERR
 
 ktap_print_header
 if [ "${OVPN_FLOAT}" == "1" ]; then
-	ktap_set_plan 13
+	ktap_set_plan 14
 else
-	ktap_set_plan 12
+	ktap_set_plan 13
 fi
 
 ovpn_cleanup
@@ -303,6 +356,7 @@ modprobe -q ovpn || true
 
 ovpn_run_stage "setup network topology" ovpn_prepare_network
 ovpn_run_stage "run baseline data traffic" ovpn_run_basic_traffic
+ovpn_run_stage "run multi/broadcast traffic" ovpn_run_mbcast_tests
 ovpn_run_stage "run LAN traffic behind peer1" ovpn_run_lan_traffic
 [ "${OVPN_FLOAT}" == "1" ] && ovpn_run_stage "run floating peer checks" \
 	ovpn_run_float_mode