A quick from me. > This has been in production use for some time now and there don't seem > to be any problems :) > > Can I motivate anyone on commenting on or applying this? :) > > Best > Max > > > commit 1baa7e6782b39ed664eedb9b006728d31e22c07e > Author: Maximilian Wilhelm <m...@rfc2324.org> > Date: Fri Oct 21 17:05:25 2016 +0200 > > Add --bind-dev option. > > This options allows the user to specify a network device the OpenVPN > process > should use when making a connection or binding to an address. This > translates > in setting the SO_BINDTODEVICE option to the corresponding socket (on > Linux). > > When for example using VRFs on Linux [0] this allows making connections > using > the non-default VRF and having the tun/tap interface in the default VRF. > > It seems FreeBSD does not support the SO_BINDTODEVICE socket option, > but has > a similar one called IP_SENDIF. As I don't have any BSD running, this > part is > untested. > > Thanks to David Ahern (Cumulus Networks) for insights on this. > > [0] > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.txt > > Signed-off-by: Maximilian Wilhelm <m...@rfc2324.org> > > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index 73f8c6d..57b1423 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -2856,7 +2856,8 @@ do_init_socket_1 (struct context *c, const int mode) > c->options.sndbuf, > c->options.mark, > &c->c2.server_poll_interval, > - sockflags); > + sockflags, > + c->options.bind_dev); > }
Should be after the after c->options options. > > /* > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 281ef0b..58dd298 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -167,6 +167,8 @@ static const char usage_message[] = > " or --socks-proxy" > " is used).\n" > "--nobind : Do not bind to local address and port.\n" > + "--bind-dev dev : Bind to the given device when making connection to a > peer or\n" > + " listening for connections\n" > "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n" > "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n" > " this option only if the tun/tap device used with > --dev\n" > @@ -5128,6 +5130,13 @@ add_option (struct options *options, > msg (msglevel, "unknown socket flag: %s", p[j]); > } > } > +#ifdef TARGET_LINUX > + else if (streq (p[0], "bind-dev") && p[1]) > + { > + VERIFY_PERMISSION (OPT_P_SOCKFLAGS); > + options->bind_dev = p[1]; > + } > +#endif Better use something like HAVE_BIND_TO_DEVICE or similar. Your define also misses FREEBSD here. > else if (streq (p[0], "txqueuelen") && p[1] && !p[2]) > { > VERIFY_PERMISSION (OPT_P_GENERAL); > diff --git a/src/openvpn/options.h b/src/openvpn/options.h > index b7453a0..3ce4550 100644 > --- a/src/openvpn/options.h > +++ b/src/openvpn/options.h > @@ -325,6 +325,7 @@ struct options > > /* socket flags */ > unsigned int sockflags; > + char *bind_dev; > > /* route management */ > const char *route_script; > diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c > index 184c7ad..b345de2 100644 > --- a/src/openvpn/socket.c > +++ b/src/openvpn/socket.c 
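Review bot: The new `bind-dev` branch accepts trailing arguments, because it tests only `p[1]` while the neighbouring `txqueuelen` handler tests `p[1] && !p[2]`, so a line such as `--bind-dev eth0 extra` is silently accepted with the extra word dropped; `else if (streq (p[0], "bind-dev") && p[1] && !p[2])` keeps it consistent with the surrounding handlers. The value is also stored without any validation, although the kernel limits SO_BINDTODEVICE names to IFNAMSIZ bytes, so a parse-time check in the style already used a few lines above, `if (strlen (p[1]) >= IFNAMSIZ) msg (msglevel, "--bind-dev: device name too long: %s", p[1]);`, would report the problem at the option rather than as a late setsockopt failure. add_option's body starts and ends outside the hunk.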
> @@ -868,6 +868,15 @@ create_socket (struct link_socket* sock, struct > addrinfo* addr) > /* set socket to --mark packets with given value */ > socket_set_mark (sock->sd, sock->mark); > > + if (sock->bind_dev) > + { > +#if defined(TARGET_LINUX) > + setsockopt (sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev, > strlen (sock->bind_dev) + 1); > +#elif defined(TARGET_FREEBSD) > + setsockopt(fd, SOL_SOCKET, IP_SENDIF, sock->bind_dev, strlen > (sock->bind_dev) + 1); > +#endif > + } > + The +1 looks strange. A comment why this has to be +1. I cannot find that IP_SENDIF in any freebsd man page or /usr/include on a 10.3 system. I don't think this option exists. > bind_local (sock, addr->ai_family); > } > > @@ -1525,7 +1534,8 @@ link_socket_init_phase1 (struct link_socket *sock, > int sndbuf, > int mark, > struct event_timeout* server_poll_timeout, > - unsigned int sockflags) > + unsigned int sockflags, > + const char *bind_dev) > { > ASSERT (sock); > > @@ -1550,6 +1560,7 @@ link_socket_init_phase1 (struct link_socket *sock, > > sock->sockflags = sockflags; > sock->mark = mark; > + sock->bind_dev = bind_dev; > > sock->info.proto = proto; > sock->info.af = af; > diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h > index e1607f4..8a0a5c7 100644 > --- a/src/openvpn/socket.h > +++ b/src/openvpn/socket.h > @@ -213,6 +213,7 @@ struct link_socket > # define SF_GETADDRINFO_DGRAM (1<<4) > unsigned int sockflags; > int mark; > + char *bind_dev; > > /* for stream sockets */ > struct stream_buf stream_buf; 
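Review bot: The setsockopt() call that applies SO_BINDTODEVICE ignores its return value, so when the bind fails (the device does not exist, or the process lacks the privilege the kernel requires for this option) the socket is silently left unbound and the connection goes out via the default routing table, which is exactly what --bind-dev is meant to prevent; the result should be tested and the failure reported rather than continued from. The FreeBSD branch also passes `fd`, which is not a variable in this function (the Linux branch and the surrounding code use `sock->sd`), so that branch would not compile wherever it is enabled. create_socket's body starts and ends outside the hunk.
```c
  if (sock->bind_dev)
    {
#if defined(TARGET_LINUX)
      /* Do not continue on an unbound socket: that would silently route
       * the tunnel through the default table instead of the requested device. */
      if (setsockopt (sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev,
                      strlen (sock->bind_dev) + 1) < 0)
        {
          msg (M_ERR, "Socket cannot be bound to device %s", sock->bind_dev);
        }
      /* … unchanged: non-Linux branch … */
#endif
    }
```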
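Review bot: `sock->bind_dev = bind_dev;` in link_socket_init_phase1 assigns the `const char *bind_dev` parameter added in this hunk to the `char *bind_dev` member added to struct link_socket in the socket.h hunk (`@@ -213`), which discards the qualifier and is diagnosed by the compiler on every build. Declaring the member as `const char *bind_dev;` resolves it, and the same choice fits the new field in struct options (options.h hunk), which sits directly next to `const char *route_script;`. link_socket_init_phase1's body starts and ends outside the hunk.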
> @@ -327,7 +328,8 @@ link_socket_init_phase1 (struct link_socket *sock, > int sndbuf, > int mark, > struct event_timeout* server_poll_timeout, > - unsigned int sockflags); > + unsigned int sockflags, > + const char *bind_dev); > > void link_socket_init_phase2 (struct link_socket *sock, > const struct frame *frame, > ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel