I have tested this on ubuntu 20.04 against the kernel DCO (v2) module
from "next", commit 580608e.  All client and server side tests pass
(with and without DCO), and it survived UDP and TCP gremlin attacks
for ~1h each.  This is better than we ever had, so yay :-)

UDP gremlins still seem to make it lose track of a few clients
(kernel thinks "nothing left" and sends no more keepalive, userland
claims "6 clients left") - this is still not perfect, but no *real*
issue - if one of the clients reconnects, the session will be flushed,
and if key renegotiation comes up, it will eventually be expired.


Stare-at-code also looks good.  Taking out lots of stuff that was
just complicating things.  I also like that this obsoletes quite
a bit of extra comments that we fought about quite a while to
make them understandable :-) - plus the #ifdef _WIN32 from my
bandaid patch...

I have also compile-tested this for Windows (MinGW), not actually
runtime-tested it - but the logic wrt "dco_installed" -> "SF_DCO_WIN"
is clear enough (one could argue endlessly on "flag" or "bool", but
it does the same thing).

Uncrustify complains about ovpn_dco_linux.h, but since this is a
"foreign import" I ignored it (as previously).

I have added a note to the commit message that this is an API
breaking change and needs a newer kernel module (as agreed on IRC).

Your patch has been applied to the master and release/2.6 branch.

commit ac1d24286ad4788415ce6f56e97c18562d1cadbd (master)
commit 321b04fac8aaaad254fe884472109042d8fb83d7 (release/2.6)
Author: Antonio Quartulli
Date:   Thu Mar 9 22:03:44 2023 +0100

     dco: don't use NetLink to exchange control packets

     Signed-off-by: Antonio Quartulli <a...@unstable.cc>
     Acked-by: Arne Schwabe <a...@rfc2549.org>
     Message-Id: <20230309210344.5763-...@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26384.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel