Attention is currently required from: cron2, flichtenheld, plaisthos.

d12fk has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/489?usp=email )

Change subject: Windows: enforce 'block-local' with WFP filters
......................................................................


Patch Set 1:

(10 comments)

File doc/man-sections/vpn-network-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/489/comment/616966e3_6506d21f :
PS1, Line 357:       Push this flag to defend against the TunnelCrack attacks.
> Should explain a bit more what this protects against. […]
Agree not to explain TunnelCrack in the openvpn man page, but then references 
are not much of a thing in roff either. Could you elaborate what you have in 
mind? The technicalities are explained before the concluding sentence, so if 
you have a clue about TunnelCrack things should be clear enough.


File src/openvpn/init.c:

http://gerrit.openvpn.net/c/openvpn/+/489/comment/b47799d4_dca0b2c0 :
PS1, Line 1971:         /* Fortify 'redirect-gateway block-local' with firewall 
rules? */
> Since this hunk and the previous are completely identical I would move them 
> to a separate function. […]
I think there's even more duplicate code before. I'll take a look and submit a 
separate commit if it is not tightly related to wfp only.


File src/openvpn/route.h:

http://gerrit.openvpn.net/c/openvpn/+/489/comment/0c835951_e7364760 :
PS1, Line 248:  * is connected. This definatly returns false when not 
redirecting the gateway
> Typo "definatly"
Done


File src/openvpn/route.c:

http://gerrit.openvpn.net/c/openvpn/+/489/comment/eb7787ef_be0c1c5c :
PS1, Line 78: static bool add_route(struct route_ipv4 *r, const struct tuntap 
*tt, unsigned int flags,
> this breaks compilation on a zillion of platforms that want to call 
> add_route() from tun. […]
Right, failed to spot this. The build results speak for themselves. =/


http://gerrit.openvpn.net/c/openvpn/+/489/comment/0e347637_c3fa5a5a :
PS1, Line 612:     size_t i;
> no reason to leave that on its own line
Done


File src/openvpn/wfp_block.c:

http://gerrit.openvpn.net/c/openvpn/+/489/comment/97c5a316_ea67f28e :
PS1, Line 167:  * Block outgoing port 53 traffic except for
> "port 53" needs to be changed to reflect the new functionality
Done


http://gerrit.openvpn.net/c/openvpn/+/489/comment/ff62cf3d_89d511ff :
PS1, Line 197:     FWPM_FILTER_CONDITION0 Condition[2];
> Why remove the "= {0}" here?
Because the filters are zeroed right below, and then copied into [0] and/or [1] 
below as needed, so there's no uninitialized memory.


http://gerrit.openvpn.net/c/openvpn/+/489/comment/662c3688_6dc87eea :
PS1, Line 294:     /* Third filter. Block IPv4 to port 53 or all besided 
loopback. */
> "besides"? Or maybe "except"?
Done


http://gerrit.openvpn.net/c/openvpn/+/489/comment/af60e388_d7cb7c20 :
PS1, Line 303:     /* Forth filter. Block IPv6 to port 53 or all besides 
loopback */
> "Fourth"
Done


File src/openvpn/win32.c:

http://gerrit.openvpn.net/c/openvpn/+/489/comment/bdfe473f_2369c40d :
PS1, Line 1225:     if (ret == false)
> Simplify to "!win_get_exe_path(openvpnpath, _countof(openvpnpath))"
We need to set ret as return value anyway, so doing it before the if is more 
readable IMHO compared to cramming the function call between the parentheses.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/489?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ic9bf797bfc7e2d471998a84cb0f071db3e4832ba
Gerrit-Change-Number: 489
Gerrit-PatchSet: 1
Gerrit-Owner: d12fk <he...@openvpn.net>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: cron2 <g...@greenie.muc.de>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: cron2 <g...@greenie.muc.de>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Comment-Date: Tue, 09 Jan 2024 13:16:20 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 <g...@greenie.muc.de>
Comment-In-Reply-To: flichtenheld <fr...@lichtenheld.com>
Gerrit-MessageType: comment
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
