Your patch has been applied to the master branch.
commit 2f702291484ccecba455b039bc4c04b4cf87e972
Author: Heiko Hund
Date: Fri May 13 01:19:01 2022 +0200
make %x destination unsigned
Signed-off-by: Heiko Hund
Acked-by: Frank Lichtenheld
Message-Id: <20220512231901.1077306
Acked-by: Gert Doering
Arne has already ACKed the functionality (and I'm fine with that), and
I ACK the extra comments. We could spend days on perfect wordsmithing
here, but I think they are good enough.
Please do not forget to include the metric thing in the "overall
documentation" patch that
On 28 Jun 2022, at 21:05, Antonio Quartulli wrote:
> On 28/06/2022 18:28, Kristof Provost via Openvpn-devel wrote:
>> Hi,
>>
>> Here's the most recent version of the FreeBSD DCO patch.
>> This is based on top of the dco branch, at
>> 480fa1c983aba9b0790ea94df209e1686f08336b.
>>
>
> Thanks! DCO patc
Hi,
On 28/06/2022 18:28, Kristof Provost via Openvpn-devel wrote:
Hi,
Here's the most recent version of the FreeBSD DCO patch.
This is based on top of the dco branch, at
480fa1c983aba9b0790ea94df209e1686f08336b.
Thanks! DCO patches may still change a bit due to review, but their
converging
open_tun_generic already contains the logic required to find a device
name when not specified by the user. For this reason the DCO case can
easily leverage on function and avoid code duplication.
Signed-off-by: Antonio Quartulli
---
Changes from v1:
* improved INFO message when device already exi
When using DCO, iroutes and routes all live in the same routing table.
However, the latter should always come after the former.
For this reason assign a default metric of 200 to routes. iroutes will
later get a metric of 100.
Signed-off-by: Antonio Quartulli
---
Changes from v1:
* added comments
Hi,
Here's the most recent version of the FreeBSD DCO patch.
This is based on top of the dco branch, at
480fa1c983aba9b0790ea94df209e1686f08336b.
Relatedly, the kernel side of that support has just landed in FreeBSD's
repo:
https://cgit.freebsd.org/src/commit/?id=ab91feabcc6f9da21d5c75028153af16
From: Kristof Provost
Implement data-channel offload for FreeBSD. The implementation and flow
is very similar to that of the Linux DCO support.
Signed-off-by: Kristof Provost
---
configure.ac | 5 +
src/openvpn/Makefile.am| 1 +
src/openvpn/dco_freebsd.c | 63
Forwarding to openvpn-devel, as requested.
CC'ing -users FTR.
--- Original Message ---
On Tuesday, June 28th, 2022 at 02:59, Selva Nair wrote:
> Hi,
>
>
> >
> > the \\config-auto folder is only created if the 'openVPN Service' is
> > se
Hi,
On Tue, Jun 28, 2022 at 05:46:40PM +0200, Heiko Hund wrote:
> On Tuesday, 28 June 2022 17:07:14 CEST Gert Doering wrote:
> > Uncrustify has complained at me when I merged the patch (because in that
> > moment, ovpn_dco_linux.h was "newly modified" and the exclusion rule
> > does not match on
On Tuesday, 28 June 2022 17:07:14 CEST Gert Doering wrote:
> Uncrustify has complained at me when I merged the patch (because in that
> moment, ovpn_dco_linux.h was "newly modified" and the exclusion rule
> does not match on the pre-commit-hook) - but as discussed, this is a bit
> complicated due
I have taken the "why is this not a problem?" text from Arne's ACK and
included it into the commit message.
Your patch has been applied to the master and release/2.5 branch.
commit 462339a45089ef655faf02232d7d792def9b8afb (master)
commit ce24bec7e2518d4ea7aa931021454d1191f4906b (release/2.5)
Auth
This does not really do anything yet, and it won't affect "non dco"
builds. For DCO builds, it looks reasonable and compiles without
warning (and all it really does is "if dco, then add IFLA_OVPN_MODE"
to the netlink message, passing in p2p / p2mp mode)
Your patch has been applied to the master b
Trivial enough :-) - compile tested on Linux (with --enable-dco) and FreeBSD.
Your patch has been applied to the master branch.
commit 4f1671fabdce2df94f01e63ff97191325c5bfa8c
Author: Antonio Quartulli
Date: Fri Jun 24 10:37:46 2022 +0200
dco: add helper function to detect if DCO is enabl
I have stared at this code before, and it "seems to be reasonable".
What I *can* attest is that it does not break existing "master" functionality
on client or server, Linux or FreeBSD or "make distcheck" (autoconf changes,
new modules, ...). I did not expect anything, but this was sort of the
ri
Note that this patch is wrong. Do not waste time reviewing it. Maybe at
some point I will send a v2. But since it is not high priority it might
take some time.
On Thu, May 05, 2022 at 01:43:22PM +0200, Frank Lichtenheld wrote:
> I think that makes the code slightly more readable.
>
> Signed-off-b
On 24.06.22 at 10:37, Antonio Quartulli wrote:
A server may push options that are not compatible with DCO.
In this case we should log a message and bail out.
Acked-By: Arne Schwabe
On 24.06.22 at 10:37, Antonio Quartulli wrote:
+if (!finish_options(c))
+{
+msg(D_TLS_ERRORS, "ERROR: Failed to finish option processing");
+return false;
+}
This error is a bit too generic for my taste. Can we make it more
specific? Like "Faile
On 24.06.22 at 10:37, Antonio Quartulli wrote:
+ASSERT(!primary || primary->dco_status != DCO_NOT_INSTALLED);
It would be good to explain this assertion. I just spent too long
understanding it and I understand the code. Something along the lines
that we expect that primary key has bee
On 28.06.22 at 11:41, Antonio Quartulli wrote:
The tls-crypt-v2 key should be at least 2 bytes long in order to read
the actual length.
Bail out if the key is too short.
Failing to do so will lead to a read out of the buffer boundary.
Actually not. We read from BEND(), so this is defined for
On Tuesday, 28 June 2022 10:20:24 CEST Antonio Quartulli wrote:
> A server should push a route to a client only if there is no matching
> iroute for the same client.
>
> While this logic works fine for IPv4, there is no IPv6 counterpart.
>
> Implement the same check for IPv6 routes and discard
We had the ACK for this since a long time, but then had discussions on
"is this what we really want", leading to the "DNS foreign option" patch
committed just now - so after checking with Arne, this is now making sense
for the server side intent ("if IV_PROTO contains the DNS bit, the server
can st
Hi,
On Tue, Jun 28, 2022 at 02:13:29PM +0200, Gert Doering wrote:
> I have stared at the code (... weeks ago already) but never came around
> to actually test this - so, happy to see the ACK from Frank :-)
>
> Your patch has been applied to the master branch.
>
> commit 8d345ff16db8d797a1b8485c6
I have stared at the code (... weeks ago already) but never came around
to actually test this - so, happy to see the ACK from Frank :-)
Your patch has been applied to the master branch.
commit 8d345ff16db8d797a1b8485c65361e2949fd15d3
Author: Heiko Hund
Date: Fri May 27 03:24:57 2022 +0200
The tls-crypt-v2 key should be at least 2 bytes long in order to read
the actual length.
Bail out if the key is too short.
Failing to do so will lead to a read out of the buffer boundary.
While at it improve the error message a bit.
Signed-off-by: Antonio Quartulli
---
src/openvpn/tls_crypt.c
Hi,
I did some testing and found out that this breaks when establishing
TCP connection to a server which cannot be reached:
> +*tt = dco_create_socket(sock->info.lsa->current_remote,
> +sock->bind_local,
> +sock->info.lsa->bind_local,
>
Hi,
I did some review / testing and suggest following changes to this patch:
> +if (!DeviceIoControl(tt->hand, OVPN_IOCTL_START_VPN, NULL, 0, NULL, 0,
> + &bytes_returned, NULL))
> +{
> +msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_START_VPN) failed with code
>
A server should push a route to a client only if there is no matching
iroute for the same client.
While this logic works fine for IPv4, there is no IPv6 counterpart.
Implement the same check for IPv6 routes and discard matching ones
from the push list.
Trac: #354
Cc: Gert Doering
Signed-off-by:
Hi,
On 27/06/2022 23:52, Heiko Hund wrote:
On Wednesday, 23 May 2018 21:28:02 CEST Antonio Quartulli wrote:
-if (o && o->push_list.head && o->iroutes)
+if (o && o->push_list.head && (o->iroutes || o->iroutes_ipv6))
[...]
+else if (p[0] && !strcmp(p[0], "route-ipv6") &&
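Review bot: the widened condition `(o->iroutes || o->iroutes_ipv6)` means the block is now entered when `o->iroutes` is NULL and only `o->iroutes_ipv6` is set, so any code inside it that walks `o->iroutes` has to tolerate an empty IPv4 list (and the reverse for the IPv6 list). It is worth checking both loops for that and adding a short comment at the condition stating that either list may be empty.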
- Fix various formatting inconsistencies
- Remove outdated (as of 2.6) information from
--data-ciphers and instead add a link to
cipher negotiation chapter.
- Some drive-by fixes in related code comments
and log messages as I was reading them.
Signed-off-by: Frank Lichtenheld
---
doc/man-s