Hi,

On Tue, Oct 30, 2018 at 02:53:59PM +0200, Lev Stipakov wrote:
> From: Lev Stipakov <l...@openvpn.net>
>
> This patch provides additional information, such as
> source address/port and destination address/port, to a
> "recursive routing" warning message. It also mentions a
> possible workaround.
I still do not like this patch. It is quite a bit of extra code, and I'm not convinced of the benefit.

Adding documentation is most welcome, though.

> .B \-\-allow\-recursive\-routing
> When this option is set, OpenVPN will not drop incoming tun packets
> -with same destination as host.
> +with same destination as host. Could be useful when packets sent by openvpn
> +itself are not subject to the routing tables that would move packets
> +into the tunnel.

So, this is good. Maybe even extend this a bit more.

On the patch itself, it assumes "no IP options" for IPv4, and "no intermediate headers" for IPv6, and "all payload is UDP or TCP". Which is usually true for any packets that OpenVPN itself originates but if you want to log "this is packet from someone else, and we shouldn't have dropped it because it's not one of ours" it could be anything.

Now... if we consider a scenario where OpenVPN packets are not subject to be routed into the tunnel (Linux VRF, policy routing, ...) - which is actually something I want to see happen :-) - twisting this feature into some other direction might make the coding effort useful: what about "we only block packets that match destination IP *and port and protocol* with what OpenVPN is using"?

So, if we talk to 1.2.3.4/udp/1194, only packets inside the tunnel destined to 1.2.3.4/udp/1994 would be dropped, and everything else can be sent freely - because those are never "recursive openvpn packets".

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
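Review bot: the added man page sentence in the `+` lines says when the option is useful but not what the user gives up by enabling it: once the drop is disabled, a tun packet addressed to the host itself is no longer stopped, so the text should state that the option is only safe where the routing setup (the policy routing or VRF cases mentioned in this thread) guarantees OpenVPN's own traffic never re-enters the tunnel. Minor: the new sentence has no subject ("Could be useful" reads better as "This can be useful") and writes "openvpn" where the line above uses "OpenVPN".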
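The destination-IP, protocol and port match Gert proposes above, as an added C example that is not part of the thread or of OpenVPN's code. `struct remote_ep`, the constructed sample packets and the choice to fall back to the old blanket drop when the transport header cannot be located are this example's own assumptions; it also honours the IPv4 IHL so packets with IP options are classified correctly.

```c
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed endpoint descriptor for this example (not OpenVPN's own type). */
struct remote_ep { int af; uint8_t addr[16]; uint8_t proto; uint16_t port; };

/* IPv6 extension headers this example does not walk: Hop-by-Hop, Routing,
 * Fragment, AH, Destination Options. */
static int ipv6_ext_header(uint8_t nh)
{ return nh == 0 || nh == 43 || nh == 44 || nh == 51 || nh == 60; }
/* 1 = "recursive": same destination IP, transport protocol and port as the
 * remote OpenVPN endpoint. 0 = some other destination, let it through.
 * When the IP matches but the transport header cannot be located (non-first
 * IPv4 fragment, IPv6 extension header, truncation) fall back to the old
 * blanket behaviour and report 1 rather than risk a routing loop. */
int is_recursive_packet(const uint8_t *p, size_t len, const struct remote_ep *r)
{
    size_t l4off; uint8_t proto;
    if (len < 20) return 0;
    if ((p[0] >> 4) == 4 && r->af == AF_INET) {
        if (memcmp(p + 16, r->addr, 4) != 0) return 0;
        l4off = (size_t)(p[0] & 0x0f) * 4;          /* IHL: honours IP options */
        if (l4off < 20 || (((p[6] & 0x1f) << 8) | p[7]) != 0) return 1;
        proto = p[9];
    } else if ((p[0] >> 4) == 6 && r->af == AF_INET6) {
        if (len < 40 || memcmp(p + 24, r->addr, 16) != 0) return 0;
        proto = p[6];
        if (ipv6_ext_header(proto)) return 1;       /* not parsed: play safe */
        l4off = 40;
    } else {
        return 0;
    }
    if (proto != r->proto) return 0;                /* ICMP, or TCP vs UDP */
    if (len < l4off + 4) return 1;                  /* cannot read the port */
    return ((p[l4off + 2] << 8) | p[l4off + 3]) == r->port;
}

/* Constructed samples: the remote is 1.2.3.4, UDP port 1194, as in the thread.
 * V4HDR builds a 20-byte IPv4 header (total length field is not checked). */
static const struct remote_ep REMOTE4 = { AF_INET, {1, 2, 3, 4}, IPPROTO_UDP, 1194 };
#define V4HDR(ihl, proto, frag) 0x40 | (ihl), 0, 0, 28, 0, 0, 0, (frag), 64, (proto), 0, 0, 10, 0, 0, 2, 1, 2, 3, 4
static const uint8_t UDP_1194[] = { V4HDR(5, 17, 0), 0xc0, 0, 0x04, 0xaa, 0, 8, 0, 0 };
static const uint8_t OPT_UDP_1194[] = { V4HDR(6, 17, 0), 1, 1, 1, 1, 0xc0, 0, 0x04, 0xaa, 0, 8, 0, 0 };
static const uint8_t OPT_UDP_1994[] = { V4HDR(6, 17, 0), 1, 1, 1, 1, 0xc0, 0, 0x07, 0xca, 0, 8, 0, 0 };
static const uint8_t TCP_1194[] = { V4HDR(5, 6, 0), 0xc0, 0, 0x04, 0xaa, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t FRAG_1194[] = { V4HDR(5, 17, 1), 0xc0, 0, 0x04, 0xaa, 0, 8, 0, 0 };
```

Only the UDP packet to 1.2.3.4:1194 (with or without IP options) and the unparseable fragment are reported as recursive; the TCP packet and the one to port 1994 pass.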