Hi,

On 26/03/2021 08:12, Gert Doering wrote:
> Now... if we consider a scenario where OpenVPN packets are not subject
> to be routed into the tunnel (Linux VRF, policy routing, ...) - which
> is actually something I want to see happen :-) - twisting this feature
> into some other direction might make the coding effort useful: what
> about "we only block packets that match destination IP *and port and
> protocol* with what OpenVPN is using"?
>
> So, if we talk to 1.2.3.4/udp/1194, only packets inside the tunnel
> destined to 1.2.3.4/udp/1994 would be dropped, and everything else can
> be sent freely - because those are never "recursive openvpn packets".
I was just questioning this feature per se: why do we want to *allow* real loops?

After your explanation I agree that this could be twisted into something more useful, where we actually drop packets we know should *not* be on the tunnel.

I guess we can conclude that this patch can be rejected as is.

We have two options now:
1) extend documentation (basically what part of this patch is doing);
2) rework this feature entirely.

If we go with 2 I guess we don't even need 1.

I'd go with 2, because this feature as it is now is not really meaningful to me.

@Lev, are you up for the challenge?

Regards,

-- 
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
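The narrower rule Gert proposes above (drop a packet entering the tunnel only when its destination IP, protocol and port all match the OpenVPN peer endpoint) can be illustrated with a small stand-alone filter. This is an added example written for this page, not OpenVPN's own code: the `peer_endpoint` struct, the packet builder and the 1.2.3.4/udp/1194 peer are constructed for the demo, and the check parses raw IPv4 headers itself rather than using any OpenVPN internals.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA protocol numbers as they appear in the IPv4 header. */
#define PROTO_TCP 6
#define PROTO_UDP 17

/* The remote OpenVPN endpoint we talk to. Hypothetical struct for this
 * example; OpenVPN keeps this information in its own link socket state. */
struct peer_endpoint {
    uint32_t ip;    /* IPv4 address, host byte order */
    uint8_t  proto; /* PROTO_UDP or PROTO_TCP */
    uint16_t port;  /* host byte order */
};

/* Constructed example peer: 1.2.3.4/udp/1194, as in the quoted mail. */
static const struct peer_endpoint example_peer = { 0x01020304u, PROTO_UDP, 1194 };

/* Parse the fields the rule needs from a raw IPv4 packet: destination
 * address, protocol and, for TCP/UDP, the destination port.
 * Returns false when the buffer is not a parseable IPv4 packet. */
static bool parse_ipv4(const uint8_t *pkt, size_t len,
                       uint32_t *dst_ip, uint8_t *proto, uint16_t *dst_port)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return false;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length incl. options */
    if (ihl < 20 || len < ihl)
        return false;
    *proto  = pkt[9];
    *dst_ip = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
              ((uint32_t)pkt[18] << 8)  |  (uint32_t)pkt[19];
    *dst_port = 0;
    if (*proto == PROTO_UDP || *proto == PROTO_TCP) {
        /* Both UDP and TCP place the destination port at L4 offset 2..3. */
        if (len < ihl + 4)
            return false;
        *dst_port = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return true;
}

/* The proposed rule: a packet entering the tunnel is "recursive" only when
 * destination IP, protocol AND port all match the OpenVPN peer endpoint.
 * Everything else (other hosts, other ports, ICMP, ...) passes. */
bool is_recursive_packet(const uint8_t *pkt, size_t len,
                         const struct peer_endpoint *peer)
{
    uint32_t dst_ip;
    uint8_t  proto;
    uint16_t dst_port;
    if (!parse_ipv4(pkt, len, &dst_ip, &proto, &dst_port))
        return false;   /* not IPv4 or truncated: this rule does not apply */
    return dst_ip == peer->ip && proto == peer->proto && dst_port == peer->port;
}

/* Build a minimal constructed IPv4 packet (20-byte header + 8-byte L4
 * header) for testing; checksums stay zero because the rule ignores them. */
size_t make_ipv4_packet(uint8_t *buf, size_t cap,
                        uint32_t dst_ip, uint8_t proto, uint16_t dst_port)
{
    const size_t len = 28;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    buf[0]  = 0x45;                        /* version 4, IHL 5 (20 bytes) */
    buf[3]  = (uint8_t)len;                /* total length */
    buf[8]  = 64;                          /* TTL */
    buf[9]  = proto;
    buf[12] = 10; buf[13] = 8; buf[14] = 0; buf[15] = 2;   /* src 10.8.0.2 (constructed) */
    buf[16] = (uint8_t)(dst_ip >> 24); buf[17] = (uint8_t)(dst_ip >> 16);
    buf[18] = (uint8_t)(dst_ip >> 8);  buf[19] = (uint8_t)dst_ip;
    buf[20] = 0xc0; buf[21] = 0x00;        /* src port 49152 */
    buf[22] = (uint8_t)(dst_port >> 8); buf[23] = (uint8_t)(dst_port & 0xff);
    return len;
}

/* Would a tunnel-bound packet to dst_ip/proto/dst_port be dropped for example_peer? */
bool would_drop(uint32_t dst_ip, uint8_t proto, uint16_t dst_port)
{
    uint8_t pkt[64];
    size_t len = make_ipv4_packet(pkt, sizeof pkt, dst_ip, proto, dst_port);
    return is_recursive_packet(pkt, len, &example_peer);
}

/* A packet that matches the peer but is cut off before the L4 header is not
 * classified as recursive: the port cannot be read, so the rule does not fire. */
bool truncated_example_dropped(void)
{
    uint8_t pkt[64];
    make_ipv4_packet(pkt, sizeof pkt, 0x01020304u, PROTO_UDP, 1194);
    return is_recursive_packet(pkt, 10, &example_peer);
}

int main(void)
{
    printf("1.2.3.4/udp/1194 -> %s\n", would_drop(0x01020304u, PROTO_UDP, 1194) ? "drop" : "pass");
    printf("1.2.3.4/udp/1995 -> %s\n", would_drop(0x01020304u, PROTO_UDP, 1995) ? "drop" : "pass");
    printf("1.2.3.4/tcp/1194 -> %s\n", would_drop(0x01020304u, PROTO_TCP, 1194) ? "drop" : "pass");
    printf("5.6.7.8/udp/1194 -> %s\n", would_drop(0x05060708u, PROTO_UDP, 1194) ? "drop" : "pass");
    return 0;
}
```

Only the first of the four printed cases is dropped; a packet to the same host on another port or protocol, or to another host on the OpenVPN port, is passed into the tunnel, which is exactly the difference from the current per-destination-address behaviour that the thread is discussing. A real implementation would also need an IPv6 variant and to re-check the rule whenever the peer endpoint changes (for example after a reconnect to a different remote).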