Hi, people have alreadycomplained at me that I write so long e-mails today, so I can write more...
On Wed, Oct 12, 2022 at 08:39:31AM +0200, Gert Doering wrote:
> Factor 1: single-peer (client or p2p) vs. multi-peer
>
> single-peer -> DCO has only 1 peer, all packets that go into the
> tun/dco interface are sent out to the single peer
> ("dumb pipe mode") - exactly like tun(4) behaves
>
> If a subnet is configured on the interface, packets to
> ALL IPs (!= local) in that subnet are sent to the other
> side. No next-hop lookup is done.
This is "sort of" handled in if_ovpn.c today
ovpn_route_peer(struct ovpn_softc *sc, struct mbuf **m0,
const struct sockaddr *dst)
{
...
/* Shortcut if we're a client (or are a server and have only one
client). */
if (sc->peercount == 1)
return (ovpn_find_only_peer(sc));
... so this works for the client, but has one interesting drawback on the
server - if there is only a single client connected, the server will send
ALL to-be-tunneled packets to that client. As soon as client #2 connects,
packets are properly sorted.
[..]
> Factor 2: IFF_POINTOPOINT vs. IFF_BROADCAST
>
> This seems to be a *BSD-specific thing, aka "there is nothing in the
> Linux specific code that seems to bother with this".
I've whacked at if_ovpn.c and dco_freebsd.c a bit now, and I seem
to have working code for both ends. I am not a FreeBSD kernel coder,
so I have no idea how many behavioural standards I am violating,
but it makes "real subnet mode in OpenVPN" work for me, with DCO.
Kernel patch attached, OpenVPN patches will follow soonish (outside
of this e-mail thread).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
From ddb95b7f57d78498003f3212b23e6adb0b5a9828 Mon Sep 17 00:00:00 2001
From: Gert Doering <g...@greenie.muc.de>
Date: Wed, 12 Oct 2022 15:30:07 +0200
Subject: [PATCH] if_ovpn(4): implement ioctl() to set if_flags
Fully working openvpn(8) --iroute support needs real subnet config
on ovpn(4) interfaces (IFF_BROADCAST), while client-side/p2p
configs need IFF_POINTOPOINT setting. So make this configurable.
---
sys/net/if_ovpn.c | 41 +++++++++++++++++++++++++++++++++++++++++
sys/net/if_ovpn.h | 1 +
2 files changed, 42 insertions(+)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index ed0ff178972..dfb475e3072 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1081,6 +1081,44 @@ ovpn_set_peer(struct ifnet *ifp, const nvlist_t *nvl)
return (0);
}
+static int
+ovpn_set_ifmode(struct ifnet *ifp, const nvlist_t *nvl)
+{
+ struct ovpn_softc *sc = ifp->if_softc;
+
+ if (nvl == NULL)
+ return (EINVAL);
+
+ if (! nvlist_exists_number(nvl, "ifmode") )
+ return (EINVAL);
+
+ int ifmode = nvlist_get_number(nvl, "ifmode");
+
+ OVPN_WLOCK(sc);
+
+ /* deny this if UP */
+ if (ifp->if_flags & IFF_UP) {
+ OVPN_WUNLOCK(sc);
+ return (EBUSY);
+ }
+
+ switch (ifmode & ~IFF_MULTICAST) {
+ case IFF_POINTOPOINT:
+ case IFF_BROADCAST:
+ ifp->if_flags &=
+ ~(IFF_BROADCAST|IFF_POINTOPOINT|IFF_MULTICAST);
+ ifp->if_flags |= ifmode;
+ break;
+ default:
+ OVPN_WUNLOCK(sc);
+ return (EINVAL);
+ }
+
+ OVPN_WUNLOCK(sc);
+
+ return (0);
+}
+
static int
ovpn_ioctl_set(struct ifnet *ifp, struct ifdrv *ifd)
{
@@ -1135,6 +1173,9 @@ ovpn_ioctl_set(struct ifnet *ifp, struct ifdrv *ifd)
case OVPN_SET_PEER:
ret = ovpn_set_peer(ifp, nvl);
break;
+ case OVPN_SET_IFMODE:
+ ret = ovpn_set_ifmode(ifp, nvl);
+ break;
default:
ret = ENOTSUP;
}
diff --git a/sys/net/if_ovpn.h b/sys/net/if_ovpn.h
index 26a9907711c..fd1c21e7043 100644
--- a/sys/net/if_ovpn.h
+++ b/sys/net/if_ovpn.h
@@ -60,5 +60,6 @@ enum ovpn_key_cipher {
#define OVPN_SEND_PKT _IO ('D', 9)
#define OVPN_POLL_PKT _IO ('D', 10)
#define OVPN_GET_PKT _IO ('D', 11)
+#define OVPN_SET_IFMODE _IO ('D', 12)
#endif
--
2.37.3
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
