Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/756?usp=email

to look at the new patch set (#2).


Change subject: Automatically enable --compress migrate on the server
......................................................................

Automatically enable --compress migrate on the server

If we enable LZO compression, automatically switch to
migrate mode.

Change-Id: I00209b880cfcedd93e28f97fc3941d8b85e095f3
Signed-off-by: Frank Lichtenheld <fr...@lichtenheld.com>
---
M doc/man-sections/protocol-options.rst
M src/openvpn/comp.h
M src/openvpn/options.c
3 files changed, 31 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/756/2

diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 37e2240..b2a23fa 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -127,6 +127,12 @@
   configuration if supported by the client and otherwise switch to ``comp-lzo 
no``
   and add ``--push comp-lzo`` to the client specific configuration.

+  If used in a server configuration :code:`lzo` is an alias for 
:code:`migrate` in
+  current versions of OpenVPN. Compression will only be enabled if there is no
+  other choice. Note that these versions of OpenVPN also never actually 
compress
+  any packets. But they still will decompress packets received from the other 
side
+  of the connection if required.
+
   ***Security Considerations***

   Compression and encryption is a tricky combination. If an attacker knows
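Review bot: In the added paragraph, "Compression will only be enabled if there is no other choice" reads as contradicting the next sentence, which says these versions never compress any packets. Suggest saying that only the compression framing is kept, and only when the client cannot work without it, with packets still sent uncompressed. "Current versions of OpenVPN" and "these versions" will also age badly in a man page; naming the first version with this behaviour would let an administrator tell whether the alias applies to their server.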
@@ -153,6 +159,11 @@
   ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive`
   but there is no actual change in behavior anymore.

+  In server mode we convert this setting to ``--compress migrate`` to
+  automatically disable it when the client doesn't need it. If you want
+  to remove this setting from your server config you might need to add
+  an explicit ``--compress migrate`` instead if some clients still have
+  any variant of ``--comp-lzo`` in their config.

 --comp-noadapt
   **DEPRECATED** This option does not have any effect anymore since current
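Review bot: The second added sentence ("If you want to remove this setting ... you might need to add an explicit ``--compress migrate`` instead") does not say why, so the reader has to infer that the automatic conversion is the only thing keeping clients with ``--comp-lzo`` working. Suggest stating that directly: removing the option from the server also removes the implicit migrate mode. It would help to mention as well that the server logs a deprecation message when the conversion happens, so an admin knows what to look for.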
diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h
index ed6a563..1bc4648 100644
--- a/src/openvpn/comp.h
+++ b/src/openvpn/comp.h
@@ -49,6 +49,7 @@
 #define COMP_ALG_LZO    2 /* LZO algorithm */
 #define COMP_ALG_SNAPPY 3 /* Snappy algorithm (no longer supported) */
 #define COMP_ALG_LZ4    4 /* LZ4 algorithm */
+#define COMP_ALG_LZO_NO 5 /* --comp-lzo no which is similar to COMP_ALG_STUB, 
but no SWAP */


 /* algorithm v2 */
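Review bot: The comment on COMP_ALG_LZO_NO ("similar to COMP_ALG_STUB, but no SWAP") does not say that this is a parse-time marker rather than a real algorithm. Judging by the options.c hunk it is always rewritten, to COMP_ALG_UNDEF with migrate on a server or to COMP_ALG_STUB otherwise, before anything uses it. Please document that here, since it sits in the same numbering as the real algorithms and code that switches on comp.alg will not expect the value 5.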
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 4fee671..f8688d4 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3448,6 +3448,24 @@
     }
 #endif /* ifdef _WIN32 */

+    if (options->mode == MODE_SERVER)
+    {
+        /*
+         * Enable comp migrate automatically on server
+         */
+        if (options->comp.alg == COMP_ALG_LZO || options->comp.alg == 
COMP_ALG_LZO_NO)
+        {
+            msg(M_INFO, "DEPRECATED OPTION: LZO compression enabled on the 
server side. "
+                "We will enable --compress migrate instead.");
+            options->comp.alg = COMP_ALG_UNDEF;
+            options->comp.flags = COMP_F_MIGRATE;
+        }
+    }
+    else if (options->comp.alg == COMP_ALG_LZO_NO)
+    {
+        options->comp.alg = COMP_ALG_STUB;
+    }
+
 #ifdef DEFAULT_PKCS11_MODULE
     /* If p11-kit is present on the system then load its p11-kit-proxy.so
      * by default if the user asks for PKCS#11 without otherwise specifying
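Review bot: The message "LZO compression enabled on the server side" is also printed for COMP_ALG_LZO_NO, that is, when the config says "comp-lzo no" and the admin has explicitly not enabled compression. Consider a separate or more neutral wording for that case, for example naming the comp-lzo option as what is being replaced. Two smaller points in the same block: "options->comp.flags = COMP_F_MIGRATE;" assigns rather than ORs, so any compression flags set earlier in the config are silently dropped, which deserves a comment if intended; and a DEPRECATED OPTION notice at M_INFO is easy to miss, so M_WARN may be the better level.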
@@ -8456,7 +8474,7 @@
         {
             if (streq(p[1], "no"))
             {
-                options->comp.alg = COMP_ALG_STUB;
+                options->comp.alg = COMP_ALG_LZO_NO;
             }
             /* There is no actual difference anymore between these variants.
              * We never compress. On the server side we replace this with

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/756?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I00209b880cfcedd93e28f97fc3941d8b85e095f3
Gerrit-Change-Number: 756
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-MessageType: newpatchset
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
