Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1383?usp=email
to look at the new patch set (#2).
Change subject: Extend '--multihome' to selectively ignore the incoming
interface index.
......................................................................
Extend '--multihome' to selectively ignore the incoming interface index.
Traditional OpenVPN ``--multihome`` behaviour is to send packets out the
same interface that they were received on (copy ipi_ifindex from ingress
to egress packet info). For some scenarios this makes sense, for other
scenarios it is breaking connectivity when there are no routes pointing
out the ingress interface (intentionally asymmetric traffic).
Add a flag ``--multihome ignore-iif`` to always send out packets with
ipi_ifindex = 0, to follow normal system interface selection rules.
Github: OpenVPN/openvpn#855
Github: OpenVPN/openvpn#554
Change-Id: Id429241e1b17a8ff51d9019efc357c910f3bde4c
Signed-off-by: Gert Doering <[email protected]>
---
M doc/man-sections/server-options.rst
M src/openvpn/options.c
M src/openvpn/socket.c
M src/openvpn/socket.h
4 files changed, 22 insertions(+), 9 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/1383/2
diff --git a/doc/man-sections/server-options.rst
b/doc/man-sections/server-options.rst
index 739be22..562783b 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -342,7 +342,7 @@
by ``--ifconfig-ipv6``, OpenVPN will install a /128 host route for the
``ipv6addr`` IP address.
---multihome
+--multihome [ignore-iif]
Configure a multi-homed UDP server. This option needs to be used when a
server has more than one IP address (e.g. multiple interfaces, or
secondary IP addresses), and is not using ``--local`` to force binding
@@ -354,11 +354,13 @@
*Notes:*
- This option is only relevant for UDP servers.
- - If you do an IPv6+IPv4 dual-stack bind on a Linux machine with
- multiple IPv4 address, connections to IPv4 addresses will not
- work right on kernels before 3.15, due to missing kernel
- support for the IPv4-mapped case (some distributions have
- ported this to earlier kernel versions, though).
+ - This will copy the "ip_ifindex" from the incoming to the outgoing
+ packet by default, that is, try to send the packet out over the
+ same interface where it came in on. This might not work if there
+ are not usable routes on that interface.
+ - if the ``ignore-iif`` flag is added, the outgoing interface index
+ is set to ``0``, which means "do not force a particular outgoing
+ interface, use whatever the system will choose".
--iroute args
Generate an internal route to a specific client. The ``netmask``
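Review bot: the first added bullet names the field "ip_ifindex", but the commit message and socket.c call it ipi_ifindex (ipi6_ifindex for IPv6); use the real name so readers can look it up. In the same bullet, "there are not usable routes" should read "there are no usable routes", and the second added bullet should start with a capital "If". This hunk also removes the note about IPv6+IPv4 dual-stack binds on kernels before 3.15, which the commit message does not mention. Either keep that note or explain the removal in the commit message.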
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 4794315..1243e54 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6335,10 +6335,18 @@
options->mlock = true;
}
#if ENABLE_IP_PKTINFO
- else if (streq(p[0], "multihome") && !p[1])
+ else if (streq(p[0], "multihome") && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->sockflags |= SF_USE_IP_PKTINFO;
+ if (p[1] && streq(p[1], "ignore-iif"))
+ {
+ options->sockflags |= SF_PKTINFO_IGN_IIF;
+ }
+ else if (p[1])
+ {
+ msg(msglevel, "Unknown parameter to --multihome: %s", p[1]);
+ }
}
#endif
else if (streq(p[0], "verb") && p[1] && !p[2])
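Review bot: in the added "else if (p[1])" branch an unknown parameter only produces a message, and by then "options->sockflags |= SF_USE_IP_PKTINFO;" has already run. Unless msglevel is fatal at this point, a misspelled ignore-iif leaves plain --multihome active, with the incoming interface index still copied to the reply, which is the behaviour the operator was trying to turn off. Validate p[1] before touching sockflags, and leave through the function's error path after the msg() call so the configuration is rejected rather than half applied.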
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 8b6e35e..0217408 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2393,7 +2393,8 @@
{
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
struct in_pktinfo *pkti = (struct in_pktinfo *)CMSG_DATA(cmsg);
- from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
+ from->pi.in4.ipi_ifindex =
+ (sock->sockflags & SF_PKTINFO_IGN_IIF) ? 0 : pkti->ipi_ifindex;
from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
#elif defined(IP_RECVDSTADDR)
from->pi.in4 = *(struct in_addr *)CMSG_DATA(cmsg);
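Review bot: the index is zeroed at the point where the received in_pktinfo control message is parsed, so from->pi.in4 no longer records the arrival interface for anything else that reads it later. Add a short comment on the new assignment saying that 0 is stored on purpose so the reply follows normal route selection, or apply the flag where the outgoing packet info is built. Note also that the "#elif defined(IP_RECVDSTADDR)" branch carries no interface index, so ignore-iif has no effect on platforms that take that path; the man page entry could say so.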
@@ -2406,7 +2407,8 @@
&& cmsg->cmsg_len >= CMSG_LEN(sizeof(struct in6_pktinfo)))
{
struct in6_pktinfo *pkti6 = (struct in6_pktinfo *)CMSG_DATA(cmsg);
- from->pi.in6.ipi6_ifindex = pkti6->ipi6_ifindex;
+ from->pi.in6.ipi6_ifindex =
+ (sock->sockflags & SF_PKTINFO_IGN_IIF) ? 0 :
pkti6->ipi6_ifindex;
from->pi.in6.ipi6_addr = pkti6->ipi6_addr;
}
else if (cmsg != NULL)
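Review bot: with the flag set, ipi6_ifindex becomes 0 while ipi6_addr is still copied unchanged, and a link-local ipi6_addr is only meaningful together with an interface. Please confirm that replies to clients that reached the server on a link-local address still go out with ignore-iif, and document the result. The "(sock->sockflags & SF_PKTINFO_IGN_IIF) ? 0 : ..." expression is now duplicated in the IPv4 and IPv6 branches; computing the condition once in a local bool before the cmsg checks would keep the two in step.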
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 832d62e..d6ff258 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -195,6 +195,7 @@
#define SF_GETADDRINFO_DGRAM (1 << 4)
#define SF_DCO_WIN (1 << 5)
#define SF_PREPEND_SA (1 << 6)
+#define SF_PKTINFO_IGN_IIF (1 << 7)
unsigned int sockflags;
int mark;
const char *bind_dev;
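Review bot: the added SF_PKTINFO_IGN_IIF define has no comment, and its name alone does not say that it only has an effect together with SF_USE_IP_PKTINFO, which options.c always sets alongside it. Add a one-line comment on the define stating that it makes the receive path store interface index 0 so that replies follow normal route selection.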
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1383?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id429241e1b17a8ff51d9019efc357c910f3bde4c
Gerrit-Change-Number: 1383
Gerrit-PatchSet: 2
Gerrit-Owner: cron2 <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>