Hi,
On Fri, Jan 06, 2023 at 03:38:41PM +0100, Arne Schwabe wrote:
> Patch v2: use strtol instead of atoi to be able to differentiate between
> an error parsing and parsing 0. Use int64_t instead of int to
> avoid overflow errors.
I find this easier to read, so thanks.
This said.
From: Lev Stipakov
We got warnings from MinGW about a function being defined
but not used when compiling modules which include tun.h.
This function is not defined as inline, so its definition
should not be in the header. Since this is not performance
critical, there is no need to make it inline.
Leave decla
Acked-by: Gert Doering
Thanks. Compile-tested on MinGW, it compiles and the warnings are gone.
Your patch has been applied to the master and release/2.6 branch.
commit a0eb1f764df39d9447b666e5a2cbd3aa01b41983 (master)
commit 9dd0bfb5983fdfbbb9e1fe2195642fbc4cc5f200 (release/2.6)
Author: Lev St
Hi,
On Fri, Jan 06, 2023 at 10:04:12AM -0500, selva.n...@gmail.com wrote:
> Note:
> net_route_v4/v6_add using netlink filters out EEXIST before returning
> this looks like a bug as add_route() and add_route_ipv6() should set
> RT_ADDED only if route was really added.
Actually we do have a Trac ti
Acked-by: Gert Doering
Lev has also ACKed, but since I did some previous digging into the code,
I gave it an extra-hard stare and can confirm that it looks very reasonable.
That said, I have a dislike for magic "0", "1" and "2" constants appearing
with no explanation - can we have a followup pat
On Fri, Jan 06, 2023 at 03:38:41PM +0100, Arne Schwabe wrote:
> This limits the number of packets OpenVPN will respond to. This avoids
> the OpenVPN server being abused for reflection attacks at a large scale,
> as we have gotten a lot more efficient with the cookie approach in our
> initial connection appro
On Mon, Dec 12, 2022 at 12:27:45PM +0100, Arne Schwabe wrote:
> Currently we have only one slot for renegotiation of the session/keys.
> If a replayed/faked packet is inserted by a malicious attacker, the
> legitimate peer cannot renegotiate anymore.
>
> This commit introduces dynamic tls-crypt. When
On 07.01.23 at 17:25, Gert Doering wrote:
commit 5e19cc2c1bf22d introduced a workaround for a race condition
that showed itself on IPv6 ifconfig on FreeBSD 12.x - sometimes breaking
IPv6 connectivity on tun/tap interfaces.
This was fixed on the FreeBSD side in 12.4, 13.1 and up, and 13.0 is
no
This limits the number of packets OpenVPN will respond to. This avoids
the OpenVPN server being abused for reflection attacks at a large scale,
as we have gotten a lot more efficient with the cookie approach in our
initial connection approach.
The default of 100 attempts per 10s should work for most people.
Thanks for the review and for fixing my fat fingers :-)
Patch has been applied to the master and release/2.6 branch.
commit 16d7f2cd4d904274580b2f031e92dde2f7f260c9 (master)
commit d9906d1523a8ed46fce81cb8d559279e345bf849 (release/2.6)
Author: Gert Doering
Date: Sat Jan 7 17:25:58 2023 +0100
This limits the number of packets OpenVPN will respond to. This avoids
the OpenVPN server being abused for reflection attacks at a large scale,
as we have gotten a lot more efficient with the cookie approach in our
initial connection approach.
The default of 100 attempts per 10s should work for most people.
On 09.01.23 at 16:01, Frank Lichtenheld wrote:
On Mon, Dec 12, 2022 at 12:27:45PM +0100, Arne Schwabe wrote:
Currently we have only one slot for renegotiation of the session/keys.
If a replayed/faked packet is inserted by a malicious attacker, the
legitimate peer cannot renegotiate anymore.
This
Currently we have only one slot for renegotiation of the session/keys.
If a replayed/faked packet is inserted by a malicious attacker, the
legitimate peer cannot renegotiate anymore.
This commit introduces dynamic tls-crypt. When both peers support this
feature, both peers create a dynamic tls-crypt ke
p2p --tls-server with no active client/peer logs once per second
"dco_update_keys: peer_id=-1"
which does exactly nothing, except fill the disk. So skip the call to
dco_update_keys() if peer_id == -1.
Signed-off-by: Gert Doering
---
src/openvpn/forward.c | 6 ++
1 file changed, 6 insert
Hi,
On Mon, Jan 09, 2023 at 05:15:21PM +0100, Arne Schwabe wrote:
> This limits the number of packets OpenVPN will respond to. This avoids
> the OpenVPN server being abused for reflection attacks at a large scale,
> as we have gotten a lot more efficient with the cookie approach in our
> initial connection
Hi
On Mon, Jan 9, 2023 at 7:17 AM Gert Doering wrote:
>
> I also notice that there is quite a bit of imbalance between IPv4 and
> IPv6 route addition on Windows - for IPv6, add_route_ipv6() will not
> print any messages (so, no diff here), while IPv4 has all that...
> maybe something to clean up
This limits the number of packets OpenVPN will respond to. This avoids
the OpenVPN server being abused for reflection attacks at a large scale,
as we have gotten a lot more efficient with the cookie approach in our
initial connection approach.
The default of 100 attempts per 10s should work for most people.
Acked-by: Gert Doering
The following tests were all done on v4. diff v4->v5 is only the extra
MSVC build files, so I did not completely re-test v5.
Stare-at-code looks good now (thanks). Fixed a bit of wording in the
commit message and reflect_filter.h comments.
Tested on the Linux server tes