Re: [Openvpn-devel] NAK on Re: Drop recursively routed packets

[Gert D. <ge...@gr...>]

Hi,

On Wed, Nov 02, 2016 at 08:41:12PM +0100, Gert Doering wrote:
> ACK, thanks.  Took us long enough.

Bah.  I wanted to do everything right, but missed one crucial test: that
it "does what it says" in tap mode as well - well, it doesn't.  

Unlike v2, this will not break tap (or p2p server or --inetd) mode, but
the functionality is not right.

This code:

      /* make sure we got whole IP header */
      if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr))
        return;

      /* skip ipv4 packets for ipv6 tun */
      if (tun_sa.addr.sa.sa_family != AF_INET)
        return;

      pip = (struct openvpn_iphdr *) BPTR (buf);

      /* drop packets with same dest addr as gateway */
      if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
        drop = true;


... does not take "if it's TAP, skip the ethernet header" into account,
so is comparing tun_sa...s_addr with "something", but not with the 
IP address in the IP packet inside the ethernet frame.


So, unfortunately, another NAK.

But I noticed before pushing, so just totally ignore my previous mail -
this is not in the official tree (and won't make 2.3.13, meh).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             ge...@gr...
fax: +49-89-35655025                        ge...@ne...