From: Gert D. <ge...@gr...> - 2025-06-23 14:07:58
From: Ralf Lici <ra...@ma...> Starting with Linux kernel version 6.16, a couple of ovpn-related enum definitions were introduced in the `include/uapi/linux/if_link.h` header. Redefining them in openvpn when they are already present in the system headers can lead to conflicts or build issues. This commit ensures that enum redefinitions are avoided by conditionally using the existing definitions from the system header when available. Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425 Signed-off-by: Ralf Lici <ra...@ma...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1064 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 273a6ad..4e441ec 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -40,6 +40,8 @@ /* OVPN section */ +#ifndef IFLA_OVPN_MAX + enum ovpn_mode { OVPN_MODE_P2P, OVPN_MODE_MP, @@ -49,10 +51,13 @@ IFLA_OVPN_UNSPEC = 0, IFLA_OVPN_MODE, - __IFLA_OVPN_AFTER_LAST, - IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1, + __IFLA_OVPN_MAX, }; +#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1) + +#endif /* ifndef IFLA_OVPN_MAX */ + typedef struct { struct nl_sock *nl_sock; |
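Review bot: the new `#ifndef IFLA_OVPN_MAX` guard in the dco_linux.h hunk only takes effect if `<linux/if_link.h>` (or a header that pulls it in) is included before this point, and nothing in the hunk shows that include; a short comment naming the header the macro is expected to come from, and a check that the include precedes the guard, would make the conditional self-explanatory. Note also that the guard covers `enum ovpn_mode` as well as the IFLA_OVPN_* enum, so the code now assumes that whenever the system header provides IFLA_OVPN_MAX it provides the OVPN_MODE_* values too.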
From: ordex (C. Review) <ge...@op...> - 2025-06-23 13:47:22
Attention is currently required from: flichtenheld, plaisthos, ralf_lici. ordex has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1064?usp=email ) Change subject: dco linux: avoid redefining ovpn enums ...................................................................... Patch Set 2: Code-Review+1 (1 comment) Patchset: PS2: patch looks good to me, however the commit message says nothing about converting MAX from enum to define. I'd just add on line saying something like "While at it, convert ..._MAX to define, to reflect the way it is defined in kernel 6.16" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1064?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425 Gerrit-Change-Number: 1064 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: ralf_lici <ra...@ma...> Gerrit-Comment-Date: Mon, 23 Jun 2025 13:47:12 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: plaisthos (C. Review) <ge...@op...> - 2025-06-23 13:29:57
Attention is currently required from: comododragon, flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email ) Change subject: Added PQE to WolfSSL ...................................................................... Patch Set 3: (1 comment) File README.wolfssl: http://gerrit.openvpn.net/c/openvpn/+/1046/comment/ab0e57c2_c22d8064 : PS3, Line 39: WolfSSL supports the following Quantum Safe algorithms by specifying them using the `tls-groups` you should also mention that wolfSSL uses different names for standard groups like secp384r1 vs P-384. Probably also good to add that as a remark in the man page for tls-groups -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Gerrit-Change-Number: 1046 Gerrit-PatchSet: 3 Gerrit-Owner: comododragon <rei...@fo...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: comododragon <rei...@fo...> Gerrit-Comment-Date: Mon, 23 Jun 2025 13:29:43 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment |
From: ralf_lici (C. Review) <ge...@op...> - 2025-06-23 13:16:05
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1064?usp=email to look at the new patch set (#2). Change subject: dco linux: avoid redefining ovpn enums ...................................................................... dco linux: avoid redefining ovpn enums Starting with Linux kernel version 6.16, a couple of ovpn-related enum definitions were introduced in the `include/uapi/linux/if_link.h` header. Redefining them in openvpn when they are already present in the system headers can lead to conflicts or build issues. This commit ensures that enum redefinitions are avoided by conditionally using the existing definitions from the system header when available. Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425 Signed-off-by: Ralf Lici <ra...@ma...> --- M src/openvpn/dco_linux.h 1 file changed, 7 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/64/1064/2 diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 273a6ad..4e441ec 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -40,6 +40,8 @@ /* OVPN section */ +#ifndef IFLA_OVPN_MAX + enum ovpn_mode { OVPN_MODE_P2P, OVPN_MODE_MP, 
@@ -49,10 +51,13 @@ IFLA_OVPN_UNSPEC = 0, IFLA_OVPN_MODE, - __IFLA_OVPN_AFTER_LAST, - IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1, + __IFLA_OVPN_MAX, }; +#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1) + +#endif /* ifndef IFLA_OVPN_MAX */ + typedef struct { struct nl_sock *nl_sock; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1064?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425 Gerrit-Change-Number: 1064 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
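Review bot: the commit message describes avoiding enum redefinition but not the second change in this hunk, where `IFLA_OVPN_MAX` moves from an enumerator to `#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1)` and `__IFLA_OVPN_AFTER_LAST` is renamed to `__IFLA_OVPN_MAX`; add a sentence saying this mirrors the kernel 6.16 definition, since that macro is exactly what the new `#ifndef` guard keys on.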
From: ralf_lici (C. Review) <ge...@op...> - 2025-06-23 13:12:56
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1064?usp=email to review the following change. Change subject: dco linux: avoid redefining ovpn enums ...................................................................... dco linux: avoid redefining ovpn enums Starting with Linux kernel version 6.16, a couple of ovpn-related enum definitions were introduced in the `include/uapi/linux/if_link.h` header. Redefining them in openvpn when they are already present in the system headers can lead to conflicts or build issues. This commit ensures that enum redefinitions are avoided by conditionally using the existing definitions from the system header when available. Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425 Signed-off-by: Ralf Lici <ra...@ma...> --- M src/openvpn/dco_linux.h 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/64/1064/1 diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 273a6ad..f6e2d13 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -40,6 +40,8 @@ /* OVPN section */ +#ifndef IFLA_OVPN_MAX + enum ovpn_mode { OVPN_MODE_P2P, OVPN_MODE_MP, 
@@ -50,9 +52,12 @@ IFLA_OVPN_MODE, __IFLA_OVPN_AFTER_LAST, - IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1, }; +#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1) + +#endif /* ifndef IFLA_OVPN_MAX */ + typedef struct { struct nl_sock *nl_sock; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1064?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425 Gerrit-Change-Number: 1064 Gerrit-PatchSet: 1 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
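Review bot: the second hunk does not compile as posted: it removes `IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1` but keeps the enumerator `__IFLA_OVPN_AFTER_LAST`, while the new `#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1)` refers to `__IFLA_OVPN_MAX`, which is never declared. Either rename the enumerator to `__IFLA_OVPN_MAX` (matching the kernel header the guard is modelled on) or define the macro in terms of `__IFLA_OVPN_AFTER_LAST`.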
From: cron2 (C. Review) <ge...@op...> - 2025-06-23 12:08:36
Attention is currently required from: flichtenheld, mattock, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/919?usp=email ) Change subject: t_server_null: add multi-socket testing ...................................................................... Patch Set 6: (1 comment) Patchset: PS6: The failures on NetBSD and OpenBSD are due to "by default there is only /dev/tun0 to /dev/tun3, and no dynamic device nodes". Running "sudo /dev/MAKEDEV /dev/tun4" enables 1 community VPN + 4 test servers. We should re-test when the other BBs are fixed -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/919?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4ebe1158c36a641888131e824f59004a0f8fb4c5 Gerrit-Change-Number: 919 Gerrit-PatchSet: 6 Gerrit-Owner: mattock <sa...@pr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: mattock <sa...@pr...> Gerrit-Comment-Date: Mon, 23 Jun 2025 12:08:26 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment |
From: cron2 (C. Review) <ge...@op...> - 2025-06-23 11:53:26
Attention is currently required from: comododragon, flichtenheld. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email ) Change subject: Added PQE to WolfSSL ...................................................................... Patch Set 3: Code-Review-1 (3 comments) Patchset: PS3: getting closer ;-) File README.wolfssl: http://gerrit.openvpn.net/c/openvpn/+/1046/comment/7ec159a7_61317087 : PS3, Line 40: option in a config. the textual logic is weird here - "to build with these PQE...", while "these PQE" are only defined in the next paragraph...? File src/openvpn/ssl_openssl.c: http://gerrit.openvpn.net/c/openvpn/+/1046/comment/e1a1e35c_b06c65eb : PS3, Line 564: if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) please do not do that - that is, move code blocks around, just to have an easier time in the #ifdef As far as I can see all the patch really does is "change the #ifdef", but with a larger diff due to swapping the if/else parts this is harder to see, and will also mess up "git blame" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Gerrit-Change-Number: 1046 Gerrit-PatchSet: 3 Gerrit-Owner: comododragon <rei...@fo...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: comododragon <rei...@fo...> Gerrit-Comment-Date: Mon, 23 Jun 2025 11:53:11 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: comododragon (C. Review) <ge...@op...> - 2025-06-23 10:50:53
Attention is currently required from: comododragon, flichtenheld. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email to look at the new patch set (#3). Change subject: Added PQE to WolfSSL ...................................................................... Added PQE to WolfSSL Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 --- M README.wolfssl M src/openvpn/ssl_openssl.c 2 files changed, 45 insertions(+), 8 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/3 diff --git a/README.wolfssl b/README.wolfssl index a5dfe31..27b9087 100644 --- a/README.wolfssl +++ b/README.wolfssl @@ -28,3 +28,40 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + +************************************************************************* +To build WolfSSL with these PQE, you'll want to configure it like this: + +```bash +./configure --enable-openvpn --enable-kyber --enable-mlkem --enable-curve25519 +``` + +WolfSSL supports the following Quantum Safe algorithms by specifying them using the `tls-groups` +option in a config. + +``` +ML_KEM_512 +ML_KEM_768 +ML_KEM_1024 +P256_ML_KEM_512 +P384_ML_KEM_768 +P256_ML_KEM_768 +P521_ML_KEM_1024 +P384_ML_KEM_1024 +X25519_ML_KEM_512 +X448_ML_KEM_768 +X25519_ML_KEM_768 + +KYBER_LEVEL1 +KYBER_LEVEL3 +KYBER_LEVEL5 + +P256_KYBER_LEVEL1 +P384_KYBER_LEVEL3 +P256_KYBER_LEVEL3 +P521_KYBER_LEVEL5 + +X25519_KYBER_LEVEL1 +X448_KYBER_LEVEL3 +X25519_KYBER_LEVEL3 +``` diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 2fc77d8..b873e54 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -560,7 +560,13 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if defined(ENABLE_CRYPTO_WOLFSSL) || OPENSSL_VERSION_NUMBER >= 0x30000000L + if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) + { + crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", + groups); + } +#else struct gc_arena gc = gc_new(); /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups) @@ -607,13 +613,7 @@ groups); } gc_free(&gc); -#else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ - if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) - { - crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", - groups); - } -#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif } void -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Gerrit-Change-Number: 1046 Gerrit-PatchSet: 3 Gerrit-Owner: comododragon <rei...@fo...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: comododragon <rei...@fo...> Gerrit-MessageType: newpatchset |
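Review bot: in the ssl_openssl.c hunks the two branches of the `#if` are swapped rather than only the condition changed, which turns a one-line change into a block move and also drops the trailing `#endif` comment; keeping the original order with `#if !defined(ENABLE_CRYPTO_WOLFSSL) && OPENSSL_VERSION_NUMBER < 0x30000000L` gives the same behaviour with a minimal diff and keeps `git blame` intact. In the README.wolfssl hunk, `To build WolfSSL with these PQE` refers to a list that only appears in the following paragraph; move the configure line after the list or reword it, and state that wolfSSL uses its own names for the groups passed to `tls-groups`.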
From: comododragon (C. Review) <ge...@op...> - 2025-06-23 10:49:36
Attention is currently required from: comododragon, flichtenheld. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email to look at the new patch set (#2). Change subject: Added PQE to WolfSSL ...................................................................... Added PQE to WolfSSL Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 --- M README.wolfssl M src/openvpn/ssl_openssl.c 2 files changed, 47 insertions(+), 8 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/1046/2 diff --git a/README.wolfssl b/README.wolfssl index a5dfe31..27b9087 100644 --- a/README.wolfssl +++ b/README.wolfssl @@ -28,3 +28,40 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + +************************************************************************* +To build WolfSSL with these PQE, you'll want to configure it like this: + +```bash +./configure --enable-openvpn --enable-kyber --enable-mlkem --enable-curve25519 +``` + +WolfSSL supports the following Quantum Safe algorithms by specifying them using the `tls-groups` +option in a config. + +``` +ML_KEM_512 +ML_KEM_768 +ML_KEM_1024 +P256_ML_KEM_512 +P384_ML_KEM_768 +P256_ML_KEM_768 +P521_ML_KEM_1024 +P384_ML_KEM_1024 +X25519_ML_KEM_512 +X448_ML_KEM_768 +X25519_ML_KEM_768 + +KYBER_LEVEL1 +KYBER_LEVEL3 +KYBER_LEVEL5 + +P256_KYBER_LEVEL1 +P384_KYBER_LEVEL3 +P256_KYBER_LEVEL3 +P521_KYBER_LEVEL5 + +X25519_KYBER_LEVEL1 +X448_KYBER_LEVEL3 +X25519_KYBER_LEVEL3 +``` diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 2fc77d8..dd3dcca 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -76,6 +76,8 @@ #include <openssl/applink.c> #endif +#include "wolfssl_compat.h" + OSSL_LIB_CTX *tls_libctx; /* Global */ static void unload_xkey_provider(void); 
@@ -560,7 +562,13 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if defined(ENABLE_CRYPTO_WOLFSSL) || OPENSSL_VERSION_NUMBER >= 0x30000000L + if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) + { + crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", + groups); + } +#else struct gc_arena gc = gc_new(); /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups) @@ -607,13 +615,7 @@ groups); } gc_free(&gc); -#else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ - if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) - { - crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", - groups); - } -#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif } void -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Gerrit-Change-Number: 1046 Gerrit-PatchSet: 2 Gerrit-Owner: comododragon <rei...@fo...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: comododragon <rei...@fo...> Gerrit-MessageType: newpatchset |
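Review bot: the first ssl_openssl.c hunk adds `#include "wolfssl_compat.h"` unconditionally, so OpenSSL builds will also try to pull in that header; unless it is present in every build configuration, wrap the include in `#ifdef ENABLE_CRYPTO_WOLFSSL`, the same symbol the new `#if` condition below tests.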
From: mattock (C. Review) <ge...@op...> - 2025-06-23 09:35:32
Attention is currently required from: flichtenheld, mattock, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/919?usp=email to look at the new patch set (#6). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: t_server_null: add multi-socket testing ...................................................................... t_server_null: add multi-socket testing This adds a new multi-socket server that listens on IPv4 and IPv6 localhost addresses for TCP and UDP connections respectively. It also adds two success tests and one failure test with wrong protocol defined at the client side. Change-Id: I4ebe1158c36a641888131e824f59004a0f8fb4c5 Signed-off-by: Samuli Seppänen <sa...@pm...> --- M tests/t_server_null_default.rc 1 file changed, 27 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/19/919/6 diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index 41ec591..a1c68cd 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc 
@@ -38,12 +38,14 @@ MAX_CLIENTS="10" CLIENT_MATCH="Test-Client" SERVER_EXEC="${top_builddir}/src/openvpn/openvpn" -SERVER_BASE_OPTS="--local 127.0.0.1 --dev tun --topology subnet --max-clients $MAX_CLIENTS --persist-tun --verb 3 --duplicate-cn" +SERVER_BASE_OPTS="--dev tun --topology subnet --max-clients $MAX_CLIENTS --persist-tun --verb 3 --duplicate-cn" +SERVER_BIND_OPTS="--local 127.0.0.1" SERVER_CIPHER_OPTS="" SERVER_CERT_OPTS="--ca ${CA} --cert ${SERVER_CERT} --key ${SERVER_KEY} --tls-auth ${TA} 0" -SERVER_CONF_BASE="${SERVER_BASE_OPTS} ${SERVER_CIPHER_OPTS} ${SERVER_CERT_OPTS}" +SERVER_CONF_BASE="${SERVER_BASE_OPTS} ${SERVER_CIPHER_OPTS} ${SERVER_CERT_OPTS} ${SERVER_BIND_OPTS}" +SERVER_CONF_BASE_MULTISOCKET="${SERVER_BASE_OPTS} ${SERVER_CIPHER_OPTS} ${SERVER_CERT_OPTS}" -TEST_SERVER_LIST="1 2 3" +TEST_SERVER_LIST="1 2 3 4" SERVER_NAME_1="t_server_null_server-1194_udp" SERVER_SERVER_1="--server 10.29.41.0 255.255.255.0" @@ -63,6 +65,12 @@ SERVER_EXEC_3="${SERVER_EXEC}" SERVER_CONF_3="${SERVER_CONF_BASE} ${SERVER_SERVER_3} --lport 1196 --proto udp --management 127.0.0.1 ${SERVER_MGMT_PORT_3} --dh none --cipher AES-192-CBC --data-ciphers DEFAULT:AES-192-CBC" +SERVER_NAME_4="t_server_null_server-1197_multisocket_ipv4_ipv6" +SERVER_SERVER_4="--server 10.29.44.0 255.255.255.0" +SERVER_MGMT_PORT_4="11197" +SERVER_EXEC_4="${SERVER_EXEC}" +SERVER_CONF_4="${SERVER_CONF_BASE_MULTISOCKET} ${SERVER_SERVER_4} --local 127.0.0.1 1197 tcp --local ::1 1197 udp --management 127.0.0.1 ${SERVER_MGMT_PORT_4}" + # Test client configurations CLIENT_EXEC="${top_builddir}/src/openvpn/openvpn" CLIENT_BASE_OPTS="--client --nobind --remote-cert-tls server --persist-tun --verb 3 --resolv-retry infinite --connect-retry-max 3 --server-poll-timeout 5 --explicit-exit-notify 3 --script-security 2" 
@@ -72,7 +80,7 @@ CLIENT_CIPHER_OPTS="" CLIENT_CERT_OPTS="--ca ${CA} --cert ${CLIENT_CERT} --key ${CLIENT_KEY} --tls-auth ${TA} 1" -TEST_RUN_LIST="1 1L 2 2L 3 4a 4b 4c" +TEST_RUN_LIST="1 1L 2 2L 3 4a 4b 4c 5a 5b 5c" CLIENT_CONF_BASE="${CLIENT_NULL_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" CLIENT_CONF_BASE_LWIP="${CLIENT_LWIP_OPTS} ${CLIENT_BASE_OPTS} ${CLIENT_CIPHER_OPTS} ${CLIENT_CERT_OPTS}" @@ -121,3 +129,18 @@ SHOULD_PASS_4c="no" CLIENT_EXEC_4c="${CLIENT_EXEC}" CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC" + +TEST_NAME_5a="t_server_null_client.sh-openvpn_current_multisocket_ipv4_tcp" +SHOULD_PASS_5a="yes" +CLIENT_EXEC_5a="${CLIENT_EXEC}" +CLIENT_CONF_5a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1197 tcp" + +TEST_NAME_5b="t_server_null_client.sh-openvpn_current_multisocket_ipv6_udp" +SHOULD_PASS_5b="yes" +CLIENT_EXEC_5b="${CLIENT_EXEC}" +CLIENT_CONF_5b="${CLIENT_CONF_BASE} --remote ::1 1197 udp" + +TEST_NAME_5c="t_server_null_client.sh-openvpn_current_multisocket_ipv6_tcp_fail" +SHOULD_PASS_5c="no" +CLIENT_EXEC_5c="${CLIENT_EXEC}" +CLIENT_CONF_5c="${CLIENT_CONF_BASE} --remote ::1 1197 tcp" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/919?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4ebe1158c36a641888131e824f59004a0f8fb4c5 Gerrit-Change-Number: 919 Gerrit-PatchSet: 6 Gerrit-Owner: mattock <sa...@pr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: mattock <sa...@pr...> Gerrit-MessageType: newpatchset |
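Review bot: `TEST_SERVER_LIST` grows from three to four servers and each needs its own tun device, but the rc file has no way to skip server 4 when a device cannot be opened; cron2 reports that NetBSD and OpenBSD ship only /dev/tun0 to /dev/tun3, so on those platforms the new 5a/5b/5c runs fail for environmental reasons rather than because of the multi-socket code. Consider a skip condition tied to device availability so a missing node is reported as skipped instead of failed.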
From: cron2 (C. Review) <ge...@op...> - 2025-06-22 11:36:37
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email ) Change subject: Route: add support for user defined routing table ...................................................................... Route: add support for user defined routing table Add the ability for users to specify a custom routing table where routes should be installed in. As of now routes are always installed in the main routing table of the operating system, however, with the new --route-table option it is possibile to specify the ID of the default routing table to be used by --route(-ipv6). Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Trac #1399 Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Signed-off-by: Gianmarco De Gregori <gia...@ma...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31946.html Signed-off-by: Gert Doering <ge...@gr...> --- M doc/man-sections/vpn-network-options.rst M src/openvpn/helper.c M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/route.c M src/openvpn/route.h 7 files changed, 68 insertions(+), 20 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 40b8c19..4a64e8d 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -389,6 +389,14 @@ Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in @@ -463,14 +471,20 @@ Setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's *tun*. - Valid syntax: + Valid syntaxes: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits + route-ipv6 ipv6addr/bits gateway + route-ipv6 ipv6addr/bits gateway metric - The gateway parameter is only used for IPv6 routes across *tap* devices, - and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or - ``--route-ipv6-gateway`` is used. + ``gateway`` + Only used for IPv6 routes across *tap* devices, + and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or + ``--route-ipv6-gateway`` is used. + + ``metric`` + default taken from ``--route-metric`` if set, otherwise :code:`0`. --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 8761826..7cef9db 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -118,7 +118,8 @@ print_in_addr_t(network, 0, &o->gc), print_in_addr_t(netmask, 0, &o->gc), NULL, - NULL); + NULL, + o->route_default_table_id); } static void diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7d4eb85..77747a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -1566,7 +1566,7 @@ { add_route_ipv6_to_option_list( options->routes_ipv6, string_alloc(opt_list[i], options->routes_ipv6->gc), - NULL, NULL ); + NULL, NULL, options->route_default_table_id); } } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3cf8c2a..7e26069 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -213,6 +213,10 @@ " pass --ifconfig parms by environment to scripts.\n" "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n" " connection doesn't match the remote side.\n" +#ifdef TARGET_LINUX + "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n" + " If not specified, the id of the default routing table will be used.\n" +#endif "--route network [netmask] [gateway] [metric] :\n" " Add route to routing table after connection\n" " is established. Multiple routes can be specified.\n" @@ -829,6 +833,7 @@ o->ce.mssfix = 0; o->ce.mssfix_default = true; o->ce.mssfix_encap = true; + o->route_default_table_id = 0; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1799,6 +1804,7 @@ SHOW_STR(route_script); SHOW_STR(route_default_gateway); SHOW_INT(route_default_metric); + SHOW_INT(route_default_table_id); SHOW_BOOL(route_noexec); SHOW_INT(route_delay); SHOW_INT(route_delay_window); @@ -7064,6 +7070,14 @@ cnol_check_alloc(options); add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel); } + else if (streq(p[0], "route-table") && p[1] && !p[2]) + { +#ifndef ENABLE_SITNL + msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in"); +#endif + VERIFY_PERMISSION(OPT_P_ROUTE_TABLE); + options->route_default_table_id = positive_atoi(p[1], msglevel); + } else if (streq(p[0], "route") && p[1] && !p[5]) { VERIFY_PERMISSION(OPT_P_ROUTE); 
@@ -7085,8 +7099,9 @@ msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]); goto err; } + /* p[4] is metric, if specified */ } - add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]); + add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], options->route_default_table_id); } else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) { @@ -7104,9 +7119,9 @@ msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]); goto err; } - /* p[3] is metric, if present */ + /* p[3] is metric, if specified */ } - add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]); + add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], options->route_default_table_id); } else if (streq(p[0], "max-routes") && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 46ec32b..56e85d7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -427,6 +427,7 @@ const char *route_predown_script; const char *route_default_gateway; const char *route_ipv6_default_gateway; + int route_default_table_id; int route_default_metric; bool route_noexec; int route_delay; @@ -758,6 +759,7 @@ #define OPT_P_PEER_ID (1<<28) #define OPT_P_INLINE (1<<29) #define OPT_P_PUSH_MTU (1<<30) +#define OPT_P_ROUTE_TABLE (1<<31) #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index bd79a28..156262a 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -330,13 +330,11 @@ r->option = ro; /* network */ - if (!is_route_parm_defined(ro->network)) { goto fail; } - /* get_special_addr replaces specialaddr with a special ip addr * like gw. getaddrinfo is called to convert a a addrinfo struct */ @@ -442,6 +440,9 @@ r->flags |= RT_DEFINED; + /* routing table id */ + r->table_id = ro->table_id; + return true; fail: @@ -498,6 +499,9 @@ r6->flags |= RT_DEFINED; + /* routing table id */ + r6->table_id = r6o->table_id; + return true; fail: 
@@ -511,7 +515,8 @@ const char *network, const char *netmask, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_option *ro; ALLOC_OBJ_GC(ro, struct route_option, l->gc); @@ -519,6 +524,7 @@ ro->netmask = netmask; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes; l->routes = ro; @@ -528,13 +534,15 @@ add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_ipv6_option *ro; ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc); ro->prefix = prefix; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes_ipv6; l->routes_ipv6 = ro; } @@ -1610,9 +1618,10 @@ metric = r->metric; } + status = RTA_SUCCESS; int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, iface, 0, metric); + &r->gateway, iface, r->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2007,7 +2016,7 @@ status = RTA_SUCCESS; int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL, - device, 0, metric); + device, r6->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2227,7 +2236,7 @@ } if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, NULL, 0, metric) < 0) + &r->gateway, NULL, r->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route delete command failed"); } @@ -2452,7 +2461,7 @@ } if (net_route_v6_del(ctx, &r6->network, r6->netbits, - gateway_needed ? &r6->gateway : NULL, device, 0, + gateway_needed ? &r6->gateway : NULL, device, r6->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route v6 delete command failed"); diff --git a/src/openvpn/route.h b/src/openvpn/route.h index aa3114c..237375c 100644 
--- a/src/openvpn/route.h +++ b/src/openvpn/route.h @@ -69,6 +69,7 @@ in_addr_t remote_host; int remote_host_local; /* TLA_x value */ struct route_bypass bypass; + int table_id; int default_metric; }; @@ -77,6 +78,7 @@ const char *network; const char *netmask; const char *gateway; + int table_id; const char *metric; }; @@ -101,6 +103,7 @@ const char *prefix; /* e.g. "2001:db8:1::/64" */ const char *gateway; /* e.g. "2001:db8:0::2" */ const char *metric; /* e.g. "5" */ + int table_id; }; struct route_ipv6_option_list { @@ -119,6 +122,7 @@ in_addr_t network; in_addr_t netmask; in_addr_t gateway; + int table_id; int metric; }; @@ -129,6 +133,7 @@ unsigned int netbits; struct in6_addr gateway; int metric; + int table_id; /* gateway interface */ #ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ @@ -290,12 +295,14 @@ const char *network, const char *netmask, const char *gateway, - const char *metric); + const char *metric, + int table_id); void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric); + const char *metric, + int table_id); bool init_route_list(struct route_list *rl, const struct route_option_list *opt, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Gerrit-Change-Number: 524 Gerrit-PatchSet: 10 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
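Review bot: the new ``--route-table`` paragraph in the vpn-network-options.rst hunk (@@ -389) disagrees with the code on two points and leaves out the semantics the option actually has. It says the id is "for use with --route" while the options.c help text says "--route(-ipv6)" and the route-ipv6 parser does pass the id; and it says "Supported on Linux only, on other platforms this is a no-op" while the parser warns `NOTE: --route-table is supported only on Linux when SITNL is built-in`, so a Linux build using the iproute2 backend is a no-op as well. Suggest wording along the lines of "Applies to every --route and --route-ipv6 parsed after it, including routes pushed by the server; only effective on Linux with the netlink (SITNL) backend, otherwise ignored with a warning", and say that the default id 0 means the backend's default (main) table, since `o->route_default_table_id = 0;` is what has always been handed to SITNL.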
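Review bot: the second vpn-network-options.rst hunk (@@ -463) rewrites the ``--route-ipv6`` syntax and metric documentation without any reference to routing tables, so it is unrelated to this change; either split it into its own commit or mention it in the commit message, which currently describes only the new option.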
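Review bot: in the options.c hunks the help text is guarded by `#ifdef TARGET_LINUX` (@@ -213) but the runtime check is `#ifndef ENABLE_SITNL` (@@ -7064), so a Linux build with the iproute2 backend advertises the option in --help and then installs the routes in the main table after a single M_WARN. Use the same condition for both, and consider making the unsupported case a hard error rather than a warning: an operator who writes `route-table` is usually relying on the routes not landing in the main table (a policy-routing or VRF setup), and a build that ignores the option turns that into a silent routing change. The value from `positive_atoi(p[1], msglevel)` is also handed to the backend unchecked; if SITNL or the kernel only accepts a bounded range of table ids, reject out-of-range values at parse time rather than discovering the problem when the route is added.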
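Review bot: `#define OPT_P_ROUTE_TABLE (1<<31)` in the options.h hunk (@@ -758) shifts a 1 into the sign bit of an int, which is undefined behaviour in C; write it as `(1u<<31)` (or whatever width the permission mask really has) and note that this consumes the last free bit of a 32-bit mask. Separately, nothing in this diff adds OPT_P_ROUTE_TABLE to a pull permission mask (the only init.c hunk is the add_route_ipv6_to_option_list call), so a server cannot push `route-table` and pushed routes land in whatever table the client's own config selected last. That is the safer behaviour, since a remote peer choosing the table id could steer client routes into tables it has no business touching, but it is a deliberate choice and should be stated in the commit message and man page; if the intent was instead to share the `--route` permissions, OPT_P_ROUTE would do and the new bit would be unnecessary.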
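Review bot: two edits in the route.c hunks are not part of the table-id plumbing: the removal of the blank lines around `is_route_parm_defined(ro->network)` (@@ -330) and the new `status = RTA_SUCCESS;` before `net_route_v4_add` (@@ -1610). The second changes what the IPv4 add path reports (it mirrors the line the IPv6 path already has at @@ -2007) and deserves its own commit with an explanation; the whitespace change should simply be dropped.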
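Review bot: the `int table_id;` added next to `default_metric` in the first route.h hunk (@@ -69, the list-level struct with `remote_host` and `bypass`) is never written or read anywhere in the diff; every consumer copies `ro->table_id` / `r6o->table_id` into the per-route structs in route.c. Drop the field or wire it up as the list default, and while there put `table_id` in the same position in the four per-route structs (it sits before `metric` in two of them and after it in the other two).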
From: cron2 (C. Review) <ge...@op...> - 2025-06-22 11:36:36
cron2 has uploaded a new patch set (#10) to the change originally created by its_Giaan. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2

Change subject: Route: add support for user defined routing table
......................................................................

Route: add support for user defined routing table

Add the ability for users to specify a custom routing table where routes should be installed in. As of now routes are always installed in the main routing table of the operating system, however, with the new --route-table option it is possible to specify the ID of the default routing table to be used by --route(-ipv6).

Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends.

Trac #1399

Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Signed-off-by: Gianmarco De Gregori <gia...@ma...>
Acked-by: Gert Doering <ge...@gr...>
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg31946.html
Signed-off-by: Gert Doering <ge...@gr...>
---
M doc/man-sections/vpn-network-options.rst
M src/openvpn/helper.c
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/route.c
M src/openvpn/route.h
7 files changed, 68 insertions(+), 20 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/24/524/10

diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 40b8c19..4a64e8d 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -389,6 +389,14 @@ Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in @@ -463,14 +471,20 @@ Setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's *tun*. - Valid syntax: + Valid syntaxes: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits + route-ipv6 ipv6addr/bits gateway + route-ipv6 ipv6addr/bits gateway metric - The gateway parameter is only used for IPv6 routes across *tap* devices, - and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or - ``--route-ipv6-gateway`` is used. + ``gateway`` + Only used for IPv6 routes across *tap* devices, + and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or + ``--route-ipv6-gateway`` is used. + + ``metric`` + default taken from ``--route-metric`` if set, otherwise :code:`0`. --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 8761826..7cef9db 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -118,7 +118,8 @@ print_in_addr_t(network, 0, &o->gc), print_in_addr_t(netmask, 0, &o->gc), NULL, - NULL); + NULL, + o->route_default_table_id); } static void diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7d4eb85..77747a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -1566,7 +1566,7 @@ { add_route_ipv6_to_option_list( options->routes_ipv6, string_alloc(opt_list[i], options->routes_ipv6->gc), - NULL, NULL ); + NULL, NULL, options->route_default_table_id); } } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3cf8c2a..7e26069 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -213,6 +213,10 @@ " pass --ifconfig parms by environment to scripts.\n" "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n" " connection doesn't match the remote side.\n" +#ifdef TARGET_LINUX + "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n" + " If not specified, the id of the default routing table will be used.\n" +#endif "--route network [netmask] [gateway] [metric] :\n" " Add route to routing table after connection\n" " is established. Multiple routes can be specified.\n" @@ -829,6 +833,7 @@ o->ce.mssfix = 0; o->ce.mssfix_default = true; o->ce.mssfix_encap = true; + o->route_default_table_id = 0; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1799,6 +1804,7 @@ SHOW_STR(route_script); SHOW_STR(route_default_gateway); SHOW_INT(route_default_metric); + SHOW_INT(route_default_table_id); SHOW_BOOL(route_noexec); SHOW_INT(route_delay); SHOW_INT(route_delay_window); @@ -7064,6 +7070,14 @@ cnol_check_alloc(options); add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel); } + else if (streq(p[0], "route-table") && p[1] && !p[2]) + { +#ifndef ENABLE_SITNL + msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in"); +#endif + VERIFY_PERMISSION(OPT_P_ROUTE_TABLE); + options->route_default_table_id = positive_atoi(p[1], msglevel); + } else if (streq(p[0], "route") && p[1] && !p[5]) { VERIFY_PERMISSION(OPT_P_ROUTE); 
@@ -7085,8 +7099,9 @@ msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]); goto err; } + /* p[4] is metric, if specified */ } - add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]); + add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], options->route_default_table_id); } else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) { @@ -7104,9 +7119,9 @@ msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]); goto err; } - /* p[3] is metric, if present */ + /* p[3] is metric, if specified */ } - add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]); + add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], options->route_default_table_id); } else if (streq(p[0], "max-routes") && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 46ec32b..56e85d7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -427,6 +427,7 @@ const char *route_predown_script; const char *route_default_gateway; const char *route_ipv6_default_gateway; + int route_default_table_id; int route_default_metric; bool route_noexec; int route_delay; @@ -758,6 +759,7 @@ #define OPT_P_PEER_ID (1<<28) #define OPT_P_INLINE (1<<29) #define OPT_P_PUSH_MTU (1<<30) +#define OPT_P_ROUTE_TABLE (1<<31) #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index bd79a28..156262a 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -330,13 +330,11 @@ r->option = ro; /* network */ - if (!is_route_parm_defined(ro->network)) { goto fail; } - /* get_special_addr replaces specialaddr with a special ip addr * like gw. getaddrinfo is called to convert a a addrinfo struct */ @@ -442,6 +440,9 @@ r->flags |= RT_DEFINED; + /* routing table id */ + r->table_id = ro->table_id; + return true; fail: @@ -498,6 +499,9 @@ r6->flags |= RT_DEFINED; + /* routing table id */ + r6->table_id = r6o->table_id; + return true; fail: 
@@ -511,7 +515,8 @@ const char *network, const char *netmask, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_option *ro; ALLOC_OBJ_GC(ro, struct route_option, l->gc); @@ -519,6 +524,7 @@ ro->netmask = netmask; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes; l->routes = ro; @@ -528,13 +534,15 @@ add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_ipv6_option *ro; ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc); ro->prefix = prefix; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes_ipv6; l->routes_ipv6 = ro; } @@ -1610,9 +1618,10 @@ metric = r->metric; } + status = RTA_SUCCESS; int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, iface, 0, metric); + &r->gateway, iface, r->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2007,7 +2016,7 @@ status = RTA_SUCCESS; int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL, - device, 0, metric); + device, r6->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2227,7 +2236,7 @@ } if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, NULL, 0, metric) < 0) + &r->gateway, NULL, r->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route delete command failed"); } @@ -2452,7 +2461,7 @@ } if (net_route_v6_del(ctx, &r6->network, r6->netbits, - gateway_needed ? &r6->gateway : NULL, device, 0, + gateway_needed ? &r6->gateway : NULL, device, r6->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route v6 delete command failed"); diff --git a/src/openvpn/route.h b/src/openvpn/route.h index aa3114c..237375c 100644 
--- a/src/openvpn/route.h +++ b/src/openvpn/route.h @@ -69,6 +69,7 @@ in_addr_t remote_host; int remote_host_local; /* TLA_x value */ struct route_bypass bypass; + int table_id; int default_metric; }; @@ -77,6 +78,7 @@ const char *network; const char *netmask; const char *gateway; + int table_id; const char *metric; }; @@ -101,6 +103,7 @@ const char *prefix; /* e.g. "2001:db8:1::/64" */ const char *gateway; /* e.g. "2001:db8:0::2" */ const char *metric; /* e.g. "5" */ + int table_id; }; struct route_ipv6_option_list { @@ -119,6 +122,7 @@ in_addr_t network; in_addr_t netmask; in_addr_t gateway; + int table_id; int metric; }; @@ -129,6 +133,7 @@ unsigned int netbits; struct in6_addr gateway; int metric; + int table_id; /* gateway interface */ #ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ @@ -290,12 +295,14 @@ const char *network, const char *netmask, const char *gateway, - const char *metric); + const char *metric, + int table_id); void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric); + const char *metric, + int table_id); bool init_route_list(struct route_list *rl, const struct route_option_list *opt, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Gerrit-Change-Number: 524 Gerrit-PatchSet: 10 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
From: Gert D. <ge...@gr...> - 2025-06-22 11:35:51
Thanks, Gianmarco for persisting, and apologies that it took so long.

This is one of the features that do not really cost us much to maintain, because (recent versions of the patch, at least ;-) ) this is very lightweight and very non-intrusive - SITNL always had the code to deal with table-IDs, we just lacked the config option and data structure members to pass our demands to it. Which this patch adds.

When not using "--route-table <id>" it changes nothing whatsoever (id is CLEAR()ed to "0", and "0" has been passed to SITNL since its introduction), so the risk of unintended side effects was very small. Tested the full t_server set nevertheless (and, as expected, no surprises there).

If using the option, it will put up routes configured / learned after --route-table <id> into, well, "routing table <id>". Order matters, so if you want some routes here and some routes there, just mix "route-table" and "route" statements. Example, adding to a --client command line

  ... --client --route-table 77 --route 10.195.0.0 255.255.0.0 --route-table

will result in

  2025-06-22 13:14:01 net_route_v4_add: 10.195.0.0/16 via 10.194.2.169 dev [NULL] table 77 metric -1
  2025-06-22 13:14:01 net_route_v4_add: 10.194.0.0/16 via 10.194.2.169 dev [NULL] table 78 metric -1
  2025-06-22 13:14:01 net_route_v4_add: 10.194.2.1/32 via 10.194.2.169 dev [NULL] table 78 metric -1
  2025-06-22 13:14:01 net_route_v6_add: fd00:abcd:194::/48 via :: dev tun8 table 78 metric -1

.. so the first route goes to 77, and all pushed routes go to 78, and "ip route show table <n>" confirms that.

Now, whether this is *useful* depends a lot on the local setup, whether VRFs and multiple routing tables are in use, and which goes where. This is a field where we could come up with some sort of "best practices" document for "when and why would you use OpenVPN with --bind-dev and --route-table, and how to set up and debug that"?
Also, at least FreeBSD can also do multiple routing tables, and backend code could be written :-) Your patch has been applied to the master branch. commit f93fc813ffa53d170f79222e76188a18f6819a54 Author: Gianmarco De Gregori Date: Sun Jun 22 13:03:05 2025 +0200 Route: add support for user defined routing table Signed-off-by: Gianmarco De Gregori <gia...@ma...> Acked-by: Gert Doering <ge...@gr...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31946.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
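The "order matters" behaviour in Gert's mail above (the table id applies to every route parsed after it, and pushed routes take the id in effect once the local config is done) is easy to get wrong in a real config, and a build without SITNL simply ignores the option. The following is an added example, not OpenVPN's code: it models that ordering rule for a config file, then checks OpenVPN's `net_route_v4_add` / `net_route_v6_add` log lines (format taken from the thread) against the expected placement, so that a route which ended up in the wrong table, or in table 0, is reported instead of silently changing what traffic leaves through the tunnel. Assumptions, labelled in the code: a pushed `route-table` line is ignored, since the diff on this page does not add OPT_P_ROUTE_TABLE to any pull permission mask; table 0 stands for the backend default (the main table); the config and log lines are constructed, modelled on Gert's test.

```python
"""Which routing table should each OpenVPN route land in, and did it?

Added example, not part of OpenVPN. Models the positional semantics of
--route-table described in this thread and checks SITNL log lines against them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteExpectation:
    prefix: str   # CIDR as SITNL logs it, e.g. "10.195.0.0/16" or "fd00:abcd:194::/48"
    table: int    # 0 == backend default, i.e. the main table (assumption)
    pushed: bool  # True when the route came from the server


def netmask_bits(netmask: str) -> int:
    """Dotted-quad netmask -> prefix length (255.255.0.0 -> 16)."""
    return sum(bin(int(octet)).count("1") for octet in netmask.split("."))


def route_prefix(tokens):
    """'route network [netmask] [gateway] [metric]'; netmask defaults to a host route."""
    netmask = tokens[2] if len(tokens) > 2 else "255.255.255.255"
    return f"{tokens[1]}/{netmask_bits(netmask)}"


def expected_tables(local_config, pushed_options=()):
    """Walk the local config in order, tracking the table id currently in effect.

    Pushed routes get the id that is in effect after the whole local config has
    been parsed. A pushed 'route-table' is ignored (assumption: not pushable).
    """
    table = 0
    expected = []
    for line in local_config:
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "route-table":
            table = int(tokens[1])
        elif tokens[0] == "route":
            expected.append(RouteExpectation(route_prefix(tokens), table, False))
        elif tokens[0] == "route-ipv6":
            expected.append(RouteExpectation(tokens[1], table, False))
    for line in pushed_options:
        tokens = line.split()
        if tokens and tokens[0] == "route":
            expected.append(RouteExpectation(route_prefix(tokens), table, True))
        elif tokens and tokens[0] == "route-ipv6":
            expected.append(RouteExpectation(tokens[1], table, True))
    return expected


# Shape of the SITNL route-add lines quoted in this thread.
LOG_RE = re.compile(r"net_route_v[46]_add: (\S+) via \S+ dev \S+ table (\d+) metric")


def observed_tables(log_lines):
    """prefix -> table id, taken from net_route_v{4,6}_add log lines."""
    observed = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            observed[m.group(1)] = int(m.group(2))
    return observed


def check_placement(expected, observed):
    """List every route that was not installed, or landed in a different table."""
    problems = []
    for e in expected:
        got = observed.get(e.prefix)
        origin = "pushed" if e.pushed else "local"
        if got is None:
            problems.append(f"{e.prefix} ({origin}): no route-add logged")
        elif got != e.table:
            problems.append(f"{e.prefix} ({origin}): expected table {e.table}, got {got}")
    return problems


# Constructed inputs, modelled on Gert's test run in this thread.
LOCAL_CONFIG = ["client", "route-table 77", "route 10.195.0.0 255.255.0.0", "route-table 78"]
PUSHED = ["route 10.194.0.0 255.255.0.0", "route 10.194.2.1", "route-ipv6 fd00:abcd:194::/48"]
GOOD_LOG = [
    "2025-06-22 13:14:01 net_route_v4_add: 10.195.0.0/16 via 10.194.2.169 dev [NULL] table 77 metric -1",
    "2025-06-22 13:14:01 net_route_v4_add: 10.194.0.0/16 via 10.194.2.169 dev [NULL] table 78 metric -1",
    "2025-06-22 13:14:01 net_route_v4_add: 10.194.2.1/32 via 10.194.2.169 dev [NULL] table 78 metric -1",
    "2025-06-22 13:14:01 net_route_v6_add: fd00:abcd:194::/48 via :: dev tun8 table 78 metric -1",
]
# Constructed: the same run if the table id were lost and everything went to table 0.
LEAKY_LOG = [l.replace("table 77", "table 0").replace("table 78", "table 0") for l in GOOD_LOG]

if __name__ == "__main__":
    exp = expected_tables(LOCAL_CONFIG, PUSHED)
    print("good run:", check_placement(exp, observed_tables(GOOD_LOG)) or "all routes in configured tables")
    for problem in check_placement(exp, observed_tables(LEAKY_LOG)):
        print("leaky run:", problem)
```

Run it against the OpenVPN log of a live connection (and compare with `ip route show table <n>`) after any config change that moves `route-table` lines around; the check reports per-route discrepancies rather than a single pass/fail, so a partly migrated config is visible.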
From: Gert D. <ge...@gr...> - 2025-06-22 11:03:24
From: Gianmarco De Gregori <gia...@ma...>

Add the ability for users to specify a custom routing table where routes should be installed in. As of now routes are always installed in the main routing table of the operating system, however, with the new --route-table option it is possible to specify the ID of the default routing table to be used by --route(-ipv6).

Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends.

Trac #1399

Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Signed-off-by: Gianmarco De Gregori <gia...@ma...>
Acked-by: Gert Doering <ge...@gr...>
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/524
This mail reflects revision 9 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <ge...@gr...>

diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 40b8c19..4a64e8d 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -389,6 +389,14 @@ Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in 
@@ -463,14 +471,20 @@ Setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's *tun*. - Valid syntax: + Valid syntaxes: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits + route-ipv6 ipv6addr/bits gateway + route-ipv6 ipv6addr/bits gateway metric - The gateway parameter is only used for IPv6 routes across *tap* devices, - and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or - ``--route-ipv6-gateway`` is used. + ``gateway`` + Only used for IPv6 routes across *tap* devices, + and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or + ``--route-ipv6-gateway`` is used. + + ``metric`` + default taken from ``--route-metric`` if set, otherwise :code:`0`. --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 8761826..7cef9db 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -118,7 +118,8 @@ print_in_addr_t(network, 0, &o->gc), print_in_addr_t(netmask, 0, &o->gc), NULL, - NULL); + NULL, + o->route_default_table_id); } static void diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7d4eb85..77747a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1566,7 +1566,7 @@ { add_route_ipv6_to_option_list( options->routes_ipv6, string_alloc(opt_list[i], options->routes_ipv6->gc), - NULL, NULL ); + NULL, NULL, options->route_default_table_id); } } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3cf8c2a..7e26069 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -213,6 +213,10 @@ " pass --ifconfig parms by environment to scripts.\n" "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n" " connection doesn't match the remote side.\n" +#ifdef TARGET_LINUX + "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n" + " If not specified, the id of the default routing table will be used.\n" +#endif "--route network [netmask] [gateway] [metric] :\n" " Add route to routing table after connection\n" " is established. Multiple routes can be specified.\n" @@ -829,6 +833,7 @@ o->ce.mssfix = 0; o->ce.mssfix_default = true; o->ce.mssfix_encap = true; + o->route_default_table_id = 0; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1799,6 +1804,7 @@ SHOW_STR(route_script); SHOW_STR(route_default_gateway); SHOW_INT(route_default_metric); + SHOW_INT(route_default_table_id); SHOW_BOOL(route_noexec); SHOW_INT(route_delay); SHOW_INT(route_delay_window); @@ -7064,6 +7070,14 @@ cnol_check_alloc(options); add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel); } + else if (streq(p[0], "route-table") && p[1] && !p[2]) + { +#ifndef ENABLE_SITNL + msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in"); +#endif + VERIFY_PERMISSION(OPT_P_ROUTE_TABLE); + options->route_default_table_id = positive_atoi(p[1], msglevel); + } else if (streq(p[0], "route") && p[1] && !p[5]) { VERIFY_PERMISSION(OPT_P_ROUTE); @@ -7085,8 +7099,9 @@ msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]); goto err; } + /* p[4] is metric, if specified */ } - add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]); + add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], options->route_default_table_id); } else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) { 
@@ -7104,9 +7119,9 @@ msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]); goto err; } - /* p[3] is metric, if present */ + /* p[3] is metric, if specified */ } - add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]); + add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], options->route_default_table_id); } else if (streq(p[0], "max-routes") && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 46ec32b..56e85d7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -427,6 +427,7 @@ const char *route_predown_script; const char *route_default_gateway; const char *route_ipv6_default_gateway; + int route_default_table_id; int route_default_metric; bool route_noexec; int route_delay; @@ -758,6 +759,7 @@ #define OPT_P_PEER_ID (1<<28) #define OPT_P_INLINE (1<<29) #define OPT_P_PUSH_MTU (1<<30) +#define OPT_P_ROUTE_TABLE (1<<31) #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index bd79a28..156262a 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -330,13 +330,11 @@ r->option = ro; /* network */ - if (!is_route_parm_defined(ro->network)) { goto fail; } - /* get_special_addr replaces specialaddr with a special ip addr * like gw. getaddrinfo is called to convert a a addrinfo struct */ @@ -442,6 +440,9 @@ r->flags |= RT_DEFINED; + /* routing table id */ + r->table_id = ro->table_id; + return true; fail: @@ -498,6 +499,9 @@ r6->flags |= RT_DEFINED; + /* routing table id */ + r6->table_id = r6o->table_id; + return true; fail: @@ -511,7 +515,8 @@ const char *network, const char *netmask, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_option *ro; ALLOC_OBJ_GC(ro, struct route_option, l->gc); @@ -519,6 +524,7 @@ ro->netmask = netmask; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes; l->routes = ro; 
@@ -528,13 +534,15 @@ add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_ipv6_option *ro; ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc); ro->prefix = prefix; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes_ipv6; l->routes_ipv6 = ro; } @@ -1610,9 +1618,10 @@ metric = r->metric; } + status = RTA_SUCCESS; int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, iface, 0, metric); + &r->gateway, iface, r->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2007,7 +2016,7 @@ status = RTA_SUCCESS; int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL, - device, 0, metric); + device, r6->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2227,7 +2236,7 @@ } if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, NULL, 0, metric) < 0) + &r->gateway, NULL, r->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route delete command failed"); } @@ -2452,7 +2461,7 @@ } if (net_route_v6_del(ctx, &r6->network, r6->netbits, - gateway_needed ? &r6->gateway : NULL, device, 0, + gateway_needed ? &r6->gateway : NULL, device, r6->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route v6 delete command failed"); diff --git a/src/openvpn/route.h b/src/openvpn/route.h index aa3114c..237375c 100644 --- a/src/openvpn/route.h +++ b/src/openvpn/route.h @@ -69,6 +69,7 @@ in_addr_t remote_host; int remote_host_local; /* TLA_x value */ struct route_bypass bypass; + int table_id; int default_metric; }; @@ -77,6 +78,7 @@ const char *network; const char *netmask; const char *gateway; + int table_id; const char *metric; }; 
@@ -101,6 +103,7 @@ const char *prefix; /* e.g. "2001:db8:1::/64" */ const char *gateway; /* e.g. "2001:db8:0::2" */ const char *metric; /* e.g. "5" */ + int table_id; }; struct route_ipv6_option_list { @@ -119,6 +122,7 @@ in_addr_t network; in_addr_t netmask; in_addr_t gateway; + int table_id; int metric; }; @@ -129,6 +133,7 @@ unsigned int netbits; struct in6_addr gateway; int metric; + int table_id; /* gateway interface */ #ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ @@ -290,12 +295,14 @@ const char *network, const char *netmask, const char *gateway, - const char *metric); + const char *metric, + int table_id); void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric); + const char *metric, + int table_id); bool init_route_list(struct route_list *rl, const struct route_option_list *opt, |
From: cron2 (C. Review) <ge...@op...> - 2025-06-22 11:03:06
Attention is currently required from: flichtenheld, its_Giaan, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

Change subject: Route: add support for user defined routing table
......................................................................

Patch Set 9:

(1 comment)

Patchset:

PS9:
Tested this on gentoo, with

```
... --client --route-table 77 --route 10.195.0.0 255.255.0.0 --route-table 78
```

which does what I expected - 10.195.0.0/16 shows up in table 77, and all pushed routes show up in table 78

```
2025-06-22 13:00:15 net_route_v4_del: 10.195.0.0/16 via 10.194.2.169 dev [NULL] table 77 metric -1
2025-06-22 13:00:15 net_route_v4_del: 10.194.0.0/16 via 10.194.2.169 dev [NULL] table 78 metric -1
2025-06-22 13:00:15 net_route_v4_del: 10.194.2.1/32 via 10.194.2.169 dev [NULL] table 78 metric -1
```

(and "ip route list table 77 / 78" confirms that).

It claims to do the right thing for IPv6

```
2025-06-22 13:00:15 net_route_v6_del: fd00:abcd:194::/48 via :: dev tun8 table 78 metric -1
```

but `ip route -6 list` shows no table (but the same holds for ipv6 routes added via `ip route add -6 ... table 78` so this looks more like a linux weirdness than an OpenVPN/SITNL issue to me).
-- To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Gerrit-Change-Number: 524 Gerrit-PatchSet: 9 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: its_Giaan <gia...@ma...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Sun, 22 Jun 2025 11:02:51 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment |
From: cron2 (C. Review) <ge...@op...> - 2025-06-22 11:00:52
Attention is currently required from: flichtenheld, its_Giaan, plaisthos. cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email ) Change subject: Route: add support for user defined routing table ...................................................................... Patch Set 9: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Gerrit-Change-Number: 524 Gerrit-PatchSet: 9 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: its_Giaan <gia...@ma...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Sun, 22 Jun 2025 11:00:37 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: cron2 (C. Review) <ge...@op...> - 2025-06-21 12:30:52
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1062?usp=email ) Change subject: dns: add updown script for macOS ...................................................................... dns: add updown script for macOS Change-Id: Iade06a8454ccf53668deef61f07217ead8ec6c63 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31942.html Signed-off-by: Gert Doering <ge...@gr...> --- M configure.ac M distro/dns-scripts/Makefile.am A distro/dns-scripts/macos-dns-updown.sh 3 files changed, 219 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 8bdec32..02b45f8 100644 --- a/configure.ac +++ b/configure.ac @@ -364,8 +364,7 @@ *-*-darwin*) AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix]) - AM_CONDITIONAL([ENABLE_DNS_UPDOWN], [false]) - AC_SUBST([DNS_UPDOWN_TYPE], ["resolvconf_file"]) + AC_SUBST([DNS_UPDOWN_TYPE], ["macos"]) have_tap_header="yes" ac_cv_type_struct_in_pktinfo=no ;; diff --git a/distro/dns-scripts/Makefile.am b/distro/dns-scripts/Makefile.am index 9fcd3f7..e3f9043 100644 --- a/distro/dns-scripts/Makefile.am +++ b/distro/dns-scripts/Makefile.am @@ -12,6 +12,7 @@ $(srcdir)/Makefile.in EXTRA_DIST = \ + macos-dns-updown.sh \ systemd-dns-updown.sh \ openresolv-dns-updown.sh \ haikuos_file-dns-updown.sh \ diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh new file mode 100644 index 0000000..89d6882 --- /dev/null +++ b/distro/dns-scripts/macos-dns-updown.sh 
@@ -0,0 +1,217 @@ +#!/bin/bash +# +# dns-updown - add/remove openvpn provided DNS information +# +# (C) Copyright 2025 OpenVPN Inc <sa...@op...> +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Example env from openvpn (most are not applied): +# +# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp +# +# or +# +# dev utun0 +# script_type dns-up +# dns_search_domain_1 mycorp.in +# dns_search_domain_2 eu.mycorp.com +# dns_server_1_address_1 192.168.99.254 +# dns_server_1_address_2 fd00::99:53 +# dns_server_1_port_2 53 +# dns_server_1_resolve_domain_1 mycorp.in +# dns_server_1_resolve_domain_2 eu.mycorp.com +# dns_server_1_dnssec true +# dns_server_1_transport DoH +# dns_server_1_sni dns.mycorp.in +# + +[ -z "${dns_vars_file}" ] || . "${dns_vars_file}" + +itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" +dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" + +function primary_dns_key { + local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) + echo "Setup:/Network/Service/${uuid}/DNS" +} + +function only_standard_server_ports { + local i=1 + while :; do + local addr_var=dns_server_${n}_address_${i} + [ -n "${!addr_var}" ] || return 0 + + local port_var=dns_server_${n}_port_${i} + [ -z "${!port_var}" -o "${!port_var}" = "53" ] || return 1 + + i=$((i+1)) + done +} + +function find_compat_profile { + local n=1 + while :; do + local addr_var=dns_server_${n}_address_1 + [ -n "${!addr_var}" ] || { + echo "setting DNS failed, no compatible server profile" + exit 1 + } + + # Skip server profiles which require DNSSEC, + # secure transport or use a custom port + local dnssec_var=dns_server_${n}_dnssec + local transport_var=dns_server_${n}_transport + [ -z "${!transport_var}" -o "${!transport_var}" = "plain" ] \ + && [ -z "${!dnssec_var}" -o "${!dnssec_var}" = "no" ] \ + && only_standard_server_ports && break + + n=$((n+1)) + done + return $n +} + +function get_search_domains { + 
local search_domains="" + local resolver=0 + /usr/sbin/scutil --dns | while read line; do + if [[ "$line" =~ resolver.# ]]; then + resolver=$((resolver+1)) + elif [ "$resolver" = 1 ] && [[ "$line" =~ search.domain ]]; then + search_domains+="$(echo $line | cut -d: -f2 | xargs) " + elif [ "$resolver" -gt 1 ]; then + echo "$search_domains" + break + fi + done +} + +function set_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="${1}$(get_search_domains)" + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function unset_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="$(get_search_domains)" + search_domains=$(echo $search_domains | sed -e "s/$1//") + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function set_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local addrs="" + while :; do + local addr_var=dns_server_${n}_address_${i} + local addr="${!addr_var}" + [ -n "$addr" ] || break + + local port_var=dns_server_${n}_port_${i} + if [ -n "${!port_var}" ]; then + if [[ "$addr" =~ : ]]; then + addr="[$addr]" + fi + addrs+="${addr}:${!port_var}${sni} " + else + addrs+="${addr}${sni} " + fi + i=$((i+1)) + done + + i=1 + local match_domains="" + while :; do + domain_var=dns_server_${n}_resolve_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as match domain, if it doesn't already exist + [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ + || match_domains+="${!domain_var} " + i=$((i+1)) + done + + i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + if [ -n "$match_domains" ]; then + local cmds="" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SupplementalMatchDomains * ${match_domains}\n" + cmds+="d.add SupplementalMatchDomainsNoSearch # 1\n" + cmds+="add ${itf_dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + set_search_domains "$search_domains" + else + local cmds="" + cmds+="get $(primary_dns_key)\n" + cmds+="set ${dns_backup_key}\n" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="d.add SearchOrder # 5000\n" + cmds+="set $(primary_dns_key)\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +function unset_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + domain_var=dns_server_${n}_resolve_domain_1 + if [ -n "${!domain_var}" ]; then + echo "remove ${itf_dns_key}" | /usr/sbin/scutil + unset_search_domains "$search_domains" + else + local cmds="" + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + cmds+="remove ${dns_backup_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +if [ "$script_type" = "dns-up" ]; then + set_dns +else + unset_dns +fi -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1062?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Iade06a8454ccf53668deef61f07217ead8ec6c63 Gerrit-Change-Number: 1062 Gerrit-PatchSet: 4 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
From: cron2 (C. Review) <ge...@op...> - 2025-06-21 12:30:51
cron2 has uploaded a new patch set (#4) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1062?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: dns: add updown script for macOS ...................................................................... dns: add updown script for macOS Change-Id: Iade06a8454ccf53668deef61f07217ead8ec6c63 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31942.html Signed-off-by: Gert Doering <ge...@gr...> --- M configure.ac M distro/dns-scripts/Makefile.am A distro/dns-scripts/macos-dns-updown.sh 3 files changed, 219 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/62/1062/4 diff --git a/configure.ac b/configure.ac index 8bdec32..02b45f8 100644 --- a/configure.ac +++ b/configure.ac @@ -364,8 +364,7 @@ *-*-darwin*) AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix]) - AM_CONDITIONAL([ENABLE_DNS_UPDOWN], [false]) - AC_SUBST([DNS_UPDOWN_TYPE], ["resolvconf_file"]) + AC_SUBST([DNS_UPDOWN_TYPE], ["macos"]) have_tap_header="yes" ac_cv_type_struct_in_pktinfo=no ;; diff --git a/distro/dns-scripts/Makefile.am b/distro/dns-scripts/Makefile.am index 9fcd3f7..e3f9043 100644 --- a/distro/dns-scripts/Makefile.am +++ b/distro/dns-scripts/Makefile.am @@ -12,6 +12,7 @@ $(srcdir)/Makefile.in EXTRA_DIST = \ + macos-dns-updown.sh \ systemd-dns-updown.sh \ openresolv-dns-updown.sh \ haikuos_file-dns-updown.sh \ diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh new file mode 100644 index 0000000..89d6882 --- /dev/null +++ b/distro/dns-scripts/macos-dns-updown.sh 
@@ -0,0 +1,217 @@ +#!/bin/bash +# +# dns-updown - add/remove openvpn provided DNS information +# +# (C) Copyright 2025 OpenVPN Inc <sa...@op...> +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Example env from openvpn (most are not applied): +# +# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp +# +# or +# +# dev utun0 +# script_type dns-up +# dns_search_domain_1 mycorp.in +# dns_search_domain_2 eu.mycorp.com +# dns_server_1_address_1 192.168.99.254 +# dns_server_1_address_2 fd00::99:53 +# dns_server_1_port_2 53 +# dns_server_1_resolve_domain_1 mycorp.in +# dns_server_1_resolve_domain_2 eu.mycorp.com +# dns_server_1_dnssec true +# dns_server_1_transport DoH +# dns_server_1_sni dns.mycorp.in +# + +[ -z "${dns_vars_file}" ] || . "${dns_vars_file}" + +itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" +dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" + +function primary_dns_key { + local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) + echo "Setup:/Network/Service/${uuid}/DNS" +} + +function only_standard_server_ports { + local i=1 + while :; do + local addr_var=dns_server_${n}_address_${i} + [ -n "${!addr_var}" ] || return 0 + + local port_var=dns_server_${n}_port_${i} + [ -z "${!port_var}" -o "${!port_var}" = "53" ] || return 1 + + i=$((i+1)) + done +} + +function find_compat_profile { + local n=1 + while :; do + local addr_var=dns_server_${n}_address_1 + [ -n "${!addr_var}" ] || { + echo "setting DNS failed, no compatible server profile" + exit 1 + } + + # Skip server profiles which require DNSSEC, + # secure transport or use a custom port + local dnssec_var=dns_server_${n}_dnssec + local transport_var=dns_server_${n}_transport + [ -z "${!transport_var}" -o "${!transport_var}" = "plain" ] \ + && [ -z "${!dnssec_var}" -o "${!dnssec_var}" = "no" ] \ + && only_standard_server_ports && break + + n=$((n+1)) + done + return $n +} + +function get_search_domains { + 
local search_domains="" + local resolver=0 + /usr/sbin/scutil --dns | while read line; do + if [[ "$line" =~ resolver.# ]]; then + resolver=$((resolver+1)) + elif [ "$resolver" = 1 ] && [[ "$line" =~ search.domain ]]; then + search_domains+="$(echo $line | cut -d: -f2 | xargs) " + elif [ "$resolver" -gt 1 ]; then + echo "$search_domains" + break + fi + done +} + +function set_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="${1}$(get_search_domains)" + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function unset_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="$(get_search_domains)" + search_domains=$(echo $search_domains | sed -e "s/$1//") + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function set_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local addrs="" + while :; do + local addr_var=dns_server_${n}_address_${i} + local addr="${!addr_var}" + [ -n "$addr" ] || break + + local port_var=dns_server_${n}_port_${i} + if [ -n "${!port_var}" ]; then + if [[ "$addr" =~ : ]]; then + addr="[$addr]" + fi + addrs+="${addr}:${!port_var}${sni} " + else + addrs+="${addr}${sni} " + fi + i=$((i+1)) + done + + i=1 + local match_domains="" + while :; do + domain_var=dns_server_${n}_resolve_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as match domain, if it doesn't already exist + [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ + || match_domains+="${!domain_var} " + i=$((i+1)) + done + + i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + if [ -n "$match_domains" ]; then + local cmds="" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SupplementalMatchDomains * ${match_domains}\n" + cmds+="d.add SupplementalMatchDomainsNoSearch # 1\n" + cmds+="add ${itf_dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + set_search_domains "$search_domains" + else + local cmds="" + cmds+="get $(primary_dns_key)\n" + cmds+="set ${dns_backup_key}\n" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="d.add SearchOrder # 5000\n" + cmds+="set $(primary_dns_key)\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +function unset_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + domain_var=dns_server_${n}_resolve_domain_1 + if [ -n "${!domain_var}" ]; then + echo "remove ${itf_dns_key}" | /usr/sbin/scutil + unset_search_domains "$search_domains" + else + local cmds="" + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + cmds+="remove ${dns_backup_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +if [ "$script_type" = "dns-up" ]; then + set_dns +else + unset_dns +fi -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1062?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Iade06a8454ccf53668deef61f07217ead8ec6c63 Gerrit-Change-Number: 1062 Gerrit-PatchSet: 4 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
From: Gert D. <ge...@gr...> - 2025-06-21 12:30:37
I have not tested this myself, just stared a bit at the code if there are surprises lurking ("unquoted eval" and such). Arne has tested "all DNS via VPN" (was broken in v2) and "split DNS" and both work.

So here we go, more test reports welcome.

Your patch has been applied to the master branch.

commit a4db3c6e22fd48b83cc38a644762e33e0894b69b
Author: Heiko Hund
Date: Sat Jun 21 14:12:54 2025 +0200

dns: add updown script for macOS

Signed-off-by: Heiko Hund <he...@is...>
Acked-by: Arne Schwabe <arn...@rf...>
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg31942.html
Signed-off-by: Gert Doering <ge...@gr...>

--
kind regards,

Gert Doering
From: Gert D. <ge...@gr...> - 2025-06-21 12:13:15
From: Heiko Hund <he...@is...> Change-Id: Iade06a8454ccf53668deef61f07217ead8ec6c63 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1062 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <arn...@rf...> diff --git a/configure.ac b/configure.ac index 8bdec32..02b45f8 100644 --- a/configure.ac +++ b/configure.ac @@ -364,8 +364,7 @@ *-*-darwin*) AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix]) - AM_CONDITIONAL([ENABLE_DNS_UPDOWN], [false]) - AC_SUBST([DNS_UPDOWN_TYPE], ["resolvconf_file"]) + AC_SUBST([DNS_UPDOWN_TYPE], ["macos"]) have_tap_header="yes" ac_cv_type_struct_in_pktinfo=no ;; diff --git a/distro/dns-scripts/Makefile.am b/distro/dns-scripts/Makefile.am index 9fcd3f7..e3f9043 100644 --- a/distro/dns-scripts/Makefile.am +++ b/distro/dns-scripts/Makefile.am @@ -12,6 +12,7 @@ $(srcdir)/Makefile.in EXTRA_DIST = \ + macos-dns-updown.sh \ systemd-dns-updown.sh \ openresolv-dns-updown.sh \ haikuos_file-dns-updown.sh \ diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh new file mode 100644 index 0000000..89d6882 --- /dev/null +++ b/distro/dns-scripts/macos-dns-updown.sh 
@@ -0,0 +1,217 @@ +#!/bin/bash +# +# dns-updown - add/remove openvpn provided DNS information +# +# (C) Copyright 2025 OpenVPN Inc <sa...@op...> +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Example env from openvpn (most are not applied): +# +# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp +# +# or +# +# dev utun0 +# script_type dns-up +# dns_search_domain_1 mycorp.in +# dns_search_domain_2 eu.mycorp.com +# dns_server_1_address_1 192.168.99.254 +# dns_server_1_address_2 fd00::99:53 +# dns_server_1_port_2 53 +# dns_server_1_resolve_domain_1 mycorp.in +# dns_server_1_resolve_domain_2 eu.mycorp.com +# dns_server_1_dnssec true +# dns_server_1_transport DoH +# dns_server_1_sni dns.mycorp.in +# + +[ -z "${dns_vars_file}" ] || . "${dns_vars_file}" + +itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" +dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" + +function primary_dns_key { + local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) + echo "Setup:/Network/Service/${uuid}/DNS" +} + +function only_standard_server_ports { + local i=1 + while :; do + local addr_var=dns_server_${n}_address_${i} + [ -n "${!addr_var}" ] || return 0 + + local port_var=dns_server_${n}_port_${i} + [ -z "${!port_var}" -o "${!port_var}" = "53" ] || return 1 + + i=$((i+1)) + done +} + +function find_compat_profile { + local n=1 + while :; do + local addr_var=dns_server_${n}_address_1 + [ -n "${!addr_var}" ] || { + echo "setting DNS failed, no compatible server profile" + exit 1 + } + + # Skip server profiles which require DNSSEC, + # secure transport or use a custom port + local dnssec_var=dns_server_${n}_dnssec + local transport_var=dns_server_${n}_transport + [ -z "${!transport_var}" -o "${!transport_var}" = "plain" ] \ + && [ -z "${!dnssec_var}" -o "${!dnssec_var}" = "no" ] \ + && only_standard_server_ports && break + + n=$((n+1)) + done + return $n +} + +function get_search_domains { + 
local search_domains="" + local resolver=0 + /usr/sbin/scutil --dns | while read line; do + if [[ "$line" =~ resolver.# ]]; then + resolver=$((resolver+1)) + elif [ "$resolver" = 1 ] && [[ "$line" =~ search.domain ]]; then + search_domains+="$(echo $line | cut -d: -f2 | xargs) " + elif [ "$resolver" -gt 1 ]; then + echo "$search_domains" + break + fi + done +} + +function set_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="${1}$(get_search_domains)" + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function unset_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="$(get_search_domains)" + search_domains=$(echo $search_domains | sed -e "s/$1//") + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function set_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local addrs="" + while :; do + local addr_var=dns_server_${n}_address_${i} + local addr="${!addr_var}" + [ -n "$addr" ] || break + + local port_var=dns_server_${n}_port_${i} + if [ -n "${!port_var}" ]; then + if [[ "$addr" =~ : ]]; then + addr="[$addr]" + fi + addrs+="${addr}:${!port_var}${sni} " + else + addrs+="${addr}${sni} " + fi + i=$((i+1)) + done + + i=1 + local match_domains="" + while :; do + domain_var=dns_server_${n}_resolve_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as match domain, if it doesn't already exist + [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ + || match_domains+="${!domain_var} " + i=$((i+1)) + done + + i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + if [ -n "$match_domains" ]; then + local cmds="" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SupplementalMatchDomains * ${match_domains}\n" + cmds+="d.add SupplementalMatchDomainsNoSearch # 1\n" + cmds+="add ${itf_dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + set_search_domains "$search_domains" + else + local cmds="" + cmds+="get $(primary_dns_key)\n" + cmds+="set ${dns_backup_key}\n" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="d.add SearchOrder # 5000\n" + cmds+="set $(primary_dns_key)\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +function unset_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + domain_var=dns_server_${n}_resolve_domain_1 + if [ -n "${!domain_var}" ]; then + echo "remove ${itf_dns_key}" | /usr/sbin/scutil + unset_search_domains "$search_domains" + else + local cmds="" + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + cmds+="remove ${dns_backup_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +if [ "$script_type" = "dns-up" ]; then + set_dns +else + unset_dns +fi |
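Review bot: in macos-dns-updown.sh, the example environment in the header comment says `dns_server_1_dnssec true`, but `find_compat_profile` accepts a profile only when `[ -z "${!dnssec_var}" -o "${!dnssec_var}" = "no" ]`; the documented value and the value the check compares against should agree, and a profile whose DNSSEC setting is "optional" does not *require* DNSSEC, so rejecting it is stricter than the comment "Skip server profiles which require DNSSEC" says. In the same region, `only_standard_server_ports` reads `$n` from the caller's `local n` through bash's dynamic scoping; pass the profile index as `$1` so the helper does not depend on its caller's variable names. Returning the index through the exit status (`return $n`) also means callers cannot tell a profile number from a failure code, and the `exit 1` inside the helper terminates `unset_dns` before it gets to clean anything up.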
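Review bot: the non-split branch of `set_dns` overwrites the persistent `Setup:/Network/Service/<uuid>/DNS` dictionary after saving the original only under a `State:` key (`get $(primary_dns_key)` / `set ${dns_backup_key}`); `State:` entries live in configd memory and do not survive a reboot, so if the dns-down hook never runs (openvpn killed, host rebooted) the user's saved resolver settings stay replaced by the VPN's servers with no backup left to restore. Consider writing the override into `State:` rather than `Setup:`, or keeping the backup somewhere persistent, and document the failure mode in the header. Related points in the same functions: `unset_dns` calls `primary_dns_key` again, so if the primary service changed while the tunnel was up the backup is restored onto a different service's DNS entry; `${sni}` in the address loop is never assigned anywhere in the script; because `find_compat_profile` only accepts an empty port or 53, the `[addr]:port` formatting branch is effectively dead; and the exit status of every `... | /usr/sbin/scutil` pipeline is ignored, so a failed `set` or `add` goes unnoticed by openvpn.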
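Review bot: `get_search_domains` only emits its result in the `elif [ "$resolver" -gt 1 ]` branch, i.e. once a second `resolver #` line is seen; on a host whose `scutil --dns` output lists a single resolver the loop ends without echoing anything, and `set_search_domains` then writes only the VPN's domains into `SearchDomains`, silently dropping the existing ones. Because the loop runs in a pipe subshell, echoing after `done` would not see the variable either; feed the loop with `done < <(/usr/sbin/scutil --dns)` and echo after it, and use `IFS= read -r line`. In `unset_search_domains`, `$1` goes unescaped into `sed -e "s/$1//"`, where each `.` matches any character and the removal only works while the VPN domains are still a contiguous prefix of the current list; a loop that drops each domain individually would be more robust. Minor: `dns_key`, `search_domains` and `domain_var` are assigned without `local`, and `[ ... -o ... ]` is obsolescent in POSIX `test`; `[[ ... || ... ]]` is the bash idiom.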
From: plaisthos (C. Review) <ge...@op...> - 2025-06-21 11:06:08
Attention is currently required from: d12fk, flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1062?usp=email ) Change subject: dns: add updown script for macOS ...................................................................... Patch Set 3: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1062?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Iade06a8454ccf53668deef61f07217ead8ec6c63 Gerrit-Change-Number: 1062 Gerrit-PatchSet: 3 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Sat, 21 Jun 2025 11:05:54 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: Yuriy D. <yur...@op...> - 2025-06-20 19:10:15
The OpenVPN community project team is proud to release OpenVPN 2.7_alpha2. This is the second Alpha release for the feature release 2.7.0. As the Alpha name implies this is an early release build, this is not intended for production use.

This release includes a security fix for CVE-2025-50054.

Highlights of this release include:

* Multi-socket support for servers -- Handle multiple addresses/ports/protocols within one server
* Improved Client support for DNS options
  * Client implementations for Linux/BSD, included with the default install
  * New client implementation for Windows, adding support for features like split DNS and DNSSEC
* Architectural improvements on Windows
  * The block-local flag is now enforced with WFP filters
  * Windows network adapters are now generated on demand
  * Windows automatic service now runs as an unprivileged user
  * Support for server mode in win-dco driver

  Note: Support for the wintun driver has been removed. win-dco is now the default, tap-windows6 is the fallback solution for use-cases not covered by win-dco.
* Improved data channel
  * Enforcement of AES-GCM usage limit
  * Epoch data keys and packet format
* Support for new upstream DCO Linux kernel module
  * This release supports the new ovpn DCO Linux kernel module which will be available in future upstream Linux kernel releases. Backports of the new module to current kernels are available via the ovpn-backports project.
* TLS 1.3 support with bleeding-edge mbedTLS versions

More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>

Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>

Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>

Kind regards,
Yuriy Darnobyt
From: its_Giaan (C. Review) <ge...@op...> - 2025-06-19 16:04:51
Attention is currently required from: cron2, flichtenheld, plaisthos.

its_Giaan has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

Change subject: Route: add support for user defined routing table
......................................................................

Patch Set 9:

(2 comments)

File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/4a43f18d_49c13bde :
PS8, Line 7020: options->route_default_table_id = positive_atoi(p[1]);
> Unfortunately, `positive_atoi()` now wants 2 arguments... (`msglevel`). […]
Done

File src/openvpn/route.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/c62432ad_b77f46d7 :
PS8, Line 332: /* network */
> spurious blank line removal... […]
Done

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Gerrit-Change-Number: 524
Gerrit-PatchSet: 9
Gerrit-Owner: its_Giaan <gia...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Thu, 19 Jun 2025 16:04:36 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 <ge...@gr...>
Gerrit-MessageType: comment
From: its_Giaan (C. Review) <ge...@op...> - 2025-06-19 16:04:07
Attention is currently required from: cron2, flichtenheld, its_Giaan, plaisthos. Hello cron2, flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email to look at the new patch set (#9). The following approvals got outdated and were removed: Code-Review-1 by cron2 Change subject: Route: add support for user defined routing table ...................................................................... Route: add support for user defined routing table Add the ability for users to specify a custom routing table where routes should be installed in. As of now routes are always installed in the main routing table of the operating system, however, with the new --route-table option it is possibile to specify the ID of the default routing table to be used by --route(-ipv6). Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Trac #1399 Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Signed-off-by: Gianmarco De Gregori <gia...@ma...> --- M doc/man-sections/vpn-network-options.rst M src/openvpn/helper.c M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/route.c M src/openvpn/route.h 7 files changed, 68 insertions(+), 20 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/24/524/9 diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 40b8c19..4a64e8d 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -389,6 +389,14 @@ Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in @@ -463,14 +471,20 @@ Setup IPv6 routing in the system to send the specified IPv6 network into OpenVPN's *tun*. - Valid syntax: + Valid syntaxes: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits + route-ipv6 ipv6addr/bits gateway + route-ipv6 ipv6addr/bits gateway metric - The gateway parameter is only used for IPv6 routes across *tap* devices, - and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or - ``--route-ipv6-gateway`` is used. + ``gateway`` + Only used for IPv6 routes across *tap* devices, + and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or + ``--route-ipv6-gateway`` is used. + + ``metric`` + default taken from ``--route-metric`` if set, otherwise :code:`0`. --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 8761826..7cef9db 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -118,7 +118,8 @@ print_in_addr_t(network, 0, &o->gc), print_in_addr_t(netmask, 0, &o->gc), NULL, - NULL); + NULL, + o->route_default_table_id); } static void diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7d4eb85..77747a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -1566,7 +1566,7 @@ { add_route_ipv6_to_option_list( options->routes_ipv6, string_alloc(opt_list[i], options->routes_ipv6->gc), - NULL, NULL ); + NULL, NULL, options->route_default_table_id); } } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3cf8c2a..7e26069 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -213,6 +213,10 @@ " pass --ifconfig parms by environment to scripts.\n" "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n" " connection doesn't match the remote side.\n" +#ifdef TARGET_LINUX + "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n" + " If not specified, the id of the default routing table will be used.\n" +#endif "--route network [netmask] [gateway] [metric] :\n" " Add route to routing table after connection\n" " is established. Multiple routes can be specified.\n" @@ -829,6 +833,7 @@ o->ce.mssfix = 0; o->ce.mssfix_default = true; o->ce.mssfix_encap = true; + o->route_default_table_id = 0; o->route_delay_window = 30; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; @@ -1799,6 +1804,7 @@ SHOW_STR(route_script); SHOW_STR(route_default_gateway); SHOW_INT(route_default_metric); + SHOW_INT(route_default_table_id); SHOW_BOOL(route_noexec); SHOW_INT(route_delay); SHOW_INT(route_delay_window); @@ -7064,6 +7070,14 @@ cnol_check_alloc(options); add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel); } + else if (streq(p[0], "route-table") && p[1] && !p[2]) + { +#ifndef ENABLE_SITNL + msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in"); +#endif + VERIFY_PERMISSION(OPT_P_ROUTE_TABLE); + options->route_default_table_id = positive_atoi(p[1], msglevel); + } else if (streq(p[0], "route") && p[1] && !p[5]) { VERIFY_PERMISSION(OPT_P_ROUTE); 
@@ -7085,8 +7099,9 @@ msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]); goto err; } + /* p[4] is metric, if specified */ } - add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]); + add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], options->route_default_table_id); } else if (streq(p[0], "route-ipv6") && p[1] && !p[4]) { @@ -7104,9 +7119,9 @@ msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]); goto err; } - /* p[3] is metric, if present */ + /* p[3] is metric, if specified */ } - add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]); + add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], options->route_default_table_id); } else if (streq(p[0], "max-routes") && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 46ec32b..56e85d7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -427,6 +427,7 @@ const char *route_predown_script; const char *route_default_gateway; const char *route_ipv6_default_gateway; + int route_default_table_id; int route_default_metric; bool route_noexec; int route_delay; @@ -758,6 +759,7 @@ #define OPT_P_PEER_ID (1<<28) #define OPT_P_INLINE (1<<29) #define OPT_P_PUSH_MTU (1<<30) +#define OPT_P_ROUTE_TABLE (1<<31) #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE)) diff --git a/src/openvpn/route.c b/src/openvpn/route.c index bd79a28..156262a 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -330,13 +330,11 @@ r->option = ro; /* network */ - if (!is_route_parm_defined(ro->network)) { goto fail; } - /* get_special_addr replaces specialaddr with a special ip addr * like gw. getaddrinfo is called to convert a a addrinfo struct */ @@ -442,6 +440,9 @@ r->flags |= RT_DEFINED; + /* routing table id */ + r->table_id = ro->table_id; + return true; fail: @@ -498,6 +499,9 @@ r6->flags |= RT_DEFINED; + /* routing table id */ + r6->table_id = r6o->table_id; + return true; fail: 
@@ -511,7 +515,8 @@ const char *network, const char *netmask, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_option *ro; ALLOC_OBJ_GC(ro, struct route_option, l->gc); @@ -519,6 +524,7 @@ ro->netmask = netmask; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes; l->routes = ro; @@ -528,13 +534,15 @@ add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric) + const char *metric, + int table_id) { struct route_ipv6_option *ro; ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc); ro->prefix = prefix; ro->gateway = gateway; ro->metric = metric; + ro->table_id = table_id; ro->next = l->routes_ipv6; l->routes_ipv6 = ro; } @@ -1610,9 +1618,10 @@ metric = r->metric; } + status = RTA_SUCCESS; int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, iface, 0, metric); + &r->gateway, iface, r->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2007,7 +2016,7 @@ status = RTA_SUCCESS; int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL, - device, 0, metric); + device, r6->table_id, metric); if (ret == -EEXIST) { msg(D_ROUTE, "NOTE: Linux route add command failed because route exists"); @@ -2227,7 +2236,7 @@ } if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), - &r->gateway, NULL, 0, metric) < 0) + &r->gateway, NULL, r->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route delete command failed"); } @@ -2452,7 +2461,7 @@ } if (net_route_v6_del(ctx, &r6->network, r6->netbits, - gateway_needed ? &r6->gateway : NULL, device, 0, + gateway_needed ? &r6->gateway : NULL, device, r6->table_id, metric) < 0) { msg(M_WARN, "ERROR: Linux route v6 delete command failed"); diff --git a/src/openvpn/route.h b/src/openvpn/route.h index aa3114c..237375c 100644 
--- a/src/openvpn/route.h +++ b/src/openvpn/route.h @@ -69,6 +69,7 @@ in_addr_t remote_host; int remote_host_local; /* TLA_x value */ struct route_bypass bypass; + int table_id; int default_metric; }; @@ -77,6 +78,7 @@ const char *network; const char *netmask; const char *gateway; + int table_id; const char *metric; }; @@ -101,6 +103,7 @@ const char *prefix; /* e.g. "2001:db8:1::/64" */ const char *gateway; /* e.g. "2001:db8:0::2" */ const char *metric; /* e.g. "5" */ + int table_id; }; struct route_ipv6_option_list { @@ -119,6 +122,7 @@ in_addr_t network; in_addr_t netmask; in_addr_t gateway; + int table_id; int metric; }; @@ -129,6 +133,7 @@ unsigned int netbits; struct in6_addr gateway; int metric; + int table_id; /* gateway interface */ #ifdef _WIN32 DWORD adapter_index; /* interface or ~0 if undefined */ @@ -290,12 +295,14 @@ const char *network, const char *netmask, const char *gateway, - const char *metric); + const char *metric, + int table_id); void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, - const char *metric); + const char *metric, + int table_id); bool init_route_list(struct route_list *rl, const struct route_option_list *opt, -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Gerrit-Change-Number: 524 Gerrit-PatchSet: 9 Gerrit-Owner: its_Giaan <gia...@ma...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: cron2 <ge...@gr...> Gerrit-Attention: its_Giaan <gia...@ma...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
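Review bot: the man-page entry added for ``--route-table`` in the first hunk only mentions ``--route``, while the help text added to options.c advertises it for ``--route(-ipv6)`` and the parser applies the id to both ``route`` and ``route-ipv6``; the entry should name ``--route-ipv6`` too. The "(Supported on Linux only ...)" line is also narrower than the code: the parser warns whenever ``ENABLE_SITNL`` is not defined, so the doc should say the option needs the netlink (SITNL) backend, not just Linux.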
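Review bot: in the options.c usage hunk (``@@ -213,6 +213,10 @@``) the help text is guarded by ``#ifdef TARGET_LINUX``, but the runtime check in the parser hunk is ``#ifndef ENABLE_SITNL``; on a Linux build using the iproute2 backend the option is listed in ``--help`` and then warned about as unsupported at parse time. Use the same condition for both (``#ifdef ENABLE_SITNL``), or, since the option is accepted on every platform as a documented no-op, drop the guard and state the SITNL requirement in the help text itself.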
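Review bot: the new ``route-table`` branch in the ``@@ -7064,6 +7070,14 @@`` hunk only stores the id in ``options->route_default_table_id``, and the ``route`` and ``route-ipv6`` branches in the following hunk copy that value into each route option at parse time, so ``--route-table 100`` written after the ``--route`` lines silently leaves those routes in table 0. ``--route-metric`` does not have this problem because the default metric is resolved later in ``init_route_list``; resolving the table id there as well (only copying a per-route value at parse time) would make the option order-independent. If the parse-time snapshot is kept, the man page should say that ``--route-table`` must precede the routes it applies to.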
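Review bot: ``#define OPT_P_ROUTE_TABLE (1<<31)`` in the options.h hunk shifts a signed ``int`` constant into the sign bit, which is undefined behaviour in C; the neighbouring flags stop at ``(1<<30)``. Write it as ``(1u<<31)`` and note in the commit message that this spends the last bit of the 32-bit permission mask. If ``--route-table`` does not need to be permitted separately from ``--route``, the ``VERIFY_PERMISSION(OPT_P_ROUTE_TABLE)`` call could use ``OPT_P_ROUTE`` instead and the new bit could be dropped.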
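Review bot: the two blank-line removals around ``if (!is_route_parm_defined(ro->network))`` in the route.c ``@@ -330,13 +330,11 @@`` hunk are whitespace churn unrelated to the table id and were already raised on PS8; drop them from this patch, or at most remove the single blank line after the ``/* network */`` comment.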
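Review bot: the added ``status = RTA_SUCCESS;`` before ``net_route_v4_add()`` in the route.c ``@@ -1610,9 +1618,10 @@`` hunk changes the status the IPv4 add path reports and has nothing to do with routing tables (the IPv6 path in the next hunk already had it). If it is a rebase leftover, drop it; if it is an intentional fix, it belongs in its own commit or at least in the commit message.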
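Review bot: the ``int table_id;`` added next to ``default_metric`` in the first route.h hunk (``@@ -69,6 +69,7 @@``) is never written or read by any hunk in this patch; the ids actually used live in the per-route option and route structs in the later hunks. Either remove the field, or make it the list-wide default that ``init_route_list`` applies when a route has no table of its own, mirroring how ``default_metric`` is handled.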
From: cron2 (C. Review) <ge...@op...> - 2025-06-18 16:28:48
Attention is currently required from: flichtenheld, its_Giaan, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

Change subject: Route: add support for user defined routing table
......................................................................

Patch Set 8: Code-Review-1

(3 comments)

Patchset:

PS8:
Got left out in the sun too long, so now it needs polish... (sorry)

File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/5ca01c93_caaa3aa2 :
PS8, Line 7020: options->route_default_table_id = positive_atoi(p[1]);
Unfortunately, `positive_atoi()` now wants 2 arguments... (`msglevel`). So this needs a rebase & fixup.

File src/openvpn/route.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/2f114621_8e4ffe35 :
PS8, Line 332: /* network */
spurious blank line removal... if you want to remove one, I think removing the one after the `/* network */` comment makes more sense, and maybe one of the 2 blank lines further down (337). But removing this one does no good.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Gerrit-Change-Number: 524
Gerrit-PatchSet: 8
Gerrit-Owner: its_Giaan <gia...@ma...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: its_Giaan <gia...@ma...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-Comment-Date: Wed, 18 Jun 2025 16:28:34 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment