author | Gianmarco De Gregori | 2024-03-07 13:46:16 +0100 |
---|---|---|
committer | Gert Doering | 2024-03-08 11:21:02 +0100 |
commit | 6456d861f3f1006ccee0a7f94a159f4afe1d3178 (patch) | |
tree | af8f4b28ecc278ccb2e6a0e3150158769c66bb2c | |
parent | 802fcce5448741bb1e34dd06ac3674b6b6c55a94 (diff) | |
Minor fix to process_ip_header
Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
unneeded complexity.
While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.
Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240307124616.16358-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28345.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | src/openvpn/forward.c | 95 | ||||
-rw-r--r-- | src/openvpn/forward.h | 5 | ||||
-rw-r--r-- | src/openvpn/multi.c | 2 |
3 files changed, 45 insertions, 57 deletions
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ process_incoming_tun(struct context *c) * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, &c->c2.buf); #ifdef PACKET_TRUNCATION_CHECK 
@@ -1644,74 +1644,61 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) } if (!c->options.block_ipv6) { - flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); + flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { - /* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - - if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) + struct buffer ipbuf = *buf; + if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) { - struct buffer ipbuf = *buf; - if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) - { #if PASSTOS_CAPABILITY - /* extract TOS from IP header */ - if (flags & PIPV4_PASSTOS) - { - link_socket_extract_tos(c->c2.link_socket, &ipbuf); - } + /* extract TOS from IP header */ + if (flags & PIPV4_PASSTOS) + { + link_socket_extract_tos(c->c2.link_socket, &ipbuf); + } #endif - /* possibly alter the TCP MSS */ - if (flags & PIP_MSSFIX) - { - mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); - } + /* possibly alter the TCP MSS */ + if (flags & PIP_MSSFIX) + { + mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); + } - /* possibly do NAT on packet */ - if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) - { - const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; - client_nat_transform(c->options.client_nat, &ipbuf, direction); - } - /* possibly extract a DHCP router message */ - if (flags & PIPV4_EXTRACT_DHCP_ROUTER) - { - const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf); - if (dhcp_router) - { - route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); - } - } + /* possibly do NAT on packet */ + if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) + { + const int direction = (flags & PIP_OUTGOING) ? 
CN_INCOMING : CN_OUTGOING; + client_nat_transform(c->options.client_nat, &ipbuf, direction); } - else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) + /* possibly extract a DHCP router message */ + if (flags & PIPV4_EXTRACT_DHCP_ROUTER) { - /* possibly alter the TCP MSS */ - if (flags & PIP_MSSFIX) - { - mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); - } - if (!(flags & PIP_OUTGOING) && (flags - &(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) + const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf); + if (dhcp_router) { - ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); - /* Drop the IPv6 packet */ - buf->len = 0; + route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); } - } } + else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) + { + /* possibly alter the TCP MSS */ + if (flags & PIP_MSSFIX) + { + mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); + } + if (!(flags & PIP_OUTGOING) && (flags + &(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER))) + { + ipv6_send_icmp_unreachable(c, buf, + (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT)); + /* Drop the IPv6 packet */ + buf->len = 0; + } + + } } } diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index e19115e..bc00ba5 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -297,8 +297,9 @@ void reschedule_multi_process(struct context *c); #define PIP_OUTGOING (1<<2) #define PIPV4_EXTRACT_DHCP_ROUTER (1<<3) #define PIPV4_CLIENT_NAT (1<<4) -#define PIPV6_IMCP_NOHOST_CLIENT (1<<5) -#define PIPV6_IMCP_NOHOST_SERVER (1<<6) +#define PIPV6_ICMP_NOHOST_CLIENT (1<<5) +#define PIPV6_ICMP_NOHOST_SERVER (1<<6) + void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 4344126..712456c 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
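Review bot: The IPv6 branch of process_ip_header is where a packet is dropped when block_ipv6 is set (`buf->len = 0` after ipv6_send_icmp_unreachable), yet nothing in the new code says this branch must stay reachable whatever other feature flags are set. The removed outer guard tested only PIP_MSSFIX, PIPV4_PASSTOS (under PASSTOS_CAPABILITY) and PIPV4_CLIENT_NAT, so a caller passing just `PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER`, as the multi.c hunk does, would apparently have skipped the drop on builds without PASSTOS_CAPABILITY, unless further flags are added outside the visible lines. PIPV4_EXTRACT_DHCP_ROUTER was outside that guard as well. I would record this above `struct buffer ipbuf = *buf;`, for example `/* Always classify the packet: the block-ipv6 drop and the DHCP router extraction must not depend on any other PIP* flag being set. */`, and remove the stray empty line added before the closing brace of the IPv6 branch. The function begins above this hunk, so how flags is prepared before the block_ipv6 mask is not visible here.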
@@ -3645,7 +3645,7 @@ multi_get_queue(struct mbuf_set *ms) if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */ { - unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER; + unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER; set_prefix(item.instance); item.instance->context.c2.buf = item.buffer->buf; |