diff options
| -rw-r--r-- | src/openvpn/forward.c | 95 | ||||
| -rw-r--r-- | src/openvpn/forward.h | 5 | ||||
| -rw-r--r-- | src/openvpn/multi.c | 2 |
3 files changed, 45 insertions, 57 deletions
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0443ca0..556c465 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1460,7 +1460,7 @@ process_incoming_tun(struct context *c) * us to examine the IP header (IPv4 or IPv6). */ unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT - | PIPV6_IMCP_NOHOST_CLIENT; + | PIPV6_ICMP_NOHOST_CLIENT; process_ip_header(c, flags, &c->c2.buf); #ifdef PACKET_TRUNCATION_CHECK @@ -1644,74 +1644,61 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) } if (!c->options.block_ipv6) { - flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER); + flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER); } if (buf->len > 0) { - /* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - - if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) + struct buffer ipbuf = *buf; + if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) { - struct buffer ipbuf = *buf; - if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) - { #if PASSTOS_CAPABILITY - /* extract TOS from IP header */ - if (flags & PIPV4_PASSTOS) - { - link_socket_extract_tos(c->c2.link_socket, &ipbuf); - } + /* extract TOS from IP header */ + if (flags & PIPV4_PASSTOS) + { + link_socket_extract_tos(c->c2.link_socket, &ipbuf); + } #endif - /* possibly alter the TCP MSS */ - if (flags & PIP_MSSFIX) - { - mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); - } + /* possibly alter the TCP MSS */ + if (flags & PIP_MSSFIX) + { + mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix); + } - /* possibly do NAT on packet */ - if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) - { - const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; - client_nat_transform(c->options.client_nat, &ipbuf, direction); - } - /* possibly extract a DHCP router message */ - if (flags & PIPV4_EXTRACT_DHCP_ROUTER) - { - const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf); - if (dhcp_router) - { - route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); - } - } + /* possibly do NAT on packet */ + if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat) + { + const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING; + client_nat_transform(c->options.client_nat, &ipbuf, direction); } - else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) + /* possibly extract a DHCP router message */ + if (flags & PIPV4_EXTRACT_DHCP_ROUTER) { - /* possibly alter the TCP MSS */ - if (flags & PIP_MSSFIX) - { - mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); - } - if (!(flags & PIP_OUTGOING) && (flags - &(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER))) + const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf); + if (dhcp_router) { - ipv6_send_icmp_unreachable(c, buf, - (bool)(flags & PIPV6_IMCP_NOHOST_CLIENT)); - /* Drop the IPv6 packet */ - buf->len = 0; + route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router); } - } } + else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf)) + { + /* possibly alter the TCP MSS */ + if (flags & PIP_MSSFIX) + { + mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix); + } + if (!(flags & PIP_OUTGOING) && (flags + &(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER))) + { + ipv6_send_icmp_unreachable(c, buf, + (bool)(flags & PIPV6_ICMP_NOHOST_CLIENT)); + /* Drop the IPv6 packet */ + buf->len = 0; + } + + } } } diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index e19115e..bc00ba5 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -297,8 +297,9 @@ void reschedule_multi_process(struct context *c); #define PIP_OUTGOING (1<<2) #define PIPV4_EXTRACT_DHCP_ROUTER (1<<3) #define PIPV4_CLIENT_NAT (1<<4) -#define PIPV6_IMCP_NOHOST_CLIENT (1<<5) -#define PIPV6_IMCP_NOHOST_SERVER (1<<6) +#define PIPV6_ICMP_NOHOST_CLIENT (1<<5) +#define PIPV6_ICMP_NOHOST_SERVER (1<<6) + void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 4344126..712456c 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3645,7 +3645,7 @@ multi_get_queue(struct mbuf_set *ms) if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */ { - unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER; + unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER; set_prefix(item.instance); item.instance->context.c2.buf = item.buffer->buf; |