Minor fix to process_ip_header
Removed if-guard checking if any feature is
enabled before performing per-feature check.
It doesn't save us much but instead introduces
unneeded complexity.

While at it, fixed a typo IMCP -> ICMP for defined
PIPV6_ICMP_NOHOST_CLIENT and PIPV6_ICMP_NOHOST_SERVER
macros.

Fixes: Trac https://community.openvpn.net/openvpn/ticket/269
Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Signed-off-by: Gianmarco De Gregori <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28345.html
Signed-off-by: Gert Doering <[email protected]>
itsGiaan authored and cron2 committed Mar 8, 2024
1 parent 802fcce commit 6456d86
Showing 3 changed files with 45 additions and 57 deletions.
95 changes: 41 additions & 54 deletions src/openvpn/forward.c
Expand Up @@ -1460,7 +1460,7 @@ process_incoming_tun(struct context *c)
* us to examine the IP header (IPv4 or IPv6).
*/
unsigned int flags = PIPV4_PASSTOS | PIP_MSSFIX | PIPV4_CLIENT_NAT
| PIPV6_IMCP_NOHOST_CLIENT;
| PIPV6_ICMP_NOHOST_CLIENT;
process_ip_header(c, flags, &c->c2.buf);

#ifdef PACKET_TRUNCATION_CHECK
Expand Down Expand Up @@ -1644,74 +1644,61 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
}
if (!c->options.block_ipv6)
{
flags &= ~(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER);
flags &= ~(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER);
}

if (buf->len > 0)
{
/*
* The --passtos and --mssfix options require
* us to examine the IPv4 header.
*/

if (flags & (PIP_MSSFIX
#if PASSTOS_CAPABILITY
| PIPV4_PASSTOS
#endif
| PIPV4_CLIENT_NAT
))
struct buffer ipbuf = *buf;
if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
{
struct buffer ipbuf = *buf;
if (is_ipv4(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
{
#if PASSTOS_CAPABILITY
/* extract TOS from IP header */
if (flags & PIPV4_PASSTOS)
{
link_socket_extract_tos(c->c2.link_socket, &ipbuf);
}
/* extract TOS from IP header */
if (flags & PIPV4_PASSTOS)
{
link_socket_extract_tos(c->c2.link_socket, &ipbuf);
}
#endif

/* possibly alter the TCP MSS */
if (flags & PIP_MSSFIX)
{
mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
}
/* possibly alter the TCP MSS */
if (flags & PIP_MSSFIX)
{
mss_fixup_ipv4(&ipbuf, c->c2.frame.mss_fix);
}

/* possibly do NAT on packet */
if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
{
const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
client_nat_transform(c->options.client_nat, &ipbuf, direction);
}
/* possibly extract a DHCP router message */
if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
{
const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
if (dhcp_router)
{
route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
}
}
/* possibly do NAT on packet */
if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
{
const int direction = (flags & PIP_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
client_nat_transform(c->options.client_nat, &ipbuf, direction);
}
else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
/* possibly extract a DHCP router message */
if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
{
/* possibly alter the TCP MSS */
if (flags & PIP_MSSFIX)
{
mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
}
if (!(flags & PIP_OUTGOING) && (flags
&(PIPV6_IMCP_NOHOST_CLIENT | PIPV6_IMCP_NOHOST_SERVER)))
const in_addr_t dhcp_router = dhcp_extract_router_msg(&ipbuf);
if (dhcp_router)
{
ipv6_send_icmp_unreachable(c, buf,
(bool)(flags & PIPV6_IMCP_NOHOST_CLIENT));
/* Drop the IPv6 packet */
buf->len = 0;
route_list_add_vpn_gateway(c->c1.route_list, c->c2.es, dhcp_router);
}

}
}
else if (is_ipv6(TUNNEL_TYPE(c->c1.tuntap), &ipbuf))
{
/* possibly alter the TCP MSS */
if (flags & PIP_MSSFIX)
{
mss_fixup_ipv6(&ipbuf, c->c2.frame.mss_fix);
}
if (!(flags & PIP_OUTGOING) && (flags
&(PIPV6_ICMP_NOHOST_CLIENT | PIPV6_ICMP_NOHOST_SERVER)))
{
ipv6_send_icmp_unreachable(c, buf,
(bool)(flags & PIPV6_ICMP_NOHOST_CLIENT));
/* Drop the IPv6 packet */
buf->len = 0;
}

}
}
}

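Review bot: Removing the outer guard in process_ip_header is a behaviour change rather than a pure simplification, because that guard tested only PIP_MSSFIX, PIPV4_PASSTOS and PIPV4_CLIENT_NAT. The PIPV4_EXTRACT_DHCP_ROUTER branch, and the IPv6 branch that calls ipv6_send_icmp_unreachable() and sets `buf->len = 0`, are now reached even when none of those three bits is set. That IPv6 drop is a filtering control, so I would document the invariant at the new `struct buffer ipbuf = *buf;` line with a comment such as `/* no outer flag guard: each branch tests its own PIP* bit, so the block_ipv6 drop never depends on mssfix/passtos/client_nat */`. The commit description should say the same, since "doesn't save us much" undersells the fix. The function begins above this hunk, so how the flags are masked before this point is not visible here and should be checked against the same reasoning.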
5 changes: 3 additions & 2 deletions src/openvpn/forward.h
Expand Up @@ -297,8 +297,9 @@ void reschedule_multi_process(struct context *c);
#define PIP_OUTGOING (1<<2)
#define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
#define PIPV4_CLIENT_NAT (1<<4)
#define PIPV6_IMCP_NOHOST_CLIENT (1<<5)
#define PIPV6_IMCP_NOHOST_SERVER (1<<6)
#define PIPV6_ICMP_NOHOST_CLIENT (1<<5)
#define PIPV6_ICMP_NOHOST_SERVER (1<<6)


void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);

2 changes: 1 addition & 1 deletion src/openvpn/multi.c
Expand Up @@ -3645,7 +3645,7 @@ multi_get_queue(struct mbuf_set *ms)

if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
{
unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER;

set_prefix(item.instance);
item.instance->context.c2.buf = item.buffer->buf;
