Alon Bar-Lev [Wed, 29 Feb 2012 20:12:09 +0000 (22:12 +0200)]
build: proper lzo detection and usage
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:04 +0000 (22:12 +0200)]
build: autoconf: minor cleanups
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:12:02 +0000 (22:12 +0200)]
build: libdl usage
1. properly detect.
2. Link only required components.
3. No way we don't have LoadLibrary on Windows.
4. ENABLE_PLUGIN should be controlled in autoconf.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:56 +0000 (22:11 +0200)]
build: autotools: first pass of trivial autotools changes
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:49 +0000 (22:11 +0200)]
Remove tap-win32
Introduce tap-windows.h which is modified tap-win32/common.h.
Except of function rename, it is the same without the tap_id.
This file should be provided as part of tap-win32 MSI.
For now we hold a copy.
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:45 +0000 (22:11 +0200)]
build: plugins: properly use CC, CFLAGS and LDFLAGS
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:40 +0000 (22:11 +0200)]
fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:37 +0000 (22:11 +0200)]
cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
autoconf rejecting this anyway:
----
AC_MSG_CHECKING([that OpenSSL Library is at least version 0.9.6])
<snip>
AC_MSG_ERROR([OpenSSL crypto Library is too old.])
----
Alon Bar-Lev [Wed, 29 Feb 2012 20:11:35 +0000 (22:11 +0200)]
cleanup: win32.c: wrong printf format
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Heiko Hund [Wed, 17 Aug 2011 15:53:01 +0000 (15:53 +0000)]
remove wrapper code for Windows CryptoAPI function
The CryptoAPI function CryptAcquireCertificatePrivateKey() was previously
unsupported in MinGW. With recent w32api headers it's now defined, mostly.
Since the code used to load the CryptoAPI DLL is prone to a DLL hijacking
attack [1], it's now a good time to get rid of wrapper completely.
Just a few macros left that may still be undefined on some
systems using the original MinGW headers.
[1] http://isc.sans.edu/diary.html?storyid=9445
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: James Yonan <james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/4979 Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 20 Feb 2012 09:31:54 +0000 (10:31 +0100)]
Revamp check_file_access() checks in stdin scenarios
It was discovered that --management also can take stdin as argument
instead of a file. Enabled this by revamping the check_file_access()
flags by adding CHKACC_ACPTSTDIN. Setting this flag will then consider
filenames as 'stdin' as always present.
The other place where 'stdin' was accepted is also modified to use this
flag instead.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 18 Feb 2012 19:44:12 +0000 (20:44 +0100)]
define access mode flag X_OK as 0 on Windows
The _access and _waccess functions in Windows don't know about
X_OK (1). If you pass an uneven mode flag the C runtime's default
invalid parameter handler ends execution of openvpn.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Fri, 17 Feb 2012 11:09:51 +0000 (12:09 +0100)]
Makefile.am referenced a now non-existing config-win32.h
This file was moved to win/config.h.in and is the template used
by the Python build tools in win/. This happened in
commit 4b312378e9e7084a0699ca6d4b895bdadb7540db
For all other autotools based environments, ./configure will take
care of creating the proper config.h
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Thu, 16 Feb 2012 17:30:40 +0000 (18:30 +0100)]
use the underscore version of stat on Windows
MSVC does not know wstat(). Instead _wstat() must be used here.
Unfortunately _wstat() takes a 'struct _stat'. A type 'stat_t' is
introduced to handle this situation in a portable way.
[v2: Use openvpn_stat_t instead of stat_t (David Sommerseth)]
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
The cipher_kt_mode uses bool as return type, this should be int. On
some platforms like OS X, any returned value larger than one will
be converted to 1.
Signed-off-by: Frank de Brabander <brabander@fox-it.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Tue, 14 Feb 2012 10:45:27 +0000 (11:45 +0100)]
Connection entry {tun,link}_mtu_defined not set correctly
Commit 76809cae0eae07817160b423d3f9551df1a1d68e enabled setting MTU
variables inside <connection> blocks. But in that process, the
tun_mtu_defined and link_mtu_defined was not set as it should.
By moving this out of the options_postprocess_mutate_invariant()
function and into options_postprocess_mutate_ce(), these
{tun,link}_mtu_defined variables are set correctly in each
connection entry.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
The following options may now be used in a connection block:
fragment
mssfix
tun-mtu
tun-mtu-extra
link-mtu
mtu_discover_type
explicit-exit-notification
In order to support stuff like
<connection>
remote host
proto udp
fragment
explicit-exit-notification 3
</connection>
<connection>
remote host
proto tcp
</connection>
Signed-off-by: Jan Just Keijser <janjust@nikhef.nl> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 13 Feb 2012 16:29:52 +0000 (17:29 +0100)]
Fix compile issues with status.c
Commit 71bbbd76c62630c88441237d72fe5b61f0b45b2a moved over from
calling open() directly to go via the openvpn_open(). It was not
detected that status.c had to include misc.h too.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Heiko Hund <heiko.hund@sophos.com>
David Sommerseth [Mon, 13 Feb 2012 15:03:46 +0000 (16:03 +0100)]
Remove --show-gateway if debug info is not enabled (--disable-debug)
The --show-gateway feature depends on functions only being enabled when
--disable-debug is _not_ used. As this I consider --show-gateway more
a handy function for debugging, removing this feature when --disable-debug
is used seems like the proper approach.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 13 Feb 2012 14:52:00 +0000 (15:52 +0100)]
Fix compile issues when plug-ins are disabled.
Commit 1876ccd012e9e2ca6f8e1cd9e7e9bb4bf24ccecb modified
plugin_call() and introduced plugin_call_ssl(). But the similar
approach was missing for situations without plug-ins.
Solution: Rename plugin_call() in the #else !ENABLE_PLUGIN
section to plugin_call_ssl(). Then move the plugin_ssl() function
inside the #ifdef ENABLE_PLUGIN section outside the #ifdef, making
it available for builds with and without plug-ins enabled.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Fri, 10 Feb 2012 14:13:42 +0000 (15:13 +0100)]
handle Windows unicode paths
Openvpn for Windows is not compiled as a Unicode binary and thus cannot
handle paths which contain non-ASCII characters using the argv vector.
Characters that are not present in the system codepage are simply replaced
with a question mark, e.g. if started as 'openvpn --config домой.ovpn'
the file '?????.ovpn' is tried to be opened as configuration.
The same applies to paths in config files which need to be UTF-8
encoded if they contain non ASCII characters. The option line
'key лев.pem' will lead to openvpn trying to open 'лев.pem' on a
system with codepage 1252.
This patch makes openvpn read the command line in UCS-2 and convert
it to UTF-8 internally. Windows stores names in the filesystem in UCS-2.
When using a paths openvpn converts it from UTF-8 to UCS-2 and uses the
wide character Windows API function.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Igor Novgorodov [Sun, 12 Feb 2012 18:40:02 +0000 (22:40 +0400)]
The code blocks enabled by ENABLE_CLIENT_CR depends on management
If the management interface is not enabled, it makes no sense in
including the ENABLE_CLIENT_CR #ifdef blocks. This will also in
some configurations cause build issues if these blocks are enabled.
Signed-off-by: Igor Novgorodov <igor@novg.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Fix assert() situations where gc_malloc() is called without a gc_arena object
In commit bee92b479414d12035b0422f81ac5fcfe14fa645 the gc_malloc() was hardened
to always require a gc_arena object for garbage collection. Some places in the
code expected the old behaviour of a normal malloc() in these cases, that is a
memory allocation without garbage collection.
This old behaviour is partly restored by allowing string_alloc() to do a non-gc
based allocation if no gc_arena object is available. In addition some other
places string_alloc() will now be called with a gc_arena pointer where such an
object is available.
The alloc_buf() function has also been refactored to not use gc_malloc() at
all.
v2: - removes a memleak when --ifconfig-ipv6 is used several times
- makes string_alloc() behave properly if DMALLOC is enabled
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 5 Feb 2012 12:35:03 +0000 (13:35 +0100)]
Platform cleanup for OpenBSD
Turn around initialization order (IFCONFIG_AFTER_TUN_OPEN) to make it
"the same as all other platforms besides Windows" (tun.h).
Remove "ifconfig destroy / ifconfig create" from open_tun() and change
to generic "create tun device by opening /dev/tunN" approach, thus
cleaning up the IFCONFIG_BEFORE_TUN_OPEN bit.
Add "-link0" for ifconfig calls in tun mode, to make sure that even if
we happen to re-use a not-cleaned-up tun interface in tap mode, it will
then be setup correctly (-link0 -> tun, link0 -> tap).
Add correct ifconfig calls for "topology subnet".
On tunnel close, only call "ifconfig destroy" if it was a tap interface
(tun + link0), because those do not auto-disappear (OpenBSD bug?)
Get rid of READV/WRITEV #ifdef's - as per the man page, these calls have
been added to 4.2BSD, and there never was an OpenBSD version without.
Tested on OpenBSD 4.9 with tun+tap, ipv4+ipv6, topology net30+subnet
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Robert Fischer [Sat, 10 Dec 2011 14:51:30 +0000 (15:51 +0100)]
Documented --push-peer-info option
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Robert Fischer [Sat, 10 Dec 2011 13:56:40 +0000 (14:56 +0100)]
Documented --errors-to-stderr option
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Heiko Hund [Wed, 7 Dec 2011 17:59:21 +0000 (18:59 +0100)]
set Windows environment variables as UCS-2
Windows uses 16 bit wide characters to represent Unicode in the
process environment. Convert UTF-8 to UCS-2 and use the wide
character API to set environment variables.
Heiko Hund [Sat, 4 Feb 2012 12:56:24 +0000 (12:56 +0000)]
UTF-8 X.509 distinguished names
The UTF-8 support that came with commit 2627335 does allow international
usernames and passwords. This patch introduces UTF-8 support for X.509 DNs.
Additionally, instead of using the legacy openssl format, DNs are now
displayed in RFC 2253 format; "/C=ru/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0
\xB2\xD0\xB0/O=\xD0\x9A\xD1\x80\xD0\xB5\xD0\xBC\xD0\xBB\xD1\x8C/CN=kreml.ru"
becomes "C=ru, L=Москва, O=Кремль, CN=kreml.ru".
Since the specific character classes for X.509 names are removed, the
"no-name-remapping" configuration option has no use anymore and is removed
as well.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Fri, 3 Feb 2012 17:18:07 +0000 (19:18 +0200)]
Fix RUN_SUDO functionality for t_client.sh
Commit 9c6ee9d1ecd85535c was incomplete - while it will run openvpn with
sudo, it will not use sudo for the "kill" commands needed to test whether
the background process is still there, and for actually stopping openvpn
after the test has finished.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Fri, 3 Feb 2012 16:11:03 +0000 (17:11 +0100)]
Implement IPv6 interface config with non-/64 prefix lengths.
Add "ifconfig_ipv6_netbits_parm" parameter to init_tun(), use that to
initialize tt->netbits_ipv6 (previously: always /64). Actual interface
setup code already used tt->netbits_ipv6, so no changes needed there.
Remove restrictions on "/netbits" value for --server-ipv6 config option
(can now be /64.../112, previously had to be exactly /64). Supporting
even smaller networks could cause problems with ipv6-pool handling and
are only allowed for explicit "ifconfig-ipv6", not for "server-ipv6".
Add /netbits to pushed "ifconfig-ipv6" values on server side (client
side always accepted this, but ignored it so far, so this does not
break compatibility).
Tested on Linux/ifconfig, Linux/iproute2 and FreeBSD 7.4
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Mon, 26 Dec 2011 00:18:50 +0000 (00:18 +0000)]
Added support for "on-link" routes on Linux client
These are routes where the gateway is specified as an interface rather
than an address. This allows redirect-gateway to work on Linux clients
whose connection to the internet is via a point-to-point link such as
PPP.
Note that at the moment, this capability is incompatible with
the "redirect-gateway block-local" directive -- this is because
the block-local directive blocks all traffic from the local LAN
except for the local and gateway addresses. Since a PPP link
is essentially a subnet of two addresses, local and remote (i.e.
gateway), the set of addresses that would be blocked by block-local
is empty. Therefore, the "redirect-gateway block-local" directive
will be ignored on PPP links.
To view the OpenVPN client's current determination of the default
gateway, use this command:
./openvpn --show-gateway
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7794 e7ae566f-a301-0410-adde-c780ea21d3b5 Signed-off-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
This patchs adds a script/plug-in hook which is called right before the
network routes are taken down. This gives external processes a
possibility to tear down communication over the VPN before the VPN
disappears.
One use case can be to mount a networked file system over the VPN via
--route-up. And then to unmount this file system via --route-pre-down
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 22 Jan 2012 21:21:22 +0000 (23:21 +0200)]
Platform cleanup for FreeBSD
- cleanup TUN/TAP devices at program end ("ifconfig ... destroy")
- make TUN device setup for "topology subnet" work together with IPv6
(setup correct netmask and route, but do not use IFF_BROADCAST)
There's one catch for FreeBSD 8.2 if you use pf(4): it will block IPv6
fragments by default, so the standard t_client.sh test sets fail unless
you specifically add "pass in on tun1 fragment" rules - but there's
nothing OpenVPN can do about it.
Tested with IPv4 and IPv6 on 7.4-RELEASE/amd64 and 8.2-RELEASE/amd64
Signed-off-by: Gert Doering <gert@greenie.muc.de>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5303 Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 16 Jan 2012 11:00:33 +0000 (12:00 +0100)]
Don't check for file presence on inline files
The configuration file supports inline files for --ca, --cert, --dh,
--extra-certs, --key, --pkcs12, --secret and --tls-auth. When this
is used, the filename is set to [[INLINE]] (defined by INLINE_FILE_TAG).
If the filename is set to INLINE_FILE_TAG for these options, don't
call check_file_access().
[v2 Simplify the code, using a flag to check_file_access()]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sat, 14 Jan 2012 11:34:59 +0000 (12:34 +0100)]
Fix pool logging when IPv6 is not enabled
If IPv6 tunnelling is not enabled, a bogus IPv6 address would be
printed in the log, like this:
MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=2180:8:2100:0:d4b4:f11d:18bf:2f00
It turns out that the remote_ipv6 buffer was not cleared. Added
an extra check to also replace a "IPv6=::" log message with
information that the IPv6 feature is disabled in these cases.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 11 Jan 2012 13:52:21 +0000 (14:52 +0100)]
autotools ./configure don't like compat.h
The compat.h include file cannot be loaded when ./configure runs,
as many of the HAVE_* declarations are not set. This makes test
compilations when looking for features fail.
As ./configure will load syshead.h, it pulls in compat.h this way.
Looking more carefully at syshead.h, there's a #ifndef PACKAGE_NAME
check if config.h should be included. This looks like a check if
syshead.h is loaded via ./configure or if it is a more normal
compilation. Moving the compat.h inclusion into this #ifndef block.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 21 Nov 2011 15:17:44 +0000 (16:17 +0100)]
Fix compilation errors on Linux platforms without SO_MARK
When trying to compile OpenVPN on RHEL5/CentOS5, it would fail
due to missing declaration of SO_MARK. SO_MARK is a feature which
first arrived in 2.6.26, and was never backported to RHEL5's 2.6.18
kernel base.
This patch adds a check at configure time, to see if SO_MARK is
available or not.
Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Wed, 11 Jan 2012 14:30:28 +0000 (15:30 +0100)]
New Windows build fixes
compat.c: In basename() a typo had gone undetected through the review process,
and also that the declaration was a little bit different from what's defined in
compat.h
misc.c: commit 9449e6a9eba30c9ed054f57d630a88c9f087080f adds #include <unistd.h>.
This breaks building on Windows. As unistd.h is already loaded via syshead.h on
systems where unistd.h exists, we don't need it here.
Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Visual Studio does not enable certiain standard Unix functions,
such as access(). By defining _CRT_NONSTDC_NO_WARNINGS and
_CRT_SECURE_NO_WARNINGS, these functions are enabled.
This patch also adds a ./configure check for access() as well,
in case this needs to be implemented on other platforms lacking
this feature. Which is why HAVE_ACCESS is defined in win/config.h.in
Thanks to Alon Bar-Lev for helping solving this.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5179/focus=5200
Move away from openvpn_basename() over to platform provided basename()
This kicks out the openvpn_basename() function from misc.[ch] and puts
glibc equivalents into compat.[ch]. This is to provide the same
functionality on platforms not having a native basename() function
available.
In addition this patch adds dirname() which commit 0f2bc0dd92f43c91e
depends. Without dirname(), openvpn won't build in Visual Studio.
v2: Move all functions from compat.h to compat.c
v3: Use glibc versions of basename() and dirname() instead
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5178/focus=5215
If openvpn_execve() is not able to fork(), it would not make any noise
about it. So this patch adds a log notification if this happens.
In addition, if openvpn_execve() is called with an empty argv array,
it should exit instantly. This is not expected to happen at all and
might indicate a much more serious issue (or programming error)
somewhere else in the code. Thus, abort execution to get these issues
flushed out as quickly as possible.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 30 Dec 2011 20:42:13 +0000 (21:42 +0100)]
Fix list-overrun checks in copy_route_[ipv6_]option_list()
The old code checks how many items are in use(!) in the source
list, but then copies the full list over the destination memory
arena. Check the source list *capacity*.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Fri, 30 Dec 2011 20:08:49 +0000 (21:08 +0100)]
Fix build-up of duplicate IPv6 routes on reconnect.
options.c: extend pre_pull_save() and pre_pull_restore() to
save/restore options->routes_ipv6 as well
options.h: add routes_ipv6 to "struct options_pre_pull"
route.h, route.c: add clone_route_ipv6_option_list() and
copy_route_ipv6_option_list() helper functions
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Thu, 3 Nov 2011 02:03:35 +0000 (02:03 +0000)]
Fixed client issues with DHCP Router option extraction/deletion when
using layer 2 with DHCP proxy:
* Extract/delete Router option from both DHCPOFFER and DHCPACK
messages. Prevously we only considered DHCPACK messages.
With DHCPACK messages, we extract the Router IP for
use as the vpn_gateway, as well as delete the Router option from
the DHCP message. For DHCPOFFER, we only delete the Router
message.
* Monitor all DHCPOFFER and DHCPACK messages for possible Router
options needing to be extracted/deleted. Previously, we turned
off monitoring after the first successful extraction/deletion
from a DHCPACK message.
* Previously, we deleted Router options by padding them with DHCP
PAD options. This has proven not to work with some DHCP clients,
so we now delete the message entirely, and add PADs to the end of
the message so as not to change its length.
* In some cases, UDP checksum was not being correctly updated for
modified DHCP packets.
To properly use this feature on Linux, after tunnel comes up,
run these commands:
projects / thirdparty / openvpn.git / log
