aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormandree <mandree@FreeBSD.org>2016-11-10 06:06:26 +0800
committermandree <mandree@FreeBSD.org>2016-11-10 06:06:26 +0800
commitf0f9116e5a6624cfbf8fddc09942eb89605b9989 (patch)
treee3e984ddba5444662f2a644d4057f448033ee576
parent7972e479efab015744b2f932eceeecaa9d596233 (diff)
downloadfreebsd-ports-graphics-f0f9116e5a6624cfbf8fddc09942eb89605b9989.tar.gz
freebsd-ports-graphics-f0f9116e5a6624cfbf8fddc09942eb89605b9989.tar.zst
freebsd-ports-graphics-f0f9116e5a6624cfbf8fddc09942eb89605b9989.zip
Experimental patch for topology subnet.
Added as an extra patch behind an option that defaults to ON so people can still opt out, this is slated for an upcoming 2.3.14 release that is, however, not yet scheduled. PR: 207831 (related) Obtained from: Gert Doering, via upstream Git repository 446ef5bda4cdc75d
-rw-r--r--security/openvpn/Makefile8
-rw-r--r--security/openvpn/files/extra-patch-fix-subnet90
2 files changed, 96 insertions, 2 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 3368a096b68..b1636040107 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -3,6 +3,7 @@
PORTNAME= openvpn
DISTVERSION= 2.3.13
+PORTREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -31,8 +32,8 @@ LDFLAGS+= -L${LOCALBASE}/lib
CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
- TUNNELBLICK TEST
-OPTIONS_DEFAULT= EASYRSA OPENSSL TEST
+ TUNNELBLICK TEST FIXSUBNET
+OPTIONS_DEFAULT= EASYRSA OPENSSL TEST FIXSUBNET
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
# The following feature is always enabled since 2.3.9 and no longer optional.
@@ -42,6 +43,7 @@ EASYRSA_DESC= Install security/easy-rsa RSA helper package
POLARSSL_DESC= SSL/TLS via mbedTLS 1.3.X (not 2.x)
TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
+FIXSUBNET_DESC= Enable 'topology subnet' fix (experimental)
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
@@ -50,6 +52,8 @@ PKCS11_CONFIGURE_ENABLE= pkcs11
TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
+FIXSUBNET_EXTRA_PATCHES= ${FILESDIR}/extra-patch-fix-subnet
+
X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
X509ALTUSERNAME_PREVENTS= POLARSSL
diff --git a/security/openvpn/files/extra-patch-fix-subnet b/security/openvpn/files/extra-patch-fix-subnet
new file mode 100644
index 00000000000..4f95dac692f
--- /dev/null
+++ b/security/openvpn/files/extra-patch-fix-subnet
@@ -0,0 +1,90 @@
+commit 446ef5bda4cdc75d4cb955e274846faff0181fd3
+Author: Gert Doering <gert@greenie.muc.de>
+Date: Tue Nov 8 13:45:06 2016 +0100
+
+ Repair topology subnet on FreeBSD 11
+
+ We used to add "route for this subnet" by using our own address as
+ the gateway address, which used to mean "connected to the interface,
+ no gateway". FreeBSD commit 293159 changed the kernel side of that
+ assumption so "my address" is now always bound to "lo0" - thus, our
+ subnet route also ended up pointing to "lo0", breaking connectivity
+ for all hosts in the subnet except the one we used as "remote".
+
+ commit 60fd44e501f200 already introduced a "remote address" we use
+ for the "ifconfig tunX <us> <remote>" part - extend that to be used
+ as gateway address for the "tunX subnet" as well, and things will
+ work more robustly.
+
+ Tested on FreeBSD 11.0-RELEASE and 7.4-RELEASE (client and server)
+ (this particular issue is not present before 11.0, but "adding the
+ subnet route" never worked right, not even in 7.4 - 11.0 just made
+ the problem manifest more clearly)
+
+ Trac #425
+ URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207831
+
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ Acked-by: Steffan Karger <steffan.karger@fox-it.com>
+ Message-Id: <20161108124506.32559-1-gert@greenie.muc.de>
+ URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12950.html
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit a433b3813d8c38b491d2baa7b433973f2d6cd7c6)
+
+diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
+index 11027dd..9bb586d 100644
+--- ./src/openvpn/tun.c
++++ ./src/openvpn/tun.c
+@@ -635,8 +635,8 @@ void delete_route_connected_v6_net(struct tuntap * tt,
+ * is still point to point and no layer 2 resolution is done...
+ */
+
+-const char *
+-create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
++in_addr_t
++create_arbitrary_remote( struct tuntap *tt )
+ {
+ in_addr_t remote;
+
+@@ -644,7 +644,7 @@ create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
+
+ if ( remote == tt->local ) remote ++;
+
+- return print_in_addr_t (remote, 0, gc);
++ return remote;
+ }
+ #endif
+
+@@ -1126,6 +1126,8 @@ do_ifconfig (struct tuntap *tt,
+
+ #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+
++ in_addr_t remote_end; /* for "virtual" subnet topology */
++
+ /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
+ if (tun)
+ argv_printf (&argv,
+@@ -1138,12 +1140,13 @@ do_ifconfig (struct tuntap *tt,
+ );
+ else if ( tt->topology == TOP_SUBNET )
+ {
++ remote_end = create_arbitrary_remote( tt );
+ argv_printf (&argv,
+ "%s %s %s %s mtu %d netmask %s up",
+ IFCONFIG_PATH,
+ actual,
+ ifconfig_local,
+- create_arbitrary_remote( tt, &gc ),
++ print_in_addr_t (remote_end, 0, &gc),
+ tun_mtu,
+ ifconfig_remote_netmask
+ );
+@@ -1170,7 +1173,7 @@ do_ifconfig (struct tuntap *tt,
+ r.flags = RT_DEFINED;
+ r.network = tt->local & tt->remote_netmask;
+ r.netmask = tt->remote_netmask;
+- r.gateway = tt->local;
++ r.gateway = remote_end;
+ add_route (&r, tt, 0, NULL, es);
+ }
+