
doc: remove PF leftovers from documentation

PF (Packet Filter) has been dropped from the OpenVPN code base; however,
some bits and pieces are left in the documentation.

Erase them all.

Reported-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220113200030.18656-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23531.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Antonio Quartulli authored on 2022/01/14 05:00:30
Showing 2 changed files
... ...
@@ -65,11 +65,6 @@ server and client mode operations.
65 65
   When the management interface is listening on a unix domain socket, only
66 66
   allow connections from group ``g``.
67 67
 
68
-  Management interface clients must specify a packet filter file for each
69
-  connecting client. See :code:`management-notes.txt` in OpenVPN
70
-  distribution for detailed notes.
71
-
72 68
 --management-client-user u
73 69
   When the management interface is listening on a unix domain socket, only
74 70
   allow connections from user ``u``.
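Review bot: the four removed lines (old 68-71) are an orphaned description with no option heading of its own; the context lines show it wedged between the ``--management-client-group`` text and ``--management-client-user u``, so the paragraph was referring to an option that the earlier PF removal had already taken out of this file. Dropping it is correct, and since it also points readers at ``management-notes.txt`` for the packet filter format, the second hunk in this commit is needed for the man page and the notes to stay consistent. Before merging, a quick ``grep -ri 'packet filter\|client-pf\|management-client-pf' doc/`` would confirm no other option description (for example the ``--client-to-client`` text) still mentions the feature.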
... ...
@@ -785,118 +785,6 @@ Immediately kill a client instance by CID.
785 785
 CID -- client ID.  See documentation for ">CLIENT:" notification for more
786 786
 info.
787 787
 
788
-COMMAND -- client-pf  (OpenVPN 2.1 or higher)
789
-
790
-Push a packet filter file to a specific client.
791
-
792
-The OpenVPN server should have been started with the
793
-VPN tunnel packets sent or received by client instances must
794
-conform to that client's packet filter configuration.
795
-
796
-  client-pf {CID}
797
-  line_1
798
-  line_2
799
-  ...
800
-  line_n
801
-  END
802
-
803
-CID -- client ID.  See documentation for ">CLIENT:" notification for
804
-more info.
805
-
806
-line_1 to line_n -- the packet filter configuration file for this
807
-client.
808
-
809
-Packet filter file grammar:
810
-
811
- [CLIENTS DROP|ACCEPT]
812
- {+|-}common_name1
813
- {+|-}common_name2
814
- . . .
815
- [SUBNETS DROP|ACCEPT]
816
- {+|-}subnet1
817
- {+|-}subnet2
818
- . . .
819
- [END]
820
-
821
- Subnet: IP-ADDRESS | IP-ADDRESS/NUM_NETWORK_BITS | "unknown"
822
-
823
- CLIENTS refers to the set of clients (by their common-name) which
824
- this instance is allowed ('+') to connect to, or is excluded ('-')
825
- from connecting to.  Note that in the case of client-to-client
826
- connections, such communication must be allowed by the packet filter
827
- configuration files of both clients AND the --client-to-client
828
- directive must have been specified in the OpenVPN server config.
829
-
830
- SUBNETS refers to IP addresses or IP address subnets which this
831
- client instance may connect to ('+') or is excluded ('-') from
832
- connecting to, and applies to IPv4 and ARP packets.  The special
833
- "unknown" tag refers to packets of unknown type, i.e. a packet that
834
- is not IPv4 or ARP.
835
-
836
- DROP or ACCEPT defines default policy when there is no explicit match
837
- for a common-name or subnet.  The [END] tag must exist.
838
-
839
- Notes:
840
-
841
- * The SUBNETS section currently only supports IPv4 addresses and
842
-   subnets.
843
-
844
- * A given client or subnet rule applies to both incoming and
845
-   outgoing packets.
846
-
847
- * The CLIENTS list is order-invariant.  Because the list is stored
848
-   as a hash-table, the order of the list does not affect its function.
849
-
850
- * The SUBNETS table is scanned sequentially, and the first item to
851
-   match is chosen.  Therefore the SUBNETS table is NOT order-invariant.
852
-
853
- * No client-to-client communication is allowed unless the
854
-   --client-to-client configuration directive is enabled AND
855
-   the CLIENTS list of BOTH clients allows the communication.
856
-
857
-Example packet filter spec, as transmitted to the management interface:
858
-
859
- client-pf 42
860
- [CLIENTS ACCEPT]
861
- -accounting
862
- -enigma
863
- [SUBNETS DROP]
864
- -10.46.79.9
865
- +10.0.0.0/8
866
- [END]
867
- END
868
-
869
-The above example sets the packet filter policy for the client
870
-identified by CID=42.  This client may connect to all other clients
871
-except those having a common name of "accounting" or "enigma".
872
-The client may only interact with external IP addresses in the
873
-10.0.0.0/8 subnet, however access to 10.46.79.9 is specifically
874
-excluded.
875
-
876
-Another example packet filter spec, as transmitted to the
877
-management interface:
878
-
879
- client-pf 99
880
- [CLIENTS DENY]
881
- +public
882
- [SUBNETS ACCEPT]
883
- +10.10.0.1
884
- -10.0.0.0/8
885
- -unknown
886
- [END]
887
- END
888
-
889
-The above example sets the packet filter policy for the client
890
-identified by CID=99.  This client may not connect to any other
891
-clients except those having a common name of "public".  It may
892
-interact with any external IP address except those in the
893
-10.0.0.0/8 netblock.  However interaction with one address in
894
-the 10.0.0.0/8 netblock is allowed: 10.10.0.1.  Also, the client
895
-may not interact with external IP addresses using an "unknown"
896
-protocol (i.e. one that is not IPv4 or ARP).
897
-
898 788
 COMMAND -- remote  (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher)
899 789
 --------------------------------------------
900 790
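Review bot: the section boundary stays well-formed after the cut (the blank context line at old 787 is followed directly by the ``COMMAND -- remote`` header at new 788), but the command index at the top of ``management-notes.txt`` and the ``>CLIENT:`` notification text that this section cites should be checked for surviving ``client-pf`` mentions, otherwise the file will still advertise a command the server no longer implements. The removed text was also internally inconsistent (the second example uses ``[CLIENTS DENY]`` while the grammar above it only allows ``DROP|ACCEPT``, and the ``"unknown"`` subnet tag is described twice), so any leftover fragment elsewhere in the notes is likely to carry the same inconsistencies and is worth removing in the same pass.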