@@ -1005,7 +1005,7 @@ process_incoming_tun (struct context *c)

 void

 process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf)

 {

-  if (!c->options.mssfix)

+  if (!c->options.ce.mssfix)

     flags &= ~PIPV4_MSSFIX;

 #if PASSTOS_CAPABILITY

   if (!c->options.passtos)

@@ -1779,10 +1779,10 @@ do_deferred_options (struct context *c, const unsigned int found)

 #ifdef ENABLE_OCC

   if (found & OPT_P_EXPLICIT_NOTIFY)

     {

-      if (!proto_is_udp(c->options.ce.proto) && c->options.explicit_exit_notification)

+      if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)

 	{

 	  msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");

-	  c->options.explicit_exit_notification = 0;

+	  c->options.ce.explicit_exit_notification = 0;

 	}

       else

 	msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");

@@ -1955,10 +1955,10 @@ frame_finalize_options (struct context *c, const struct options *o)

     }

   frame_finalize (&c->c2.frame,

-		  o->link_mtu_defined,

-		  o->link_mtu,

-		  o->tun_mtu_defined,

-		  o->tun_mtu);

+		  o->ce.link_mtu_defined,

+		  o->ce.link_mtu,

+		  o->ce.tun_mtu_defined,

+		  o->ce.tun_mtu);

 }

 /*

@@ -2404,8 +2404,8 @@ do_init_frame (struct context *c)

   /*

    * Adjust frame size based on the --tun-mtu-extra parameter.

    */

-  if (c->options.tun_mtu_extra_defined)

-    tun_adjust_frame_parameters (&c->c2.frame, c->options.tun_mtu_extra);

+  if (c->options.ce.tun_mtu_extra_defined)

+    tun_adjust_frame_parameters (&c->c2.frame, c->options.ce.tun_mtu_extra);

   /*

    * Adjust frame size based on link socket parameters.

@@ -2434,13 +2434,13 @@ do_init_frame (struct context *c)

   /*

    * MTU advisories

    */

-  if (c->options.fragment && c->options.mtu_test)

+  if (c->options.ce.fragment && c->options.mtu_test)

     msg (M_WARN,

 	 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");

 #endif

 #ifdef ENABLE_FRAGMENT

-  if ((c->options.mssfix || c->options.fragment)

+  if ((c->options.ce.mssfix || c->options.ce.fragment)

       && TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU)

     msg (M_WARN,

 	 "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",

@@ -2612,9 +2612,9 @@ do_init_buffers (struct context *c)

 static void

 do_init_fragment (struct context *c)

 {

-  ASSERT (c->options.fragment);

+  ASSERT (c->options.ce.fragment);

   frame_set_mtu_dynamic (&c->c2.frame_fragment,

-			 c->options.fragment, SET_MTU_UPPER_BOUND);

+			 c->options.ce.fragment, SET_MTU_UPPER_BOUND);

   fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment);

 }

 #endif

@@ -2625,10 +2625,10 @@ do_init_fragment (struct context *c)

 static void

 do_init_mssfix (struct context *c)

 {

-  if (c->options.mssfix)

+  if (c->options.ce.mssfix)

     {

       frame_set_mtu_dynamic (&c->c2.frame,

-			     c->options.mssfix, SET_MTU_UPPER_BOUND);

+			     c->options.ce.mssfix, SET_MTU_UPPER_BOUND);

     }

 }

@@ -2684,7 +2684,7 @@ do_init_socket_1 (struct context *c, const int mode)

 			   c->options.ce.connect_retry_seconds,

 			   c->options.ce.connect_timeout,

 			   c->options.ce.connect_retry_max,

-			   c->options.mtu_discover_type,

+			   c->options.ce.mtu_discover_type,

 			   c->options.rcvbuf,

 			   c->options.sndbuf,

 			   c->options.mark,

@@ -3399,7 +3399,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int

 #ifdef ENABLE_FRAGMENT

   /* initialize internal fragmentation object */

-  if (options->fragment && (c->mode == CM_P2P || child))

+  if (options->ce.fragment && (c->mode == CM_P2P || child))

     c->c2.fragment = fragment_init (&c->c2.frame);

 #endif

@@ -3435,7 +3435,7 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int

 #ifdef ENABLE_FRAGMENT

   /* initialize internal fragmentation capability with known frame size */

-  if (options->fragment && (c->mode == CM_P2P || child))

+  if (options->ce.fragment && (c->mode == CM_P2P || child))

     do_init_fragment (c);

 #endif

@@ -368,7 +368,7 @@ process_received_occ_msg (struct context *c)

 	       c->c2.max_recv_size_remote,

 	       c->c2.max_send_size_remote,

 	       c->c2.max_recv_size_local);

-	  if (!c->options.fragment

+	  if (!c->options.ce.fragment

 	      && (proto_is_dgram(c->options.ce.proto))

 	      && c->c2.max_send_size_local > TUN_MTU_MIN

 	      && (c->c2.max_recv_size_remote < c->c2.max_send_size_local

@@ -767,10 +767,10 @@ init_options (struct options *o, const bool init_gc)

   o->status_file_update_freq = 60;

   o->status_file_version = 1;

   o->ce.bind_local = true;

-  o->tun_mtu = TUN_MTU_DEFAULT;

-  o->link_mtu = LINK_MTU_DEFAULT;

-  o->mtu_discover_type = -1;

-  o->mssfix = MSSFIX_DEFAULT;

+  o->ce.tun_mtu = TUN_MTU_DEFAULT;

+  o->ce.link_mtu = LINK_MTU_DEFAULT;

+  o->ce.mtu_discover_type = -1;

+  o->ce.mssfix = MSSFIX_DEFAULT;

   o->route_delay_window = 30;

   o->max_routes = MAX_ROUTES_DEFAULT;

   o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;

@@ -1360,8 +1360,26 @@ show_connection_entry (const struct connection_entry *o)

   SHOW_INT (socks_proxy_port);

   SHOW_BOOL (socks_proxy_retry);

 #endif

+  SHOW_INT (tun_mtu);

+  SHOW_BOOL (tun_mtu_defined);

+  SHOW_INT (link_mtu);

+  SHOW_BOOL (link_mtu_defined);

+  SHOW_INT (tun_mtu_extra);

+  SHOW_BOOL (tun_mtu_extra_defined);

+

+  SHOW_INT (mtu_discover_type);

+

+#ifdef ENABLE_FRAGMENT

+  SHOW_INT (fragment);

+#endif

+  SHOW_INT (mssfix);

+

+#ifdef ENABLE_OCC

+  SHOW_INT (explicit_exit_notification);

+#endif

 }

+

 static void

 show_connection_entries (const struct options *o)

 {

@@ -1432,19 +1450,6 @@ show_settings (const struct options *o)

 #ifdef HAVE_GETTIMEOFDAY

   SHOW_INT (shaper);

 #endif

-  SHOW_INT (tun_mtu);

-  SHOW_BOOL (tun_mtu_defined);

-  SHOW_INT (link_mtu);

-  SHOW_BOOL (link_mtu_defined);

-  SHOW_INT (tun_mtu_extra);

-  SHOW_BOOL (tun_mtu_extra_defined);

-

-#ifdef ENABLE_FRAGMENT

-  SHOW_INT (fragment);

-#endif

-

-  SHOW_INT (mtu_discover_type);

-

 #ifdef ENABLE_OCC

   SHOW_INT (mtu_test);

 #endif

@@ -1459,16 +1464,11 @@ show_settings (const struct options *o)

   SHOW_INT (ping_rec_timeout_action);

   SHOW_BOOL (ping_timer_remote);

   SHOW_INT (remap_sigusr1);

-#ifdef ENABLE_OCC

-  SHOW_INT (explicit_exit_notification);

-#endif

   SHOW_BOOL (persist_tun);

   SHOW_BOOL (persist_local_ip);

   SHOW_BOOL (persist_remote_ip);

   SHOW_BOOL (persist_key);

-  SHOW_INT (mssfix);

-  

 #if PASSTOS_CAPABILITY

   SHOW_BOOL (passtos);

 #endif

@@ -1958,7 +1958,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

   /*

    * Sanity check on MTU parameters

    */

-  if (options->tun_mtu_defined && options->link_mtu_defined)

+  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)

     msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);

 #ifdef ENABLE_OCC

@@ -2041,12 +2041,12 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

    */

 #ifdef ENABLE_FRAGMENT

-  if (!proto_is_udp(ce->proto) && options->fragment)

+  if (!proto_is_udp(ce->proto) && ce->fragment)

     msg (M_USAGE, "--fragment can only be used with --proto udp");

 #endif

 #ifdef ENABLE_OCC

-  if (!proto_is_udp(ce->proto) && options->explicit_exit_notification)

+  if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)

     msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");

 #endif

@@ -2131,7 +2131,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

       if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)

 	msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");

 #ifdef ENABLE_OCC

-      if (options->explicit_exit_notification)

+      if (ce->explicit_exit_notification)

 	msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server");

 #endif

       if (options->routes && (options->routes->flags & RG_ENABLE))

@@ -2426,27 +2426,28 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)

   /* if protocol forcing is enabled, disable all protocols except for the forced one */

   if (o->proto_force >= 0 && proto_is_tcp(o->proto_force) != proto_is_tcp(ce->proto))

     ce->flags |= CE_DISABLED;

-}

-

-static void

-options_postprocess_mutate_invariant (struct options *options)

-{

-  const int dev = dev_type_enum (options->dev, options->dev_type);

   /*

    * If --mssfix is supplied without a parameter, default

    * it to --fragment value, if --fragment is specified.

    */

-  if (options->mssfix_default)

+  if (o->ce.mssfix_default)

     {

 #ifdef ENABLE_FRAGMENT

-      if (options->fragment)

-	options->mssfix = options->fragment;

+      if (ce->fragment)

+	o->ce.mssfix = ce->fragment;

 #else

       msg (M_USAGE, "--mssfix must specify a parameter");

 #endif      

     }

+}

+

+static void

+options_postprocess_mutate_invariant (struct options *options)

+{

+  const int dev = dev_type_enum (options->dev, options->dev_type);

+

   /*

    * In forking TCP server mode, you don't need to ifconfig

    * the tap device (the assumption is that it will be bridged).

@@ -2458,14 +2459,14 @@ options_postprocess_mutate_invariant (struct options *options)

    * Set MTU defaults

    */

   {

-    if (!options->tun_mtu_defined && !options->link_mtu_defined)

+    if (!options->ce.tun_mtu_defined && !options->ce.link_mtu_defined)

       {

-	options->tun_mtu_defined = true;

+	options->ce.tun_mtu_defined = true;

       }

-    if ((dev == DEV_TYPE_TAP) && !options->tun_mtu_extra_defined)

+    if ((dev == DEV_TYPE_TAP) && !options->ce.tun_mtu_extra_defined)

       {

-	options->tun_mtu_extra_defined = true;

-	options->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;

+	options->ce.tun_mtu_extra_defined = true;

+	options->ce.tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;

       }

   }

@@ -2951,7 +2952,7 @@ options_string (const struct options *o,

 #endif

 #ifdef ENABLE_FRAGMENT

-  if (o->fragment)

+  if (o->ce.fragment)

     buf_printf (&out, ",mtu-dynamic");

 #endif

@@ -4729,39 +4730,40 @@ add_option (struct options *options,

     }

   else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1])

     {

-      VERIFY_PERMISSION (OPT_P_MTU);

-      options->link_mtu = positive_atoi (p[1]);

-      options->link_mtu_defined = true;

+      VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);

+      options->ce.link_mtu = positive_atoi (p[1]);

+      options->ce.link_mtu_defined = true;

     }

   else if (streq (p[0], "tun-mtu") && p[1])

     {

-      VERIFY_PERMISSION (OPT_P_MTU);

-      options->tun_mtu = positive_atoi (p[1]);

-      options->tun_mtu_defined = true;

+      VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);

+      options->ce.tun_mtu = positive_atoi (p[1]);

+      options->ce.tun_mtu_defined = true;

     }

   else if (streq (p[0], "tun-mtu-extra") && p[1])

     {

-      VERIFY_PERMISSION (OPT_P_MTU);

-      options->tun_mtu_extra = positive_atoi (p[1]);

-      options->tun_mtu_extra_defined = true;

+      VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);

+      options->ce.tun_mtu_extra = positive_atoi (p[1]);

+      options->ce.tun_mtu_extra_defined = true;

     }

 #ifdef ENABLE_FRAGMENT

   else if (streq (p[0], "mtu-dynamic"))

     {

-      VERIFY_PERMISSION (OPT_P_GENERAL);

+      VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);

       msg (msglevel, "--mtu-dynamic has been replaced by --fragment");

       goto err;

     }

   else if (streq (p[0], "fragment") && p[1])

     {

-      VERIFY_PERMISSION (OPT_P_MTU);

-      options->fragment = positive_atoi (p[1]);

+//      VERIFY_PERMISSION (OPT_P_MTU);

+      VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);

+      options->ce.fragment = positive_atoi (p[1]);

     }

 #endif

   else if (streq (p[0], "mtu-disc") && p[1])

     {

-      VERIFY_PERMISSION (OPT_P_MTU);

-      options->mtu_discover_type = translate_mtu_discover_type_name (p[1]);

+      VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);

+      options->ce.mtu_discover_type = translate_mtu_discover_type_name (p[1]);

     }

 #ifdef ENABLE_OCC

   else if (streq (p[0], "mtu-test"))

@@ -5106,14 +5108,15 @@ add_option (struct options *options,

 #ifdef ENABLE_OCC

   else if (streq (p[0], "explicit-exit-notify"))

     {

-      VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY);

+      VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);

+//      VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY);

       if (p[1])

 	{

-	  options->explicit_exit_notification = positive_atoi (p[1]);

+	  options->ce.explicit_exit_notification = positive_atoi (p[1]);

 	}

       else

 	{

-	  options->explicit_exit_notification = 1;

+	  options->ce.explicit_exit_notification = 1;

 	}

     }

 #endif

@@ -5369,13 +5372,13 @@ add_option (struct options *options,

     }

   else if (streq (p[0], "mssfix"))

     {

-      VERIFY_PERMISSION (OPT_P_GENERAL);

+      VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);

       if (p[1])

 	{

-	  options->mssfix = positive_atoi (p[1]);

+	  options->ce.mssfix = positive_atoi (p[1]);

 	}

       else

-	options->mssfix_default = true;

+	options->ce.mssfix_default = true;

     }

 #ifdef ENABLE_OCC

@@ -111,6 +111,24 @@ struct connection_entry

   bool socks_proxy_retry;

 #endif

+  int tun_mtu;           /* MTU of tun device */

+  bool tun_mtu_defined;  /* true if user overriding parm with command line option */

+  int tun_mtu_extra;

+  bool tun_mtu_extra_defined;

+  int link_mtu;          /* MTU of device over which tunnel packets pass via TCP/UDP */

+  bool link_mtu_defined; /* true if user overriding parm with command line option */

+

+  /* Advanced MTU negotiation and datagram fragmentation options */

+  int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */

+

+  int fragment;          /* internal fragmentation size */

+  int mssfix;            /* Upper bound on TCP MSS */

+  bool mssfix_default;   /* true if --mssfix was supplied without a parameter */

+

+#ifdef ENABLE_OCC

+  int explicit_exit_notification;  /* Explicitly tell peer when we are exiting via OCC_EXIT message */

+#endif

+

 # define CE_DISABLED (1<<0)

 #if HTTP_PROXY_FALLBACK

 # define CE_HTTP_PROXY_FALLBACK (1<<1)

@@ -245,24 +263,13 @@ struct options

 #ifdef HAVE_GETTIMEOFDAY

   int shaper;

 #endif

-  int tun_mtu;           /* MTU of tun device */

-  int tun_mtu_extra;

-  bool tun_mtu_extra_defined;

-  int link_mtu;          /* MTU of device over which tunnel packets pass via TCP/UDP */

-  bool tun_mtu_defined;  /* true if user overriding parm with command line option */

-  bool link_mtu_defined; /* true if user overriding parm with command line option */

   int proto_force;

-  /* Advanced MTU negotiation and datagram fragmentation options */

-  int mtu_discover_type; /* used if OS supports setting Path MTU discovery options on socket */

-

 #ifdef ENABLE_OCC

   bool mtu_test;

 #endif

-  int fragment;                 /* internal fragmentation size */

-

 #ifdef ENABLE_MEMSTATS

   char *memstats_fn;

 #endif

@@ -285,18 +292,11 @@ struct options

 # define PING_RESTART 2

   int ping_rec_timeout_action;  /* What action to take on ping_rec_timeout (exit or restart)? */

-#ifdef ENABLE_OCC

-  int explicit_exit_notification;  /* Explicitly tell peer when we are exiting via OCC_EXIT message */

-#endif

-

   bool persist_tun;             /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */

   bool persist_local_ip;        /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */

   bool persist_remote_ip;       /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */

   bool persist_key;             /* Don't re-read key files on SIGUSR1 or PING_RESTART */

-  int mssfix;                   /* Upper bound on TCP MSS */

-  bool mssfix_default;          /* true if --mssfix was supplied without a parameter */

-

 #if PASSTOS_CAPABILITY

   bool passtos;                  

 #endif

@@ -300,8 +300,8 @@ process_explicit_exit_notification_timer_wakeup (struct context *c)

 			     &c->c2.timeval,

 			     ETT_DEFAULT))

     {

-      ASSERT (c->c2.explicit_exit_notification_time_wait && c->options.explicit_exit_notification);

-      if (now >= c->c2.explicit_exit_notification_time_wait + c->options.explicit_exit_notification)

+      ASSERT (c->c2.explicit_exit_notification_time_wait && c->options.ce.explicit_exit_notification);

+      if (now >= c->c2.explicit_exit_notification_time_wait + c->options.ce.explicit_exit_notification)

 	{

 	  event_timeout_clear (&c->c2.explicit_exit_notification_interval);

 	  c->sig->signal_received = SIGTERM;

@@ -340,7 +340,7 @@ process_sigterm (struct context *c)

 {

   bool ret = true;

 #ifdef ENABLE_OCC

-  if (c->options.explicit_exit_notification

+  if (c->options.ce.explicit_exit_notification

       && !c->c2.explicit_exit_notification_time_wait)

     {

       process_explicit_exit_notification_init (c);