GitList

Browse code

Make --nobind default for --pull

Currently we default to local binding with udp. But the majority of
configuration files actually uses --nobind in the configuration to
change the default for --client. And client protocols should normally
use a random source port. This changes the default. Local binding with
--client can still be done using --bind.

This commit refactors the current code to be more easy to add to understand
and adds the the o->pull condition as additional option to opt into setting
local binding to false.

Patch v2: add more commments

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211206010007.3072528-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23303.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Arne Schwabe authored on 2021/12/06 10:00:07
Showing 2 changed files

Changes.rst

History View file @ de02c82

@@ -120,7 +120,8 @@ PF (Packet Filtering) support has been removed
                      User-visible Changes
                      --------------------
                      - CHACHA20-POLY1305 is included in the default of ``--data-ciphers`` when available.
                     -- Option ``--prng`` is ignored as we rely on the SSL library radnom generator.
                     +- Option ``--prng`` is ignored as we rely on the SSL library random number generator.
                     +- Option ``--nobind`` is default when ``--client`` or ``--pull`` is used in the configuration
                      Overview of changes in 2.5
                      ==========================

src/openvpn/options.c

History View file @ de02c82

@@ -2859,14 +2859,16 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
+                             }
+                         }
                     -    if (ce->proto == PROTO_TCP_CLIENT && !ce->local
                     -        && !ce->local_port_defined && !ce->bind_defined)
                     -    {
                     -        ce->bind_local = false;
                     -    }
                     +    /* an option is present that requires local bind to enabled */
                     +    bool need_bind = ce->local || ce->local_port_defined || ce->bind_defined;
+                    +
                     +    /* socks proxy is enabled */
                     +    bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
                     -    if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local
                     -        && !ce->local_port_defined && !ce->bind_defined)
                     +    /* If binding is not forced by an explicit option and we have (at least)
                     +     * one of --tcp-client, --pull (or --client), or socks we do not bind
                     +     * locally to have "normal" IP client behaviour of a random source port */
                     +    if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
+                         {
                              ce->bind_local = false;
+                         }