From owner-svn-ports-head@FreeBSD.ORG Fri May 22 21:39:39 2015 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1585851B; Fri, 22 May 2015 21:39:39 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0362D10FC; Fri, 22 May 2015 21:39:39 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t4MLdcg7085332; Fri, 22 May 2015 21:39:38 GMT (envelope-from mandree@FreeBSD.org) Received: (from mandree@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t4MLdcU8085330; Fri, 22 May 2015 21:39:38 GMT (envelope-from mandree@FreeBSD.org) Message-Id: <201505222139.t4MLdcU8085330@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: mandree set sender to mandree@FreeBSD.org using -f 
From: Matthias Andree Date: Fri, 22 May 2015 21:39:38 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r387083 - in head/security/openvpn: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 May 2015 21:39:39 -0000 Author: mandree Date: Fri May 22 21:39:37 2015 New Revision: 387083 URL: https://svnweb.freebsd.org/changeset/ports/387083 Log: Add experimental patch by Gert Döring to fix PR #194745. Must be enabled through the options framework ("make config"). PR: 194745 Added: head/security/openvpn/files/EF-subnet.patch (contents, props changed) Modified: head/security/openvpn/Makefile Modified: head/security/openvpn/Makefile ============================================================================== --- head/security/openvpn/Makefile Fri May 22 20:34:27 2015 (r387082) +++ head/security/openvpn/Makefile Fri May 22 21:39:37 2015 (r387083) @@ -3,7 +3,7 @@ PORTNAME= openvpn DISTVERSION= 2.3.6 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ @@ -28,7 +28,8 @@ LDFLAGS+= -L${LOCALBASE}/lib # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" -OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX2 +OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ + ENGINEFIX2 SUBNETFIX OPTIONS_DEFAULT= EASYRSA OPENSSL OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL POLARSSL 
@@ -38,6 +39,7 @@ EASYRSA_DESC= Install security/easy-rsa POLARSSL_DESC= SSL/TLS support via PolarSSL X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL) ENGINEFIX2_DESC= New EXPERIMENTAL patchset for SSL engine use (OpenSSL) +SUBNETFIX_DESC= EXPERIMENTAL patch to fix subnet mode (tkt \#481) EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa @@ -57,6 +59,11 @@ EXTRA_PATCHES+= ${FILESDIR}/EF1.patch:- ${FILESDIR}/EF3.patch:-p1 .endif +# patch to fix PR 194745, https://community.openvpn.net/openvpn/ticket/481 +.if ${PORT_OPTIONS:MSUBNETFIX} +EXTRA_PATCHES+= ${FILESDIR}/EF-subnet.patch:-p1 +.endif + .if ${PORT_OPTIONS:MPOLARSSL} . if ${PORT_OPTIONS:MX509ALTUSERNAME} BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead Added: head/security/openvpn/files/EF-subnet.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openvpn/files/EF-subnet.patch Fri May 22 21:39:37 2015 (r387083) 
@@ -0,0 +1,63 @@ +From b8f70b0f25c44e6d6a17b9f76756de87146a55d9 Mon Sep 17 00:00:00 2001 +From: Gert Doering +Date: Sun, 26 Apr 2015 18:16:39 +0200 +Subject: [PATCH] Fix FreeBSD ifconfig for topology subnet tunnels. + +For "topology subnet", we only pretend to have a subnet and keep +using the tun if in point-to-point mode - but for that to fully +work, the "remote" address needs to be different from the "local" +address. So just arbitrarily construct one from the on-link +subnet - base+1, if "that is not us", base+2, otherwise. + +Fix trac #481 + +Signed-off-by: Gert Doering +--- + src/openvpn/tun.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c +index 11a6d71..aa7a9f0 100644 +--- a/src/openvpn/tun.c ++++ b/src/openvpn/tun.c +@@ -626,6 +626,28 @@ void delete_route_connected_v6_net(struct tuntap * tt, + } + #endif + ++#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY) ++/* we can't use true subnet mode on tun on all platforms, as that ++ * conflicts with IPv6 (wants to use ND then, which we don't do), ++ * but the OSes want "a remote address that is different from ours" ++ * - so we construct one, normally the first in the subnet, but if ++ * this is the same as ours, use the second one. ++ * The actual address does not matter at all, as the tun interface ++ * is still point to point and no layer 2 resolution is done... ++ */ ++ ++char * ++create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc ) ++{ ++ in_addr_t remote; ++ ++ remote = (tt->local & tt->remote_netmask) +1; ++ ++ if ( remote == tt->local ) remote ++; ++ ++ return print_in_addr_t (remote, 0, &gc); ++} ++#endif + + /* execute the ifconfig command through the shell */ + void +@@ -1150,7 +1172,7 @@ do_ifconfig (struct tuntap *tt, + IFCONFIG_PATH, + actual, + ifconfig_local, +- ifconfig_local, ++ create_arbitrary_remote( tt, &gc ), + tun_mtu, + ifconfig_remote_netmask + ); +-- +2.2.2 +
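Review bot: in the `SUBNETFIX_DESC` line of the OPTIONS hunk, escaping the hash as `\#481` is the right way to keep bmake from treating the rest of the line as a comment, but the description names only the upstream trac ticket while the Makefile comment and the commit log refer to PR 194745; naming both in the description (for example "EXPERIMENTAL patch to fix subnet mode (PR 194745, tkt \#481)") lets a user running `make config` find the FreeBSD PR without opening the Makefile.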
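Review bot: the `EXTRA_PATCHES` hunk is correct as written (`-p1` matches the `a/src/openvpn/tun.c` / `b/src/openvpn/tun.c` prefixes of the embedded git diff, and leaving SUBNETFIX out of `OPTIONS_DEFAULT` keeps the patch opt-in as the log states), but the comment block only records the PR and ticket numbers; please also note the upstream commit id from the patch header (`b8f70b0f25c44e6d6a17b9f76756de87146a55d9`) so that whoever updates the port to a release containing that commit can see at a glance that the option and `files/EF-subnet.patch` can be dropped.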
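Review bot: in the `create_arbitrary_remote` hunk, `gc` is already a `struct gc_arena *`, so `print_in_addr_t (remote, 0, &gc)` passes a `struct gc_arena **` where print_in_addr_t takes a `struct gc_arena *`; the call should read `print_in_addr_t (remote, 0, gc)` (the caller in `do_ifconfig` passes `&gc` on its own local arena, which is the correct level of indirection at that end). Two smaller points on the same function: print_in_addr_t returns `const char *`, so the helper should be declared `const char *` rather than `char *`, and since it is only used inside tun.c it can be `static`, which also avoids a missing-prototype warning. Finally, `(tt->local & tt->remote_netmask) +1` followed by the `remote ++` bump assumes the subnet has room for at least two host addresses; for a /31 or /32 `--ifconfig` netmask the constructed address lands outside the subnet. The comment argues the value is irrelevant because the interface stays point-to-point, which is fine, but one line stating that assumption next to the arithmetic would save the next reader from re-deriving it.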
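Review bot: the `do_ifconfig` hunk replaces the second `ifconfig_local` (the duplicated local address that FreeBSD's ifconfig rejects for `topology subnet`) with `create_arbitrary_remote( tt, &gc )`, but the context lines do not show the surrounding `#if`; since the helper is only compiled under `TARGET_FREEBSD || TARGET_DRAGONFLY`, please confirm this `argv_printf` call sits inside the same platform block, otherwise other targets would fail to link. A short comment above the call would also help: the returned string is allocated from `gc`, so the arena must not be freed before the ifconfig command is executed.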