Commit 4ca6438d authored by Antonio Quartulli

ovpn: don't drop skb's dst when xmitting packet



When routing a packet to a LAN behind a peer, ovpn needs to
inspect the route entry that brought the packet there in the
first place.

If this packet is truly routable, the route entry provides the
GW to be used when looking up the VPN peer to send the packet to.

However, the route entry is currently dropped before entering
the ovpn xmit function, because the IFF_XMIT_DST_RELEASE priv_flag
is enabled by default.

Clear the IFF_XMIT_DST_RELEASE flag during interface setup to allow
the route entry (skb's dst) to survive and thus be inspected
by the ovpn routing logic.

Fixes: a3aaef8c ("ovpn: implement peer lookup logic")
Reported-by: Gert Doering <gert@greenie.muc.de>
Closes: https://github.com/OpenVPN/ovpn-net-next/issues/2


Tested-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de> # as a primary user
Link: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31583.html


Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
parent 4e51141f
+2 −0
@@ -398,6 +398,8 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev)
				    netdev_name(ovpn->dev));
		goto drop;
	}
	/* dst was needed for peer selection - it can now be dropped */
	skb_dst_drop(skb);

	ovpn_peer_stats_increment_tx(&peer->vpn_stats, skb->len);
	ovpn_send(ovpn, skb_list.next, peer);
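Review bot: skb_dst_drop(skb) releases the dst of `skb` only, while two lines later the buffers handed to ovpn_send() start at `skb_list.next`. If that list can hold more than one buffer, the others keep their dst reference past this point and carry it through the encrypt and transmit path. Either walk the list and drop the dst on each entry, or extend the comment to say why dropping it on `skb` alone is enough. It is also worth a line in the comment that the `goto drop` path above relies on the normal skb free to release the dst, since that path skips this call.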
+5 −0
@@ -157,6 +157,11 @@ static void ovpn_setup(struct net_device *dev)
	dev->type = ARPHRD_NONE;
	dev->flags = IFF_POINTOPOINT | IFF_NOARP;
	dev->priv_flags |= IFF_NO_QUEUE;
	/* when routing packets to a LAN behind a client, we rely on the
	 * route entry that originally brought the packet into ovpn, so
	 * don't release it
	 */
	netif_keep_dst(dev);

	dev->lltx = true;
	dev->features |= feat;
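Review bot: the comment above netif_keep_dst(dev) explains why the dst is kept but not where it is now released. Since keeping the dst moves the responsibility for dropping it into the driver, name ovpn_net_xmit() in the comment so the keep and the drop stay paired when either side is changed later. Minor wording point in the same comment: it says "a LAN behind a client" while the commit message says "behind a peer"; using "peer" in both places would avoid suggesting the behaviour is limited to one role.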