From 4ca6438da45688dae5c5958f640560f9496f21a4 Mon Sep 17 00:00:00 2001 From: Antonio Quartulli Date: Wed, 7 May 2025 09:58:31 +0200 Subject: [PATCH] ovpn: don't drop skb's dst when xmitting packet When routing a packet to a LAN behind a peer, ovpn needs to inspect the route entry that brought the packet there in the first place. If this packet is truly routable, the route entry provides the GW to be used when looking up the VPN peer to send the packet to. However, the route entry is currently dropped before entering the ovpn xmit function, because the IFF_XMIT_DST_RELEASE priv_flag is enabled by default. Clear the IFF_XMIT_DST_RELEASE flag during interface setup to allow the route entry (skb's dst) to survive and thus be inspected by the ovpn routing logic. Fixes: a3aaef8cd173 ("ovpn: implement peer lookup logic") Reported-by: Gert Doering Closes: https://github.com/OpenVPN/ovpn-net-next/issues/2 Tested-by: Gert Doering Acked-by: Gert Doering # as a primary user Link: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31583.html Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/io.c | 2 ++ drivers/net/ovpn/main.c | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/drivers/net/ovpn/io.c b/drivers/net/ovpn/io.c index dd8a8055d967..7e4b89484c9d 100644 --- a/drivers/net/ovpn/io.c +++ b/drivers/net/ovpn/io.c @@ -398,6 +398,8 @@ netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev) netdev_name(ovpn->dev)); goto drop; } + /* dst was needed for peer selection - it can now be dropped */ + skb_dst_drop(skb); ovpn_peer_stats_increment_tx(&peer->vpn_stats, skb->len); ovpn_send(ovpn, skb_list.next, peer); diff --git a/drivers/net/ovpn/main.c b/drivers/net/ovpn/main.c index 0acb0934c1be..1bb1afe766a4 100644 --- a/drivers/net/ovpn/main.c +++ b/drivers/net/ovpn/main.c @@ -157,6 +157,11 @@ static void ovpn_setup(struct net_device *dev) dev->type = ARPHRD_NONE; dev->flags = IFF_POINTOPOINT | IFF_NOARP; dev->priv_flags |= IFF_NO_QUEUE; + /* when routing packets to a LAN behind a client, we rely on the + * route entry that originally brought the packet into ovpn, so + * don't release it + */ + netif_keep_dst(dev); dev->lltx = true; dev->features |= feat; -- 2.25.1