List:       openvpn-users
Subject:    [Openvpn-users] HEADS UP: fate of the built-in packet filter (PF)
From:       Gert Doering <gert () greenie ! muc ! de>
Date:       2021-01-21 11:11:16
Message-ID: 20210121111116.GS976 () greenie ! muc ! de

Hi,

OpenVPN has a built-in packet filter, which has a couple of issues

 - it is IPv4 only (though IPv6 patches existed at some point, but nobody
   reviewed them, so they did not get merged)

 - it can only be configured by a plugin or the management interface
   (so actually *using* it is not very straightforward)

 - it is not tested in any automated way today

 - none of the core developers uses it, or knows any deployment where it
   is used - so if we break it, we might not even notice

   (this was actually what brought up the discussion today - if a plugin 
    returns OPENVPN_PLUGIN_FUNC_ERROR on OPENVPN_PLUGIN_ENABLE_PF, openvpn
    will crash with a NULL pointer access...)

 - not even OpenVPN AS, which usually uses "those interesting features that
   nobody else knows about" uses PF (compiles with --disable-pf)


Based on this, we consider ripping all the PF stuff *out* of OpenVPN
for the 2.6 release ("hopefully later this year").


This is your chance to speak up and tell us "I use OpenVPN pf for this
totally cool thing, and there is no way to do this with the firewalling
layer the operating system provides, because..." :-)

So - surprise us!

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert@greenie.muc.de
