This looks good, thanks! Please could you include a Signed-off-by: tag as discussed at http://www.infradead.org/openconnect/contribute.html ?

On Thu, 2015-08-13 at 17:31 +0200, Ralph Schmieder wrote:

> diff -rupN openconnect-7.06/dtls.c openconnect-7.06-rschmied/dtls.c > --- openconnect-7.06/dtls.c> > 2015-02-27 10:56:03.000000000 +0000 > +++ openconnect-7.06-rschmied/dtls.c> > 2015-08-13 15:05:46.400228058 +0000 > @@ -25,6 +25,8 @@ > #include > #include > #include > +#include > +#include > > #include "openconnect-internal.h" 
> > @@ -901,7 +903,38 @@ int dtls_mainloop(struct openconnect_inf > > > while (vpninfo->outgoing_queue.head) { > > > > struct pkt *this = dequeue_packet(&vpninfo->outgoing_queue); > > > > struct pkt *send_pkt = this; > -> > > int ret; > +> > > int ret, valid=1; > +> > > struct ip *iph; > +> > > struct ip6_hdr *ip6h; > +> > > uint8_t tos; > + > +> > > /* Unless no-tos-copy is set we want to copy the TOS/TCLASS header */ > +> > > /* to the outer UDP packet */ > +> > > if (!vpninfo->dtls_no_tos_copy) { qv. > + /* get the TOS / TCLASS value of the original frame */ > +> > > > iph = (struct ip *)this->data; > +> > > > if (iph->ip_v == 6 && this->len > sizeof(struct ip6_hdr)) { > +> > > > > /* AF_INET6 */ > +> > > > > ip6h = (struct ip6_hdr *)this->data; > +> > > > > tos = (ntohl(0x0FF00000) & ip6h->ip6_flow) >> 20; > +> > > > } else if (iph->ip_v == 4 && this->len > sizeof(struct iphdr)) { > +> > > > > /* AF_INET */ > +> > > > > tos = iph->ip_tos; > +> > > > } else {

This is the right thing to do. However, it's painful. The definitions of IPv6 and Legacy IP headers are in different places on different systems. In oncp.c you'll see I eventually bailed on doing it 'nicely' and just did it manually; see the code which gets 'iplen' at around line 997. Please could you do the same here for the TOS/TCLASS bits? It's not so nice, but you can console yourself with the fact that the IPv4 and IPv6 header structures *aren't* going to change...

> --- openconnect-7.06/ssl.c> > 2015-03-17 13:29:49.000000000 +0000 > +++ openconnect-7.06-rschmied/ssl.c> > 2015-08-13 14:43:38.848221182 +0000 
> @@ -810,9 +810,13 @@ int udp_sockaddr(struct openconnect_info > > > if (vpninfo->peer_addr->sa_family == AF_INET) { > > > > struct sockaddr_in *sin = (void *)vpninfo->dtls_addr; > > > > sin->sin_port = htons(port); #ifdef IP_TOS if (!vpninfo->dtls_no_tos_copy) { > + vpninfo->dtls_tos_level = IPPROTO_IP; > +> > > vpninfo->dtls_tos_optname = IP_TOS; } #endif > } else if (vpninfo->peer_addr->sa_family == AF_INET6) { > > > > struct sockaddr_in6 *sin = (void *)vpninfo->dtls_addr; > > > > sin->sin6_port = htons(port); #ifdef IPV6_TCLASS if (vpninfo->dtls_no_tos_copy) { > + vpninfo->dtls_tos_level = IPPROTO_IPV6; > +> > > vpninfo->dtls_tos_optname = IPV6_TCLASS; } > } else { > > > > vpn_progress(vpninfo, PRG_ERR, > > > > > _("Unknown protocol family %d. Cannot create UDP server address\n"),

You can probably get away without a configure check, if you do what I showed above. And then up there where I said 'qv' to your 'if (!vpninfo->dtls_no_tos_copy)', make that 'if (vpninfo->dtls_tos_optname)' instead. Which will make it happen if it's not disabled *and* if the system we're running on supports it for the IP protocol that we happen to be connected over. Does that make sense?

You'll want to reset vpninfo->dtls_tos_optname when the connection is reset, to prevent it being inappropriately reused.

-- 
David Woodhouse
Open Source Technology Centre
David.Woodhouse at intel.com
Intel Corporation
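Review bot: in the dtls_mainloop hunk, `iph->ip_v` is dereferenced before any length check; both `this->len > sizeof(...)` comparisons come after the read, so a zero-length packet reads past the buffer. Test `this->len` for at least one byte before looking at the version nibble. Separately, `tos = (ntohl(0x0FF00000) & ip6h->ip6_flow) >> 20;` masks in network byte order and then shifts as if the value were host order, which yields the wrong byte on little-endian hosts; `tos = (ntohl(ip6h->ip6_flow) >> 20) & 0xff;` converts first and extracts the traffic class correctly.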
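Review bot: in the udp_sockaddr hunk, the interleaved AF_INET6 guard reads `if (vpninfo->dtls_no_tos_copy) {` while the AF_INET guard reads `if (!vpninfo->dtls_no_tos_copy) {`; the IPv6 condition is inverted and would set `dtls_tos_optname` only when the user disabled the copy. It should be `if (!vpninfo->dtls_no_tos_copy) {`, and the `#ifdef IPV6_TCLASS` block also lacks the closing `#endif` that the `#ifdef IP_TOS` block has.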
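The manual, offset-based header read asked for above, together with the "optname is the enable flag" check, as an added example in C that is not part of the patch or of openconnect's own code. It assumes nothing about openconnect's structures: `tos_from_packet` takes the raw tunnelled packet bytes and reads the TOS/Traffic Class byte at its RFC-fixed position without `struct ip` or `struct ip6_hdr`, rejecting short or non-IP buffers before touching any field; `tos_sockopt_level` and `tos_sockopt_optname` pick the socket-option pair per peer address family, returning 0 where the platform lacks the option so no configure check is needed. The two packets are constructed sample headers, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Read the TOS (IPv4) or Traffic Class (IPv6) byte of a tunnelled IP
 * packet by fixed offset, so no struct ip / struct ip6_hdr is needed.
 * RFC 791: byte 0 = version|IHL, byte 1 = TOS.
 * RFC 8200: bytes 0-1 = version(4 bits) | traffic class(8 bits) | top 4 bits of flow label.
 * Returns the byte (0..255), or -1 when the buffer is too short or is not
 * an IPv4/IPv6 packet. The version nibble is read only after the length
 * check, so an empty buffer is never dereferenced. */
int tos_from_packet(const uint8_t *data, size_t len)
{
    if (len < 1)
        return -1;

    switch (data[0] >> 4) {
    case 4:
        if (len < 20)   /* minimum IPv4 header */
            return -1;
        return data[1];
    case 6:
        if (len < 40)   /* fixed IPv6 header */
            return -1;
        /* traffic class straddles the low nibble of byte 0 and the high nibble of byte 1 */
        return ((data[0] & 0x0f) << 4) | (data[1] >> 4);
    default:
        return -1;
    }
}

/* Socket-option level for copying the value onto the outer UDP socket,
 * chosen once per connection from the peer address family. */
int tos_sockopt_level(int family)
{
    if (family == AF_INET)
        return IPPROTO_IP;
    if (family == AF_INET6)
        return IPPROTO_IPV6;
    return 0;
}

/* Matching option name, or 0 when this platform lacks the option for that
 * family. A zero here is the runtime "is it supported" flag: the per-packet
 * path copies the byte only when this is non-zero, and it should be reset
 * to 0 whenever the connection is torn down. */
int tos_sockopt_optname(int family)
{
#ifdef IP_TOS
    if (family == AF_INET)
        return IP_TOS;
#endif
#ifdef IPV6_TCLASS
    if (family == AF_INET6)
        return IPV6_TCLASS;
#endif
    return 0;
}

/* Constructed sample headers (not real captures): IPv4 with TOS 0xb8
 * (DSCP EF), and IPv6 with traffic class 0xb8 and flow label 0x12345.
 * Unlisted bytes are zero; checksums are not meaningful here. */
const uint8_t sample_v4[20] = { 0x45, 0xb8, 0x00, 0x14, 0, 0, 0, 0, 64, 17 };
const uint8_t sample_v6[40] = { 0x6b, 0x81, 0x23, 0x45, 0x00, 0x00, 17, 64 };

int main(void)
{
    int optname = tos_sockopt_optname(AF_INET);

    printf("IPv4 TOS:    %d\n", tos_from_packet(sample_v4, sizeof sample_v4));
    printf("IPv6 TCLASS: %d\n", tos_from_packet(sample_v6, sizeof sample_v6));
    printf("truncated:   %d\n", tos_from_packet(sample_v4, 5));
    printf("IPv4 TOS copy supported on this host: %s\n", optname ? "yes" : "no");
    return 0;
}
```

In the send path this pairs as: if `tos_sockopt_optname(family)` is non-zero and `tos_from_packet()` does not return -1, call `setsockopt()` with that level and option name before sending the outer UDP datagram; packets that fail the length check are sent with the socket's existing marking rather than being dropped.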