[Bug 286263] security/openvpn: requires legacy IP support for ovpn(4) DCO module to be operational
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 286263] ovpn(4) DCO module requires legacy IP support"
Date: Fri, 20 Feb 2026 22:32:42 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286263
--- Comment #4 from Gert Doering <gert@greenie.muc.de> ---
Yeah, this is a bit nasty, especially as it has no logging at this point:

    bool
    dco_available(msglvl_t msglevel)
    {
    ...
        fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
        if (fd < 0)
        {
            return false;
        }

... this silently fails on a system built without INET, so the high-level code
gets "whoa, no DCO available" and falls back to userland - with no indication
in the log why this happens.

There's another AF_INET socket being opened in open_fd() - if I change both
occurrences to AF_INET6, DCO will work fine on a system without "options INET".

Now, I'm reasonably sure this will break on a system with no INET6 - which is
also not desirable.

@kp: any suggestion how to fix this in a nice way? We can, of course, try
AF_INET6 first, and if that fails, fall back to AF_INET, but that feels
somewhat inelegant...
--
You are receiving this mail because:
You are the assignee for the bug.
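
The fallback order discussed in the comment above (AF_INET6 first, then AF_INET), sketched as an added example that is not part of the original message and is not OpenVPN's code. The helper name `open_probe_socket` and its log format are hypothetical; each failed attempt is logged with its errno so a fallback to userland is no longer silent.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not from OpenVPN: try each address family in order and
 * return the first datagram socket that opens. Every failure is logged with
 * its errno, so a later fallback to userland is explained in the log. */
static int
open_probe_socket(const int *families, size_t n, int *used_family, int *failures)
{
    *used_family = -1;
    *failures = 0;
    for (size_t i = 0; i < n; i++)
    {
        int fd = socket(families[i], SOCK_DGRAM | SOCK_CLOEXEC, 0);
        if (fd >= 0)
        {
            *used_family = families[i];
            return fd;
        }
        (*failures)++;
        fprintf(stderr, "probe: socket(family=%d) failed: %s\n",
                families[i], strerror(errno));
    }
    fprintf(stderr, "probe: no usable address family, DCO unavailable\n");
    return -1;
}

int
main(void)
{
    /* Order from the comment above: AF_INET6 first, then AF_INET. */
    const int order[] = { AF_INET6, AF_INET };
    int family, failures;
    int fd = open_probe_socket(order, 2, &family, &failures);
    if (fd >= 0)
    {
        printf("probe socket opened with family %d after %d failure(s)\n",
               family, failures);
        close(fd);
    }
    return fd >= 0 ? 0 : 1;
}
```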