On 25/11/2024 22:32, Sergey Ryazanov wrote: [...]
FTR, here is the text in the manpage:
--persist-tun Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
SIGUSR1 is a session reconnection, not a process restart. The manpage just indicates what happens at the low level when this option is provided.
Still no mentions of the traffic leaking prevention. Is it?
Like I said, the manpage only mentions the low level bits. I have already proposed a patch to further extend this text.
[...]
Having userspace configure a blackhole route is something that can be considered by whoeever decides to implement the "kill switch" feature.
OpenVPN does not. It just implements --persist-tun.
So all in all, the conclusion is that in this case it's usersapce to decide when the interface should go up and down, depending on the configuration. I'd like to keep it as it is to avoid the ovpn interface to make decisions on its own.
I can spell this out in the comment (I think it definitely makes sense), to clarify that the netcarrier is expected to be driven by userspace (where the control plane is) rather than having the device make decisions without having the full picture.
What do you think?
It wasn't suggested to destroy the interface in case of interface becoming non-operational. I apologize if something I wrote earlier sounded like that. The interface existence stays unquestionable. It's going to be solid persistent.
Back to the proposed rephrasing. If the 'full picture' means forcing the running state indication even when the netdev is not capable to deliver packets, then it looks like an attempt to hide the control knob of the misguiding feature somewhere else.
And since the concept of on-purpose false indication is still here, many words regarding the control plane and a full picture do not sound good either.
Can you please point out the code where other virtual drivers are doing what you are suggesting so I can have a look?
Wireguard is the closest module in terms of concept and I couldn't see anything like that. Neither in ipsec. But I may have overlooked something.
Please let me know.
Regards,