[PATCH net-next v25 00/23] Introducing OpenVPN Data Channel Offload

Antonio Quartulli posted 23 patches 8 months, 2 weeks ago
There is a newer version of this series
Documentation/netlink/specs/ovpn.yaml              |  367 +++
Documentation/netlink/specs/rt_link.yaml           |   16 +
MAINTAINERS                                        |   11 +
drivers/net/Kconfig                                |   15 +
drivers/net/Makefile                               |    1 +
drivers/net/ovpn/Makefile                          |   22 +
drivers/net/ovpn/bind.c                            |   55 +
drivers/net/ovpn/bind.h                            |  101 +
drivers/net/ovpn/crypto.c                          |  210 ++
drivers/net/ovpn/crypto.h                          |  145 ++
drivers/net/ovpn/crypto_aead.c                     |  383 ++++
drivers/net/ovpn/crypto_aead.h                     |   29 +
drivers/net/ovpn/io.c                              |  446 ++++
drivers/net/ovpn/io.h                              |   34 +
drivers/net/ovpn/main.c                            |  330 +++
drivers/net/ovpn/main.h                            |   14 +
drivers/net/ovpn/netlink-gen.c                     |  213 ++
drivers/net/ovpn/netlink-gen.h                     |   41 +
drivers/net/ovpn/netlink.c                         | 1258 ++++++++++
drivers/net/ovpn/netlink.h                         |   18 +
drivers/net/ovpn/ovpnpriv.h                        |   57 +
drivers/net/ovpn/peer.c                            | 1364 +++++++++++
drivers/net/ovpn/peer.h                            |  163 ++
drivers/net/ovpn/pktid.c                           |  129 ++
drivers/net/ovpn/pktid.h                           |   86 +
drivers/net/ovpn/proto.h                           |  118 +
drivers/net/ovpn/skb.h                             |   61 +
drivers/net/ovpn/socket.c                          |  239 ++
drivers/net/ovpn/socket.h                          |   49 +
drivers/net/ovpn/stats.c                           |   21 +
drivers/net/ovpn/stats.h                           |   47 +
drivers/net/ovpn/tcp.c                             |  598 +++++
drivers/net/ovpn/tcp.h                             |   36 +
drivers/net/ovpn/udp.c                             |  439 ++++
drivers/net/ovpn/udp.h                             |   25 +
include/linux/skbuff.h                             |    2 +
include/uapi/linux/if_link.h                       |   15 +
include/uapi/linux/ovpn.h                          |  109 +
include/uapi/linux/udp.h                           |    1 +
net/core/skbuff.c                                  |   18 +-
net/ipv6/af_inet6.c                                |    1 +
tools/testing/selftests/Makefile                   |    1 +
tools/testing/selftests/net/ovpn/.gitignore        |    2 +
tools/testing/selftests/net/ovpn/Makefile          |   31 +
tools/testing/selftests/net/ovpn/common.sh         |   92 +
tools/testing/selftests/net/ovpn/config            |   10 +
tools/testing/selftests/net/ovpn/data64.key        |    5 +
tools/testing/selftests/net/ovpn/ovpn-cli.c        | 2395 ++++++++++++++++++++
tools/testing/selftests/net/ovpn/tcp_peers.txt     |    5 +
.../testing/selftests/net/ovpn/test-chachapoly.sh  |    9 +
.../selftests/net/ovpn/test-close-socket-tcp.sh    |    9 +
.../selftests/net/ovpn/test-close-socket.sh        |   45 +
tools/testing/selftests/net/ovpn/test-float.sh     |    9 +
tools/testing/selftests/net/ovpn/test-tcp.sh       |    9 +
tools/testing/selftests/net/ovpn/test.sh           |  113 +
tools/testing/selftests/net/ovpn/udp_peers.txt     |    5 +
56 files changed, 10022 insertions(+), 5 deletions(-)
[PATCH net-next v25 00/23] Introducing OpenVPN Data Channel Offload
Posted by Antonio Quartulli 8 months, 2 weeks ago
Notable changes since v24:
* disable TCP disconnections of attached sockets (tcp_disconnect()
  returns -EBUSY) - similarly to kTLS.
* used rcu_replace_pointer instead of rcu_dereference_protected+rcu_assign_pointer
* dropped useless skb->ignore_df = 1
* dropped unneeded EXPORT_SYMBOL_GPL(udpv6_prot)
* dropped obsolete comment for ovpn_crypto_key_slots_swap()
* dropped calls to kfree() in ovpn_aead_encrypt/decrypt() (release is
  performed in ovpn_encrypt/decrypt_post())
* dropped NULL check before calling kfree() in
  ovpn_encrypt/decrypt_done()
* converted seq_num from atomic64_t to atomic_t (IV exhaustion is now
  detected in case of wrap around)
* call consume_skb() on skb when dropping keepalive message (it is not a
  failure)
* made REMOTE_PORT mandatory when REMOTE_IPV4/6 is specified in
  peer_new/set call
* ensured ovpn_nl_key_swap_notify() is called only once, even when
  parsing a batch of received packets concurrently

Please note that some patches were already reviewed/tested by a few
people. These patches have retained the tags as they have hardly been
touched.

The latest code can also be found at:

https://github.com/OpenVPN/ovpn-net-next

Thanks a lot!
Best Regards,

Antonio Quartulli
OpenVPN Inc.

---
Antonio Quartulli (23):
      net: introduce OpenVPN Data Channel Offload (ovpn)
      ovpn: add basic netlink support
      ovpn: add basic interface creation/destruction/management routines
      ovpn: keep carrier always on for MP interfaces
      ovpn: introduce the ovpn_peer object
      ovpn: introduce the ovpn_socket object
      ovpn: implement basic TX path (UDP)
      ovpn: implement basic RX path (UDP)
      ovpn: implement packet processing
      ovpn: store tunnel and transport statistics
      ovpn: implement TCP transport
      skb: implement skb_send_sock_locked_with_flags()
      ovpn: add support for MSG_NOSIGNAL in tcp_sendmsg
      ovpn: implement multi-peer support
      ovpn: implement peer lookup logic
      ovpn: implement keepalive mechanism
      ovpn: add support for updating local or remote UDP endpoint
      ovpn: implement peer add/get/dump/delete via netlink
      ovpn: implement key add/get/del/swap via netlink
      ovpn: kill key and notify userspace in case of IV exhaustion
      ovpn: notify userspace when a peer is deleted
      ovpn: add basic ethtool support
      testing/selftests: add test tool and scripts for ovpn module

---
base-commit: 61f96e684edd28ca40555ec49ea1555df31ba619
change-id: 20241002-b4-ovpn-eeee35c694a2

Best regards,
-- 
Antonio Quartulli <antonio@openvpn.net>
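Two of the changelog items above (detecting IV exhaustion when the 32-bit
sequence number wraps, and making sure a notification to userspace fires only
once even when packets are processed concurrently) describe a pattern worth
seeing in code. The block below is an added illustration, not the ovpn
driver's own code: all names are hypothetical, and it assumes, as a modelling
choice, that packet id 0 is reserved and must never go on the wire. The point
it demonstrates is that a plain fetch_add followed by a "did it wrap?" check
is not enough, because a racing caller can already have taken an id past the
wrap; a compare-and-swap loop that refuses to step past UINT32_MAX closes that
window, and an atomic exchange on a flag gives the once-only notification.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model (hypothetical names, not the ovpn driver's code) of
 * a per-key transmit state: a 32-bit packet id that becomes part of the
 * AEAD nonce, a "dead" flag raised once the id space is used up, and a
 * latch so that userspace is told exactly once.
 */
struct demo_key_state {
	_Atomic uint32_t next_pktid;  /* last id handed out; 0 means "none yet" */
	atomic_bool dead;             /* id space exhausted: key must be replaced */
	atomic_bool notified;         /* userspace has been told (at most once) */
};

enum demo_status { DEMO_OK = 0, DEMO_EXHAUSTED = -1 };

struct demo_burst_result {
	unsigned sent;           /* packets that received an id */
	unsigned notifications;  /* times userspace was notified */
	uint32_t last_id;        /* last id handed out, 0 if none */
	bool key_dead;
};

void demo_key_init(struct demo_key_state *ks, uint32_t last_used)
{
	atomic_init(&ks->next_pktid, last_used);
	atomic_init(&ks->dead, false);
	atomic_init(&ks->notified, false);
}

/*
 * Hand out the next packet id, or DEMO_EXHAUSTED. Id 0 is reserved in
 * this model, so the counter is never allowed to wrap back to it: the CAS
 * loop (rather than fetch_add followed by a check) guarantees that no
 * concurrent caller can step past UINT32_MAX, so no nonce is ever reused
 * under this key.
 */
int demo_next_pktid(struct demo_key_state *ks, uint32_t *id)
{
	uint32_t cur = atomic_load(&ks->next_pktid);

	for (;;) {
		if (cur == UINT32_MAX) {
			/* The next id would be 0 again: retire the key instead. */
			atomic_store(&ks->dead, true);
			return DEMO_EXHAUSTED;
		}
		if (atomic_compare_exchange_weak(&ks->next_pktid, &cur, cur + 1)) {
			*id = cur + 1;
			return DEMO_OK;
		}
		/* cur now holds the value another caller stored; retry. */
	}
}

/* Returns true for exactly one caller, however many race here. */
bool demo_notify_once(struct demo_key_state *ks)
{
	return !atomic_exchange(&ks->notified, true);
}

/*
 * Constructed scenario (no real packets): try to send n packets under a
 * key whose last used id is last_used. Keeps trying after exhaustion so
 * the once-only latch is exercised.
 */
struct demo_burst_result demo_burst(uint32_t last_used, unsigned n)
{
	struct demo_key_state ks;
	struct demo_burst_result r = { 0, 0, 0, false };

	demo_key_init(&ks, last_used);
	for (unsigned i = 0; i < n; i++) {
		uint32_t id;

		if (demo_next_pktid(&ks, &id) != DEMO_OK) {
			/* Key is dead: tell userspace (once) to install a new one. */
			if (demo_notify_once(&ks))
				r.notifications++;
			continue;
		}
		r.sent++;
		r.last_id = id;
	}
	r.key_dead = atomic_load(&ks.dead);
	return r;
}

int main(void)
{
	struct demo_burst_result r = demo_burst(UINT32_MAX - 2, 5);

	printf("sent=%u last_id=%#x dead=%d notifications=%u\n",
	       r.sent, (unsigned)r.last_id, r.key_dead, r.notifications);
	return 0;
}
```

Starting two ids short of the end, the burst hands out UINT32_MAX-1 and
UINT32_MAX, then refuses every further request, marks the key dead and notifies
exactly once. Starting from a fresh key, the first id issued is 1, never 0.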
Re: [PATCH net-next v25 00/23] Introducing OpenVPN Data Channel Offload
Posted by Jiri Slaby 8 months, 2 weeks ago
On 07. 04. 25, 21:46, Antonio Quartulli wrote:
> Notable changes since v24:
> * disable TCP disconnections of attached sockets (tcp_disconnect()
>    returns -EBUSY) - similarly to kTLS.
> * used rcu_replace_pointer instead of rcu_dereference_protected+rcu_assign_pointer
> * dropped useless skb->ignore_df = 1
> * dropped unneeded EXPORT_SYMBOL_GPL(udpv6_prot)
> * dropped obsolete comment for ovpn_crypto_key_slots_swap()
> * dropped calls to kfree() in ovpn_aead_encrypt/decrypt() (release is
>    performed in ovpn_encrypt/decrypt_post())
> * dropped NULL check before calling kfree() in
>    ovpn_encrypt/decrypt_done()
> * converted seq_num from atomic64_t to atomic_t (IV exhaustion is now
>    detected in case of wrap around)
> * call consume_skb() on skb when dropping keepalive message (it is not a
>    failure)
> * made REMOTE_PORT mandatory when REMOTE_IPV4/6 is specified in
>    peer_new/set call
> * ensured ovpn_nl_key_swap_notify() is called only once, even when
>    parsing a batch of received packets concurrently
> 
> Please note that some patches were already reviewed/tested by a few
> people. These patches have retained the tags as they have hardly been
> touched.
> 
> The latest code can also be found at:
> 
> https://github.com/OpenVPN/ovpn-net-next

Given:
 > +#define OVPN_FAMILY_NAME	"ovpn"
and
 > ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME);

Is there also an openvpn branch understanding the new (in-kernel) 
naming? I.e. something like s/ovpn-dco-v2/ovpn/?

As with 2.6.10, I see:
$ grep -iE 'offl|dco' log
2025-04-08 08:24:59 us=718854 Note: Kernel support for ovpn-dco missing, 
disabling data channel offload.
2025-04-08 08:24:59 us=719060 OpenVPN 2.6.10 x86_64-suse-linux-gnu [SSL 
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-04-08 08:24:59 us=719110 DCO version: N/A

thanks,
-- 
js
suse labs
Re: [PATCH net-next v25 00/23] Introducing OpenVPN Data Channel Offload
Posted by Antonio Quartulli 8 months, 2 weeks ago
Hi,

On 08/04/2025 08:34, Jiri Slaby wrote:
>> Given:
>  > +#define OVPN_FAMILY_NAME    "ovpn"
> and
>  > ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME);
> 
> Is there also an openvpn branch understanding the new (in-kernel) 
> naming? I.e. something like s/ovpn-dco-v2/ovpn/?
> 
> As with 2.6.10, I see:
> $ grep -iE 'offl|dco' log
> 2025-04-08 08:24:59 us=718854 Note: Kernel support for ovpn-dco missing, 
> disabling data channel offload.
> 2025-04-08 08:24:59 us=719060 OpenVPN 2.6.10 x86_64-suse-linux-gnu [SSL 
> (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
> 2025-04-08 08:24:59 us=719110 DCO version: N/A

2.6.x and master do not "speak" the new "ovpn" family, because the new 
uAPI wasn't considered stable yet (due to ongoing reviews).

We have a WIP branch which you can use for test:

https://github.com/mandelbitdev/openvpn/tree/gianmarco/179-ovpn-support

Please do not try to measure performance at this time as we have various 
improvements that we are working on, but we wanted to wait for the first 
version of ovpn to be merged first.

Regards,

-- 
Antonio Quartulli
OpenVPN Inc.

Re: [PATCH net-next v25 00/23] Introducing OpenVPN Data Channel Offload
Posted by Sabrina Dubroca 8 months, 1 week ago
2025-04-07, 21:46:08 +0200, Antonio Quartulli wrote:
> Notable changes since v24:
> * disable TCP disconnections of attached sockets (tcp_disconnect()
>   returns -EBUSY) - similarly to kTLS.
> * used rcu_replace_pointer instead of rcu_dereference_protected+rcu_assign_pointer
> * dropped useless skb->ignore_df = 1
> * dropped unneeded EXPORT_SYMBOL_GPL(udpv6_prot)
> * dropped obsolete comment for ovpn_crypto_key_slots_swap()
> * dropped calls to kfree() in ovpn_aead_encrypt/decrypt() (release is
>   performed in ovpn_encrypt/decrypt_post())
> * dropped NULL check before calling kfree() in
>   ovpn_encrypt/decrypt_done()
> * converted seq_num from atomic64_t to atomic_t (IV exhaustion is now
>   detected in case of wrap around)
> * call consume_skb() on skb when dropping keepalive message (it is not a
>   failure)
> * made REMOTE_PORT mandatory when REMOTE_IPV4/6 is specified in
>   peer_new/set call
> * ensured ovpn_nl_key_swap_notify() is called only once, even when
>   parsing a batch of received packets concurrently
> 
> Please note that some patches were already reviewed/tested by a few
> people. These patches have retained the tags as they have hardly been
> touched.
> 
> The latest code can also be found at:
> 
> https://github.com/OpenVPN/ovpn-net-next
> 
> Thanks a lot!
> Best Regards,
> 
> Antonio Quartulli
> OpenVPN Inc.
> 
> ---
> Antonio Quartulli (23):
>       net: introduce OpenVPN Data Channel Offload (ovpn)
>       ovpn: add basic netlink support
>       ovpn: add basic interface creation/destruction/management routines
>       ovpn: keep carrier always on for MP interfaces
>       ovpn: introduce the ovpn_peer object
>       ovpn: introduce the ovpn_socket object
>       ovpn: implement basic TX path (UDP)
>       ovpn: implement basic RX path (UDP)
>       ovpn: implement packet processing
>       ovpn: store tunnel and transport statistics
>       ovpn: implement TCP transport
>       skb: implement skb_send_sock_locked_with_flags()
>       ovpn: add support for MSG_NOSIGNAL in tcp_sendmsg
>       ovpn: implement multi-peer support
>       ovpn: implement peer lookup logic
>       ovpn: implement keepalive mechanism
>       ovpn: add support for updating local or remote UDP endpoint
>       ovpn: implement peer add/get/dump/delete via netlink
>       ovpn: implement key add/get/del/swap via netlink
>       ovpn: kill key and notify userspace in case of IV exhaustion
>       ovpn: notify userspace when a peer is deleted
>       ovpn: add basic ethtool support
>       testing/selftests: add test tool and scripts for ovpn module

For the series:
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

Thanks again for your patience, Antonio.

-- 
Sabrina
Re: [PATCH net-next v25 00/23] Introducing OpenVPN Data Channel Offload
Posted by Antonio Quartulli 8 months, 1 week ago
On 10/04/2025 16:03, Sabrina Dubroca wrote:
[...]
> For the series:
> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
> 
> Thanks again for your patience, Antonio.

Thank you (!) Sabrina for all the effort you've put in during this long 
journey.
You've been of incredible help to the ovpn prototype and to me.

"And we're just getting started!"

Regards,

-- 
Antonio Quartulli
OpenVPN Inc.