[PATCH V2 11/11] library: Add setup_tun() callback

Kevin Cernekee cernekee at gmail.com
Wed Feb 10 20:00:52 PST 2016

On Wed, Feb 10, 2016 at 1:35 PM, Woodhouse, David
<david.woodhouse at intel.com> wrote:
> On Mon, 2016-02-08 at 22:34 -0800, Kevin Cernekee wrote:
>>   openconnect_obtain_cookie()
>>   openconnect_make_cstp_connection()
>>   openconnect_setup_dtls()
>>   openconnect_get_ip_info()
>>   # ask the OS to create the tun interface
>>   openconnect_setup_tun_fd()
>>   openconnect_mainloop()
>> But now that MTU is calculated a few seconds after the mainloop starts
>> up, it is necessary to provide a callback so that the calling application
>> can create a tun interface with the correct MTU.
> What happens if apps *don't* update, and the library is just updated
> (with no soname bump) without the application being changed.
> Does the dynamic MTU detection still happen, but achieve nothing and
> basically leave things as they were in OpenConnect 7.05?

Yes, that is the intention.

One thing that worries me: it looks like ip_info.mtu could potentially
change on each DTLS reconnection?  That's probably the right thing to
do if the device is roaming between wifi/mobile networks.  But the tun
interface MTU then needs to be updated every time openconnect computes
a new MTU - we don't want to keep getting 1341-byte packets from the
kernel if we just decided that the MTU should be lowered to 1300.
Changing the tun interface MTU should be possible via set_tun_mtu() if
we're running as root, but it isn't currently possible using the
Android / Chrome OS / script-tun APIs.  Maybe the library API should
add an mtu_changed callback, and if it is NULL, only perform MTU
detection when !tun_is_up.

Also, I'm not sure if this code is safe if ip_info.mtu is low when
cstp_pkt is allocated, but higher when the buffer gets populated:

        int len = vpninfo->deflate_pkt_size ? : vpninfo->ip_info.mtu;
        int payload_len;

        if (!vpninfo->cstp_pkt) {
            vpninfo->cstp_pkt = malloc(sizeof(struct pkt) + len);
            if (!vpninfo->cstp_pkt) {
                vpn_progress(vpninfo, PRG_ERR, _("Allocation failed\n"));

        len = ssl_nonblock_read(vpninfo, vpninfo->cstp_pkt->cstp.hdr, len + 8);

More information about the openconnect-devel mailing list