)]}'
{"id":"openvpn~1473","triplet_id":"openvpn~master~Idbd0a47ba4d297a833a350611a23f19fd9a797b5","project":"openvpn","branch":"master","attention_set":{},"removed_from_attention_set":{"1000003":{"account":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"last_update":"2026-01-14 11:51:25.000000000","reason":"Change was submitted"},"1000002":{"account":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"last_update":"2026-01-14 11:51:25.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"Idbd0a47ba4d297a833a350611a23f19fd9a797b5","subject":"Repair interaction between DCO and persist-tun after reconnection","status":"MERGED","created":"2026-01-14 07:54:00.000000000","updated":"2026-01-14 11:51:25.000000000","submitted":"2026-01-14 11:51:25.000000000","submitter":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"1473","meta_rev_id":"519b72d4eb87e0838c33d2b82dc0b4ee72cb6cbc","_number":1473,"virtual_id_number":1473,"owner":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"actions":{},"labels":{"Code-Review":{"all":[{"value":0,"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},{"value":0,"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"}],"values":{"-2":"This shall not be submitted","-1":"I would prefer this is not submitted as is"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"default_value":0}},"removable_reviewers":[{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"}],"reviewers":{"REVIEWER":[{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"}],"CC":[{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-01-14 07:54:01.000000000","updated_by":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"reviewer":{"_account_id":1000026,"name":"openvpn-devel","email":"openvpn-devel@lists.sourceforge.net","username":"openvpn-devel"},"state":"CC"},{"updated":"2026-01-14 07:54:01.000000000","updated_by":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"reviewer":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"state":"REVIEWER"},{"updated":"2026-01-14 09:54:49.000000000","updated_by":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"reviewer":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"state":"REVIEWER"}],"messages":[{"id":"6885d0fcaaabb5a3d32766a2e9d1db82e90d3598","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2026-01-14 07:54:00.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"74f96b064628d1e5ca436640a90aed44ce3566ff","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2026-01-14 09:17:44.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"8fa4d4ac5598982defe7678101952af908a60c21","author":{"_account_id":1000007,"name":"ordex","display_name":"Antonio Quartulli","email":"antonio@mandelbit.com","username":"ordex"},"date":"2026-01-14 09:54:49.000000000","message":"Patch Set 2: Code-Review+2","accounts_in_message":[],"_revision_number":2},{"id":"519b72d4eb87e0838c33d2b82dc0b4ee72cb6cbc","tag":"autogenerated:gerrit:merged","author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"date":"2026-01-14 11:51:25.000000000","message":"Change has been successfully pushed.","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"52c3b435b11e6daf7f3f9524ff801ba285c1d985","revisions":{"4022e1cda208a982cbe2f990db1d89b68d7cfdcf":{"kind":"REWORK","_number":1,"created":"2026-01-14 07:54:00.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/73/1473/1","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/73/1473/1","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/1 \u0026\u0026 git checkout -b change-1473 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/73/1473/1","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"4a15d4e51ddb58fbc7a2b2369f30e51616a2a591","subject":"Require script-security 2 when using unix: tun"}],"author":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2025-12-30 15:58:45.000000000","tz":60},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2026-01-14 07:37:54.000000000","tz":60},"subject":"Repair interaction between DCO and persist-tun after reconnection","message":"Repair interaction between DCO and persist-tun after reconnection\n\nWhen --persist-tun is active, openvpn userland Linux and FreeBSD fails\nto re-enable \"poll for DCO events\" after a reconnect (e.g. triggered by\na ping timeout).  The reconnect will still work fine, but on the *next*\nDCO event from the kernel, OpenVPN userland will not notice, and so\nthe system will get into an inconsistent state (Userland assumes \"all is\nwell\", kernel DCO has disconnected the peer, connection is broken until\nthe next tls-renegotion and/or manual restart, *and* the next DCO key\nsetup might fail due to \"peer id gone\").\n\nThis only affects client side, --server tun is always \"persistent\", and\nthere is no \"full restart\" (and the code path in question is also\nonly used for client and p2p server).\n\nThe root cause is an incorrect check for \"is this interface up?\" when\ncalling dco_event_set() in forard.c::io_wait() - \"c2.did_open_tun\" is\nonly true if the tun interface was actually configured on this reconnect,\nwhich it isn\u0027t if --persist-tun is active.  Replace with a check for\n\"do we have a tuntap structure, and if yes, do we have active DCO?\"\nwhich reflects the original intent much better.\n\nThe original code also had a check for \"out_socket \u0026 EVENT_READ\" there,\nwhich did to some extend avoid calling dco_event_set() for every single\nUDP packet sent and received by userland - but this only worked on initial\nconnection, and is always true on reconnect, so this condition was removed\nfor simplicity.  We should come back here...\n\nGithub: OpenVPN/openvpn#947\n\nChange-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5\n"},"branch":"refs/heads/master"},"6b9d45943b80a88da0c17f38ce4a8e87e1844bbb":{"kind":"REWORK","_number":2,"created":"2026-01-14 09:17:44.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/73/1473/2","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/73/1473/2","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/2 \u0026\u0026 git checkout -b change-1473 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/73/1473/2","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"4a15d4e51ddb58fbc7a2b2369f30e51616a2a591","subject":"Require script-security 2 when using unix: tun"}],"author":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2025-12-30 15:58:45.000000000","tz":60},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2026-01-14 09:11:06.000000000","tz":60},"subject":"Repair interaction between DCO and persist-tun after reconnection","message":"Repair interaction between DCO and persist-tun after reconnection\n\nWhen --persist-tun is active, openvpn userland on Linux and FreeBSD fails\nto re-enable \"poll for DCO events\" after a reconnect (e.g. triggered by\na ping timeout).  The reconnect will still work fine, but the *next*\nDCO event notification from the kernel will not be received by OpenVPN\nuserland, and so the system will get into an inconsistent state (Userland\nassumes \"all is well\", kernel DCO has disconnected the peer, connection\nis broken until the next tls-renegotion and/or manual restart, *and* the\nnext DCO key setup might fail due to \"peer id gone\").\n\nThis only affects client side, --server tun is always \"persistent\", and\nthere is no \"full restart\" (and the code path in question is also\nonly used for client and p2p server).\n\nThe root cause is an incorrect check for \"is this interface up?\" when\ncalling dco_event_set() in forard.c::io_wait() - \"c2.did_open_tun\" is\nonly true if the tun interface was actually configured on this reconnect,\nwhich it isn\u0027t if --persist-tun is active.  Replace with a check for\n\"do we have a tuntap structure, and if yes, do we have active DCO?\"\nwhich reflects the original intent much better.\n\nThe original code also had a check for \"out_socket \u0026 EVENT_READ\" there,\nwhich did to some extend avoid calling dco_event_set() for every single\nUDP packet sent and received by userland - but this only worked on initial\nconnection, and is always true on reconnect, so this condition was removed\nfor simplicity.  We should come back here...\n\nv2:\n  - some language fixes on the commit message\n  - do not check -\u003edco.open in forward.c, as this is not available if\n    not on FreeBSD, or if compiled with --disable-dco.\n    FreeBSD DCO does the \"if (!dco || !dco-\u003eopen)\" check in dco_event_set()\n    anyway, so it\u0027s not needed, and Linux DCO has \"dco-\u003enl_sock\", which is\n    also reliably set/unset, and checked by dco_event_set() already.\n\nGithub: OpenVPN/openvpn#947\n\nChange-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5\n"},"branch":"refs/heads/master"},"52c3b435b11e6daf7f3f9524ff801ba285c1d985":{"kind":"TRIVIAL_REBASE_WITH_MESSAGE_UPDATE","_number":3,"created":"2026-01-14 11:51:25.000000000","uploader":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"ref":"refs/changes/73/1473/3","fetch":{"anonymous http":{"url":"http://gerrit.openvpn.net/openvpn","ref":"refs/changes/73/1473/3","commands":{"Branch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/3 \u0026\u0026 git checkout -b change-1473 FETCH_HEAD","Checkout":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull http://gerrit.openvpn.net/openvpn refs/changes/73/1473/3","Reset To":"git fetch http://gerrit.openvpn.net/openvpn refs/changes/73/1473/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"faac9681cce54f576eddea4b6389395542c24315","subject":"remove ENABLE_X509ALTUSERNAME conditional"}],"author":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2026-01-14 11:23:49.000000000","tz":60},"committer":{"name":"Gert Doering","email":"gert@greenie.muc.de","date":"2026-01-14 11:29:58.000000000","tz":60},"subject":"Repair interaction between DCO and persist-tun after reconnection","message":"Repair interaction between DCO and persist-tun after reconnection\n\nWhen --persist-tun is active, openvpn userland on Linux and FreeBSD fails\nto re-enable \"poll for DCO events\" after a reconnect (e.g. triggered by\na ping timeout).  The reconnect will still work fine, but the *next*\nDCO event notification from the kernel will not be received by OpenVPN\nuserland, and so the system will get into an inconsistent state (Userland\nassumes \"all is well\", kernel DCO has disconnected the peer, connection\nis broken until the next tls-renegotion and/or manual restart, *and* the\nnext DCO key setup might fail due to \"peer id gone\").\n\nThis only affects client side, --server tun is always \"persistent\", and\nthere is no \"full restart\" (and the code path in question is also\nonly used for client and p2p server).\n\nThe root cause is an incorrect check for \"is this interface up?\" when\ncalling dco_event_set() in forard.c::io_wait() - \"c2.did_open_tun\" is\nonly true if the tun interface was actually configured on this reconnect,\nwhich it isn\u0027t if --persist-tun is active.  Replace with a check for\n\"do we have a tuntap structure, and if yes, do we have active DCO?\"\nwhich reflects the original intent much better.\n\nThe original code also had a check for \"out_socket \u0026 EVENT_READ\" there,\nwhich did to some extend avoid calling dco_event_set() for every single\nUDP packet sent and received by userland - but this only worked on initial\nconnection, and is always true on reconnect, so this condition was removed\nfor simplicity.  We should come back here...\n\nv2:\n  - some language fixes on the commit message\n  - do not check -\u003edco.open in forward.c, as this is not available if\n    not on FreeBSD, or if compiled with --disable-dco.\n    FreeBSD DCO does the \"if (!dco || !dco-\u003eopen)\" check in dco_event_set()\n    anyway, so it\u0027s not needed, and Linux DCO has \"dco-\u003enl_sock\", which is\n    also reliably set/unset, and checked by dco_event_set() already.\n\nGithub: OpenVPN/openvpn#947\n\nChange-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\nAcked-by: Antonio Quartulli \u003cantonio@mandelbit.com\u003e\nGerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473\nMessage-Id: \u003c20260114112403.7046-1-gert@greenie.muc.de\u003e\nURL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35239.html\nSigned-off-by: Gert Doering \u003cgert@greenie.muc.de\u003e\n"},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}