From 0f7c5dde1bbd23353467ebd549ae955a6a03746f Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Thu, 1 Dec 2022 12:01:28 +0100
Subject: [PATCH] Allow reconnecting in p2p mode work under FreeBSD

This commit consists of two parts.
 - explicitly removing an existing peer in p2p mode
 - ignoring the ping timeout notification that is generated by the first
part

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221201110128.271064-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25602.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/dco.c         |  9 +++++++++
 src/openvpn/dco_freebsd.c |  2 ++
 src/openvpn/forward.c     | 13 +++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 47fb0003..b1a3e783 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -458,6 +458,15 @@ dco_p2p_add_new_peer(struct context *c)
 
     struct sockaddr *remoteaddr = &ls->info.lsa->actual.dest.addr.sa;
     struct tls_multi *multi = c->c2.tls_multi;
+#ifdef TARGET_FREEBSD
+    /* In Linux in P2P mode the kernel automatically removes an existing peer
+     * when adding a new peer. FreeBSD needs to explicitly be told to do that */
+    if (c->c2.tls_multi->dco_peer_id != -1)
+    {
+        dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->dco_peer_id);
+        c->c2.tls_multi->dco_peer_id = -1;
+    }
+#endif
     int ret = dco_new_peer(&c->c1.tuntap->dco, multi->peer_id,
                            c->c2.link_socket->sd, NULL, remoteaddr, NULL, NULL);
     if (ret < 0)
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 4e03f52e..a52ac8c1 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -312,6 +312,8 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid)
     nvlist_t *nvl;
     int ret;
 
+    msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);
+
     nvl = nvlist_create(0);
     nvlist_add_number(nvl, "peerid", peerid);
 
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 1b418b1b..5cd7eaa6 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1174,9 +1174,22 @@ process_incoming_dco(struct context *c)
 
     dco_do_read(dco);
 
+    /* FreeBSD currently sends us removal notifcation with the old peer-id in
+     * p2p mode with the ping timeout reason, so ignore that one to not shoot
+     * ourselves in the foot and removing the just established session */
+    if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
+    {
+        msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
+            "expected %d", __func__, dco->dco_message_peer_id,
+            c->c2.tls_multi->dco_peer_id);
+        return;
+    }
+
     if ((dco->dco_message_type == OVPN_CMD_DEL_PEER)
         && (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED))
     {
+        msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id "
+            "%d", __func__, dco->dco_message_peer_id);
         trigger_ping_timeout_signal(c);
         return;
     }