Opened 7 years ago
Closed 7 years ago
#832 closed Bug / Defect (fixed)
attempt to add IPv6 route even when no IPv6 address was configured
Reported by: | tct | Owned by: | Antonio Quartulli |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | IPv6 | Version: | OpenVPN 2.4.0 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: | Gert Döring |
Description
Original problem:
https://forums.openvpn.net/viewtopic.php?f=4&t=22991
Conclusion:
IRC Discussion with cron2 and ordex as attachment
Attachments (1)
Change History (8)
Changed 7 years ago by
Attachment: | tapipv6.txt added |
---|
comment:1 follow-up: 3 Changed 7 years ago by
Owner: | set to Antonio Quartulli |
---|---|
Status: | new → accepted |
Summary: | TAP mode IPv6 address assigned by Router advertisement not recognised by openvpn → attempt to add IPv6 route even when no IPv6 address was configured |
comment:2 Changed 7 years ago by
First patch proposal:
diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 223cb5f4..f6ae7271 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -1882,12 +1882,10 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag } #endif - if (!tt->did_ifconfig_ipv6_setup) + if ((tt->type == DEV_TYPE_TAP) && !tt->did_ifconfig_ipv6_setup) { - msg( M_INFO, "add_route_ipv6(): not adding %s/%d: " - "no IPv6 address been configured on interface %s", - network, r6->netbits, device); - return; + msg(M_WARN, "WARNING: OpenVPN was configured to add a route towards %s/%d via %s over %s. However, no IPv6 has been configured for this interface, therefore the route installation may fail.", + network, r6->netbits, gateway, device); } msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
comment:3 follow-up: 4 Changed 7 years ago by
Moin,
Replying to ordex:
After discussing with cron2, the final idea is to print a WARNING when the interface is configured in TAP mode, no IPv6 was configured and an IPv6-route is about to be added. This way, if the route installation should fail, the user is able to understand why.
"Close". I'd remove the "in TAP mode" check.
Generally speaking, the assumption is "if you want routing, you should have an interface IP (=ifconfig-ipv6) as well". By removing that check, we give people rope to hang themselves :-) - but we should tell them, in all cases.
The patch is close but I'm not sure we really want to print the warning 20 times if there are 20 route-ipv6 statements...? Maybe remove the check here completely, and add the warning to add_routes()
in the if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
section...
comment:4 Changed 7 years ago by
Replying to cron2:
Moin,
Replying to ordex:
After discussing with cron2, the final idea is to print a WARNING when the interface is configured in TAP mode, no IPv6 was configured and an IPv6-route is about to be added. This way, if the route installation should fail, the user is able to understand why.
"Close". I'd remove the "in TAP mode" check.
Generally speaking, the assumption is "if you want routing, you should have an interface IP (=ifconfig-ipv6) as well". By removing that check, we give people rope to hang themselves :-) - but we should tell them, in all cases.
Yeah, I agree.
The patch is close but I'm not sure we really want to print the warning 20 times if there are 20 route-ipv6 statements...? Maybe remove the check here completely, and add the warning to
add_routes()
in theif (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
section...
yeah, we can print a generic message once only.
comment:5 Changed 7 years ago by
Reworked following your suggestions:
--- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -1196,6 +1196,13 @@ add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tunt if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) ) { struct route_ipv6 *r; + + if (!tt->did_ifconfig_ipv6_setup) + { + msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 route over %s. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.", + device); + } + for (r = rl6->routes_ipv6; r; r = r->next) { if (flags & ROUTE_DELETE_FIRST) @@ -1882,14 +1889,6 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag } #endif - if (!tt->did_ifconfig_ipv6_setup) - { - msg( M_INFO, "add_route_ipv6(): not adding %s/%d: " - "no IPv6 address been configured on interface %s", - network, r6->netbits, device); - return; - } - msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway, r6->metric, device );
comment:7 Changed 7 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
Your patch has been applied to the master and release/2.4 branch.
commit 2b7650e7ec9241745e4f66c932d6cffaece927d7 (master)
commit c74d574417b8b491fe6ad44e89843af8479cc9be (release/2.4)
Author: Antonio Quartulli
Date: Tue Jan 31 19:21:31 2017 +0800
attempt to add IPv6 route even when no IPv6 address was configured
thanks :-)
as discussed on IRC, we can't expect OpenVPN to know about what's going on at the IP layer of a TAP interface. For this reason, if no IPv6 is configured, no IPv6-route is allowed.
However, there are cases where it still makes sense to attempt to install an IOv6 route even though no ipv6 address was configured.
For example a route using a fe80:: as GW should still work because the system should take care of configuring such class on the TAP interface upon creation.
OTOH, if the interface is configured as TUN the route can always be installed because there is no need to specify a reachable GW.
After discussing with cron2, the final idea is to print a WARNING when the interface is configured in TAP mode, no IPv6 was configured and an IPv6-route is about to be added. This way, if the route installation should fail, the user is able to understand why.