Opened 3 years ago

Closed 3 years ago

#832 closed Bug / Defect (fixed)

attempt to add IPv6 route even when no IPv6 address was configured

Reported by: tincantech
Owned by: Antonio
Priority: minor
Milestone:
Component: IPv6
Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: Gert Döring

Description

Original problem:
https://forums.openvpn.net/viewtopic.php?f=4&t=22991

Conclusion:
IRC Discussion with cron2 and ordex as attachment

Attachments (1)

tapipv6.txt (9.5 KB) - added by tincantech 3 years ago.


Change History (8)

Changed 3 years ago by tincantech

Attachment: tapipv6.txt added

comment:1 Changed 3 years ago by Antonio

Owner: set to Antonio
Status: new → accepted
Summary: TAP mode IPv6 address assigned by Router advertisement not recognised by openvpn → attempt to add IPv6 route even when no IPv6 address was configured

As discussed on IRC, we can't expect OpenVPN to know about what's going on at the IP layer of a TAP interface. For this reason, if no IPv6 is configured, no IPv6-route is allowed.

However, there are cases where it still makes sense to attempt to install an IPv6 route even though no ipv6 address was configured.

For example a route using a fe80:: as GW should still work because the system should take care of configuring such class on the TAP interface upon creation.

OTOH, if the interface is configured as TUN the route can always be installed because there is no need to specify a reachable GW.

After discussing with cron2, the final idea is to print a WARNING when the interface is configured in TAP mode, no IPv6 was configured and an IPv6-route is about to be added. This way, if the route installation should fail, the user is able to understand why.

Last edited 3 years ago by Antonio

comment:2 Changed 3 years ago by Antonio

First patch proposal:

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 223cb5f4..f6ae7271 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1882,12 +1882,10 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag
     }
 #endif
 
-    if (!tt->did_ifconfig_ipv6_setup)
+    if ((tt->type == DEV_TYPE_TAP) && !tt->did_ifconfig_ipv6_setup)
     {
-        msg( M_INFO, "add_route_ipv6(): not adding %s/%d: "
-             "no IPv6 address been configured on interface %s",
-             network, r6->netbits, device);
-        return;
+        msg(M_WARN, "WARNING: OpenVPN was configured to add a route towards %s/%d via %s over %s. However, no IPv6 has been configured for this interface, therefore the route installation may fail.",
+            network, r6->netbits, gateway, device);
     }
 
     msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
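
Review bot: the new condition on the first added line warns only when tt->type == DEV_TYPE_TAP, yet with the return removed the route is attempted for every device type, so a TUN interface without did_ifconfig_ipv6_setup now proceeds with no message at all. Consider dropping the device-type test so the condition is again !tt->did_ifconfig_ipv6_setup. Because the check sits inside add_route_ipv6(), the warning is also emitted once per route rather than once per run. The new text reads "no IPv6 has been configured" where the removed text said "no IPv6 address", and the single long format string could be split across lines the way the removed msg() call was.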

comment:3 in reply to: 1; Changed 3 years ago by Gert Döring

Moin,

Replying to ordex:

> After discussing with cron2, the final idea is to print a WARNING when the interface is configured in TAP mode, no IPv6 was configured and an IPv6-route is about to be added. This way, if the route installation should fail, the user is able to understand why.

"Close". I'd remove the "in TAP mode" check.

Generally speaking, the assumption is "if you want routing, you should have an interface IP (=ifconfig-ipv6) as well". By removing that check, we give people rope to hang themselves :-) - but we should tell them, in all cases.

The patch is close but I'm not sure we really want to print the warning 20 times if there are 20 route-ipv6 statements...? Maybe remove the check here completely, and add the warning to add_routes() in the if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) ) section...

comment:4 in reply to: 3; Changed 3 years ago by Antonio

Replying to cron2:

> Moin,
>
> Replying to ordex:
>
> > After discussing with cron2, the final idea is to print a WARNING when the interface is configured in TAP mode, no IPv6 was configured and an IPv6-route is about to be added. This way, if the route installation should fail, the user is able to understand why.
>
> "Close". I'd remove the "in TAP mode" check.
>
> Generally speaking, the assumption is "if you want routing, you should have an interface IP (=ifconfig-ipv6) as well". By removing that check, we give people rope to hang themselves :-) - but we should tell them, in all cases.

Yeah, I agree.

> The patch is close but I'm not sure we really want to print the warning 20 times if there are 20 route-ipv6 statements...? Maybe remove the check here completely, and add the warning to add_routes() in the if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) ) section...

yeah, we can print a generic message once only.

comment:5 Changed 3 years ago by Antonio

Reworked following your suggestions:

--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1196,6 +1196,13 @@ add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tunt
     if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
     {
         struct route_ipv6 *r;
+
+        if (!tt->did_ifconfig_ipv6_setup)
+        {
+            msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 route over %s. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.",
+                device);
+        }
+
         for (r = rl6->routes_ipv6; r; r = r->next)
         {
             if (flags & ROUTE_DELETE_FIRST)
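
Review bot: device is passed to msg() in the added block, but nothing in the visible context of add_routes() declares it; the only other use shown is inside add_route_ipv6(). Confirm it is in scope here, or take the interface name from tt. The text starts with "WARNING:" yet is logged at M_INFO, where the first proposal used M_WARN. The block also runs before the for loop whether or not rl6->routes_ipv6 is non-NULL, so an empty IPv6 route list would still produce the warning; testing rl6->routes_ipv6 in the same condition would avoid that.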
@@ -1882,14 +1889,6 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag
     }
 #endif
 
-    if (!tt->did_ifconfig_ipv6_setup)
-    {
-        msg( M_INFO, "add_route_ipv6(): not adding %s/%d: "
-             "no IPv6 address been configured on interface %s",
-             network, r6->netbits, device);
-        return;
-    }
-
     msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
          network, r6->netbits, gateway, r6->metric, device );
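
Review bot: any caller of add_route_ipv6() that does not go through add_routes() now gets neither the skip nor a warning when tt->did_ifconfig_ipv6_setup is false, because the block removed here tested that flag inside this function. It is worth checking the other call sites, and a short comment above the remaining msg( M_INFO, ...) call saying the route is attempted even without an interface address would record that the behaviour change is intentional.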

comment:6 Changed 3 years ago by Antonio

Patch sent over the ml.

comment:7 Changed 3 years ago by Gert Döring

Resolution: fixed
Status: accepted → closed

Your patch has been applied to the master and release/2.4 branch.

commit 2b7650e7ec9241745e4f66c932d6cffaece927d7 (master)
commit c74d574417b8b491fe6ad44e89843af8479cc9be (release/2.4)
Author: Antonio Quartulli
Date: Tue Jan 31 19:21:31 2017 +0800

attempt to add IPv6 route even when no IPv6 address was configured

thanks :-)
