Message ID | 20200530000600.1680-7-a@unstable.cc |
---|---|
State | Superseded |
Headers | show |
Series | Allow IPv6-only tunnels | expand |
Hi, On Sat, May 30, 2020 at 02:05:59AM +0200, Antonio Quartulli wrote: > From: Antonio Quartulli <antonio@openvpn.net> > > If no IPv4 redirection flag is set, do not enable the IPv4 > redirection logic at all so that it won't bother adding any > useless IPv4 route. > > Trac: #208 > Signed-off-by: Antonio Quartulli <antonio@openvpn.net> I can see why we want this - I tried to connect to a "v6-only-in-tunnel" server over v4, specifying "redirect-gateway !ipv4 ipv6", and it tried to install a v4 /32 redirect route... Sun Jun 7 13:20:43 2020 net_route_v4_add: 199.102.77.82/32 via 193.149.48.190 dev [NULL] table 0 metric -1 ... which is harmless, but "unnecesary fumbling" is not desirable. The reason why I'm a bit unhappy about applying it is that it will change behaviour for the "redirect-private" case, and that might break people's setups. For "redirect-gateway" or "redirect-gateway def1" (etc), it will not change anything. Can we make this conditional in a way that does not break "redirect-private"? (I used to use "redirect-private" to handle overlapping IPv4 routes without actually redirecting the whole gateway - think "VPN server is on 192.0.2.1 and you want to push 'route 192.0.2.0/24'". IPv6 handles this automatically, but v4 needs "redirect-private" for that to work) thanks :) gert
Hi,
On Sun, Jun 07, 2020 at 01:25:01PM +0200, Gert Doering wrote:
> Can we make this conditional in a way that does not break "redirect-private"?
A very simple patch would be
if (streq(p[0], "redirect-gateway"))
{
options->routes->flags |= RG_REROUTE_GW;
}
+ if (streq(p[0], "redirect-private"))
+ {
+ options->routes->flags |= RG_ENABLE;
+ }
and then take your patch as-is ("redirect-gateway with no options" would
set RG_REROUTE_GW, which, if not cleared by !ipv4, would set RG_ENABLE
later on, while "redirect-private" sets the RG_ENABLE itself).
Alternatively, set RG_ENABLE at the top (always), and clear it for "!ipv4"
else if (streq(p[j], "!ipv4"))
{
options->routes->flags &= ~(RG_REROUTE_GW|RG_ENABLE);
}
... this should do the same thing, with less code convolutions.
Configs that have *both* "redirect-private" and "redirect-gateway !ipv4 ipv6"
would still be broken. But I'm not sure such a config is well-defined
in the first place.
gert
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7556e7ee..3798731e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6591,7 +6591,14 @@ add_option(struct options *options, /* we need this here to handle pushed --redirect-gateway */ remap_redirect_gateway_flags(options); #endif - options->routes->flags |= RG_ENABLE; + /* enable IPv4 redirection logic only if at least one IPv4 flag is set. + * For instance, when "redirect-gateway !ipv4 ipv6" is specified no + * IPv4 redirection should be activated. + */ + if (options->routes->flags) + { + options->routes->flags |= RG_ENABLE; + } } else if (streq(p[0], "block-ipv6") && !p[1]) {