From patchwork Mon Sep 14 23:41:01 2020
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 1453
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 15 Sep 2020 11:41:01 +0200
Message-Id: <20200915094101.86470-1-gert@greenie.muc.de>
In-Reply-To: <20200914182323.71971-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] Fix netbits setting (in TAP mode) for IPv6 on Windows.

For TUN interfaces, the IPv6 address needs to be configured with "address/128" and a local subnet route is needed, pointing to our fake gateway fe80::8. There are no ethernet headers or ND outside the tun/tap interface, so anything but fe80::8 is not resolvable.

For TAP interfaces, the proper subnet mask (netbits) must be configured, and no connected route to "our local host address" must be configured, to make IPv6 ND work inside the local subnet.

Our code was nicely consistent in doing the same thing in tun.c ("gui/openvpn running with admin privileges") and in the requests to the interactive service ("gui running with user privs"). Fix in both places.

On tun close, symmetric to addition, remove the on-link subnet route only for "tun" interfaces. Address removal works without specifying netbits.

While at it, extend do_address_service() to actually log both IPv4 and IPv6 addresses requested via it.

Tested on Win10/64.

v2:
- change logging to use D_IFCONFIG
- fix whitespace on "?"
operator Reported-By: Laurent Fasnacht Reported-By: Klara Mall Trac: #1054 Signed-off-by: Gert Doering Acked-by: Lev Stipakov --- src/openvpn/errlevel.h | 1 + src/openvpn/tun.c | 32 +++++++++++++++++++++++++------- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h index e448fc37..5663f841 100644 --- a/src/openvpn/errlevel.h +++ b/src/openvpn/errlevel.h @@ -91,6 +91,7 @@ #define D_OSBUF LOGLEV(3, 43, 0) /* show socket/tun/tap buffer sizes */ #define D_PS_PROXY LOGLEV(3, 44, 0) /* messages related to --port-share option */ #define D_PF_INFO LOGLEV(3, 45, 0) /* packet filter informational messages */ +#define D_IFCONFIG LOGLEV(3, 0, 0) /* show ifconfig info (don't mute) */ #define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */ #define D_SHOW_OCC LOGLEV(4, 51, 0) /* show options compatibility string */ diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index fde94294..faa02504 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -115,11 +115,17 @@ do_address_service(const bool add, const short family, const struct tuntap *tt) { addr.address.ipv4.s_addr = htonl(tt->local); addr.prefix_len = netmask_to_netbits2(tt->adapter_netmask); + msg(D_IFCONFIG, "INET address service: %s %s/%d", + add ? "add" : "remove", + print_in_addr_t(tt->local, 0, &gc), addr.prefix_len); } else { addr.address.ipv6 = tt->local_ipv6; - addr.prefix_len = tt->netbits_ipv6; + addr.prefix_len = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6; + msg(D_IFCONFIG, "INET6 address service: %s %s/%d", + add ? "add" : "remove", + print_in6_addr(tt->local_ipv6, 0, &gc), addr.prefix_len); } if (!send_msg_iservice(pipe, &addr, sizeof(addr), &ack, "TUN")) 
@@ -1088,24 +1094,36 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu, else if (tt->options.msg_channel) { do_address_service(true, AF_INET6, tt); - add_route_connected_v6_net(tt, es); + if (tt->type == DEV_TYPE_TUN) + { + add_route_connected_v6_net(tt, es); + } do_dns_service(true, AF_INET6, tt); do_set_mtu_service(tt, AF_INET6, tun_mtu); } else { /* example: netsh interface ipv6 set address interface=42 - * 2001:608:8003::d store=active + * 2001:608:8003::d/bits store=active */ char iface[64]; + /* in TUN mode, we only simulate a subnet, so the interface + * is configured with /128 + a route to fe80::8. In TAP mode, + * the correct netbits must be set, and no on-link route + */ + int netbits = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6; + openvpn_snprintf(iface, sizeof(iface), "interface=%lu", tt->adapter_index); - argv_printf(&argv, "%s%s interface ipv6 set address %s %s store=active", + argv_printf(&argv, "%s%s interface ipv6 set address %s %s/%d store=active", get_win_sys_path(), NETSH_PATH_SUFFIX, iface, - ifconfig_ipv6_local); + ifconfig_ipv6_local, netbits); netsh_command(&argv, 4, M_FATAL); - add_route_connected_v6_net(tt, es); + if (tt->type == DEV_TYPE_TUN) + { + add_route_connected_v6_net(tt, es); + } /* set ipv6 dns servers if any are specified */ netsh_set_dns6_servers(tt->options.dns6, tt->options.dns6_len, ifname); windows_set_mtu(tt->adapter_index, AF_INET6, tun_mtu); @@ -6688,7 +6706,7 @@ netsh_delete_address_dns(const struct tuntap *tt, bool ipv6, struct gc_arena *gc netsh_command(&argv, 1, M_WARN); } - if (ipv6) + if (ipv6 && tt->type == DEV_TYPE_TUN) { delete_route_connected_v6_net(tt); }