David Dahlberg([email protected]) on 2018.07.03 14:39:10 +0200:
> On Tuesday, 03.07.2018, at 13:42 +0200, Stefan Sperling wrote:
> > Would you be able to send a patch for the iked man page which
> > explicitly mentions VPN traffic leakage and RFC 7359 (in the
> > STANDARDS section, perhaps)?
>
> No problem; VPN leakage is already mentioned. As you mentioned, it is
> slightly ambiguous.
>
> Yet in my case the problem was more that I did not expect something
> there. Had I read about the "-6" option, I would have understood
> the significance.
>
> My problem was that I silently expected native OpenBSD daemons not to have
> a lot of startup options (apart from the usual "-dnv"). Indeed, I even
> scanned iked(8) to find the "-ST" flags to reduce the noise.
>
> So I was rather expecting to find something in iked.conf(5) or maybe a
> sysctl or something with "man -k any=flow" or "any=policy".
>
> I am not that much of an expert in mdoc(7), but other man pages declare
> flows with ".Ic". "Internal or interactive command" does not sound
> really correct though.
>
> A "preview" of the patch follows.
> A file without the mangled line breaks is available here:
> https://cloud.dahlberg.cologne/index.php/s/55HzfcHcrosC6CD
>
> Index: sbin/iked/iked.8 > =================================================================== > RCS file: /cvs/src/sbin/iked/iked.8,v > retrieving revision 1.20 > diff -u -p -u -r1.20 iked.8 > --- sbin/iked/iked.8 27 Mar 2017 10:06:41 -0000 1.20 > +++ sbin/iked/iked.8 3 Jul 2018 12:30:44 -0000 > @@ -59,9 +59,11 @@ The options are as follows: > Disable automatic blocking of IPv6 traffic. > By default, > .Nm > -blocks any IPv6 traffic unless a flow for this address family has been > -negotiated. > -This option is used to prevent VPN traffic leakages on dual stack > hosts. > +blocks any IPv6 traffic unless a > +.Ic flow > +for this address family has been negotiated. > +This option disables VPN traffic leakages prevention on dual stack > hosts

disable a leakage sounds funny, you can prevent or block it.
Better: The default behaviour to block all IPv6 traffic is to prevent
VPN traffic leakages on dual stack hosts (see RFC 7359).
Or just use the original line + RFC.

> +(RFC 7359). > .It Fl D Ar macro Ns = Ns Ar value > Define > .Ar macro >
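
Review bot: The added ".Ic flow" lines mark "flow" with the mdoc(7) macro for internal or interactive commands, but the sentence uses the word as an ordinary noun for a negotiated flow, so plain text fits better there; if the intent is to point readers at the configuration keyword, a cross-reference to iked.conf(5) says that more directly. The replacement sentence "This option disables VPN traffic leakages prevention on dual stack hosts" is also hard to parse: say that the default blocking exists to prevent VPN traffic leakage (RFC 7359) and that this option turns that blocking off, so a reader sees both the protection and what the flag removes. The wrapped "hosts" continuation lines have lost their "+" and "-" prefixes, so the hunk will not apply as posted.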
