Today's Topics:

   1. Re: [PATCH 08/11] provider: Toggle IPv6 on the transport of IPv4 VPN connection (Jussi Laakkonen)
   2. Re: [PATCH 09/11] service: Change IPv6 support if split routing value changes on IPv4 VPN (Jussi Laakkonen)
   3. Re: [PATCH 09/11] service: Change IPv6 support if split routing value changes on IPv4 VPN (David Woodhouse)

----------------------------------------------------------------------

Date: Thu, 8 Apr 2021 11:20:51 +0300
From: Jussi Laakkonen <jussi.laakko...@jolla.com>
Subject: Re: [PATCH 08/11] provider: Toggle IPv6 on the transport of IPv4 VPN connection
To: Daniel Wagner <w...@monom.org>
Cc: connman@lists.01.org
Message-ID: <b9a12aa4-8ab3-e27a-84cb-ed66f15c2...@jolla.com>

Hi Daniel,

On 4/6/21 9:42 PM, Daniel Wagner wrote:
> Hi Jussi,
>
>> There is a check for split routing of the VPN, the
>> change is not done if the VPN is not going to be the default, i.e., split
>> routing is true. But I guess you weren't after this.
>
> My setup is actually a split IPv4/IPv6 VPN tunnel which is not the
> default route.
>

I slept on it and actually, since there is the possibility to stack VPNs, the disabling of IPv6 on the provider should also check if the transport of the VPN in question is also a VPN and skip disabling of IPv6 in that case. For me that sounds like an OK way to do it, as in such a case there would be no point in disabling IPv6 as another VPN can then handle the IPv6 traffic, which is presumably encrypted and protected. The transport is already used there, so it is just a bit of code-juggling (moving).

Cheers,
Jussi

------------------------------

Date: Thu, 8 Apr 2021 11:35:39 +0300
From: Jussi Laakkonen <jussi.laakko...@jolla.com>
Subject: Re: [PATCH 09/11] service: Change IPv6 support if split routing value changes on IPv4 VPN
To: David Woodhouse <dw...@infradead.org>, connman@lists.01.org
Message-ID: <fd6d30b7-f49e-0c2a-c041-fab387973...@jolla.com>

Hi David,

On 4/6/21 11:34 AM, David Woodhouse wrote:
> On Thu, 2021-04-01 at 17:46 +0300, Jussi Laakkonen wrote:
>> Enable/disable IPv6 on VPNs transport when the split routing value is
>> changed. This is important in both cases when a connected IPv4 VPN has
>> the value changed as with split routing -> non-split routing IPv6 should
>> be disabled as well as non-split-routing -> split routed IPv6 should be
>> re-enabled.
>
> Not necessarily. In the Cisco AnyConnect protocol there's a separate
> flag to indicate whether IPv6 should be blocked or not, even when the
> VPN does take the default Legacy IP route.
>
> Surely this should be just part of the routing information that the
> protocol-specific VPN provider itself passes back to ConnMan? It just
> needs a way to request a default IPv6 'unreachable' route?
>
> Likewise, if a VPN is IPv6-only it *might* or might not want to add a
> default Legacy IP 'unreachable' route.

Actually this is already dealt with in PATCH 08/11. Disabling of IPv6 depends on the disable_ipv6 value, which is utilized and retrieved via __connman_ipconfig_ipv6_is_enabled(), and the disable_ipv6 value is also affected by the IPv6 ipconfig method, so when it is set to CONNMAN_IPCONFIG_METHOD_OFF then disable_ipv6 will become 1. If the VPN config keeps the IPv6 ipconfig in any other state, then disabling of IPv6 is not done. The only thing that puzzles me is: does ConnMan support VPNs enabling a specific ipconfig type while connected?

>
> Just expose that facility from core ConnMan and let the VPN providers
> use it as they desire.
>

I thought of a simple way to avoid adding a new value to the config files; anyways, it would be more of a service.c config to be added to the vpn_*/settings. As there are the set/get for vpn_provider.c booleans, it might be the most straightforward way to have it as a run-time only value that depends on the actual VPN setting, so in the case of OpenConnect I could just add a simple follow on its disable IPv6 value (not sure where to apply that on WireGuard, though... Daniel?).

So in a nutshell:
 - vpn_provider.c has a boolean with key "PreventIPv6Leak", accessible by the VPN plugins via vpn_provider_{set,get}_boolean().
 - Each plugin can then be amended with the call to set the value for the "PreventIPv6Leak".
 - When changed, simply send a PropertyChanged signal that is listened to by the connmand VPN plugin (plugins/vpn.c).
 - By default the boolean in provider.c on the connmand side is set as on to indicate that IPv6 disabling is done by default, but with that signal vpn.c does change the value according to the VPN plugins' preference, based usually on user selection.

I see that as an option that is to be set by the actual VPN configuration, so later on when OpenVPN, for instance, gets IPv6 support enabled it should set the value according to user preference.

But keep in mind that even though the "PreventIPv6Leak" is on by default, whenever there is an IPv6 ipconfig enabled on the VPN acting as default route, disabling of IPv6 is not done.

Cheers,
Jussi

------------------------------

Date: Thu, 08 Apr 2021 10:20:39 +0100
From: David Woodhouse <dw...@infradead.org>
Subject: Re: [PATCH 09/11] service: Change IPv6 support if split routing value changes on IPv4 VPN
To: Jussi Laakkonen <jussi.laakko...@jolla.com>, connman@lists.01.org
Message-ID: <2258a7f0e4dfee8bf788628fb29e04c5a6fb4a58.ca...@infradead.org>

On Thu, 2021-04-08 at 11:35 +0300, Jussi Laakkonen wrote:
> So in a nutshell:
>   - vpn_provider.c has a boolean with key "PreventIPv6Leak", accessible
> by the VPN plugins via vpn_provider_{set,get}_boolean().
>   - Each plugin can then be amended with the call to set the value for
> the "PreventIPv6Leak"
>   - When changed, simply send a PropertyChanged signal that is listened
> by the connmand VPN plugin (plugins/vpn.c)
>   - By default the boolean in provider.c on connmand side is set as on
> to indicate that IPv6 disabling is done by default, but with that signal
> vpn.c does change the value according to the VPN plugins' preference
> based usually on user selection.

I'd suggest not calling it 'PreventIPv6Leak'. We need to prevent a leak to *any* unconfigured protocol, be it IPv6 or Legacy IP.

Sure, the most common case these days might be a VPN that provides only Legacy IP traffic and wants to block the client from using local IPv6, but it's also *perfectly* feasible that a VPN could provide only IPv6 and want to block Legacy IP.

Remember, the blocker to "IPv6 everywhere" has been deployment to crappy end-user networks, random airports and hotels etc. — none of which matters when the client already established a VPN back to the "home" network. So a VPN which provides only IPv6 isn't even that unlikely. It wouldn't surprise me if Facebook are already doing it; isn't their network purely IPv6 internally, with proxying/NAT for incoming connections from the 1980s?

Don't build asymmetric assumptions into the core of ConnMan. Make it capable of blocking Legacy IP when the VPN has only IPv6 as well.

And don't forget to cope with the case of connecting *over* IPv6 to a Legacy-only VPN, and vice versa. You want to block everything in the unconfigured protocol *except* the actual VPN gateway in that case.

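The conditions raised across this thread (split routing, a stacked VPN as transport, the plugin's leak-prevention preference, and the request to treat both address families symmetrically with an exception for the VPN gateway) can be combined into one decision function. This is an added sketch, not ConnMan code or anything posted to the list; every type, field and function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the discussed policy; none of these names are ConnMan's. */
enum family { FAM_NONE = 0, FAM_IPV4 = 1, FAM_IPV6 = 2 };

struct vpn_state {
	unsigned configured;        /* bitmask of families the VPN itself provides */
	bool split_routing;         /* true: the VPN is not the default route */
	bool transport_is_vpn;      /* stacked VPNs: the transport is another VPN */
	bool prevent_leak;          /* plugin preference, on by default */
	enum family gateway_family; /* family used to reach the VPN gateway */
};

struct block_plan {
	unsigned blocked;           /* families to block on the transport */
	unsigned gateway_exempt;    /* blocked family where the gateway stays reachable */
};

struct block_plan plan_leak_block(const struct vpn_state *v)
{
	struct block_plan p = { FAM_NONE, FAM_NONE };

	/* Nothing is blocked for split routing, a VPN transport, or a plugin opt-out. */
	if (v->split_routing || v->transport_is_vpn || !v->prevent_leak)
		return p;

	/* Block every family the VPN left unconfigured, IPv6 or Legacy IP alike. */
	p.blocked = (FAM_IPV4 | FAM_IPV6) & ~v->configured;
	/* Connecting over a blocked family: only the gateway may remain reachable. */
	if (p.blocked & (unsigned)v->gateway_family)
		p.gateway_exempt = v->gateway_family;
	return p;
}

int main(void)
{
	/* Constructed cases: v4-only VPN reached over v6, v6-only VPN, split routing. */
	struct vpn_state cases[] = {
		{ FAM_IPV4, false, false, true, FAM_IPV6 },
		{ FAM_IPV6, false, false, true, FAM_IPV6 },
		{ FAM_IPV4, true, false, true, FAM_IPV4 },
	};
	for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct block_plan p = plan_leak_block(&cases[i]);
		printf("case %u: blocked=%u gateway_exempt=%u\n", i, p.blocked, p.gateway_exempt);
	}
	return 0;
}
```

A VPN that configures both families yields an empty plan, which matches the statement in the thread that IPv6 is not disabled when the default-route VPN has an IPv6 ipconfig enabled.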
End of connman Digest, Vol 66, Issue 13