Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
Hi,

On Sun, Jan 20, 2013 at 07:50:30PM +0100, Gert Doering wrote:
> From cdfbc8952a01acde0eedf08fa0ebefed38fa2763 Mon Sep 17 00:00:00 2001
> From: Gert Doering
> Date: Sun, 20 Jan 2013 20:50:38 +0200
> Subject: [PATCH] Permit pool size of /64.../112 for ifconfig-ipv6-pool
>
> (Leftover check from the early days where --server-ipv6 also only
> accepted /64 - nowadays we handle smaller pools just fine)

... talking to myself again... committed to master and release/2.3

commit 704d9273b6e0e253b62eb728fddd5bbb02503eea (master)
commit 0fb2391660a369853f20fd4807eaa5ed3461e755 (release/2.3)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
On 20.01.13 19:50, Gert Doering wrote:
> Hi,
>
> On Sun, Jan 20, 2013 at 04:49:51PM +0100, Marcel Pennewiß wrote:
>>> in time for 2.3, one of the remaining open itches for the IPv6 code
>>> is now fixed :-) (and the changes needed turned out to be fairly
>>> trivial).
>> Using ifconfig-ipv6-pool instead of server-ipv6(-macro) does not allow
>> non-/64 prefix (in current 2.3). Bug or Feature?
> Smells buggy. As server-ipv6 is just a macro (not really, but sort of).
>
> Indeed... options.c:
>
>   else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] )
>   ...
>       if ( netbits != 64 )
>         {
>           msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits );
>           goto err;
>         }
>
> ... this is a leftover from the initial days, where nothing else was
> supported (not for server-ipv6 either).
>
> Patch is trivial, please find attached. David: 2.3.1 and 2.4.0, please :-)

Patch looks good. ACK from me.

Arne
Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
Hi,

On Sun, Jan 20, 2013 at 04:49:51PM +0100, Marcel Pennewiß wrote:
> > in time for 2.3, one of the remaining open itches for the IPv6 code
> > is now fixed :-) (and the changes needed turned out to be fairly
> > trivial).
>
> Using ifconfig-ipv6-pool instead of server-ipv6(-macro) does not allow
> non-/64 prefix (in current 2.3). Bug or Feature?

Smells buggy. As server-ipv6 is just a macro (not really, but sort of).

Indeed... options.c:

  else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] )
  ...
      if ( netbits != 64 )
        {
          msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits );
          goto err;
        }

... this is a leftover from the initial days, where nothing else was supported (not for server-ipv6 either).

Patch is trivial, please find attached. David: 2.3.1 and 2.4.0, please :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

From cdfbc8952a01acde0eedf08fa0ebefed38fa2763 Mon Sep 17 00:00:00 2001 From: Gert Doering List-Post: openvpn-devel@lists.sourceforge.net Date: Sun, 20 Jan 2013 20:50:38 +0200 Subject: [PATCH] Permit pool size of /64.../112 for ifconfig-ipv6-pool (Leftover check from the early days where --server-ipv6 also only accepted /64 - nowadays we handle smaller pools just fine) Signem-off-by: Gert Doering --- src/openvpn/options.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8ca41a3..1d89e4b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -5484,9 +5484,9 @@ add_option (struct options *options, msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters"); goto err; } - if ( netbits != 64 ) + if ( netbits < 64 || netbits > 112 ) { - msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits ); + msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits ); goto err; } -- 1.7.3.5 pgpluBHBLkzV3.pgp Description: PGP signature
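Review bot: The new range check `if ( netbits < 64 || netbits > 112 )` in add_option() writes its bounds as bare literals that repeat the ones in the --server-ipv6 branch, and this patch exists because those two checks drifted apart; a pair of named constants shared by both branches and by the "/64../112" error text would keep them in step. The diffstat shows only options.c changing, so the documented range for --ifconfig-ipv6-pool should be updated alongside. The trailer in the commit message reads "Signem-off-by" as shown here and needs to be "Signed-off-by" to be recognised.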
Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
On Fri, 3 Feb 2012 09:44:26 +0100 Gert Doering wrote:
> Hi,
>
> in time for 2.3, one of the remaining open itches for the IPv6 code
> is now fixed :-) (and the changes needed turned out to be fairly
> trivial).

Using ifconfig-ipv6-pool instead of server-ipv6(-macro) does not allow non-/64 prefix (in current 2.3). Bug or Feature?

Best regards,
Marcel
Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6 [v2]
On 03/02/12 18:12, Gert Doering wrote:
> Hi,
>
> On Fri, Feb 03, 2012 at 04:19:31PM +0100, Gert Doering wrote:
> > On Fri, Feb 03, 2012 at 03:10:37PM +0100, Michael wrote:
> > > the patch does not remove
> > >
> > > +++ b/push.c
> > > @@ -245,8 +245,9 @@ send_push_reply (struct context *c)
> > >    /* TODO: push "/netbits" as well, to allow non-/64 subnet sizes
> > >     * (needs changes in options.c, options.h, and other places)
> > >     */
>
> Now it does :-) - thanks for pointing this out. v2 patch attached.
>
> "git --reset" is my friend ;-)

ACK. Applied to master branch on -testing and stable.

commit c55e9562d64f381ba46b83a02503f6239e23d3ef
Author: Gert Doering
Date: Fri Feb 3 17:11:03 2012 +0100

    Implement IPv6 interface config with non-/64 prefix lengths.

    Signed-off-by: Gert Doering
    Acked-by: David Sommerseth
    Signed-off-by: David Sommerseth

kind regards,

David Sommerseth
Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6 [v2]
Hi,

On Fri, Feb 03, 2012 at 04:19:31PM +0100, Gert Doering wrote:
> On Fri, Feb 03, 2012 at 03:10:37PM +0100, Michael wrote:
> > the patch does not remove
> >
> > +++ b/push.c
> > @@ -245,8 +245,9 @@ send_push_reply (struct context *c)
> >    /* TODO: push "/netbits" as well, to allow non-/64 subnet sizes
> >     * (needs changes in options.c, options.h, and other places)
> >     */

Now it does :-) - thanks for pointing this out. v2 patch attached.

"git --reset" is my friend ;-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

From 53e78848f552235c3270419771f3e3293dfe91ec Mon Sep 17 00:00:00 2001 From: Gert Doering List-Post: openvpn-devel@lists.sourceforge.net Date: Fri, 3 Feb 2012 17:11:03 +0100 Subject: [PATCH] Implement IPv6 interface config with non-/64 prefix lengths. Add "ifconfig_ipv6_netbits_parm" parameter to init_tun(), use that to initialize tt->netbits_ipv6 (previously: always /64). Actual interface setup code already used tt->netbits_ipv6, so no changes needed there. Remove restrictions on "/netbits" value for --server-ipv6 config option (can now be /64.../112, previously had to be exactly /64). Supporting even smaller networks could cause problems with ipv6-pool handling and are only allowed for explicit "ifconfig-ipv6", not for "server-ipv6". Add /netbits to pushed "ifconfig-ipv6" values on server side (client side always accepted this, but ignored it so far, so this does not break compatibility). Tested on Linux/ifconfig, Linux/iproute2 and FreeBSD 7.4 Signed-off-by: Gert Doering --- TODO.IPv6 |2 ++ helper.c |8 +--- init.c|1 + options.c |5 +++-- push.c|6 ++ tun.c |4 +++- tun.h |1 + 7 files changed, 17 insertions(+), 10 deletions(-) diff --git a/TODO.IPv6 b/TODO.IPv6 index 87c47b3..f23cce0 100644 --- a/TODO.IPv6 +++ b/TODO.IPv6 
@@ -77,6 +77,8 @@ tun0: flags=8051 mtu 1500 of /netbits, and correctly ifconfig'ing this (default, if not specified: /64) +* done * 2012-02-03 + 11.) do not add ipv6-routes if tun-ipv6 is not set - complain instead * done * 12.1.10 diff --git a/helper.c b/helper.c index c7333f6..22ea652 100644 --- a/helper.c +++ b/helper.c @@ -184,12 +184,14 @@ helper_client_server (struct options *o) print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc ); o->ifconfig_ipv6_remote = print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc ); + o->ifconfig_ipv6_netbits = o->server_netbits_ipv6; + + /* pool starts at "base address + 0x1000" - leave enough room */ + ASSERT( o->server_netbits_ipv6 <= 112 );/* want 16 bits */ - /* pool starts at "base address + 0x1" */ - ASSERT( o->server_netbits_ipv6 < 96 ); /* want 32 bits */ o->ifconfig_ipv6_pool_defined = true; o->ifconfig_ipv6_pool_base = - add_in6_addr( o->server_network_ipv6, 0x1 ); + add_in6_addr( o->server_network_ipv6, 0x1000 ); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; o->tun_ipv6 = true; diff --git a/init.c b/init.c index b8cb84f..525f441 100644 --- a/init.c +++ b/init.c @@ -1415,6 +1415,7 @@ do_init_tun (struct context *c) c->options.ifconfig_local, c->options.ifconfig_remote_netmask, c->options.ifconfig_ipv6_local, + c->options.ifconfig_ipv6_netbits, c->options.ifconfig_ipv6_remote, addr_host (&c->c1.link_socket_addr.local), addr_host (&c->c1.link_socket_addr.remote), diff --git a/options.c b/options.c index 0fbe368..cb9738a 100644 --- a/options.c +++ b/options.c @@ -2926,6 +2926,7 @@ options_string (const struct options *o, o->ifconfig_local, o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, +o->ifconfig_ipv6_netbits, o->ifconfig_ipv6_remote, (in_addr_t)0, (in_addr_t)0, 
@@ -5396,9 +5397,9 @@ add_option (struct options *options, msg (msglevel, "error parsing --server-ipv6 parameter"); goto err; } - if ( netbits != 64 ) + if ( netbits < 64 || netbits > 112 ) { - msg( msglevel, "--server-ipv6 settings: only /64 supported right now (not /%d)", netbits ); + msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits ); goto err; } options->server_ipv6_defined = true; diff --git a/push.c b/push.c index a8ce356..8a8779
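Review bot: In the helper.c hunk, `add_in6_addr( o->server_network_ipv6, 0x1000 )` changes the pool base for every --server-ipv6 setup, existing /64 ones included, so clients will be handed different addresses after an upgrade; the commit message describes only the new prefix lengths and should say this as well. The offset 0x1000 and the `<= 112` in the ASSERT depend on each other (a /112 leaves 16 host bits, and the pool skips the first 0x1000 addresses of them), so the "leave enough room" comment would be clearer if it stated that relation, with both numbers taken from named constants.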
Re: [Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
Hi,

On Fri, Feb 03, 2012 at 03:10:37PM +0100, Michael wrote:
> the patch does not remove
>
> +++ b/push.c
> @@ -245,8 +245,9 @@ send_push_reply (struct context *c)
>    /* TODO: push "/netbits" as well, to allow non-/64 subnet sizes
>     * (needs changes in options.c, options.h, and other places)
>     */
>
> though the code now does it?

Indeed, thanks. I overlooked that.

(Need to check with Dazo how to get that into the same commit...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
[Openvpn-devel] IPv6 enhancement: non-/64 prefix lengths for IPv6
Hi,

in time for 2.3, one of the remaining open itches for the IPv6 code is now fixed :-) (and the changes needed turned out to be fairly trivial).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

From 8873bdf1c69c7fd655d7cce23b1dbf2d542b5cab Mon Sep 17 00:00:00 2001 From: Gert Doering List-Post: openvpn-devel@lists.sourceforge.net Date: Fri, 3 Feb 2012 08:42:09 +0100 Subject: [PATCH] Implement IPv6 interface config with non-/64 prefix lengths. Add "ifconfig_ipv6_netbits_parm" parameter to init_tun(), use that to initialize tt->netbits_ipv6 (previously: always /64). Actual interface setup code already used tt->netbits_ipv6, so no changes needed there. Remove restrictions on "/netbits" value for --server-ipv6 config option (can now be /64.../112, previously had to be exactly /64). Supporting even smaller networks could cause problems with ipv6-pool handling and are only allowed for explicit "ifconfig-ipv6", not for "server-ipv6". Add /netbits to pushed "ifconfig-ipv6" values on server side (client side always accepted this, but ignored it so far, so this does not break compatibility). Tested on Linux/ifconfig, Linux/iproute2 and FreeBSD 7.4 Signed-off-by: Gert Doering --- helper.c |8 +--- init.c|1 + options.c |5 +++-- push.c|3 ++- tun.c |4 +++- tun.h |1 + 6 files changed, 15 insertions(+), 7 deletions(-) diff --git a/helper.c b/helper.c index c7333f6..22ea652 100644 --- a/helper.c +++ b/helper.c 
@@ -184,12 +184,14 @@ helper_client_server (struct options *o) print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc ); o->ifconfig_ipv6_remote = print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc ); + o->ifconfig_ipv6_netbits = o->server_netbits_ipv6; + + /* pool starts at "base address + 0x1000" - leave enough room */ + ASSERT( o->server_netbits_ipv6 <= 112 );/* want 16 bits */ - /* pool starts at "base address + 0x1" */ - ASSERT( o->server_netbits_ipv6 < 96 ); /* want 32 bits */ o->ifconfig_ipv6_pool_defined = true; o->ifconfig_ipv6_pool_base = - add_in6_addr( o->server_network_ipv6, 0x1 ); + add_in6_addr( o->server_network_ipv6, 0x1000 ); o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; o->tun_ipv6 = true; diff --git a/init.c b/init.c index b8cb84f..525f441 100644 --- a/init.c +++ b/init.c @@ -1415,6 +1415,7 @@ do_init_tun (struct context *c) c->options.ifconfig_local, c->options.ifconfig_remote_netmask, c->options.ifconfig_ipv6_local, + c->options.ifconfig_ipv6_netbits, c->options.ifconfig_ipv6_remote, addr_host (&c->c1.link_socket_addr.local), addr_host (&c->c1.link_socket_addr.remote), diff --git a/options.c b/options.c index 0fbe368..cb9738a 100644 --- a/options.c +++ b/options.c @@ -2926,6 +2926,7 @@ options_string (const struct options *o, o->ifconfig_local, o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, +o->ifconfig_ipv6_netbits, o->ifconfig_ipv6_remote, (in_addr_t)0, (in_addr_t)0, @@ -5396,9 +5397,9 @@ add_option (struct options *options, msg (msglevel, "error parsing --server-ipv6 parameter"); goto err; } - if ( netbits != 64 ) + if ( netbits < 64 || netbits > 112 ) { - msg( msglevel, "--server-ipv6 settings: only /64 supported right now (not /%d)", netbits ); + msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits ); goto err; } options->server_ipv6_defined = true; diff --git a/push.c b/push.c index a8ce356..9f4c50e 100644 --- a/push.c +++ b/push.c 
@@ -245,8 +245,9 @@ send_push_reply (struct context *c) /* TODO: push "/netbits" as well, to allow non-/64 subnet sizes * (needs changes in options.c, options.h, and other places) */ - buf_printf( &buf, ",ifconfig-ipv6 %s %s", + buf_printf( &buf, ",ifconfig-ipv6 %s/%d %s", print_in6_addr( c->c2.push_ifconfig_ipv6_local, 0, &gc), + c->c2.push_ifconfig_ipv6_netbits, print_in6_addr( c->c2.push_ifconfig_ipv6_remote, 0, &gc) ); if (BLEN (&buf) >= safe_cap) { diff --git a/tun.c b/tun.c index c9af168..1527ac8 100644 --- a/tun.c +++ b/tun.c @@ -404,6 +404,7 @@ init_tun (const char *dev, /*
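Review bot: In the push.c hunk, the comment `TODO: push "/netbits" as well` is left in place as context directly above the buf_printf() that now pushes `%s/%d`, so it is stale and should be removed in this same patch. The new format argument `c->c2.push_ifconfig_ipv6_netbits` is not assigned in any hunk visible here, so it is worth confirming that every path which sets push_ifconfig_ipv6_local also sets the netbits value; otherwise a client could be pushed "/0".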