Re: iked(8): get rid of IPv6 flow and -6 flag?
On Wed, Jan 15, 2020 at 07:41:46PM +, Stuart Henderson wrote: > On 2020/01/14 21:48, Stuart Henderson wrote: > > > while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { > > > switch (c) { > > > case '6': > > > - opts |= IKED_OPT_NOIPV6BLOCKING; > > > + log_warnx("the -6 option is deprecated and will be " > > > + "removed in the future."); > > > > "deprecated" implies that it still works but you shouldn't use it any more. > > > > Perhaps "ignored" or "no longer supported" instead? > > > > Now that this is committed anyway - can I do this or something similar? > > deprecate -> "discouragement of use of some terminology, feature, > design, or practice, typically because it has been superseded or is no > longer considered efficient or safe, without completely removing it or > prohibiting its use" > > Index: iked.c > === > RCS file: /cvs/src/sbin/iked/iked.c,v > retrieving revision 1.39 > diff -u -p -r1.39 iked.c > --- iked.c14 Jan 2020 22:28:29 - 1.39 > +++ iked.c15 Jan 2020 19:39:37 - > @@ -76,7 +76,7 @@ main(int argc, char *argv[]) > while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { > switch (c) { > case '6': > - log_warnx("the -6 option is deprecated and will be " > + log_warnx("the -6 option is ignored and will be " > "removed in the future."); > break; > case 'd': > I totally missed that part of your previous mail, sorry. Reading the definition it seems you are right that "ignored" is the better word here. ok tobhe@
Re: iked(8): get rid of IPv6 flow and -6 flag?
I strongly agree that we should avoid use of the word 'deprecated' towards the public. People interpret what it means differently, so try to be EXACT. 'deprecated' is our choice to make the change, but 'ignored' is the result of that decision upon the people. Stuart Henderson wrote: > On 2020/01/14 21:48, Stuart Henderson wrote: > > > while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { > > > switch (c) { > > > case '6': > > > - opts |= IKED_OPT_NOIPV6BLOCKING; > > > + log_warnx("the -6 option is deprecated and will be " > > > + "removed in the future."); > > > > "deprecated" implies that it still works but you shouldn't use it any more. > > > > Perhaps "ignored" or "no longer supported" instead? > > > > Now that this is committed anyway - can I do this or something similar? > > deprecate -> "discouragement of use of some terminology, feature, > design, or practice, typically because it has been superseded or is no > longer considered efficient or safe, without completely removing it or > prohibiting its use" > > Index: iked.c > === > RCS file: /cvs/src/sbin/iked/iked.c,v > retrieving revision 1.39 > diff -u -p -r1.39 iked.c > --- iked.c14 Jan 2020 22:28:29 - 1.39 > +++ iked.c15 Jan 2020 19:39:37 - > @@ -76,7 +76,7 @@ main(int argc, char *argv[]) > while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { > switch (c) { > case '6': > - log_warnx("the -6 option is deprecated and will be " > + log_warnx("the -6 option is ignored and will be " > "removed in the future."); > break; > case 'd': >
Re: iked(8): get rid of IPv6 flow and -6 flag?
On 2020/01/14 21:48, Stuart Henderson wrote: > > while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { > > switch (c) { > > case '6': > > - opts |= IKED_OPT_NOIPV6BLOCKING; > > + log_warnx("the -6 option is deprecated and will be " > > + "removed in the future."); > > "deprecated" implies that it still works but you shouldn't use it any more. > > Perhaps "ignored" or "no longer supported" instead? > Now that this is committed anyway - can I do this or something similar? deprecate -> "discouragement of use of some terminology, feature, design, or practice, typically because it has been superseded or is no longer considered efficient or safe, without completely removing it or prohibiting its use" Index: iked.c === RCS file: /cvs/src/sbin/iked/iked.c,v retrieving revision 1.39 diff -u -p -r1.39 iked.c --- iked.c 14 Jan 2020 22:28:29 - 1.39 +++ iked.c 15 Jan 2020 19:39:37 - @@ -76,7 +76,7 @@ main(int argc, char *argv[]) while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { switch (c) { case '6': - log_warnx("the -6 option is deprecated and will be " + log_warnx("the -6 option is ignored and will be " "removed in the future."); break; case 'd':
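Review bot: the `case '6'` hunk still lacks the removal reminder benno@ asked for earlier in the thread; with the wording settled, add `/* XXX remove during OpenBSD 6.7-current */` above the log_warnx() call so the no-op does not outlive its purpose. Since -6 was already dropped from the iked.8 SYNOPSIS and the usage() string in the original diff, this warning is now the only place a user learns what the flag did, so naming the replacement in the message (a `type deny` flow in ipsec.conf(5), as noted elsewhere in the thread) would save them a search.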
Re: iked(8): get rid of IPv6 flow and -6 flag?
On 2020/01/14 21:48, Stuart Henderson wrote: > On 2020/01/14 21:03, Tobias Heider wrote: > > On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote: > > > Stuart Henderson wrote: > > > > > > > On 2020/01/13 20:51, Klemens Nanni wrote: > > > > > I'm in favour of removing the option and OK with your diff, but simply > > > > > removing it is probably a bad idea given its nature. > > > > > > > > > > What about printing a deprecation warning so that users can safely > > > > > adjust their rcctl flags instead of running into "iked(failed)" on the > > > > > next snapshot. > > > > > > > > Yes please make -6 a noop or a warning rather than an error. Sometimes > > > > breakage is unavoidable, but this isn't one of those cases. > > > > > > I agree. > > > > > > > Makes sense. I added a warning and a notice in current.html. > > > > ok? > > > > Index: www/faq/current.html > > === > > RCS file: /cvs/www/faq/current.html,v > > retrieving revision 1.1017 > > diff -u -p -r1.1017 current.html > > --- www/faq/current.html31 Dec 2019 02:18:01 - 1.1017 > > +++ www/faq/current.html14 Jan 2020 19:32:25 - > > @@ -135,6 +135,12 @@ or they can be rebuilt from ports. > > > > > > +2020/1/14 - iked(8) automatic IPv6 blocking removed > > > > + > > +https://man.openbsd.org/iked.8";>iked(8) no longer > > automatically adds > > +an IPv6 blocking IPsec flow. > > +The -6 option is deprecated and should be removed from > > + > href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local. > > How about this? > > > Index: current.html > === > RCS file: /cvs/www/faq/current.html,v > retrieving revision 1.1017 > diff -u -p -r1.1017 current.html > --- current.html 31 Dec 2019 02:18:01 - 1.1017 > +++ current.html 14 Jan 2020 21:47:35 - 
> @@ -136,6 +136,33 @@ or they can be rebuilt from ports. > --> > > > +2020/1/14 - iked(8) automatic IPv6 blocking removed > + > +https://man.openbsd.org/iked.8";>iked(8) no longer automatically > +blocks unencrypted outbound IPv6 packets. > +This feature was intended to avoid accidental leakage, but in practice was > +found to mostly be a cause of misconfiguration. > +The -6 flag was used to disable this feature but is now no > longer > +needed and should be removed from +href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local > +if used. > + > +Instead, if you would like to explicitly block these packets, add the > following Actually, on reading it back now I've posted it, "instead" is bad here, with the previous sentence it makes it seem like this is something to do if you *did* use -6, when actually it's something to do if you *didn't* use -6 and want to keep the feature. ... So here's some reordering that works better: Index: current.html === RCS file: /cvs/www/faq/current.html,v retrieving revision 1.1017 diff -u -p -r1.1017 current.html --- current.html31 Dec 2019 02:18:01 - 1.1017 +++ current.html14 Jan 2020 21:53:31 - 
@@ -136,6 +136,34 @@ or they can be rebuilt from ports. --> +2020/1/14 - iked(8) automatic IPv6 blocking removed + +https://man.openbsd.org/iked.8";>iked(8) no longer automatically +blocks unencrypted outbound IPv6 packets. +This feature was intended to avoid accidental leakage, but in practice was +found to mostly be a cause of misconfiguration. +Instead, if you would like to explicitly block these packets, add the following +line to https://man.openbsd.org/ipsec.conf.5";>/etc/ipsec.conf +(not iked.conf): + + +flow esp out from ::/0 to ::/0 type deny + + +and enable loading it with + + +# rcctl enable ipsec # to load at boot +# ipsecctl -f /etc/ipsec.conf # to load immediately + + +If you previously used https://man.openbsd.org/iked.8";>iked(8)'s +-6 flag to disable this feature, it is no longer needed and should +be removed from https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local +if used. + +
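Review bot: the new paragraph should say how the static deny flow interacts with IPsec policies iked negotiates later. The pfkey_block() code removed by the original diff withdrew the blanket ::/0 deny (SADB_X_DELFLOW) as soon as the first IPv6 flow was loaded, whereas an /etc/ipsec.conf entry stays installed, so readers with IPv6 IPsec peers need to know whether their negotiated flows take precedence over it or whether they should leave it out. Minor: the last paragraph says "If you previously used ... it is no longer needed and should be removed ... if used", which states the condition twice; dropping the trailing "if used" reads cleaner.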
Re: iked(8): get rid of IPv6 flow and -6 flag?
On 2020/01/14 21:03, Tobias Heider wrote: > On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote: > > Stuart Henderson wrote: > > > > > On 2020/01/13 20:51, Klemens Nanni wrote: > > > > I'm in favour of removing the option and OK with your diff, but simply > > > > removing it is probably a bad idea given its nature. > > > > > > > > What about printing a deprecation warning so that users can safely > > > > adjust their rcctl flags instead of running into "iked(failed)" on the > > > > next snapshot. > > > > > > Yes please make -6 a noop or a warning rather than an error. Sometimes > > > breakage is unavoidable, but this isn't one of those cases. > > > > I agree. > > > > Makes sense. I added a warning and a notice in current.html. > > ok? > > Index: www/faq/current.html > === > RCS file: /cvs/www/faq/current.html,v > retrieving revision 1.1017 > diff -u -p -r1.1017 current.html > --- www/faq/current.html 31 Dec 2019 02:18:01 - 1.1017 > +++ www/faq/current.html 14 Jan 2020 19:32:25 - > @@ -135,6 +135,12 @@ or they can be rebuilt from ports. > > > +2020/1/14 - iked(8) automatic IPv6 blocking removed > + > +https://man.openbsd.org/iked.8";>iked(8) no longer automatically > adds > +an IPv6 blocking IPsec flow. > +The -6 option is deprecated and should be removed from > + href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local. How about this? Index: current.html === RCS file: /cvs/www/faq/current.html,v retrieving revision 1.1017 diff -u -p -r1.1017 current.html --- current.html31 Dec 2019 02:18:01 - 1.1017 +++ current.html14 Jan 2020 21:47:35 - 
@@ -136,6 +136,33 @@ or they can be rebuilt from ports. --> +2020/1/14 - iked(8) automatic IPv6 blocking removed + +https://man.openbsd.org/iked.8";>iked(8) no longer automatically +blocks unencrypted outbound IPv6 packets. +This feature was intended to avoid accidental leakage, but in practice was +found to mostly be a cause of misconfiguration. +The -6 flag was used to disable this feature but is now no longer +needed and should be removed from https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local +if used. + +Instead, if you would like to explicitly block these packets, add the following +line to https://man.openbsd.org/ipsec.conf.5";>/etc/ipsec.conf +(not iked.conf): + + +flow esp out from ::/0 to ::/0 type deny + + +and enable loading it with + + +# rcctl enable ipsec # to load at boot +# ipsecctl -f /etc/ipsec.conf # to load immediately + + +
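The migration the FAQ entry above describes (drop -6 from rc.conf.local, add the ipsec.conf deny flow, enable the ipsec rc script), written as a pre-upgrade check. This is an added example, not code from the thread or from OpenBSD; it assumes `rcctl enable ipsec` records `ipsec=YES` in rc.conf.local, takes both file paths as arguments, and the sample files it writes are constructed for the demonstration.

```shell
# Added example, not code from the thread or the OpenBSD tree: a pre-upgrade
# check for hosts affected by the iked(8) change.  It answers, from
# rc.conf.local(8) and ipsec.conf(5):
#   1. is iked still started with the now-ignored -6 flag?
#   2. if the host relied on the automatic block, does ipsec.conf carry the
#      replacement "flow esp out from ::/0 to ::/0 type deny", and is the
#      ipsec rc script enabled so it loads at boot?
# Assumption: "rcctl enable ipsec" records ipsec=YES in rc.conf.local.

# Value of iked_flags in an rc.conf.local file (last assignment wins, quotes dropped).
iked_flags_value() {
    sed -n 's/^[[:space:]]*iked_flags=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Return 0 when iked_flags contains -6, alone or bundled (e.g. -v6).
# Arguments of -D and -f are skipped so "-D6=x" does not count as -6.
iked_flags_has_6() {
    skip=0
    for tok in $(iked_flags_value "$1"); do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$tok" in
            -D|-f) skip=1 ;;        # argument follows as the next token
            -*)
                # drop an attached -D/-f argument before looking for 6
                short=$(printf '%s' "$tok" | sed 's/[Df].*//')
                case "$short" in *6*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Return 0 when ipsec.conf has the recommended IPv6 deny flow (comments ignored).
ipsec_conf_has_v6_deny() {
    sed 's/#.*//' "$1" | grep -Eq \
        '^[[:space:]]*flow([[:space:]]+esp)?[[:space:]]+out[[:space:]]+from[[:space:]]+::/0[[:space:]]+to[[:space:]]+::/0[[:space:]]+type[[:space:]]+deny[[:space:]]*$'
}

# Return 0 when the ipsec rc script is enabled (assumed ipsec=YES form).
ipsec_rc_enabled() {
    grep -Eq '^[[:space:]]*ipsec=YES[[:space:]]*$' "$1"
}

# Print findings; return 0 if nothing needs attention, 1 otherwise.
check_host() {
    rcfile=$1; conf=$2; status=0
    if iked_flags_has_6 "$rcfile"; then
        echo "iked_flags contains -6: the flag is now ignored, remove it from $rcfile"
        status=1
    elif ! ipsec_conf_has_v6_deny "$conf"; then
        echo "iked no longer blocks plain IPv6 and $conf has no ::/0 deny flow"
        status=1
    elif ! ipsec_rc_enabled "$rcfile"; then
        echo "deny flow present but ipsec is not enabled: run rcctl enable ipsec"
        status=1
    fi
    return $status
}

# Constructed sample files so the script runs stand-alone.
mk_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf 'iked_flags="-6 -v"\n' > "$SAMPLE_DIR/rc.old"          # still passes -6
    printf 'iked_flags=-v6\n' > "$SAMPLE_DIR/rc.bundled"           # -6 bundled with -v
    printf 'iked_flags="-D6=1 -v"\n' > "$SAMPLE_DIR/rc.macro"      # 6 only inside a -D argument
    printf 'iked_flags=\nipsec=YES\n' > "$SAMPLE_DIR/rc.new"       # migrated host
    printf '# keep blocking plain IPv6\nflow esp out from ::/0 to ::/0 type deny\n' \
        > "$SAMPLE_DIR/ipsec.conf"
    : > "$SAMPLE_DIR/ipsec.empty"
}

mk_samples
check_host "$SAMPLE_DIR/rc.old" "$SAMPLE_DIR/ipsec.conf"; echo "exit $?"
check_host "$SAMPLE_DIR/rc.new" "$SAMPLE_DIR/ipsec.empty"; echo "exit $?"
check_host "$SAMPLE_DIR/rc.new" "$SAMPLE_DIR/ipsec.conf"; echo "exit $?"
```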
Re: iked(8): get rid of IPv6 flow and -6 flag?
On Tue, Jan 14, 2020 at 09:03:04PM +0100, Tobias Heider wrote: > Makes sense. I added a warning and a notice in current.html. OK kn
Re: iked(8): get rid of IPv6 flow and -6 flag?
On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote: > Stuart Henderson wrote: > > > On 2020/01/13 20:51, Klemens Nanni wrote: > > > I'm in favour of removing the option and OK with your diff, but simply > > > removing it is probably a bad idea given its nature. > > > > > > What about printing a deprecation warning so that users can safely > > > adjust their rcctl flags instead of running into "iked(failed)" on the > > > next snapshot. > > > > Yes please make -6 a noop or a warning rather than an error. Sometimes > > breakage is unavoidable, but this isn't one of those cases. > > I agree. > Makes sense. I added a warning and a notice in current.html. ok? Index: www/faq/current.html === RCS file: /cvs/www/faq/current.html,v retrieving revision 1.1017 diff -u -p -r1.1017 current.html --- www/faq/current.html31 Dec 2019 02:18:01 - 1.1017 +++ www/faq/current.html14 Jan 2020 19:32:25 - @@ -135,6 +135,12 @@ or they can be rebuilt from ports. +2020/1/14 - iked(8) automatic IPv6 blocking removed + +https://man.openbsd.org/iked.8";>iked(8) no longer automatically adds +an IPv6 blocking IPsec flow. +The -6 option is deprecated and should be removed from +https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local.
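Review bot: the mail says a warning was added to iked(8), but the diff only carries the current.html hunk; include the iked.c change (the getopt `case '6'` turned into a log_warnx no-op) so the two can be reviewed together. In the hunk text, "no longer automatically adds an IPv6 blocking IPsec flow" tells readers what was removed but not how to keep the behaviour; since iked.conf cannot express manual flows (as noted earlier in the thread), point them to the equivalent deny flow in ipsec.conf(5).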
Re: iked(8): get rid of IPv6 flow and -6 flag?
On Jan 13, 2020, at 11:55 AM, Tobias Heider wrote: > > Hi, > > iked by default blocks all IPv6 traffic on a host unless any > of the configured policies use v6. This was originally meant > as a measure to prevent VPN leakage for people who did not > think of IPv6 when configuring IPsec. With the -6 flag > set, iked does not install this IPv6 blocking flow. > > I think we should discuss whether we can remove the flow > (and the -6 flag) as I constantly hear people complaining > that it broke their setups and I don't think anyone > expects some seemingly unrelated program breaking IPv6. Ah, THAT's why iked nuked IPv6 on my router when I enabled it. I am strongly in favor of this proposal, with the subsequent recommendations to make it a warning instead of an error. - Dave
Re: iked(8): get rid of IPv6 flow and -6 flag?
Stuart Henderson wrote: > On 2020/01/13 20:51, Klemens Nanni wrote: > > I'm in favour of removing the option and OK with your diff, but simply > > removing it is probably a bad idea given its nature. > > > > What about printing a deprecation warning so that users can safely > > adjust their rcctl flags instead of running into "iked(failed)" on the > > next snapshot. > > Yes please make -6 a noop or a warning rather than an error. Sometimes > breakage is unavoidable, but this isn't one of those cases. I agree.
Re: iked(8): get rid of IPv6 flow and -6 flag?
On 2020/01/13 23:31, Sebastian Benoit wrote: > Alexander Bluhm(alexander.bl...@gmx.net) on 2020.01.13 18:19:31 +0100: > > On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote: > > > I think we should discuss whether we can remove the flow > > > (and the -6 flag) as I constantly hear people complaining > > > that it broke their setups and I don't think anyone > > > expects some seemingly unrelated program breaking IPv6. > > > > A missing -6 flag on the iked command line is a very unexpected > > way to break your IPv6 setup. So we should remove that. > > > > OK bluhm@ > > > > If there is demand for such a feature, we could create an option > > in the example/iked.conf that shows how to disable IPv6. > > And perhaps one to disable IPv4 for the IPv6 hipster :-) > > I'm ok with getting rid of it, but as kn@ suggests please with disable and > warning. Please add comment /* XXX remove during OpenBSD 6.7-current */ > A current.html note is needed. > I somehow doubt anybody will actually see a warning - is there a real need to schedule it for removal rather than just keep it indefinitely?
Re: iked(8): get rid of IPv6 flow and -6 flag?
Alexander Bluhm(alexander.bl...@gmx.net) on 2020.01.13 18:19:31 +0100: > On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote: > > I think we should discuss whether we can remove the flow > > (and the -6 flag) as I constantly hear people complaining > > that it broke their setups and I don't think anyone > > expects some seemingly unrelated program breaking IPv6. > > A missing -6 flag on the iked command line is a very unexpected > way to break your IPv6 setup. So we should remove that. > > OK bluhm@ > > If there is demand for such a feature, we could create an option > in the example/iked.conf that shows how to disable IPv6. > And perhaps one to disable IPv4 for the IPv6 hipster :-) I'm ok with getting rid of it, but as kn@ suggests please with disable and warning. Please add comment /* XXX remove during OpenBSD 6.7-current */ A current.html note is needed.
Re: iked(8): get rid of IPv6 flow and -6 flag?
On 2020/01/13 18:19, Alexander Bluhm wrote: > On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote: > > I think we should discuss whether we can remove the flow > > (and the -6 flag) as I constantly hear people complaining > > that it broke their setups and I don't think anyone > > expects some seemingly unrelated program breaking IPv6. > > A missing -6 flag on the iked command line is a very unexpected > way to break your IPv6 setup. So we should remove that. > > OK bluhm@ > > If there is demand for such a feature, we could create an option > in the example/iked.conf that shows how to disable IPv6. > And perhaps one to disable IPv4 for the IPv6 hipster :-) It would need to be in ipsec.conf - iked.conf doesn't allow setting manual flows. On 2020/01/13 20:51, Klemens Nanni wrote: > I'm in favour of removing the option and OK with your diff, but simply > removing it is probably a bad idea given its nature. > > What about printing a deprecation warning so that users can safely > adjust their rcctl flags instead of running into "iked(failed)" on the > next snapshot. Yes please make -6 a noop or a warning rather than an error. Sometimes breakage is unavoidable, but this isn't one of those cases.
Re: iked(8): get rid of IPv6 flow and -6 flag?
We use the -6 option and I agree with deprecating it for one OpenBSD release instead. Especially now with sysupgrade(8), after upgrading our remote servers, our site-to-site VPN wouldn't come back up after upgrade. On Mon, Jan 13, 2020 at 12:58 PM Klemens Nanni wrote: > On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote: > > iked by default blocks all IPv6 traffic on a host unless any > > of the configured policies use v6. This was originally meant > > as a measure to prevent VPN leakage for people who did not > > think of IPv6 when configuring IPsec. With the -6 flag > > set, iked does not install this IPv6 blocking flow. > It is still considered a leakage prevention, although I doubt its > usefulness. > > > I think we should discuss whether we can remove the flow > > (and the -6 flag) as I constantly hear people complaining > > that it broke their setups and I don't think anyone > > expects some seemingly unrelated program breaking IPv6. > iked(8) is the only tool I know going completely counter-intuitive with > its `-6' option; I expect those to behave like in nc(1). > > I'm in favour of removing the option and OK with your diff, but simply > removing it is probably a bad idea given its nature. > > What about printing a deprecation warning so that users can safely > adjust their rcctl flags instead of running into "iked(failed)" on the > next snapshot.
Re: iked(8): get rid of IPv6 flow and -6 flag?
On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote: > iked by default blocks all IPv6 traffic on a host unless any > of the configured policies use v6. This was originally meant > as a measure to prevent VPN leakage for people who did not > think of IPv6 when configuring IPsec. With the -6 flag > set, iked does not install this IPv6 blocking flow. It is still considered a leakage prevention, although I doubt its usefulness. > I think we should discuss whether we can remove the flow > (and the -6 flag) as I constantly hear people complaining > that it broke their setups and I don't think anyone > expects some seemingly unrelated program breaking IPv6. iked(8) is the only tool I know going completely counter-intuitive with its `-6' option; I expect those to behave like in nc(1). I'm in favour of removing the option and OK with your diff, but simply removing it is probably a bad idea given its nature. What about printing a deprecation warning so that users can safely adjust their rcctl flags instead of running into "iked(failed)" on the next snapshot.
Re: iked(8): get rid of IPv6 flow and -6 flag?
On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote: > I think we should discuss whether we can remove the flow > (and the -6 flag) as I constantly hear people complaining > that it broke their setups and I don't think anyone > expects some seemingly unrelated program breaking IPv6. A missing -6 flag on the iked command line is a very unexpected way to break your IPv6 setup. So we should remove that. OK bluhm@ If there is demand for such a feature, we could create an option in the example/iked.conf that shows how to disable IPv6. And perhaps one to disable IPv4 for the IPv6 hipster :-) bluhm
iked(8): get rid of IPv6 flow and -6 flag?
Hi, iked by default blocks all IPv6 traffic on a host unless any of the configured policies use v6. This was originally meant as a measure to prevent VPN leakage for people who did not think of IPv6 when configuring IPsec. With the -6 flag set, iked does not install this IPv6 blocking flow. I think we should discuss whether we can remove the flow (and the -6 flag) as I constantly hear people complaining that it broke their setups and I don't think anyone expects some seemingly unrelated program breaking IPv6. diff --git a/sbin/iked/iked.8 b/sbin/iked/iked.8 index f715db47afd..c7682500414 100644 --- a/sbin/iked/iked.8 +++ b/sbin/iked/iked.8 @@ -22,7 +22,7 @@ .Nd Internet Key Exchange version 2 (IKEv2) daemon .Sh SYNOPSIS .Nm iked -.Op Fl 6dnSTtv +.Op Fl dnSTtv .Op Fl D Ar macro Ns = Ns Ar value .Op Fl f Ar file .Sh DESCRIPTION @@ -55,14 +55,6 @@ infrastructure. .Pp The options are as follows: .Bl -tag -width Ds -.It Fl 6 -Disable automatic blocking of IPv6 traffic. -By default, -.Nm -blocks any IPv6 traffic unless a flow for this address family has been -negotiated. -This option disables VPN traffic leakage prevention on dual stack hosts -(RFC 7359). .It Fl D Ar macro Ns = Ns Ar value Define .Ar macro diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c index 6714e0b2088..bc0b8109651 100644 --- a/sbin/iked/iked.c +++ b/sbin/iked/iked.c @@ -56,7 +56,7 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s [-6dnSTtv] [-D macro=value] " + fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] " "[-f file]\n", __progname); exit(1); } @@ -73,11 +73,8 @@ main(int argc, char *argv[]) log_init(1, LOG_DAEMON); - while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { + while ((c = getopt(argc, argv, "dD:nf:vSTt")) != -1) { switch (c) { - case '6': - opts |= IKED_OPT_NOIPV6BLOCKING; - break; case 'd': debug++; break; diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index 897669ac625..5a071a43f75 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h 
@@ -950,7 +950,6 @@ int eap_parse(struct iked *, struct iked_sa *, void *, int); int pfkey_couple(int, struct iked_sas *, int); int pfkey_flow_add(int fd, struct iked_flow *); int pfkey_flow_delete(int fd, struct iked_flow *); -int pfkey_block(int, int, unsigned int); int pfkey_sa_init(int, struct iked_childsa *, uint32_t *); int pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *); int pfkey_sa_update_addresses(int, struct iked_childsa *); diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c index b9f90687784..de8055c6863 100644 --- a/sbin/iked/pfkey.c +++ b/sbin/iked/pfkey.c @@ -50,9 +50,7 @@ static uint32_t sadb_msg_seq = 0; static unsigned int sadb_decoupled = 0; -static unsigned int sadb_ipv6refcnt = 0; -static int pfkey_blockipv6 = 0; static struct event pfkey_timer_ev; static struct timeval pfkey_timer_tv; @@ -1259,12 +1257,6 @@ pfkey_flow_add(int fd, struct iked_flow *flow) flow->flow_loaded = 1; - if (flow->flow_dst.addr_af == AF_INET6) { - sadb_ipv6refcnt++; - if (sadb_ipv6refcnt == 1) - return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW)); - } - return (0); } 
@@ -1284,42 +1276,6 @@ pfkey_flow_delete(int fd, struct iked_flow *flow) flow->flow_loaded = 0; - if (flow->flow_dst.addr_af == AF_INET6) { - sadb_ipv6refcnt--; - if (sadb_ipv6refcnt == 0) - return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)); - } - - return (0); -} - -int -pfkey_block(int fd, int af, unsigned int action) -{ - struct iked_flow flow; - - if (!pfkey_blockipv6) - return (0); - - /* -* Prevent VPN traffic leakages in dual-stack hosts/networks. -* https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. -* We forcibly block IPv6 traffic unless it is used in any of -* the flows by tracking a sadb_ipv6refcnt reference counter. -*/ - bzero(&flow, sizeof(flow)); - flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af; - flow.flow_src.addr_net = 1; - socket_af((struct sockaddr *)&flow.flow_src.addr, 0); - flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af; - flow.flow_dst.addr_net = 1; - socket_af((struct sockaddr *)&flow.flow_dst.addr, 0); - flow.flow_type = SADB_X_FLOW_TYPE_DENY; - flow.flow_dir = IPSP_DIRECTION_OUT; - - if (pfkey_flow(fd, 0, action, &flow) == -1) - return (-1); - return (0); } @@ -1550,14 +1506,6 @@ pfkey_init(struct iked *env, int fd) if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) fatal("pfkey_init: failed to set up AH acquires"); -
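Review bot: in the iked.c getopt hunk, deleting `case '6'` together with the '6' in the option string means an existing `iked_flags=-6` in rc.conf.local makes getopt fall into the default case and usage() exit(1), so the daemon fails to start on the first boot after upgrading. Keep '6' in the option string as a no-op that emits a log_warnx() for one release before dropping it, which is where the rest of the thread lands.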
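Review bot: the iked.h hunk removes the pfkey_block() prototype, but no visible hunk removes the IKED_OPT_NOIPV6BLOCKING definition whose only setter (`opts |= IKED_OPT_NOIPV6BLOCKING` in iked.c) is deleted, and the pfkey.c hunk drops `static int pfkey_blockipv6` without showing the code in pfkey_init() that set it from that option (the last hunk is cut off here). Check that the full diff removes both, or the define survives as a dead flag and the build breaks on the orphaned assignment.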
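Review bot: the iked.8 hunk deletes the only mention of RFC 7359 and of dual-stack leakage prevention along with the -6 entry. A short CAVEATS note saying that iked no longer blocks IPv6 and pointing at a `type deny` flow in ipsec.conf(5) would preserve that guidance for administrators who relied on the old default.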