On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote:
> Stuart Henderson <s...@spacehopper.org> wrote:
> 
> > On 2020/01/13 20:51, Klemens Nanni wrote:
> > > I'm in favour of removing the option and OK with your diff, but simply
> > > removing it is probably a bad idea given its nature.
> > > 
> > > What about printing a deprecation warning so that users can safely
> > > adjust their rcctl flags instead of running into "iked(failed)" on the
> > > next snapshot.
> > 
> > Yes please make -6 a noop or a warning rather than an error. Sometimes
> > breakage is unavoidable, but this isn't one of those cases.
> 
> I agree.
> 

Makes sense. I added a warning and a notice in current.html.

ok?

Index: www/faq/current.html
===================================================================
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1017
diff -u -p -r1.1017 current.html
--- www/faq/current.html        31 Dec 2019 02:18:01 -0000      1.1017
+++ www/faq/current.html        14 Jan 2020 19:32:25 -0000
@@ -135,6 +135,12 @@ or they can be rebuilt from ports.
 </b><!--
 --></pre>
 
+<h3 id="r20200114">2020/1/14 - iked(8) automatic IPv6 blocking removed </h3>
+
+<a href="https://man.openbsd.org/iked.8";>iked(8)</a> no longer automatically 
adds
+an IPv6 blocking IPsec flow.
+The <code>-6</code> option is deprecated and should be removed from
+<a 
href="https://man.openbsd.org/rc.conf.local.8";><code>/etc/rc.conf.local</code></a>.
 
 <!--
      Two blank lines before new sections.
Index: src/sbin/iked/iked.8
===================================================================
RCS file: /cvs/src/sbin/iked/iked.8,v
retrieving revision 1.22
diff -u -p -r1.22 iked.8
--- src/sbin/iked/iked.8        27 Feb 2019 06:33:56 -0000      1.22
+++ src/sbin/iked/iked.8        14 Jan 2020 19:32:25 -0000
@@ -22,7 +22,7 @@
 .Nd Internet Key Exchange version 2 (IKEv2) daemon
 .Sh SYNOPSIS
 .Nm iked
-.Op Fl 6dnSTtv
+.Op Fl dnSTtv
 .Op Fl D Ar macro Ns = Ns Ar value
 .Op Fl f Ar file
 .Sh DESCRIPTION
@@ -55,14 +55,6 @@ infrastructure.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl 6
-Disable automatic blocking of IPv6 traffic.
-By default,
-.Nm
-blocks any IPv6 traffic unless a flow for this address family has been
-negotiated.
-This option disables VPN traffic leakage prevention on dual stack hosts
-(RFC 7359).
 .It Fl D Ar macro Ns = Ns Ar value
 Define
 .Ar macro
Index: src/sbin/iked/iked.c
===================================================================
RCS file: /cvs/src/sbin/iked/iked.c,v
retrieving revision 1.38
diff -u -p -r1.38 iked.c
--- src/sbin/iked/iked.c        30 Nov 2019 16:07:12 -0000      1.38
+++ src/sbin/iked/iked.c        14 Jan 2020 19:32:25 -0000
@@ -56,7 +56,7 @@ usage(void)
 {
        extern char     *__progname;
 
-       fprintf(stderr, "usage: %s [-6dnSTtv] [-D macro=value] "
+       fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] "
            "[-f file]\n", __progname);
        exit(1);
 }
@@ -76,7 +76,8 @@ main(int argc, char *argv[])
        while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
                switch (c) {
                case '6':
-                       opts |= IKED_OPT_NOIPV6BLOCKING;
+                       log_warnx("the -6 option is deprecated and will be "
+                           "removed in the future.");
                        break;
                case 'd':
                        debug++;
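Review bot: The new warning in the `case '6':` branch says the option is deprecated but not that it now does nothing, so an operator who still passes -6 cannot tell from the log whether the automatic IPv6 deny flow is still installed; a message such as `log_warnx("the -6 option is deprecated and has no effect: automatic IPv6 blocking has been removed");` would state the behaviour change as well as the deprecation. The `6` letter is kept in the getopt string on the line above the hunk, which is what makes the soft deprecation work, but a comment like `/* -6: accepted but ignored, remove after the deprecation period */` on the case label would keep a later reader from mistaking the leftover letter for live functionality. The enclosing main() starts and ends outside the hunk, so whether log_init() has already run when this log_warnx() is reached cannot be confirmed from here; if it has not, the warning may not reach the operator the way the other log output does.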
Index: src/sbin/iked/iked.h
===================================================================
RCS file: /cvs/src/sbin/iked/iked.h,v
retrieving revision 1.130
diff -u -p -r1.130 iked.h
--- src/sbin/iked/iked.h        7 Jan 2020 15:08:28 -0000       1.130
+++ src/sbin/iked/iked.h        14 Jan 2020 19:32:26 -0000
@@ -950,7 +950,6 @@ int  eap_parse(struct iked *, struct ike
 int     pfkey_couple(int, struct iked_sas *, int);
 int     pfkey_flow_add(int fd, struct iked_flow *);
 int     pfkey_flow_delete(int fd, struct iked_flow *);
-int     pfkey_block(int, int, unsigned int);
 int     pfkey_sa_init(int, struct iked_childsa *, uint32_t *);
 int     pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
 int     pfkey_sa_update_addresses(int, struct iked_childsa *);
Index: src/sbin/iked/pfkey.c
===================================================================
RCS file: /cvs/src/sbin/iked/pfkey.c,v
retrieving revision 1.62
diff -u -p -r1.62 pfkey.c
--- src/sbin/iked/pfkey.c       7 Jan 2020 15:08:28 -0000       1.62
+++ src/sbin/iked/pfkey.c       14 Jan 2020 19:32:26 -0000
@@ -50,9 +50,7 @@
 
 static uint32_t sadb_msg_seq = 0;
 static unsigned int sadb_decoupled = 0;
-static unsigned int sadb_ipv6refcnt = 0;
 
-static int pfkey_blockipv6 = 0;
 static struct event pfkey_timer_ev;
 static struct timeval pfkey_timer_tv;
 
@@ -1259,12 +1257,6 @@ pfkey_flow_add(int fd, struct iked_flow 
 
        flow->flow_loaded = 1;
 
-       if (flow->flow_dst.addr_af == AF_INET6) {
-               sadb_ipv6refcnt++;
-               if (sadb_ipv6refcnt == 1)
-                       return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW));
-       }
-
        return (0);
 }
 
@@ -1284,42 +1276,6 @@ pfkey_flow_delete(int fd, struct iked_fl
 
        flow->flow_loaded = 0;
 
-       if (flow->flow_dst.addr_af == AF_INET6) {
-               sadb_ipv6refcnt--;
-               if (sadb_ipv6refcnt == 0)
-                       return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW));
-       }
-
-       return (0);
-}
-
-int
-pfkey_block(int fd, int af, unsigned int action)
-{
-       struct iked_flow         flow;
-
-       if (!pfkey_blockipv6)
-               return (0);
-
-       /*
-        * Prevent VPN traffic leakages in dual-stack hosts/networks.
-        * https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
-        * We forcibly block IPv6 traffic unless it is used in any of
-        * the flows by tracking a sadb_ipv6refcnt reference counter.
-        */
-       bzero(&flow, sizeof(flow));
-       flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af;
-       flow.flow_src.addr_net = 1;
-       socket_af((struct sockaddr *)&flow.flow_src.addr, 0);
-       flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af;
-       flow.flow_dst.addr_net = 1;
-       socket_af((struct sockaddr *)&flow.flow_dst.addr, 0);
-       flow.flow_type = SADB_X_FLOW_TYPE_DENY;
-       flow.flow_dir = IPSP_DIRECTION_OUT;
-
-       if (pfkey_flow(fd, 0, action, &flow) == -1)
-               return (-1);
-
        return (0);
 }
 
@@ -1550,14 +1506,6 @@ pfkey_init(struct iked *env, int fd)
 
        if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL))
                fatal("pfkey_init: failed to set up AH acquires");
-
-       if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING)
-               return;
-
-       /* Block all IPv6 traffic by default */
-       pfkey_blockipv6 = 1;
-       if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW))
-               fatal("pfkey_init: failed to block IPv6 traffic");
 }
 
 void *
Index: src/sbin/iked/types.h
===================================================================
RCS file: /cvs/src/sbin/iked/types.h,v
retrieving revision 1.30
diff -u -p -r1.30 types.h
--- src/sbin/iked/types.h       11 May 2019 16:30:23 -0000      1.30
+++ src/sbin/iked/types.h       14 Jan 2020 19:32:26 -0000
@@ -49,7 +49,6 @@
 #define IKED_OPT_NONATT                0x00000004
 #define IKED_OPT_NATT          0x00000008
 #define IKED_OPT_PASSIVE       0x00000010
-#define IKED_OPT_NOIPV6BLOCKING        0x00000020
 
 #define IKED_IKE_PORT          500
 #define IKED_NATT_PORT         4500
