On 2020/01/14 21:03, Tobias Heider wrote:
> On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote:
> > Stuart Henderson <s...@spacehopper.org> wrote:
> > 
> > > On 2020/01/13 20:51, Klemens Nanni wrote:
> > > > I'm in favour of removing the option and OK with your diff, but simply
> > > > removing it is probably a bad idea given its nature.
> > > > 
> > > > What about printing a deprecation warning so that users can safely
> > > > adjust their rcctl flags instead of running into "iked(failed)" on the
> > > > next snapshot.
> > > 
> > > Yes please make -6 a noop or a warning rather than an error. Sometimes
> > > breakage is unavoidable, but this isn't one of those cases.
> > 
> > I agree.
> > 
> 
> Makes sense. I added a warning and a notice in current.html.
> 
> ok?
> 
> Index: www/faq/current.html
> ===================================================================
> RCS file: /cvs/www/faq/current.html,v
> retrieving revision 1.1017
> diff -u -p -r1.1017 current.html
> --- www/faq/current.html	31 Dec 2019 02:18:01 -0000	1.1017
> +++ www/faq/current.html	14 Jan 2020 19:32:25 -0000
> @@ -135,6 +135,12 @@ or they can be rebuilt from ports.
>  </b><!--
>  --></pre>
>  
> +<h3 id="r20200114">2020/1/14 - iked(8) automatic IPv6 blocking removed </h3>
> +
> +<a href="https://man.openbsd.org/iked.8">iked(8)</a> no longer automatically
> adds
> +an IPv6 blocking IPsec flow.
> +The <code>-6</code> option is deprecated and should be removed from
> +<a
> href="https://man.openbsd.org/rc.conf.local.8"><code>/etc/rc.conf.local</code></a>.
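Review bot: the added heading has a stray space before the closing tag, "removed </h3>"; drop it. The entry also tells users to remove -6 from /etc/rc.conf.local but offers no replacement for anyone who relied on the automatic IPv6 blocking flow, so those users silently lose the block on upgrade; an ipsec.conf(5) "flow ... type deny" line they can add by hand would close that gap.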
How about this?

Index: current.html
===================================================================
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1017
diff -u -p -r1.1017 current.html
--- current.html	31 Dec 2019 02:18:01 -0000	1.1017
+++ current.html	14 Jan 2020 21:47:35 -0000
@@ -136,6 +136,33 @@ or they can be rebuilt from ports.
 --></pre>
 
+<h3 id="r20200114">2020/1/14 - iked(8) automatic IPv6 blocking removed </h3>
+
+<a href="https://man.openbsd.org/iked.8">iked(8)</a> no longer automatically
+blocks unencrypted outbound IPv6 packets.
+This feature was intended to avoid accidental leakage, but in practice was
+found to mostly be a cause of misconfiguration.
+The <code>-6</code> flag was used to disable this feature but is now no longer
+needed and should be removed from <code><a
+href="https://man.openbsd.org/rc.conf.local.8">/etc/rc.conf.local</a></code>
+if used.<p>
+
+Instead, if you would like to explicitly block these packets, add the following
+line to <code><a href="https://man.openbsd.org/ipsec.conf.5">/etc/ipsec.conf</a></code>
+(<b>not</b> iked.conf):
+
+<pre class="cmdbox">
+<b>flow esp out from ::/0 to ::/0 type deny</b>
+</pre>
+
+and enable loading it with
+
+<pre class="cmdbox">
+# <b>rcctl enable ipsec</b>			# to load at boot
+# <b>ipsecctl -f /etc/ipsec.conf</b>		# to load immediately
+</pre>
+
+
 <!-- Two blank lines before new sections.
      New sentences start on new lines.

> 	while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
> 		switch (c) {
> 		case '6':
> -			opts |= IKED_OPT_NOIPV6BLOCKING;
> +			log_warnx("the -6 option is deprecated and will be "
> +			    "removed in the future.");

"deprecated" implies that it still works but you shouldn't use it any
more. Perhaps "ignored" or "no longer supported" instead?
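Review bot: the current.html hunk keeps the stray space before </h3> in "removed </h3>"; drop it. The text says -6 "is now no longer needed", but since iked(8) now prints a warning when it sees the flag, readers who still have it in their rcctl flags will meet that message without knowing it is harmless; one sentence saying that -6 is accepted and only produces a warning until it is removed would make the "should be removed ... if used" advice actionable.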
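Review bot: in the iked.c hunk, '6' stays in the getopt string so the flag still parses, and only the option switch is shown; make sure usage() and the -6 entry in iked.8 are updated in the same commit, and keep the log_warnx text consistent with whatever status the man page gives the flag (the "deprecated" versus "ignored" wording raised above), so that the message and the documentation do not disagree about whether -6 still does anything.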