mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-11-27 11:43:51 +08:00
c55e9562d6
Add "ifconfig_ipv6_netbits_parm" parameter to init_tun(), use that to initialize tt->netbits_ipv6 (previously: always /64). Actual interface setup code already used tt->netbits_ipv6, so no changes needed there.

Remove restrictions on "/netbits" value for --server-ipv6 config option (can now be /64.../112, previously had to be exactly /64). Supporting even smaller networks could cause problems with ipv6-pool handling and are only allowed for explicit "ifconfig-ipv6", not for "server-ipv6".

Add /netbits to pushed "ifconfig-ipv6" values on server side (client side always accepted this, but ignored it so far, so this does not break compatibility).

Tested on Linux/ifconfig, Linux/iproute2 and FreeBSD 7.4

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
189 lines
6.6 KiB
Plaintext
TODO for IPv6 payload support
-----------------------------

1.) "--topology subnet" doesn't work together with IPv6 payload on FreeBSD
    (verified for FreeBSD server, Linux/ifconfig client, problems
    with ICMP6 neighbor solicitations from BSD not being answered by Linux)

2.) NetBSD IPv6 support doesn't work
    ("connected" route is not auto-created, "route-ipv6" adding fails)

    * fixed, 3.1.10 *

3.) route deletion for IPv6 routes is not yet done

    * fixed for configured routes, 3.1.10 *
    * missing for manual-ifconfig-connected (NetBSD, Darwin, Win32)

4.) do "ifconfig tun0 inet6 unplumb" or "ifconfig tun0 destroy" for
    Solaris, *BSD, ... at program termination time, to clean up leftovers
    (unless tunnel persistence is desired).

    For Solaris, only the "ipv6 tun0" is affected, for the *BSDs all tun0
    stay around.

4a.) deconfigure IPv6 on tun interface on session termination, otherwise
    one could end up with something like this (on NetBSD):

    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
            inet 10.9.0.18 -> 10.9.0.17 netmask 0xffffffff
            inet6 fe80::a00:20ff:fece:d299%tun0 -> prefixlen 64 scopeid 0x3
            inet6 2001:608:4:eff::2000:3 -> prefixlen 64
            inet6 2001:608:4:eff::1:3 -> prefixlen 64

    (pool was changed, previous address still active on tun0, breakage)

    * semi-fixed for NetBSD, 28.2.10, always do tun0 destroy / tun0 create
      before actual ifconfig -- tunnel still lingers after OpenVPN quits

4b.) verify this - on FreeBSD, tun0 is auto-destroyed if created by
    opening /dev/tun (and lingers if created by "ifconfig tun0 create")

    -> use for persistent tunnels on not-linux?

5.) add new option "ifconfig-ipv6-push"
    (per-client static IPv6 assignment, -> radiusplugin, etc)

    * implemented, 14.1.10 *

6.) add new option "route-ipv6-gateway"

7.) add "full" gateway handling for IPv6 in route.c
    (right now, the routes are just sent down the tun interface, if the
    operating system in question supports that, without care for the
    gateway address - which does not work for gateways that are supposed
    to point elsewhere. Also, it doesn't work for TAP interfaces.)

8.) full IPv6 support for TAP interfaces
    (main issue should be routes+gateway - and testing :-) )

    test 2010/09/24: TAP itself works on linux/ifconfig+iproute2, but
    route-via-tap doesn't work at all (route points to "tap0" which fails)

    17:51:14.075412 fe:ab:6e:c5:53:71 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2001:608:4:a053::1:0 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:608:4:a001::1, length 32

    how is iroute-via-tap supposed to work??

9.) verify that iroute-ipv6 and route-ipv6 interact in the same way as
    documented for iroute/route:

    A's subnet, OpenVPN must push this route to all clients
    EXCEPT for A, since the subnet is already owned by A.
    OpenVPN accomplishes this by
    not pushing a route to a client
    if it matches one of the client's iroutes.

10.) extend "ifconfig-ipv6" to handle specification of /netbits, pushing
    of /netbits, and correctly ifconfig'ing this
    (default, if not specified: /64)

    * done * 2012-02-03

11.) do not add ipv6-routes if tun-ipv6 is not set - complain instead

    * done * 12.1.10

12.) handle incoming [::] and [fe80:...] packets in tun-p2mp MULTI mode
    (most likely those are DAD packets)
    silently ignore DAD?
    Or accept-and-forward iff (multicast && client2client)?
    handle NS/NA

13.) from Martin List-Petersen:

    One thing, and I guess this requires modifications in
    network-manager-openvpn: It also works, BUT ignores "push
    route-ipv6-gateway" and "push route-ipv6 ...." (obviously routes pushed
    from the server) entirely.

14.) from ##openvpn-discussion:

    new features should be #ifdef'ed

    (check whether this is feasible at all)

15.) IPv6 related environment variables

    - document all of them in openvpn.8
    - make sure that all existing IPv4 stuff has IPv6 counterparts

16.) OpenBSD
    - implement ifconfig/route for IPv6
    - revert ifconfig/open_tun order to "normal" (separate commit!!!)
      (openvpn-devel, Subject: OpenBSD)
    - test

17.) client-option (Elwood)
    - ignore-v6-push-options yes/no
    - ignore-v6-route-push ("as for IPv4 routes")

18.) fail-safe? "what if 'ip -6 addr add' fails" -> fail, or fallback to v4?
    (-> recommend setting "ignore-v6-push-options yes")

19.) safety check: if connecting over IPv6 (v6 transport) and the pushed
    route-ipv6 network encompasses the server IPv6 address, make sure
    we at least log a warning (until we can fiddle with external routing
    to make this work correctly).

20.) show "route add" / "route delete" commands for IPv6 in log file
    (we show the "ifconfig" commands, so why not the routes?)

    2010-08-07: this is a null-feature - it's already there, but with
                different debug level (M_INFO vs. D_ROUTE) so user
                didn't notice

21.) enable ipv6-only server operations
    - decouple ipv6 pool handling from ipv4 pool
    - make sure rest of OpenVPN doesn't assume "there will always be IPv4"

22.) implement --learn-address for IPv6

23.) FreeBSD 8 seems to require explicit setting of the "ifconfig" IPv6
    route, while FreeBSD 6+7 don't --> more testing, and code fix

    workaround for the time being: just add

    server-ipv6 2001:608:4:a051::/64
    route-ipv6 2001:608:4:a051::/64

    to the config

    (problem + workaround applies both to tun and tap style devices)

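The safety check asked for in item 19, sketched as an added example (not OpenVPN code): a prefix match that tells whether a pushed route-ipv6 network would capture the server's own IPv6 transport address, so a warning can be logged. The function names are hypothetical and the addresses in the test calls are constructed from the sample prefixes used in this file.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* 1 if addr is inside net/bits, 0 if not (caller guarantees bits <= 128). */
static int ipv6_net_contains(const struct in6_addr *net, unsigned bits,
                             const struct in6_addr *addr)
{
    unsigned full = bits / 8, rest = bits % 8;

    if (memcmp(net->s6_addr, addr->s6_addr, full) != 0)
        return 0;
    if (rest) {
        /* compare only the leading 'rest' bits of the next byte */
        unsigned char mask = (unsigned char)(0xff << (8 - rest));
        if ((net->s6_addr[full] ^ addr->s6_addr[full]) & mask)
            return 0;
    }
    return 1;
}

/* Hypothetical helper (not an OpenVPN function): route is "prefix/bits" as
 * pushed via route-ipv6, server is the IPv6 transport address.
 * Returns 1 = route would capture the server address (log a warning),
 * 0 = it would not, -1 = unparsable input. */
int route_ipv6_covers_server(const char *route, const char *server)
{
    char buf[INET6_ADDRSTRLEN];
    struct in6_addr net, srv;
    unsigned long bits = 128;          /* no "/bits" means a host route */
    const char *slash = strchr(route, '/');
    size_t len = slash ? (size_t)(slash - route) : strlen(route);

    if (len >= sizeof(buf))
        return -1;
    memcpy(buf, route, len);
    buf[len] = '\0';
    if (slash) {
        char *end;
        bits = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits > 128)
            return -1;
    }
    if (inet_pton(AF_INET6, buf, &net) != 1
        || inet_pton(AF_INET6, server, &srv) != 1)
        return -1;
    return ipv6_net_contains(&net, (unsigned)bits, &srv);
}
```
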

TODO for IPv6 transport support
-------------------------------

[ Last updated: 11-Nov-2009. ]

  * All platforms:
    o mgmt console: as currently passes straight in_addr_t bits around

    o make possible to get AF from getaddrinfo() answer, ie allow openvpn to
      use ipv4/6 if DNS returns A/AAAA without specifying protocol.
      Hard: requires deep changes in initialization/calling logic

    o use AI_PASSIVE

    o the getaddr()/getaddr6() interface is not prepared for handling socktype
      "tagging", currently I abuse the sockflags bits for getting the ai_socktype
      downstream.

    o implement comparison for mapped addresses: server in dual stack
      listening IPv6 must permit incoming streams from allowed IPv4 peer,
      currently you need to pass eg: --remote ffff::1.2.3.4

    o do something with multi mode learn routes, for now just ignoring
      ipv6 addresses seems the most sensible thing to do, because there's
      no support for intra-tunnel ipv6 stuff.

  * win32:
    o find out about mapped addresses, as I can't make it work
      with bound at ::1 and connect to 127.0.0.1

  * N/A:
    o this is ipv6 *endpoint* support, so don't expect "ifconfig6"-like
      support in this patch
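
One way to do the mapped-address comparison listed under "All platforms", as an added example that is not part of this file or of OpenVPN: a peer seen on a dual-stack AF_INET6 socket is compared against an allowed peer configured in either IPv4 or IPv6 notation, treating the RFC 4291 IPv4-mapped form (::ffff:a.b.c.d) as the IPv4 host. The function name is hypothetical and the addresses in the test calls are constructed documentation addresses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Hypothetical helper (not an OpenVPN function).
 * peer_text:    source address as seen on a dual-stack AF_INET6 socket
 * allowed_text: configured peer, in IPv4 or IPv6 notation
 * Returns 1 = same host, 0 = different host, -1 = unparsable input. */
int peer_matches_allowed(const char *peer_text, const char *allowed_text)
{
    struct in6_addr peer, allowed6;
    struct in_addr allowed4;

    if (inet_pton(AF_INET6, peer_text, &peer) != 1)
        return -1;

    /* Allowed peer given as IPv6: plain 128-bit comparison. */
    if (inet_pton(AF_INET6, allowed_text, &allowed6) == 1)
        return memcmp(&peer, &allowed6, sizeof(peer)) == 0;

    if (inet_pton(AF_INET, allowed_text, &allowed4) != 1)
        return -1;

    /* Allowed peer given as IPv4: only an IPv4-mapped source can match.
     * The embedded IPv4 address is the last 4 bytes, already in network
     * byte order like allowed4.s_addr. The deprecated IPv4-compatible
     * form (::a.b.c.d) is deliberately not accepted. */
    if (!IN6_IS_ADDR_V4MAPPED(&peer))
        return 0;
    return memcmp(&peer.s6_addr[12], &allowed4.s_addr, 4) == 0;
}
```
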