Hello all, since my uni's computing centre added inside ipv6 to their tunnel two days ago I found that OpenConnect hat problems tearing down and often, setting up the routes. Three items I had to fix or enhance: a) an ifconfig ... del ... somewhere. Correct syntax on all BSD's I've been in touch with over the last decades is ifconifg ... delete ... b) route handling for the default route was not really there - it wasn't restored on shutting down the tunnel. I've done a ::/1 + 8000::1 instead of default (== ::/0) trick here, in concept what OpenVPN does for IPv4 (0.0.0.0/1 + 128.0.0.0/1) (has higher priority as more-specific than default due to the shorter mask, and is unlikely to be more specific than any real local route). c) protection of the ipv6 transport route didn't work, as it implicitly assumed always going via ipv4. This wasn't a problem as long as the inner addresses were IPv4-only, but broke the tunnel once the effective ipv6 default route kicked in via the tunnel.
Regards, Ignatios Souvatzis
Signed-off-by: Ignatios Souvatzis <is@xxxxxxxxxxxxxxxxxxxx>
diff --git a/vpnc-script b/vpnc-script
index c21f479..77f88e1 100755
--- a/vpnc-script
+++ b/vpnc-script
@@ -354,11 +354,17 @@ else # use route command
 }
 set_vpngateway_route() {
- route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
+ case "$VPNGATEWAY" in
+ *:*) route add -inet6 -host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";;
+ *.*) route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`";;
+ esac
 }
 del_vpngateway_route() {
- route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
+ case "$VPNGATEWAY" in
+ *:*) route $route_syntax_del -inet6 -host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";;
+ *.*) route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`";;
+ esac
 }
 set_default_route() {
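Review bot: The new `case` in set_vpngateway_route has no default arm, so a `$VPNGATEWAY` value containing neither `:` nor `.` (a bare hostname, if that can reach this script) now adds no host route at all, whereas the old line always fell through to the IPv4 form; del_vpngateway_route has the same gap. Keeping the old behaviour as the fallback, `*) route add -host "$VPNGATEWAY" $route_syntax_gw "\`get_default_gw\`";;` (and the matching `$route_syntax_del` form in the delete function), preserves the transport-route protection in that case instead of silently dropping it. The add and delete functions also duplicate the whole family dispatch; a small helper that yields the `-inet6` flag and the gateway lookup once would keep the two from drifting apart. The enclosing `else # use route command` branch starts outside the hunk.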
@@ -422,8 +428,15 @@ else # use route command
 route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$NETGW"
 }
+ get_ipv6_default_gw() {
+ # isn't -n supposed to give --numeric output?
+ # apperently not...
+ netstat -r -n -f inet6 | awk '/^(default|::\/0)/ { print $2"%"$NF; }'
+ }
+
 set_ipv6_default_route() {
- route add -inet6 default "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
+ route add -inet6 ::/1 "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
+ route add -inet6 8000::/1 "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
 }
 set_ipv6_network_route() {
@@ -445,12 +458,13 @@ else # use route command
 # Add explicit route to keep traffic for this target separate
 # from tunnel. FIXME: We use default gateway - this is our best
 # guess in absence of "ip" command to query effective route.
- route add -inet6 -net "$NETWORK/$NETMASK" "`get_default_gw`" $route_syntax_interface
+ route add -inet6 -net "$NETWORK/$NETMASK" "`get_ipv6_default_gw`" $route_syntax_interface
 :
 }
 reset_ipv6_default_route() {
- route $route_syntax_del -inet6 default "$INTERNAL_IP6_ADDRESS"
+ route $route_syntax_del -inet6 ::/1 "$INTERNAL_IP6_ADDRESS"
+ route $route_syntax_del -inet6 8000::/1 "$INTERNAL_IP6_ADDRESS"
 :
 }
@@ -990,7 +1004,7 @@ do_disconnect() {
 INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
 fi
 if [ -n "$INTERNAL_IP6_NETMASK" ]; then
- ifconfig "$TUNDEV" inet6 del $INTERNAL_IP6_NETMASK
+ ifconfig "$TUNDEV" inet6 delete $INTERNAL_IP6_NETMASK
 fi
 fi
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
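Review bot: get_ipv6_default_gw prints one `gateway%ifname` line per matching netstat row and never stops after the first, so on a host with more than one IPv6 default entry (or one that prints both a `default` and a `::/0` line) the backtick substitution in set_vpngateway_route and in the `route add -inet6 -net` line of the following hunk expands to several words and route(8) receives stray arguments; `awk '/^(default|::\/0)/ { print $2"%"$NF; exit }'` returns only the first match. When no IPv6 default route exists the function prints nothing and those same callers pass an empty gateway string to route without checking for it, which was also true of the IPv4 path but is now more likely to be hit since IPv4-only hosts reach this code whenever the gateway address contains a colon. Appending `%$NF` unconditionally also yields a scoped form for global-scope gateways, and I am not certain every BSD route(8) accepts that for non-link-local addresses — worth confirming on the platforms the change was tested on. The two comment lines above the netstat pipeline pose a question rather than record what was observed, and `apperently` is a typo; something like `# netstat -n still prints the gateway with its scope suffix, which route(8) needs for link-local gateways` would tell the next reader why the %ifname is kept.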
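Review bot: `ifconfig ... inet6 delete` is the BSD spelling; as far as I know net-tools ifconfig on Linux accepts only `del`, so if this do_disconnect branch can also run on a Linux host without `ip` (the hunk does not show whether the surrounding code already restricts it to BSD), the change turns a working teardown into a usage error and the tunnel address is left configured. Guarding the keyword on the platform, or keeping `del` where the script is known to run under net-tools, avoids that regression. `$INTERNAL_IP6_NETMASK` on the changed line is also unquoted; `ifconfig "$TUNDEV" inet6 delete "$INTERNAL_IP6_NETMASK"` is the safer form even though the value is built by the script itself. do_disconnect starts and ends outside the hunk.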