
Mailing List Archive: vpnc: devel

IPv6 support in vpnc-script

 

 



dwmw2 at infradead

Nov 10, 2009, 5:05 PM

Post #1 of 6 (807 views)
Permalink
IPv6 support in vpnc-script

I've just added IPv6 support to OpenConnect, and hence to vpnc-script.

If anyone is planning to add IPv6 support to vpnc, feel free to shout if
you don't like the way I've done it. I don't really want vpnc and
openconnect to end up being incompatible in the way they invoke
vpnc-script.

For the IPv6 address, it assumes that it'll either be passed an address
in $INTERNAL_IP6_ADDRESS, or full address/mask in $INTERNAL_IP6_NETMASK.
It'll use the latter by preference.

Routes are handled just like the Legacy IP routes -- with
$CISCO_IPV6_SPLIT_INC giving the number of routes, and each route in
$CISCO_IPV6_SPLIT_INC_x_ADDR and $CISCO_IPV6_SPLIT_INC_x_NETMASKLEN.
We don't bother with the netmask -- it's just netmasklen.

I've left IPv6 nameservers in $INTERNAL_IP4_DNS for now, alongside the
Legacy IP nameservers. I could be persuaded to do it differently,
perhaps.

I haven't yet made it cope with the fact that the VPN gateway might be
on IPv6; it currently assumes that it'll be on Legacy IP.

Neither have I made it work on non-Linux; the IPv6 route handling
functions for non-iproute2 systems are just stubs for now.

diff --git a/vpnc-script b/vpnc-script
index 673e8a3..9faaf00 100755
--- a/vpnc-script
+++ b/vpnc-script
@@ -105,6 +105,13 @@ do_ifconfig() {
if [ -n "$INTERNAL_IP4_NETMASK" ]; then
set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN
fi
+
+ # If the netmask is provided, it contains the address _and_ netmask
+ if [ -n "$INTERNAL_IP6_NETMASK" -a -n "$IPROUTE" ]; then
+ $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
+ elif [ -n "$INTERNAL_IP6_ADDRESS" -a -n "$IPROUTE" ]; then
+ $IPROUTE -6 addr add $INTERNAL_IP6_ADDRESS/128 dev $TUNDEV
+ fi
}

destroy_tun_device() {
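Review bot: In the two `$IPROUTE -6 addr add` lines, `$INTERNAL_IP6_NETMASK`, `$INTERNAL_IP6_ADDRESS` and `$TUNDEV` are expanded unquoted, so a value containing whitespace is split into extra arguments to the `ip` command; these values are handed to the script in the environment, and the route helpers added later in this patch already quote `"$TUNDEV"`. Suggest `$IPROUTE -6 addr add "$INTERNAL_IP6_NETMASK" dev "$TUNDEV"` and the same quoting for the `/128` form. Both branches also require `-n "$IPROUTE"`, so without iproute2 the IPv6 address is silently never configured; a message on stderr in that case would make the gap visible.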
@@ -161,6 +168,31 @@ if [ -n "$IPROUTE" ]; then
$IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
$IPROUTE route flush cache
}
+
+ set_ipv6_default_route() {
+ # We don't save/restore IPv6 default route; just add a higher-priority one.
+ $IPROUTE -6 route add default dev "$TUNDEV" metric 1
+ $IPROUTE -6 route flush cache
+ }
+
+ set_ipv6_network_route() {
+ NETWORK="$1"
+ NETMASKLEN="$2"
+ $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+ $IPROUTE route flush cache
+ }
+
+ reset_ipv6_default_route() {
+ $IPROUTE -6 route del default dev "$TUNDEV"
+ $IPROUTE route flush cache
+ }
+
+ del_ipv6_network_route() {
+ NETWORK="$1"
+ NETMASKLEN="$2"
+ $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+ $IPROUTE -6 route flush cache
+ }
else # use route command
get_default_gw() {
# isn't -n supposed to give --numeric output?
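Review bot: `set_ipv6_network_route` and `reset_ipv6_default_route` end with `$IPROUTE route flush cache`, without `-6`, so they flush the Legacy IP route cache and leave the IPv6 one untouched, while `set_ipv6_default_route` and `del_ipv6_network_route` use `$IPROUTE -6 route flush cache`. Make all four use the `-6` form. Separately, `set_ipv6_default_route` uses `route add`, which fails if the same route is already present (for example when the script runs twice), whereas `set_ipv6_network_route` uses `route replace`; using `replace` in both would be consistent.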
@@ -213,6 +245,27 @@ else # use route command
NETMASKLEN="$3"
route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS"
}
+
+ set_ipv6_default_route() {
+ # FIXME
+ :
+ }
+
+ set_ipv6_network_route() {
+ # FIXME
+ :
+ }
+
+ reset_ipv6_default_route() {
+ # FIXME
+ :
+ }
+
+ del_ipv6_network_route() {
+ # FIXME
+ :
+ }
+
fi

# =========== resolv.conf handling ====================================
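Review bot: The four stubs in the `route`-command branch return success via `:` without doing anything, so on a system without iproute2 `do_connect` calls `set_ipv6_default_route` and carries on as if the route had been installed, leaving IPv6 traffic on its previous path outside the tunnel. Until they are implemented, have each stub print a warning to stderr (or return non-zero) so the missing routes are noticed, and expand `# FIXME` to say what needs implementing.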
@@ -467,11 +520,33 @@ do_connect() {
i=`expr $i + 1`
done
for i in $INTERNAL_IP4_DNS ; do
- set_network_route "$i" "255.255.255.255" "32"
+ if ! echo "$i" | grep -q : ; then
+ set_network_route "$i" "255.255.255.255" "32"
+ fi
done
- else
+ elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
set_default_route
fi
+ if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
+ if [ $NETMASKLEN -lt 128 ]; then
+ set_ipv6_network_route "$NETWORK" "$NETMASKLEN"
+ else
+ set_ipv6_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP4_DNS ; do
+ if echo "$i" | grep -q : ; then
+ set_ipv6_network_route "$i" "128"
+ fi
+ done
+ elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
+ set_ipv6_default_route
+ fi

if [ -n "$INTERNAL_IP4_DNS" ]; then
$MODIFYRESOLVCONF
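Review bot: In the `CISCO_IPV6_SPLIT_INC` loop, the `else` branch of `[ $NETMASKLEN -lt 128 ]` calls `set_ipv6_default_route`, so a split-include entry with a prefix length of 128 (a single host) sends all IPv6 traffic through the tunnel instead of adding one host route; if that is intended it needs a comment, otherwise pass every entry to `set_ipv6_network_route`. `$NETMASKLEN` and `$CISCO_IPV6_SPLIT_INC` are used unquoted and unvalidated inside `[ ... ]`, so an empty or non-numeric value makes the test error out and land in that same `else` branch; check that both are numeric before the loop acts on them. The variables read here end in `_MASKLEN`; a comment next to the loop naming the expected variables would document the interface callers have to match.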
@@ -500,6 +575,24 @@ do_disconnect() {
else
reset_default_route
fi
+ if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
+ i=0
+ while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
+ eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
+ eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
+ if [ $NETMASKLEN -eq 128 ]; then
+ del_ipv6_network_route "$NETWORK" "$NETMASKLEN"
+ else
+ reset_ipv6_default_route
+ fi
+ i=`expr $i + 1`
+ done
+ for i in $INTERNAL_IP6_DNS ; do
+ del_ipv6_network_route "$i" "128"
+ done
+ else
+ reset_ipv6_default_route
+ fi

del_vpngateway_route
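Review bot: The prefix-length test in the `do_disconnect` loop is `-eq 128` where `do_connect` used `-lt 128`, so the two are not mirror images: a route added with `set_ipv6_network_route` for a prefix shorter than 128 is never deleted, and `reset_ipv6_default_route` runs once per such entry instead. Use the same `-lt 128` test with `del_ipv6_network_route` in the first branch. The nameserver loop here reads `$INTERNAL_IP6_DNS`, while `do_connect` added the host routes from the colon-containing entries of `$INTERNAL_IP4_DNS`, so those routes are not removed unless the caller sets both variables. The final `else` also calls `reset_ipv6_default_route` unconditionally, whereas the connect side only set the route when `$INTERNAL_IP6_NETMASK` or `$INTERNAL_IP6_ADDRESS` was present; repeat that guard here.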



--
dwmw2

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


dcbw at redhat

Nov 12, 2009, 8:02 AM

Post #2 of 6 (752 views)
Permalink
Re: IPv6 support in vpnc-script [In reply to]

On Wed, 2009-11-11 at 01:05 +0000, David Woodhouse wrote:
> I've just added IPv6 support to OpenConnect, and hence to vpnc-script.
>
> If anyone is planning to add IPv6 support to vpnc, feel free to shout if
> you don't like the way I've done it. I don't really want vpnc and
> openconnect to end up being incompatible in the way they invoke
> vpnc-script.
>
> For the IPv6 address, it assumes that it'll either be passed an address
> in $INTERNAL_IP6_ADDRESS, or full address/mask in $INTERNAL_IP6_NETMASK.
> It'll use the latter by preference.
>
> Routes are handled just like the Legacy IP routes -- with
> $CISCO_IPV6_SPLIT_INC giving the number of routes, and each route in
> $CISCO_IPV6_SPLIT_INC_x_ADDR and $CISCO_IPV6_SPLIT_INC_x_NETMASKLEN.
> We don't bother with the netmask -- it's just netmasklen.
>
> I've left IPv6 nameservers in $INTERNAL_IP4_DNS for now, alongside the
> Legacy IP nameservers. I could be persuaded to do it differently,
> perhaps.

Would you mind splitting them out into $INTERNAL_IP6_DNS?

Dan

> I haven't yet made it cope with the fact that the VPN gateway might be
> on IPv6; it currently assumes that it'll be on Legacy IP.
>
> Neither have I made it work on non-Linux; the IPv6 route handling
> functions for non-iproute2 systems are just stubs for now.
>
> diff --git a/vpnc-script b/vpnc-script
> index 673e8a3..9faaf00 100755
> --- a/vpnc-script
> +++ b/vpnc-script
> @@ -105,6 +105,13 @@ do_ifconfig() {
> if [ -n "$INTERNAL_IP4_NETMASK" ]; then
> set_network_route $INTERNAL_IP4_NETADDR $INTERNAL_IP4_NETMASK $INTERNAL_IP4_NETMASKLEN
> fi
> +
> + # If the netmask is provided, it contains the address _and_ netmask
> + if [ -n "$INTERNAL_IP6_NETMASK" -a -n "$IPROUTE" ]; then
> + $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
> + elif [ -n "$INTERNAL_IP6_ADDRESS" -a -n "$IPROUTE" ]; then
> + $IPROUTE -6 addr add $INTERNAL_IP6_ADDRESS/128 dev $TUNDEV
> + fi
> }
>
> destroy_tun_device() {
> @@ -161,6 +168,31 @@ if [ -n "$IPROUTE" ]; then
> $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
> $IPROUTE route flush cache
> }
> +
> + set_ipv6_default_route() {
> + # We don't save/restore IPv6 default route; just add a higher-priority one.
> + $IPROUTE -6 route add default dev "$TUNDEV" metric 1
> + $IPROUTE -6 route flush cache
> + }
> +
> + set_ipv6_network_route() {
> + NETWORK="$1"
> + NETMASKLEN="$2"
> + $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
> + $IPROUTE route flush cache
> + }
> +
> + reset_ipv6_default_route() {
> + $IPROUTE -6 route del default dev "$TUNDEV"
> + $IPROUTE route flush cache
> + }
> +
> + del_ipv6_network_route() {
> + NETWORK="$1"
> + NETMASKLEN="$2"
> + $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
> + $IPROUTE -6 route flush cache
> + }
> else # use route command
> get_default_gw() {
> # isn't -n supposed to give --numeric output?
> @@ -213,6 +245,27 @@ else # use route command
> NETMASKLEN="$3"
> route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS"
> }
> +
> + set_ipv6_default_route() {
> + # FIXME
> + :
> + }
> +
> + set_ipv6_network_route() {
> + # FIXME
> + :
> + }
> +
> + reset_ipv6_default_route() {
> + # FIXME
> + :
> + }
> +
> + del_ipv6_network_route() {
> + # FIXME
> + :
> + }
> +
> fi
>
> # =========== resolv.conf handling ====================================
> @@ -467,11 +520,33 @@ do_connect() {
> i=`expr $i + 1`
> done
> for i in $INTERNAL_IP4_DNS ; do
> - set_network_route "$i" "255.255.255.255" "32"
> + if ! echo "$i" | grep -q : ; then
> + set_network_route "$i" "255.255.255.255" "32"
> + fi
> done
> - else
> + elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
> set_default_route
> fi
> + if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
> + i=0
> + while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
> + eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
> + eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
> + if [ $NETMASKLEN -lt 128 ]; then
> + set_ipv6_network_route "$NETWORK" "$NETMASKLEN"
> + else
> + set_ipv6_default_route
> + fi
> + i=`expr $i + 1`
> + done
> + for i in $INTERNAL_IP4_DNS ; do
> + if echo "$i" | grep -q : ; then
> + set_ipv6_network_route "$i" "128"
> + fi
> + done
> + elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
> + set_ipv6_default_route
> + fi
>
> if [ -n "$INTERNAL_IP4_DNS" ]; then
> $MODIFYRESOLVCONF
> @@ -500,6 +575,24 @@ do_disconnect() {
> else
> reset_default_route
> fi
> + if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
> + i=0
> + while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
> + eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
> + eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
> + if [ $NETMASKLEN -eq 128 ]; then
> + del_ipv6_network_route "$NETWORK" "$NETMASKLEN"
> + else
> + reset_ipv6_default_route
> + fi
> + i=`expr $i + 1`
> + done
> + for i in $INTERNAL_IP6_DNS ; do
> + del_ipv6_network_route "$i" "128"
> + done
> + else
> + reset_ipv6_default_route
> + fi
>
> del_vpngateway_route
>
>
>



dwmw2 at infradead

Nov 12, 2009, 8:10 AM

Post #3 of 6 (754 views)
Permalink
Re: IPv6 support in vpnc-script [In reply to]

On Thu, 2009-11-12 at 08:02 -0800, Dan Williams wrote:
> On Wed, 2009-11-11 at 01:05 +0000, David Woodhouse wrote:
> > I've just added IPv6 support to OpenConnect, and hence to vpnc-script.
> >
> > If anyone is planning to add IPv6 support to vpnc, feel free to shout if
> > you don't like the way I've done it. I don't really want vpnc and
> > openconnect to end up being incompatible in the way they invoke
> > vpnc-script.
> >
> > For the IPv6 address, it assumes that it'll either be passed an address
> > in $INTERNAL_IP6_ADDRESS, or full address/mask in $INTERNAL_IP6_NETMASK.
> > It'll use the latter by preference.
> >
> > Routes are handled just like the Legacy IP routes -- with
> > $CISCO_IPV6_SPLIT_INC giving the number of routes, and each route in
> > $CISCO_IPV6_SPLIT_INC_x_ADDR and $CISCO_IPV6_SPLIT_INC_x_NETMASKLEN.
> > We don't bother with the netmask -- it's just netmasklen.
> >
> > I've left IPv6 nameservers in $INTERNAL_IP4_DNS for now, alongside the
> > Legacy IP nameservers. I could be persuaded to do it differently,
> > perhaps.
>
> Would you mind splitting them out into $INTERNAL_IP6_DNS?

It's easy enough to do -- but why?

Do you really want to be told about them separately? When all you want
to do with them is put each one into a 'nameserver $XXXX' line
in /etc/resolv.conf, regardless of which address family it is.

--
dwmw2



dcbw at redhat

Nov 12, 2009, 8:58 AM

Post #4 of 6 (752 views)
Permalink
Re: IPv6 support in vpnc-script [In reply to]

On Thu, 2009-11-12 at 16:10 +0000, David Woodhouse wrote:
> On Thu, 2009-11-12 at 08:02 -0800, Dan Williams wrote:
> > On Wed, 2009-11-11 at 01:05 +0000, David Woodhouse wrote:
> > > I've just added IPv6 support to OpenConnect, and hence to vpnc-script.
> > >
> > > If anyone is planning to add IPv6 support to vpnc, feel free to shout if
> > > you don't like the way I've done it. I don't really want vpnc and
> > > openconnect to end up being incompatible in the way they invoke
> > > vpnc-script.
> > >
> > > For the IPv6 address, it assumes that it'll either be passed an address
> > > in $INTERNAL_IP6_ADDRESS, or full address/mask in $INTERNAL_IP6_NETMASK.
> > > It'll use the latter by preference.
> > >
> > > Routes are handled just like the Legacy IP routes -- with
> > > $CISCO_IPV6_SPLIT_INC giving the number of routes, and each route in
> > > $CISCO_IPV6_SPLIT_INC_x_ADDR and $CISCO_IPV6_SPLIT_INC_x_NETMASKLEN.
> > > We don't bother with the netmask -- it's just netmasklen.
> > >
> > > I've left IPv6 nameservers in $INTERNAL_IP4_DNS for now, alongside the
> > > Legacy IP nameservers. I could be persuaded to do it differently,
> > > perhaps.
> >
> > Would you mind splitting them out into $INTERNAL_IP6_DNS?
>
> It's easy enough to do -- but why?
>
> Do you really want to be told about them separately? When all you want
> to do with them is put each one into a 'nameserver $XXXX' line
> in /etc/resolv.conf, regardless of which address family it is.

Yes, since NM allows the user to override DNS servers on an IPv4 or IPv6
basis. In the end I can do some analysis on each element in the
INTERNAL_IP4_DNS array and figure out whether it's an IP6 or an IP4
nameserver and split them out that way, but that's more work for me :)

Dan
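
The per-element analysis described in the message above, as an added example that is not part of vpnc-script, OpenConnect or NetworkManager: it splits a mixed nameserver list by address family and sets aside anything that is not a plausible address before it could reach resolv.conf. The function names, the `DNS4`/`DNS6`/`DNS_REJECTED` variables and the sample list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from vpnc-script).

# Strict dotted-quad check: four decimal octets, each 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # safe: $1 holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Coarse IPv6 filter: only hex digits, ':' and '.', with at least two colons.
# This is a character-set check, not a full address parser; zone suffixes
# such as "%eth0" are rejected on purpose.
is_ipv6ish() {
    case "$1" in
        *[!0-9A-Fa-f:.]*) return 1 ;;
        *:*:*)            return 0 ;;
        *)                return 1 ;;
    esac
}

dns_family() {
    if is_ipv4 "$1"; then echo 4
    elif is_ipv6ish "$1"; then echo 6
    else echo bad
    fi
}

# Split a whitespace-separated list (as in $INTERNAL_IP4_DNS) into
# DNS4, DNS6 and DNS_REJECTED.
split_dns_by_family() {
    DNS4= DNS6= DNS_REJECTED=
    set -f                        # no glob expansion of untrusted entries
    for ns in $1; do
        case "$(dns_family "$ns")" in
            4) DNS4="${DNS4:+$DNS4 }$ns" ;;
            6) DNS6="${DNS6:+$DNS6 }$ns" ;;
            *) DNS_REJECTED="${DNS_REJECTED:+$DNS_REJECTED }$ns" ;;
        esac
    done
    set +f
}

# Constructed sample input (documentation address ranges).
split_dns_by_family "192.0.2.53 2001:db8::53 192.0.2.300 198.51.100.7 ns.example 2001:db8:1::35"
echo "IPv4:     $DNS4"
echo "IPv6:     $DNS6"
echo "rejected: $DNS_REJECTED"
```
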




dwmw2 at infradead

Nov 12, 2009, 9:09 AM

Post #5 of 6 (752 views)
Permalink
Re: IPv6 support in vpnc-script [In reply to]

On Thu, 2009-11-12 at 08:58 -0800, Dan Williams wrote:
> On Thu, 2009-11-12 at 16:10 +0000, David Woodhouse wrote:
> > On Thu, 2009-11-12 at 08:02 -0800, Dan Williams wrote:
> > > On Wed, 2009-11-11 at 01:05 +0000, David Woodhouse wrote:
> > > > I've just added IPv6 support to OpenConnect, and hence to vpnc-script.
> > > >
> > > > If anyone is planning to add IPv6 support to vpnc, feel free to shout if
> > > > you don't like the way I've done it. I don't really want vpnc and
> > > > openconnect to end up being incompatible in the way they invoke
> > > > vpnc-script.
> > > >
> > > > For the IPv6 address, it assumes that it'll either be passed an address
> > > > in $INTERNAL_IP6_ADDRESS, or full address/mask in $INTERNAL_IP6_NETMASK.
> > > > It'll use the latter by preference.
> > > >
> > > > Routes are handled just like the Legacy IP routes -- with
> > > > $CISCO_IPV6_SPLIT_INC giving the number of routes, and each route in
> > > > $CISCO_IPV6_SPLIT_INC_x_ADDR and $CISCO_IPV6_SPLIT_INC_x_NETMASKLEN.
> > > > We don't bother with the netmask -- it's just netmasklen.
> > > >
> > > > I've left IPv6 nameservers in $INTERNAL_IP4_DNS for now, alongside the
> > > > Legacy IP nameservers. I could be persuaded to do it differently,
> > > > perhaps.
> > >
> > > Would you mind splitting them out into $INTERNAL_IP6_DNS?
> >
> > It's easy enough to do -- but why?
> >
> > Do you really want to be told about them separately? When all you want
> > to do with them is put each one into a 'nameserver $XXXX' line
> > in /etc/resolv.conf, regardless of which address family it is.
>
> Yes, since NM allows the user to override DNS servers on an IPv4 or IPv6
> basis. In the end I can do some analysis on each element in the
> INTERNAL_IP4_DNS array and figure out whether it's an IP6 or an IP4
> nameserver and split them out that way, but that's more work for me :)

How about I just do that for you in the helper 'script' which passes
them back to NetworkManager by dbus?

--
dwmw2



dcbw at redhat

Nov 12, 2009, 9:37 AM

Post #6 of 6 (752 views)
Permalink
Re: IPv6 support in vpnc-script [In reply to]

On Thu, 2009-11-12 at 17:09 +0000, David Woodhouse wrote:
> On Thu, 2009-11-12 at 08:58 -0800, Dan Williams wrote:
> > On Thu, 2009-11-12 at 16:10 +0000, David Woodhouse wrote:
> > > On Thu, 2009-11-12 at 08:02 -0800, Dan Williams wrote:
> > > > On Wed, 2009-11-11 at 01:05 +0000, David Woodhouse wrote:
> > > > > I've just added IPv6 support to OpenConnect, and hence to vpnc-script.
> > > > >
> > > > > If anyone is planning to add IPv6 support to vpnc, feel free to shout if
> > > > > you don't like the way I've done it. I don't really want vpnc and
> > > > > openconnect to end up being incompatible in the way they invoke
> > > > > vpnc-script.
> > > > >
> > > > > For the IPv6 address, it assumes that it'll either be passed an address
> > > > > in $INTERNAL_IP6_ADDRESS, or full address/mask in $INTERNAL_IP6_NETMASK.
> > > > > It'll use the latter by preference.
> > > > >
> > > > > Routes are handled just like the Legacy IP routes -- with
> > > > > $CISCO_IPV6_SPLIT_INC giving the number of routes, and each route in
> > > > > $CISCO_IPV6_SPLIT_INC_x_ADDR and $CISCO_IPV6_SPLIT_INC_x_NETMASKLEN.
> > > > > We don't bother with the netmask -- it's just netmasklen.
> > > > >
> > > > > I've left IPv6 nameservers in $INTERNAL_IP4_DNS for now, alongside the
> > > > > Legacy IP nameservers. I could be persuaded to do it differently,
> > > > > perhaps.
> > > >
> > > > Would you mind splitting them out into $INTERNAL_IP6_DNS?
> > >
> > > It's easy enough to do -- but why?
> > >
> > > Do you really want to be told about them separately? When all you want
> > > to do with them is put each one into a 'nameserver $XXXX' line
> > > in /etc/resolv.conf, regardless of which address family it is.
> >
> > Yes, since NM allows the user to override DNS servers on an IPv4 or IPv6
> > basis. In the end I can do some analysis on each element in the
> > INTERNAL_IP4_DNS array and figure out whether it's an IP6 or an IP4
> > nameserver and split them out that way, but that's more work for me :)
>
> How about I just do that for you in the helper 'script' which passes
> them back to NetworkManager by dbus?

We can do that too obviously.

Dan

