authorYves-Alexis Perez <corsac@corsac.net>2012-07-02 17:41:54 +0200
committerYves-Alexis Perez <corsac@corsac.net>2012-07-02 17:41:54 +0200
commit5c7e1caa46b76e0b8c522a88dc65b892459d3468 (patch)
tree971c0c7c4b00d327c4f8177c931ca2df539865a9
parentce61456ba37dceee84389617b738e8fe15f565c4 (diff)
Fix IPv6 tunnel not working
-rw-r--r--debian/changelog3
-rw-r--r--debian/patches/04-Fixed-IPv6-source-address-lookup.patch106
-rw-r--r--debian/patches/series1
3 files changed, 110 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 0bb031fe6..f59636bc2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,9 @@ strongswan (4.6.4-5) UNRELEASED; urgency=low
so they are not installed in the wrong package. closes: #679745
* debian/po
- add turkish translation, thanks Atila KOÇ. closes: #659879
+ * debian/patches:
+ - 04-Fixed-IPv6-source-address-lookup added, backported from upstream.
+ Fix IPv6 tunnels, broken because of bad handling of source routing.
[ Laurent Bigonville ]
* Do not use multi-arch paths, this makes no sense as only one instance of
diff --git a/debian/patches/04-Fixed-IPv6-source-address-lookup.patch b/debian/patches/04-Fixed-IPv6-source-address-lookup.patch
new file mode 100644
index 000000000..91eac4094
--- /dev/null
+++ b/debian/patches/04-Fixed-IPv6-source-address-lookup.patch
@@ -0,0 +1,106 @@
+From 7beb31aae4e231f95366dc2ef83888e197bc693c Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 18 Jun 2012 12:01:10 +0200
+Subject: [PATCH] Fixed IPv6 source address lookup
+
+Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
+IPv6 routes we didn't use NLM_F_DUMP to get all routes.
+Still routes installed with policies are installed also for IPv6.
+So since only one route is returned without DUMP, and we ignore
+all routes from our own routing table, no source address was found
+during roaming if DST of the installed route included the IKE peer.
+
+With newer kernels we can now use DUMP as we did for IPv4 already,
+for older kernels we do so if our own routes are installed in a
+separate routing table, otherwise we still use GET.
+---
+ .../plugins/kernel_netlink/kernel_netlink_net.c | 48 ++++++++++++++++++--
+ 1 file changed, 43 insertions(+), 5 deletions(-)
+
+Index: strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+===================================================================
+--- strongswan.orig/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c 2012-06-28 21:16:07.000000000 +0200
++++ strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c 2012-07-02 17:10:51.224474221 +0200
+@@ -38,6 +38,7 @@
+ */
+
+ #include <sys/socket.h>
++#include <sys/utsname.h>
+ #include <linux/netlink.h>
+ #include <linux/rtnetlink.h>
+ #include <unistd.h>
+@@ -183,6 +184,11 @@
+ bool install_virtual_ip;
+
+ /**
++ * whether preferred source addresses can be specified for IPv6 routes
++ */
++ bool rta_prefsrc_for_ipv6;
++
++ /**
+ * list with routing tables to be excluded from route lookup
+ */
+ linked_list_t *rt_exclude;
+@@ -869,11 +875,11 @@
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST;
+- if (dest->get_family(dest) == AF_INET)
+- {
+- /* We dump all addresses for IPv4, as we want to ignore IPsec specific
+- * routes installed by us. But the kernel does not return source
+- * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
++ if (dest->get_family(dest) == AF_INET || this->rta_prefsrc_for_ipv6 ||
++ this->routing_table)
++ { /* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
++ * as we want to ignore routes with virtual IPs we cannot use DUMP
++ * if these routes are not installed in a separate table */
+ hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
+ }
+ hdr->nlmsg_type = RTM_GETROUTE;
+@@ -1443,6 +1449,36 @@
+ return this->socket->send_ack(this->socket, hdr);
+ }
+
++/**
++ * check for kernel features (currently only via version number)
++ */
++static void check_kernel_features(private_kernel_netlink_net_t *this)
++{
++ struct utsname utsname;
++ int a, b, c;
++
++ if (uname(&utsname) == 0)
++ {
++ switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c))
++ {
++ case 3:
++ if (a == 2)
++ {
++ DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
++ "RTA_PREFSRC for IPv6 routes", a, b, c);
++ break;
++ }
++ /* fall-through */
++ case 2:
++ /* only 3.x+ uses two part version numbers */
++ this->rta_prefsrc_for_ipv6 = TRUE;
++ break;
++ default:
++ break;
++ }
++ }
++}
++
+ METHOD(kernel_net_t, destroy, void,
+ private_kernel_netlink_net_t *this)
+ {
+@@ -1509,6 +1545,8 @@
+ );
+ timerclear(&this->last_roam);
+
++ check_kernel_features(this);
++
+ exclude = lib->settings->get_str(lib->settings,
+ "%s.ignore_routing_tables", NULL, hydra->daemon);
+ if (exclude)
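Review bot: In the switch inside check_kernel_features the feature decision hinges on the shape of the release string rather than on the major number: a release reporting only two components with major 2 (a trimmed vendor string, say) lands in `case 2` and sets rta_prefsrc_for_ipv6 to TRUE, and a three-component string with major 1 or 0 does the same via the fall-through. Since the property being tested is simply "3.0 or newer", deriving it from the major alone is shorter and safer: `if (sscanf(utsname.release, "%d.%d.%d", &a, &b, &c) >= 1) { this->rta_prefsrc_for_ipv6 = (a >= 3); }`, with the existing DBG2 message kept under `if (!this->rta_prefsrc_for_ipv6)`. When uname() fails or the string does not parse, the function stays silent and the IPv6 lookup falls back to RTM_GETROUTE without NLM_F_DUMP, so a DBG1 line on that path (`DBG1(DBG_KNL, "unable to determine kernel version, assuming no RTA_PREFSRC for IPv6");`) would save an operator a netlink trace when roaming breaks. A short comment above the function saying that the version check is a conservative proxy and that distribution kernels may have backported the feature would also help, though that backport possibility is an inference and not something this hunk shows.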
diff --git a/debian/patches/series b/debian/patches/series
index d4429019e..ff06f2f04 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
01_fix-manpages.patch
02_add-LICENSE.patch
03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
+04-Fixed-IPv6-source-address-lookup.patch