
openvpn: set_ipsec_bypass() doesn't work for IPV6 connections #3541

Merged: 1 commit, Oct 10, 2017

Conversation

pyhalov (Contributor) commented Oct 9, 2017

No description provided.

pyhalov (Contributor, Author) commented Oct 9, 2017

@danmcd, @gwr: please review.

xen0l approved these changes Oct 9, 2017
+ } else { /* AF_INET6 */
+ result = setsockopt(sock, IPPROTO_IPV6, IPV6_SEC_OPT, &ipsr, sizeof (ipsr));
+ }
+ if (result == -1) {
+ switch (errno) {
+ case EPROTONOSUPPORT:
+ dmsg (D_SOCKET_DEBUG, "Not using IPsec.");
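Review bot: the EPROTONOSUPPORT case message "Not using IPsec." understates what the kernel is reporting. As this thread establishes, setsockopt() with IP_SEC_OPT/IPV6_SEC_OPT returns EPROTONOSUPPORT when IPsec is not loaded, and that check runs before the privilege check, so "IPsec not loaded" is the accurate text. The same switch also needs a separate, non-ignorable path for EPERM (caller lacks the IP_CONFIG privilege): only EPROTONOSUPPORT is safe to swallow at debug level; EPERM should be reported as an error so a failed bypass is visible rather than silently skipped. Minor style point: `dmsg (D_SOCKET_DEBUG, ...)` has a space before the parenthesis while `setsockopt(sock, ...)` in the same hunk does not; pick one.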

danmcd (Contributor) Oct 9, 2017

"IPsec not loaded" is a more accurate description.

pyhalov (Author, Contributor) Oct 10, 2017

I have one more question... If I receive an EPROTONOSUPPORT error in a zone, but it works in the GZ, does this mean that the zone is missing some privileges?

pyhalov (Author, Contributor) Oct 10, 2017

Also, if it fails in a zone with EPROTONOSUPPORT, in the GZ when run as a regular user it will fail with EPERM (so tests will fail). The question is whether we should also handle this failure gracefully (I mean, ignore EPERM as we do with EPROTONOSUPPORT)?

danmcd (Contributor) Oct 10, 2017

A regular user needs the privilege IP_CONFIG to trigger policy bypasses. EPERM is not ignorable like EPROTONOSUPPORT is.

pyhalov (Author, Contributor) Oct 10, 2017

Yes, after `ipseckey flush` it fails differently: EPERM.

danmcd (Contributor) Oct 10, 2017

So clearly we do the is-loaded check BEFORE the privilege check. A regular user will need the IP_CONFIG privilege to bypass. (I thought openvpn needed this privilege anyway?!)

pyhalov (Author, Contributor) Oct 10, 2017

Well, at least the openvpn tests run without root privileges (without this patch). It can do simple client-server pings...

pyhalov (Contributor, Author) commented Oct 10, 2017

Now the only question is whether we are going to ignore the EPERM error, as we do for EPROTONOSUPPORT.

pyhalov force-pushed the pyhalov:openvpn branch from 3e2cc20 to 49ee841 Oct 10, 2017
pyhalov merged commit 98f9aef into OpenIndiana:oi/hipster Oct 10, 2017
pyhalov (Contributor, Author) commented Oct 10, 2017

With this patch applied, openvpn needs the IP_CONFIG privilege, so the test can fail with EPERM.
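As an added example (not code from this PR, from OpenVPN or from oi-userland), the following C wrapper sets the illumos IPsec policy-bypass socket option for both address families and classifies the outcome the way the thread above concludes: EPROTONOSUPPORT (IPsec not loaded; the kernel checks this before privilege) is harmless and may be ignored, while EPERM (the caller lacks IP_CONFIG) is a hard error. Assumptions: the option names IP_SEC_OPT and IPV6_SEC_OPT, the ipsec_req_t structure and IPSEC_PREF_NEVER are taken from illumos `<netinet/in.h>`; requesting IPSEC_PREF_NEVER for AH and ESP as the bypass request follows illumos convention and is my assumption about what the patch itself does; the `#else` branch for platforms without the option, the status enum and the function names are mine, not the project's.

```c
/* Added example, not OpenVPN or oi-userland code: IPsec policy bypass on
 * illumos for AF_INET and AF_INET6 sockets, with the errno classification
 * the PR thread settles on.  Option names, ipsec_req_t and IPSEC_PREF_NEVER
 * are from illumos <netinet/in.h> (assumption: PREF_NEVER is the bypass
 * request); on platforms without the option the call is compiled out. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

typedef enum {
    BYPASS_SET,              /* policy bypass installed on the socket */
    BYPASS_IPSEC_NOT_LOADED, /* EPROTONOSUPPORT: nothing to bypass, ignorable */
    BYPASS_NO_PRIVILEGE,     /* EPERM: IPsec loaded, caller lacks IP_CONFIG */
    BYPASS_UNSUPPORTED,      /* option does not exist on this platform */
    BYPASS_OTHER_ERROR       /* any other errno */
} bypass_status_t;

/* Map a setsockopt() result/errno pair to a status.  Taking the pair as
 * arguments lets the mapping be exercised without an IPsec-capable kernel. */
bypass_status_t classify_bypass_result(int result, int err)
{
    if (result == 0)
        return BYPASS_SET;
    switch (err) {
    case EPROTONOSUPPORT:  /* IPsec not loaded; checked before privilege */
        return BYPASS_IPSEC_NOT_LOADED;
    case EPERM:            /* IPsec loaded, but no IP_CONFIG privilege */
        return BYPASS_NO_PRIVILEGE;
    case ENOPROTOOPT:      /* kernel does not know the option at all */
        return BYPASS_UNSUPPORTED;
    default:
        return BYPASS_OTHER_ERROR;
    }
}

/* Only EPROTONOSUPPORT (and a platform without the option) may be ignored;
 * EPERM and anything else must be reported, per the thread's conclusion. */
int bypass_status_is_fatal(bypass_status_t st)
{
    return st == BYPASS_NO_PRIVILEGE || st == BYPASS_OTHER_ERROR;
}

/* Request that traffic on sock bypass IPsec policy.  af is AF_INET or
 * AF_INET6; the option level and name differ between the two families. */
bypass_status_t set_ipsec_bypass(int sock, int af)
{
#if defined(IP_SEC_OPT) && defined(IPV6_SEC_OPT)
    ipsec_req_t ipsr;
    int result;

    memset(&ipsr, 0, sizeof (ipsr));
    ipsr.ipsr_ah_req = IPSEC_PREF_NEVER;   /* assumption: bypass = PREF_NEVER */
    ipsr.ipsr_esp_req = IPSEC_PREF_NEVER;
    if (af == AF_INET)
        result = setsockopt(sock, IPPROTO_IP, IP_SEC_OPT, &ipsr, sizeof (ipsr));
    else
        result = setsockopt(sock, IPPROTO_IPV6, IPV6_SEC_OPT, &ipsr, sizeof (ipsr));
    return classify_bypass_result(result, result == -1 ? errno : 0);
#else
    (void)sock;
    (void)af;
    return BYPASS_UNSUPPORTED;
#endif
}

int main(void)
{
    int sock = socket(AF_INET6, SOCK_DGRAM, 0);
    bypass_status_t st;

    if (sock == -1) {
        perror("socket");
        return 1;
    }
    st = set_ipsec_bypass(sock, AF_INET6);
    printf("ipsec bypass status: %d (fatal=%d)\n", (int)st, bypass_status_is_fatal(st));
    close(sock);
    return bypass_status_is_fatal(st) ? 1 : 0;
}
```

On illumos, running this as root (or with the IP_CONFIG privilege) in the global zone should yield BYPASS_SET; as a regular user with IPsec loaded it yields BYPASS_NO_PRIVILEGE and the program exits non-zero, which is the behaviour the thread wants for EPERM; where IPsec is not loaded it yields BYPASS_IPSEC_NOT_LOADED and continues. On Linux or macOS the option does not exist, so the status is BYPASS_UNSUPPORTED.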
