Re: Fedora 10; openvpn plugin, treat tun devices as tap devices in relation to netmask (do not hardcode tun to /32)



On Mon, 2009-03-23 at 22:27 +0100, Ove Everlid wrote:
> Ove Everlid wrote:
> > Dan Williams wrote:
> >> On Mon, 2009-03-23 at 02:07 +0100, Ove Everlid wrote:
> >>> Hi!
> >>>
> >>> To connect to an OpenVPN server that uses tun-devices with a non /32 
> >>> netmask one needs this patch. I'm using NetworkManager under Fedora 10 
> >>> (same issues still exist in F11 alpha/rawhide).
> >>
> >> So you're 100% sure that the server is configured to use tun mode, and
> >> that it's sending a netmask, right?  The OpenVPN manpage indicates that
> >> 'ifconfig_netmask' is only used with TAP mode.  Is the manpage not
> >> correct?
> > 
> > Jonathan (CC) has contacted OpenVPN folks to have this verified directly 
> > from them.
> > The TUN interface has support for more features today, such as a non /32 
> > netmask and I would suspect the manual page is lagging.
> 
> 
> Attached is another basic patch that will use the ifconfig_netmask if it 
> exists in the env, if not, default to /32 netmask. This would cover the 
> case where an older version of openvpn is used and minimize the risk that 
> this patch will break anything due to an old version of openvpn.

Committed with a small cleanup; can you test and make sure current trunk
or 0.7 branches work for you?

Thanks!
Dan


> 
> Ove
> 
> 
> 
> > Ove
> > 
> >> Dan
> >>
> >>
> >>> The patch is the quick fix but the special treatment of tun/tap 
> >>> relative network mask can be removed.
> >>>
> >>> Question: will removing the tun /32 netmask hard coding cause other 
> >>> issues?
> >>>
> >>> Ove
> >>>
> >>>
> >>>
> >>> [root oehplap NetworkManager]# diff -c 
> >>> nm-openvpn-service-openvpn-helper.c 
> >>> nm-openvpn-service-openvpn-helper.c.fc10.orig
> >>> *** nm-openvpn-service-openvpn-helper.c    2009-03-22 
> >>> 22:13:35.227415799 +0100
> >>> --- nm-openvpn-service-openvpn-helper.c.fc10.orig    2009-01-28 
> >>> 18:38:30.000000000 +0100
> >>> ***************
> >>> *** 339,345 ****
> >>>         * TAP devices pass back the netmask, while TUN devices always 
> >>> use /32
> >>>         * since they are point-to-point.
> >>>         */
> >>> !     if (tapdev || 1) {
> >>>            tmp = getenv ("ifconfig_netmask");
> >>>            if (tmp && inet_pton (AF_INET, tmp, &temp_addr) > 0) {
> >>>                GValue *val;
> >>> --- 339,345 ----
> >>>         * TAP devices pass back the netmask, while TUN devices always 
> >>> use /32
> >>>         * since they are point-to-point.
> >>>         */
> >>> !     if (tapdev) {
> >>>            tmp = getenv ("ifconfig_netmask");
> >>>            if (tmp && inet_pton (AF_INET, tmp, &temp_addr) > 0) {
> >>>                GValue *val;
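Review bot: 'if (tapdev || 1)' is a constant-true condition, so the tapdev test is dead and the comment directly above it ("TUN devices always use /32 since they are point-to-point") no longer describes what the code does. Remove the condition and update the comment instead of short-circuiting it. The diff also has the modified file on the '***' side and the .fc10.orig file on the '---' side, so as posted it applies in reverse; regenerate it with the original file first.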
> >>> [root oehplap NetworkManager]#
> >>>
> >>>
> >>>
> >>
> > 
> > 
> 
> 
> plain text document attachment (tun-netmask.patch)
> --- nm-openvpn-service-openvpn-helper.c.fc10.orig       2009-01-28 18:38:30.000000000 +0100
> +++ nm-openvpn-service-openvpn-helper.c 2009-03-23 21:55:23.103127728 +0100
> @@ -338,19 +338,20 @@
>          *
>          * TAP devices pass back the netmask, while TUN devices always use /32
>          * since they are point-to-point.
> +        * FIX: 2009-03-23; recent versions of openvpn supports arbitrary netmasks for tun-devices. If a netmask env is present, use it.
>          */
> -       if (tapdev) {
> -               tmp = getenv ("ifconfig_netmask");
> -               if (tmp && inet_pton (AF_INET, tmp, &temp_addr) > 0) {
> -                       GValue *val;
> -
> -                       val = g_slice_new0 (GValue);
> -                       g_value_init (val, G_TYPE_UINT);
> -                       g_value_set_uint (val, nm_utils_ip4_netmask_to_prefix (temp_addr.s_addr));
> +       tmp = getenv ("ifconfig_netmask");
> +       if (tmp && inet_pton (AF_INET, tmp, &temp_addr) > 0) {
> +               /* Openvpn passed up a netmask, use it for the device in question */
> +               GValue *val;
>  
> -                       g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
> -               }
> -       } else {
> +               val = g_slice_new0 (GValue);
> +               g_value_init (val, G_TYPE_UINT);
> +               g_value_set_uint (val, nm_utils_ip4_netmask_to_prefix (temp_addr.s_addr));
> +
> +               g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
> +       } else  {
> +               /* No netmask passed up to helper, default to old behaviour of /32 */
>                 GValue *val;
>  
>                 val = g_slice_new0 (GValue);
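Review bot: the new else branch is reached for every device type whenever ifconfig_netmask is unset or fails inet_pton, so a TAP device that previously got no prefix inserted in that case now gets the /32 default, and the added comment "No netmask passed up to helper" does not cover the parse-failure case. If /32 is only meant as the TUN fallback, keep a tapdev check on the else branch, and log a warning when the variable is present but does not parse. The value comes from the environment and inet_pton accepts any dotted quad, including a non-contiguous mask, so consider checking that it is a valid netmask before passing it to nm_utils_ip4_netmask_to_prefix. The block comment still states that TUN devices always use /32 right above the FIX line; rewrite that sentence rather than appending a dated note, wrap the long line, and fix the double space in "} else  {".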


