authorArne Schwabe2018-12-03 17:48:18 +0100
committerGert Doering2018-12-04 21:01:15 +0100
commite11d2d14a9ef5311f791a9a614ab367c6f50ff11 (patch)
tree3ef63825794c0bea435c79136f14527db67bd933 /src/openvpn/forward.h
parent584b1717e7eaa8e44c675efb1f2dcbbaed2c0db3 (diff)
Implement block-ipv6
This can be used to redirect all IPv6 traffic to the tun interface, effectively black holing the IPv6 traffic. Without ICMPv6 error messages this will result in timeouts when the server does not send error codes. block-ipv6 allows client side only blocking on all platforms where OpenVPN supports IPv6. On Android it is the only way to do sensible IPv6 blocking on Android < 5.0 and broken devices (Samsung). PATCH V6: - Rebase on master and run uncrustify on the patch PATCH V5: - Fix even more style issues by Antonio - Remove check for dev == tun as this also works for tap PATCH V4: - Fix more style issues reported by Antonio - Clarify parts of the patch in comments and manpage PATCH V3: - Fix style issues reported by Antonio and accidentally committed parts - merge udp_checksum and ipv6_checkusm into common ip_checksum method - Use fake ff80::7 address when no other address is configured. - Make block-ipv6 also work for server by replying block-ipv6 to all ipv6 traffic sent to the server Note for the server the process_ip happens before the ipv6 route lookup so every ipv6 packet, regardless of its source address is replied to with a no route to host packet. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20181203164818.15756-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17977.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/forward.h')
-rw-r--r--src/openvpn/forward.h12
1 files changed, 7 insertions, 5 deletions
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 58b75d6..a791308 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -286,11 +286,13 @@ void process_outgoing_tun(struct context *c);
bool send_control_channel_string(struct context *c, const char *str, int msglevel);
-#define PIPV4_PASSTOS (1<<0)
-#define PIP_MSSFIX (1<<1) /* v4 and v6 */
-#define PIPV4_OUTGOING (1<<2)
-#define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
-#define PIPV4_CLIENT_NAT (1<<4)
+#define PIPV4_PASSTOS (1<<0)
+#define PIP_MSSFIX (1<<1) /* v4 and v6 */
+#define PIP_OUTGOING (1<<2)
+#define PIPV4_EXTRACT_DHCP_ROUTER (1<<3)
+#define PIPV4_CLIENT_NAT (1<<4)
+#define PIPV6_IMCP_NOHOST_CLIENT (1<<5)
+#define PIPV6_IMCP_NOHOST_SERVER (1<<6)
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
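Review bot: The two new flags on the last two `#define` lines spell the protocol as `IMCP`; since these names become the interface every caller of `process_ip_header()` uses, they should read `PIPV6_ICMP_NOHOST_CLIENT` and `PIPV6_ICMP_NOHOST_SERVER` before more code depends on the typo. Neither flag carries a comment, although both change the function from inspecting a packet to answering it; something like `/* client: answer tunnelled IPv6 with ICMPv6 no-route instead of forwarding */` and a matching server line would help. The server comment should also state what the commit message says, that the reply is generated before the IPv6 route lookup and therefore for any source address, so a reviewer knows to check how that reply traffic is bounded (not visible in this header). The renamed `PIP_OUTGOING` now presumably applies to both address families and could take the same `/* v4 and v6 */` marker as `PIP_MSSFIX`.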