Patch: make ipv6 in ipv4 and ipv6 in ipv6 tunnels work on (Net)BSD

Hello all,

since my uni's computing centre added inside ipv6 to their tunnel two
days ago I found that OpenConnect hat problems tearing down and
often, setting up the routes.

Three items I had to fix or enhance:

a) an ifconfig ... del ... somewhere. Correct syntax on all BSD's
   I've been in touch with over the last decades is ifconifg ... delete ...

b) route handling for the default route was not really there - it wasn't
   restored on shutting down the tunnel.

   I've done a ::/1 + 8000::1 instead of default (== ::/0) trick here,
   in concept what OpenVPN does for IPv4 (0.0.0.0/1 + 128.0.0.0/1)
   (has higher priority as more-specific than default due to the shorter
   mask, and is unlikely to be more specific than any real local route).

c) protection of the ipv6 transport route didn't work, as it implicitly
   assumed always going via ipv4.

   This wasn't a problem as long as the inner addresses were
   IPv4-only, but broke the tunnel once the effective ipv6 default
   route kicked in via the tunnel.

Regards,
	Ignatios Souvatzis

Signed-off-by: Ignatios Souvatzis <is@beverly.kleinbus.org>

diff --git a/vpnc-script b/vpnc-script
index 6b8aff46917dc71bcdbd3f1e6475b98e788f2e8f..af7e9411f451e0ba246a5c3f29d97f92694dccce 100755 (executable)
--- a/vpnc-script
+++ b/vpnc-script
@@ -388,7 +388,10 @@ else # use route command
                # Unlike with iproute2, there is no way to determine which current
                # route(s) match the VPN gateway, so we simply find a default
                # route and use its gateway.
-               route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
+               case "$VPNGATEWAY" in
+               *:*)    route add -inet6 -host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";;
+               *.*)    route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`";;
+               esac
        }
 
         set_vpngateway_route_attempt_reconnect() {
@@ -396,7 +399,10 @@ else # use route command
         }
 
        del_vpngateway_route() {
-               route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`"
+               case "$VPNGATEWAY" in
+               *:*)    route $route_syntax_del -inet6 -host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";;
+               *.*)    route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`";;
+               esac
        }
 
        set_default_route() {
@@ -460,8 +466,15 @@ else # use route command
                route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$NETGW"
        }
 
+       get_ipv6_default_gw() {
+               # isn't -n supposed to give --numeric output?
+               # apperently not...
+               netstat -r -n -f inet6 | awk '/^(default|::\/0)/ { print $2"%"$NF; }'
+       }
+
        set_ipv6_default_route() {
-               route add -inet6 default "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
+               route add -inet6 ::/1 "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
+               route add -inet6 8000::/1 "$INTERNAL_IP6_ADDRESS" $route_syntax_interface
        }
 
        set_ipv6_network_route() {
@@ -483,12 +496,13 @@ else # use route command
                # Add explicit route to keep traffic for this target separate
                # from tunnel. FIXME: We use default gateway - this is our best
                # guess in absence of "ip" command to query effective route.
-               route add -inet6 -net "$NETWORK/$NETMASK" "`get_default_gw`" $route_syntax_interface
+               route add -inet6 -net "$NETWORK/$NETMASK" "`get_ipv6_default_gw`" $route_syntax_interface
                :
        }
 
        reset_ipv6_default_route() {
-               route $route_syntax_del -inet6 default "$INTERNAL_IP6_ADDRESS"
+               route $route_syntax_del -inet6 ::/1 "$INTERNAL_IP6_ADDRESS" 
+               route $route_syntax_del -inet6 8000::/1 "$INTERNAL_IP6_ADDRESS"
                :
        }
 
@@ -1066,7 +1080,7 @@ do_disconnect() {
                        INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
                fi
                if [ -n "$INTERNAL_IP6_NETMASK" ]; then
-                       ifconfig "$TUNDEV" inet6 del $INTERNAL_IP6_NETMASK
+                       ifconfig "$TUNDEV" inet6 delete $INTERNAL_IP6_NETMASK
                fi
        fi