Refuse to try configuring IPv6 if MTU is <1280
IPv6 requires a minimum MTU of 1280.

If MTU is <1280, it appears that any-and-all IPv6-related configuration,
including setting addresses and routes, will immediately fail on
Linux, where iproute(8) gives very cryptic errors like:

    RTNETLINK answers: Invalid argument error

This will prevent vpn-slice from completing a working setup even for IPv4.

Rather than overlooking this problem or silently ignoring IPv6 configuration
issues, we should *fail* when IPv6 configuration is requested but the MTU is
too small, and request that the user add `--disable-ipv6` to the OpenConnect
command line, which should prevent OpenConnect from requesting or providing
any IPv6 configuration to vpn-slice.

Ping #148.
dlenski committed Apr 12, 2024
1 parent b0140e9 commit c890c22
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions vpn_slice/__main__.py
Expand Up @@ -455,6 +455,14 @@ def parse_env(environ=os.environ):
print("WARNING: IPv6 split network (CISCO_IPV6_SPLIT_%s_%d_{ADDR,MASKLEN}) %s/%d has host bits set, replacing with %s" % (pfx, n, ad, nml, net), file=stderr)
env['split' + pfx.lower()].append(net)

# If MTU is <1280, then IPv6 is not possible.
# Furthermore, it appears that any-and-all IPv6-related configuration will fail (at
# least on Linux, where iproute(8) gives very cryptic errors like
# "RTNETLINK answers: Invalid argument error"), preventing vpn-slice from completing
# a working setup even for IPv4.
if env.mtu < 1280 and (env.myaddr6 or any(r.version == 6 for r in env.splitinc)):
raise RuntimeError(f"MTU of {int(mtu)} is too small for IPv6 (minimum 1280). Invoke OpenConnect with --disable-ipv6 to configure for IPv4 only", file=stderr)

return env

# Parse command-line arguments and environment
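Review bot: On the `raise RuntimeError(...)` line, `file=stderr` is passed to the exception constructor rather than to a `print` call. `RuntimeError` accepts no keyword arguments, so when the MTU check triggers, this line raises a `TypeError` instead of showing the intended guidance about `--disable-ipv6`; drop the `file=stderr` argument. The f-string also formats `int(mtu)` while the condition tests `env.mtu`; unless a local `mtu` is defined earlier in `parse_env` (not visible in this hunk), the message should use `env.mtu`. It is also worth confirming that `env.mtu` is always numeric at this point, since `env.mtu < 1280` fails with a `TypeError` if the value can be `None` when no MTU is supplied.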