On Tue, Jul 03, 2018 at 12:54:36PM +0100, Stuart Henderson wrote: > On 2018/07/03 13:42, Stefan Sperling wrote: > > On Tue, Jul 03, 2018 at 01:34:09PM +0200, David Dahlberg wrote: > > > Am Tuesday, den 03.07.2018, 13:29 +0200 schrieb Stefan Sperling: > > > > Not a bug. This behaviour is intentional and avoids VPN traffic > > > > leakage. > > > > See RFC 7359 and the iked(8) man page. Use the -6 option (risks > > > > leakage), > > > > > > Then sorry for the noise. I extensively seached for documentation of > > > this behaviour - apparently using the wrong keywords. > > > > > > Cheers, > > > David > > > > > > > I think the documentation could be improved. > > > > Would you be able to send a patch for the iked man page which > > explicitly mentions VPN traffic leakage and RFC 7359 (in the > > STANDARDS section, perhaps)? > > > > It would easily be missed if only looking at iked.conf(5), but iked(8) seems > reasonably clear? > > The options are as follows: > > -6 Disable automatic blocking of IPv6 traffic. By default, iked > blocks > any IPv6 traffic unless a flow for this address family has been > negotiated. This option is used to prevent VPN traffic leakages on > dual stack hosts. >
No, this is not good enough. That last sentence is rather misleading (-6 *allows* for leakage since it disables blocking). "RFC 7359" should be mentioned since it provides a wealth of context the man page cannot provide (to be fair, this RFC number wasn't yet available when this feature was first committed). It might also make sense to add a brief sentence in DESCRIPTION which already lists other related RFCs. If iked.conf doesn't mention this behaviour, it probably should. I'm only making a fuss because this is not the first time I have seen someone stumble over this as an "issue", and because it's a small task we can delegate and offer up as an opportunity for contributing a patch :)
