Thanks Bjørn! I have applied the patch to v4.6.3 of linux-stable and Juniper VPN works with the patch. Please let me know if I should test the patch applied to any other code revision.
Best,
Jonas

-------- Original Message --------
Subject: [PATCH v2 net] ipv6: addrconf: fix Juniper SSL VPN client regression
From: Bjørn Mork <bj...@mork.no>
To: netdev@vger.kernel.org
CC: Valdis Kletnieks <valdis.kletni...@vt.edu>, Jonas Lippuner <jo...@lippuner.ca>, Bjørn Mork <bj...@mork.no>, 吉藤英明 <hideaki.yoshif...@miraclelinux.com>
Date: 7/11/2016, 7:43:50 AM

> The Juniper SSL VPN client uses a "tun" interface and seems to
> be picky about visible changes to it. Commit cc9da6cc4f56
> ("ipv6: addrconf: use stable address generator for ARPHRD_NONE")
> made such interfaces get an auto-generated IPv6 link local address
> by default, similar to most other interface types. This made the
> Juniper SSL VPN client fail for unknown reasons.
>
> Fixing this regression by adding a new private netdevice flag
> which disables automatic IPv6 link local address generation, and
> making the flag default for "tun" devices.
>
> Setting an explicit addrgenmode will disable the flag, so userspace
> can choose to enable automatic LL generation by selecting a suitable
> addrgenmode.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=121131
> Fixes: cc9da6cc4f56 ("ipv6: addrconf: use stable address generator for
> ARPHRD_NONE")
> Reported-by: Valdis Kletnieks <valdis.kletni...@vt.edu>
> Reported-by: Jonas Lippuner <jo...@lippuner.ca>
> Suggested-by: Hannes Frederic Sowa <han...@stressinduktion.org>
> Cc: 吉藤英明 <hideaki.yoshif...@miraclelinux.com>
> Signed-off-by: Bjørn Mork <bj...@mork.no> > --- > v2 changes: > - added a netdevice private flag to suppress automatic IPv6 LL > - suppressing only for "tun" devices > > > So, something like this? It has the bonus that it can be used for *any* > type of device which does not want the automatic link local addresses. > Only enabled for "tun" for now, of course. > > Is it OK to unconditionally disable the suppression if the user sets an > addrgenmode? I find that to match *my* expectations, but I don't know > much about the ordinary user :) > > And finally, Valdis and Jonas: could you please test this version too? It > works for me in my simulated setup, but I don't have the Juniper client > so I cannot verify that it actually solves the problem. > > > Bjørn > > > drivers/net/tun.c | 4 ++++ > include/linux/netdevice.h | 4 ++++ > net/ipv6/addrconf.c | 7 +++++++ > 3 files changed, 15 insertions(+) > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > index e16487cc6a9a..6e7558f97013 100644 > --- a/drivers/net/tun.c > +++ b/drivers/net/tun.c > @@ -1073,6 +1073,10 @@ static void tun_net_init(struct net_device *dev) > /* Zero header length */ > dev->type = ARPHRD_NONE; > dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST; > + > + /* IPv6 LL address is known to break some applications */ > + dev->priv_flags |= IFF_SUPPRESS_AUTO_IPV6_LL; > + > break; > > case IFF_TAP: > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h > index f45929ce8157..d04ea7fcdaba 100644 > --- a/include/linux/netdevice.h > +++ b/include/linux/netdevice.h > @@ -1333,6 +1333,8 @@ struct net_device_ops { > * @IFF_PHONY_HEADROOM: the headroom value is controlled by an external > * entity (i.e. the master device for bridged veth) > * @IFF_MACSEC: device is a MACsec device > + * @IFF_SUPPRESS_AUTO_IPV6_LL: device will not get an automatic IPv6 > + * link local address > */ > enum netdev_priv_flags { > IFF_802_1Q_VLAN = 1<<0, 
> @@ -1363,6 +1365,7 @@ enum netdev_priv_flags { > IFF_RXFH_CONFIGURED = 1<<25, > IFF_PHONY_HEADROOM = 1<<26, > IFF_MACSEC = 1<<27, > + IFF_SUPPRESS_AUTO_IPV6_LL = 1<<28, > }; > > #define IFF_802_1Q_VLAN IFF_802_1Q_VLAN > @@ -1392,6 +1395,7 @@ enum netdev_priv_flags { > #define IFF_TEAM IFF_TEAM > #define IFF_RXFH_CONFIGURED IFF_RXFH_CONFIGURED > #define IFF_MACSEC IFF_MACSEC > +#define IFF_SUPPRESS_AUTO_IPV6_LL IFF_SUPPRESS_AUTO_IPV6_LL > > /** > * struct net_device - The DEVICE structure. > diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c > index 47f837a58e0a..331ea5ebff5f 100644 > --- a/net/ipv6/addrconf.c > +++ b/net/ipv6/addrconf.c > @@ -3113,6 +3113,10 @@ static void addrconf_dev_config(struct net_device *dev) > return; > } > > + /* this device does not want automatic IPv6 LLs */ > + if (dev->priv_flags & IFF_SUPPRESS_AUTO_IPV6_LL) > + return; > + > idev = addrconf_add_dev(dev); > if (IS_ERR(idev)) > return; > @@ -5104,6 +5108,9 @@ static int inet6_set_link_af(struct net_device *dev, > const struct nlattr *nla) > > idev->addr_gen_mode = mode; > err = 0; > + > + /* turn off suppression since user has requested addrgen */ > + dev->priv_flags &= ~IFF_SUPPRESS_AUTO_IPV6_LL; > } > > return err; > -- My email is signed and I encrypt email on request. To verify my signature or send me encrypted email, get my public key: http://lippuner.ca/key
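Review bot: In the drivers/net/tun.c hunk, the comment "IPv6 LL address is known to break some applications" does not say which application or why, so a later reader cannot tell when the workaround can be dropped. Suggest naming the Juniper SSL VPN client and the bugzilla link from the commit message in the comment. The flag is also set for every IFF_TUN device in tun_net_init(), so any tun user that has come to expect the link local address added by cc9da6cc4f56 loses it unless it sets an addrgenmode; the commit message should say so explicitly.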
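Review bot: The kernel-doc line for IFF_SUPPRESS_AUTO_IPV6_LL in include/linux/netdevice.h says only that the device "will not get an automatic IPv6 link local address", but the net/ipv6/addrconf.c part of this patch clears the flag whenever an addrgenmode is set. Suggest documenting that the flag is a default which userspace overrides by setting an addrgenmode, so driver authors do not treat it as a permanent property of the device.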
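Review bot: In the addrconf_dev_config() hunk the new return sits before idev = addrconf_add_dev(dev), so a flagged device skips the rest of the function, not only link local generation. If the intent is just to suppress the automatic address, as the flag name and kernel-doc say, consider placing the check after addrconf_add_dev(), or state in the comment that skipping it is intended.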
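Review bot: In the inet6_set_link_af() hunk the flag is cleared for any accepted mode, including IN6_ADDR_GEN_MODE_NONE, so the comment "user has requested addrgen" is not accurate in that case. The clear is also one-way: nothing in this patch sets the flag again, so suppression cannot be restored once any addrgenmode has been written. Either note that in the commit message or clear the flag only for modes that actually generate an address.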