From c2a3699e91d4276e652fabfb82cfce3b97b5ab4e Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Thu, 11 Apr 2024 23:14:32 -0700 Subject: [PATCH] Refuse to try configuring IPv6 if MTU is <1280 IPv6 requires a minimum MTU of 1280. If MTU is <1280, it appears that any-and-all IPv6-related configuration, including setting addresses and routes, will immediately fail on Linux, where iproute(8) gives very cryptic errors like: RTNETLINK answers: Invalid argument error This will prevent vpn-slice from completing a working setup even for IPv4. Rather than overlooking this problem or silently ignoring IPv6 configuration issues, we should *fail* when IPv6 configuration is requested but the MTU is too small, and request that the user add `--disable-ipv6` to the OpenConnect command line, which should prevent OpenConnect from requesting or providing any IPv6 configuration to vpn-slice. Ping #148.
---
vpn_slice/__main__.py | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/vpn_slice/__main__.py b/vpn_slice/__main__.py
index 7b90072..0884633 100755
--- a/vpn_slice/__main__.py
+++ b/vpn_slice/__main__.py
@@ -455,6 +455,14 @@ def parse_env(environ=os.environ): print("WARNING: IPv6 split network (CISCO_IPV6_SPLIT_%s_%d_{ADDR,MASKLEN}) %s/%d has host bits set, replacing with %s" % (pfx, n, ad, nml, net), file=stderr) env['split' + pfx.lower()].append(net) + # IPv6 requires a minimum MTU of 1280. + # If the link is configured with a too-small MTU, it appears that any-and-all IPv6-related + # configuration, including setting addresses and routes, will immediately fail on Linux, where + # iproute(8) gives very cryptic errors like "RTNETLINK answers: Invalid argument error", + # preventing vpn-slice from completing a working setup even for IPv4. + if env.mtu < 1280 and env.myaddr6: + raise RuntimeError(f"MTU of {env.mtu} is too small for IPv6 (minimum 1280). Invoke OpenConnect with --disable-ipv6 to configure for IPv4 only.") + return env # Parse command-line arguments and environment
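Review bot: The new guard `if env.mtu < 1280 and env.myaddr6:` evaluates the comparison first, so it depends on `env.mtu` always being an integer. If `parse_env` leaves `mtu` as `None` when the gateway supplies no MTU (the variable table is outside this hunk, so this is inferred), `None < 1280` raises `TypeError` on every run, including IPv4-only ones. Testing the address first and guarding the unset case avoids that: `if env.myaddr6 and env.mtu is not None and env.mtu < 1280:`. `parse_env` begins outside the hunk; if it also runs for disconnect-type reasons, it is worth confirming that raising here cannot skip teardown of routes and hosts entries that were set up earlier.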