new file mode 100644

@@ -0,0 +1,189 @@

+Do 31. Dez 15:32:40 CET 2009 Gert Doering

+

+  * Basic IPv6 p2mp functionality implemented

+

+  * new options:

+     - server-ipv6

+     - ifconfig-ipv6

+     - ifconfig-ipv6-pool

+     - route-ipv6

+     - iroute-ipv6

+

+  * modules touched:

+     - init.c: init & setup IPv6 route list & add/delete IPv6 routes

+     - tun.c: add "ifconfig" and "route" handling for IPv6

+     - multi.c: IPv6 ifconfig-pool assignments

+		put to route-hash table

+		push to client

+     - pool.c: extend pools to handle IPv4+IPv6, and also return IPv6 address

+	       IPv6 address saved to file if ifconfig-pool-persist is set

+	       (but ignored on read due to the way pools work)

+     - mroute.c: handle reading src/dst addresses from IPv6 packets

+		 (so multi.c can check against route-hash table)

+		 handle printing of IPv6 mroute_addr structure

+     - helper.c: implement "server-ipv6" macro (->ifconfig-ipv6, pool, ...)

+     - options.c: implement all the new options

+		  add helper functions for IPv6 address handling

+     - forward.c: tell do_route() about IPv6 routes

+     - route.c:   handle IPv6 route lists + route option lists

+		  extend add_routes() to do IPv4 + IPv6 route lists

+		  extend delete_routes() to do IPv4 + IPv6 route lists

+		  implement add_route_ipv6(), delete_route_ipv6() to call

+		  system-dependend external program to do the work

+     - push.c:    handle pushing of "ifconfig-ipv6" option

+     - socket.c:  helper function to check & print IPv6 address strings

+

+  * known issues:

+     - operating system support on all but Linux (ifconfig, route)

+     - route-ipv6 gateway handling

+     - iroute-ipv6 not implemented

+     - TAP support: ifconfig, routing (route needs gateway!)

+

+  * release as patch 20091231-1

+

+Thu Dec 31 17:02:08 CET 2009

+

+  * NetBSD port (NetBSD 3.1 on Sparc64)

+

+  * mroute.c, socket.c: make byte/word access to in6_addr more portable

+

+  * tun.c: fix IPv6 ifconfig arguments on NetBSD

+

+    still doesn't work on NetBSD 3.1, "ifconfig tun0 inet6..." errors with

+

+    ifconfig: SIOCAIFADDR: Address family not supported by protocol family

+

+    (sys/net/if_tun.c, needs to be revision 1.80 or later, NetBSD PR 32944,

+    included in NetBSD 4.0 and up)

+

+

+Fri Jan  1 14:07:15 CET 2010

+

+  * FreeBSD port (FreeBSD 6.3-p12 on i386)

+

+  * tun.c: implement IPv6 ifconfig setting for FreeBSD

+

+  * route.c: fix %s/%s argument to IPv6 route add/delete command for *BSD

+

+  * TEST SUCCESS: FreeBSD 6.3-p12, server-ipv6, route-ipv6, ccd/iroute-ipv6

+

+  * multi.c: implement setting and deleting of iroute-ipv6 

+             (multi_add_iroutes(), multi_del_iroutes())

+  * mroute.c: add mroute_helper_add_iroute6(), mroute_helper_del_iroute6()

+  * mroute.h: add prototypes, increase MR_HELPER_NET_LEN to 129 (/0.../128)

+  * multi.c: zeroize host part of IPv6 iroutes in multi_learn_in6_addr()

+  * mroute.c: implement mroute_addr_mask_host_bits() for IPv6

+

+  * TEST SUCCESS: Linux 2.6.30 (Gentoo)/iproute2, server-ipv6, ccd/iroute-ipv6

+

+  * TEST SUCCESS: Linux 2.6.30 (Gentoo)/ifconfig, client-ipv6

+

+  * TEST FAIL: NetBSD 5.0, IPv6 client

+     - "ifconfig tun0 .../64" does not create a "connected" route

+     - adding routes fails

+

+     --> more work to do here.

+

+  * release as patch 20100101-1

+

+  * TEST FAIL: 

+      FreeBSD 6.3-p12 server "--topology subnet"

+      Linux/ifconfig client

+    - BSD sends ICMP6 neighbor solicitations, which are ignored by Linux

+    - server tun interface is not in p2p mode, client tun interface *is*

+

+  * TEST SUCCESS: non-ipv6 enabled client -> "--server-ipv6" server

+    (warnings in the log file, but no malfunctions)

+

+

+Sat Jan  2 19:48:35 CET 2010

+

+  * tun.c: change "ipv6_support()", do not turn off tt->ipv6 unconditionally

+    if we don't know about OS IPv6 support - just log warning

+

+  * tun.c: implement "ifconfig inet6" setting for MacOS X / Darwin

+

+  * route.c: split *BSD system dependent part of add/delete_route_ipv6() 

+             into FreeBSD/Dragonfly and NetBSD/Darwin/OpenBSD variants 

+             ("2001:db8::/64" vs. "2001:db8:: --prefixlen 64").

+

+  * tun.c: on MacOS X, NetBSD and OpenBSD, explicitely set on-link route

+

+  * TEST SUCCESS: MacOS X, client-ipv6 with route-ipv6

+

+

+Sun Jan  3 10:55:31 CET 2010

+

+  * route.c: NetBSD fails with "-iface tun0", needs gateway address

+    (assume that the same syntax is needed for OpenBSD)

+

+  * route.h: introduce "remote_endpoint_ipv6" into "struct route_ipv6_list"

+

+  * init.c: pass "ifconfig_ipv6_remote" as gateway to init_route_ipv6_list()

+

+  * route.c: 

+    - init_route_ipv6(): use "remote_endpoint_ipv6" as IPv6 gateway address

+                         if no gateway was specified explicitely

+

+    - init_route_ipv6_list(): fill in "remote_endpoint_ipv6", if parseable

+

+    - get rid of "GATEWAY-LESS ROUTE6" warning

+

+  * route.c, add_route_ipv6()

+    - explicitely clear host bits of base address, to be able to more 

+      easily set up "connected" /64 routes on NetBSD+Darwin

+

+    - split system-dependent part between Darwin and NetBSD/OpenBSD

+      (Darwin can use "-iface tun0", NetBSD/OpenBSD get gateway address)

+

+    - change Solaris comments from "known-broken" to "unknown"

+

+  * tun.c: rework NetBSD tunnel initialization and tun_read() / tun_write()

+    to work the same way OpenBSD and NetBSD do - tunnel is put into 

+    "multi-af" mode, and all packet read/write activity is prepended by 

+    a 32 bit value specifying the address family.

+

+  * TEST SUCCESS: NetBSD 5.0/Sparc64: client-ipv6 with route-ipv6

+

+  * TEST SUCCESS: MacOS X 10.5: client-ipv6 with route-ipv6

+

+  * (RE-)TEST SUCCESS: Linux/iproute2: server-ipv6

+                       Linux/ifconfig: client-ipv6

+                       FreeBSD 6.3: server-ipv6

+

+  * release as patch 20100103-1

+

+  * options.c: document all new options in "--help"

+

+  * tun.c: fix typo in Solaris-specific section

+

+  * socket.h, socket.c: change u_int32_t to uint32_t 

+    (Solaris - and all the rest of the code uses "uintNN" anyway)

+

+Mon Jan  4 17:46:58 CET 2010

+

+  * socket.c: rework add_in6_addr() to use 32-bit access to struct in6_addr

+    (Solaris has no 16-bit values in union, but this is more elegant as well)

+

+  * tun.c: fix "ifconfig inet6" command for Solaris

+

+  * tun.c: make sure "tun0 inet6" is unplumbed first, cleanup leftovers

+

+  * route.c: add routes with "metric 0" on solaris, otherwise they just

+    don't work (someone who understands Solaris might want to fix this).

+

+  * Solaris "sort of" works now - ifconfig works, route add does not give

+    errors, "netstat -rn" looks right, but packets are discarded unless

+    the routes are installed with "metric 0".  So we just use "metric 0"...

+

+  * CAVEAT: Solaris "ifconfig ... preferred" interferes with source address

+    selection.  So if there are any active IPv6 interfaces configured with 

+    "preferred", packets leaving out the tunnel will use the wrong source

+    IPv6 address.  Not fixable from within OpenVPN.

+

+  * CAVEAT2: Solaris insists on doing DHCPv6 on tun0 interfaces by default,

+    so DHCPv6 solicitation packets will be seen.  Since the server end has

+    no idea what to do with them, they are a harmless nuisance.  Fixable

+    on the Solaris side via "ndpd.conf" (see ``man ifconfig'').

+

+  * release as patch 20100104-1

new file mode 100644

@@ -0,0 +1,180 @@

+TODO:

+

+ * tun.c -> init_tun()

+    [ifconfig-Parameter vorbereiten]

+

+    init.c -> do_open_tun() -> init.c::do_init_tun() -> tun.c::init_tun()

+			    -> do_ifconfig()

+

+ o tun.c -> do_ifconfig()

+    [ifconfig/ip aufrufen]

+

+    * Linux / ifconfig  

+    / Linux / iproute2  ** TESTEN **

+    o FreeBSD

+    / NetBSD ("needs patch", googlen) ** TESTEN **

+    / Solaris                         ** TESTEN **

+    o OpenBSD

+    o MacOS X

+

+ o tun.c (?) -> interface cleanup ("ip addr del dev tun0 ...")

+

+ o TAP mode und IPv6?  Fehlermeldung?

+    o einfach confen

+

+ o ifconfig_ipv6_remote -> kann eigentlich ersatzlos wegfallen

+   [tun.c, init.c, options.c, options.h]

+   o [kann nicht, braucht man als default-gateway auf Solaris :( ]

+

+ * push ifconfig-ipv6

+   push::send_push_reply() -> c->c2.push_ifconfig_local

+

+   ** wo wird das gesetzt? ** multi.c (und ggf. options.c / ifconfig-push)

+

+   o /netbits pushen (push.c) -> options.c "ifconfig-ipv6" muss auch

+     damit zurecht kommen, tut es derzeit aber nicht

+

+ * ifconfig_pool_write() -> IPv6 "wenn pool IPv6 hat"

+

+ * multi::multi_init() -> ifconfig_pool_init()

+   

+

+ * "route-ipv6"-Option und "push route-ipv6"

+   o "gateway" 

+   o "metric"

+   o "route-gateway-ipv6"-Option

+   o "ifconfig-ipv6-push"-Option

+      options.c -> options.push_ifconfig_...

+      multi.c 

+	mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;

+

+

+ o "server-ipv6"-Option

+

+   o options.c, add_option() -> wird fuer "lokale" und "push"-Options

+     aufgerufen

+     no_more_than_n_args()

+     struct options [options.h]

+

+   * add_route_to_option_list() 

+     [route.c -> add_route_ipv6_to_option_list]

+     [options.h -> options->routes_ipv6]

+

+     o was passiert danach damit?

+

+   * socket.c: ip_or_dns_addr_safe()

+     --> ipv6_addr_safe()

+     --> ipv6_addr_safe_hexplusbits()

+

+   * Makro?  helper.c -> helper_client_server()      ******

+     * Fehler, wenn options->mode != MODE_SERVER

+     * "tun-ipv6" auto-enablen

+

+   * if (options->tun_ipv6)

+		 msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server");

+     [options.c, 1710]

+     [raus]

+

+   o struct tuntap->ipv6 = true, wenn "ipv6" und "system kann das"

+   o Fehler, wenn System kein IPv6 kann

+     ("NetBSD needs patch" -> googlen)

+

+ o Adress-Allokation an Clients (/128 aus ifconfig-ipv6-pool /64 erstmal nur)

+   o hash aus Client-Key als host part?

+     (nein, wir nehmen einfach "den gleichen Offset wie bei IPv4" und

+     add_in6_addr())

+

+ o "iroute-ipv6"-Option

+ o "ifconfig-ipv6"

+ o "ifconfig-ipv6-pool"

+ o "ifconfig-pool-persist-ipv6"-Option

+

+ o was tut #define LINUX_IPV6?

+ o was tut bestehender Code mit "ipv6"?

+

+

+ o Routing-/Forwarding-Funktion

+   read_tun() --> ??

+   ?? --> write_tun() 

+

+   server-seite anzupassen]

+

+ o ICMP

+

+ o Optionen dokumentieren (-> berniv6)

+   o server-ipv6

+   o ifconfig-ipv6

+   o ifconfig-ipv6-pool

+   o ifconfig-pool-persist (v4+v6, Formataenderung im File)

+   o iroute-ipv6

+   o route-ipv6

+   o tun-ipv6

+

+   * http://www.greenie.net/ipv6/openvpn.html  - DONE

+   o man pages, --help

+

+ * options.c

+    - get_ip_addr() --> socket.c getaddr()

+    - openvpn_inet_aton -> OIA_IP "ist IP"

+

+ * options.c, show_p2mp_parms()

+

+ * socket.c, print_in_addr_t()  --> print_in6_addr()

+

+ o forward_compatible?

+

+ o ifconfig_ipv6_pool_persist --> einfach ifconfig_pool_persist mitbenutzen?

+   Entscheidung: JA

+   o to be implemented: pool.c

+

+ o route.c:

+    clone_route_option_list(), copy_route_option_list(),

+    new_route_list(), add_route(), init_route_list(), ...

+    add_routes(), delete_routes(), setenv_routes(), 

+

+    -> wo werden die aufgerufen, wofuer verwendet, IPv6-Anpassung?

+

+    * add_route() ruft "/sbin/route add..." auf

+    o div. (redirect gateway related) -> route.c::add_route3() -> add_route()

+    o init.c::do_route() -> route.c::add_routes() -> add_route()

+    o init.c::do_open_tun() -> do_route()

+    o forward.c::check_add_routes_action() -> do_route()

+    o init.c::do_open_tun() -> init.c::do_init_route_list() ->

+      route.c::init_route_list()

+    * init.c::do_open_tun() -> do_alloc_route_list() -> new_route_ipv6_list()

+

+ o add_route_ipv6() - implementieren und testen

+    * Linux / ifconfig  

+    * Linux / iproute2

+    i FreeBSD

+    i NetBSD ("needs patch", googlen)

+    i Solaris *braucht Gateway*

+    i OpenBSD

+    i MacOS X

+

+ o delete_route_ipv6() - implementieren und testen

+    * Linux / ifconfig  

+    * Linux / iproute2

+    i FreeBSD

+    i NetBSD ("needs patch", googlen)

+    i Solaris

+    i OpenBSD

+    i MacOS X

+

+   aus ifconfig-ipv6 $remote")

+

+ o IPv6 TCPMSS oder "fragmentation required"?

+    o IPv6 MTU auf Interface setzen?

+    o sysdep!

+

+

+TESTEN

+ * ipv6_addr_safe() [--ifconfig-ipv6 null/zu lang/invalid]

+ o ipv6_addr_safe_hexplusbits() [--route-ipv6 ...]

+ * get_ipv6_addr() [--server-ipv6 ...]

+

+ o unmodifizierter 2.1-client -> 2.1+ipv6-Server?

+ o unmodifizierter 2.0-client -> 2.1+ipv6-Server?

+ o wie kann der Server das erkennen, und "kein v6" schicken?

new file mode 100644

@@ -0,0 +1,8 @@

+This is an experimentally patched version of OpenVPN 2.1 with IPv6

+payload support.

+

+Go here for release notes and documentation:

+

+  http://www.greenie.net/ipv6/openvpn.html

+

+Gert Doering, 31.12.2009

new file mode 100644

@@ -0,0 +1,37 @@

+known issues for IPv6 payload support in OpenVPN

+-----------------------------------------------

+

+1.) "--topology subnet" doesn't work together with IPv6 payload

+    (verified for FreeBSD server, Linux/ifconfig client, problems 

+    with ICMP6 neighbor solicitations from BSD not being answered by Linux)

+

+2.) NetBSD IPv6 support doesn't work

+    ("connected" route is not auto-created, "route-ipv6" adding fails)

+

+    * fixed, 3.1.10 *

+

+3.) route deletion for IPv6 routes is not yet done

+

+    * fixed for configured routes, 3.1.10 *

+    * missing for manual-ifconfig-connected (NetBSD, Darwin)

+

+4.) do "ifconfig tun0 inet6 unplumb"  or "ifconfig tun0 destroy" for

+    Solaris, *BSD, ... at program termination time, to clean up leftovers

+    (unless tunnel persistance is desired).

+

+    For Solaris, only the "ipv6 tun0" is affected, for the *BSDs all tun0

+    stay around.

+

+5.) add new option "ifconfig-ipv6-push"

+    (per-client static IPv6 assignment, -> radiusplugin, etc)

+

+6.) add new option "route-ipv6-gateway"

+

+7.) add "full" gateway handling for IPv6 in route.c 

+    (right now, the routes are just sent down the tun interface, if the

+    operating system in questions supports that, without care for the

+    gateway address - which does not work for gateways that are supposed

+    to point elsewhere.  Also, it doesn't work for TAP interfaces.

+

+8.) full IPv6 support for TAP interfaces 

+    (main issue should be routes+gateway - and testing :-) )

@@ -259,7 +259,8 @@ send_control_channel_string (struct context *c, const char *str, int msglevel)

 static void

 check_add_routes_action (struct context *c, const bool errors)

 {

-  do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, c->c2.es);

+  do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,

+	    c->c1.tuntap, c->plugins, c->c2.es);

   update_time ();

   event_timeout_clear (&c->c2.route_wakeup);

   event_timeout_clear (&c->c2.route_wakeup_expire);

@@ -142,6 +142,55 @@ helper_client_server (struct options *o)

 #if P2MP

 #if P2MP_SERVER

+

+  /* 

+   *

+   * HELPER DIRECTIVE for IPv6

+   *

+   * server-ipv6 2001:db8::/64

+   *

+   * EXPANDS TO:

+   *

+   * tun-ipv6

+   * push "tun-ipv6"

+   * ifconfig-ipv6 2001:db8::1 2001:db8::2

+   * if !nopool: 

+   *   ifconfig-ipv6-pool 2001:db8::1:0/64

+   * 

+   */

+   if ( o->server_ipv6_defined )

+     {

+	if ( ! o->server_defined )

+	  {

+	    msg (M_USAGE, "--server-ipv6 must be used together with --server");

+	  }

+	if ( o->server_flags & SF_NOPOOL )

+	  {

+	    msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" );

+	  }

+	if ( o->ifconfig_ipv6_pool_defined )

+	  {

+	    msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");

+	  }

+

+        /* local ifconfig is "base address + 1" and "+2" */

+	o->ifconfig_ipv6_local = 

+		print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc );

+	o->ifconfig_ipv6_remote = 

+		print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc );

+

+	/* pool starts at "base address + 0x10000" */

+	ASSERT( o->server_netbits_ipv6 < 96 );		/* want 32 bits */

+	o->ifconfig_ipv6_pool_defined = true;

+	o->ifconfig_ipv6_pool_base = 

+		add_in6_addr( o->server_network_ipv6, 0x10000 );

+	o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;

+

+	o->tun_ipv6 = true;

+

+	push_option( o, "tun-ipv6", M_USAGE );

+     }

+

   /*

    *

    * HELPER DIRECTIVE:

@@ -1066,6 +1066,8 @@ do_alloc_route_list (struct context *c)

 {

   if (c->options.routes && !c->c1.route_list)

     c->c1.route_list = new_route_list (c->options.max_routes, &c->gc);

+  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)

+    c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc);

 }

@@ -1108,6 +1110,45 @@ do_init_route_list (const struct options *options,

     }

 }

+static void

+do_init_route_ipv6_list (const struct options *options,

+		    struct route_ipv6_list *route_ipv6_list,

+		    bool fatal,

+		    struct env_set *es)

+{

+  const char *gw = NULL;

+  int dev = dev_type_enum (options->dev, options->dev_type);

+  int metric = 0;

+

+  if (dev != DEV_TYPE_TUN )

+    msg( M_WARN, "IPv6 routes on TAP devices are going to fail on some platforms (need gateway spec)" );	/* TODO-GERT */

+

+  gw = options->ifconfig_ipv6_remote;		/* default GW = remote end */

+#if 0					/* not yet done for IPv6 - TODO!*/

+  if ( options->route_ipv6_default_gateway )		/* override? */

+    gw = options->route_ipv6_default_gateway;

+#endif

+

+  if (options->route_default_metric)

+    metric = options->route_default_metric;

+

+  if (!init_route_ipv6_list (route_ipv6_list,

+			options->routes_ipv6,

+			gw,

+			metric,

+			es))

+    {

+      if (fatal)

+	openvpn_exit (OPENVPN_EXIT_STATUS_ERROR);	/* exit point */

+    }

+  else

+    {

+      /* copy routes to environment */

+      setenv_routes_ipv6 (es, route_ipv6_list);

+    }

+}

+

+

 /*

  * Called after all initialization has been completed.

  */

@@ -1171,12 +1212,13 @@ initialization_sequence_completed (struct context *c, const unsigned int flags)

 void

 do_route (const struct options *options,

 	  struct route_list *route_list,

+	  struct route_ipv6_list *route_ipv6_list,

 	  const struct tuntap *tt,

 	  const struct plugin_list *plugins,

 	  struct env_set *es)

 {

-  if (!options->route_noexec && route_list)

-    add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es);

+  if (!options->route_noexec && ( route_list || route_ipv6_list ) )

+    add_routes (route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS (options), es);

   if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP))

     {

@@ -1233,6 +1275,8 @@ do_init_tun (struct context *c)

 			   c->options.topology,

 			   c->options.ifconfig_local,

 			   c->options.ifconfig_remote_netmask,

+			   c->options.ifconfig_ipv6_local,

+			   c->options.ifconfig_ipv6_remote,

 			   addr_host (&c->c1.link_socket_addr.local),

 			   addr_host (&c->c1.link_socket_addr.remote),

 			   !c->options.ifconfig_nowarn,

@@ -1269,6 +1313,8 @@ do_open_tun (struct context *c)

       /* parse and resolve the route option list */

       if (c->options.routes && c->c1.route_list && c->c2.link_socket)

 	do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es);

+      if (c->options.routes_ipv6 && c->c1.route_ipv6_list )

+	do_init_route_ipv6_list (&c->options, c->c1.route_ipv6_list, false, c->c2.es);

       /* do ifconfig */

       if (!c->options.ifconfig_noexec

@@ -1315,7 +1361,8 @@ do_open_tun (struct context *c)

       /* possibly add routes */

       if (!c->options.route_delay_defined)

-	do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, c->c2.es);

+	do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,

+		  c->c1.tuntap, c->plugins, c->c2.es);

       /*

        * Did tun/tap driver give us an MTU?

@@ -1390,8 +1437,9 @@ do_close_tun (struct context *c, bool force)

 #endif

 	  /* delete any routes we added */

-	  if (c->c1.route_list)

-	    delete_routes (c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es);

+	  if (c->c1.route_list || c->c1.route_ipv6_list )

+	    delete_routes (c->c1.route_list, c->c1.route_ipv6_list,

+			   c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es);

 	  /* actually close tun/tap device based on --down-pre flag */

 	  if (!c->options.down_pre)

@@ -63,6 +63,7 @@ void init_instance (struct context *c, const struct env_set *env, const unsigned

 void do_route (const struct options *options,

 	       struct route_list *route_list,

+	       struct route_ipv6_list *route_ipv6_list,

 	       const struct tuntap *tt,

 	       const struct plugin_list *plugins,

 	       struct env_set *es);

@@ -1004,7 +1004,7 @@ setenv_str_ex (struct env_set *es,

 	{

 	  const char *str = construct_name_value (name_tmp, val_tmp, &gc);

 	  env_set_add (es, str);

-	  /*msg (M_INFO, "SETENV_ES '%s'", str);*/

+	  msg (M_INFO, "SETENV_ES '%s'", str);/**/

 	}

       else

 	env_set_del (es, name_tmp);

@@ -88,12 +88,33 @@ mroute_get_in_addr_t (struct mroute_addr *ma, const in_addr_t src, unsigned int

     }

 }

+static inline void

+mroute_get_in6_addr (struct mroute_addr *ma, const struct in6_addr src, unsigned int mask)

+{

+  if (ma)

+    {

+      ma->type = MR_ADDR_IPV6 | mask;

+      ma->netbits = 0;

+      ma->len = 16;

+      *(struct in6_addr *)ma->addr = src;

+    }

+}

+

 static inline bool

 mroute_is_mcast (const in_addr_t addr)

 {

   return ((addr & htonl(IP_MCAST_SUBNET_MASK)) == htonl(IP_MCAST_NETWORK));

 }

+/* RFC 4291, 2.7, "binary 11111111 at the start of an address identifies 

+ *                 the address as being a multicast address"

+ */

+static inline bool

+mroute_is_mcast_ipv6 (const struct in6_addr addr)

+{

+  return (addr.s6_addr[0] == 0xff);

+}

+

 #ifdef ENABLE_PF

 static unsigned int

@@ -155,10 +176,29 @@ mroute_extract_addr_ipv4 (struct mroute_addr *src,

 	    }

 	  break;

 	case 6:

-	  {

-	    msg (M_WARN, "Need IPv6 code in mroute_extract_addr_from_packet"); 

-	    break;

-	  }

+	  if (BLEN (buf) >= (int) sizeof (struct openvpn_ipv6hdr))

+	    {

+	      const struct openvpn_ipv6hdr *ipv6 = (const struct openvpn_ipv6hdr *) BPTR (buf);

+#if 0				/* very basic debug */

+	      struct gc_arena gc = gc_new ();

+	      msg( M_INFO, "IPv6 packet! src=%s, dst=%s",

+			print_in6_addr( ipv6->saddr, 0, &gc ),

+			print_in6_addr( ipv6->daddr, 0, &gc ));

+	      gc_free (&gc);

+#endif

+

+	      mroute_get_in6_addr (src, ipv6->saddr, 0);

+	      mroute_get_in6_addr (dest, ipv6->daddr, 0);

+

+	      if (mroute_is_mcast_ipv6 (ipv6->daddr))

+		ret |= MROUTE_EXTRACT_MCAST;

+

+	      ret |= MROUTE_EXTRACT_SUCCEEDED;

+	    }

+	  break;

+	default:

+	    msg (M_WARN, "IP packet with unknown IP version=%d seen",

+	                 OPENVPN_IPH_GET_VER (*BPTR(buf)));

 	}

     }

   return ret;

@@ -252,14 +292,36 @@ bool mroute_extract_openvpn_sockaddr (struct mroute_addr *addr,

  * Zero off the host bits in an address, leaving

  * only the network bits, using the netbits member of

  * struct mroute_addr as the controlling parameter.

+ *

+ * TODO: this is called for route-lookup for every yet-unhashed

+ * destination address, so for lots of active net-iroutes, this

+ * might benefit from some "zeroize 32 bit at a time" improvements

  */

 void

 mroute_addr_mask_host_bits (struct mroute_addr *ma)

 {

   in_addr_t addr = ntohl(*(in_addr_t*)ma->addr);

-  ASSERT ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV4);

-  addr &= netbits_to_netmask (ma->netbits);

-  *(in_addr_t*)ma->addr = htonl (addr);

+  if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV4)

+    {

+      addr &= netbits_to_netmask (ma->netbits);

+      *(in_addr_t*)ma->addr = htonl (addr);

+    }

+  else if ((ma->type & MR_ADDR_MASK) == MR_ADDR_IPV6)

+    {

+      int byte = ma->len-1;		/* rightmost byte in address */

+      int bits_to_clear = 128 - ma->netbits;

+

+      while( byte >= 0 && bits_to_clear > 0 )

+        {

+	  if ( bits_to_clear >= 8 )

+	    { ma->addr[byte--] = 0; bits_to_clear -= 8; }

+	  else

+	    { ma->addr[byte--] &= (~0 << bits_to_clear); bits_to_clear = 0; }

+        }

+      ASSERT( bits_to_clear == 0 );

+    }

+  else

+      ASSERT(0);

 }

 /*

@@ -337,17 +399,24 @@ mroute_addr_print_ex (const struct mroute_addr *ma,

 	  }

 	  break;

 	case MR_ADDR_IPV6:

-	  buf_printf (&out, "IPV6"); 

-	  break;

-	default:

-	  buf_printf (&out, "UNKNOWN"); 

-	  break;

-	}

-      return BSTR (&out);

-    }

-  else

-    return "[NULL]";

-}

+	  {

+	    buf_printf (&out, "%s",

+		  print_in6_addr( *(struct in6_addr*)&maddr.addr, 0, gc)); 

+	    if (maddr.type & MR_WITH_NETBITS)

+	      {

+		buf_printf (&out, "/%d", maddr.netbits);

+	      }

+	    }

+	    break;

+	  default:

+	    buf_printf (&out, "UNKNOWN"); 

+	    break;

+	  }

+	return BSTR (&out);

+      }

+    else

+      return "[NULL]";

+  }

 /*

  * mroute_helper's main job is keeping track of

@@ -418,6 +487,44 @@ mroute_helper_del_iroute (struct mroute_helper *mh, const struct iroute *ir)

     }

 }

+/* this is a bit inelegant, we really should have a helper to that 

+ * is only passed the netbits value, and not the whole struct iroute *

+ * - thus one helper could do IPv4 and IPv6.  For the sake of "not change

+ * code unrelated to IPv4" this is left for later cleanup, for now.

+ */

+void

+mroute_helper_add_iroute6 (struct mroute_helper *mh, 

+                           const struct iroute_ipv6 *ir6)

+{

+  if (ir6->netbits >= 0)

+    {

+      ASSERT (ir6->netbits < MR_HELPER_NET_LEN);

+      mroute_helper_lock (mh);

+      ++mh->cache_generation;

+      ++mh->net_len_refcount[ir6->netbits];

+      if (mh->net_len_refcount[ir6->netbits] == 1)

+	mroute_helper_regenerate (mh);

+      mroute_helper_unlock (mh);

+    }

+}

+

+void

+mroute_helper_del_iroute6 (struct mroute_helper *mh, 

+			   const struct iroute_ipv6 *ir6)

+{

+  if (ir6->netbits >= 0)

+    {

+      ASSERT (ir6->netbits < MR_HELPER_NET_LEN);

+      mroute_helper_lock (mh);

+      ++mh->cache_generation;

+      --mh->net_len_refcount[ir6->netbits];

+      ASSERT (mh->net_len_refcount[ir6->netbits] >= 0);

+      if (!mh->net_len_refcount[ir6->netbits])

+	mroute_helper_regenerate (mh);

+      mroute_helper_unlock (mh);

+    }

+}

+

 void

 mroute_helper_free (struct mroute_helper *mh)

 {

@@ -85,7 +85,7 @@ struct mroute_addr {

 /*

  * Number of bits in an address.  Should be raised for IPv6.

  */

-#define MR_HELPER_NET_LEN 32

+#define MR_HELPER_NET_LEN 129

 /*

  * Used to help maintain CIDR routing table.

@@ -127,6 +127,8 @@ struct mroute_helper *mroute_helper_init (int ageable_ttl_secs);

 void mroute_helper_free (struct mroute_helper *mh);

 void mroute_helper_add_iroute (struct mroute_helper *mh, const struct iroute *ir);

 void mroute_helper_del_iroute (struct mroute_helper *mh, const struct iroute *ir);

+void mroute_helper_add_iroute6 (struct mroute_helper *mh, const struct iroute_ipv6 *ir6);

+void mroute_helper_del_iroute6 (struct mroute_helper *mh, const struct iroute_ipv6 *ir6);

 /*

  * Given a raw packet in buf, return the src and dest

@@ -316,25 +316,18 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa

    */

   if (t->options.ifconfig_pool_defined)

     {

-      if (dev == DEV_TYPE_TAP)

-	{

-	  m->ifconfig_pool = ifconfig_pool_init (IFCONFIG_POOL_INDIV,

-						 t->options.ifconfig_pool_start,

-						 t->options.ifconfig_pool_end,

-						 t->options.duplicate_cn);

-	}

-      else if (dev == DEV_TYPE_TUN)

-	{

-	  m->ifconfig_pool = ifconfig_pool_init (

-	    (t->options.topology == TOP_NET30) ? IFCONFIG_POOL_30NET : IFCONFIG_POOL_INDIV,

-	    t->options.ifconfig_pool_start,

-	    t->options.ifconfig_pool_end,

-	    t->options.duplicate_cn);

-	}

-      else

-	{

-	  ASSERT (0);

-	}

+      int pool_type = IFCONFIG_POOL_INDIV;

+

+      if ( dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30 )

+	pool_type = IFCONFIG_POOL_30NET;

+

+      m->ifconfig_pool = ifconfig_pool_init (pool_type,

+				 t->options.ifconfig_pool_start,

+				 t->options.ifconfig_pool_end,

+				 t->options.duplicate_cn,

+				 t->options.ifconfig_ipv6_pool_defined,

+				 t->options.ifconfig_ipv6_pool_base,

+				 t->options.ifconfig_ipv6_pool_netbits );

       /* reload pool data from file */

       if (t->c1.ifconfig_pool_persist)

@@ -429,10 +422,14 @@ multi_del_iroutes (struct multi_context *m,

 		   struct multi_instance *mi)

 {

   const struct iroute *ir;

+  const struct iroute_ipv6 *ir6;