secnet bug: tun and mobile sites

Simon Tatham anakin at
Tue Nov 27 19:10:17 GMT 2012

secnet's 'tun' netlink will add and remove kernel routing table
entries during PHASE_RUN if the OPT_SOFTROUTE option is set.
However, at startup during PHASE_GETRESOURCES it will set up routes
for a site only if that site lists an address. So if you have a site
in your sites file with no address but also haven't enabled
OPT_SOFTROUTE (e.g. because you run secnet so that it drops privs),
then no route for that site will _ever_ be set up.

These two policies don't match. We should bring a site's route(s) up
at startup in any situation where we will not be prepared to do so
dynamically during run time. In other words, routes should be added
at startup time not only if they have a fixed address parameter, but
also if they do not have OPT_SOFTROUTE set.

(See also bdd4351ff2fc6dc8b1dad689f751ac46347636cf, which seems to
be fixing the analogous bug for userv-ipif.)

The attached patch implements this fix, and causes my home secnet
implementation to be able to route to my laptop successfully
(sgo/resolution/resolution). In order to do this I've had to move
the definition of OPT_SOFTROUTE out of netlink.c into netlink.h so
that tun_set_route can see it, which suggests a possible layering
violation, but on the other hand since the netlink_client structure
is visible outside netlink.c it seems only reasonable that the bit
flags used in its 'options' field should be visible too.

Simon Tatham         "_shin_, n. An ingenious device for
<anakin at>    finding tables and chairs in the dark."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-tun-add-hard-routes-even-if-they-are-currently-down.patch
Type: text/x-diff
Size: 3835 bytes
Desc: not available
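The policy mismatch described in the message, as an added model that is not part of the original post and is not secnet's code. Only the name OPT_SOFTROUTE comes from the post; its value, the struct and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value: the post names OPT_SOFTROUTE but does not give its bit. */
#define OPT_SOFTROUTE 1u

/* Hypothetical, simplified stand-in for a site as seen by the tun netlink. */
struct site_model {
    const char *name;
    bool has_address;  /* site lists an address in the sites file */
    uint32_t options;  /* bit flags, like the 'options' field in the post */
};

/* Startup (PHASE_GETRESOURCES) as described in the bug: address required. */
static bool startup_route_old(const struct site_model *s) { return s->has_address; }

/* Startup as proposed: also add the route when it is not a soft route. */
static bool startup_route_fixed(const struct site_model *s) {
    return s->has_address || !(s->options & OPT_SOFTROUTE);
}

/* Run time (PHASE_RUN): routes change only if OPT_SOFTROUTE is set. */
static bool runtime_route(const struct site_model *s) {
    return (s->options & OPT_SOFTROUTE) != 0;
}

/* Count sites that neither phase will ever give a kernel route. */
static int count_stranded(const struct site_model *sites, int n,
                          bool (*startup)(const struct site_model *)) {
    int stranded = 0;
    for (int i = 0; i < n; i++)
        if (!startup(&sites[i]) && !runtime_route(&sites[i]))
            stranded++;
    return stranded;
}

/* Constructed sample: every combination of address and soft routing. */
static const struct site_model SAMPLE_SITES[] = {
    {"fixed-hard", true, 0},
    {"fixed-soft", true, OPT_SOFTROUTE},
    {"mobile-hard", false, 0}, /* no address, no OPT_SOFTROUTE: the reported case */
    {"mobile-soft", false, OPT_SOFTROUTE},
};

int main(void) {
    printf("old: %d stranded\n", count_stranded(SAMPLE_SITES, 4, startup_route_old));
    printf("fixed: %d stranded\n", count_stranded(SAMPLE_SITES, 4, startup_route_fixed));
    return 0;
}
```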

More information about the sgo-software-discuss mailing list