Migration: openvpn device name lenght #1061

francio87 · 2025-02-04T15:27:01Z

While migrating OpenVPN tunnels, it has been observed that if the device name exceeds 16 characters, an error occurs in NFT. This issue prevents the proper startup of the service

Steps to reproduce

Migrate a firewall where the VPN tunnel name was tunnel-uffici

Expected behavior

The VPN tunnel should be active and functioning correctly after migration.

Actual behavior

The VPN tunnel is imported with its name properly truncated in the ns_name property, but the dev property of OpenVPN contains a device name that exceeds the maximum length of 16 characters.

root@ns-fwsede:~# uci show openvpn.ns_tunnel_.ns_name
openvpn.ns_tunnel_.ns_name='tunnel-uff'

root@ns-fwsede:~# uci show openvpn.ns_tunnel_.dev
openvpn.ns_tunnel_.dev='tuntunnel-uffici'

This leads to an error when nft attempts to apply the firewall rules:

/dev/stdin:83:11-28: Error: String exceeds maximum length of 16
                iifname "tuntunnel-uffici" jump input_openvpn comment "!fw4: Handle openvpn IPv4/IPv6 input traffic"
                        ^^^^^^^^^^^^^^^^^^

Components

NethSecurity version: 8-23.05.5-ns.1.4.1

The text was updated successfully, but these errors were encountered:

Previously, the limit was wrongly set to 17 #1061

github-actions · 2025-02-04T17:06:55Z

Testing image version: 8-23.05.5-ns.1.4.1-51-gcbbc735

gsanchietti · 2025-02-04T17:07:19Z

Test case
Check the issue is not reproducibile

francio87 · 2025-02-06T08:48:04Z

Confirm Fixed, tested with release 23.05.5-ns.1.4.1-53-g3049dab

Nsec 7.9:

Nsec 8:

root@ns79:~# uci show openvpn.ns_tunnel_.ns_name
openvpn.ns_tunnel_.ns_name='tunnel-sed'

root@ns79:~# uci show openvpn.ns_tunnel_.dev
openvpn.ns_tunnel_.dev='tuntunnel-seder'

root@ns79:~# ip a sh tuntunnel-seder
11: tuntunnel-seder: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.19.189.1/24 scope global tuntunnel-seder
       valid_lft forever preferred_lft forever
    inet6 fe80::c377:bb1d:490b:392b/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

fw4 reload without issue :

root@ns79:~# fw4 reload
Section ns_user_include specifies unreachable path '/etc/firewall.user', ignoring section
Automatically including '/usr/share/nftables.d/chain-pre/input/20-don.nft'
Automatically including '/usr/share/nftables.d/chain-pre/srcnat/20netmap.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20netmap.nft'

github-project-automation bot added this to NethSecurity Feb 4, 2025

github-project-automation bot moved this to ToDo 🕐 in NethSecurity Feb 4, 2025

gsanchietti mentioned this issue Feb 4, 2025

fix(ns-migration): limit tun name to 16 chars #1060

Merged

gsanchietti added a commit that referenced this issue Feb 4, 2025

fix(ns-migration): limit tun name to 16 chars (#1060)

cbbc735

Previously, the limit was wrongly set to 17 #1061

github-actions bot added the testing Packages are available from testing repositories label Feb 4, 2025

francio87 self-assigned this Feb 5, 2025

francio87 added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Feb 6, 2025

francio87 removed their assignment Feb 6, 2025

nethbot moved this from ToDo 🕐 to Verified in NethSecurity Feb 6, 2025

Tbaile added this to the NethSecurity 8.5 milestone Feb 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Migration: openvpn device name lenght #1061

Migration: openvpn device name lenght #1061

francio87 commented Feb 4, 2025

github-actions bot commented Feb 4, 2025

gsanchietti commented Feb 4, 2025

francio87 commented Feb 6, 2025

Migration: openvpn device name lenght #1061

Migration: openvpn device name lenght #1061

Comments

francio87 commented Feb 4, 2025

github-actions bot commented Feb 4, 2025

gsanchietti commented Feb 4, 2025

francio87 commented Feb 6, 2025