Diffstat (limited to 'openvpn')
| -rw-r--r-- | openvpn/README.IPv6 | 138 | ||||
| -rw-r--r-- | openvpn/src/openvpn/event.c | 3 | ||||
| -rw-r--r-- | openvpn/src/openvpn/init.c | 8 | ||||
| -rw-r--r-- | openvpn/src/openvpn/misc.c | 30 | ||||
| -rw-r--r-- | openvpn/src/openvpn/platform.c | 28 | ||||
| -rw-r--r-- | openvpn/src/openvpn/status.c | 2 | 
6 files changed, 69 insertions, 140 deletions
| diff --git a/openvpn/README.IPv6 b/openvpn/README.IPv6 index d504f4ff..56c97abb 100644 --- a/openvpn/README.IPv6 +++ b/openvpn/README.IPv6 
@@ -1,97 +1,65 @@ +Since 2.3.0, OpenVPN officially supports IPv6, and all widely used +patches floating around for older versions have been integrated. +  IPv6 payload support  -------------------- -Latest IPv6 payload support code and documentation can be found from here: +This is for "IPv6 inside OpenVPN", with server-pushed IPv6 configuration +on the client, and support for IPv6 configuration on the tun/tap interface +from within the openvpn config. + +The code in 2.3.0 supersedes the IPv6 payload patches from Gert Doering, +formerly located at http://www.greenie.net/ipv6/openvpn.html + -  http://www.greenie.net/ipv6/openvpn.html +The following options have been added to handle IPv6 configuration, +analogous to their IPv4 counterparts (--server <-> --server-ipv6, etc.) -For TODO list, see TODO.IPv6. +     - server-ipv6 +     - ifconfig-ipv6 +     - ifconfig-ipv6-pool +     - ifconfig-ipv6-push +     - route-ipv6 +     - iroute-ipv6 -Gert Doering, 31.12.2009 +see "man openvpn" for details how they are used.  IPv6 transport support  ---------------------- -[ Last updated: 25-Mar-2011. 
] - -OpenVPN-2.1 over UDP6/TCP6 README for ipv6-0.4.x patch releases: -( --udp6 and --tcp6-{client,server} ) - -* Availability -  Source code under GPLv2 from http://github.com/jjo/openvpn-ipv6 - -  Distro ready repos/packages: -  o Debian sid official repo, by Alberto Gonzalez Iniesta, -    starting from openvpn_2.1~rc20-2 -  o Gentoo official portage tree, by Marcel Pennewiss: -    - https://bugs.gentoo.org/show_bug.cgi?id=287896 -  o Ubuntu package, by Bernhard Schmidt: -    - https://launchpad.net/~berni/+archive/ipv6/+packages -  o Freetz.org, milestone freetz-1.2 -    - http://trac.freetz.org/milestone/freetz-1.2 - -* Status: -  o OK: -    - upd6,tcp6: GNU/Linux, win32, openbsd-4.7, freebsd-8.1 -    - udp4->upd6,tcp4->tcp6 (ipv4/6 mapped): GNU/Linux -      (gives a warning on local!=remote proto matching) -  o NOT: -    - win32: tcp4->tcp6 (ipv4/6 mapped) fails w/connection refused -  o NOT tested: -    - mgmt console - -* Build setup: -  ./configure --enable-ipv6        (by default) - -* Usage: -  For IPv6 just specify "-p upd6" an proper IPv6 hostnames, adapting the example -  from man page ... - -  On may: -    openvpn --proto udp6 --remote <june_IPv6_addr> --dev tun1 \ -      --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key - -  On june: -    openvpn --proto udp6 --remote <may_IPv6_addr>  --dev tun1 \ -      --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key - -  Same for --proto tcp6-client, tcp6-server. 
- -* Main code changes summary: -  - socket.h: New struct openvpn_sockaddr type that holds sockaddrs and pktinfo, -    (here I omitted #ifdef USE_PF_xxxx, see socket.h ) - -    struct openvpn_sockaddr { -	union { -		struct sockaddr sa; -		struct sockaddr_in in; -		struct sockaddr_in6 in6; -	} addr; -    }; - -    struct link_socket_addr -    { -            struct openvpn_sockaddr local; -            struct openvpn_sockaddr remote; -            struct openvpn_sockaddr actual; -    }; - -    PRO: allows simple type overloading: local.addr.sa, local.addr.in, local.addr.in6 ... etc -    (also local.pi.in and local.pi.in6) - -  - several function prototypes moved from sockaddr_in to openvpn_sockaddr -  - several new sockaddr functions needed to "generalize" AF_xxxx operations: -    addr_copy(), addr_zero(), ...etc -    proto_is_udp(), proto_is_dgram(), proto_is_net() - -* For TODO list, see TODO.IPv6 - --- -JuanJo Ciarlante   jjo () google () com ............................ -:                                                                  : -.                                         Linux IP Aliasing author . -.   Modular algo (AES et all) support for FreeSWAN/OpenSWAN author . -.                                        OpenVPN over IPv6 support . -:......     plus other scattered free software bits in the wild ...: +This is to enable OpenVPN peers or client/servers to talk to each other +over an IPv6 network ("OpenVPN over IPv6"). 
+ +The code in 2.3.0 supersedes the IPv6 transport patches from JuanJo Ciarlante, +formerly located at http://github.com/jjo/openvpn-ipv6 + + +Use the following options to select IPv6 transport: + +  --proto udp6 +  --proto tcp6-client +  --proto tcp6-server +  --proto tcp6 --client / --proto tcp6 --server + +On systems that permit IPv4 connections on IPv6 sockets (Linux by +default, FreeBSD and NetBSD if you turn off the "v6only" sysctl by +running "sysctl -w net.inet6.ip6.v6only=0"), an OpenVPN server can +handle IPv4 connections on the IPv6 socket as well, making it a true +dual-stacked server. + +On other systems, as of 2.3.0, you need to run separate server instances +for IPv4 and IPv6. + +The client side code is not really "dual-stacked" yet, as it does not +automatically try both address families when connecting to a dual-stacked +server.  For now, you can achieve this with <connection> stanzas in your +openvpn config: + +  <connection> +     remote my.dual.stack.server 1194 udp6 +  </connection> +  <connection> +     remote my.dual.stack.server 1194 udp +  </connection> diff --git a/openvpn/src/openvpn/event.c b/openvpn/src/openvpn/event.c index 2a13e1cf..34a3c451 100644 --- a/openvpn/src/openvpn/event.c +++ b/openvpn/src/openvpn/event.c @@ -34,6 +34,7 @@  #include "error.h"  #include "integer.h"  #include "event.h" +#include "fdmisc.h"  #include "memdbg.h" @@ -582,6 +583,8 @@ ep_init (int *maxevents, unsigned int flags)    if (fd < 0)      return NULL; +  set_cloexec (fd); +    ALLOC_OBJ_CLEAR (eps, struct ep_set);    /* set dispatch functions */ diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index b3125282..28121235 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c 
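Review bot: In ep_init the close-on-exec flag is applied in a second step, after the descriptor has already been created and checked (the creating call is above the hunk, so this is inferred from the `if (fd < 0)` test). Between the two steps a concurrent fork/exec would still inherit the descriptor; where the platform provides it, creating the descriptor with the flag already set, e.g. `epoll_create1 (EPOLL_CLOEXEC)`, closes that window, with `set_cloexec (fd)` kept as the fallback. A one-line comment such as `/* keep the event fd out of any child process we exec */` would also record why the call is there. The same set-after-create pattern is added to status_open in status.c, where passing `O_CLOEXEC` at open time would be the equivalent. What set_cloexec does on failure is not visible on this page, so confirm that it cannot return here with `fd` still open and unowned.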
@@ -3288,6 +3288,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int    /* init garbage collection level */    gc_init (&c->c2.gc); +  /* inherit environmental variables */ +  if (env) +     do_inherit_env (c, env); +        /* signals caught here will abort */    c->sig->signal_received = 0;    c->sig->signal_text = NULL; @@ -3339,10 +3343,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int    if (c->mode == CM_P2P || c->mode == CM_TOP)      do_option_warnings (c); -  /* inherit environmental variables */ -  if (env) -    do_inherit_env (c, env); -  #ifdef ENABLE_PLUGIN    /* initialize plugins */    if (c->mode == CM_P2P || c->mode == CM_TOP) diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c index 1e9a7fc0..fa327f8c 100644 --- a/openvpn/src/openvpn/misc.c +++ b/openvpn/src/openvpn/misc.c @@ -707,13 +707,6 @@ env_set_remove_from_environment (const struct env_set *es)  static struct env_item *global_env = NULL; /* GLOBAL */ -void -manage_env (char *str) -{ -  remove_env_item (str, true, &global_env); -  add_env_item (str, false, &global_env, NULL); -} -  #endif  /* add/modify/delete environmental strings */ 
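Review bot: The relocated `do_inherit_env` call in init_instance keeps only the old comment, which does not say why it now has to run straight after `gc_init`. Judging from the misc.c hunk in this commit, where setenv_str_ex gains `ASSERT (es)`, the reason appears to be that the context's env_set must exist before anything later in init_instance sets a variable. If that is the intent, state it: `/* inherit environmental variables; must precede any setenv call, which now requires a non-NULL env_set */`. The `if (env)` guard is kept, so a caller passing NULL skips this step; whether an env_set is still available in that case depends on code outside the hunk and should be confirmed. The new call is also indented one space deeper than the line it replaces further down.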
@@ -789,27 +782,18 @@ setenv_str_ex (struct env_set *es,    if (value)      val_tmp = string_mod_const (value, value_include, value_exclude, value_replace, &gc); -  if (es) +  ASSERT (es); + +  if (val_tmp)      { -      if (val_tmp) -	{ -	  const char *str = construct_name_value (name_tmp, val_tmp, &gc); -	  env_set_add (es, str); +      const char *str = construct_name_value (name_tmp, val_tmp, &gc); +      env_set_add (es, str);  #if DEBUG_VERBOSE_SETENV -	  msg (M_INFO, "SETENV_ES '%s'", str); +      msg (M_INFO, "SETENV_ES '%s'", str);  #endif -	} -      else -	env_set_del (es, name_tmp);      }    else -    { -      char *str = construct_name_value (name_tmp, val_tmp, &gc); -      if (platform_putenv(str)) -      { -        msg (M_WARN | M_ERRNO, "putenv('%s') failed", str); -      } -    } +    env_set_del (es, name_tmp);    gc_free (&gc);  } diff --git a/openvpn/src/openvpn/platform.c b/openvpn/src/openvpn/platform.c index e79de7a7..16d4daca 100644 --- a/openvpn/src/openvpn/platform.c +++ b/openvpn/src/openvpn/platform.c @@ -275,34 +275,6 @@ platform_unlink (const char *filename)  #endif  } -int platform_putenv(char *string) -{ -  int status; -#if defined(WIN32) -  struct gc_arena gc = gc_new (); -  char *s = string_alloc(string, &gc); -  char *value = strchr(s, '='); -  if (value!=NULL) -    { -      *value = '\0'; -      value++; -      if (*value == '\0') -        value = NULL; -    } - -  status = SetEnvironmentVariableW (wide_string (s, &gc), -      wide_string (value, &gc)) ? 1: 0; -  gc_free (&gc); -#elif defined(HAVE_PUTENV) -  void manage_env (char *str); /* TODO: Resolve properly */ -  status = putenv (string); -  if (!status) -    manage_env (string); -#endif - -  return status; -} -  FILE *  platform_fopen (const char *path, const char *mode)  { diff --git a/openvpn/src/openvpn/status.c b/openvpn/src/openvpn/status.c index 5f9ab9ee..b7ff4843 100644 --- a/openvpn/src/openvpn/status.c +++ b/openvpn/src/openvpn/status.c 
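Review bot: `ASSERT (es)` in setenv_str_ex changes the function's contract without documenting it: a NULL env_set used to mean "write to the process environment" and now aborts the process. Callers are outside this diff, so every call site that can still pass a NULL env_set needs to be audited before this lands. I would move the assertion to the top of the function, before `string_mod_const` does any work, and add a header comment such as `/* es must be non-NULL; variables are stored in the env_set only and never written to the process environment */`. The function's opening lines are above the hunk.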
@@ -33,6 +33,7 @@  #include "status.h"  #include "perf.h"  #include "misc.h" +#include "fdmisc.h"  #include "memdbg.h" @@ -98,6 +99,7 @@ status_open (const char *filename,  	  if (so->fd >= 0)  	    {  	      so->filename = string_alloc (filename, NULL); +             set_cloexec (so->fd);  	      /* allocate read buffer */  	      if (so->flags & STATUS_OUTPUT_READ) | 
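Review bot: The added `set_cloexec (so->fd);` line in status_open is indented with spaces only, while the neighbouring context lines, as rendered on this page, use a tab followed by spaces; it should match the `so->filename = string_alloc (filename, NULL);` line above it. The call also runs after `string_alloc`, so the descriptor stays inheritable slightly longer than needed. Making it the first statement inside `if (so->fd >= 0)` keeps the flag next to the check that validates the descriptor. status_open starts and ends outside the hunk.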
