[openwrt/openwrt] 6in4: improve HE tunnel update procedure

LEDE Commits lede-commits at lists.infradead.org
Sat Feb 14 15:02:47 PST 2026


hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/862b46dd8f65ed2ab298b63ca33f672fb6ec3be7

commit 862b46dd8f65ed2ab298b63ca33f672fb6ec3be7
Author: Rany Hany <rany_hany at riseup.net>
AuthorDate: Sat Feb 14 11:12:19 2026 +0200

    6in4: improve HE tunnel update procedure
    
    - uclient-fetch timeout bumped from 5s to 15s. If we do not do this
      we get flagged by HE as the update request is expensive and takes
      more than 5s to execute. Currently 5s timeout causes uclient-fetch
      to be killed prematurely as can be seen by the following log:
    
      10:34:57 user.notice 6in4-henet: update 1/3: timeout
      10:35:07 user.notice 6in4-henet: update 2/3: timeout
      10:35:17 user.notice 6in4-henet: update 3/3: timeout
      10:35:22 user.notice 6in4-henet: update failed
    
      The above is the worst case, what usually happens is:
    
      10:53:59 user.notice 6in4-henet: update 1/3: timeout
      10:54:06 user.notice 6in4-henet: update 2/3: abuse
      10:54:06 user.notice 6in4-henet: updated
    
    - We now use an exponential backoff starting from 5 seconds.
    
    - Detect ca-bundle so we don't use --no-check-certificates
      unnecessarily.
    
    - The while loop was changed so we don't retry unnecessarily
      after the final failure.
    
    - Worst-case total time the update operation might take before
      bailing out is:
    
         (sum(15 + (5 × (2^(x − 1))), 1, 2) + 15) seconds = 1 min
    
    Signed-off-by: Rany Hany <rany_hany at riseup.net>
    Link: https://github.com/openwrt/openwrt/pull/22016
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 package/network/ipv6/6in4/files/6in4.sh | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/package/network/ipv6/6in4/files/6in4.sh b/package/network/ipv6/6in4/files/6in4.sh
index dd055ecb63..015f8066b9 100755
--- a/package/network/ipv6/6in4/files/6in4.sh
+++ b/package/network/ipv6/6in4/files/6in4.sh
@@ -25,7 +25,7 @@ test_6in4_rfc1918()
 
 proto_6in4_update() {
 	sh -c '
-		timeout=5
+		timeout=15
 
 		(while [ $((timeout--)) -gt 0 ]; do
 			sleep 1
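Review bot: `timeout=15` is a bare number inside the `sh -c` string, and the reason for the value is recorded only in the commit message. A one-line comment above it, saying that this is the per-attempt limit in seconds and that the HE update request can take longer than 5s, would keep a later cleanup from lowering it again.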
@@ -123,7 +123,7 @@ proto_6in4_setup() {
 		local ca_path="${SSL_CERT_DIR:-/etc/ssl/certs}"
 
 		[ -f /lib/libustream-ssl.so ] && http=https
-		[ "$http" = "https" -a -z "$(find $ca_path -name "*.0" 2>/dev/null)" ] && {
+		[ "$http" = "https" -a -z "$(find "$ca_path" \( -name "*.0" -o -name "*.crt" \) 2>/dev/null)" ] && {
 			urlget_opts="$urlget_opts --no-check-certificate"
 		}
 
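Review bot: the fallback at `urlget_opts="$urlget_opts --no-check-certificate"` stays silent, and the update request built from these options carries `--user` and `--password`, so a device without CA files sends the tunnel credentials over TLS that is not verified and nothing in the log says so. Consider logging a notice in that branch so the downgrade is visible to the operator. Also note that the `find` test only proves that some file named `*.0` or `*.crt` exists anywhere under `$ca_path`, not that it is a usable CA certificate; a comment stating that this is a presence heuristic would set expectations.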
@@ -135,10 +135,12 @@ proto_6in4_setup() {
 
 		local try=0
 		local max=3
+		local retry_delay=5
 
 		(
 			set -o pipefail
-			while [ $((++try)) -le $max ]; do
+			while true; do
+				try=$((try + 1))
 				if proto_6in4_update $urlget $urlget_opts --user="$username" --password="$password" "$url" 2>&1 | \
 					sed -e 's,^Killed$,timeout,' -e "s,^,update $try/$max: ," | \
 					logger -t "$link";
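Review bot: `while true` at the loop head leaves no bound visible here; termination now depends entirely on a `break` placed after the `fi` further down, so an edit that moves or drops that check turns this into an endless retry loop against the update endpoint. Either add a comment at the loop head stating that the exit condition is `try >= max` below, or keep the bound in the `while` condition and guard only the sleep.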
@@ -146,7 +148,11 @@ proto_6in4_setup() {
 					logger -t "$link" "updated"
 					return 0
 				fi
-				sleep 5
+
+				[ "$try" -ge "$max" ] && break
+
+				sleep "$retry_delay"
+				retry_delay=$((retry_delay * 2))
 			done
 			logger -t "$link" "update failed"
 		)
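Review bot: `retry_delay=$((retry_delay * 2))` doubles without an upper bound. With `max=3` the sleeps are only 5s and 10s, but the two values are not tied together, so raising `max` later grows the wait exponentially. Consider capping the delay or adding a comment next to `local retry_delay=5` that records the worst-case total from the commit message and its dependence on `max`.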



