Add IPv6 support to fwknop #285
Conversation
The remote code seems to be independent from the fwknop project though. Until it will be capable to return IPv6 addresses, in itself this will remain irrelevant for the purpose of adding IPv6 support to fwknop. On another hand, it does help us introduce definitions and update headers to actually support IPv6.
Again, this depends on the remote host to be actually supporting IPv6.
It is now called is_valid_ip_addr() and expects an additional parameter for the address family.
This greatly loosens the check for a valid IPv4/IPv6 there - but it is redundant anyway, since there is always a call to is_valid_ip_addr().
This alone should allow interacting with IPv4 firewalling rules over IPv6, for these two protocols.
This will allow porting the raw ICMP code to IPv6.
I believe it should be more portable this way, since AF_INET is required to be present in <sys/socket.h> in POSIX.
This should help with portability for the protocol family eventually.
This should help with portability for the protocol family eventually.
This should eventually help with portability to IPv6.
The correct syntax is the comma (",") instead.
The problem looks real, fix looks good to me, but have not been able to reproduce the actual issue so far :(
|
Wow, tons of work. I have a local ipv6 branch to track this. I'm going to add some test suite support for IPv6 so I can work into what you've done, and then push this branch to github so we can collaborate. Let's target the next release of fwknop to merge your changes into master. |
This should address #1.
|
That's indeed some epic work. Well done @khorben! Now if only the world could finally move to IPv6 ;) |
|
Thank you :) |
|
This was sponsored by Asahi Net, Inc. by the way, https://asahi-net.co.jp/en/corporate/ (as mentioned in #1) |
|
Great work Pierre thanks a lot , much appreciated. |
|
Diving into this finally, sorry for the delay. I've opened a new issue based on a start on IPv6 test suite support. |
|
Targeting this work for the next major release of fwknop. |
| @@ -87,8 +87,8 @@ typedef struct fko_cli_options | |||
| int no_save_args; | |||
| int use_hmac; | |||
| char spa_server_str[MAX_SERVER_STR_LEN]; /* may be a hostname */ | |||
| char allow_ip_str[MAX_IPV4_STR_LEN]; | |||
| char spoof_ip_src_str[MAX_IPV4_STR_LEN]; | |||
| char allow_ip_str[MAX_IPV46_STR_LEN]; | |||
There was a problem hiding this comment.
use INET6_ADDRSTRLEN
While you are right that longtest IPv6 address takes 39 bytes, with IPv4 tunneling, the longest form can be 45 bytes:
| char allow_ip_str[MAX_IPV4_STR_LEN]; | ||
| char spoof_ip_src_str[MAX_IPV4_STR_LEN]; | ||
| char allow_ip_str[MAX_IPV46_STR_LEN]; | ||
| char spoof_ip_src_str[MAX_IPV46_STR_LEN]; |
| @@ -59,6 +59,12 @@ | |||
| #define MAX_IPV4_STR_LEN 16 | |||
| @@ -59,6 +59,12 @@ | |||
| #define MAX_IPV4_STR_LEN 16 | |||
| #define MIN_IPV4_STR_LEN 7 | |||
|
|
|||
| #define MAX_IPV46_STR_LEN 40 | |||
| #define MAX_IPV46_STR_LEN 40 | ||
| #define MIN_IPV46_STR_LEN 3 | ||
|
|
||
| #define MAX_IPV6_STR_LEN 40 |
| int o1, o2, o3, o4, got_resp=0, i=0; | ||
| char *ndx, resp[MAX_IPV4_STR_LEN+1] = {0}; | ||
| int got_resp=0, error; | ||
| char resp[MAX_IPV4_STR_LEN+1] = {0}; |
| for (rp = result; rp != NULL; rp = rp->ai_next) { | ||
| /* the canonical value is in the first structure returned */ | ||
| strlcpy(options->allow_ip_str, | ||
| rp->ai_canonname, sizeof(options->allow_ip_str)); |
|
Why it wasn't merged still? |
|
I do not know. The reviewer (@bastien-roucaries) seems to have approved the changes 3 years ago; on my side I haven't had the opportunity to comment on the proposed changes. |
|
@mrash Could you comment please? |
|
Hi all,
Apologies for the long delays. Generally I need to get a
maintenance release out for fwknop to get grounded in the latest Linux
distributions and account for drift over the past few years. This should
happen before any large feature additions like IPv6 support. On the IPv6
support itself, there are a couple of observations. First, if we can get
nft support into fwknop, then v6 support becomes a lot easier. Either way
though, how many combinations of v4/v6 should be supported? If a v6 request
is made, should an ACCEPT rule go into both the iptables and ip6tables
rules? If a v6 request is made, should the assumption be that the access
will come over v6? Or v4? How about the other way, so using v4 to gain
access to a service that is only advertised via v6? Maybe we start with
some advertised assumptions that @khorben makes at the start - such as the
fact that v4+v6 are not supported simultaneously and work up from there if
user demand asks for additions. This would allow for iterative releases of
this feature. Also, for a feature like this, we definitely need to add
comprehensive test suite support, and that is not there yet.
Let me get a maintenance release out of fwknop in the next week or so, and
then look at this for a major release.
Thanks,
…--Mike
On Tue, Jun 6, 2023 at 6:13 AM Andrey Butirsky ***@***.***> wrote:
@mrash <https://github.com/mrash> Could you comment please?
Without IPv6 support, it looks mostly as abandon-ware these days, so it
makes sense to clarify the project status..
—
Reply to this email directly, view it on GitHub
<#285 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAC42RENIJ6RP3II2WLUPGLXJ37DLANCNFSM4FQONLOQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
|
|
Thank you for the update Michael.
Yeah, that is the other blocker: #107. There seems to be a lot of work ahead but I hope we will get there eventually! |
This branch adds complete support for IPv6 on fwknop. It still has a few limitations though:
-6command-line parameterThis should close Add full IPv6 support to fwknop #1.