Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for IPv6 (1/x) #275

Closed
wants to merge 22 commits into from
Closed

Support for IPv6 (1/x) #275

wants to merge 22 commits into from

Conversation

khorben
Copy link
Contributor

@khorben khorben commented Jul 10, 2018

This group of commits of a series attempting to bring IPv6 support to fwknop (see #1). It notably allows IPv6 communication over TCP or UDP, with or without PCAP, for both the server and the client. At this stage, only IPv4 firewalling rules can be applied.
This currently requires SOURCE ANY to be set in the configuration.

@khorben
Copy link
Contributor Author

khorben commented Jul 10, 2018

You can find additional patches in the khorben/ipv6 branch here. It is my staging branch so the changes may be more intrusive while I rework them, but feel free to review and consider them for inclusion if you find them good enough.

@mrash
Copy link
Owner

mrash commented Jul 12, 2018

Many thanks. I’ll provide feedback by tomorrow night.

@mrash mrash self-assigned this Jul 13, 2018
@mrash
Copy link
Owner

mrash commented Jul 13, 2018

Thanks for starting the IPv6 integration. Looks like you have focused on the changes necessary on the ipv6-server branch to start accepting incoming SPA packets via IPv6. As you noted somewhere, this does not change the SPA packet format, but more about the mechanics of acquiring the packet data. Have you also started looking at what would be required to encode IPv6 addresses within the SPA packets themselves? I.e. changing the access request field for example?

I think it would be a good idea to also start bootstrapping the test suite to handle IPv6. At least, I have found this to be a good way to work on major features. Maybe what I should do is start helping with the test suite in this regard.

@khorben
Copy link
Contributor Author

khorben commented Jul 13, 2018

That's right, with this branch SPA packets can be received via IPv6. I saw that IPv4 addresses are base64-encoded in there, so I think it will be possible to use the regular IPv6 notation there (abc::123.port etc) and simply check for valid IPv4 or IPv6 information there - therefore not affecting compatibility with older IPv4-only services.
Indeed I had a look at the test suite, but it did not work for me on NetBSD. I have setup a Linux VM to test there instead though.

@khorben
Copy link
Contributor Author

khorben commented Jul 16, 2018

On master:

    Tests excluded (see output/tests.excluded): 243

[+] 9/0/9 Fuzzing tests passed/failed/executed
[+] 719/12/731 test buckets passed/failed/executed

On khorben/ipv6-server:

    Tests excluded (see output/tests.excluded): 243

[+] 9/0/9 Fuzzing tests passed/failed/executed
[+] 689/42/731 test buckets passed/failed/executed

Also, the IPv6 tests took much more time, but I ran them first and had activity in other VMs, so it is not necessarily reflecting performance degradation.

@khorben khorben force-pushed the khorben/ipv6-server branch from 21ab445 to 8d0fb60 Compare July 17, 2018 22:16
khorben added 17 commits July 18, 2018 00:20
@khorben
Allow connecting to remote IPv6 hosts for TCP or UDP
8c0a4e9 
This alone should allow interacting with IPv4 firewalling rules over
IPv6, for these two protocols.
@khorben
Rework the network listening routine
f23d9d4
@khorben
Rework the network listening routine some more
fe1704c
@khorben
Also check for <netinet/ip6.h> and <netinet/icmp6.h>
01fd694 
This will allow porting the raw ICMP code to IPv6.
@khorben
Let IPs resolve to IPv6 addresses
4c92ab1 
The remote code seems to be independent from the fwknop project though.
Until it will be capable to return IPv6 addresses, in itself this will
remain irrelevant for the purpose of adding IPv6 support to fwknop.

On another hand, it does help us introduce definitions and update
headers to actually support IPv6.
@khorben
Add support for receiving SPA messages over IPv6
c49c96b
@khorben
Interpret incoming addresses according to their family
d115b43
@khorben
Let access list stanzas be defined in IPv6
f95fcc7
@khorben
Allow access control "ANY" with any protocol family
083f812
@khorben
Rework IPv6 support when comparing addresses
c3acef5
@khorben
Use AF_INET instead of PF_INET
a9c834b 
I believe it should be more portable this way, since AF_INET is required
to be present in <sys/socket.h> in POSIX.
@khorben
Use sizeof() instead of re-using hard-coded values
a7ecf43 
This should help with portability for the protocol family eventually.
@khorben
Use sizeof() instead of re-using hard-coded values
d1625c7 
This should help with portability for the protocol family eventually.
@khorben
Use a constant for AF_INET
3b8ff51 
This should eventually help with portability to IPv6.
@khorben
Specify the family at run-time for TCP/UDP servers
5daa522 
This is still using IPv4 by default for the moment.
@khorben
Add IPv6 support to the plain UDP and TCP servers
3d4b153
@khorben
Terminate IPs resolved externally as expected
8d0fb60
@khorben
Copy link
Contributor Author

khorben commented Jul 17, 2018

I just (rebased on master and) added commit 8d0fb60 to fix an issue when parsing the response of the external IP resolver. This should also support IPv6 already, would it be added to the server in the future.

@khorben
Copy link
Contributor Author

khorben commented Aug 20, 2018

See #285 for feature-complete IPv6 support on the client and server sides.

@khorben khorben closed this Aug 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mrash mrash

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@khorben @mrash