Opened 5 years ago

Last modified 2 years ago

#636 assigned TODO (General task list)

Add IPv6 Support to packet filter (please)

Reported by: debbie10t Owned by: Antonio
Priority: major Milestone: release 2.5
Component: IPv6 Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Note: Using packet filter plugin from http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/

Adding IPv6 networks to a working OpenVPN IPv6(data) server client packet filter file:

[CLIENTS ACCEPT]
[SUBNETS DROP]
+10.234.56.0/24
+2001:db8:0:123::/64
[END]

Causes this error when reading the client packet filter file:

Mon Dec  7 20:56:18 2015 us=370154 client1/88.105.38.50:2000 PF: server/temp/openvpn_pf_624c22373430d537c902b6dc0c8ecc87.tmp/4: bad '/n' subnet specifier: must be between 0 and 32: '64'
Mon Dec  7 20:56:18 2015 us=370207 client/88.105.38.50:2000 PF: server/temp/openvpn_pf_624c22373430d537c902b6dc0c8ecc87.tmp rejected due to 1 error(s)

My extremely limited knowledge of C has brought me to this (pf.c - line 107):

msg (D_PF_INFO, "PF: %s/%d: bad '/n' subnet specifier: must be between 0 and 32: '%s'", prefix, line_num, div);

Thanks
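The parser below is an added example, not code from OpenVPN's pf.c or from the reporter. It reads the packet-filter file format shown above ([CLIENTS ...] / [SUBNETS ...] sections, one +/- rule per line, [END]) and bounds the '/n' prefix length by address family, so the ticket's '+2001:db8:0:123::/64' entry is accepted while '/64' on an IPv4 entry is still rejected with the same kind of message pf.c prints. The "first matching rule wins" evaluation, the helper names, and the sample file (a copy of the one in the ticket) are assumptions of this example.

```python
import ipaddress

# Longest valid prefix length per address family. pf.c hard-coded 32 for every entry,
# which is exactly the check the ticket's /64 line trips over.
MAX_PREFIX = {4: 32, 6: 128}


class PFError(ValueError):
    """A malformed filter file; the whole file is rejected, as pf.c does."""


def parse_subnet(spec, line_num):
    """Parse 'addr' or 'addr/n', bounding n by the family of addr instead of a fixed 32."""
    addr, sep, plen = spec.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        raise PFError(f"line {line_num}: bad address: '{addr}'") from None
    limit = MAX_PREFIX[ip.version]
    if sep:
        try:
            n = int(plen)
        except ValueError:
            n = -1
        if not 0 <= n <= limit:
            raise PFError(f"line {line_num}: bad '/n' subnet specifier: "
                          f"must be between 0 and {limit}: '{plen}'")
    else:
        n = limit  # a bare address is a host entry
    return ipaddress.ip_network(f"{ip}/{n}", strict=False)


def parse_pf(text):
    """Return {'clients': (default_allow, {cn: allow}), 'subnets': (default_allow, [(net, allow)])}."""
    clients = subnets = section = None
    for line_num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            head = line.strip("[]").split()
            if head == ["END"]:
                if clients is None or subnets is None:
                    raise PFError(f"line {line_num}: [END] before both sections were given")
                return {"clients": clients, "subnets": subnets}
            if (len(head) != 2 or head[0] not in ("CLIENTS", "SUBNETS")
                    or head[1] not in ("ACCEPT", "DROP")):
                raise PFError(f"line {line_num}: bad section header: '{line}'")
            default_allow = head[1] == "ACCEPT"
            if head[0] == "CLIENTS":
                clients = (default_allow, {})
                section = clients[1]
            else:
                subnets = (default_allow, [])
                section = subnets[1]
            continue
        if section is None or line[0] not in "+-":
            raise PFError(f"line {line_num}: bad rule: '{line}'")
        allow = line[0] == "+"  # '+' is an exception that allows, '-' one that drops
        if isinstance(section, dict):
            section[line[1:]] = allow
        else:
            section.append((parse_subnet(line[1:], line_num), allow))
    raise PFError("missing [END] marker")


def pf_error(text):
    """None if the file parses, else the error message (mirrors the 'rejected' log line)."""
    try:
        parse_pf(text)
        return None
    except PFError as e:
        return str(e)


def subnet_allowed(pf, addr):
    """First matching rule wins (assumed here); otherwise the section's default policy."""
    ip = ipaddress.ip_address(addr)
    default_allow, rules = pf["subnets"]
    for net, allow in rules:
        if ip.version == net.version and ip in net:
            return allow
    return default_allow


def client_allowed(pf, common_name):
    default_allow, rules = pf["clients"]
    return rules.get(common_name, default_allow)


# Constructed copy of the filter file from the ticket.
TICKET_PF = """
[CLIENTS ACCEPT]
[SUBNETS DROP]
+10.234.56.0/24
+2001:db8:0:123::/64
[END]
"""

if __name__ == "__main__":
    pf = parse_pf(TICKET_PF)
    for dst in ("10.234.56.7", "10.234.57.1", "2001:db8:0:123::1", "2001:db8:0:124::1"):
        print(f"{dst:22s} -> {'ACCEPT' if subnet_allowed(pf, dst) else 'DROP'}")
    print(pf_error(TICKET_PF.replace("/24", "/64")))   # the IPv4 entry still rejects /64
```

Running it shows both ticket subnets accepted and everything else dropped under the [SUBNETS DROP] default; swapping the IPv4 entry's /24 for /64 reproduces the ticket's error text with the family-correct limit.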

Change History (9)

comment:1 Changed 5 years ago by Gert Döring

Changing that line is probably trivial, but I'm not sure we can actually apply filters to IPv6 today - it might work, given how the mroute stuff is totally magic inside, or not...

"Someone who understands the PF code needs to look into it"

comment:2 Changed 5 years ago by debbie10t

I realise this is not a trivial task as there is more to it than simply changing the boundaries of the mask (I did try but then openvpn rejects the IPv6 address as invalid). I added it here in order that it not be overlooked (hence the please).

comment:3 Changed 4 years ago by Antonio

Hello, is anybody still working on this feature? If not, is there any interest in getting it implemented?

It looks interesting and I am willing to spend some time on it.

comment:4 Changed 4 years ago by Gert Döring

Milestone: release 2.5

As far as I'm aware, nobody is working on it. Feature parity here (for 2.5) would be nice.

One of the main obstacles will be that review will be hard - nobody currently involved really understands these code parts very well. But that is really an opportunity to learn more ;-)

comment:5 Changed 4 years ago by Antonio

I've started digging into the pf code. It's a bit convoluted, but not too complex. I'll send some patches over the ml as soon as I come up with something reasonable (after 2.4 is released, of course).

comment:6 Changed 4 years ago by Gert Döring

Owner: set to Antonio
Status: new → assigned

comment:7 Changed 4 years ago by Antonio

Basic patch is working fine (and compiles on windows!!)

However, PF needs to whitelist some low-level IPv6 traffic by default, otherwise nothing would work, unless the user knows what to allow.

cron2 pointed me towards RFC4890 where I should find some guidelines about what should never be dropped by an IPv6 firewall.
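As an added example of the RFC 4890 point above (not code from the ipv6pf branch or from OpenVPN), the filter below parses a raw IPv6 packet and lets the ICMPv6 messages RFC 4890 says a firewall must not drop (section 4.3.1 for transit traffic, section 4.4.1 for Neighbor/Router Discovery on the local link) pass before the subnet rules are consulted, so a [SUBNETS DROP] file like the ticket's does not silently break path MTU discovery or neighbor resolution. Filtering only on the destination address, the verdict strings, and the constructed sample packets (zero ICMPv6 checksum, since the decision never needs it) are assumptions of this example.

```python
import ipaddress
import struct

ICMPV6 = 58

# RFC 4890 section 4.3.1, transit traffic that must not be dropped: type -> codes (None = all)
MUST_NOT_DROP_TRANSIT = {
    1: None,     # Destination Unreachable
    2: None,     # Packet Too Big (path MTU discovery)
    3: {0},      # Time Exceeded, hop limit exceeded in transit only
    4: {1, 2},   # Parameter Problem: unrecognised next header / IPv6 option
    128: None,   # Echo Request
    129: None,   # Echo Reply
}
# RFC 4890 section 4.4.1, local-link traffic that must not be dropped: Router Solicitation /
# Advertisement, Neighbor Solicitation / Advertisement, Inverse ND. These are only legitimate
# with hop limit 255 (proof the sender is on-link), so the verdict checks the hop limit too.
MUST_NOT_DROP_LINK = {133, 134, 135, 136, 141, 142}


def build_ipv6(src, dst, next_hdr, hop_limit, payload):
    """Construct a packet: 40-byte fixed IPv6 header + payload (sample input only)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def icmpv6(typ, code, body=b""):
    """ICMPv6 header with a zero checksum (constructed; checksum is irrelevant to the verdict)."""
    return bytes([typ, code, 0, 0]) + body


def parse_ipv6(pkt):
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, hop_limit = struct.unpack_from("!HBB", pkt, 4)
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return next_hdr, hop_limit, src, dst, pkt[40:40 + payload_len]


def pf_verdict(pkt, allow_nets, default_allow=False):
    """Destination-subnet filter (simplified from pf.c, assumed) with RFC 4890 exceptions first.
    Returns (verdict, reason)."""
    next_hdr, hop_limit, _src, dst, payload = parse_ipv6(pkt)
    if next_hdr == ICMPV6 and len(payload) >= 4:
        typ, code = payload[0], payload[1]
        if typ in MUST_NOT_DROP_TRANSIT:
            codes = MUST_NOT_DROP_TRANSIT[typ]
            if codes is None or code in codes:
                return "accept", "rfc4890-transit"
        if typ in MUST_NOT_DROP_LINK and hop_limit == 255:
            return "accept", "rfc4890-link"
    if any(dst in net for net in allow_nets):
        return "accept", "subnet-rule"
    return ("accept" if default_allow else "drop"), "default"


# The ticket's "[SUBNETS DROP] +2001:db8:0:123::/64" rule, plus constructed addresses.
ALLOW_NETS = [ipaddress.ip_network("2001:db8:0:123::/64")]
CLIENT = "2001:db8:0:123::5"
OUTSIDE = "2001:db8:0:124::1"     # covered by no + rule, so dropped by default

if __name__ == "__main__":
    samples = {
        "tcp to outside":     build_ipv6(CLIENT, OUTSIDE, 6, 64, b"\x00" * 20),
        "packet too big":     build_ipv6(CLIENT, OUTSIDE, ICMPV6, 64, icmpv6(2, 0, b"\x00\x00\x05\x00")),
        "reassembly timeout": build_ipv6(CLIENT, OUTSIDE, ICMPV6, 64, icmpv6(3, 1)),
        "neighbor solicit":   build_ipv6("fe80::1", "ff02::1:ff00:1", ICMPV6, 255, icmpv6(135, 0)),
        "ns with hop 64":     build_ipv6("fe80::1", "ff02::1:ff00:1", ICMPV6, 64, icmpv6(135, 0)),
    }
    for name, pkt in samples.items():
        print(f"{name:20s} -> {pf_verdict(pkt, ALLOW_NETS)}")
```

Note the two negative cases: Time Exceeded with code 1 (fragment reassembly timeout) is not in the 4.3.1 must-not-drop list and is therefore subject to the subnet rules, and a Neighbor Solicitation arriving with hop limit 64 cannot have come from the local link, so the link exception does not apply to it.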

comment:8 Changed 4 years ago by Antonio

For the sake of keeping track what's going on: a branch implementing several changes around this component can be found on github at https://github.com/ordex/openvpn/tree/ipv6pf

slypknot has been testing this feature with success, but he realized that the PF component per se might require more thinking.

Let's put this in the drawer until we all have more time to discuss this further.

comment:9 Changed 2 years ago by Antonio

Update: patches are on the mailing list and waiting peer review
