Opened 9 years ago
Closed 4 years ago
#636 closed TODO (General task list) (wontfix)
Add IPv6 Support to packet filter (please)
Reported by: | debbie10t | Owned by: | Antonio Quartulli |
---|---|---|---|
Priority: | major | Milestone: | release 2.6 |
Component: | IPv6 | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
Note: Using packet filter plugin from http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/
Adding IPv6 networks to a working OpenVPN IPv6(data) server client packet filter file:
```
[CLIENTS ACCEPT]
[SUBNETS DROP]
+10.234.56.0/24
+2001:db8:0:123::/64
[END]
```
Causes this error when reading the client packet filter file:
```
Mon Dec 7 20:56:18 2015 us=370154 client1/88.105.38.50:2000 PF: server/temp/openvpn_pf_624c22373430d537c902b6dc0c8ecc87.tmp/4: bad '/n' subnet specifier: must be between 0 and 32: '64'
Mon Dec 7 20:56:18 2015 us=370207 client/88.105.38.50:2000 PF: server/temp/openvpn_pf_624c22373430d537c902b6dc0c8ecc87.tmp rejected due to 1 error(s)
```
My extremely limited knowledge of C has brought me to this (pf.c - line 107):
```c
msg (D_PF_INFO, "PF: %s/%d: bad '/n' subnet specifier: must be between 0 and 32: '%s'", prefix, line_num, div);
```
Thanks
Change History (11)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
I realise this is not a trivial task as there is more to it than simply changing the boundaries of the mask (I did try but then openvpn rejects the IPv6 address as invalid). I added it here in order that it not be overlooked (hence the please).
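The two failures reported above (the fixed 0 to 32 bound, and the IPv6 address being rejected once that bound is widened) both come from validating a subnet entry without first deciding its address family. The following is an added example, not code from OpenVPN's pf.c or from the ipv6pf branch: a family-aware parser for one subnet specifier. The `pf_subnet` struct and `parse_subnet` function are hypothetical names, and it assumes the leading `+`/`-` of the rule has already been stripped and that an entry without `/n` means a single host.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type for this example; not a structure from pf.c. */
struct pf_subnet {
    int family;              /* AF_INET or AF_INET6 */
    int prefix_len;          /* 0..32 or 0..128, depending on family */
    unsigned char addr[16];  /* address bytes in network order */
};

/* Parse "addr" or "addr/n" (rule sign already stripped). 0 = ok, -1 = bad. */
int parse_subnet(const char *spec, struct pf_subnet *out)
{
    char buf[INET6_ADDRSTRLEN + 5], *slash, *end;
    int max_bits;
    long n;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL)
        *slash++ = '\0';

    /* Pick the family from the address itself, then the matching bound. */
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->family = AF_INET;
        max_bits = 32;
    } else if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        out->family = AF_INET6;
        max_bits = 128;
    } else {
        return -1;
    }
    out->prefix_len = max_bits;        /* assumption: no "/n" = single host */
    if (!slash)
        return 0;
    if (*slash < '0' || *slash > '9')  /* rejects "", "-1", "+64", " 64" */
        return -1;
    n = strtol(slash, &end, 10);
    if (*end != '\0' || n > max_bits)  /* bound depends on the family */
        return -1;
    out->prefix_len = (int)n;
    return 0;
}
```

With this shape, `+2001:db8:0:123::/64` is accepted while `10.234.56.0/64` is still rejected, so widening the bound for IPv6 does not loosen the IPv4 check.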
comment:3 Changed 8 years ago by
Hello, is anybody still working on this feature? If not, is there any interest in getting it implemented?
It looks interesting and I am willing to spend some time on it.
comment:4 Changed 8 years ago by
Milestone: | → release 2.5 |
---|
As far as I'm aware, nobody is working on it. Feature parity here (for 2.5) would be nice.
One of the main obstacles will be that review will be hard - nobody currently involved really understands these code parts very well. But that is really an opportunity to learn more ;-)
comment:5 Changed 8 years ago by
I've started digging into the pf code. It's a bit convoluted, but not too complex. I'll send some patches over the ml as soon as I come up with something reasonable (after 2.4 is released, of course).
comment:6 Changed 8 years ago by
Owner: | set to Antonio Quartulli |
---|---|
Status: | new → assigned |
comment:7 Changed 8 years ago by
Basic patch is working fine (and compiles on windows!!)
However, PF needs to whitelist some low-level IPv6 traffic by default, otherwise nothing would work, unless the user knows what to allow.
cron2 pointed me towards RFC4890 where I should find some guidelines about what should never be dropped by an IPv6 firewall.
comment:8 Changed 8 years ago by
For the sake of keeping track of what's going on: a branch implementing several changes around this component can be found on github at https://github.com/ordex/openvpn/tree/ipv6pf
slypknot has been testing this feature with success, but he realized that the PF component per se might require more thinking.
Let's put this in the drawer until we all have more time to discuss this further.
comment:10 Changed 4 years ago by
Milestone: | release 2.5 → release 2.6 |
---|
Whatever will happen to the packet filter, it won't happen to 2.5 -> bumping milestone.
Then revisit...
Also, #1312
comment:11 Changed 4 years ago by
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
Superseded by #1379
Changing that line is probably trivial, but I'm not sure we can actually apply filters to IPv6 today - it might work, given how the mroute stuff is totally magic inside, or not...
"Someone who understands the PF code needs to look into it"