YunoHost-Apps / vpnclient_ynh

VPN Client app for YunoHost
GNU Affero General Public License v3.0

Allow icmpv6 neighbor-solicitation #91

Closed bugness-chl closed 2 years ago

bugness-chl commented 2 years ago

Problem

On my statically-configured instance, the neighbor-solicitation packets to the gateway have a link local fe80:: source address and the global unicast address of the gateway as destination. This is blocked by current firewall configuration.

Solution

Allow neighbor-solicitation packets from fe80:: addresses.

PR Status

(only tested by launching ip6tables -w -I vpnclient_out 10 -s fe80::/10 -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT manually, I couldn't grasp the workings of yunohost/hooks.d/post_iptable_rules/90-vpnclient and yunohost/apps/vpnclient/conf/hook_post-iptable-rules before bedtime)

Automatic tests

!testme

Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B.: for this to work you need to be a member of the Yunohost-Apps organization)

alexAubin commented 2 years ago

LGTM, but can you elaborate what neighbor-solicitation is useful for, out of curiosity?

bugness-chl commented 2 years ago

Neighbor Solicitation is kinda similar to an ARP request in IPv4, although it is at level 3 (so subject to ip6tables). If my understanding is correct: the first NS (when the node has absolutely no data in cache) is sent to some ff02:: multicast address, but subsequent solicitations can be sent more directly using unicast.

Since yesterday, I added some log on my instance, with an ip6tables -I vpnclient_out 16 -j LOG --log-prefix debug-yunohost- and I caught some traffic towards ff02:: (with the unicast address of the node as source). It worked in the end (maybe because the VPN restarted and its firewall rules got cleaned just long enough for the resolution to work), but I would suggest to rework my patch and remove the source specification:

ip6tables -w -A vpnclient_out -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT

or even more laxist:

ip6tables -w -A vpnclient_out -p icmpv6 -j ACCEPT

but I let you decide.

What I gathered from my lectures is that IPv6 aimed to be cleaner and more "level-independent", so a lot of features have been upgraded from level 2 to level 3. Thus, in general, one should be very wary about filtering ICMPv6 :)
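As an added illustration (not code from this PR or from vpnclient_ynh), the script below generates the middle ground between the two rules proposed above: it admits the four Neighbor Discovery message types (router/neighbor solicitation and advertisement) plus the ICMPv6 error and echo types a host relies on, rather than every ICMPv6 type. Only the chain name vpnclient_out and the -w flag come from this thread; the hop-limit 255 match (RFC 4861 requires NDP messages to carry hop limit 255, so the match rejects NDP that has been forwarded from off-link), the extra ICMPv6 types, and the CHAIN, IP6TABLES and DRY_RUN variables are assumptions of this example. By default it only prints the rules; set DRY_RUN=0 to run them.

```shell
#!/bin/sh
# Added example, not part of vpnclient_ynh: emit (or apply) ip6tables rules
# that allow only the ICMPv6 types a host needs, instead of all of ICMPv6.
# CHAIN defaults to the chain named in the PR; IP6TABLES and DRY_RUN are
# this script's own assumptions.

CHAIN="${CHAIN:-vpnclient_out}"
IP6TABLES="${IP6TABLES:-ip6tables -w}"

# Print one rule per line. NDP messages (RFC 4861) are link-scoped and are
# always sent with hop limit 255, so "-m hl --hl-eq 255" drops any NDP that
# crossed a router. Error and echo types carry no such guarantee, so they
# are matched on type only.
ndp_rules() {
    for type in router-solicitation router-advertisement \
                neighbor-solicitation neighbor-advertisement; do
        printf '%s -A %s -p icmpv6 --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' \
            "$IP6TABLES" "$CHAIN" "$type"
    done
    # Types that Path MTU discovery and basic reachability checks depend on.
    for type in destination-unreachable packet-too-big time-exceeded \
                parameter-problem echo-request echo-reply; do
        printf '%s -A %s -p icmpv6 --icmpv6-type %s -j ACCEPT\n' \
            "$IP6TABLES" "$CHAIN" "$type"
    done
}

# Number of rules ndp_rules emits (4 NDP types + 6 error/echo types = 10).
ndp_rule_count() {
    ndp_rules | wc -l | tr -d ' '
}

# DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 executes each one.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        ndp_rules
    else
        ndp_rules | while IFS= read -r rule; do
            sh -c "$rule"
        done
    fi
}

apply_rules
```

Running the script as-is prints ten rules for the vpnclient_out chain; a practitioner would review that output, then rerun with DRY_RUN=0 as root to append them. The rules use -A, so they land at the end of the chain: if the chain already ends in a REJECT or DROP rule, use -I with an explicit position (as the PR's own test command does) so they are evaluated before it.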

zamentur commented 2 years ago

Thanks for your contribution :)