arno-iptables-firewall / aif

GNU General Public License v2.0

Add EXT_IF_DHCPV6_IPV6 variable #34

Closed abelbeck closed 7 years ago

abelbeck commented 7 years ago

My business internet connection finally got native IPv6 using DHCPv6-PD and ran across an AIF configuration issue.

In my case, IPv4 is statically assigned, so EXT_IF_DHCP_IP=0.

But, in order to receive the return "dhcp6 advertise" in response to my "dhcp6 solicit", AIF needs to allow -p udp --sport 547 --dport 546.

Currently the code is:

  # Here we add support for DHCP assigned IP
  ##########################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling support for DHCP-assigned-IP (DHCP client)"
    # Allow this host to be an DHCP client:
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Allow this host to be an DHCPv6 client:
      ip6tables -A EXT_INPUT_CHAIN -p udp --sport 547 --dport 546 -j ACCEPT
    fi
  fi

It is not ideal to set EXT_IF_DHCP_IP=1 in this case.

I propose we add a EXT_IF_DHCPV6_IPV6 variable, as such:

  # Here we add support for DHCP assigned IP
  ##########################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling support for DHCP-assigned-IP (DHCP client)"
    # Allow this host to be an DHCP client:
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Allow this host to be an DHCPv6 client:
      ip6tables -A EXT_INPUT_CHAIN -p udp --sport 547 --dport 546 -j ACCEPT
    fi
+  elif [ "$EXT_IF_DHCPV6_IPV6" = "1" ]; then
+    if [ "$IPV6_SUPPORT" = "1" ]; then
+      # Allow this host to be an DHCPv6 client via Link-Local:
+      ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
+    fi
  fi

While it would be a change, do we want to also limit the EXT_IF_DHCP_IP=1 DHCPv6 client to Link-Local only as well? If so we could combine them in one test.

Thoughts @arnova?

abelbeck commented 7 years ago

Studying this more, I propose this code from the original:

  # Here we add support for DHCP assigned IP
  ##########################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling support for DHCP-assigned-IP (DHCP client)"
    # Allow this host to be an DHCP client:
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
  fi
  if [ "$EXT_IF_DHCP_IP" = "1" -o "$EXT_IF_DHCPV6_IPV6" = "1" ]; then
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Allow this host to be an DHCPv6 client:
      ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
    fi
  fi

Restricting DHCPv6 to Link-Local is a good change, and this adds support for EXT_IF_DHCP_IP=0 and EXT_IF_DHCPV6_IPV6=1 for the Static IPv4 with DHCPv6 case.

If no objections, I'll put together a commit.
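The rule logic proposed above, written as an added example (not AIF's own code) in the form of a dry-run function: the `ip4tables`/`ip6tables` wrappers are replaced here by `echo` so the decision table for EXT_IF_DHCP_IP, EXT_IF_DHCPV6_IPV6 and IPV6_SUPPORT can be exercised on any machine without touching a live firewall. The function name and the counting helper are hypothetical; the rules themselves are the ones from the proposal.

```shell
#!/bin/sh
# Added example, not part of arno-iptables-firewall. Shows the proposed
# DHCP/DHCPv6 client rule block as a function that prints the rules it
# would apply for a given configuration (dry run).

# Constructed stand-ins for AIF's ip4tables/ip6tables wrappers: print only.
ip4tables() { echo "ip4tables $*"; }
ip6tables() { echo "ip6tables $*"; }

# dhcp_client_rules EXT_IF_DHCP_IP EXT_IF_DHCPV6_IPV6 IPV6_SUPPORT
# Prints one line per rule the proposed block would add.
dhcp_client_rules() {
  EXT_IF_DHCP_IP="$1"; EXT_IF_DHCPV6_IPV6="$2"; IPV6_SUPPORT="$3"

  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    # DHCPv4 client: accept server replies (server port 67 -> client port 68)
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
  fi

  # EXT_IF_DHCP_IP=1 keeps carrying over to IPv6 (existing behaviour);
  # EXT_IF_DHCPV6_IPV6=1 covers the static-IPv4-with-DHCPv6 case.
  if [ "$EXT_IF_DHCP_IP" = "1" ] || [ "$EXT_IF_DHCPV6_IPV6" = "1" ]; then
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # DHCPv6 servers and relays answer a client on-link from a link-local
      # address, so limiting the accept rule to fe80::/10 keeps packets with a
      # global source from matching it.
      ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
    fi
  fi
}

# count_rules EXT_IF_DHCP_IP EXT_IF_DHCPV6_IPV6 IPV6_SUPPORT
# Number of rules generated for that configuration (helper for checking).
count_rules() {
  dhcp_client_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Usage: static IPv4, DHCPv6-PD, IPv6 enabled -> only the link-local v6 rule
# dhcp_client_rules 0 1 1
```

Running `dhcp_client_rules 0 1 1` prints just the ip6tables rule with `-s fe80::/10`, while `dhcp_client_rules 1 0 1` prints both the v4 and the v6 rule, which is the compatibility behaviour the thread wants to keep.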

arnova commented 7 years ago

Yeah looks good as proposed :)

arnova commented 7 years ago

One thing: Why still check for EXT_IF_DHCP_IP? Why not label that IPv4 only?

abelbeck commented 7 years ago

> One thing: Why still check for EXT_IF_DHCP_IP? Why not label that IPv4 only?

I think we discussed this many years ago, and decided for EXT_IF_DHCP_IP=1 to automatically carry over to IPv6 if IPV6_SUPPORT=1.

So to not break any existing configs we let EXT_IF_DHCP_IP continue to be an IPv4/IPv6 setting.

Possibly making EXT_IF_DHCP_IP IPv4-only and introducing EXT_IF_DHCPV6_IPV6 years ago would have been a better choice with hindsight, but it is what it is. Tightening up the DHCPv6 rule to Link-Local is a good thing.

PS: I have this change running on my AstLinux edge router as I type this :-)

arnova commented 7 years ago

I must be getting old since I'm starting to forget stuff. Yeah, makes sense.