Closed lantis1008 closed 4 years ago
Commentary from @obsy , @pbix and @ispyisail certainly most welcome and encouraged. As well anyone else who would like to chime in.
Wow, very huge changes :)
I guess we wait a bit for Eric to comment?
plugin-gargoyle-openvpn: Not done (low priority, not sure of the benefits here)
What does this mean? OpenVPN IPv4 will still work?
OpenVPN is the main feature I use most days.
I don't know if he has seen it yet and is digesting it, or hasn't come across it. I'll send him an email in a few days time if nothing before then.
Yes it will still work over IPv4, I just won't (at least initially) put any effort into pushing IPv6 over the tunnel. Partly because I don't think it is overly necessary, and mostly because I don't fully understand how it works yet.
How about QOSMON? It currently uses an IPv4 ping target.
QOSMON will get an upgrade, but so far I have left the ping target logic as is. I'll add it to the list so I don't forget, thanks!
Off the top of my head, that one should be straightforward.
Very powerful
I've heard from Eric and he is happy to defer to my judgement call on this one. Does anyone have any strong objections to me merging this into Master? Does anyone have any "show stoppers" that should be resolved first?
This will allow us to get test versions in more people's hands and hopefully uncover bugs that I have not thought of.
@obsy @ispyisail @pbix
Do it.
I support testing, merge quickly
Work In Progress I've opened this PR so that it can start receiving reviews and feedback early. _More work will be pushed to this periodically, and I will let you know when I think it is ready for merge._ Particularly @ericpaulbishop I'd appreciate a thorough review of the netfilter-match-modules. I'm pretty good at writing inefficient code, dereferencing NULL pointers, and other generally awful memory faux pas.
This PR adds IPv6 support to Gargoyle. I've been running this as my main internet gateway for about 3 months now in various stages of completion. Besides when I've been working on it, it has been very stable.
Notable Changes:
- `timerange` has been enabled for all xtables. All other modules enabled for iptables and ip6tables only.
- `union ipany` which can store either an ipv4 or ipv6 to save space. Generally this means that an accompanying `int family` travels with the data to keep track of what we are dealing with.
- `string_map` instead of `long_map` to allow storage of IPv6 addresses without major modification to `tree_map.h`. 128 bit math is not easily supported so I did not go there. If this needs to be rethought for speed/efficiency, please let me know. Note that I did test sdbm collision with both ipv4 and ipv6 subnets occupying the same space and found no collisions in a basic home network setup, and did not encounter any in a larger test (not conclusive, ran out of RAM during computation lol)
- `ref_count` not being incremented, this would lead to a kernel panic once this rule was cleaned up. This behaviour has been changed so that now largely similar rules are rejected, unless one rule is ipv4 and one is ipv6. If the rule is rejected, the iptables entry is also never created. This means that a single ID can have both IPv4 and IPv6 addresses stored in its `string_map`. This saves complexity and memory in creating additional IDs, and also means that quotas can service both IPv4 and IPv6 devices at the same time (combined quotas anyone?)
- `family` which is `2` for IPv4 and `10` for IPv6 (`AF_INET`/`NFPROTO_IPV4` and `AF_INET6`/`NFPROTO_IPV6` respectively). This means that bw data from earlier versions of Gargoyle are incompatible, I have not written a conversion module to handle this missing data. This would be relatively trivial (assume any data with no family is IPv4), but I don't think it is needed. Please let me know if you think otherwise.
- `family` with same values as above.
- `family` which is either `IPv4` or `IPv6` in the GUI for filtering purposes
- `src` or `dst` style rules are being written, the IP Family must be specifically set (it can't be both). Matches for just ports or protocols can be Family non-specific.

TODO:
- `2001:db8::` differently to `2001:db8:0000::` etc.
- `current_lan_ip6` and `current_wan_ip6` need to be fixed so they can fetch from UCI as well as just the interface. Tricky part is that these interfaces can have > 1 IP listed in UCI, so we need to bring them in as a list rather than static options. No big deal, just haven't done it yet.

Pictures: Status -> Overview, Status -> Bandwidth Usage, Connection -> Basic, Connection -> DHCP, Firewall -> QoS, Firewall -> Quotas, Firewall -> Restrictions