sshambar / nmutils

Network Manager Utility Scripts
GNU General Public License v3.0

By the way, I grafted this patch onto dhcp-4.2.5 (well it just patched fine...) and we can.... #4

Open rshutt opened 5 years ago

rshutt commented 5 years ago

By the way, I grafted this patch onto dhcp-4.2.5 (well it just patched fine...) and I can request a prefix length now with a pd hint

PD Pref Patch Page The Patch

Oh and the specfile diff is below as well.

It just rpmbuild -bb's clean and then we have to edit the args to dhclient.

Finally, we add -Pl 60 to the WAN_DHCLIENT_OPTIONS in the wan def.

Jul 14 17:54:08 router.[REDACTED] ipv6-prefix-dhc[1220]: DBG: nmg_daemon: dhclient -P -nw -sf /usr/local/sbin/dhclient-ipv6-prefix -pf /run/nmutils/dhclient-ipv6-prefix-enp1s0.pid -lf /var/lib/dhclient/ipv6-prefix-enp1s0.leases -Pl 60 enp1s0
Jul 14 17:54:08 router.[REDACTED] ipv6-prefix-dhc[1223]: DBG: echo 1222 > /sys/fs/cgroup/systemd/system.slice/NetworkManager.service/tasks
Jul 14 17:54:08 router.[REDACTED] ipv6-prefix-dhc[1233]: DBG: interface: enp1s0 reason: PREINIT6
Jul 14 17:54:08 router.[REDACTED] ipv6-prefix-dhc[1234]: DBG: old:  new:  life:
Jul 14 17:54:09 router.[REDACTED] dhclient[1235]: XMT: Rebind on enp1s0, interval 970ms.
Jul 14 17:54:09 router.[REDACTED] dhclient[1235]: RCV: Reply message on enp1s0 from fe80::[REDACTED]:b046.
Jul 14 17:54:09 router.[REDACTED] ipv6-prefix-dhc[1244]: DBG: interface: enp1s0 reason: REBIND6
Jul 14 17:54:09 router.[REDACTED] ipv6-prefix-dhc[1245]: DBG: old: 2601:[REDACTED]:a160::/60 new: 2601:[REDACTED]:a160::/60 life: 3167
Jul 14 17:54:09 router.[REDACTED] ipv6-prefix-dhc[1266]: DBG: echo 2601:[REDACTED]:7255/64 > /run/nmutils/ipv6-prefix-enp1s0.state
*** dhcp.spec.orig  2019-07-14 16:55:06.029872196 -0400
--- dhcp.spec   2019-07-14 17:10:46.994198263 -0400
***************
*** 18,24 ****
  Summary:  Dynamic host configuration protocol software
  Name:     dhcp
  Version:  4.2.5
! Release:  68%{?dist}.1
  # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
  # dcantrell maintaining the package) made incorrect use of the epoch and
  # that's why it is at 12 now.  It should have never been used, but it was.
--- 18,24 ----
  Summary:  Dynamic host configuration protocol software
  Name:     dhcp
  Version:  4.2.5
! Release:  68%{?dist}.2wanted_plen
  # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
  # dcantrell maintaining the package) made incorrect use of the epoch and
  # that's why it is at 12 now.  It should have never been used, but it was.
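Review bot: the bumped Release `68%{?dist}.2wanted_plen` still sorts below any future `69%{?dist}` the distro ships, so a routine `yum update` will replace this build with an unpatched dhcp and silently drop the prefix-length hint again; since the comment right below says the Epoch must never be changed, pin the package instead (`exclude=dhcp*` in the repo config, or `yum versionlock`) and note that next to the Release line so the next person to rebuild knows why it is pinned.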
***************
*** 109,114 ****
--- 109,115 ----
  # CVE-2018-5733
  Patch70:  dhcp-4.2.5-reference_count_overflow.patch
  Patch71:  dhcp-4.2.5-centos-branding.patch
+ Patch72:  dhcp-ia_pd-wanted_plen.patch

  BuildRequires: autoconf
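Review bot: `Patch72: dhcp-ia_pd-wanted_plen.patch` is added with no comment on its origin, unlike Patch70 which carries its `# CVE-2018-5733` reference; add a comment line above it giving the page or bug the patch was taken from and the dhcp version it was written against, so the next rebase can tell whether it is still needed (the thread notes dhcp 4.4.0+ has the option built in).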
***************
*** 439,444 ****
--- 440,447 ----
  %patch70 -p1 -b .reference_overflow
  %patch71 -p1

+ %patch72 -p0 -F2
+ 
  # Update paths in all man pages
  for page in client/dhclient.conf.5 client/dhclient.leases.5 \
              client/dhclient-script.8 client/dhclient.8 ; do
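Review bot: `%patch72 -p0 -F2` applies the patch with fuzz factor 2, so a hunk is accepted even when two of its context lines do not match, which is exactly how a patch written for a different dhcp release lands in the wrong place without any build error; regenerate the patch against the 4.2.5 tree so it applies at the default fuzz and drop `-F2`, and while doing so match the style of the surrounding lines (`-p1` paths and a backup suffix, as in `%patch70 -p1 -b .reference_overflow`) so the build log shows which files the patch touched.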
sshambar commented 5 years ago

Coincidentally, I actually expanded that patch back in 2014 for https://bugzilla.redhat.com/show_bug.cgi?id=876791 (Patch #2) to include specifying the prefix length option as a dhclient config option (so you don't even need to change the parameters :).

Of course, you can also now just use dhcp 4.4.0+ and it has a built-in option now...

rshutt commented 5 years ago

Yeah well for all of us old heads who don't want to run the latest and greatest rawhide on our firewall/router thing, I figured it's just easiest to leave centos 7 on the box and patch the dhcp jawn that ships with RHEL/Cent.

Yeah, I read your post and saw it went back forever, to back when I still worked for RHT, but that was before HE and other 6in4 providers decided to shut down IP proto 41.

rshutt-va commented 1 year ago

Question - sorry to drag up this old issue :)

Not sure if you remember, it's been a couple of years :)

Does this in any way support OPTION_PD_EXCLUDE and picking a network from the IA_PD as per RFC6603? FIOS... Sigh.

rshutt commented 1 year ago

It is working now! I just had to add the WAN back to the WAN_LAN_INTFS. Below, enp1s0 is WAN facing, and enp2s0 is my native untagged interface. Not adding the other VLANs right now on account of being lazy, but :). With WAN_SITE=0 the first /64 in the range is used. I should probably make it WAN_SITE=(2^(64-56)-1) to simulate the other implementations that do this using PD_EXCLUDE? This method of putting it together with sticks and glue remains an "RFC aberration" to me.

I'll tell you what makes this so fragile. Your average nerd is going to want to avoid understanding this stuff at even a 10,000ft level. Not so many folks want to dig deep down into the annals of DHCPv6 to understand what this is all about. Therefore every time any part of this IPv6 router based on RHEL/Cent/Rocky goes a bit cattywampus due to an ISP change or an impromptu software compatibility situation, it's a bit of a weekender to piece it all back together such that one can solve it. I remember the first time I spoke briefly with you, when people had to hand-patch this into an SRPM and maintain one-off patched binaries to support ia_pd.

Unrelatedly, these delegations' renew/rebind times are excessively short at 7200 seconds max-life and 3600 seconds renew. This will get ugly if the prefix changes with anything resembling this frequency.

$ cat ipv6-prefix-enp1s0.conf
WAN_DHCLIENT_OPTIONS="--prefix-len-hint 56"
WAN_LAN_INTFS="enp1s0 enp2s0"
WAN_PREFIX_LEN="128"
WAN_SITE="0"

    link/ether [redacted] brd ff:ff:ff:ff:ff:ff
    inet [redacted]/24 brd [redacted] scope global dynamic noprefixroute enp1s0
       valid_lft 7139sec preferred_lft 7139sec
    inet6 [reda::cted]/128 scope global dynamic   # <-- This is a subnet, lying in the 1st /128 of the 1st /64
                                                  #     of the block offered in the ia_na-less ia_pd response.
                                                  #     This strange routing is, of course, the casus belli
                                                  #     for the RFC6603 PD_EXCLUDE option.
       valid_lft 7158sec preferred_lft 7158sec
    inet6 [reda::cted]/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
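The arithmetic behind the WAN_SITE discussion above (which /64 of the delegation a site index selects, why 2^(64-56)-1 is the last /64 of a /56, and how the WAN /128 ends up inside the first /64) as an added worked example. This is not nmutils code and does not reproduce the project's actual selection logic; it assumes three inputs only: the delegated prefix as dhclient reports it, a 0-based WAN_SITE index, and the WAN_PREFIX_LEN mask. The delegations used below are constructed documentation prefixes shaped like the redacted ones in the thread.

```python
"""Carve per-site /64s out of an IA_PD delegation and derive the WAN address.

Added example, not part of nmutils. Assumption: WAN_SITE is a 0-based index
into the /64s of the delegated prefix and WAN_PREFIX_LEN is the mask put on
the WAN-side address; the real scripts may compute this differently.
"""
import ipaddress

SITE_PLEN = 64  # one /64 per LAN segment; SLAAC needs exactly 64 host bits


def site_prefix(delegated: str, site: int, plen: int = SITE_PLEN) -> ipaddress.IPv6Network:
    """Return the `site`-th /plen subnet (0-based) of the delegated prefix.

    Out-of-range sites raise instead of wrapping, so a WAN_SITE copied from a
    /56 config onto a /60 delegation fails loudly rather than addressing a
    /64 the ISP never delegated.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if plen < net.prefixlen:
        raise ValueError(f"cannot carve /{plen} subnets out of a /{net.prefixlen}")
    count = 1 << (plen - net.prefixlen)
    if not 0 <= site < count:
        raise ValueError(f"site {site} out of range: a /{net.prefixlen} holds {count} /{plen}s")
    # Each /plen is 2^(128-plen) addresses wide; step that many from the base.
    base = int(net.network_address) + site * (1 << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def last_site_index(delegated_plen: int, plen: int = SITE_PLEN) -> int:
    """The 2^(64-56)-1 from the thread, generalised to any delegation length."""
    if plen < delegated_plen:
        raise ValueError("delegation is narrower than the site prefix length")
    return (1 << (plen - delegated_plen)) - 1


def wan_address(delegated: str, site: int, host_plen: int = 128) -> ipaddress.IPv6Interface:
    """First address of the chosen /64 with WAN_PREFIX_LEN applied.

    With site=0 and host_plen=128 this is the '/128 in the 1st /64' that
    the `ip addr` output above shows.
    """
    sub = site_prefix(delegated, site)
    return ipaddress.IPv6Interface((int(sub.network_address), host_plen))


def lan_prefixes(delegated: str, wan_site: int) -> list:
    """Every /64 left for LAN segments once the WAN site is reserved."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    return [sub for i, sub in enumerate(net.subnets(new_prefix=SITE_PLEN)) if i != wan_site]


if __name__ == "__main__":
    # Constructed delegations: a /56 (the FIOS-style hint) and a /60 like the log.
    for delegated in ("2001:db8:1:a100::/56", "2001:db8:1:a160::/60"):
        plen = ipaddress.IPv6Network(delegated).prefixlen
        last = last_site_index(plen)
        print(delegated)
        print("  WAN_SITE=0      ->", site_prefix(delegated, 0), "wan addr", wan_address(delegated, 0))
        print(f"  WAN_SITE={last:<5}  ->", site_prefix(delegated, last))
        print("  LAN /64s left   ->", len(lan_prefixes(delegated, last)))
```

Choosing the last index rather than 0 for the WAN side keeps the low-numbered /64s contiguous for LAN use, which is the effect the thread attributes to implementations that rely on PD_EXCLUDE; the `site_prefix` range check is the part worth keeping in any script, since a site index that silently overflows the delegation hands out addresses the upstream will not route.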