Ipv6rebased #309
Ipv6rebased #309
Conversation
INET_ADDRSTRLEN is portable and allow to be robust against special crafted adress signed-off: Bastien Roucariès <[email protected]>
getaddrinfo is the correct API for resolving IP and checking correctness Use it, instead of manual parsing
Less code and less copy/paste thus less errors
Introduce IPV6 constant and IPV46 constant for adress length
The remote code seems to be independent from the fwknop project though. Until it will be capable to return IPv6 addresses, in itself this will remain irrelevant for the purpose of adding IPv6 support to fwknop. On another hand, it does help us introduce definitions and update headers to actually support IPv6.
It is now called is_valid_ip_addr() and expects an additional parameter for the address family.
This greatly loosens the check for a valid IPv4/IPv6 there - but it is redundant anyway, since there is always a call to is_valid_ip_addr().
This alone should allow interacting with IPv4 firewalling rules over IPv6, for these two protocols.
This will allow porting the raw ICMP code to IPv6.
I believe it should be more portable this way, since AF_INET is required to be present in <sys/socket.h> in POSIX.
This should help with portability for the protocol family eventually.
There was a problem hiding this comment.
I have no maintainer role in fwknop, but I reviewed and tested this PR.
It mostly work:
- when I launch
fwknopd -6 -Uthenss -tulpnshows fwknopd listens onudp *:62201, the chainsFWKNOP_INPUTare added in iptables and ip6tables, the jump from INPUT to FWKNOP_INPUT is added in iptables but not in ip6tables (functional issue 1) (maybe the rules in fwknopd.conf should be duplicated: e.g. IPT6_INPUT_ACCESS may be different than IPT_INPUT_ACCESS) - when submit a knock with an IPv6 address it is correctly authorised in ip6tables,
- but when I submit an IPv4 the logs say "Added access rule to FWKNOP_INPUT for x.x.x.x -> ::/0 tcp/22, expires at 1705057386" but there is no authorisation for this IPv4 in iptables (functional issue 2)
I backported this PR to 2.6.10 and integrated it in Debian package, but there were almost no merge conflict, so I don’t think it is an issue in my process.
Also, there should be an entry in the changelog.
Also, I wonder if the default behaviour should not be with IPv4+IPv6 even without the -6 flag (and perhaps -4 (resp. -6) to restrict to IPv4 (resp. IPv6)). In this case it should be highlighted in the changelog to warn the sysadmins.
| if (*ndx == '.') | ||
| total_size--; | ||
|
|
There was a problem hiding this comment.
I aggree it is useless to modify the variable total_size here, but it seems to be to allow the final dot without counting it in the last label (63 characters without counting the delimiting dots). I guess the original intent was label_size--;.
| log_msg(LOG_VERBOSITY_ERROR, | ||
| "[-] Could not resolve IP via: '%s%s'", extraerror1, extraerror2); | ||
| return(-1); | ||
| } |
There was a problem hiding this comment.
Very minor issue: wrong indentation from here to the end of the function.
Also, to stay aligned with the global style, it is 4 spaces and not 2 for this whole function.
| @@ -1381,6 +1394,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv) | |||
| case 'i': | |||
| set_config_entry(opts, CONF_PCAP_INTF, optarg); | |||
| break; | |||
| case '6': | |||
| opts->family = AF_INET6; | |||
There was a problem hiding this comment.
With that, fwknopd -6 authorises only IPv6. There should be a mode where both IPv4 and IPv6 are handled.
| { | ||
| if(ip_list->family == AF_UNSPEC) | ||
| return 1; | ||
| if(ip_list->family != AF_INET6) |
| { | ||
| int exists = 0; | ||
|
|
||
| if(have_ipt_chk_support == 1) | ||
| exists = jump_rule_exists_chk_support(opts, chain_num); | ||
| exists = jump_rule_exists_chk_support(opts, chain_num, ipv6); | ||
| else | ||
| exists = jump_rule_exists_no_chk_support(opts, chain_num); |
There was a problem hiding this comment.
The argument ipv6 is missing here, as well as the function definition a few lines above.
There was a problem hiding this comment.
Adding the parameter ipv6 here + the ternary condition for fw_command6 in jump_rule_exists_no_chk_support solves my functional issue 1.
For some reason (I activated debug), I have "ipt_chk_support() -C not supported" for ipv4 and ipv6, although "iptables -C" does work but display the rule on stderr, perhaps it is interpreted as "does not work" by fwknop.
| /* XXX set adequately per SPA message */ | ||
| int ipv6 = (opts->family == AF_INET6) ? 1 : 0; | ||
|
|
There was a problem hiding this comment.
Something like
int ipv6 = 0;
if(is_valid_ip_addr(spadat->use_src_ip, strlen(spadat->use_src_ip), AF_INET6))
{
ipv6 = 1;
}works to distinguish IPv4 and IPv6 in the SPA message.
It was already checked in incoming_spa than the IP is valid with is_valid_ip_addr(…, AF_UNSPEC) so there is no security issue not to do the same check for IPv4.
With this change, both IPv4 and IPv6 are handled by fwknopd (which solves my functional issue 2).
|
The important changes are available here if you want to add them in this branch. With that, I was be able to make fwknop work both in IPv4 and IPv6 with two knock messages (1 per IP family); a further step will be to send the two IPs in a single message. |
|
@Seb35 thanks! |
Old ipv6 rebased over simplify address and upstream.
For reference