Dear all,

as a "learning exercise" I started working on #636 over the weekend in an
attempt to dig deeper into the openvpn codebase.

As of now I managed to make the v6 filtering work.
Most of the changes are in pf.c (but also mroute.c and other files required
their small dose of tweaking).

Now that v6 PF is working as expected, I stumbled over a more "conceptual"
problem. Here it is:

in IPv4 we have ARP that takes care of providing the underlying
information to make IP work.

In IPv6, ARP (and other basic functionalities) has been substituted by a set of
multicast protocols, operating on IPv6 itself.

This means that, if we keep PF unaware of these protocols, the user is supposed
to whitelist all those IPv6 subnets that are needed to make NDP and other
protocols work.

I haven't spent time digging into NDP yet, but an easy way to make everything
work is to always allow "ff00::/8". This way NDP and other protocols will work
just fine and then other rules can be used to accept/drop other traffic.

What should the default behaviour of PF be, in your opinion?

IMHO, it should allow basic functionalities like NDP by default, but should not
permit any other multicast traffic, unless explicitly allowed by the user.

If you guys also think this is the way to go, does anybody know how to
translate this "make NDP work" into a whitelist rule? "+ff00::/8" is too broad.


Cheers,

-- 
Antonio Quartulli

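As an added illustration (not code from OpenVPN's pf.c or from the author of the mail), here is what a narrower "make NDP work" default could look like in C: instead of accepting all of ff00::/8, only the multicast groups that Neighbor Discovery (RFC 4861) sends to are accepted by default, namely all-nodes ff02::1, all-routers ff02::2 and the solicited-node range ff02::1:ff00:0/104; every other multicast destination is left to the user's explicit rules. The function names are hypothetical.

```c
/* Added illustration, not OpenVPN's pf.c: a narrow IPv6 default that lets
 * Neighbor Discovery multicast through without whitelisting all of ff00::/8. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>

/* Solicited-node multicast, ff02::1:ff00:0/104: the first 104 bits
 * (13 bytes) are fixed, the last 24 bits come from the target address. */
static bool is_solicited_node(const struct in6_addr *dst)
{
    static const unsigned char prefix[13] =
        {0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0xff};
    return memcmp(dst->s6_addr, prefix, sizeof prefix) == 0;
}

/* Default NDP allowance (hypothetical name). Returns true only for the
 * multicast groups Neighbor Discovery needs; any other destination,
 * multicast or not, returns false and is decided by explicit rules. */
bool pf_v6_ndp_default_allow(const struct in6_addr *dst)
{
    static const unsigned char all_nodes[16] =
        {0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    static const unsigned char all_routers[16] =
        {0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2};

    if (dst->s6_addr[0] != 0xff)          /* not multicast at all */
        return false;
    if (memcmp(dst->s6_addr, all_nodes, 16) == 0)   /* RA, NA to all nodes */
        return true;
    if (memcmp(dst->s6_addr, all_routers, 16) == 0) /* Router Solicitation */
        return true;
    return is_solicited_node(dst);        /* Neighbor Solicitation */
}

/* Textual wrapper for rule testing: 1 = allowed by default, 0 = left to
 * user rules, -1 = not a valid IPv6 address. */
int pf_v6_ndp_default_allow_str(const char *text)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return -1;
    return pf_v6_ndp_default_allow(&a) ? 1 : 0;
}
```

MLD reports (ff02::16), which hosts use to join the solicited-node groups on a real link, are deliberately not covered by this default and would need their own rule if the link requires them.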
