Dear all, by following the suggestion received from cron2 on IRC, I decided to whitelist all those ICMPv6 packet sub-types that are strictly required to let an IPv6 host join a network.
Such packets are described in RFC4890[0], sec. 4.4.1 (thanks cron2 for the pointer!), in the "Address Configuration and Router Selection messages" list. PF by default will always allow ICMPv6 packets having one of those packet types.

** TESTERS WANTED **

A working implementation of this change can be found on github at [1]. This branch is based on the current master (+ a style change) and is ready for testing.

So far I managed to test this feature only on Linux, but it would be nice if anybody with a Windows server might test it as well. (I could only compile for Windows, but nothing more.)

The syntax of the PF v6 subnets is just "as expected". You can mix IPv6 subnets in the same block as IPv4 ones, like:

[SUBNETS DROP]
+10.0.0.0/24
+2001:ffff:aaaa::/48

Now you can also list a host without writing the netmask, i.e.:

[SUBNETS ACCEPT]
-8.8.8.8
-2001:dead:cafe::12

PF will assume that /32 or /128 is the wanted netmask.

Any feedback is welcome!

Cheers,

[0] https://www.ietf.org/rfc/rfc4890.txt
[1] https://github.com/ordex/openvpn/tree/ipv6pf

On Sun, Dec 04, 2016 at 12:51:43PM +0800, Antonio Quartulli wrote:
> Dear all,
>
> as a "learning exercise" I started working on #636 over the weekend in the
> attempt of digging deeper into the openvpn codebase.
>
> As of now I managed to make the v6 filtering work.
> Most of the changes are in pf.c (but also mroute.c and other files required
> their small dose of tweaking).
>
> Now that v6 PF is working as expected, I stepped over a more "conceptual"
> problem. Here it is:
>
> in IPv4 we have ARP that takes care of providing the underlying
> information to make IP work.
>
> In IPv6, ARP (and other basic functionalities) has been substituted by a set
> of multicast protocols, operating on IPv6 itself.
>
> This means that, if we keep PF unaware of these protocols, the user is
> supposed to whitelist all those IPv6 subnets that are needed to make NDP and
> other protocols work.
>
> I haven't spent time digging into NDP yet, but an easy way to make everything
> work is to always allow "ff00::/8". This way NDP and other protocols will work
> just fine and then other rules can be used to accept/drop other traffic.
>
> What should the default behaviour of PF be, in your opinion?
>
> IMHO, it should allow basic functionalities like NDP by default, but should
> not permit any other multicast traffic, unless explicitly allowed by the user.
>
> If you guys also think this is the way to go, does anybody know how to
> translate this "make NDP work" into a whitelist rule? "+ff00::/8" is too
> broad.
>
>
> Cheers,
>
> --
> Antonio Quartulli
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

-- 
Antonio Quartulli
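A small Python model of the PF semantics described in the mail above, added here as an illustration and not code from OpenVPN's pf.c or the ipv6pf branch: it parses a [SUBNETS ...] block with mixed v4/v6 entries, gives a bare host the /32 or /128 prefix, and lets the RFC 4890 sec. 4.4.1 "Address Configuration and Router Selection" ICMPv6 types through regardless of the subnet rules. The type numbers are taken from RFC 4890; the hop-limit check is my own addition, based on that section's requirement that these messages arrive with hop limit 255.

```python
# Illustrative model of the proposed PF behaviour; not OpenVPN's pf.c.
import ipaddress

# "Address Configuration and Router Selection messages", RFC 4890 sec. 4.4.1:
# RS 133, RA 134, NS 135, NA 136, Inverse ND Solicitation 141 / Advertisement 142
ND_ICMPV6_TYPES = frozenset({133, 134, 135, 136, 141, 142})


def parse_subnet_rules(text):
    """Parse a [SUBNETS ACCEPT|DROP] block.

    Returns (default_action, [(network, action), ...]); '+' lines accept,
    '-' lines drop, and a bare host becomes a /32 or /128 network.
    """
    default = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[SUBNETS ") and line.endswith("]"):
            default = line[len("[SUBNETS "):-1].strip().upper()
            if default not in ("ACCEPT", "DROP"):
                raise ValueError("unknown default action: " + default)
            continue
        if line[0] not in "+-":
            raise ValueError("rule must start with + or -: " + line)
        action = "ACCEPT" if line[0] == "+" else "DROP"
        # ip_network() gives a bare address the /32 or /128 prefix the mail describes
        rules.append((ipaddress.ip_network(line[1:].strip(), strict=False), action))
    if default is None:
        raise ValueError("missing [SUBNETS ACCEPT|DROP] header")
    return default, rules


def subnet_verdict(default, rules, dst):
    """First matching rule wins; v4 rules never match v6 addresses and vice versa."""
    addr = ipaddress.ip_address(dst)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return default


def pf_allows(default, rules, dst, icmpv6_type=None, hop_limit=None):
    """True if PF lets the packet through under the proposed default behaviour."""
    if icmpv6_type in ND_ICMPV6_TYPES:
        # Always allowed so ND works without a +ff00::/8 rule. The hop-limit
        # check is an addition from RFC 4890: these must arrive with hop limit 255.
        return hop_limit is None or hop_limit == 255
    return subnet_verdict(default, rules, dst) == "ACCEPT"
```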