
firewall: global prefix in rules needs to be changed manually when IPv6 upstream prefix changes #2544

Open
RyuunoAelia opened this Issue Jul 14, 2018 · 9 comments

RyuunoAelia commented Jul 14, 2018

While playing a bit with NPTv6 I found a workflow issue. The main and only reason to use NPTv6 is to avoid changing your local configuration (firewall rules, etc) when your upstream changes.

However, as things are done in opnsense right now, you need to manually update the NPTv6 rule each time the upstream changes.

This is fine for cases where you have complete control over when the prefix change occurs (multi-homed setup, etc). However, when the prefix may change without your knowledge (say a 6rd setup, or an ISP providing IPv6 connectivity with short-lived DHCP leases), having to manually update the rule is painful.

I understand selecting the IPv6 might be problematic to implement in general. An interface may have multiple IPv6 at a point in time (even if you ignore link-local addresses). So maybe having a way to select on an interface if this interface will have dynamic NPTv6 rules might be a more straightforward flow for setting up things. But since I do not know much about the internals of the UI, I cannot give a pertinent insight.

My full context is described in #2538.

@RyuunoAelia RyuunoAelia changed the title [NPTv6] global prefix interface needs to be changed manually when upstream prefix changes [NPTv6] global prefix needs to be changed manually when upstream prefix changes Jul 14, 2018

fichtner commented Jul 15, 2018

This is also useful for DHCPv6 and SLAAC, but will require more tinkering.

@fichtner fichtner added this to the Future milestone Jul 15, 2018

marjohn56 commented Jul 17, 2018

With the manual addition we did to dhcpd6 it should change the prefix as the config for dhcpd6 is re-written and re-loaded, that was always the bugbear, but I think that side is working. Whether it works when not using manual override (default) I did not test.

fichtner commented Jul 17, 2018

Not for the rules currently. It doesn't allow tracking the interface prefix change.

marjohn56 commented Jul 17, 2018

So maybe we try splitting the rules into prefix/suffix... Alias for Prefix+suffix. It does make it complex for the user too, but that's the problem with a changing prefix, it's not for the faint-hearted.

fichtner commented Jul 17, 2018

We already have a larger change in that area to make 6RD usable for "inet6" type rules and need to see if that is alright before we stack another layer on top, but generally an automatic prefix adaption option should be possible.

@fichtner fichtner removed this from the Future milestone Jul 30, 2018

chris42 commented Aug 16, 2018

Having similar troubles discussed with marjohn56 in https://forum.opnsense.org/index.php?topic=9438.0

Being completely oblivious as to how technically the DHCPv6, SLAAC, RADV and the firewall work: Since the clients in the network negotiate their IPv6, couldn't OPNsense create a central register in the DNS that is built during the negotiation process? This would keep the changing IP information centralized and up to date in real time. (This would cover prefix changes as well as changes by e.g. privacy extensions.)
Then you could use that register with Hostname in the firewall rules?

Basically using the Alias, but not having a 5min delay between resolving the hostname, but accessing the register (which should be up-to-date) of IPv6s in the network?

fichtner commented Aug 16, 2018

Since we need to force a rules update on IP changes it's probably better to read the current IPv6 and merge the prefix accordingly and reload the rules. That should cover 99% of the use cases. The only tricky thing is integrating this logic and how to present it to the user (if applicable).

chris42 commented Aug 16, 2018

I would put an option next to the prefix delegation option to enable automatic prefix update to firewall rules. Then have in the Firewall rule next to the IP window an option to use delegated prefix. IP window then only holds the suffix part.
Then you could control if you actually want to use that feature next to the prefix delegation and then control per firewall rule, if it is a rule, that uses this feature.
Just to mark it: opinion.... ;-)

RyuunoAelia commented Aug 18, 2018

To answer the "use hostname in rules" remark. It is not recommended by the pf (the firewall software) documentation (because in general the firewall is started before any other services, thus there is no DNS available to query).

The thing is, we don't need a convoluted thing like DNS, since opnsense (and pfsense for that matter) already regenerates all firewall rules when the IPv4 changes via DHCP, so we only need to have a way to map the IPv6 change too. With IPv6 it makes sense to split the network part and the machine part of addresses I think.
Even if both parts of IPv6 addresses can be dynamic, since the internal network controls the machine part we can forget about it, and only concentrate on managing changes in the network part (A.K.A. prefix).

The way I see things, you don't even need to change that much in the UI, just make the IPv6 firewall rule editing look more like the IPv4 rule, with the drop-down list for Type of Source/Destination with an "Interface subnet" option and an optional "machine part of address" field or something like that. Then there's a bit of a tricky mangling of the input to regenerate the full address to pass to the pf command to do in the *.inc files.
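An added illustration (not OPNsense code, and not from anyone in this thread) of the prefix/suffix split proposed above: rules store only the host part, and the full address is rebuilt from the interface's current prefix whenever that prefix changes. The addresses are constructed, and the rendered pf lines are a simplified form assumed not to match OPNsense's generated rule set.

```python
import ipaddress


def merge_prefix_suffix(current_addr, suffix):
    """Combine the interface's current IPv6 prefix with a stored host part.

    current_addr: interface address with prefix length, e.g. "2001:db8:1:2::1/64"
    suffix:       host (machine) part kept in the rule, e.g. "::10"
    Returns the full address to put in the regenerated rule.
    """
    net = ipaddress.IPv6Interface(current_addr).network
    host_bits = 128 - net.prefixlen
    host_mask = (1 << host_bits) - 1
    suffix_int = int(ipaddress.IPv6Address(suffix))
    # Refuse a host part that would overwrite prefix bits.
    if suffix_int & ~host_mask:
        raise ValueError(f"host part {suffix} does not fit in a /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | suffix_int))


def prefix_changed(old_addr, new_addr):
    """True when the delegated prefix changed, not merely the interface's own host bits."""
    return (ipaddress.IPv6Interface(old_addr).network
            != ipaddress.IPv6Interface(new_addr).network)


def render_rules(current_addr, rules):
    """Regenerate simplified pf rule text from rules that store only a host part.

    Each rule is a dict with keys: action, iface, proto, suffix, port (constructed schema).
    """
    lines = []
    for r in rules:
        dst = merge_prefix_suffix(current_addr, r["suffix"])
        lines.append(f'{r["action"]} in on {r["iface"]} inet6 proto {r["proto"]} '
                     f"from any to {dst} port {r['port']}")
    return lines


# Constructed sample rule set: only the machine part of each destination is stored.
RULES = [
    {"action": "pass", "iface": "wan", "proto": "tcp", "suffix": "::10", "port": 22},
    {"action": "pass", "iface": "wan", "proto": "tcp", "suffix": "::1:2", "port": 443},
]

if __name__ == "__main__":
    old, new = "2001:db8:1:2::1/64", "2001:db8:99:5::1/64"  # constructed prefix change
    if prefix_changed(old, new):
        for line in render_rules(new, RULES):
            print(line)
```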

@fichtner fichtner added this to the 19.7 milestone Jan 13, 2019

@fichtner fichtner added feature and removed help wanted labels Jan 13, 2019

@fichtner fichtner self-assigned this Jan 13, 2019

@fichtner fichtner changed the title [NPTv6] global prefix needs to be changed manually when upstream prefix changes firewall: global prefix in rules needs to be changed manually when IPv6 upstream prefix changes Mar 10, 2019
