security/tinc: Fix switch mode #1733
Merged
Conversation
A Host class with empty self._payload['subnet'] is considered invalid (lines 38-39). Thus, we can remove self._payload['subnet'] = None from __init__() and add a check for existence to config_text().
Set network.subnet.required and host.subnet.required to N, add a required constraint for network.subnet if network.mode is router.
In order to support various dual-stack configs (primary IPv4/v6 assigned by VPN/Tinc and any combination of alias IPv4/v6 assigned by Firewall/VIP) we need to trigger configctl:
- Primary IPv4: /usr/local/opnsense/service/configd_ctl.py interface newip $interface
- Primary IPv6: /usr/local/opnsense/service/configd_ctl.py interface newipv6 $interface
Destroying tun/tap interface each time Tinc daemon stops/restarts resolves the issue of losing IPv6 network routes (see #3972).
AdSchellevis requested changes on May 6, 2020:
@vnxme sorry for the late reply, finally got around to checking the code a bit, I've added some small findings inline.
The network.mode field is now linked to the network.subnet field.
AdSchellevis added a commit to opnsense/core that referenced this pull request on May 12, 2020:
…eld (shows validation message on field where the option is set, should be the one it's pointing to). ref opnsense/plugins#1733
fichtner pushed a commit to opnsense/core that referenced this pull request on May 19, 2020:
…eld (shows validation message on field where the option is set, should be the one it's pointing to). ref opnsense/plugins#1733 (cherry picked from commit 2eb1ee5)
Background
What I would like to achieve is a dual-stack ethernet bridge using Tinc (layer 2 VPN). Since it is completely possible using Tinc on Linux, it should be achievable in OPNsense.
Current situation summary
If I change Tinc mode from router (L3VPN) to switch (L2VPN), it won't start properly because irrelevant subnet variables are included in host configuration files. Before this commit I cannot leave them empty in OPNsense WebGUI. Commenting out these variables and restarting Tinc daemon from console fixes the problem.
About this PR
Following the official manual, the subnet configuration variable seems to be used by Tinc for routing purposes in router mode. Although this field can also be a single MAC address which might be suitable for switch mode purposes, OPNsense does not currently support such an option.
This PR includes the following changes:
What could be further improved (but I have failed to implement):
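The two behaviours this PR describes (a host file that emits Subnet only when a subnet is actually set, and a subnet requirement that applies only when the network mode is router) are illustrated below in an added Python example. It is not code from the opnsense/plugins repository; the class and function names (Host, config_text, validate_network), the payload keys and the sample host values are assumptions made for the illustration.

```python
# Added illustration, not the opnsense/plugins tinc backend.
# Shows (1) a host stanza that omits "Subnet = ..." when no subnet was given,
# which is what switch mode (layer 2) needs, and (2) a validator that makes
# the subnet mandatory only when the network runs in router mode.
# Names and sample values are assumptions for this example.

class Host:
    """One tinc host file (hosts/<name>); 'subnet' is optional."""

    def __init__(self, name, address, pubkey, subnet=None):
        self._payload = {'name': name, 'address': address, 'pubkey': pubkey}
        # Deliberately no self._payload['subnet'] = None:
        # absence of the key means "not configured", so config_text() can
        # test for existence instead of for None.
        if subnet:
            self._payload['subnet'] = subnet

    def config_text(self):
        """Render the host file; Subnet is written only when present."""
        lines = ['Address = %s' % self._payload['address']]
        if 'subnet' in self._payload:
            lines.append('Subnet = %s' % self._payload['subnet'])
        lines.append(self._payload['pubkey'])
        return '\n'.join(lines) + '\n'


def validate_network(mode, subnet):
    """Return a list of validation messages for a tinc network definition.

    tinc modes are router, switch and hub; only router mode relies on Subnet
    for routing decisions, so the field is required only there.
    """
    errors = []
    if mode not in ('router', 'switch', 'hub'):
        errors.append('mode: unknown value %r' % mode)
    if mode == 'router' and not subnet:
        errors.append('subnet: required when mode is router')
    return errors


if __name__ == '__main__':
    # Constructed sample values (documentation-range IPs, placeholder key).
    key = ('-----BEGIN RSA PUBLIC KEY-----\n'
           'PLACEHOLDER\n'
           '-----END RSA PUBLIC KEY-----')
    print(Host('alpha', '203.0.113.10', key, subnet='10.8.0.1/32').config_text())
    print(Host('beta', '198.51.100.7', key).config_text())
    print(validate_network('router', None))
    print(validate_network('switch', None))
```

With the subnet omitted the rendered host file contains no Subnet line at all, so a switch-mode daemon no longer sees a routing directive it cannot use; in router mode the validator still refuses an empty subnet, matching the "required if network.mode is router" constraint from the commit message.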