sseidel
Joined: 10 Feb 2015 Posts: 8
|
Posted: Wed Feb 11, 2015 9:23 am Post subject: WANIPv6Firewallcontrol support for IPv4-mapped-IPv6 address |
|
|
Hi me again,
I would like to see support for IPv4-mapped IPv6 addresses as defined in RFC 4291 Section 2.5.5.2. This should be an extension of the method AddPinhole() because there is no equivalent method in IGD1.
The aim would be to have the same behaviour as PCP, described in RFC 6887 Section 5. This feature is very helpful for scenarios where a stateful firewall is present which allows only outbound connections and no NAT44 is present.
I would implement it myself, but I am not quite sure where. I would expect that changes in the file upnppinhole.c in the method upnp_add_inboundpinhole_internal() are necessary, but I saw that a lot of code is commented out or will not be compiled because of #ifdef 0
So I don't know whether this is the right place, but I think only minor changes are required.
1.) Check whether the first 80 bits are 0000:0000:0000:0000:FFFF:0000:: of the RemoteHost and InternalClient. OR RemoteHost should also allow the wildcard.
2a) If no, do the same as already implemented.
2b) If yes, replace the ip6tables rules by iptables rules and use the last 32 bits of the RemoteHost and InternalClient as IPv4 address. Here too it should be possible for the RemoteHost to accept the wildcard.
Probably the following methods should be changed as well:
UpdatePinhole()
DeletePinhole()
GetOutboundPinholeTimeout()
GetPinholePackets()
CheckPinholeWorking()
Thank you and best regards
Sebastian
EDIT:
I looked a little bit deeper into the code and discovered the files iptcrdr.c and iptpinhole.c.
I think the method add_filter_rule() in iptcrdr.c is what I need. |
|
|
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
|
Posted: Wed Feb 11, 2015 10:33 am Post subject: |
|
|
I don't think WANIPv6Firewallcontrol supports IPv4 mappings to IPv6.
Use the PCP standard, which supports it.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/ |
|
|
|
sseidel
Joined: 10 Feb 2015 Posts: 8
|
Posted: Wed Feb 11, 2015 12:01 pm Post subject: |
|
|
Can you recommend a PCP client? |
|
|
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
|
|
|
|
sseidel
Joined: 10 Feb 2015 Posts: 8
|
Posted: Wed Feb 11, 2015 4:24 pm Post subject: |
|
|
This software doesn't really work like I want. The test script produced a lot of Fails.
I tried to implement my idea using IPv4-mapped IPv6 addresses. It's a quick and dirty solution. At the end I have a question.
I inserted the following lines in upnppinhole.c in method AddPinhole() right after the line
This checks whether InternalClient is an ipv4-mapped-ipv6 Address
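Code: |
/* RFC 4291 section 2.5.5.2 prefix: 80 zero bits followed by 16 one bits,
 * i.e. bytes 0-9 are 0x00 and bytes 10-11 are 0xff */
u_int8_t ipv4mappedipv6[12] = {0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xff};
int zaehler;	/* loop counter */
int ipv4mappedipv6Address=1;	/* stays 1 only if all 12 prefix bytes match */
for(zaehler=0;zaehler<12;zaehler++){
	if(ipv4mappedipv6[zaehler] != address.s6_addr[zaehler]){
		ipv4mappedipv6Address=0;
		break;
	}
}
|
Additionally, I changed the following part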
Code: |
#if defined(USE_PF) || defined(USE_NETFILTER)
	//TODO
	static const char ipv4mask[] = "%d.%d.%d.%d";
	/* "255.255.255.255" is 15 characters plus the terminating NUL;
	 * a 15-byte buffer would cut the last digit off the address */
	char ipv4Address[16];
	/* the last 4 bytes of the mapped address are the IPv4 address */
	snprintf(ipv4Address,sizeof(ipv4Address),ipv4mask,address.s6_addr[12],address.s6_addr[13],address.s6_addr[14],address.s6_addr[15]);
	if(ipv4mappedipv6Address!=0){
		//forget the next line, it is rubbish but works if rhost is empty string
		//the rest I will do later
		/* raddr is a string, so +12 skips characters, not address bytes */
		const char * rhost=raddr+12;
		/* IPv4-mapped InternalClient: add an iptables filter rule */
		*uid = add_filter_rule3(0/*ext_if_name*/,rhost,ipv4Address,
		                        rport,iport,proto,desc,timestamp);
	}
	else{
		/* native IPv6: unchanged ip6tables pinhole */
		*uid = add_pinhole (0/*ext_if_name*/, raddr, rport,
		                    iaddr, iport, proto, desc, timestamp);
	}
	return *uid >= 0 ? 1 : -1;
#else
	return -42; /* not implemented */
#endif
|
I added the method add_filter_rule3 in netfilter/iptcrdr.c and the signature in netfilter/iptcrdr.h
Code: |
/* Wrapper around add_filter_rule() that also records the description
 * and expiry timestamp for the rule. */
int
add_filter_rule3(const char * ifname,
                 const char * rhost, const char * iaddr,
                 unsigned short eport, unsigned short iport,
                 int proto, const char * desc,unsigned int timestamp)
{
	UNUSED(ifname);
	int r=add_filter_rule(proto, rhost, iaddr, iport);
	if(r>=0)
		add_redirect_desc(eport,proto,desc,timestamp);
	return r;
}
|
The last thing I have done was to change the line in netfilter/iptcrdr.c from
Code: | e->ip.smsk.s_addr = INADDR_NONE; |
to
Code: | e->ip.smsk.s_addr = INADDR_ANY; |
Please don't hit me, but I needed it and it was the fastest solution. I will implement it in another method for the long run.
My question is now, what do I have to do so that the iptables filter rule is deleted after the activation time has expired?
I thought the program would do it on its own when I called add_redirect_desc(), as is done in other methods. In iptpinhole.c there is the method clean_pinhole_list(); is there an equivalent in iptcrdr.c? |
|
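Added example, not part of the posts above and not miniupnpd code: the address-family decision from steps 1.) to 2b) as a stand-alone C helper, including the wildcard RemoteHost and the case where RemoteHost and InternalClient disagree. The names `classify_host` and `pinhole_family` are hypothetical; the prefix is the one from RFC 4291 Section 2.5.5.2 (bytes 10 and 11 are 0xff) and the IPv4 buffers are sized with `INET_ADDRSTRLEN`.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Added example; classify_host() and pinhole_family() are hypothetical names. */
enum host_kind { HOST_INVALID, HOST_WILDCARD, HOST_V6, HOST_V4MAPPED };

/* RFC 4291 section 2.5.5.2: 80 zero bits, 16 one bits, then the IPv4 address. */
static const unsigned char v4mapped_prefix[12] =
	{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };

/* Classify one address argument. For HOST_V4MAPPED the dotted quad is
 * written to v4, which needs INET_ADDRSTRLEN (16) bytes. */
enum host_kind classify_host(const char *host, char *v4, size_t v4len)
{
	struct in6_addr a;

	if (host == NULL || host[0] == '\0')
		return HOST_WILDCARD;
	if (inet_pton(AF_INET6, host, &a) != 1)
		return HOST_INVALID;
	if (memcmp(a.s6_addr, v4mapped_prefix, sizeof(v4mapped_prefix)) != 0)
		return HOST_V6;
	/* the last 32 bits are the IPv4 address in network byte order */
	if (inet_ntop(AF_INET, a.s6_addr + 12, v4, (socklen_t)v4len) == NULL)
		return HOST_INVALID;	/* output buffer too small */
	return HOST_V4MAPPED;
}

/* Decide which rule set a pinhole request belongs to:
 * 4 = iptables, 6 = ip6tables, -1 = reject the request.
 * rhost4/ihost4 receive the IPv4 strings when the answer is 4;
 * rhost4 is "" for a wildcard RemoteHost. */
int pinhole_family(const char *rhost, const char *ihost,
                   char *rhost4, char *ihost4, size_t len)
{
	enum host_kind r, i;

	if (len == 0)
		return -1;
	rhost4[0] = '\0';
	r = classify_host(rhost, rhost4, len);
	i = classify_host(ihost, ihost4, len);
	if (i == HOST_V6 && (r == HOST_V6 || r == HOST_WILDCARD))
		return 6;
	if (i == HOST_V4MAPPED && (r == HOST_V4MAPPED || r == HOST_WILDCARD))
		return 4;
	return -1;	/* invalid, wildcard InternalClient, or mixed families */
}
```

A request that mixes a native IPv6 RemoteHost with a mapped InternalClient is rejected rather than silently widened to "any source", and a too-small output buffer is reported as invalid instead of producing a truncated address in the rule.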
|
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
|
Posted: Wed Feb 11, 2015 4:49 pm Post subject: |
|
|
Quote: | My question is now, what do I have to do so that the iptables filter rule is deleted after the activation time has expired?
|
The program should delete them automatically. But your modification may have broken something |
|
|
|
|
|
© 2007 Thomas Bernard, author of MiniUPNP.
|