miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 
WANIPv6Firewallcontrol support for IPv4-mapped-IPv6 address

 
Forum: miniupnpd Feature Request
sseidel



Joined: 10 Feb 2015
Posts: 8

Posted: Wed Feb 11, 2015 9:23 am    Post subject: WANIPv6Firewallcontrol support for IPv4-mapped-IPv6 address

Hi, me again,

I would like to see support for IPv4-mapped IPv6 addresses as defined in RFC 4291 Section 2.5.5.2. This should be an extension of the method AddPinhole() because there is no equivalent method in IGD1.

The aim would be to have the same behaviour as PCP, described in RFC 6887 Section 5. This feature is very helpful for scenarios where a stateful firewall is present which allows only outbound connections and no NAT44 is present.


I would implement it myself, but I am not quite sure where. I would expect that changes in the file upnppinhole.c in the method upnp_add_inboundpinhole_internal() are necessary, but I saw that a lot of code is commented out or will not be compiled because of #ifdef 0.

So I don't know whether this is the right place, but I think only minor changes are required.

1.) Check whether the first 80 bits of the RemoteHost and InternalClient are 0000:0000:0000:0000:FFFF:0000::. The RemoteHost should also allow the wildcard.

2a) If not, do the same as already implemented.

2b) If so, replace the ip6tables rules by iptables rules and use the last 32 bits of the RemoteHost and InternalClient as the IPv4 address. Here, too, the RemoteHost should accept the wildcard.


Probably the following methods should be changed as well:
UpdatePinhole()
DeletePinhole()
GetOutboundPinholeTimeout()
GetPinholePackets()
CheckPinholeWorking()



Thank you and best regards

Sebastian

EDIT:

I looked a little deeper into the code and discovered the files iptcrdr.c and iptpinhole.c.

I think the method add_filter_rule() in iptcrdr.c is what I need.
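An added example of the check described in steps 1 and 2a/2b above. This is the editor's own code, not miniupnpd's and not the poster's patch: it classifies the AddPinhole() RemoteHost and InternalClient arguments, extracts the embedded IPv4 address from an IPv4-mapped one, and refuses a request whose two addresses belong to different families, since no single iptables or ip6tables rule can match an IPv4 peer against an IPv6 client. It assumes that an empty string or "*" is the RemoteHost wildcard, and the command lines it renders are illustrative, not miniupnpd's actual rule layout. Two details worth checking against the post: the IPv4-mapped form is ::ffff:0:0/96, so the comparison covers the first 96 bits (80 zero bits followed by 0xffff in bytes 10 and 11, not bytes 8 and 9), and because this path turns an IPv6 firewall-control request into an IPv4 FORWARD rule, whatever restriction the daemon places on a native IPv6 InternalClient (for example that it must be the requesting host) has to be enforced on the embedded IPv4 address as well.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* How an AddPinhole() address argument is classified. */
enum addr_kind { ADDR_INVALID, ADDR_ANY, ADDR_V6, ADDR_V4MAPPED };

/* RFC 4291 2.5.5.2: 80 zero bits, 16 one bits, then the 32-bit IPv4 address. */
static const unsigned char v4mapped_prefix[12] =
    { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };

/* Classify `text`. "" and "*" are taken as the wildcard (an assumption of
 * this example). For ADDR_V4MAPPED the embedded IPv4 address is written to
 * `v4` in dotted-quad form (v4len >= INET_ADDRSTRLEN); pass NULL to skip. */
enum addr_kind classify_addr(const char *text, char *v4, size_t v4len)
{
    struct in6_addr a6;
    struct in_addr a4;

    if (text == NULL || text[0] == '\0' || strcmp(text, "*") == 0)
        return ADDR_ANY;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return ADDR_INVALID;
    if (memcmp(a6.s6_addr, v4mapped_prefix, sizeof v4mapped_prefix) != 0)
        return ADDR_V6;
    /* bytes 12..15 hold the IPv4 address, already in network byte order */
    memcpy(&a4, &a6.s6_addr[12], sizeof a4);
    if (v4 != NULL && inet_ntop(AF_INET, &a4, v4, v4len) == NULL)
        return ADDR_INVALID;
    return ADDR_V4MAPPED;
}

/* Render the filter rule a daemon would have to install for the pinhole.
 * The command-line form is illustrative, not miniupnpd's rule layout.
 * Returns 0 on success; -1 for invalid input, an unsupported protocol,
 * a wildcard InternalClient, or mixed address families. */
int build_pinhole_rule(const char *rhost, const char *iaddr, int proto,
                       unsigned short iport, char *out, size_t outlen)
{
    char r4[INET_ADDRSTRLEN], i4[INET_ADDRSTRLEN];
    enum addr_kind rk = classify_addr(rhost, r4, sizeof r4);
    enum addr_kind ik = classify_addr(iaddr, i4, sizeof i4);
    const char *pname = proto == 6 ? "tcp" : proto == 17 ? "udp" : NULL;
    const char *tool, *src, *dst;
    int n;

    if (pname == NULL || rk == ADDR_INVALID || ik == ADDR_INVALID || ik == ADDR_ANY)
        return -1;          /* InternalClient must name one concrete host */
    if (rk != ADDR_ANY && rk != ik)
        return -1;          /* IPv4 peer vs IPv6 client (or vice versa): not expressible */

    /* step 2b of the post: an IPv4-mapped client gets an iptables rule on the
     * embedded IPv4 address; step 2a: a native IPv6 client keeps ip6tables */
    tool = (ik == ADDR_V4MAPPED) ? "iptables" : "ip6tables";
    dst  = (ik == ADDR_V4MAPPED) ? i4 : iaddr;
    src  = (rk == ADDR_V4MAPPED) ? r4 : rhost;
    if (rk == ADDR_ANY)
        n = snprintf(out, outlen, "%s -I FORWARD -p %s -d %s --dport %u -j ACCEPT",
                     tool, pname, dst, (unsigned)iport);
    else
        n = snprintf(out, outlen, "%s -I FORWARD -p %s -s %s -d %s --dport %u -j ACCEPT",
                     tool, pname, src, dst, (unsigned)iport);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* constructed sample requests (RemoteHost, InternalClient) */
    const char *cases[][2] = {
        { "",                 "::ffff:10.0.0.5" },
        { "::ffff:192.0.2.1", "::ffff:10.0.0.5" },
        { "2001:db8::1",      "2001:db8::2"     },
        { "2001:db8::1",      "::ffff:10.0.0.5" },   /* mixed families: refused */
    };
    char rule[256];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (build_pinhole_rule(cases[i][0], cases[i][1], 6, 22, rule, sizeof rule) == 0)
            printf("%s\n", rule);
        else
            printf("refused: RemoteHost=%s InternalClient=%s\n", cases[i][0], cases[i][1]);
    }
    return 0;
}
```

The classification is done on the parsed binary form rather than on the text, so "::ffff:192.0.2.10" and "::ffff:c000:20a" are treated identically, and an IPv4-compatible address such as "::192.0.2.10" (all 96 leading bits zero) is correctly kept on the IPv6 path.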
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1592

Posted: Wed Feb 11, 2015 10:33 am    Post subject:

I don't think WANIPv6Firewallcontrol supports IPv4 mappings to IPv6

Use PCP standard which supports it.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
sseidel



Joined: 10 Feb 2015
Posts: 8

Posted: Wed Feb 11, 2015 12:01 pm    Post subject:

Can you recommend a PCP client?
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1592

Posted: Wed Feb 11, 2015 1:28 pm    Post subject:

sseidel wrote:
Can you recommend a PCP client?

https://github.com/libpcp/pcp
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
sseidel



Joined: 10 Feb 2015
Posts: 8

Posted: Wed Feb 11, 2015 4:24 pm    Post subject:

This software doesn't really work the way I want. The test script produced a lot of Fails. :(

I tried to implement my idea using IPv4-mapped IPv6 addresses. It's a quick and dirty solution. At the end I have a question.

I inserted the following lines in upnppinhole.c in the method AddPinhole() right after the line
Code:
r=0;

This checks whether InternalClient is an IPv4-mapped IPv6 address:
Code:
/* ::ffff:0:0/96 prefix of an IPv4-mapped address (needs <stdint.h>);
 * the 0xff bytes are at offsets 10 and 11, the original had them at 8 and 9 */
uint8_t ipv4mappedipv6[12] = {0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xff};
   int zaehler;
   int ipv4mappedipv6Address=1;
   /* compare the first 12 bytes of InternalClient with the prefix */
   for(zaehler=0;zaehler<12;zaehler++){
      if(ipv4mappedipv6[zaehler] != address.s6_addr[zaehler]){
         ipv4mappedipv6Address=0;
         break;
      }
   }


Additionally I changed the following part:

Code:
#if defined(USE_PF) || defined(USE_NETFILTER)
//TODO
   /* dotted-quad form of the last 32 bits of InternalClient;
    * INET_ADDRSTRLEN (16) leaves room for "255.255.255.255" plus the
    * terminating NUL, which the original 15-byte buffer did not */
   static const char ipv4mask[] = "%d.%d.%d.%d";
   char ipv4Address[INET_ADDRSTRLEN];
   snprintf(ipv4Address,sizeof(ipv4Address),ipv4mask,address.s6_addr[12],address.s6_addr[13],address.s6_addr[14],address.s6_addr[15]);

   if(ipv4mappedipv6Address!=0){
      /* RemoteHost "" is the wildcard; otherwise it must be IPv4-mapped as
       * well and only its embedded IPv4 address is handed to iptables
       * (replaces the original raddr+12, which read past the end of "") */
      char rhost4[INET_ADDRSTRLEN] = "";
      struct in6_addr raddr6;
      if(raddr != NULL && raddr[0] != '\0'){
         if(inet_pton(AF_INET6, raddr, &raddr6) != 1
            || memcmp(raddr6.s6_addr, ipv4mappedipv6, sizeof(ipv4mappedipv6)) != 0)
            return -1;   /* mixed address families: no single rule can express this */
         snprintf(rhost4,sizeof(rhost4),ipv4mask,
                  raddr6.s6_addr[12],raddr6.s6_addr[13],raddr6.s6_addr[14],raddr6.s6_addr[15]);
      }
      *uid = add_filter_rule3(0/*ext_if_name*/,rhost4,ipv4Address,
                 rport,iport,proto,desc,timestamp);
   }
   else{
      *uid = add_pinhole (0/*ext_if_name*/, raddr, rport,
                       iaddr, iport, proto, desc, timestamp);
   }
   return *uid >= 0 ? 1 : -1;
#else
   return -42;   /* not implemented */
#endif


I added the method add_filter_rule3 in netfilter/iptcrdr.c and the signature in netfilter/iptcrdr.h:

Code:
int
add_filter_rule3(const char * ifname,
                 const char * rhost, const char * iaddr,
                 unsigned short eport, unsigned short iport,
                 int proto, const char * desc,unsigned int timestamp)
{
   int r;
   UNUSED(ifname);
   /* IPv4 ACCEPT rule in the filter chain; rhost "" means any source */
   r=add_filter_rule(proto, rhost, iaddr, iport);
   if(r>=0)
      add_redirect_desc(eport,proto,desc,timestamp);
   return r;   /* the original was missing the semicolon */
}


The last thing I did was to change the line in netfilter/iptcrdr.c from
Code:
e->ip.smsk.s_addr = INADDR_NONE;

to
Code:
e->ip.smsk.s_addr = INADDR_ANY;


Please don't hit me, but I needed it and it was the fastest solution. I will implement it in another method in the long run.

My question now is: what do I have to do so that the iptables filter rule will be deleted after the activation time has expired?

I thought the program would do it on its own when I called add_redirect_desc() as done in other methods. In iptpinhole.c there is the method clean_pinhole_list(); is there an equivalent in iptcrdr.c?
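The expiry question in the post above, as an added example. This is the editor's own code, not miniupnpd's and not the poster's patch: a minimal pinhole table in which AddPinhole, UpdatePinhole and DeletePinhole all operate on the same uid, plus a periodic sweep that removes every entry whose expiry time has been reached and asks the backend to delete its firewall rule. The function names, the 16-entry table, the "expires <= now" rule and the logging stand-in for the netfilter backend are this example's assumptions. The point it illustrates is that a rule is only torn down automatically if the same bookkeeping that records its expiry also knows how to delete that exact rule; a rule added through a path that the sweep does not track will simply stay in place.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PINHOLES 16

/* One pinhole the daemon owns: what was installed and when it lapses.
 * Field names follow the AddPinhole() arguments; the layout is this
 * example's own, not miniupnpd's. */
struct pinhole {
    int in_use;
    int uid;                /* UniqueID handed back to the control point */
    int proto;              /* 6 = TCP, 17 = UDP */
    char rhost[46];         /* RemoteHost, "" = any */
    char iaddr[46];         /* InternalClient */
    unsigned short iport;   /* InternalPort */
    unsigned int expires;   /* absolute time (epoch seconds) at which the rule must go */
};

static struct pinhole table[MAX_PINHOLES];
static int next_uid = 1;

/* Stand-in for the netfilter backend: in a daemon this is where the
 * iptables/ip6tables rule is actually removed. Here it only reports. */
static void backend_delete_rule(const struct pinhole *p)
{
    printf("removing %s rule uid=%d %s -> %s:%u\n",
           p->proto == 6 ? "tcp" : "udp", p->uid,
           p->rhost[0] ? p->rhost : "*", p->iaddr, (unsigned)p->iport);
}

static struct pinhole *find_pinhole(int uid)
{
    for (int i = 0; i < MAX_PINHOLES; i++)
        if (table[i].in_use && table[i].uid == uid)
            return &table[i];
    return NULL;
}

/* AddPinhole: record the rule together with its expiry. Returns uid, or -1 if full. */
int pinhole_add(const char *rhost, const char *iaddr, unsigned short iport,
                int proto, unsigned int expires)
{
    for (int i = 0; i < MAX_PINHOLES; i++) {
        struct pinhole *p = &table[i];
        if (p->in_use)
            continue;
        memset(p, 0, sizeof *p);
        p->in_use = 1;
        p->uid = next_uid++;
        p->proto = proto;
        snprintf(p->rhost, sizeof p->rhost, "%s", rhost ? rhost : "");
        snprintf(p->iaddr, sizeof p->iaddr, "%s", iaddr);
        p->iport = iport;
        p->expires = expires;
        return p->uid;
    }
    return -1;
}

/* UpdatePinhole: move the expiry of an existing pinhole. 0 on success, -1 if unknown. */
int pinhole_update(int uid, unsigned int expires)
{
    struct pinhole *p = find_pinhole(uid);
    if (p == NULL)
        return -1;
    p->expires = expires;
    return 0;
}

/* DeletePinhole: explicit removal by the client. 0 on success, -1 if unknown. */
int pinhole_delete(int uid)
{
    struct pinhole *p = find_pinhole(uid);
    if (p == NULL)
        return -1;
    backend_delete_rule(p);
    p->in_use = 0;
    return 0;
}

/* Periodic sweep from the main loop: every pinhole whose expiry has been
 * reached (expires <= now) is removed from the firewall and from the table.
 * Returns how many were removed. */
int pinhole_clean_expired(unsigned int now)
{
    int removed = 0;
    for (int i = 0; i < MAX_PINHOLES; i++) {
        struct pinhole *p = &table[i];
        if (p->in_use && p->expires <= now) {
            backend_delete_rule(p);
            p->in_use = 0;
            removed++;
        }
    }
    return removed;
}

/* Earliest expiry among live pinholes (0 if none): lets the main loop sleep
 * exactly until the next rule has to be torn down instead of polling. */
unsigned int pinhole_next_expiry(void)
{
    unsigned int next = 0;
    for (int i = 0; i < MAX_PINHOLES; i++)
        if (table[i].in_use && (next == 0 || table[i].expires < next))
            next = table[i].expires;
    return next;
}

int pinhole_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_PINHOLES; i++)
        n += table[i].in_use;
    return n;
}

int main(void)
{
    /* constructed sample pinholes with absolute expiry times */
    int a = pinhole_add("", "10.0.0.5", 22, 6, 1000);
    int b = pinhole_add("192.0.2.1", "10.0.0.5", 5060, 17, 2000);
    printf("uids %d %d, next expiry at %u\n", a, b, pinhole_next_expiry());
    printf("sweep at t=1000 removed %d\n", pinhole_clean_expired(1000));
    printf("sweep at t=2000 removed %d\n", pinhole_clean_expired(2000));
    return 0;
}
```

In a real daemon the sweep runs from the select() loop with the timeout derived from pinhole_next_expiry(), and the backend call removes the rule by the same identity (uid, or the exact match fields) under which it was inserted.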
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1592

Posted: Wed Feb 11, 2015 4:49 pm    Post subject:

Quote:
My question is now, what I have to do that the iptables filter rule will be deleted after the activation time expired?

The program should delete them automatically. But your modification may have broken something.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
© 2007 Thomas Bernard, author of MiniUPNP.