fwknop
Add IPv6 support to fwknop
This branch adds complete support for IPv6 on fwknop. It still has a few limitations though:
- fwknop must be run with the -6 command-line parameter
- when using IPTables, fwknop supports either IPv4 or IPv6 but not both at the same time
- IPv6 is supported in UDP, TCP, and HTTP modes (both client and server)

This should close #1.
Wow, tons of work. I have a local ipv6 branch to track this. I'm going to add some test suite support for IPv6 so I can work into what you've done, and then push this branch to github so we can collaborate. Let's target the next release of fwknop to merge your changes into master.
That's indeed some epic work. Well done @khorben! Now if only the world could finally move to IPv6 ;)
Thank you :)
This was sponsored by Asahi Net, Inc. by the way, https://asahi-net.co.jp/en/corporate/ (as mentioned in #1)
Great work Pierre, thanks a lot, much appreciated.
Diving into this finally, sorry for the delay. I've opened a new issue based on a start on IPv6 test suite support.
Targeting this work for the next major release of fwknop.
Why wasn't it merged still?
I do not know. The reviewer (@bastien-roucaries) seems to have approved the changes 3 years ago; on my side I haven't had the opportunity to comment on the proposed changes.
Maybe the remaining limitations are considered unsuitable for merge into master; @mrash?
@mrash Could you comment please? Without IPv6 support, it looks mostly as abandon-ware these days, so it makes sense to clarify the project status..
@damienstuart @bastien-roucaries #344 #309
Hi all,
Apologies for the long delays. Generally I need to get a maintenance release out for fwknop to get grounded in the latest Linux distributions and account for drift over the past few years. This should happen before any large feature additions like IPv6 support. On the IPv6 support itself, there are a couple of observations. First, if we can get nft support into fwknop, then v6 support becomes a lot easier. Either way though, how many combinations of v4/v6 should be supported? If a v6 request is made, should an ACCEPT rule go into both the iptables and ip6tables rules? If a v6 request is made, should the assumption be that the access will come over v6? Or v4? How about the other way, so using v4 to gain access to a service that is only advertised via v6? Maybe we start with some advertised assumptions that @khorben makes at the start - such as the fact that v4+v6 are not supported simultaneously and work up from there if user demand asks for additions. This would allow for iterative releases of this feature. Also, for a feature like this, we definitely need to add comprehensive test suite support, and that is not there yet.
Let me get a maintenance release out of fwknop in the next week or so, and then look at this for a major release.
Thanks,
--Mike
On Tue, Jun 6, 2023 at 6:13 AM Andrey Butirsky @.***> wrote:
> @mrash Could you comment please? Without IPv6 support, it looks mostly as abandon-ware these days, so it makes sense to clarify the project status..
-- Michael Rash | Founder http://www.cipherdyne.org/ Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
Thank you for the update Michael.
> First, if we can get nft support into fwknop, then v6 support becomes a lot easier.
Yeah, that is the other blocker: #107. Without it we can't even run the daemon on recent popular router firmware: #352 https://forum.openwrt.org/t/fwknop-on-x86-64-22-03-2/143855 So should be probably addressed first indeed.
There seems to be a lot of work ahead but I hope we will get there eventually!