
luci-app-firewall: add support for ipv6 setup

Open ptpt52 opened this issue 3 years ago • 4 comments

Allow setting up IPv6 for Port Forwards and NAT Rules

ptpt52 avatar Oct 19 '22 10:10 ptpt52

@jow- ping

ptpt52 avatar Oct 19 '22 10:10 ptpt52

update:

  1. Allow setting up IPv6 for Port Forwards and NAT Rules if firewall4 is used.
  2. Add a 'Restrict to address family' option for NAT Rules; if the family is any/empty, assume it is IPv4. This allows setting up NAT6 rules in the web UI.

ptpt52 avatar Oct 19 '22 11:10 ptpt52

updated

@jow- how do I validate the datatype in the validate() function? I want to check that src_ip and dst_ip are input with the same family value.

ptpt52 avatar Oct 19 '22 13:10 ptpt52

Hmm, you can query the valid state of the input fields to see if a valid IP address is present to begin with, then simply check that either both src and dest addrs contain colons or both do not contain colons. Something like this:

o.validate = function(section_id, value) {
    fwtool.updateHostHints(this.map, section_id, 'src_ip', value, hosts);
    fwtool.updateHostHints(this.map, section_id, 'dest_ip', value, hosts);

    // Look up the sibling address options of this section.
    var sopt = this.section.getOption('src_ip'),
        dopt = this.section.getOption('dest_ip');

    if (!sopt.isValid(section_id) || !dopt.isValid(section_id))
        return true; // stop validating here, the other field will show an error already

    // A colon can only appear in an IPv6 address, so it marks the family.
    var sip = sopt.formvalue(section_id) || '',
        dip = dopt.formvalue(section_id) || '',
        sv6 = (sip.indexOf(':') != -1),
        dv6 = (dip.indexOf(':') != -1);

    if (!sip || !dip)
        return true; // if either or both are empty then fine

    // XOR: exactly one of the two is IPv6, so the families differ.
    if (sv6 ^ dv6)
        return _('Address family of source and destination IPs must match');

    return true;
};

However I would not do this validation in the family dropdown option but in both the src_ip and dest_ip ones. (Also do not forget about snat_ip, that one must match the address family as well). Best is to make a shared validator function for src_ip, dest_ip and snat_ip, then assign it to all three options.

jow- avatar Oct 19 '22 14:10 jow-
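A stand-alone version of the shared validator jow- recommends above, as an added example that is not code from the thread or from LuCI. It assumes the section/option shape seen in the snippet (getOption, isValid, formvalue), leaves out the _() translation wrapper, and uses a constructed stub section so it runs offline.

```javascript
// Added example (not code from the thread or from LuCI): one address-family
// validator shared by src_ip, dest_ip and snat_ip, as jow- recommends.

// Classify one field value as '' (unset), 'ipv4' or 'ipv6'.
// As in jow-'s snippet, the presence of ':' marks an IPv6 address.
function addressFamily(value) {
  var v = (value || '').trim();
  if (!v) return '';
  return v.indexOf(':') !== -1 ? 'ipv6' : 'ipv4';
}

// Returns true when every non-empty address uses the same family, otherwise
// an error message (LuCI validators return true or a string to display).
function validateAddressFamilies(values) {
  var seen = null;
  for (var i = 0; i < values.length; i++) {
    var fam = addressFamily(values[i]);
    if (!fam) continue;                 // empty fields can never mismatch
    if (seen === null) seen = fam;
    else if (seen !== fam)
      return 'Address family of source, destination and SNAT IPs must match';
  }
  return true;
}

// Builds the function to assign to each option's .validate. The section
// object is assumed to expose getOption(name).isValid(id)/.formvalue(id)
// as in the snippet above; syntactically invalid fields are skipped because
// they already show their own error.
function makeSharedValidator(section, names) {
  return function(section_id) {
    var values = [];
    for (var i = 0; i < names.length; i++) {
      var opt = section.getOption(names[i]);
      if (!opt.isValid(section_id)) return true;
      values.push(opt.formvalue(section_id) || '');
    }
    return validateAddressFamilies(values);
  };
}

// Constructed stand-in for a LuCI section so the example runs offline;
// a field holding the marker 'INVALID' is treated as failing its own check.
function fakeSection(fields) {
  return { getOption: function(name) { return {
    isValid: function() { return fields[name] !== 'INVALID'; },
    formvalue: function() { return fields[name]; }
  }; } };
}
```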

update: luci-app-firewall: snats: validate address family

ptpt52 avatar Oct 20 '22 00:10 ptpt52

There may be a bug in the firewall backend. I am trying to set up this SNAT rule:

config nat 'nat6'
	option name 'nat6'
	option src 'wan'
	option target 'MASQUERADE'
	list proto 'all'

Expecting MASQ for IPv4 and IPv6, but only IPv4 was set:

nft list table inet fw4 | grep nat6
meta nfproto ipv4 masquerade comment "!fw4: nat6"

ptpt52 avatar Oct 20 '22 01:10 ptpt52

Yes, for backwards compatibility with fw3, only IPv4 is assumed if no explicit option family '*' or option family any or option family all is given.

jow- avatar Oct 20 '22 21:10 jow-

ready to merge?

ptpt52 avatar Oct 25 '22 02:10 ptpt52

Is there anyone else who can review this? To get it merged, maybe ping @feckert

ptpt52 avatar Nov 14 '22 20:11 ptpt52

Line 38 in forwards.js still has that hard-coded 'IPv4' label. I think it needs the same treatment that the 'rule_proto_txt' function in snats.js got.

efahl avatar Dec 14 '22 02:12 efahl

I tested the new changes in https://github.com/openwrt/luci/commit/9ca915ebc943fc7f248bc0100e061d547a189142 forwards.js and it worked for me.

efahl avatar Jan 12 '23 16:01 efahl

@jow- You initially reviewed this a few months ago (and you are the firewall expert). Ready to merge?

hnyman avatar Jan 21 '23 20:01 hnyman

Sorry for the long delay, I managed to runtime test this only now. Merged via 9c55500fe8efa309d55f34c21d5ae2bf69fabf06 - thank you for your work @ptpt52 !

jow- avatar Mar 15 '23 22:03 jow-