Dynamic Ipv6 fw rules handling

IPv6 Prefix changes by the ISP cause any fw rules created for specific clients on the LAN interface(s) to become invalid. Update AliasNameField.php Remove fieldtype
2026-03-15 00:54:41 +00:00 · 2021-04-24 17:00:14 +01:00 · 2021-04-24 17:00:14 +01:00 · 7311b413f6
commit 7311b413f6
parent eb1c6b800d
4 changed files with 64 additions and 0 deletions
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.xml
@ -37,6 +37,7 @@
                        <networkgroup>Network group</networkgroup>
                        <mac>MAC address</mac>
                        <external>External (advanced)</external>
+                        <dynipv6host>IPv6 Dynamic Host</dynipv6host>                                            
                    </OptionValues>
                </type>
                <proto type="OptionField">
@ -46,6 +47,8 @@
                        <IPv6>IPv6</IPv6>
                    </OptionValues>
                </proto>
+                <dyninterface type="InterfaceField">                                     
+                </dyninterface>
                <counters type="BooleanField">
                    <default>0</default>
                </counters>
--- a/src/opnsense/mvc/app/views/OPNsense/Firewall/alias.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Firewall/alias.volt
@ -215,6 +215,11 @@
                    $("#copy-paste").show();
                    break;
            }
+            if ($(this).val() === 'dynipv6host') {
+                $("#row_alias\\.dyninterface").show();
+            } else {
+                $("#row_alias\\.dyninterface").hide();
+            }
            if ($(this).val() === 'port') {
                $("#row_alias\\.counters").hide();
            } else {
@ -472,6 +477,7 @@
                                <option value="urltable">{{ lang._('URL Table (IPs)') }}</option>
                                <option value="geoip">{{ lang._('GeoIP') }}</option>
                                <option value="networkgroup">{{ lang._('Network group') }}</option>
+                                <option value="dynipv6host">{{ lang._('Dynamic IPv6 Host') }}</option>                                                                      
                                <option value="external">{{ lang._('External (advanced)') }}</option>
                            </select>
                        </div>
@ -691,6 +697,23 @@
                                        <span class="help-block" id="help_block_alias.content"></span>
                                    </td>
                                </tr>
+                                <tr id="row_alias.dyninterface">
+                                    <td>
+                                        <div class="alias dyninterface" id="alias_dyninterface">
+                                            <a id="help_for_alias.dyninterface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>
+                                            <b>{{lang._('dyninterface')}}</b>
+                                        </div>
+                                    </td>
+                                    <td>
+                                        <select  class="selectpicker" id="alias.dyninterface" data-width="200px"></select>                                       
+                                        <div class="hidden" data-for="help_for_alias.dyninterface">
+                                            <small>{{lang._('Select the dyninterface for the V6 dynamic IP')}}</small>
+                                        </div>
+                                    </td>
+                                    <td>
+                                        <span class="help-block" id="help_block_alias.enabled"></span>
+                                    </td>
+                                </tr>
                                <tr id="row_alias.counters">
                                    <td>
                                        <div class="control-label" id="control_label_alias.counters">
--- a/src/opnsense/scripts/filter/lib/alias.py
+++ b/src/opnsense/scripts/filter/lib/alias.py
@ -26,6 +26,9 @@
    --------------------------------------------------------------------------------------
    Alias representation
 """
+import socket
+import fcntl
+import struct        
 import os
 import re
 import time
@ -33,6 +36,7 @@ import requests
 import ipaddress
 import dns.resolver
 import syslog
+import subprocess                 
 from hashlib import md5
 from . import geoip
 from .arpcache import ArpCache
@ -57,6 +61,7 @@ class Alias(object):
        self._timeout = timeout
        self._name = None
        self._type = None
+        self._dyninterface = None
        self._proto = 'IPv4,IPv6'
        self._items = list()
        self._resolve_content = set()
@ -67,6 +72,8 @@ class Alias(object):
                self._proto = subelem.text
            elif subelem.tag == 'name':
                self._name = subelem.text
+            elif subelem.tag == 'dyninterface':
+                self._dyninterface = subelem.text        
            elif subelem.tag == 'ttl':
                tmp = subelem.text.strip()
                if len(tmp.split('.')) <= 2 and tmp.replace('.', '').isdigit():
@ -259,6 +266,31 @@ class Alias(object):
        # return the addresses and networks of this alias
        return list(self._resolve_content)

+    def _fetch_dynipv6(self, address):
+           
+        #get the interface /64 address   
+        address = address.strip()
+        sp = subprocess.run(['/sbin/ifconfig', self._dyninterface,'inet6'], capture_output=True, text=True)
+        for line in sp.stdout.split('\n'):
+            if line.find('prefixlen 64') > -1:
+                i_address = line.split(' ')[1]
+                if i_address[0] == '1' or i_address[0] == '2' or i_address[0] == 3:
+                    break
+        # split the mask - if no mask it's a /64
+        if address.find('/') > -1:
+            l_address,l_mask = address.split('/')
+        else:
+            l_mask = '64' 
+            l_address = address
+
+        base_mask = int(l_mask)
+        base_address = ipaddress.ip_address(i_address)
+        base_size=int((128-base_mask)/16)
+        combine_address='0'+l_address
+        ipv6_addr  = ipaddress.ip_address(combine_address)
+        calculated_address = ':'.join(base_address.exploded.split(':')[:8-base_size] + ipv6_addr.exploded.split(':')[8-base_size:])
+        for address in self._parse_address(calculated_address):
+             yield address
    def get_parser(self):
        """ fetch address parser to use, None if alias type is not handled here
            :return: function or None
@ -269,6 +301,8 @@ class Alias(object):
            return self._fetch_url
        elif self._type == 'geoip':
            return self._fetch_geo
+        elif self._type == 'dynipv6host':
+            return self._fetch_dynipv6
        elif self._type == 'mac':
            return ArpCache().iter_addresses
        else:
--- a/src/opnsense/service/templates/OPNsense/Filter/filter_tables.conf
+++ b/src/opnsense/service/templates/OPNsense/Filter/filter_tables.conf
@ -5,6 +5,8 @@
 {% endif %}
    </general>
 {% set new_style_aliases = 0 %}
+{# Macro import #}
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}                   
 {%  if helpers.exists('OPNsense.Firewall.Alias.aliases.alias') %}
 {% set new_style_aliases = OPNsense.Firewall.Alias.aliases.alias|length %}
 {%    for alias in helpers.toList('OPNsense.Firewall.Alias.aliases.alias') %}
@ -21,6 +23,8 @@
      <aliasurl>{{ alias.content|e|encode_idna }}</aliasurl>
 {%      elif alias.content %}
      <address>{{ alias.content|e|encode_idna }}</address>
+{%      endif %}{% if alias.dyninterface %}
+      <dyninterface>{{ physical_interface(alias.dyninterface)|default('LAN')                                                       
 {%      endif %}{% if alias.proto %}
      <proto>{{ alias.proto|e }}</proto>
 {%      endif %}{% if alias.updatefreq %}