lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-14 16:44:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

interfaces: move sysctls to system requirements related to #5630

Browse Source 
Tie them to the IPv6 allow setting which is used by more things
than just the filter, so also move the IPv6 allow to the general
settings for consistency.

There is not much point to tie these sysctls to their former
condition of something set in SLAAC or DHCPv6 connectivity mode
because "ifdisabled" is used and because prior you couldn't turn
it off without a reboot after having tried the IPv6 connetivity.

To make thus super effective refuse to configure IPv6 on interfaces
in these instances by forcing the individual IPv6 interface modes
to 'none'.
This commit is contained in:
Franco Fichtner 2024-05-30 08:48:14 +02:00
parent 35dc38c2fb
commit f5b298ec6c
7 changed files with 42 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/etc/config.xml.sample
View File

@ -227,7 +227,7 @@
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
<ipv6allow/>
<ipv6allow>1</ipv6allow>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>

10
src/etc/inc/filter.lib.inc
View File

@ -209,13 +209,13 @@ function filter_core_rules_system($fw, $defaults)
$fw->registerFilterRule(
1,
array('interface' => 'lo0', 'ipprotocol' => 'inet6', 'disabled' => isset($config['system']['ipv6allow']),
'descr' => 'Pass all loopback IPv6', '#ref' => 'system_advanced_firewall.php#ipv6allow'),
'descr' => 'Pass all loopback IPv6', '#ref' => 'system_advanced_network.php#ipv6allow'),
$defaults['pass']
);
$fw->registerFilterRule(
1,
array('ipprotocol' => 'inet6','descr' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow']),
'#ref' => 'system_advanced_firewall.php#ipv6allow'),
'#ref' => 'system_advanced_network.php#ipv6allow'),
$defaults['block']
);
@ -351,19 +351,19 @@ function filter_core_rules_system($fw, $defaults)
1,
array('protocol' => 'udp', 'from' => 'fe80::/10', 'from_port' => 546, 'to' => 'fe80::/10',
'interface' => $intf, 'to_port' => 546, 'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'],
'#ref' => 'system_advanced_firewall.php#ipv6allow'),
'#ref' => 'system_advanced_network.php#ipv6allow'),
$defaults['pass']
);
$fw->registerFilterRule(
1,
array('protocol' => 'udp', 'from_port' => 547,'to_port' => 546, 'direction' => 'in',
'interface' => $intf, 'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'],
'#ref' => 'system_advanced_firewall.php#ipv6allow'),
'#ref' => 'system_advanced_network.php#ipv6allow'),
$defaults['pass']
);
$dhcpv6_opts = array(
'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'],
'#ref' => 'system_advanced_firewall.php#ipv6allow',
'#ref' => 'system_advanced_network.php#ipv6allow',
'direction' => 'out',
'interface' => $intf,
'protocol' => 'udp',

7
src/etc/inc/interfaces.inc
View File

@ -2314,15 +2314,12 @@ function interface_configure($verbose = false, $interface = 'wan', $reload = fal
* already does that so at this point try to be more consistent.
*/
$interface_descr = sprintf('%s (%s)', !empty($wancfg['descr']) ? $wancfg['descr'] : strtoupper($interface), $interface);
/* XXX we should maybe set "ifdisabled" but it could be dangerous for assigned tunnel devices */
mwexecf('/sbin/ifconfig %s inet6 -accept_rtadv -no_dad description %s up', [$realif, $interface_descr]);
switch ($wancfg['ipaddrv6'] ?? 'none') {
switch (isset($config['system']['ipv6allow']) ? ($wancfg['ipaddrv6'] ?? 'none') : 'none') {
case 'slaac':
case 'dhcp6':
/* XXX move these to tunables maybe as they are global anyway */
set_single_sysctl('net.inet6.ip6.accept_rtadv', '1');
set_single_sysctl('net.inet6.ip6.rfc6204w3', '1');
mwexecf('/sbin/ifconfig %s inet6 %saccept_rtadv -ifdisabled up', [$realifv6, isset($wancfg['dhcp6deny_rtadv']) ? '-' : '']);
if (!isset($wancfg['dhcp6usev4iface'])) {

4
src/etc/inc/system.inc
View File

@ -74,8 +74,8 @@ function system_sysctl_defaults()
'hw.ixl.enable_head_writeback' => [ 'default' => '0', 'required' => true ],
'hw.syscons.kbd_reboot' => [ 'default' => '0' ],
'hw.uart.console' => [ 'default' => 'io:0x3f8,br:' . system_console_speed(), 'type' => 't' ], /* XXX support comconsole_port if needed */
'kern.ipc.maxsockbuf' => [ 'default' => '4262144' ],
'kern.coredump' => [ 'default' => '0', 'required' => true ],
'kern.ipc.maxsockbuf' => [ 'default' => '4262144' ],
'kern.randompid' => [ 'default' => '1' ],
'net.enc.in.ipsec_bpf_mask' => [ 'default' => '2', 'required' => true ], /* after processing */
'net.enc.in.ipsec_filter_mask' => [ 'default' => '2', 'required' => true ], /* after processing */
@ -103,10 +103,12 @@ function system_sysctl_defaults()
'net.inet.udp.blackhole' => [ 'default' => '1' ],
'net.inet.udp.checksum' => [ 'default' => 1 ],
'net.inet.udp.maxdgram' => [ 'default' => '57344' ],
'net.inet6.ip6.accept_rtadv' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0', 'required' => true ],
'net.inet6.ip6.forwarding' => [ 'default' => '1', 'required' => true ],
'net.inet6.ip6.intr_queue_maxlen' => [ 'default' => '1000', 'required' => true ],
'net.inet6.ip6.prefer_tempaddr' => [ 'default' => '0' ],
'net.inet6.ip6.redirect' => [ 'default' => '0' ],
'net.inet6.ip6.rfc6204w3' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0', 'required' => true ],
'net.inet6.ip6.use_tempaddr' => [ 'default' => '0' ],
'net.link.bridge.pfil_bridge' => [ 'default' => '0' ],
'net.link.bridge.pfil_local_phys' => [ 'default' => '0' ],

2
src/etc/rc.newwanip
View File

@ -82,7 +82,7 @@ interfaces_vips_configure($interface, 4);
$greifs = link_interface_to_gre($interface, true, 4);
$gififs = link_interface_to_gif($interface, true, 4);
switch ($config['interfaces'][$interface]['ipaddrv6'] ?? 'none') {
switch (isset($config['system']['ipv6allow']) ? ($config['interfaces'][$interface]['ipaddrv6'] ?? 'none') : 'none') {
case '6to4':
interface_6to4_configure($interface, $config['interfaces'][$interface], true);
system_routing_configure(false, $interface); /* XXX interface recreation breaks attached routes */

31
src/www/system_advanced_firewall.php
View File

@ -35,7 +35,6 @@ require_once("system.inc");
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
$pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
$pconfig['disablefilter'] = !empty($config['system']['disablefilter']);
$pconfig['optimization'] = isset($config['system']['optimization']) ? $config['system']['optimization'] : "normal";
$pconfig['state-policy'] = isset($config['system']['state-policy']) ;
@ -151,12 +150,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['srctrack']);
}
if (!empty($pconfig['ipv6allow'])) {
$config['system']['ipv6allow'] = true;
} elseif (isset($config['system']['ipv6allow'])) {
unset($config['system']['ipv6allow']);
}
if (!empty($pconfig['disablefilter'])) {
$config['system']['disablefilter'] = "enabled";
} elseif (isset($config['system']['disablefilter'])) {
@ -305,29 +298,6 @@ include("head.inc");
?>
<section class="col-xs-12">
<form method="post" name="iform" id="iform">
<div class="content-box tab-content table-responsive __mb">
<table class="table table-striped opnsense_standard_table_form">
<tr>
<td style="width:22%"><strong><?= gettext('IPv6 Options') ?></strong></td>
<td style="width:78%; text-align:right">
<small><?=gettext("full help"); ?> </small>
<i class="fa fa-toggle-off text-danger" style="cursor: pointer;" id="show_all_help_page"></i>
</td>
</tr>
<tr>
<td><a id="help_for_ipv6allow" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow IPv6"); ?></td>
<td>
<input name="ipv6allow" type="checkbox" value="yes" <?= !empty($pconfig['ipv6allow']) ? "checked=\"checked\"" :"";?> onclick="enable_change(false)" />
<?=gettext("Allow IPv6"); ?>
<div class="hidden" data-for="help_for_ipv6allow">
<?=gettext("All IPv6 traffic will be blocked by the firewall unless this box is checked."); ?><br />
<?=gettext("NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic."); ?><br />
</div>
</td>
</tr>
<?php if (count($config['interfaces']) > 1): ?>
</table>
</div>
<div class="content-box tab-content table-responsive __mb">
<table class="table table-striped opnsense_standard_table_form">
<tr>
@ -363,7 +333,6 @@ include("head.inc");
</div>
</td>
</tr>
<?php endif; ?>
</table>
</div>
<div class="content-box tab-content table-responsive __mb">

35
src/www/system_advanced_network.php
View File

@ -171,6 +171,7 @@ $duid = read_duid();
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = [];
$pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
$pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksumoffloading']);
$pconfig['disablesegmentationoffloading'] = isset($config['system']['disablesegmentationoffloading']);
$pconfig['disablelargereceiveoffloading'] = isset($config['system']['disablelargereceiveoffloading']);
@ -198,6 +199,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['sharednet']);
}
if (!empty($pconfig['ipv6allow'])) {
$config['system']['ipv6allow'] = true;
} elseif (isset($config['system']['ipv6allow'])) {
unset($config['system']['ipv6allow']);
}
if (!empty($pconfig['disablechecksumoffloading'])) {
$config['system']['disablechecksumoffloading'] = true;
} elseif (isset($config['system']['disablechecksumoffloading'])) {
@ -248,6 +255,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
interface_dhcpv6_configure('duidonly', null); /* XXX refactor */
system_sysctl_configure();
interfaces_hardware();
/* XXX interfaces IPv6 mode is forced to disable maybe but we are not reconfiguring here */
filter_configure();
}
}
@ -257,6 +266,12 @@ include("head.inc");
?>
<script>
$( document ).ready(function () {
window_highlight_table_option();
});
</script>
<body>
<?php include("fbegin.inc"); ?>
<section class="page-content-main">
@ -285,7 +300,7 @@ include("head.inc");
<td><a id="help_for_disablechecksumoffloading" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hardware CRC"); ?></td>
<td>
<input name="disablechecksumoffloading" type="checkbox" id="disablechecksumoffloading" value="yes" <?= !empty($pconfig['disablechecksumoffloading']) ? "checked=\"checked\"" :"";?> />
<strong><?=gettext("Disable hardware checksum offload"); ?></strong>
<?=gettext("Disable hardware checksum offload"); ?>
<div class="hidden" data-for="help_for_disablechecksumoffloading">
<?=gettext("Checking this option will disable hardware checksum offloading. Checksum offloading is broken in some hardware, particularly some Realtek cards. Rarely, drivers may have problems with checksum offloading and some specific NICs."); ?>
</div>
@ -295,7 +310,7 @@ include("head.inc");
<td><a id="help_for_disablesegmentationoffloading" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hardware TSO"); ?></td>
<td>
<input name="disablesegmentationoffloading" type="checkbox" id="disablesegmentationoffloading" value="yes" <?= !empty($pconfig['disablesegmentationoffloading']) ? "checked=\"checked\"" :"";?>/>
<strong><?=gettext("Disable hardware TCP segmentation offload"); ?></strong><br />
<?=gettext("Disable hardware TCP segmentation offload"); ?>
<div class="hidden" data-for="help_for_disablesegmentationoffloading">
<?=gettext("Checking this option will disable hardware TCP segmentation offloading (TSO, TSO4, TSO6). This offloading is broken in some hardware drivers, and may impact performance with some specific NICs."); ?>
</div>
@ -305,7 +320,7 @@ include("head.inc");
<td><a id="help_for_disablelargereceiveoffloading" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hardware LRO"); ?></td>
<td>
<input name="disablelargereceiveoffloading" type="checkbox" id="disablelargereceiveoffloading" value="yes" <?= !empty($pconfig['disablelargereceiveoffloading']) ? "checked=\"checked\"" :"";?>/>
<strong><?=gettext("Disable hardware large receive offload"); ?></strong><br />
<?=gettext("Disable hardware large receive offload"); ?>
<div class="hidden" data-for="help_for_disablelargereceiveoffloading">
<?=gettext("Checking this option will disable hardware large receive offloading (LRO). This offloading is broken in some hardware drivers, and may impact performance with some specific NICs."); ?>
</div>
@ -333,13 +348,23 @@ include("head.inc");
<tr>
<td><a id="help_for_sharednet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("ARP Handling"); ?></td>
<td>
<input name="sharednet" type="checkbox" id="sharednet" value="yes" <?= !empty($pconfig['sharednet']) ? "checked=\"checked\"" :"";?>/>
<strong><?=gettext("Suppress ARP messages"); ?></strong><br />
<input name="sharednet" type="checkbox" id="sharednet" value="yes" <?= !empty($pconfig['sharednet']) ? 'checked="checked"' : '' ?>/>
<?=gettext("Suppress ARP messages"); ?>
<div class="hidden" data-for="help_for_sharednet">
<?=gettext("This option will suppress ARP log messages when multiple interfaces reside on the same broadcast domain"); ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_ipv6allow" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Allow IPv6') ?></td>
<td>
<input name="ipv6allow" id="ipv6allow" type="checkbox" value="yes" <?= !empty($pconfig['ipv6allow']) ? 'checked="checked"' : '' ?>/>
<?= gettext('Allow IPv6') ?>
<div class="hidden" data-for="help_for_ipv6allow">
<?= gettext('If unchecked, IPv6 interface configuration will be ignored and all forwarding traffic will be blocked. Use with care.') ?>
</div>
</td>
</tr>
</table>
</div>
<div class="content-box tab-content table-responsive __mb">