From f5b298ec6cbfea7ee526d3eef2ebe12b49abc803 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Thu, 30 May 2024 08:48:14 +0200 Subject: [PATCH] interfaces: move sysctls to system requirements related to #5630 Tie them to the IPv6 allow setting which is used by more things than just the filter, so also move the IPv6 allow to the general settings for consistency. There is not much point to tie these sysctls to their former condition of something set in SLAAC or DHCPv6 connectivity mode because "ifdisabled" is used and because prior you couldn't turn it off without a reboot after having tried the IPv6 connetivity. To make thus super effective refuse to configure IPv6 on interfaces in these instances by forcing the individual IPv6 interface modes to 'none'. --- src/etc/config.xml.sample | 2 +- src/etc/inc/filter.lib.inc | 10 ++++---- src/etc/inc/interfaces.inc | 7 ++---- src/etc/inc/system.inc | 4 +++- src/etc/rc.newwanip | 2 +- src/www/system_advanced_firewall.php | 31 ------------------------ src/www/system_advanced_network.php | 35 ++++++++++++++++++++++++---- 7 files changed, 42 insertions(+), 49 deletions(-) diff --git a/src/etc/config.xml.sample b/src/etc/config.xml.sample index dff25b283..f75130262 100644 --- a/src/etc/config.xml.sample +++ b/src/etc/config.xml.sample @@ -227,7 +227,7 @@ 1 1 1 - + 1 hadp hadp hadp diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc index 01f83651f..3c5923202 100644 --- a/src/etc/inc/filter.lib.inc +++ b/src/etc/inc/filter.lib.inc 
@@ -209,13 +209,13 @@ function filter_core_rules_system($fw, $defaults)
 $fw->registerFilterRule(
 1,
 array('interface' => 'lo0', 'ipprotocol' => 'inet6', 'disabled' => isset($config['system']['ipv6allow']),
- 'descr' => 'Pass all loopback IPv6', '#ref' => 'system_advanced_firewall.php#ipv6allow'),
+ 'descr' => 'Pass all loopback IPv6', '#ref' => 'system_advanced_network.php#ipv6allow'),
 $defaults['pass']
 );
 $fw->registerFilterRule(
 1,
 array('ipprotocol' => 'inet6','descr' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow']),
- '#ref' => 'system_advanced_firewall.php#ipv6allow'),
+ '#ref' => 'system_advanced_network.php#ipv6allow'),
 $defaults['block']
 );
@@ -351,19 +351,19 @@ function filter_core_rules_system($fw, $defaults)
 1,
 array('protocol' => 'udp', 'from' => 'fe80::/10', 'from_port' => 546, 'to' => 'fe80::/10', 'interface' => $intf, 'to_port' => 546, 'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'],
- '#ref' => 'system_advanced_firewall.php#ipv6allow'),
+ '#ref' => 'system_advanced_network.php#ipv6allow'),
 $defaults['pass']
 );
 $fw->registerFilterRule(
 1,
 array('protocol' => 'udp', 'from_port' => 547,'to_port' => 546, 'direction' => 'in', 'interface' => $intf, 'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'],
- '#ref' => 'system_advanced_firewall.php#ipv6allow'),
+ '#ref' => 'system_advanced_network.php#ipv6allow'),
 $defaults['pass']
 );
 $dhcpv6_opts = array(
 'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'],
- '#ref' => 'system_advanced_firewall.php#ipv6allow',
+ '#ref' => 'system_advanced_network.php#ipv6allow',
 'direction' => 'out',
 'interface' => $intf,
 'protocol' => 'udp',
diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
index a49599689..bbbdc7485 100644
--- a/src/etc/inc/interfaces.inc
+++ b/src/etc/inc/interfaces.inc
@@ -2314,15 +2314,12 @@ function interface_configure($verbose = false, $interface = 'wan', $reload = fal
 * already does that so at this point try to be more consistent. */
 $interface_descr = sprintf('%s (%s)', !empty($wancfg['descr']) ? $wancfg['descr'] : strtoupper($interface), $interface);
+ /* XXX we should maybe set "ifdisabled" but it could be dangerous for assigned tunnel devices */
 mwexecf('/sbin/ifconfig %s inet6 -accept_rtadv -no_dad description %s up', [$realif, $interface_descr]);
- switch ($wancfg['ipaddrv6'] ?? 'none') {
+ switch (isset($config['system']['ipv6allow']) ? ($wancfg['ipaddrv6'] ?? 'none') : 'none') {
 case 'slaac':
 case 'dhcp6':
- /* XXX move these to tunables maybe as they are global anyway */
- set_single_sysctl('net.inet6.ip6.accept_rtadv', '1');
- set_single_sysctl('net.inet6.ip6.rfc6204w3', '1');
-
 mwexecf('/sbin/ifconfig %s inet6 %saccept_rtadv -ifdisabled up', [$realifv6, isset($wancfg['dhcp6deny_rtadv']) ? '-' : '']);
 if (!isset($wancfg['dhcp6usev4iface'])) {
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 804509626..c3fa13052 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -74,8 +74,8 @@ function system_sysctl_defaults()
 'hw.ixl.enable_head_writeback' => [ 'default' => '0', 'required' => true ],
 'hw.syscons.kbd_reboot' => [ 'default' => '0' ],
 'hw.uart.console' => [ 'default' => 'io:0x3f8,br:' . system_console_speed(), 'type' => 't' ], /* XXX support comconsole_port if needed */
- 'kern.ipc.maxsockbuf' => [ 'default' => '4262144' ],
 'kern.coredump' => [ 'default' => '0', 'required' => true ],
+ 'kern.ipc.maxsockbuf' => [ 'default' => '4262144' ],
 'kern.randompid' => [ 'default' => '1' ],
 'net.enc.in.ipsec_bpf_mask' => [ 'default' => '2', 'required' => true ], /* after processing */
 'net.enc.in.ipsec_filter_mask' => [ 'default' => '2', 'required' => true ], /* after processing */
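Review bot: The gating expression `isset($config['system']['ipv6allow']) ? ($wancfg['ipaddrv6'] ?? 'none') : 'none'` on the new `switch` line is now the single decision point for whether an interface gets IPv6 at all, and the same expression is repeated verbatim in the rc.newwanip hunk; a small helper such as `function interface_ipv6_mode($ifcfg) { global $config; return isset($config['system']['ipv6allow']) ? ($ifcfg['ipaddrv6'] ?? 'none') : 'none'; }` would keep the two call sites from drifting apart the next time the policy changes. The new condition also reads `$config` inside interface_configure, which the removed `set_single_sysctl()` calls did not need; the function header is outside the hunk, so confirm it already declares `global $config`, otherwise the setting is never seen and every interface silently falls to 'none'. interface_configure's body continues past the end of the hunk.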
@@ -103,10 +103,12 @@ function system_sysctl_defaults()
 'net.inet.udp.blackhole' => [ 'default' => '1' ],
 'net.inet.udp.checksum' => [ 'default' => 1 ],
 'net.inet.udp.maxdgram' => [ 'default' => '57344' ],
+ 'net.inet6.ip6.accept_rtadv' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0', 'required' => true ],
 'net.inet6.ip6.forwarding' => [ 'default' => '1', 'required' => true ],
 'net.inet6.ip6.intr_queue_maxlen' => [ 'default' => '1000', 'required' => true ],
 'net.inet6.ip6.prefer_tempaddr' => [ 'default' => '0' ],
 'net.inet6.ip6.redirect' => [ 'default' => '0' ],
+ 'net.inet6.ip6.rfc6204w3' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0', 'required' => true ],
 'net.inet6.ip6.use_tempaddr' => [ 'default' => '0' ],
 'net.link.bridge.pfil_bridge' => [ 'default' => '0' ],
 'net.link.bridge.pfil_local_phys' => [ 'default' => '0' ],
diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip
index cb6ec5af2..88fc123dd 100755
--- a/src/etc/rc.newwanip
+++ b/src/etc/rc.newwanip
@@ -82,7 +82,7 @@ interfaces_vips_configure($interface, 4);
 $greifs = link_interface_to_gre($interface, true, 4);
 $gififs = link_interface_to_gif($interface, true, 4);
-switch ($config['interfaces'][$interface]['ipaddrv6'] ?? 'none') {
+switch (isset($config['system']['ipv6allow']) ? ($config['interfaces'][$interface]['ipaddrv6'] ?? 'none') : 'none') {
 case '6to4':
 interface_6to4_configure($interface, $config['interfaces'][$interface], true);
 system_routing_configure(false, $interface); /* XXX interface recreation breaks attached routes */
diff --git a/src/www/system_advanced_firewall.php b/src/www/system_advanced_firewall.php
index 05b51a9ae..8f49f01cb 100644
--- a/src/www/system_advanced_firewall.php
+++ b/src/www/system_advanced_firewall.php
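Review bot: The two added entries evaluate `isset($config['system']['ipv6allow'])` when `system_sysctl_defaults()` runs, so the defaults table is no longer a constant map but depends on configuration state at call time; the function header is outside the hunk, so confirm `$config` is declared `global` there, otherwise both keys quietly default to '0' even with IPv6 allowed. Both entries also carry `'required' => true`, which (if the consumer treats it the way the other required keys here suggest) prevents a tunable from overriding them; that coupling deserves a trailing comment such as `/* follows the IPv6 allow setting, not overridable via tunables */` so nobody later "fixes" a stuck value by adding a tunable. Fail-closed is the right direction here: with the setting unset the system default for `net.inet6.ip6.accept_rtadv` is 0, although my understanding is that this sysctl seeds the per-interface default rather than overriding an explicit `ifconfig accept_rtadv` flag, which is why the per-interface gating in interfaces.inc still matters.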
@@ -35,7 +35,6 @@ require_once("system.inc");
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig = array();
- $pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
 $pconfig['disablefilter'] = !empty($config['system']['disablefilter']);
 $pconfig['optimization'] = isset($config['system']['optimization']) ? $config['system']['optimization'] : "normal";
 $pconfig['state-policy'] = isset($config['system']['state-policy']) ;
@@ -151,12 +150,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 unset($config['system']['srctrack']);
 }
- if (!empty($pconfig['ipv6allow'])) {
- $config['system']['ipv6allow'] = true;
- } elseif (isset($config['system']['ipv6allow'])) {
- unset($config['system']['ipv6allow']);
- }
-
 if (!empty($pconfig['disablefilter'])) {
 $config['system']['disablefilter'] = "enabled";
 } elseif (isset($config['system']['disablefilter'])) {
@@ -305,29 +298,6 @@ include("head.inc");
 ?>
-
- - - - - - - - - - 1): ?> -
- - -
- onclick="enable_change(false)" /> - - -
-
@@ -363,7 +333,6 @@ include("head.inc"); -
diff --git a/src/www/system_advanced_network.php b/src/www/system_advanced_network.php index fdcef8ced..44e075727 100644 --- a/src/www/system_advanced_network.php +++ b/src/www/system_advanced_network.php @@ -171,6 +171,7 @@ $duid = read_duid(); if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig = []; + $pconfig['ipv6allow'] = isset($config['system']['ipv6allow']); $pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksumoffloading']); $pconfig['disablesegmentationoffloading'] = isset($config['system']['disablesegmentationoffloading']); $pconfig['disablelargereceiveoffloading'] = isset($config['system']['disablelargereceiveoffloading']); @@ -198,6 +199,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { unset($config['system']['sharednet']); } + if (!empty($pconfig['ipv6allow'])) { + $config['system']['ipv6allow'] = true; + } elseif (isset($config['system']['ipv6allow'])) { + unset($config['system']['ipv6allow']); + } + if (!empty($pconfig['disablechecksumoffloading'])) { $config['system']['disablechecksumoffloading'] = true; } elseif (isset($config['system']['disablechecksumoffloading'])) { @@ -248,6 +255,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { interface_dhcpv6_configure('duidonly', null); /* XXX refactor */ system_sysctl_configure(); interfaces_hardware(); + /* XXX interfaces IPv6 mode is forced to disable maybe but we are not reconfiguring here */ + filter_configure(); } } @@ -257,6 +266,12 @@ include("head.inc"); ?> + +
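Review bot: The `filter_configure()` added at the end of the save path re-applies the IPv6 block rules when the setting changes, but, as the XXX comment above it concedes, interfaces are not reconfigured here, so an interface that already obtained addresses via SLAAC or DHCPv6 keeps them (and its accept_rtadv flag) until it is next reloaded, and the `system_sysctl_configure()` call two lines up only changes the kernel default for interfaces configured afterwards; this is my reading of the flow, since the enclosing POST branch starts outside the hunk. The comment should state the consequence rather than the vague "maybe", e.g. `/* XXX disabling IPv6 here does not tear down addresses already configured on interfaces; only sysctl defaults and filter rules are reapplied until the interfaces are reloaded */`. The same caveat belongs in the help text of the new checkbox in the form hunks below, so an operator turning IPv6 off does not assume the change is immediate.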
@@ -285,7 +300,7 @@ include("head.inc"); /> - + @@ -295,7 +310,7 @@ include("head.inc"); /> -
+ @@ -305,7 +320,7 @@ include("head.inc"); /> -
+ @@ -333,13 +348,23 @@ include("head.inc"); - /> -
+ /> + + + + + /> + + + +