feat(network): enable ipv6 connection and tunneling (#1114)
Co-authored-by: Quentin McGaw <quentin.mcgaw@gmail.com>
This commit is contained in:
EkilDeew
@@ -101,6 +101,9 @@ func (c *Config) enable(ctx context.Context) (err error) {
|
|||||||
if err := c.acceptOutputFromIPToSubnet(ctx, network.InterfaceName, network.IP, *network.IPNet, remove); err != nil {
|
if err := c.acceptOutputFromIPToSubnet(ctx, network.InterfaceName, network.IP, *network.IPNet, remove); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
if err = c.acceptIpv6MulticastOutput(ctx, network.InterfaceName, remove); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = c.allowOutboundSubnets(ctx); err != nil {
|
if err = c.allowOutboundSubnets(ctx); err != nil {
|
||||||
|
|||||||
@@ -179,6 +179,18 @@ func (c *Config) acceptOutputFromIPToSubnet(ctx context.Context,
|
|||||||
return c.runIP6tablesInstruction(ctx, instruction)
|
return c.runIP6tablesInstruction(ctx, instruction)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NDP uses multicast address (theres no broadcast in IPv6 like ARP uses in IPv4).
|
||||||
|
func (c *Config) acceptIpv6MulticastOutput(ctx context.Context,
|
||||||
|
intf string, remove bool) error {
|
||||||
|
interfaceFlag := "-o " + intf
|
||||||
|
if intf == "*" { // all interfaces
|
||||||
|
interfaceFlag = ""
|
||||||
|
}
|
||||||
|
instruction := fmt.Sprintf("%s OUTPUT %s -d ff02::1:ff/104 -j ACCEPT",
|
||||||
|
appendOrDelete(remove), interfaceFlag)
|
||||||
|
return c.runIP6tablesInstruction(ctx, instruction)
|
||||||
|
}
|
||||||
|
|
||||||
// Used for port forwarding, with intf set to tun.
|
// Used for port forwarding, with intf set to tun.
|
||||||
func (c *Config) acceptInputToPort(ctx context.Context, intf string, port uint16, remove bool) error {
|
func (c *Config) acceptInputToPort(ctx context.Context, intf string, port uint16, remove bool) error {
|
||||||
interfaceFlag := "-i " + intf
|
interfaceFlag := "-i " + intf
|
||||||
|
|||||||
@@ -43,8 +43,11 @@ func (r *Routing) DefaultRoutes() (defaultRoutes []DefaultRoute, err error) {
|
|||||||
}
|
}
|
||||||
attributes := link.Attrs()
|
attributes := link.Attrs()
|
||||||
defaultRoute.NetInterface = attributes.Name
|
defaultRoute.NetInterface = attributes.Name
|
||||||
|
family := netlink.FAMILY_V6
|
||||||
defaultRoute.AssignedIP, err = r.assignedIP(defaultRoute.NetInterface)
|
if route.Gw.To4() != nil {
|
||||||
|
family = netlink.FAMILY_V4
|
||||||
|
}
|
||||||
|
defaultRoute.AssignedIP, err = r.assignedIP(defaultRoute.NetInterface, family)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("cannot get assigned IP of %s: %w", defaultRoute.NetInterface, err)
|
return nil, fmt.Errorf("cannot get assigned IP of %s: %w", defaultRoute.NetInterface, err)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,6 +4,8 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
|
||||||
|
"github.com/qdm12/gluetun/internal/netlink"
|
||||||
)
|
)
|
||||||
|
|
||||||
func IPIsPrivate(ip net.IP) bool {
|
func IPIsPrivate(ip net.IP) bool {
|
||||||
@@ -15,7 +17,12 @@ var (
|
|||||||
errInterfaceIPNotFound = errors.New("IP address not found for interface")
|
errInterfaceIPNotFound = errors.New("IP address not found for interface")
|
||||||
)
|
)
|
||||||
|
|
||||||
func (r *Routing) assignedIP(interfaceName string) (ip net.IP, err error) {
|
func ipMatchesFamily(ip net.IP, family int) bool {
|
||||||
|
return (family == netlink.FAMILY_V6 && ip.To4() == nil) ||
|
||||||
|
(family == netlink.FAMILY_V4 && ip.To4() != nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *Routing) assignedIP(interfaceName string, family int) (ip net.IP, err error) {
|
||||||
iface, err := net.InterfaceByName(interfaceName)
|
iface, err := net.InterfaceByName(interfaceName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("network interface %s not found: %w", interfaceName, err)
|
return nil, fmt.Errorf("network interface %s not found: %w", interfaceName, err)
|
||||||
@@ -27,9 +34,13 @@ func (r *Routing) assignedIP(interfaceName string) (ip net.IP, err error) {
|
|||||||
for _, address := range addresses {
|
for _, address := range addresses {
|
||||||
switch value := address.(type) {
|
switch value := address.(type) {
|
||||||
case *net.IPAddr:
|
case *net.IPAddr:
|
||||||
return value.IP, nil
|
if ipMatchesFamily(value.IP, family) {
|
||||||
|
return value.IP, nil
|
||||||
|
}
|
||||||
case *net.IPNet:
|
case *net.IPNet:
|
||||||
return value.IP, nil
|
if ipMatchesFamily(value.IP, family) {
|
||||||
|
return value.IP, nil
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return nil, fmt.Errorf("%w: interface %s in %d addresses",
|
return nil, fmt.Errorf("%w: interface %s in %d addresses",
|
||||||
|
|||||||
@@ -41,7 +41,7 @@ func (r *Routing) LocalNetworks() (localNetworks []LocalNetwork, err error) {
|
|||||||
return localNetworks, fmt.Errorf("%w: in %d links", ErrLinkLocalNotFound, len(links))
|
return localNetworks, fmt.Errorf("%w: in %d links", ErrLinkLocalNotFound, len(links))
|
||||||
}
|
}
|
||||||
|
|
||||||
routes, err := r.netLinker.RouteList(nil, netlink.FAMILY_V4)
|
routes, err := r.netLinker.RouteList(nil, netlink.FAMILY_ALL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return localNetworks, fmt.Errorf("cannot list routes: %w", err)
|
return localNetworks, fmt.Errorf("cannot list routes: %w", err)
|
||||||
}
|
}
|
||||||
@@ -65,7 +65,11 @@ func (r *Routing) LocalNetworks() (localNetworks []LocalNetwork, err error) {
|
|||||||
|
|
||||||
localNet.InterfaceName = link.Attrs().Name
|
localNet.InterfaceName = link.Attrs().Name
|
||||||
|
|
||||||
ip, err := r.assignedIP(localNet.InterfaceName)
|
family := netlink.FAMILY_V6
|
||||||
|
if localNet.IPNet.IP.To4() != nil {
|
||||||
|
family = netlink.FAMILY_V4
|
||||||
|
}
|
||||||
|
ip, err := r.assignedIP(localNet.InterfaceName, family)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return localNetworks, err
|
return localNetworks, err
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -10,6 +10,7 @@ import (
|
|||||||
"github.com/qdm12/gluetun/internal/netlink"
|
"github.com/qdm12/gluetun/internal/netlink"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Test_netlink_Wireguard_addAddresses(t *testing.T) {
|
func Test_netlink_Wireguard_addAddresses(t *testing.T) {
|
||||||
@@ -75,15 +76,17 @@ func Test_netlink_Wireguard_addRule(t *testing.T) {
|
|||||||
|
|
||||||
rulePriority := 10000
|
rulePriority := 10000
|
||||||
const firewallMark = 999
|
const firewallMark = 999
|
||||||
|
const family = unix.AF_INET // ipv4
|
||||||
|
|
||||||
cleanup, err := wg.addRule(rulePriority, firewallMark)
|
cleanup, err := wg.addRule(rulePriority,
|
||||||
|
firewallMark, family)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
defer func() {
|
defer func() {
|
||||||
err := cleanup()
|
err := cleanup()
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
}()
|
}()
|
||||||
|
|
||||||
rules, err := netlinker.RuleList(netlink.FAMILY_ALL)
|
rules, err := netlinker.RuleList(netlink.FAMILY_V4)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
var rule netlink.Rule
|
var rule netlink.Rule
|
||||||
var ruleFound bool
|
var ruleFound bool
|
||||||
@@ -108,7 +111,8 @@ func Test_netlink_Wireguard_addRule(t *testing.T) {
|
|||||||
assert.Equal(t, expectedRule, rule)
|
assert.Equal(t, expectedRule, rule)
|
||||||
|
|
||||||
// Existing rule cannot be added
|
// Existing rule cannot be added
|
||||||
nilCleanup, err := wg.addRule(rulePriority, firewallMark)
|
nilCleanup, err := wg.addRule(rulePriority,
|
||||||
|
firewallMark, family)
|
||||||
if nilCleanup != nil {
|
if nilCleanup != nil {
|
||||||
_ = nilCleanup() // in case it succeeds
|
_ = nilCleanup() // in case it succeeds
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,13 +6,14 @@ import (
|
|||||||
"github.com/qdm12/gluetun/internal/netlink"
|
"github.com/qdm12/gluetun/internal/netlink"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (w *Wireguard) addRule(rulePriority, firewallMark int) (
|
func (w *Wireguard) addRule(rulePriority, firewallMark, family int) (
|
||||||
cleanup func() error, err error) {
|
cleanup func() error, err error) {
|
||||||
rule := netlink.NewRule()
|
rule := netlink.NewRule()
|
||||||
rule.Invert = true
|
rule.Invert = true
|
||||||
rule.Priority = rulePriority
|
rule.Priority = rulePriority
|
||||||
rule.Mark = firewallMark
|
rule.Mark = firewallMark
|
||||||
rule.Table = firewallMark
|
rule.Table = firewallMark
|
||||||
|
rule.Family = family
|
||||||
if err := w.netlink.RuleAdd(rule); err != nil {
|
if err := w.netlink.RuleAdd(rule); err != nil {
|
||||||
return nil, fmt.Errorf("cannot add rule %s: %w", rule, err)
|
return nil, fmt.Errorf("cannot add rule %s: %w", rule, err)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -8,6 +8,7 @@ import (
|
|||||||
"github.com/qdm12/gluetun/internal/netlink"
|
"github.com/qdm12/gluetun/internal/netlink"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Test_Wireguard_addRule(t *testing.T) {
|
func Test_Wireguard_addRule(t *testing.T) {
|
||||||
@@ -15,6 +16,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
|||||||
|
|
||||||
const rulePriority = 987
|
const rulePriority = 987
|
||||||
const firewallMark = 456
|
const firewallMark = 456
|
||||||
|
const family = unix.AF_INET
|
||||||
|
|
||||||
errDummy := errors.New("dummy")
|
errDummy := errors.New("dummy")
|
||||||
|
|
||||||
@@ -36,6 +38,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
|||||||
Flow: -1,
|
Flow: -1,
|
||||||
SuppressIfgroup: -1,
|
SuppressIfgroup: -1,
|
||||||
SuppressPrefixlen: -1,
|
SuppressPrefixlen: -1,
|
||||||
|
Family: family,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"rule add error": {
|
"rule add error": {
|
||||||
@@ -49,6 +52,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
|||||||
Flow: -1,
|
Flow: -1,
|
||||||
SuppressIfgroup: -1,
|
SuppressIfgroup: -1,
|
||||||
SuppressPrefixlen: -1,
|
SuppressPrefixlen: -1,
|
||||||
|
Family: family,
|
||||||
},
|
},
|
||||||
ruleAddErr: errDummy,
|
ruleAddErr: errDummy,
|
||||||
err: errors.New("cannot add rule ip rule 987: from all to all table 456: dummy"),
|
err: errors.New("cannot add rule ip rule 987: from all to all table 456: dummy"),
|
||||||
@@ -64,6 +68,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
|||||||
Flow: -1,
|
Flow: -1,
|
||||||
SuppressIfgroup: -1,
|
SuppressIfgroup: -1,
|
||||||
SuppressPrefixlen: -1,
|
SuppressPrefixlen: -1,
|
||||||
|
Family: family,
|
||||||
},
|
},
|
||||||
ruleDelErr: errDummy,
|
ruleDelErr: errDummy,
|
||||||
cleanupErr: errors.New("cannot delete rule ip rule 987: from all to all table 456: dummy"),
|
cleanupErr: errors.New("cannot delete rule ip rule 987: from all to all table 456: dummy"),
|
||||||
@@ -83,7 +88,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
|||||||
|
|
||||||
netLinker.EXPECT().RuleAdd(testCase.expectedRule).
|
netLinker.EXPECT().RuleAdd(testCase.expectedRule).
|
||||||
Return(testCase.ruleAddErr)
|
Return(testCase.ruleAddErr)
|
||||||
cleanup, err := wg.addRule(rulePriority, firewallMark)
|
cleanup, err := wg.addRule(rulePriority, firewallMark, family)
|
||||||
if testCase.err != nil {
|
if testCase.err != nil {
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
assert.Equal(t, testCase.err.Error(), err.Error())
|
assert.Equal(t, testCase.err.Error(), err.Error())
|
||||||
|
|||||||
@@ -8,6 +8,7 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/qdm12/gluetun/internal/netlink"
|
"github.com/qdm12/gluetun/internal/netlink"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
"golang.zx2c4.com/wireguard/conn"
|
"golang.zx2c4.com/wireguard/conn"
|
||||||
"golang.zx2c4.com/wireguard/device"
|
"golang.zx2c4.com/wireguard/device"
|
||||||
"golang.zx2c4.com/wireguard/ipc"
|
"golang.zx2c4.com/wireguard/ipc"
|
||||||
@@ -29,7 +30,6 @@ var (
|
|||||||
ErrDeviceInfo = errors.New("cannot get wireguard device information")
|
ErrDeviceInfo = errors.New("cannot get wireguard device information")
|
||||||
ErrIfaceUp = errors.New("cannot set the interface to UP")
|
ErrIfaceUp = errors.New("cannot set the interface to UP")
|
||||||
ErrRouteAdd = errors.New("cannot add route for interface")
|
ErrRouteAdd = errors.New("cannot add route for interface")
|
||||||
ErrRuleAdd = errors.New("cannot add rule for interface")
|
|
||||||
ErrDeviceWaited = errors.New("device waited for")
|
ErrDeviceWaited = errors.New("device waited for")
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -96,34 +96,52 @@ func (w *Wireguard) Run(ctx context.Context, waitError chan<- error, ready chan<
|
|||||||
|
|
||||||
if *w.settings.IPv6 {
|
if *w.settings.IPv6 {
|
||||||
// requires net.ipv6.conf.all.disable_ipv6=0
|
// requires net.ipv6.conf.all.disable_ipv6=0
|
||||||
err = w.addRoute(link, allIPv6(), w.settings.FirewallMark)
|
err = w.setupIPv6(link, &closers)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if strings.Contains(err.Error(), "permission denied") {
|
waitError <- fmt.Errorf("setting up IPv6: %w", err)
|
||||||
w.logger.Errorf("cannot add route for IPv6 due to a permission denial. "+
|
return
|
||||||
"Ignoring and continuing execution; "+
|
|
||||||
"Please report to https://github.com/qdm12/gluetun/issues/998 if you find a fix. "+
|
|
||||||
"Full error string: %s", err)
|
|
||||||
} else {
|
|
||||||
waitError <- fmt.Errorf("%w: %s", ErrRouteAdd, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ruleCleanup, err := w.addRule(
|
ruleCleanup, err := w.addRule(w.settings.RulePriority,
|
||||||
w.settings.RulePriority, w.settings.FirewallMark)
|
w.settings.FirewallMark, unix.AF_INET)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
waitError <- fmt.Errorf("%w: %s", ErrRuleAdd, err)
|
waitError <- fmt.Errorf("adding IPv4 rule: %w", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
closers.add("removing rule", stepOne, ruleCleanup)
|
|
||||||
|
|
||||||
|
closers.add("removing IPv4 rule", stepOne, ruleCleanup)
|
||||||
w.logger.Info("Wireguard is up")
|
w.logger.Info("Wireguard is up")
|
||||||
ready <- struct{}{}
|
ready <- struct{}{}
|
||||||
|
|
||||||
waitError <- waitAndCleanup()
|
waitError <- waitAndCleanup()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (w *Wireguard) setupIPv6(link netlink.Link, closers *closers) (err error) {
|
||||||
|
// requires net.ipv6.conf.all.disable_ipv6=0
|
||||||
|
err = w.addRoute(link, allIPv6(), w.settings.FirewallMark)
|
||||||
|
if err != nil {
|
||||||
|
if strings.Contains(err.Error(), "permission denied") {
|
||||||
|
w.logger.Errorf("cannot add route for IPv6 due to a permission denial. "+
|
||||||
|
"Ignoring and continuing execution; "+
|
||||||
|
"Please report to https://github.com/qdm12/gluetun/issues/998 if you find a fix. "+
|
||||||
|
"Full error string: %s", err)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return fmt.Errorf("%w: %s", ErrRouteAdd, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ruleCleanup6, ruleErr := w.addRule(
|
||||||
|
w.settings.RulePriority, w.settings.FirewallMark,
|
||||||
|
unix.AF_INET6)
|
||||||
|
if ruleErr != nil {
|
||||||
|
return fmt.Errorf("adding IPv6 rule: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
closers.add("removing IPv6 rule", stepOne, ruleCleanup6)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
type waitAndCleanupFunc func() error
|
type waitAndCleanupFunc func() error
|
||||||
|
|
||||||
func setupKernelSpace(ctx context.Context,
|
func setupKernelSpace(ctx context.Context,
|
||||||
|
|||||||
Reference in New Issue
Block a user