
Bug #9405

IPsec IPv6 dynamic FQDN Remote Gateways / util.inc resolve_retry() IPv6 support

Added by Firstname Surname about 1 year ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 03/17/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

Here is one I have been manually patching for years. For as long as it has existed, resolve_retry(), which is used to resolve an IPsec remote gateway, has never supported IPv6, making it impossible to use IPv6 FQDNs as IPsec tunnel endpoints.

Here is an example fix:

// could be used as resolve_retry() replacement today
function resolve46_retry($hostname, $protocol = 'any', $retries = 5) {

        for ($i = 0; $i < $retries; $i++) {

                // IPv4 or any: return an IPv4 address if one resolves
                if ($protocol != 'inet6') {

                        // asked for IPv4 or any, was given an IPv4 address, return it
                        if (is_ipaddrv4($hostname)) {
                                return $hostname;
                        }
                        // gethostbyname() returns the unchanged name on failure
                        $ip = gethostbyname($hostname);
                        if ($ip && $ip != $hostname && is_ipaddrv4($ip)) {
                                return $ip;
                        }

                }

                // IPv6 or any (and no IPv4 found): return an IPv6 address if one resolves
                if ($protocol != 'inet') {

                        // asked for IPv6 or any, was given an IPv6 address, return it
                        if (is_ipaddrv6($hostname)) {
                                return $hostname;
                        }

                        // dns_get_record() returns false (and emits a warning) when the
                        // query fails, so check the result before indexing into it
                        $records = @dns_get_record($hostname, DNS_AAAA);
                        if (is_array($records)) {
                                foreach ($records as $record) {
                                        if (!empty($record['ipv6']) && is_ipaddrv6($record['ipv6'])) {
                                                return $record['ipv6'];
                                        }
                                }
                        }
                }

                sleep(1);
        }

        return false;
}

When 'protocol' is specified as 'inet', it will return IPv4 or nothing; if it's 'inet6', IPv6 or nothing; otherwise it will return either (v4 first). The 'protocol' field from the Phase 1 config can readily be passed as the second argument. No invocations of resolve_retry() use the retries parameter today from what I can see, unless some packages do.

Caveat: gethostbyname() will read the hosts file, dns_get_record() will not; it probably should be getaddrinfo(), but I can't remember if PHP has that. This is better than the current situation anyway, and many people have dnsmasq on localhost.

Not much time on my hands these days, so if GitHub is the preferred vehicle for this, it may take me from days to infinity to get it up there.

Thanks

Associated revisions

Revision d3ac1cea (diff)
Added by Viktor Gurov 2 months ago

IPsec IPv6 dynamic FQDN Remote Gateways, resolve_retry() IPv6 support. Issue #9405

Revision 8f85087b (diff)
Added by Viktor Gurov about 2 months ago

Suppress dns_get_record() errors. Issue #9405

History

#1 Updated by Jim Pingle 3 months ago

  • Subject changed from util.inc resolve_retry() IPv6 support to IPsec IPv6 dynamic FQDN Remote Gateways / util.inc resolve_retry() IPv6 support
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

#3 Updated by Jim Pingle 3 months ago

  • Status changed from New to Pull Request Review

#4 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

Pull request has been merged. Thanks!

#5 Updated by Viktor Gurov about 2 months ago

  • Status changed from Feedback to Resolved

ipv4/ipv6/both - works as expected on 2.5.0.a.20200207.2007

#6 Updated by Viktor Gurov about 2 months ago

There is only one problem, after losing the internet connection:

PHP Errors:
[08-Feb-2020 14:06:19 Europe/Moscow] PHP Warning:  dns_get_record(): DNS Query failed in /etc/inc/util.inc on line 1961
[08-Feb-2020 14:06:19 Europe/Moscow] PHP Warning:  Invalid argument supplied for foreach() in /etc/inc/util.inc on line 1962

long crash report
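Added example, not pfSense's util.inc and not the reporter's patch above: the resolve46_retry() selection logic with the DNS lookups injected as a callable, so the 'inet' / 'inet6' / any behaviour described in the report and the failed-query case from comment #6 can be exercised offline with constructed answers. The is_v4()/is_v6() stand-ins, fake_lookup() and the zone data are assumptions.

```php
<?php
// Added example (not pfSense code): resolve46_retry() logic with lookups
// injected, so protocol selection and the comment #6 failure path can be
// checked offline against constructed DNS answers.

// Assumed stand-ins for pfSense's is_ipaddrv4() / is_ipaddrv6().
function is_v4($s) { return filter_var($s, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false; }
function is_v6($s) { return filter_var($s, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false; }

// $lookup($host, 'A'|'AAAA') returns an address string, or null on failure. A real
// wrapper must map gethostbyname() returning the unchanged name, and dns_get_record()
// returning false or [] (the comment #6 crash), to null instead of indexing them.
function resolve46($hostname, $protocol, callable $lookup, $retries = 3) {
    for ($i = 0; $i < $retries; $i++) {
        if ($protocol != 'inet6') {          // IPv4 wanted, or 'any': v4 first
            if (is_v4($hostname)) { return $hostname; }
            $ip = $lookup($hostname, 'A');
            if ($ip !== null && is_v4($ip)) { return $ip; }
        }
        if ($protocol != 'inet') {           // IPv6 wanted, or 'any' with no A answer
            if (is_v6($hostname)) { return $hostname; }
            $ip = $lookup($hostname, 'AAAA');
            if ($ip !== null && is_v6($ip)) { return $ip; }
        }
        // the real function sleeps 1s between attempts; omitted so this runs instantly
    }
    return false;
}

// Constructed zone data standing in for DNS; unknown names mimic a failed query.
function fake_lookup($host, $family) {
    $zone = [
        'dual.example'   => ['A' => '192.0.2.10', 'AAAA' => '2001:db8::10'],
        'v6only.example' => ['AAAA' => '2001:db8::6'],
    ];
    return isset($zone[$host][$family]) ? $zone[$host][$family] : null;
}

$checks = [
    [resolve46('dual.example',   'any',   'fake_lookup'),    '192.0.2.10'],   // v4 wins on 'any'
    [resolve46('dual.example',   'inet6', 'fake_lookup'),    '2001:db8::10'],
    [resolve46('v6only.example', 'any',   'fake_lookup'),    '2001:db8::6'],  // falls through to AAAA
    [resolve46('v6only.example', 'inet',  'fake_lookup'),    false],          // 'inet' never yields v6
    [resolve46('2001:db8::1',    'any',   'fake_lookup'),    '2001:db8::1'],  // literal passes through
    [resolve46('gone.example',   'any',   'fake_lookup', 1), false],          // failure -> false, no warning
];
foreach ($checks as list($got, $want)) {
    if ($got !== $want) { fwrite(STDERR, 'mismatch: ' . var_export($got, true) . "\n"); exit(1); }
}
echo "all checks passed\n";
```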

#7 Updated by Jim Pingle about 2 months ago

  • Status changed from Resolved to In Progress

#8 Updated by Viktor Gurov about 2 months ago

Suppress dns_get_record() errors fix:
https://github.com/pfsense/pfsense/pull/4189

#9 Updated by Jim Pingle about 2 months ago

  • Status changed from In Progress to Pull Request Review

#10 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#11 Updated by Viktor Gurov about 2 months ago

  • Status changed from Feedback to Resolved

now it's OK - no crash reports at all

tested on 2.5.0.a.20200213.1525
