Project

General

Profile

Actions

Bug #9405

closed

IPsec IPv6 dynamic FQDN Remote Gateways / util.inc resolve_retry() IPv6 support

Added by Firstname Surname over 5 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
03/17/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

Here is one I have been manually patching for years. Since ever, resolve_retry() which is used to resolve an IPSec remote gateway, never supported IPv6, making it impossible to use IPv6 FQDNs as IPSec tunnel endpoints.

Here is an example fix:

// could be used as resolve_retry() replacement today
function resolve46_retry($hostname, $protocol = 'any', $retries = 5) {

        for ($i = 0; $i < $retries; $i++) {

                // IPv4 or any, return IPv4 address if resolved
                if($protocol != 'inet6') {

                        // asked for IPv4 or any, was given an IPv4 address, return it
                        if (is_ipaddrv4($hostname)) {
                                return $hostname;
                        }
                        $ip = gethostbyname($hostname);
                        if ($ip && $ip != $hostname) {
                                return $ip;
                        }

                }

                // IPv6 or any (and no IPv4 found), return IPv6 address if resolved
                if($protocol != 'inet') {

                        // asked for IPv6 or any, was given an IPv6 address, return it
                        if (is_ipaddrv6($hostname)) {
                                return $hostname;
                        }

                        $ip = dns_get_record($hostname, DNS_AAAA)[0]['ipv6'];
                        if ($ip && is_ipaddrv6($ip)) {
                                return $ip;
                        }
                }

                sleep(1);
        }

        return false;
}

When 'protocol' is specified as 'inet', it will return IPv4 or nothing, if it's 'inet6', it's IPv6 or nothing, otherwise it will return any (v4 first). The 'protocol' field from Phase 1 config can readily be passed as second argument. No invocations of resolve_retry() use the retries parameter today from what I can see, unless some packages do it.

Caveat: gethostbyname() will read the hosts file, gns_get_record will not, probably should be getaddrinfo() but can't remember if PHP has that. This is better than the current situation anyway, and many people have dnsmasq on localhost.

Not much time on my hands these days so if github is the preferred vehicle for this, it may take me from days to infinity to get this up there.

Thanks

Actions #1

Updated by Jim Pingle over 4 years ago

  • Subject changed from util.inc resolve_retry() IPv6 support to IPsec IPv6 dynamic FQDN Remote Gateways / util.inc resolve_retry() IPv6 support
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0
Actions #3

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions #4

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

Pull request has been merged. Thanks!

Actions #5

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

ipv4/ipv6/both - works as expected on 2.5.0.a.20200207.2007

Actions #6

Updated by Viktor Gurov over 4 years ago

There is only one problem
after loosing internet connection:

PHP Errors:
[08-Feb-2020 14:06:19 Europe/Moscow] PHP Warning:  dns_get_record(): DNS Query failed in /etc/inc/util.inc on line 1961
[08-Feb-2020 14:06:19 Europe/Moscow] PHP Warning:  Invalid argument supplied for foreach() in /etc/inc/util.inc on line 1962

long crash report

Actions #7

Updated by Jim Pingle over 4 years ago

  • Status changed from Resolved to In Progress
Actions #8

Updated by Viktor Gurov over 4 years ago

Suppress dns_get_record() errors fix:
https://github.com/pfsense/pfsense/pull/4189

Actions #9

Updated by Jim Pingle over 4 years ago

  • Status changed from In Progress to Pull Request Review
Actions #10

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #11

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

now it's ok - no any crash reports

tested on 2.5.0.a.20200213.1525

Actions

Also available in: Atom PDF