Project

General

Profile

Bug #9405

util.inc resolve_retry() IPv6 support

Added by Firstname Surname about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
03/17/2019
Due date:
% Done:

0%

Estimated time:
Affected Version:
All
Affected Architecture:
All

Description

Here is one I have been manually patching for years. Since ever, resolve_retry() which is used to resolve an IPSec remote gateway, never supported IPv6, making it impossible to use IPv6 FQDNs as IPSec tunnel endpoints.

Here is an example fix:

// could be used as resolve_retry() replacement today
function resolve46_retry($hostname, $protocol = 'any', $retries = 5) {

        for ($i = 0; $i < $retries; $i++) {

                // IPv4 or any, return IPv4 address if resolved
                if($protocol != 'inet6') {

                        // asked for IPv4 or any, was given an IPv4 address, return it
                        if (is_ipaddrv4($hostname)) {
                                return $hostname;
                        }
                        $ip = gethostbyname($hostname);
                        if ($ip && $ip != $hostname) {
                                return $ip;
                        }

                }

                // IPv6 or any (and no IPv4 found), return IPv6 address if resolved
                if($protocol != 'inet') {

                        // asked for IPv6 or any, was given an IPv6 address, return it
                        if (is_ipaddrv6($hostname)) {
                                return $hostname;
                        }

                        $ip = dns_get_record($hostname, DNS_AAAA)[0]['ipv6'];
                        if ($ip && is_ipaddrv6($ip)) {
                                return $ip;
                        }
                }

                sleep(1);
        }

        return false;
}

When 'protocol' is specified as 'inet', it will return IPv4 or nothing, if it's 'inet6', it's IPv6 or nothing, otherwise it will return any (v4 first). The 'protocol' field from Phase 1 config can readily be passed as second argument. No invocations of resolve_retry() use the retries parameter today from what I can see, unless some packages do it.

Caveat: gethostbyname() will read the hosts file, gns_get_record will not, probably should be getaddrinfo() but can't remember if PHP has that. This is better than the current situation anyway, and many people have dnsmasq on localhost.

Not much time on my hands these days so if github is the preferred vehicle for this, it may take me from days to infinity to get this up there.

Thanks

Also available in: Atom PDF