The ip6tables frameworks has been deprecated for quite a while now, as
it has been replaced by nftables. On modern distributions, rules added
with ip6tables are just converted to nftables rules and are added to an
ip6tables compatibility table there. This changed the name of the kernel
modules, breaking ip6tables auto-detection (cf. issues #42 and #44).
Unfortunately, due to the way nftables works, these rules can no longer
be relied upon to ensure the CLAT traffic is allowed. This is due to the
fact that in nftables, *all* chains that hook into a packet's path must
return an «accept» verdict in order for the packet to be ultimately
accepted, while it is enough for a single chain to return a «drop»
verdict in order for the packet to be dropped.
That means that the rules that accepts CLAT traffic might be overridden
by a «default drop» rule added to another chain in another table, e.g.,
by firewalld or similar local firewall frameworks. See #23 for an
example of this.
On the other hand, if there is no drop rule anywhere, the rules added by
clatd are superfluous to begin with, as the default kernel behaviour is
to accept the packages.
Therefore just remove support for ip6tables entirely. Users of
firewalld, ufw, or similar local firewall frameworks will need to make
sure that rules are added in those frameworks that permit the CLAT
traffic, e.g., by using `script-up`, like so for ufw:
```
script-up=ufw route allow in on $clat_dev out on $plat_dev
```
Native support for adding rules to the most common local firewall
frameworks might be added in the future.
Closes#44 (no longer applicable).
The following commits changed only clatd.systemd, but it makes sense to
applt them to clatd@.systemd as well.
eb27dd5 clatd.systemd: pull inn network-online.target
00fa0f3 SystemD service: ensure service starts after DNS queries (e.g. ipv4only.arpa) can be resolved.
According to systemd.special(7):
> Units that strictly require a configured network connection should
> pull in network-online.target (via a Wants= type dependency) and
> order themselves after it.
The Wants= dependency was missing, add it.
This allows clatd to use [nat46](https://github.com/ayourtch/nat46)
kernel translator instead of TAYGA. It uses automatic detection - if
`nat46` module is loaded, it will get used, otherwise the application
falls back to using TAYGA.
Signed-off-by: Ondřej Caletka <ondrej@caletka.cz>
This fixed the following dependency loop that could occur when the
system was booting up:
1. NetworkManager configures a network interface and fires off the clatd
dispatcher script.
2. The dispatcher scripts tries to restart `clatd.service`.
3. However, `clatd.service` cannot be (re)started at this point because
its dependency `network-online.target` has not yet been reached.
4. Therefore, the `systemctl restart clatd.service` command in the
dispatcher script blocks, waiting for `network-online.target` to be
reached.
5. But that won't happen until the dispatcher scripts finishes...
Adding `--no-block` allows the dispatcher script to finish immediately
without waiting for the restart to complete (instead, systemd will do it
in the background once `network-online.target` has been reached).
Furthermore, since `clatd.service` may end up being restarted several
times during a boot process (especially on a system with many network
interfaces handled by NetworkManager), it is also at risk of
inadvertently triggering the restart rate-limiting feature in systemd,
so disable that while we're at it.
Closes#22. Thanks to @patrakov for the report!
Perl module IO::Socket::INET6 is obsolete and recomended one is
IO::Socket::IP, which has compatibility to old one.
btw: Net::DNS was rewrited to use IO::Socket::IP.
The previous code would fail to detect PLAT prefix if ipv4only.arpa resolved to
an address such as 2001:db8:c000:aa::c000:aa. It would get confused as to
whether the prefix was 2001:db8::/32 (incorrect) or 2001:db8:c000:aa::/96
(correct).
Bug reported by Kasper Dupont - thanks!
Now that TAYGA is avaiable in EPEL, it is better to point people at that
instead of building TAYGA from source. In commit 18dca08 the build from source
functionality was removed. Update documentation accordingly.
Don't assume that utilities such as systemctl or initctl is found in a certain
specific path. Instead look for them in $PATH. This applies to both the
Makefile and the NetworkManager dispatcher script.
Resolves#11.
The three I-Ds that describe SIIT-DC and SIIT-EAM have been published as
RFCs, so update the references accordingly. Also update once occurrence
of old terminology ("Host Agent") with the new and final one ("Edge
Relay").
Change "2014-2015" with "2014-2016". Also, I had forgotten to update the
licence comment in the clatd script itself in b5725c0, so fix that too.
Thanks to @ingvarha for noticing!
Just pass the entire supplied command line, be it a single scalar or an array,
to system(). It'll do the right thing with it. This gets rid of a spurious
trailing space in debugging output when cmd() was called with a single scalar
as the command argument (leaving @cmdline undefined).
This ensures that TCP connections terminated through the CLAT gets a sensible
TCP MSS value negotiated. By default, the value is set to the MTU of the
defaultroute minus 40. There should be no reason to change this in the vast
majority of cases, but it can be overridden with the "v4-defaultroute-advmss"
setting.
Adds "v4-defaultroute-replace" config/command-line setting (default disabled).
When enabled, it will unconditionally disable the pre-flight IPv4 connectivity
check, and ensure that any pre-existing IPv4 default routes are removed during
startup (and presumably replaced with the one pointing to the CLAT, unless
"v4-defaultroute-enable" has been disabled). Any IPv4 default routes that were
removed in this manner are restored when clatd is shutting down.
Newer NetworkManager versions will run the dispatcher scripts when new
unknown interfaces show up, including 'clat'. That will cause a clatd
restart right after startup, and we'll never get to fully initialise. So
ensure the dispatcher script does nothing if the device in question is
our own 'clat' to prevent this.
This allows clatd to work correctly on 3GPP mobile networks, where the
IID is assigned from the network, rather than being generated using
EUI-64. We still prefer the old method, though, the random one is only
used if no EUI-64 address exists on the PLAT device. Update docs
accordingly.
Also upgrade docs to better describe usage as a SIIT-DC Host Agent.
get_clat_v6_addr() didn't actually check if it saw any Modified EUI-64
based addresses on the PLAT device before proceeding. This caused it to
return a bogus CLAT address (::c1:a700:0) instead of failing with a
useful error message.
In the case of there being more than one EUI-64 based IPv6 address on
the PLAT device, clatd will now pick the one which share the longest
common prefix length with the PLAT prefix when deciding which one to
base the auto-generated CLAT IPv6 address on. This should avoid
accidentally ending up with a ULA-based CLAT IPv6 address when better
alternatives exist.
Resolves#1.
