
[IPv6-SSH/DNS] enable IPv6 link local addresses as listen-address %eth0
Closed, Resolved | Public | FEATURE REQUEST

Description

Hi

It is not possible via the VyOS CLI to add SSH IPv6 services that listen on link-local addresses with the wildcard (ipv6-linklocal%ethX); it should work as it does for the ping service:

vyos@vyos:~$ ping fe80::5200:ff:fe08:0%eth0
PING fe80::5200:ff:fe08:0%eth0(fe80::5200:ff:fe08:0%eth0) 56 data bytes
64 bytes from fe80::5200:ff:fe08:0%eth0: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from fe80::5200:ff:fe08:0%eth0: icmp_seq=2 ttl=64 time=0.136 ms

but when we want to add it in the VyOS CLI, it shows the following:

vyos@vyos# set service ssh listen-address fe80::5200:ff:fe08:0%eth0

  Invalid value
  Value validation failed
  Set failed

It should support the %eth0 wildcard on the DNS/SSH services. Another comment regarding this behavior:

https://forum.vyos.io/t/using-ipv6-link-local-adresses-as-bind-listen-address/8251

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/1124

set service ssh disable-host-validation
set service ssh listen-address '192.168.122.11'
set service ssh listen-address 'fe80::5054:ff:fe48:a0c6%eth0'

Check the service and listen addresses:

vyos@r11-roll# cat /run/sshd/sshd_config | grep List
ListenAddress 192.168.122.11
ListenAddress fe80::5054:ff:fe48:a0c6%eth0

vyos@r11-roll# sudo netstat -tulpn | grep ":22"
tcp        0      0 192.168.122.11:22       0.0.0.0:*               LISTEN      11376/sshd: /usr/sb 
tcp6       0      0 fe80::5054:ff:fe48:a:22 :::*                    LISTEN      11376/sshd: /usr/sb 
[edit]
vyos@r11-roll#

Example DNS:

vyos@r11-roll# run show conf com | match dns
set service dns forwarding allow-from 'fe80::/64'
set service dns forwarding listen-address 'fe80::5054:ff:fe48:a0c6%eth0'
set service dns forwarding system
[edit]
vyos@r11-roll# cat /run/powerdns/recursor.conf | grep "local"
non-local-bind=yes
query-local-address=0.0.0.0,::
local-address=fe80::5054:ff:fe48:a0c6%eth0
Viacheslav changed the task status from Open to In progress. Tue, Dec 28, 4:02 PM

At the moment I am testing the patch with some common services and found a tiny issue inside the auto completion feature.

vyos@vyos# show service ssh listen-address <TAB>
Possible completions:
   10.10.18.6
   fe80::abc20.000000e+00th0
[edit]

Config:

vyos@vyos# run show configuration commands |grep ssh
set service ssh listen-address 'fe80::abc2%eth0'

It looks like the "%eth0" got interpreted as some kind of format-string.

Maybe "is_addr_assigned" on "python/vyos/validate.py" needs to be patched too.
When I set "listen-address fe80::abc2%eth0" on service tftp-server, "is_addr_assigned" got called and ran into an error:

vyos@vyos# show service tftp-server
 directory /tftp
+listen-address fe80::abc2%eth0 {
+}
[edit]
[ service tftp-server ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2021-12-29 13:02:45
Image version:    VyOS 1.4-rolling-202112281820
Release train:    sagitta

Built by:         vyos@justsecure.de
Built on:         Tue 28 Dec 2021 18:20 UTC
Build UUID:       b082ab9a-6426-4040-9e28-e45a67a2cbd6
Build commit ID:  4ccdaf58fc7b9b

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    68aa120b-7a78-45b3-b6aa-9433b1a487c6

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/tftp_server.py", line 140, in <module>
    verify(c)
  File "/usr/libexec/vyos/conf_mode/tftp_server.py", line 70, in verify
    if not is_addr_assigned(address):
  File "/usr/lib/python3/dist-packages/vyos/validate.py", line 108, in is_addr_assigned
    tmp = is_intf_addr_assigned(intf, addr)
  File "/usr/lib/python3/dist-packages/vyos/validate.py", line 50, in is_intf_addr_assigned
    return _is_intf_addr_assigned(intf, addr)
  File "/usr/lib/python3/dist-packages/vyos/validate.py", line 84, in _is_intf_addr_assigned
    if not _are_same_ip(address, ip_addr):
  File "/usr/lib/python3/dist-packages/vyos/validate.py", line 44, in _are_same_ip
    return inet_pton(f_one, one) == inet_pton(f_one, two)
OSError: illegal IP address string passed to inet_pton
[[service tftp-server]] failed
Commit failed

Same thing with "service snmp".

These two services don't accept IPv6 at all:

service conntrack-sync
service dhcp-server

And Webproxy has another problem with IPv6 (T4116).

Other services are working fine:

set service https virtual-host example.com listen-address fe80::abc2%eth0
set system ntp listen-address fe80::abc2%eth0
set service dns forwarding listen-address fe80::abc2%eth0
set service ssh listen-address fe80::abc2%eth0
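The description asks the CLI validator to accept the `address%interface` form, and the traceback in this comment shows why the existing check falls over: `inet_pton` has no notion of a zone suffix, so `_are_same_ip` raises `OSError` as soon as `%eth0` reaches it. The following is an added example (not VyOS code, not from the PR) of a zone-aware validator and comparison helper; the function names `validate_listen_address`, `same_ip` and `is_intf_addr_assigned`, the conservative interface-name pattern `_IFNAME_RE`, and the `assigned` address list are all assumptions constructed for the example, the last one standing in for the addresses the real code reads from the kernel.

```python
"""Zone-aware handling of IPv6 link-local listen addresses.

Added example, not VyOS code. It shows a validator that accepts the
'address%interface' form and a comparison helper that never hands the
'%eth0' suffix to inet_pton (which raises OSError on it).
"""
import ipaddress
import re
import socket

# Assumption: a conservative subset of valid Linux interface names
# (1..15 chars, no whitespace, no '/'); stricter than the kernel's own rule.
_IFNAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")


def split_zone(text):
    """Split 'fe80::1%eth0' into ('fe80::1', 'eth0'); zone is None if absent."""
    addr, sep, zone = text.partition("%")
    return addr, (zone if sep else None)


def validate_listen_address(text):
    """Return (ok, reason). Accepts IPv4, IPv6 and IPv6 link-local with a zone."""
    addr_text, zone = split_zone(text)
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False, f"not an IP address: {addr_text!r}"
    if zone is None:
        # Design choice: a bare fe80::/10 address cannot be bound on Linux
        # without an interface, so require the suffix up front.
        if addr.version == 6 and addr.is_link_local:
            return False, "link-local IPv6 address needs an interface suffix (%ethX)"
        return True, "ok"
    if addr.version != 6:
        return False, "zone suffix is only valid for IPv6"
    if not addr.is_link_local:
        return False, "zone suffix is only valid for link-local (fe80::/10) addresses"
    if not _IFNAME_RE.match(zone):
        return False, f"invalid interface name in zone: {zone!r}"
    return True, "ok"


def inet_pton_accepts(text):
    """Reproduce the traceback: inet_pton rejects a string carrying a zone."""
    try:
        socket.inet_pton(socket.AF_INET6, text)
        return True
    except OSError:
        return False


def same_ip(one, two):
    """Zone-aware equality: compare canonical addresses, and require the
    zones to match when both sides carry one."""
    a_text, a_zone = split_zone(one)
    b_text, b_zone = split_zone(two)
    try:
        a = ipaddress.ip_address(a_text)
        b = ipaddress.ip_address(b_text)
    except ValueError:
        return False
    if a != b:
        return False
    if a_zone is not None and b_zone is not None:
        return a_zone == b_zone
    return True


def is_intf_addr_assigned(intf, addr_text, assigned):
    """Check a configured listen address against the addresses of `intf`.

    `assigned` is a constructed list of 'addr/prefix' strings standing in for
    the kernel's address table. A zoned address must name this interface.
    """
    text, zone = split_zone(addr_text)
    if zone is not None and zone != intf:
        return False
    return any(same_ip(cidr.split("/")[0], text) for cidr in assigned)


if __name__ == "__main__":
    for candidate in ("192.168.122.11", "fe80::abc2%eth0", "fe80::abc2", "2001:db8::1%eth0"):
        print(candidate, validate_listen_address(candidate))
    print("inet_pton('fe80::abc2%eth0') ->", inet_pton_accepts("fe80::abc2%eth0"))
```

`split_zone` does the one thing the original check omitted: it separates the address from its zone before any library call sees it, so `inet_pton`/`ipaddress` only ever receive a plain address, and the zone is compared as an interface name on its own.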
Viacheslav changed the task status from In progress to Needs testing. Mon, Jan 3, 3:10 PM

@aha As far as I can see, tftp can't bind an IPv6 link-local address:

set service tftp-server listen-address fe80::5054:ff:fe48:a0c6

Jan 09 17:52:41 r11-roll in.tftpd[32395]: cannot bind to local IPv6 socket: Invalid argumen

Are you sure that it should work?

vyos@r11-roll# cat /etc/default/tftpd2
### Autogenerated by tftp_server.py ###
DAEMON_ARGS="--listen --user tftp --address [fe80::5054:ff:fe48:a0c6]:69 -6  --secure /config/tftp"
VRF_ARGS=""

@Viacheslav Yes, you're right.
in.tftpd got started (but only for a few seconds).

I also tried it on Ubuntu 20.10 with the same version of tftp-hpa (5.2), because the latest commit was more than 7 years ago.

tftp-hpa 5.2, with remap, with tcpwrappers

root@ubuntutest:~# in.tftpd -6 -l -a [fe80::1%eth0] -vvvv /
Jan  9 18:01:46 ubuntutest in.tftpd[643]: cannot resolve local IPv6 bind address: [fe80:(Temporary failure in name resolution)

root@ubuntutest:~# in.tftpd -6 -l -a [fe80::1] -vvvv /
Jan  9 18:02:04 ubuntutest in.tftpd[658]: cannot bind to local IPv6 socket: Invalid argument

I can try to ask H. Peter Anvin if there is a solution. But I do not expect an answer.
Most people may use inetd/xinetd and may not have such problems :/
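The "cannot bind to local IPv6 socket: Invalid argument" in the two comments above is the kernel, not tftpd, speaking: on Linux, bind() on a link-local address whose sockaddr_in6 has sin6_scope_id set to 0 (and no SO_BINDTODEVICE on the socket) returns EINVAL before the address is even looked up, which is why `[fe80::...]` without an interface can never work and why the `%eth0` suffix has to reach the daemon as a scope id. The following is an added example, not tftp-hpa or VyOS code, that resolves the suffix to a scope id and passes it as the fourth element of Python's AF_INET6 address tuple; `parse_zoned` and `try_bind` are names chosen for the example, and the interface index 1 used in the demo is an assumption (normally `lo`), so that the demo does not depend on an `eth0` existing.

```python
"""Binding a link-local IPv6 address needs a scope id.

Added example, not tftp-hpa or VyOS code. Demonstrates the EINVAL that
in.tftpd reports when the bind address carries no interface, and the
sockaddr shape (address, port, flowinfo, scope_id) that fixes it.
"""
import errno
import socket


def parse_zoned(text):
    """'fe80::1%eth0' -> ('fe80::1', scope_id).

    The zone may be an interface name (resolved via if_nametoindex) or a
    numeric interface index; scope_id 0 means no zone was given.
    """
    addr, sep, zone = text.partition("%")
    if not sep:
        return addr, 0
    if zone.isdigit():
        return addr, int(zone)
    return addr, socket.if_nametoindex(zone)


def try_bind(text, port=0):
    """Attempt bind() on an IPv6 UDP socket (what a TFTP server does).

    Returns 0 on success, the errno on failure, or None when IPv6 sockets
    are unavailable in this environment.
    """
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        addr, scope_id = parse_zoned(text)
        # Fourth tuple element is sin6_scope_id; 0 reproduces tftpd's failure.
        sock.bind((addr, port, 0, scope_id))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


if __name__ == "__main__":
    # Assumption: interface index 1 exists (usually 'lo'); fe80::1 is not
    # assigned there, so the second attempt fails with a different errno
    # (EADDRNOTAVAIL) instead of EINVAL, showing the scope id was accepted.
    for target in ("fe80::1", "fe80::1%1"):
        result = try_bind(target)
        name = "no IPv6" if result is None else errno.errorcode.get(result, str(result))
        print(f"bind {target!r}: {name}")
```

The observable difference is the errno: without a scope id the kernel answers EINVAL regardless of which addresses the host has; with one, the bind proceeds to the normal address check, so a daemon that is given `fe80::x%eth0` must carry the interface through to `sin6_scope_id` (or bind the socket to the device) rather than strip it.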

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.