[isf-wifidog] Implementing ipv6 support on wifidog

Andrew Niemantsverdriet andrewniemants at gmail.com
Sat 12 Feb 13:02:19 EST 2011


Hi,

2011/2/12 Jean-Philippe Menil <jean-philippe.menil at univ-nantes.fr>:
> On 11/02/2011 20:30, Geneviève Bastien wrote:
>>
>> ip6tables uses filtering, based on the ip address, instead of nat, and you
>> can still build firewall and routing rules with it.
>>
>> But I'll take a look at tproxy and ipset and see if it would work best for
>> wifidog.
>>
>> Geneviève
>>
>>
>>> On 11/02/2011 17:01, Geneviève Bastien wrote:
>>>>
>>>> Hi all,
>>>>
>>>> We'll soon start working on implementing the ipv6 support on the wifidog
>>>> client.  One of the problems will be to port to ip6tables the
>>>> iptables rules that wifidog creates at startup, so that all the redirects
>>>> still work on ipv6.
>>>>
>>>> Can anyone help with that?
>>>>
>>>> Thanks,
>>>> Geneviève

>>> Hi,
>>>
>>> There's no nat on ipv6,
>>> so it's hard to port it to ipv6.
>>> Maybe you can look at the tproxy target, or maybe ipset, but I'm not
>>> sure about ipset.
>>>
>>> Regards.
>>>
>>
>>
> Hi,
>
> I know what ip6tables does.
> But today, the redirection is made with a nat rule.
> You can't do the same with ip6tables.
>
> Regards.

I agree that making the iptables rules into shell script(s) would be
ideal. You can still do a transparent proxy with IPv6, so the operation
would be similar to how wifidog works now.

The iptables rules would be similar to what is working now, except that
rather than relying on NAT, a transparent proxy would do the work. TinyProxy
is a program that I have had good luck with. TinyProxy would work with both
IPv6 and IPv4 in exactly the same way, so the overhead of maintaining two
separate systems would be greatly reduced. The other thing that
TinyProxy supports is whitelisting sites, so a "walled garden" would be
easy to implement.

The bad thing about this approach is that you lose the gateway code's
maturity / stability. However, as Jean-Philippe has stated, there is no
way for the existing code to just be ported; a new mechanism needs to
be used because IPv6 does not use NAT.

The part I understand the least is how the gateway communicates with
the auth server, so I don't know what would need to be changed there
to enable this new system. However, it would be nice to devise a
protocol that would allow things like whitelisted MACs to be passed
to the gateway, and things like per-client speed control information.

I would be interested to hear an overview of how the gateway talks to
the auth server. I think moving to a proxy-based system makes a lot of
sense, so that two separate wifidog gateways do not have to be
maintained. I also think that abstracting the iptables rules into shell
scripts makes a lot of sense.

Thanks,
 _
/-\ ndrew
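A sketch of the two ideas in the post above (rules kept in a shell script, and a transparent proxy instead of NAT on the IPv6 side), as an added example that is not WiFiDog's code and not something the poster provided. One function renders the same captive-portal rule set for either iptables or ip6tables; only the "divert unauthenticated HTTP" step is family-specific: NAT REDIRECT to the gateway on IPv4, and, since the ip6tables of this thread has no nat table, a mangle-table TPROXY diversion to a local transparent proxy on IPv6. The interface name br-lan, the wd_* chain names, ports 2060 and 8888, the sample MAC and the documentation-range addresses are all assumptions constructed for the example, as is the requirement that whichever proxy is used opens its listening socket with IP_TRANSPARENT, which the kernel needs for TPROXY delivery.

```shell
#!/bin/sh
# Added example for this thread; not code from the WiFiDog gateway or from
# the post above. Renders one captive-portal rule set for either iptables
# (IPv4) or ip6tables (IPv6). Only the "divert unauthenticated HTTP" step
# differs per family: NAT REDIRECT on IPv4 and, because the thread's
# ip6tables has no nat table, a mangle-table TPROXY diversion to a local
# transparent proxy on IPv6.
#
# Assumptions (not from the thread): interface br-lan, the wd_* chain names,
# port 2060 for the gateway's own HTTP listener, port 8888 for the proxy,
# and that the proxy's listening socket is opened with IP_TRANSPARENT,
# which the kernel requires for TPROXY delivery.

LAN_IF=${LAN_IF:-br-lan}
PORTAL_PORT=${PORTAL_PORT:-2060}
PROXY_PORT=${PROXY_PORT:-8888}
DRY_RUN=${DRY_RUN:-1}    # 1: print each rule instead of executing it

# run CMD ARGS...: print the rule (dry run) or execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# divert_table TOOL: table that holds the per-family diversion chain
divert_table() {
    case "$1" in
        iptables)  echo nat ;;
        ip6tables) echo mangle ;;
        *)         echo "unknown tool: $1" >&2; return 1 ;;
    esac
}

# divert_http TOOL: send port-80 traffic that reached wd_prerouting to the
# portal (IPv4) or to the transparent proxy (IPv6)
divert_http() {
    case "$1" in
        iptables)
            run "$1" -t nat -A wd_prerouting -i "$LAN_IF" -p tcp --dport 80 \
                -j REDIRECT --to-ports "$PORTAL_PORT" ;;
        ip6tables)
            # TPROXY marks the packet; the policy route delivers it locally
            run "$1" -t mangle -A wd_prerouting -i "$LAN_IF" -p tcp --dport 80 \
                -j TPROXY --on-port "$PROXY_PORT" --tproxy-mark 0x1/0x1
            run ip -6 rule add fwmark 0x1 lookup 100
            run ip -6 route add local ::/0 dev lo table 100 ;;
    esac
}

# build_rules TOOL "MAC ..." "DEST ...": the family-independent part.
# MACs are clients the auth server has already whitelisted; DESTs are the
# walled-garden addresses reachable without authentication.
build_rules() {
    tool=$1; known_macs=$2; garden_dests=$3
    table=$(divert_table "$tool") || return 1

    # FORWARD policy: known MACs and walled-garden destinations pass,
    # everything else from the LAN is rejected. -m mac works in both tools.
    run "$tool" -t filter -N wd_forward
    run "$tool" -t filter -A FORWARD -i "$LAN_IF" -j wd_forward
    for mac in $known_macs; do
        run "$tool" -t filter -A wd_forward -m mac --mac-source "$mac" -j ACCEPT
    done
    for dest in $garden_dests; do
        run "$tool" -t filter -A wd_forward -d "$dest" -j ACCEPT
    done
    run "$tool" -t filter -A wd_forward -j REJECT

    # Diversion: known MACs skip it, everyone else's HTTP is captured
    run "$tool" -t "$table" -N wd_prerouting
    run "$tool" -t "$table" -A PREROUTING -i "$LAN_IF" -j wd_prerouting
    for mac in $known_macs; do
        run "$tool" -t "$table" -A wd_prerouting -m mac --mac-source "$mac" -j RETURN
    done
    divert_http "$tool"
}

# Constructed sample input: one whitelisted client and one walled-garden
# host per family (documentation address ranges, not real hosts).
build_rules iptables  "00:11:22:33:44:55" "192.0.2.10"
build_rules ip6tables "00:11:22:33:44:55" "2001:db8::10"
```

Run as-is it only prints the rules; DRY_RUN=0 as root applies them. The whitelist and walled-garden arguments are the values a gateway would receive from the auth server, so the family-independent part is the natural place to plug in whatever protocol carries them. Whether a given proxy (TinyProxy included) can sit behind a TPROXY diversion is something to check against that proxy, since it must both listen with IP_TRANSPARENT and recover the original destination; with NAT REDIRECT on IPv4 neither is needed.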


More information about the WiFiDog mailing list