[isf-wifidog] Implementing ipv6 support on wifidog

Andrew Niemantsverdriet andrewniemants at gmail.com
Mon Feb 14 10:19:07 EST 2011


Hi.

2011/2/14 Jean-Philippe Menil <jean-philippe.menil at univ-nantes.fr>:
> On 14/02/2011 15:49, Andrew Niemantsverdriet wrote:
>>
>> Hi
>>
>> 2011/2/14 Jean-Philippe Menil<jean-philippe.menil at univ-nantes.fr>:
>>>
>>> On 14/02/2011 14:03, Marc Blanchet wrote:
>>>>
>>>> sorry to be late on this thread.
>>>> - nat is not what a captive portal does. captive portal intercepts dns
>>>> request and then after authentication modifies firewall rules to let it go
>>>> through. so ipv6 will be no different.
>>>> - however, something really different in IPv6 is the fact that the gateway
>>>> receives a prefix from the DHCPv6 server. The prefix is then used for the
>>>> internal network using router advertisements sent by the gateway. And the
>>>> gateway does not do any NAT, only forwarding. So in the design, you must
>>>> consider that.
>>>>
>>>> Marc.
>>>>> On 2011-02-12 13:02, Andrew Niemantsverdriet wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> 2011/2/12 Jean-Philippe Menil<jean-philippe.menil at univ-nantes.fr>:
>>>>>>>
>>>>>>> On 11/02/2011 20:30, Geneviève Bastien wrote:
>>>>>>>>
>>>>>>>> ip6tables uses filtering, based on the ip address, instead of nat, and you
>>>>>>>> can still build firewall and routing rules with it.
>>>>>>>>
>>>>>>>> But I'll take a look at tproxy and ipset and see if it would work best for
>>>>>>>> wifidog.
>>>>>>>>
>>>>>>>> Geneviève
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 11/02/2011 17:01, Geneviève Bastien wrote:
>>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> We'll soon start working on implementing the ipv6 support on the wifidog
>>>>>>>>>> client. One of the problems will be to port to ip6tables the actual
>>>>>>>>>> iptables that wifidog creates at startup, so that all the redirects
>>>>>>>>>> still work on ipv6.
>>>>>>>>>>
>>>>>>>>>> Can anyone help with that?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Geneviève
>>
>> <snip>
>>>
>>> Hi,
>>>
>>> maybe I'm misunderstood.
>>> But with the actual wifidog, a client does an http request, a request which is
>>> "natted" to the 2060 port, the port on which the wifidog daemon is listening.
>>> Without this nat rule, you don't have any redirection.
>>>
>>> Regards.
>>
>> Jean Philippe,
>>
>> You are correct. IPv6 has no concept of NAT so the current way wifidog
>> works is not possible. However (correct me if I am wrong) ipv6tables
>> do support the queue mechanism. That would allow us to mark the
>> packets and pass them into user space. From there a proxy of some sort
>> could be used to implement the actual captive portal and when the user
>> authenticates the queue rule could be removed.  Similar to what
>> wifidog does now.
>>
>> Thanks,
>>  _
>> /-\ ndrew
>
> Yes,
>
> but if you do that, there will be two mechanisms of redirection, one for ipv4
> (wifidog daemon listening on port 2060), another for ipv6 (local proxy or
> whatever).
>
> It will be good to have a unique mechanism working with both ipv4/ipv6.
> Maybe it will be a good idea to look at the tproxy target.
>
> I've seen an interesting feature with rahunas (see rahunas.org). It's working
> with ipset.
> Maybe another way to do it.
>
> In fact, I'm very interested in working on ipv6 support.
>
>
> Regards.

Jean Philippe,

ipv4 iptables contains the queue target as well. So the same mechanism
would work for both, I think. However, that being said, after having
researched the TPROXY target more I agree that it might be the way to
go. I have not heard of ipset; however, it looks very interesting. I too
would be interested in working on IPv6 support and have one other
person that works for me who would be too.

I would be interested in seeing what the design goals are.

Thanks,
 _
/-\ ndrew
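
The single-mechanism idea raised in this thread (a TPROXY rule in front of the portal listener plus an ipset of authenticated clients, identical for both address families), as an added example that is not code from wifidog or from any poster. The interface name, set names, mark and routing-table number are assumptions, and the script only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: prints one rule set per address family; nothing is applied.
GW_IF="br-lan"      # assumption: client-facing interface name
PORTAL_PORT=2060    # wifidog daemon port mentioned in the thread
MARK=0x1            # assumption: firewall mark used by TPROXY
TABLE=100           # assumption: policy-routing table number

# emit_family <iptables-binary> <ipset-family> <ip-flag> <any-address-prefix>
emit_family() {
    ipt=$1 fam=$2 ipflag=$3 any=$4
    set_name="authed_$fam"   # hypothetical set name
    # Set of authenticated client addresses; the portal adds and removes entries.
    echo "ipset create $set_name hash:ip family $fam -exist"
    # Marked packets are routed to the local host so the listener can accept them.
    echo "ip $ipflag rule add fwmark $MARK lookup $TABLE"
    echo "ip $ipflag route add local $any dev lo table $TABLE"
    # Authenticated clients skip interception.
    echo "$ipt -t mangle -A PREROUTING -i $GW_IF -m set --match-set $set_name src -j RETURN"
    # Everyone else: HTTP goes to the portal listener with no address rewriting.
    echo "$ipt -t mangle -A PREROUTING -i $GW_IF -p tcp --dport 80 -j TPROXY --on-port $PORTAL_PORT --tproxy-mark $MARK/$MARK"
    # Forwarding stays closed until the client is in the set.
    # Assumption: DNS and the auth server are allowed by earlier rules, not shown.
    echo "$ipt -A FORWARD -i $GW_IF -m set ! --match-set $set_name src -j DROP"
}

# The same function serves IPv4 and IPv6; only the binary and family differ.
portal_rules() {
    emit_family iptables  inet  -4 0.0.0.0/0
    emit_family ip6tables inet6 -6 ::/0
}

# authorize <address>: pick the set by address family (a colon means IPv6).
authorize() {
    case $1 in
        *:*) echo "ipset add authed_inet6 $1 -exist" ;;
        *)   echo "ipset add authed_inet $1 -exist" ;;
    esac
}

portal_rules
authorize 192.0.2.10      # constructed sample addresses
authorize 2001:db8::10
```

A listener that receives TPROXY traffic must set IP_TRANSPARENT (IPV6_TRANSPARENT for IPv6) on its socket.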

