Allow `hwaddr` and `ipaddr` metadata fields #232
Labels: documentation, Feature request, help wanted, Solution applied, Testing welcome
TinCanTech added the Solution applied, Testing welcome and documentation labels on Dec 2, 2021.
Currently, only matches host IP, would be nice to have subnet.
TinCanTech referenced this issue on Dec 7, 2021:

This patch also exposes the functions to validate IP addresses.

* ./easytls v4ip 11.22.33.0/24
* ./easytls v6ip 12fc:1918::10:1:101:0/64

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech added the help wanted label and removed the Solution applied and Testing welcome labels on Dec 7, 2021.
TinCanTech referenced this issue on Dec 8, 2021:

In IPv6, Easy-TLS uses simple string matching, not mathematical techniques. This is due to the 128-bit binary involved. (IPv4 is mathematically evaluated)

To match an IPv6 address to a client address, it is recommended to use a subnet/mask (mask <= 124), not a host/128.

Examples:

* Correct: 2000:1:2:3::/64, 2000:1:2:3:abcd::/80, 2000::1:2:3:4/128(+) (+: Not recommended)
* Incorrect: 2000:1:2:3:abcd::/64, 2000::1:2:3:4/80, :2000:1:2:3:4::/64

Easy-TLS also has some new functions for checking valid IPv4/6:

* v4ip: Validate IPv4 address
* v6ip: Validate IPv6 address
* x6ip: Expand a compressed IPv6 address

Examples:

* ./easytls v4ip 1.2.3.4/24
* ./easytls v6ip 2000::c0ff:ee/64
* ./easytls x6ip 2000::c0ff:ee/64

Note: When expanding an IPv6 address, easytls also verifies that this is a valid subnet, for use in TLS-Crypt-V2 metadata, according to the rules outlined here. Thus, some valid IPv6 addresses are not valid in Easy-TLS.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue on Dec 9, 2021:

TLS-Crypt-V2 metadata for IPv6 filtering is done by simple pattern matching. Save only the required network portion of `$IPv6/$mask`.

To filter client IPv6 source IP to `2000:1:2:3:4::/80` the following data is saved to metadata: `2000:0001:0002:0003:0004`.

The full IPv6 address bits must not exceed the required mask-length. To filter a unique host specify a `/128` mask. (Not recommended)

Signed-off-by: Richard T Bonhomme <[email protected]>
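The expansion and matching rules described in the Dec 8 and Dec 9 commit messages above, as an added example that is not Easy-TLS's own code: it expands an address, rejects bits set beyond the mask, keeps only the network portion, and string-matches a client address against it. The function names are hypothetical, and the example assumes a mask that is a multiple of 4 and no IPv4-embedded notation.

```sh
# Added example; function names are hypothetical, not Easy-TLS's own.

# Zero-pad every hextet of a colon-separated list to 4 digits and join them.
pad_hextets() {
    old=$IFS; IFS=:; set -- $1; IFS=$old
    for h in "$@"; do
        case $h in ''|?????*) return 1 ;; esac
        h=000$h
        printf '%s' "${h#"${h%????}"}"   # keep the last four digits
    done
}

# Print the 32 hex digits of an IPv6 address (no mask); fail if malformed.
hex32() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $a in ''|*[!0-9a-f:]*|*:::*|*::*::*) return 1 ;; esac
    case $a in
        *::*) left=${a%%::*}; right=${a#*::}; gap=1 ;;
        *)    left=$a; right=''; gap=0 ;;
    esac
    case $left  in :*|*:) return 1 ;; esac
    case $right in :*|*:) return 1 ;; esac
    lh=$(pad_hextets "$left") && rh=$(pad_hextets "$right") || return 1
    if [ "$gap" -eq 1 ]; then            # "::" stands for at least one hextet
        [ $(( ${#lh} + ${#rh} )) -le 28 ] || return 1
        while [ $(( ${#lh} + ${#rh} )) -lt 32 ]; do lh=${lh}0000; done
    fi
    [ $(( ${#lh} + ${#rh} )) -eq 32 ] || return 1
    printf '%s\n' "$lh$rh"
}

# Print the metadata string for ADDR/MASK; fail if bits are set past the mask.
net6() {
    case $1 in */*) mask=${1##*/} ;; *) return 1 ;; esac
    case $mask in ''|0*|*[!0-9]*|????*) return 1 ;; esac
    [ "$mask" -le 128 ] && [ $(( mask % 4 )) -eq 0 ] || return 1  # assumed rule
    hex=$(hex32 "${1%/*}") || return 1
    n=$(( mask / 4 ))                    # hex digits in the network portion
    host=$(printf '%s\n' "$hex" | cut -c "$(( n + 1 ))-")
    case $host in *[!0]*) return 1 ;; esac
    printf '%s\n' "$hex" | cut -c "1-$n" | sed 's/..../&:/g; s/:$//'
}

# Succeed if client address $2 lies inside stored network string $1.
match6() {
    [ -n "$1" ] && hex=$(hex32 "$2") || return 1
    full=$(printf '%s\n' "$hex" | sed 's/..../&:/g; s/:$//')
    case $full in "$1"*) return 0 ;; *) return 1 ;; esac
}
```

Zero-padding both sides is what makes the string comparison safe: matched in compressed form, the prefix `2000:1:2:3:4` would also accept `2000:1:2:3:40::1`.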
TinCanTech referenced this issue on Dec 11, 2021:

Allow all scripts, which process IP addresses, to use common code. If not present then the script falls back to built-in code. The built-in code is currently duplicated library code.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue on Dec 11, 2021:

If found, the library is sourced and used. Otherwise, the built-in code is used. This patch also duplicated the lib within the scripts.

Signed-off-by: Richard T Bonhomme <[email protected]>
Now, `ipaddr` can be appended to metadata, in the same manner as `hwaddr`, and verified during client-connect phase.