
Embed v4 address in v6 as alternative to proxy_protocol #371

Open
candlerb opened this issue Mar 4, 2021 · 1 comment

candlerb commented Mar 4, 2021

This is a feature suggestion:

  • Configure an IPv6 /96 pool in sniproxy.conf, e.g. fd46:1::/96
  • If the inbound connection is v4 and the outbound is v6, then sniproxy can bind the source address of the outbound connection to one of the pool addresses, embedding the source v4 address of the inbound connection in the lower 32 bits
    • This can be done via AnyIP and IP_FREEBIND or sysctl net.ipv6.ip_nonlocal_bind
    • The upstream router also needs to static-route the block to the proxy host, of course

This would give a transparent way to keep the v4 source address visible in logs, without having to deal with proxy_protocol - so local connections and remote connections can be treated identically.

Demonstration proof-of-concept:

# Source machine (XXXX::11)
root@nuc1:~# ip -6 route add local fd46:1::/96 dev lo
root@nuc1:~# sysctl net.ipv6.ip_nonlocal_bind=1
net.ipv6.ip_nonlocal_bind = 1
root@nuc1:~# nc -s fd46:1::1.2.3.4 XXXX::36 80
GET / HTTP/1.0
....

# Target machine (XXXX::36)
root@netbox:~# ip -6 route add fd46:1::/96 via XXXX::11
root@netbox:~# tail -1 /var/log/apache2/other_vhosts_access.log
netbox.example.net:80 fd46:1::102:304 - - [04/Mar/2021:13:52:00 +0000] "GET / HTTP/1.0\n" 400 0 "-" "-"
                              ^^^^^^^
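The mapping the proof of concept relies on, as an added example that is not sniproxy code and not part of the original issue: the pool prefix ORed with the client's IPv4 address gives the source to bind, and the low 32 bits of any address inside the pool give the client back. The helper names (`embed_v4_in_v6`, `extract_v4`, `decode_log_line`, `connect_with_embedded_source`) are hypothetical; the sample log line is the Apache line from the PoC above; the `IPV6_FREEBIND` value 78 is the Linux constant and is an assumption about the platform. The validation mirrors the TODO in the commit below: anything that is not an IPv6 /96 is rejected, because the low 32 bits must be free.

```python
"""Added example (not sniproxy code): IPv4-in-IPv6 /96 embedding as plain
address arithmetic, plus the reverse mapping needed to read the client
address back out of an IPv6-only server log."""
import ipaddress
import socket

# Pool prefix from the issue text; any other /96 works the same way.
POOL = "fd46:1::/96"

# Constructed sample: the Apache line from the proof of concept above.
SAMPLE_LOG = (r'netbox.example.net:80 fd46:1::102:304 - - '
              r'[04/Mar/2021:13:52:00 +0000] "GET / HTTP/1.0\n" 400 0 "-" "-"')


def is_valid_pool(pool: str) -> bool:
    """Accept only an IPv6 /96: the low 32 bits must be free for the IPv4
    address, and an IPv4 'source' makes no sense here (cf. the commit TODO)."""
    try:
        net = ipaddress.ip_network(pool, strict=True)
    except ValueError:
        return False
    return net.version == 6 and net.prefixlen == 96


def embed_v4_in_v6(pool: str, client_v4: str) -> str:
    """Return prefix | client_v4, e.g. fd46:1::/96 + 1.2.3.4 -> fd46:1::102:304."""
    if not is_valid_pool(pool):
        raise ValueError(f"{pool} is not an IPv6 /96")
    prefix = int(ipaddress.IPv6Network(pool).network_address)
    v4 = int(ipaddress.IPv4Address(client_v4))
    return str(ipaddress.IPv6Address(prefix | v4))


def extract_v4(pool: str, addr: str):
    """Inverse mapping: the low 32 bits of a pool address as dotted quad, or
    None if the token is not an address in the pool (a real IPv6 client, or
    some other log field, is left alone)."""
    try:
        a = ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    if a not in ipaddress.IPv6Network(pool):
        return None
    return str(ipaddress.IPv4Address(int(a) & 0xFFFF_FFFF))


def decode_log_line(line: str, pool: str = POOL) -> str:
    """Rewrite pool addresses in a log line back to the original IPv4 client.
    Only whitespace-separated tokens are examined, so 'host:80' is untouched."""
    out = []
    for tok in line.split(" "):
        v4 = extract_v4(pool, tok)
        out.append(v4 if v4 is not None else tok)
    return " ".join(out)


def connect_with_embedded_source(pool: str, client_v4: str,
                                 dest: str, port: int) -> socket.socket:
    """The outbound leg as the proxy would do it. Linux only: needs either
    IPV6_FREEBIND (set below), sysctl net.ipv6.ip_nonlocal_bind=1, or an
    'ip -6 route add local <pool> dev lo' AnyIP route, and the upstream router
    must route the /96 back to this host. Not exercised by the test."""
    src = embed_v4_in_v6(pool, client_v4)
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    # IPV6_FREEBIND is 78 in <linux/in6.h>; Python's socket module may not export it.
    s.setsockopt(socket.IPPROTO_IPV6, getattr(socket, "IPV6_FREEBIND", 78), 1)
    s.bind((src, 0))
    s.connect((dest, port))
    return s


if __name__ == "__main__":
    print(embed_v4_in_v6(POOL, "1.2.3.4"))   # fd46:1::102:304
    print(decode_log_line(SAMPLE_LOG))
```

Note that `extract_v4` only trusts addresses that fall inside the configured pool; a genuine IPv6 client whose address happens to end in 32 interesting bits is not rewritten. The same check is what a log pipeline should apply before treating the low 32 bits as a client identity, since anyone who can source packets from the /96 (if the router does not pin it to the proxy host) could forge the embedded address.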
candlerb added a commit to candlerb/sniproxy that referenced this issue Mar 5, 2021
Usage:

listen 0.0.0.0 443 {
    proto tls
    source fd46:1::
    ipv6_embed on
}

If the inbound connection is IPv4, and the outbound connection is IPv6,
then the IPv4 address is embedded in the low 32 bits of the source.

TODO:
- better choice of option name
- better parsing/validation (e.g. reject ipv6_embed configuration
  if source is missing or source is not IPv6)
candlerb added a commit to candlerb/sniproxy that referenced this issue Mar 5, 2021
Usage:

listen 0.0.0.0 443 {
    proto tls
    embed fd46:1::
}

If the inbound connection is IPv4, and the outbound connection is IPv6,
then the IPv4 address is embedded in the low 32 bits of the source.

synnack commented Jan 6, 2022

Nice concept. More elegant than transparent proxying too I think, if you're certain you'll be contacting IPv6 destinations.
