You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow one to simultaneously have two instances of dhcpd running for DHCPv4 and DHCPv6 respectively, with separate configuration;
(controversial, needs review from someone who understands risks of IPv6 better!) Allow DHCPv6 client incoming traffic in the firewall by default (without this DHCPv6 client won't work);
Test radvd+dhcpd6 as part of our networking tests. Client discovers a router, gets an address from the pool and pings itself and the server;
Update radvd to the latest version.
Things done
Tested using sandboxing
(nix.useSandbox on NixOS,
or option build-use-sandbox in nix.conf
on non-NixOS)
Built on platform(s)
NixOS
macOS
Linux
Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
Tested execution of all binary files (usually in ./result/bin/)
@abbradar, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @wkennington and @fpletz to be potential reviewers.
The reason will be displayed to describe this comment to others. Learn more.
I'm not using the ISC dhcpd much these days and didn't test this myself but the code looks good and there is a test. And more support for IPv6 is always nice. Awesome! 👍
@fpletz Do you think it's okay to allow DHCPv6 client traffic in firewall unconditionally? I don't see any immediate security problems (it's also enabled in Red Hat by default it seems, not sure about others) but I'm a newcomer to IPv6...
@abbradar I agree that this shouldn't be a security issue. The rule strict enough so only packets from hosts in the same broadcast domain will be accepted (link-local addresses). And the allowed destination port is reserved for dhcpv6-client only and is restriced to UDP. It's the job of the DHCPv6 client to listen to the correct interface or check for plausible responses.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
abbradar
force-pushed
the
dhcp6
branch
3 times, most recently
from
Motivation for this change
dhcpdrunning for DHCPv4 and DHCPv6 respectively, with separate configuration;Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)