Using IPv6 link local addresses as bind-/listen-address

Hi,

I often use IPv6 Link Local addresses for transit networks and I would like to use them as listen-address for ssh, dns forwarding and so on…

But the gateway uses the same address (fe80::1) on more than one interface.
So I had to set something like that:

set service ssh listen-address 'fe80::1%eth0'
set service dns forwarding listen-address 'fe80::1%eth0'

Unfortunately vyos (or “/usr/bin/ipaddrcheck”) does not allow such addresses.

  Invalid value
  Value validation failed
  Set failed

The only workaround I found was renaming /usr/bin/ipaddrcheck to /usr/bin/ipaddrcheck.orig and using this wrapper:

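#!/bin/bash
# Strip everything from the first "%" onward in each argument, then call the real checker.
# The zone itself is not validated.
args=()
for arg in "$@"
do
    args+=("${arg%%\%*}")
done
/usr/bin/ipaddrcheck.orig "${args[@]}"
exit $?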

It's working but it also accepts some crap like “fe80::1%somethingwrong”.
Is there any better way?
Is it a bug or some kind of feature request?

Andreas

PS:
there is also a posting issuing this @ubnt-forum:
https://community.ui.com/questions/v1-8-5-ssh-listen-address-IPv6-link-local-does-not-work/d9f79d9a-af9a-41db-b709-3ca65edd71f9

Hi

Thanks for your comments, I created a task on Phabricator with this behavior. If you want to add an extra comment, I leave the link below:

https://phabricator.vyos.net/T4110

If there is something wrong, you are free to leave a comment.

regards


Thank you very much! :+1: :+1:
Wow, that was really fast! :grinning_face_with_smiling_eyes:
I’ll try to compile the pull request and test it with all known services.
Maybe some services (like squid proxy) do require the address in brackets like
[fe80::1%eth1]:3128


Okay, after some hours (installed fresh debian, learned how to use docker, learned how to use git, learned how to build vyos, etc.) of self studying I managed to fetch the pull-request 1124 and build a deb-package from vyos-1x repository. :sweat_smile:
I still had to learn how to build an iso with a patched vyos-1x but for now it's sufficient to get a deb-file for installing.

Already found a small issue with auto completion and posted it to phabricator.
I hope that's okay.

Another question: should the patch get expanded to some other fields than listen-address?
For example:

vyos@vyos# set system name-server fe80::1%eth0

It is good to be able to bind a link-local address to the dns forwarder but that's only half the battle.
You should also be able to use it as name-server on the other side :wink:

Adding “<validator name="ipv6-link-local"/>” to “interface-definitions/dns-domain-name.xml.in” does not work because “fe80::1” is not on this host.
Without a check the result works:

vyos@vyos# cat /etc/resolv.conf
### Autogenerated by VyOS ###
### Do not edit, your changes will get overwritten ###


# system
nameserver fe80::1%eth0

Maybe the ipv6-address check could be a bit more common to allow the “%interface” extension to specify the interface to use (the “scope”).

BTW: not supporting scopes is not a bug. :shushing_face: RFC4007 says:
> […] an implementation SHOULD support the following format: <address>%<zone_id> […]
It is not “required” or “must”.
But it would be awesome to support it :wink:
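
A stricter alternative to stripping the zone, as an added example that is not part of the original posts or of VyOS: it accepts `address%zone` only when the address is in fe80::/10 and the zone names a known interface, so `fe80::1%somethingwrong` is rejected while a remote name-server such as `fe80::1%eth0` still passes. The function names, the `interfaces` and `require_zone` parameters and the sample interface set are assumptions made for this illustration.

```python
import ipaddress
import socket

LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def local_interfaces():
    """Names of the interfaces present on this host."""
    return {name for _, name in socket.if_nameindex()}


def check_scoped_link_local(value, interfaces=None, require_zone=True):
    """Return (address, zone) for a valid 'fe80::1%eth0' style value.

    Raises ValueError when the address part is not IPv6 link-local or the
    zone is not one of `interfaces` (default: interfaces of this host).
    The address does not have to be configured locally, so the same check
    fits a listen-address and a remote name-server.
    """
    addr_text, sep, zone = value.partition("%")
    try:
        addr = ipaddress.IPv6Address(addr_text)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not an IPv6 address: {addr_text!r}") from exc
    if addr not in LINK_LOCAL:
        raise ValueError(f"{addr} is not link-local (fe80::/10)")
    if not sep:
        if require_zone:
            raise ValueError("link-local address needs a %zone suffix")
        return addr, None
    if interfaces is None:
        interfaces = local_interfaces()
    if zone not in interfaces:
        raise ValueError(f"unknown zone (interface): {zone!r}")
    return addr, zone


if __name__ == "__main__":
    known = {"eth0", "eth1"}  # constructed sample, not read from a real host
    for sample in ("fe80::1%eth0", "fe80::1%somethingwrong",
                   "2001:db8::1%eth0", "fe80::1"):
        try:
            print(sample, "->", check_scoped_link_local(sample, known))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```
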