Merge pull request #54 from netfoundry/v0.8.2-release-candidate

V0.8.2 release candidate

CHANGELOG.md

@@ -3,6 +3,16 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+# [0.8.2] - 2024-07-01
+
+###
+
+- Added support for ipv6 inbound filtering rules. Currently only destination filtering is allowed.
+  Rules are entered exactly the same as IPv4 rules and zfw will detect whether the address is ipv4 
+  or ipv6 based on the addresses. This now allows for trusted filtered IPv6 traffic to be forwarded 
+  to an External Interface with outbound tracking.
+  e.g. sudo zfw -I -c 2001:db9:: -m 64 -l 443 -h 443 -t 0 -p tcp
+
 # [0.8.1] - 2024-06-23
 
 ###

README.md

@@ -7,18 +7,44 @@ filtering.  It can be used in conjunction with ufw's masquerade feature on a Wan
 the zfw_outbound_track.o is activated in the egress direction. It can also be used in conjunction with OpenZiti
 edge-routers.
 
-## New in release 0.8.0 - Initial support for ipv6
-- *Enabled via sudo zfw -6 <ifname | all> 
-  Note: Router discovery is always enabled even if ipv6 is disabled in order to ensure the ifindex_ip6_map gets populated.
+## New features - Initial support for ipv6
+- *Enabled via ```sudo zfw -6 <ifname | all>``` 
+   Note: Router discovery / DHCPv6 are always enabled even if ipv6 is disabled in order to ensure the ifindex_ip6_map gets populated.
 - Supports ipv6 neighbor discovery (redirects not supported)
 - *Supports inbound ipv6 echo (disabled by default can be enabled via zfw -e)/ echo reply 
-- *Supports inbound ssh (Can be disabled via zfw -x <ifname | all>) (Care should be taken as this affects IPv4 as well)
+- *Supports inbound ssh (Can be disabled via ```sudo zfw -x <ifname | all>```) (Care should be taken as this affects IPv4 as well)
 - Supports outbound stateful host connections (Inbound only if outbound initiated)
-- Supports outbound passthrough tracking.  Sessions initiated from non-ebpf enabled interfaces out through interface(s) defined as ExternalInterface or with
-  "OutboundPassThroughTrack": true in /opt/openziti/etc/ebpf_config.json or manually applied with sudo zfw -X <ifname> -O /opt/openziti/zfw_outbound_track.o 
-   -z egress with allow stateful udp and tcp session traffic back in.
+- Supports outbound passthrough tracking.  Sessions initiated from non-ebpf enabled and ebpf enabled  internal interfaces out 
+  through interface(s) defined as ExternalInterface or with "OutboundPassThroughTrack": true in /opt/openziti/etc/ebpf_config.json
+  or manually applied with sudo ```zfw -X <ifname> -O /opt/openziti/zfw_outbound_track.o -z egress``` 
+  will allow stateful udp and tcp session traffic back in.
+- Support for inbound IPv6 filter destination rules. Currently only destination filtering is allowed.
+  e.g. 
+  ```
+    sudo zfw -I -c 2001:db9:: -m 64 -l 443 -h 443 -t 0 -p tcp
+  ```
+- IPv6 Rules can be listed with the following command:
+  ```
+    sudo zfw -L -6 all
+  ```
+- IPv6 rules can be individually deleted or flushed 
+  e.g.
+  ```
+    sudo zfw -F
+    sudo zfw -D -c 2001:db9:: -m 64 -l 443 -h 443 -p tcp
+  ```
 - Monitor connection state via -M, --monitor <ifname> when -v verbose <ifname> enabled  
-*These setting need to be in /opt/openziti/bin/user_rules.sh to be persistent across reboots
+*These setting need to be in /opt/openziti/bin/user_rules.sh to be persistent across reboots.
+
+Note: Some of the above IPv6 features are not fully supported with OpenZiti yet. Features like
+tproxy and ziti0 forwarding will not work completely till updates are released in OpenZiti.
+OpenZiti routers do support IPv6 fabric connections using DNS names in the config with corresponding
+AAAA records defined.  ziti-edge-tunnel supports ipv6 interception but the IPC events channel does
+not include the intercept IPv6 addresses, so currently IPv6 services would require manual zfw rule
+entry. Similarly to IPv4, IPv6 rules can be used to forward packets to the host OS by setting 
+```-t, --tproxy-port 0``` in the insert command.  
+
+
 
 ## Build