Add ipv6_link_local option

Author: davesteele

comitup/config.py

@@ -73,6 +73,7 @@ def load_data() -> Tuple[Config, persist.persist]:
                 "enable_appliance_mode": "1",
                 "primary_wifi_device": "",
                 "enable_nuke": "0",
+                "ipv6_link_local": 1,
             },
         )
 

comitup/nm.py

@@ -274,7 +274,10 @@ def make_hotspot(name="comitup", device=None, password="", hash="0000"):
 
 
 def make_connection_for(
-    ssid: str, password: str = None, interface: Optional[str] = None
+    ssid: str,
+    password: str = None,
+    interface: Optional[str] = None,
+    link_local: bool = True,
 ) -> None:
     settings = dbus.Dictionary(
         {
@@ -299,12 +302,15 @@ def make_connection_for(
             ),
             "ipv6": dbus.Dictionary(
                 {
-                    "method": "auto",
+                    "method": "link-local",
                 }
             ),
         }
     )
 
+    if not link_local:
+        settings["ipv6"]["method"] = "auto"
+
     if interface:
         settings["connection"]["interface-name"] = interface
 

comitup/statemgr.py

@@ -90,7 +90,9 @@ def to_fn(ssid, password):
             if nm.get_connection_by_ssid(ssid):
                 nm.del_connection_by_ssid(ssid)
 
-            nm.make_connection_for(ssid, password)
+            nm.make_connection_for(
+                ssid, password, link_local=conf.getboolean("ipv6_link_local")
+            )
 
             states.set_state("CONNECTING", [ssid, ssid])
             return False

conf/comitup.conf

@@ -82,3 +82,15 @@
 # defined WiFi connections, flash the board LED 3 times, and restart Comitup.
 #
 # enable_nuke: 0
+
+# ipv6_link_local
+#
+# Typically, IPv4 addresses assigned by ISPs involve Network Address
+# Translation. This offers some protection to devices, since such addresses are
+# not routable from the Internet by default. This is not the case for IPv6. In
+# this case, extra steps often need to be taken to protect the device. This
+# option can force Comitup to configure IPv6 on upstream WiFi connections to be
+# configured only with link-local IPv6 addresses, making them inaccessible from
+# the Internet for that protocol.
+#
+# ipv6_link_local: 1

doc/comitup-conf.5.md

@@ -1,6 +1,6 @@
 % comitup-conf(5)
 %
-% June 2021
+% July 2021
 
 # NAME
 
@@ -13,7 +13,7 @@ It is located in the _/etc/_ directory.
 
 ## PARAMETERS
 
-  * _ap_name_:
+  * _ap\_name_:
     By default, comitup will create a hotspot named **comitup-<nnn>**,
     publish an avahi-daemon(8) host entry for **comitup-<nnn>**, and establish
     an mdns identity for **comitup-<nnn>.local**.  Setting this parameter will
@@ -22,33 +22,33 @@ It is located in the _/etc/_ directory.
     will be replaced with a persistent, random number. Similarly, the string
     <hostname> is replaced with the computer's hostname.
 
-  * _ap_password_:
+  * _ap\_password_:
     If this parameter is defined in the configuration file, then the comitup hotspot will
     require that any connection to the hotspot be authenticated, using this password.
 
-  * _web_service_:
+  * _web\_service_:
     This defines a user web service to be controlled by **comitup**. This service will be
     disabled in the **HOTSPOT** state in preference of the comitup web service, and will be
     enabled in the **CONNECTED** state. This should be the name of the systemd web service,
     such as _apache2.service_ or _nginx.service_. This defaults to a null string,
     meaning no service is controlled.
 
-  * _service_name_:
+  * _service\_name_:
     This defines the mdns service name advertised by **comitup**. This defaults to "comitup",
     and will be advertised as "_comitup._tcp".
 
-  * _enable_appliance_mode_:
+  * _enable\_appliance\_mode_:
     By default, comitup will use multiple wifi interfaces, if available, to connect to the
     local hotspot and to the internet simultaneously. Setting this to something other than
     "true" will limit comitup to the first wifi interface.
 
-  * _external_callback_:
+  * _external\_callback_:
 
     The path to an external script that is called on comitup state changes. It will include
     a single argument, either 'HOTSPOT', 'CONNECTING', or 'CONNECTED'. The script will run
     as the owning user and group.
 
-  * _primary_wifi_device_;
+  * _primary\_wifi\_device_;
 
     Override the default choice for the primary WiFi device to use.
 
@@ -65,9 +65,16 @@ It is located in the _/etc/_ directory.
 
     This capability is also availble via _comitup-cli_ and the D-BUS interface.
 
+  * _ipv6\_link\_local_;
+
+    Set to '1' to force Comitup to create only "link-local" IPv6 addresses for
+    the upstream WiFi connection, affording a higher level of protection for
+    that link. "link-local" addresses cannot route to the Internet. Delete
+    existing connections after changing the value of this parameter.
+
 ## COPYRIGHT
 
-Comitup is Copyright (C) 2016-2019 David Steele <steele@debian.org>
+Comitup is Copyright (C) 2016-2021 David Steele <steele@debian.org>
 
 ## SEE ALSO