Services: Kea DHCPv6: Dynamic prefix delegation #10252
… should be enriched in a post apply hook later
…alue and reservations for a dynamic prefix subnet. The subnet must be empty since it is auto-configured; the pool is auto-configured as ::1000-::2000 and seeded with the initial prefix; reservations cannot be created because that would blow up, as there is no concept like partial IPv6 addresses in KEA. We always want to bootstrap KEA with an initial working configuration.
…age once per unique constraint
…e largest possible prefix that does not include the IA_NA generated address pool. Validation ensures the user can only change the delegated prefix length, but not anything about the pool itself. KEA is very strict about validations; auto generation is required here to ensure the model stays sane.
…re is nothing we can do if we offer both IA_NA and IA_PD; at least a /63 would be required for one IA_NA and one IA_PD pool.
…refix delegation. Cannot be cleanly solved, and if somebody doesn't use identity association in interface configurations it does not make sense to arbitrarily reduce the size here.
…_pool are dynamic.
fichtner left a comment
this looks nice! my only worries here are:
- Validation of "track interface" relationship between subnet and prefix is not well-defined. In the old days you'd select a PD to be on a specific interface in which case it would already know which prefix to use (by looking up LAN -> WAN).
- Only one dynamic PD with the current enforcement, but need to check the old code and the GUI workflow in order to judge.
The main constraint here is that a subnet in kea must be unique. So you cannot attach the same prefix to multiple interfaces. If we want to have that we would need more GUI magic that allows the WAN prefix to be split into smaller prefixes, or implement some partial address logic. Both would be fragile. The current state that allows at least one network to host dynamic PD is a good start I think. I'm open for ideas here.

If that's the constraint we want to go forward with I don't mind. It also limits the scope and one PD is better than none :)

I try really hard to limit the scope with this one. Expanding scope later should be doable if users have needs that cannot be met with this model. E.g. adding a new prefix ID field or something the like. But since providers also like playing switcheroo with delegated prefix sizes for single customers, all flexibility will bite someone at some point. EDIT: All of these concerns do not apply anymore to the new model we use now that allows full flexibility.
…wall util that can split a prefix into two children.
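The prefix arithmetic the discussion above and these commits describe (a prefix split into two non-overlapping children, the largest child of the delegated prefix that stays clear of the on-link /64 carrying the IA_NA pool, the fixed ::1000-::2000 pool, and the "/64 is not enough, /63 is the minimum" edge case), as an added worked example. This is not code from the PR or from OPNsense; the function names, the `delegated_len` parameter, the record layout and the 2001:db8: sample prefixes are assumptions, and the only values taken from the page are the pool offsets and the /63 minimum.

```python
import ipaddress
from typing import Optional, Tuple, Union

IPv6Net = ipaddress.IPv6Network
NetLike = Union[str, IPv6Net]

# Pool offsets inside the on-link /64, as stated in the PR (::1000-::2000).
IA_NA_POOL_FIRST = 0x1000
IA_NA_POOL_LAST = 0x2000


def _net(value: NetLike) -> IPv6Net:
    """Accept either a string or an already parsed IPv6Network (strict)."""
    return value if isinstance(value, IPv6Net) else ipaddress.IPv6Network(value)


def split_prefix(net: NetLike) -> Tuple[IPv6Net, IPv6Net]:
    """Split a prefix into its two non-overlapping children, each one bit longer."""
    parent = _net(net)
    if parent.prefixlen >= 128:
        raise ValueError(f"{parent} cannot be split further")
    low, high = parent.subnets(prefixlen_diff=1)
    return low, high


def largest_disjoint_prefix(parent: NetLike, exclude: NetLike) -> Optional[IPv6Net]:
    """Largest prefix inside `parent` that does not overlap `exclude`.

    Only the two direct children matter: exactly one of them contains
    `exclude`, and its sibling is the largest prefix in `parent` that stays
    clear of it.  Returns None when `exclude` fills `parent` entirely, i.e. a
    /64 on-link prefix leaves no room for a PD pool (hence the /63 minimum).
    """
    parent, exclude = _net(parent), _net(exclude)
    if not exclude.subnet_of(parent):
        raise ValueError(f"{exclude} is not inside {parent}")
    if parent == exclude:
        return None
    low, high = split_prefix(parent)
    return high if exclude.subnet_of(low) else low


def ia_na_pool(onlink: NetLike) -> Tuple[str, str]:
    """Fixed ::1000-::2000 address pool inside the on-link /64."""
    net = _net(onlink)
    if net.prefixlen != 64:
        raise ValueError("on-link prefix must be a /64 for the IA_NA pool")
    base = net.network_address
    return str(base + IA_NA_POOL_FIRST), str(base + IA_NA_POOL_LAST)


def derive_dynamic_subnet(delegated: NetLike, onlink: NetLike, delegated_len: int) -> dict:
    """Assumed shape of one auto-generated dynamic-prefix subnet.

    `delegated` is the prefix the WAN received via IA_PD, `onlink` the /64 the
    tracking interface took from it, and `delegated_len` the only knob left to
    the user: the size of the prefixes handed out from the PD pool.
    """
    pd_prefix = largest_disjoint_prefix(delegated, onlink)
    if pd_prefix is None:
        raise ValueError("need at least a /63 to host one IA_NA and one IA_PD pool")
    if not pd_prefix.prefixlen <= delegated_len <= 128:
        raise ValueError(f"delegated-len must be between {pd_prefix.prefixlen} and 128")
    first, last = ia_na_pool(onlink)
    return {
        "subnet": str(_net(onlink)),
        "pools": [{"pool": f"{first}-{last}"}],
        "pd-pools": [{
            "prefix": str(pd_prefix.network_address),
            "prefix-len": pd_prefix.prefixlen,
            "delegated-len": delegated_len,
        }],
    }


if __name__ == "__main__":
    # Constructed sample: a /56 delegated to WAN, its first /64 tracked by LAN.
    print(derive_dynamic_subnet("2001:db8:abcd::/56", "2001:db8:abcd::/64", 64))
```

With a /56 on the WAN and the first /64 on the LAN, the PD pool becomes the sibling /57 (2001:db8:abcd:80::/57); with only a /64 delegated the function refuses, which is the case the "/63 would be required" commit describes.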
fichtner left a comment
tentative approval for the draft. looks snappy.
@fichtner Now the hook script will be easy. It doesn't need to know or calculate anything :)
… per interface. Fix some other small details
…r any reason do not offer a real prefix yet
…oubleshooting help
…ing leases as long as the subnet has a temporary placeholder prefix
…t's cheap and essentially side effect free
…e some of the kea_prefix_renew logging. Streamline the STDOUT result as well.
…is deprecated. Use 'only-in-additional-list' instead
Please be gentle Copilot
Pull request overview
Adds dynamic IPv6 prefix delegation support to the Kea DHCPv6 service by deriving subnets/pools from tracked identity-association (idassoc6) prefixes and automatically regenerating/reloading Kea when the WAN IPv6 prefix changes (Issue #9941).
Changes:
- Add an Idassoc helper to compute per-interface on-link and allocatable IPv6 prefixes from tracked PD state.
- Extend Kea DHCPv6 model/GUI/config generation to support “dynamic prefix” subnets and auto-generated pools/PD pools.
- Add a hook script + plugin entry to wipe leases, regenerate config, and reload Kea on WAN IPv6 changes.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/opnsense/scripts/kea/kea_prefix_renew.py | Hook script to wipe dynamic-prefix leases, regenerate dhcp6 config, and reload Kea |
| src/opnsense/mvc/app/views/OPNsense/Kea/dhcpv6.volt | UI grid formatting + hide/show fields for dynamic prefix mode |
| src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml | Model updates for dynamic_prefix field and related UI/display tweaks |
| src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.php | Validation + config generation for dynamic-prefix subnets and PD pools |
| src/opnsense/mvc/app/library/OPNsense/Interface/Idassoc.php | New library to compute identity-association prefixes (on-link/allocated/associated) |
| src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php | Add IPv6 prefix splitting helper for deriving non-overlapping child prefixes |
| src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml | Add Dynamic Prefix toggle and grid formatting for subnet/pools |
| src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogPDPool6.xml | Add grid formatting and styling for PD pool prefix fields |
| src/etc/inc/plugins.inc.d/kea.inc | Add pluginctl action for dhcpv6 config generation + newwanip(inet6) hook |
| plist | Install new Idassoc library and kea_prefix_renew script |
No, bad copilot, don't commit changes! Now I have to clean up. Meh.
```php
$client_classes[] = [
    'name' => 'NO_LEASES_PLEASE',
    'test' => "not member('ALL')",
    'only-in-additional-list' => true,
];
```
This is wrong here after all. KEA documentation:
The only-in-additional-list flag is not mandatory; when its value is set to false (the default), membership is determined during classification and is available for subnet selection, for instance. When the value is set to true, membership is evaluated only if the class appears in an evaluate-additional-classes list and is usable only for option configuration.
```php
$record['user-context']['prefix_source'] = $idassoc['prefix_source'] ?? $if;
// If the prefix is temporary placeholder, we will not send leases to any client
if (empty($idassoc['prefix_valid'])) {
    $record['evaluate-client-classes'] = ['NO_LEASES_PLEASE'];
}
```
this should also just become client-classes
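The two corrections in this review thread, and the placeholder-prefix design from the PR description, as an added example that is not the PR's or OPNsense's code: the class is defined without `only-in-additional-list` (default false, so it is evaluated during classification and can gate subnet selection), and a subnet whose prefix is only a placeholder is restricted with `client-classes` rather than `evaluate-client-classes`. Because every client belongs to the built-in ALL class, `not member('ALL')` never matches and no lease can come out of such a subnet. The function names, the subnet ids, the `prefix_valid` flag and the 2001:db8: prefixes (including 2001:db8:ffff::/64 standing in for whatever placeholder the generator emits) are constructed assumptions; the class name, the test expression and the `prefix_source` user-context key are taken from the snippets above.

```python
import json
from typing import Optional, Sequence

# Class name and test expression as in the reviewed snippet.  Every client is
# a member of ALL, so the test is always false and nobody ever joins the class.
NO_LEASES_CLASS = "NO_LEASES_PLEASE"


def no_leases_class() -> dict:
    """Class definition no client can match.

    'only-in-additional-list' is deliberately absent: at its default (false)
    the class is evaluated during classification and is usable for subnet
    selection.  Set to true it would only be evaluated when listed in
    evaluate-additional-classes and could only carry options, so the
    placeholder subnets would no longer be fenced off.
    """
    return {"name": NO_LEASES_CLASS, "test": "not member('ALL')"}


def subnet6_record(subnet_id: int, subnet: str, pool: str, pd_pool: Optional[dict],
                   prefix_valid: bool, prefix_source: str) -> dict:
    """One subnet6 entry; placeholder prefixes get a class nobody is in."""
    record = {
        "id": subnet_id,
        "subnet": subnet,
        "pools": [{"pool": pool}],
        "user-context": {"prefix_source": prefix_source},
    }
    if pd_pool:
        record["pd-pools"] = [pd_pool]
    if not prefix_valid:
        # 'client-classes' gates subnet selection; 'evaluate-client-classes'
        # would not, which is the second correction from the review.
        record["client-classes"] = [NO_LEASES_CLASS]
    return record


def build_dhcp6(records: Sequence[dict]) -> dict:
    """Dhcp6 fragment: the class definition plus the generated subnets."""
    return {
        "Dhcp6": {
            "client-classes": [no_leases_class()],
            "subnet6": list(records),
        }
    }


def leases_possible(record: dict) -> bool:
    """True if at least one client could be selected into this subnet."""
    return NO_LEASES_CLASS not in record.get("client-classes", [])


# Constructed sample: one subnet still on a placeholder prefix, one on a real one.
SAMPLE_RECORDS = [
    subnet6_record(1, "2001:db8:ffff::/64",
                   "2001:db8:ffff::1000-2001:db8:ffff::2000", None, False, "wan"),
    subnet6_record(2, "2001:db8:abcd::/64",
                   "2001:db8:abcd::1000-2001:db8:abcd::2000",
                   {"prefix": "2001:db8:abcd:80::", "prefix-len": 57, "delegated-len": 64},
                   True, "wan"),
]

if __name__ == "__main__":
    print(json.dumps(build_dhcp6(SAMPLE_RECORDS), indent=2))
```

Running it prints the fragment Kea would receive: the placeholder subnet carries `"client-classes": ["NO_LEASES_PLEASE"]` and therefore never hands out a lease, while the real subnet has no class restriction at all.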
…y the user, but the KEA config is not adjusted accordingly.
Describe the problem
Fixes: #9941
Describe the proposed solution
The scope is intentionally limited. Validations prevent interactions we do not want. Things that can make KEA crash are auto-generated. The user cannot decide much, to protect from hard-to-troubleshoot issues.
The design revolves around two steps:
To allow KEA to always start, even without any valid prefixes on interfaces, placeholder prefixes are emitted to the subnet, and a client-classes test prevents clients from getting leases from such subnets.
The hook script is idempotent and very cheap to execute. A failure or a wrong configuration file cannot crash the running KEA daemon.
A concept for 1 is in POC phase and finished
A concept for 2 is in POC phase and finished
Generated Configuration file example
Placeholder prefix:
"Real" prefix: