Services: Kea DHCPv6: Dynamic prefix delegation

plist

@@ -555,6 +555,7 @@
 /usr/local/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Firewall/Util.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Interface/Autoconf.php
+/usr/local/opnsense/mvc/app/library/OPNsense/Interface/Idassoc.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Controller.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Dispatcher.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Mvc/Exceptions/ClassNotFoundException.php
@@ -1307,6 +1308,7 @@
 /usr/local/opnsense/scripts/kea/del_kea_leases.py
 /usr/local/opnsense/scripts/kea/get_kea_leases.py
 /usr/local/opnsense/scripts/kea/kea_dhcp_options.py
+/usr/local/opnsense/scripts/kea/kea_prefix_renew.py
 /usr/local/opnsense/scripts/kea/kea_prefix_watcher.py
 /usr/local/opnsense/scripts/kea/lib/__init__.py
 /usr/local/opnsense/scripts/kea/lib/kea_ctrl.py

src/etc/inc/plugins.inc.d/kea.inc

@@ -146,10 +146,26 @@ function kea_staticmap($proto = null, $valid_addresses = true, $ifconfig_details
 function kea_configure()
 {
     return [
-        'kea_sync' => ['kea_configure_do']
+        'kea_generate_dhcpv6' => ['kea_generate_dhcpv6_do'],
+        'kea_sync' => ['kea_configure_do'],
+        'newwanip' => ['kea_newwanip'],
     ];
 }
 
+// used by kea_prefix_renew hook script to regenerate config when dynamic IPv6 prefix changes
+function kea_generate_dhcpv6_do($verbose = false)
+{
+    kea_generate_dhcpv6(new \OPNsense\Kea\KeaDhcpv6());
+}
+
+function kea_generate_dhcpv6($keaDhcpv6)
+{
+    if ($keaDhcpv6->isEnabled() && $keaDhcpv6->general->manual_config->isEmpty()) {
+        /* skip kea-dhcp6.conf when configured manually */
+        $keaDhcpv6->generateConfig();
+    }
+}
+
 function kea_configure_do($verbose = false)
 {
     $keaDhcpv4 = new \OPNsense\Kea\KeaDhcpv4();
@@ -164,10 +180,7 @@ function kea_configure_do($verbose = false)
             /* skip kea-dhcp4.conf when configured manually */
             $keaDhcpv4->generateConfig();
         }
-        if ($keaDhcpv6->isEnabled() && $keaDhcpv6->general->manual_config->isEmpty()) {
-            /* skip kea-dhcp6.conf when configured manually */
-            $keaDhcpv6->generateConfig();
-        }
+        kea_generate_dhcpv6($keaDhcpv6);
         if ($keaDdns->isEnabled() && $keaDdns->general->manual_config->isEmpty()) {
             /* skip kea-dhcp-ddns.conf when configured manually */
             $keaDdns->generateConfig();
@@ -187,6 +200,20 @@ function kea_configure_do($verbose = false)
     }
 }
 
+function kea_newwanip($interfaces, $family)
+{
+    if ($family === 'inet6') {
+        $keaDhcpv6 = new \OPNsense\Kea\KeaDhcpv6();
+        if (
+            $keaDhcpv6->isEnabled() &&
+            $keaDhcpv6->general->manual_config->isEmpty() &&
+            $keaDhcpv6->pd_pools->pd_pool->count() > 0
+        ) {
+            mwexecf('/usr/local/opnsense/scripts/kea/kea_prefix_renew.py');
+        }
+    }
+}
+
 function kea_syslog()
 {
     return ['kea' => ['facility' => [

src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogPDPool6.xml

@@ -9,13 +9,21 @@
         <id>pd_pool.prefix</id>
         <label>Prefix</label>
         <type>text</type>
+        <style>static_prefix</style>
         <help></help>
+        <grid_view>
+            <formatter>pd_pool</formatter>
+        </grid_view>
     </field>
     <field>
         <id>pd_pool.prefix_len</id>
         <label>Prefix length</label>
         <type>text</type>
+        <style>static_prefix</style>
         <help></help>
+        <grid_view>
+            <formatter>pd_pool</formatter>
+        </grid_view>
     </field>
     <field>
         <id>pd_pool.delegated_len</id>

src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/dialogSubnet6.xml

@@ -3,39 +3,58 @@
         <id>subnet6.subnet</id>
         <label>Subnet</label>
         <type>text</type>
+        <style>static_prefix</style>
         <help>Subnet to use, should be large enough to hold the specified pools and reservations</help>
+        <grid_view>
+            <formatter>subnet</formatter>
+        </grid_view>
     </field>
     <field>
         <id>subnet6.interface</id>
         <label>Interface</label>
         <type>dropdown</type>
         <help>Select which interface this subnet belongs too.</help>
     </field>
+    <field>
+        <id>subnet6.dynamic_prefix</id>
+        <label>Dynamic Prefix</label>
+        <type>checkbox</type>
+        <help>Use the identity association prefix allocated to this interface and generate subnet and pools automatically. DHCP options or DDNS settings that use IPv6 addresses are unaffected by prefix changes, they remain static.</help>
+        <grid_view>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+            <visible>false</visible>
+        </grid_view>
+    </field>
     <field>
         <id>subnet6.allocator</id>
         <label>Allocator</label>
         <type>dropdown</type>
         <advanced>true</advanced>
         <help>Select allocator method to use when offering leases to clients.</help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>subnet6.pd-allocator</id>
         <label>PD Allocator</label>
         <type>dropdown</type>
         <advanced>true</advanced>
         <help>Select allocator method to use when offering prefix delegations to clients</help>
-    </field>
-    <field>
-        <id>subnet6.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help>You may enter a description here for your reference (not parsed).</help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>subnet6.pools</id>
         <label>Pools</label>
         <type>textbox</type>
+        <style>static_prefix</style>
         <help>List of pools, one per line in range or subnet format (e.g. 2001:db8:1::-2001:db8:1::100, 2001:db8:1::/80</help>
+        <grid_view>
+            <formatter>subnet</formatter>
+        </grid_view>
     </field>
     <field>
         <id>subnet6.valid_lifetime</id>
@@ -46,6 +65,12 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>subnet6.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>You may enter a description here for your reference (not parsed).</help>
+    </field>
     <field>
         <type>header</type>
         <label>DHCP option data</label>

src/opnsense/mvc/app/library/OPNsense/Firewall/Util.php

@@ -505,6 +505,40 @@ public static function isIPv6PrefixInPrefix(string $childPrefix, string $parentP
         return self::isIPInCIDR($childAddress, $parentPrefix);
     }
 
+    /**
+     * Split an IPv6 parent prefix (e.g., /56) into two child prefixes (e.g., 2x /57).
+     *
+     * @param string $prefix IPv6 CIDR prefix
+     * @return array two child prefixes or empty array
+     */
+    public static function splitIPv6Prefix($prefix): array
+    {
+        if (!self::isSubnetStrict($prefix)) {
+            return [];
+        }
+
+        [$address, $prefix_len] = explode('/', $prefix, 2);
+        if (!self::isIpv6Address($address)) {
+            return [];
+        }
+
+        $child_prefix_len = (int)$prefix_len + 1;
+        if ($child_prefix_len > 128) {
+            return [];
+        }
+
+        $bytes = array_values(unpack('C*', inet_pton($address)));
+        $second = $bytes;
+
+        $bit = $child_prefix_len - 1;
+        $second[intdiv($bit, 8)] |= 1 << (7 - ($bit % 8));
+
+        return [
+            inet_ntop(pack('C*', ...$bytes)) . '/' . $child_prefix_len,
+            inet_ntop(pack('C*', ...$second)) . '/' . $child_prefix_len,
+        ];
+    }
+
     /**
      * convert ipv4 cidr to netmask e.g. 24 --> 255.255.255.0
      * @param int $bits ipv4 bits