Black & White listing expression - npd6/npd6 GitHub Wiki

Introduction

This covers the enhancement from Kert Jans to extend the white/blacklisting capability of npd6. Previously individual addresses had to be explicitly configured into the config file. The idea back then was that you'd only want to handle a few.

Turns out some folks have much different requirements! This new feature allows white/blacklists to be defined using powerful expressions, which can cover thousands (in fact many millions!) of addresses in a single line of config.

Quite apart from the obvious use of this (i.e. having very large effective lists), the way it is implemented also makes lists portable, since one can define what are in effect prefix-independent lists.

Below are some details as kindly written by Kurt.

I'm going to try and add to this and offer some examples - the parser is powerful but slightly cryptic!

The sort of person who wants this functionality is likely also the sort of person who can get their head around the syntax, so don't be put off. :-)

Details

This adds another keyword to the configuration file: exprlist

It works in addition to addrlist: all existing functionality in npd6 is preserved/unchanged.

How it works

Two expression variables are made available to the expression parser at runtime:

HOST    the lower 64 bits of the 128-bit IPv6 address

PREFIX    the upper 64 bits of the 128-bit IPv6 address

For example, you can do:

  • Match a specific Netgear card
    • exprlist=HOST==0x02184dfffe01020304;
  • All Netgear cards
    • exprlist=(HOST>>40)==0x02184d;
  • This would match all cards from Netgear, Cisco, and Apple:
    • exprlist=(HOST>>40)==0x02184d;
    • exprlist=(HOST>>40)==0x020196;
    • exprlist=(HOST>>40)==0x020a95;

Some of the power of the expression parser can be seen here:

exprlist=OUI=(HOST>>40);ID=(HOST&0xffffffff);(OUI==0x020a95)&&((ID>0)&&(ID<10000000));

This matches an Apple OUI with the further restriction that the lower 32-bit value must be in the range of 0-10,000,000.

  • Another example of a specific match:
    • exprlist=OUI=(HOST>>40);ID=(HOST&0xffffffff);(OUI==0x02051a)&&((ID==9999021));

Some additional info

In the examples above, there is nothing special about the variable names OUI, ID, etc. The only special names are PREFIX and HOST. Everything else is user-defined.

I tested with a blacklist and the following expression:

exprlist=(HOST);SEAN=(HOST&0xffff);((SEAN>0x99)&&(SEAN<0x124))

To understand this, it helps to break the lines at the ';' marker. So let's read it as:

(HOST);
SEAN=(HOST&0xffff);
((SEAN>0x99)&&(SEAN<0x124))

The first item says "We're looking at the last 64 bits of the full address in the Neighbor Solicitation (i.e. the bottom half, if we have a typical 64-bit prefix)."

The second item does two things: "Create a variable we're going to call SEAN and store in it the last 4 hex digits (the low 16 bits) of the IPv6 address, with all other digits replaced by zeroes."

Finally we check whether the value now in SEAN is >= 100 and <= 123 (hex, i.e. strictly greater than 0x99 and strictly less than 0x124). If it is, it's considered a match in our listing (and if we're blacklisting it will be blocked, or if we're whitelisting it will be allowed).

Assuming we were blacklisting, the following addresses would be blocked:

  • 0x::100
  • 0x2::100
  • 0x::1:0:0:123

While these would be allowed:

  • 0x::99
  • 0x2::124
  • 0x::1:0:0:1123
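To make the syntax concrete, here is a small evaluator for the expression style used above (the vendor-OUI examples and the SEAN blacklist), so you can check what an exprlist line matches before putting it in the config. It is an added example, not npd6's own parser: C-like operator precedence, the NAME=expr assignment form and "the last statement decides the match" are assumptions drawn from the examples on this page.

```python
import ipaddress
import re

# Added example, not npd6's own code. C-like precedence and "the last statement
# decides the match" are assumptions drawn from the examples on the wiki page.
TOKEN_RE = re.compile(r"0x[0-9a-fA-F]+|\d+|[A-Za-z_]\w*|>>|==|&&|[()<>&=]")
# Lowest precedence first. As in C, '&' binds more loosely than '==', hence the
# parentheses around (HOST&0xffffffff) in the page's examples.
PRECEDENCE = [("&&",), ("&",), ("==",), ("<", ">"), (">>",)]
OPS = {"&&": lambda a, b: int(bool(a) and bool(b)), "&": lambda a, b: a & b,
       "==": lambda a, b: int(a == b), "<": lambda a, b: int(a < b),
       ">": lambda a, b: int(a > b), ">>": lambda a, b: a >> b}

def split_address(addr):
    """Return (PREFIX, HOST): the upper and lower 64 bits of an IPv6 address."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & 0xFFFFFFFFFFFFFFFF

def evaluate(toks, env):  # precedence-climbing parser that evaluates as it parses
    pos = [0]  # cursor shared by the nested helpers
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def expr(level=0):
        if level == len(PRECEDENCE):
            return primary()
        left = expr(level + 1)
        while peek() in PRECEDENCE[level]:
            op, pos[0] = peek(), pos[0] + 1
            left = OPS[op](left, expr(level + 1))
        return left
    def primary():
        tok, pos[0] = peek(), pos[0] + 1
        if tok == "(":
            val, pos[0] = expr(), pos[0] + 1  # consume the closing ')'
            return val
        if tok is not None and tok[0].isdigit():  # hex or decimal literal
            return int(tok, 16) if tok.startswith("0x") else int(tok)
        if tok in env:
            return env[tok]
        raise ValueError(f"unknown variable or unexpected token: {tok!r}")
    value = expr()
    if pos[0] != len(toks):
        raise ValueError("unbalanced parentheses or trailing tokens")
    return value

def matches(exprlist, addr):  # True if the last ';'-separated statement is non-zero
    env, result = dict(zip(("PREFIX", "HOST"), split_address(addr))), 0
    for stmt in exprlist.split(";"):
        toks = TOKEN_RE.findall(stmt)
        if "".join(toks) != re.sub(r"\s+", "", stmt):
            raise ValueError(f"cannot tokenize: {stmt!r}")
        if len(toks) > 2 and toks[1] == "=" and re.fullmatch(r"[A-Za-z_]\w*", toks[0]):
            env[toks[0]] = evaluate(toks[2:], env)  # NAME=expr defines a variable
        elif toks:  # an empty statement (e.g. after a trailing ';') is skipped
            result = evaluate(toks, env)
    return bool(result)
```

Because the expressions only look at HOST, the same SEAN rule matches ::100 and 2::100 alike, which is the prefix independence mentioned in the introduction.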