Unable to use ipv6 intercept address

If you want to replace the original network with the ziti network in an existing network connection, in order not to affect the data transmission of the original business, you can add the Linux Tunneler to control the access, but the access domain name and port are fixed and cannot be modified, so you need to write the same address to hostv1 and interceptv1. I have tried ipv4 with success, and the ipv6 address is not available. I am unable to access the service through the set ipv6 address.

I'm not sure I understand what you mean. It sounds like you'd like to intercept an IPv6 address?

For example, if the previous service is an ipv6 access service, and I want to access it through the ziti network, but still use the original ipv6 access service method, then the name of interceptv1 needs to be set to the ipv6 address.

It can be after intercepting the ipv6 address, it reaches the ipv6 service through the ziti network


There is an issue to support intercepting ipv6 addresses, but we haven't gotten to it yet. Once intercepting ipv6 is possible, the intercepted ipv6 address would be forwarded to the hosting tunneler if the service enables address forwarding.

Does the issue I mentioned here describe the capability that you're looking for?

Hi scarething,
You mentioned not handling AAAA requests, but I can access the service through the Ziti network using the domain name. When I attempted to access the service using the IPv6 address mentioned by McGonagall666, it failed. Is this a problem with the DNS server? How can I resolve this?

Intercepting by hostname is actually just a layer on top of ipv4 intercept. The tunneler’s dns server resolves any hostnames in the intercept.v1 address list to ipv4 addresses in the dns ip range (100.64/10 by default). Those ipv4 addresses are internally mapped to the associated services as they are assigned, and the routing table is set up to send those ips to the tunneler’s tun device.

DEBUG tunnel-sdk:ziti_tunnel.c:320 ziti_tunneler_intercept() intercepting address [tcp:2768:8631:c02:ffc9::1308/128:9000] service [svc] shows successful interception, followed by a 'File exists' error and update failure. Finally, accessing via the IPv6 domain name works fine, but accessing through http://[2768:8631:c02:ffc9::1308]:9000/ results in a timeout, while using the IPv4 domain name and address works normally. What could be the reason? Is there a failure in storing the IPv6 address in the tunneler’s tun device?

The tunnelers do not currently support intercepting ipv6 addresses. Parts of the code path are able to understand and handle ipv6 addresses, but other parts are not.

What are the errors that you mention (file exists and update)? Can you share more complete logs and your service configurations?

Thank you for your insights. Is "parts of the code path are able to handle IPv6 addresses" the reason why I can access the service via domain names? If I directly access using the IP address to bypass the DNS resolver, the logs above mention successfully intercepting the IPv6 address. Was the interception really successful? If I want to access the service using http://[2768:8631:c02:ffc9::1308]:9000/ , where in the code should I make changes to enable IPv6 address interception?

No, as I described above, the hostnames in the intercept.v1 address list are resolved to ipv4 addresses by the tunneler's DNS server. You can see this for yourself if you ping the hostname. The tunneler then intercepts the ipv4 connection that the client application initiates after it resolves the hostname.

There are many places that are subtly affected by ip6; I think it would be too hard to explain everything in a discourse post. I'm guessing you'd need to start with lookup_intercept_by_address in intercept.c to get it working for ipv6 addresses.
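
The hostname path described in this thread, as an added sketch that is not part of the original posts and is not the tunneler's own code: a toy model in which the DNS server hands out IPv4 addresses from 100.64/10 and only those addresses map to a service. The class and method names, the hostname app.example.internal, and assignment on first query are assumptions made for illustration.

```python
import ipaddress

# Default tunneler DNS range named in the thread (100.64/10).
DNS_RANGE = ipaddress.ip_network("100.64.0.0/10")


class HostnameIntercepts:
    """Toy model (hypothetical names): hostname intercept layered on IPv4 intercept."""

    def __init__(self, dns_range=DNS_RANGE):
        self._free = iter(dns_range.hosts())  # unassigned IPv4 addresses in the range
        self._service_of_name = {}            # hostname from intercept.v1 -> service
        self._ip_of_name = {}                 # hostname -> assigned IPv4
        self._service_of_ip = {}              # assigned IPv4 -> service (routed to the tun device)

    def add_service(self, service, hostnames):
        for name in hostnames:
            self._service_of_name[name.lower().rstrip(".")] = service

    def resolve(self, name):
        """Answer a DNS query; intercepted names get an IPv4 from the range."""
        name = name.lower().rstrip(".")
        if name not in self._service_of_name:
            return None                       # not an intercepted name
        if name not in self._ip_of_name:      # assumption: assign on first query
            ip = next(self._free)
            self._ip_of_name[name] = ip
            self._service_of_ip[ip] = self._service_of_name[name]
        return self._ip_of_name[name]

    def connect(self, host):
        """Return (destination, service) for a client that connects to host."""
        try:
            dst = ipaddress.ip_address(host.strip("[]"))  # IP literal: no DNS step
        except ValueError:
            dst = self.resolve(host)                      # hostname: ask the DNS server
        return dst, self._service_of_ip.get(dst)


if __name__ == "__main__":
    model = HostnameIntercepts()
    model.add_service("svc", ["app.example.internal"])    # constructed hostname
    # Hostname: resolved into 100.64/10, so the IPv4 connection matches a service.
    print(model.connect("app.example.internal"))
    # IPv6 literal from the thread: nothing in the IPv4 table matches it.
    print(model.connect("[2768:8631:c02:ffc9::1308]"))
```

In this model the hostname works whatever address family the real service uses, because the client only ever connects to the assigned 100.64/10 address, while a literal IPv6 destination skips the DNS step and finds no entry.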