1 /*-
2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4 * Copyright (c) 1994 Ugen J.S.Antsilevich
5 *
6 * Idea and grammar partially left from:
7 * Copyright (c) 1993 Daniel Boulet
8 *
9 * Redistribution and use in source forms, with and without modification,
10 * are permitted provided that this entire comment appears intact.
11 *
12 * Redistribution in binary form may occur without any restrictions.
13 * Obviously, it would be nice if you gave credit where credit is due
14 * but requiring it would be too onerous.
15 *
16 * This software is provided ``AS IS'' without any warranties of any kind.
17 *
18 * NEW command line interface for IP firewall facility
19 *
20 * ipv6 support
21 */
22
23 #include <sys/types.h>
24 #include <sys/socket.h>
25
26 #include "ipfw2.h"
27
28 #include <err.h>
29 #include <netdb.h>
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <sysexits.h>
34
35 #include <net/if.h>
36 #include <netinet/in.h>
37 #include <netinet/in_systm.h>
38 #include <netinet/ip.h>
39 #include <netinet/icmp6.h>
40 #include <netinet/ip_fw.h>
41 #include <arpa/inet.h>
42
43 #define CHECK_LENGTH(v, len) do { \
44 if ((v) < (len)) \
45 errx(EX_DATAERR, "Rule too long"); \
46 } while (0)
47
48 static struct _s_x icmp6codes[] = {
49 { "no-route", ICMP6_DST_UNREACH_NOROUTE },
50 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN },
51 { "address", ICMP6_DST_UNREACH_ADDR },
52 { "port", ICMP6_DST_UNREACH_NOPORT },
53 { NULL, 0 }
54 };
55
56 uint16_t
get_unreach6_code(const char * str)57 get_unreach6_code(const char *str)
58 {
59 int val;
60 char *s;
61
62 val = strtoul(str, &s, 0);
63 if (s == str || *s != '\0' || val >= 0x100)
64 val = match_token(icmp6codes, str);
65 if (val < 0)
66 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
67 return (val);
68 }
69
70 void
print_unreach6_code(struct buf_pr * bp,uint16_t code)71 print_unreach6_code(struct buf_pr *bp, uint16_t code)
72 {
73 char const *s = match_value(icmp6codes, code);
74
75 if (s != NULL)
76 bprintf(bp, "unreach6 %s", s);
77 else
78 bprintf(bp, "unreach6 %u", code);
79 }
80
81 /*
82 * Print the ip address contained in a command.
83 */
84 void
print_ip6(struct buf_pr * bp,const ipfw_insn_ip6 * cmd)85 print_ip6(struct buf_pr *bp, const ipfw_insn_ip6 *cmd)
86 {
87 char trad[255];
88 struct hostent *he = NULL;
89 const struct in6_addr *a = &(cmd->addr6);
90 int len, mb;
91
92 len = F_LEN((const ipfw_insn *)cmd) - 1;
93 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
94 bprintf(bp, " me6");
95 return;
96 }
97 if (cmd->o.opcode == O_IP6) {
98 bprintf(bp, " ip6");
99 return;
100 }
101
102 /*
103 * len == 4 indicates a single IP, whereas lists of 1 or more
104 * addr/mask pairs have len = (2n+1). We convert len to n so we
105 * use that to count the number of entries.
106 */
107 bprintf(bp, " ");
108 for (len = len / 4; len > 0; len -= 2, a += 2) {
109 /* mask length */
110 mb = (cmd->o.opcode == O_IP6_SRC ||
111 cmd->o.opcode == O_IP6_DST) ? 128:
112 contigmask((const uint8_t *)&(a[1]), 128);
113
114 if (mb == 128 && g_co.do_resolv)
115 he = gethostbyaddr((const char *)a, sizeof(*a),
116 AF_INET6);
117
118 if (he != NULL) /* resolved to name */
119 bprintf(bp, "%s", he->h_name);
120 else if (mb == 0) /* any */
121 bprintf(bp, "any");
122 else { /* numeric IP followed by some kind of mask */
123 if (inet_ntop(AF_INET6, a, trad,
124 sizeof(trad)) == NULL)
125 bprintf(bp, "Error ntop in print_ip6\n");
126 bprintf(bp, "%s", trad );
127 if (mb < 0) /* mask not contiguous */
128 bprintf(bp, "/%s", inet_ntop(AF_INET6, &a[1],
129 trad, sizeof(trad)));
130 else if (mb < 128)
131 bprintf(bp, "/%d", mb);
132 }
133 if (len > 2)
134 bprintf(bp, ",");
135 }
136 }
137
138 void
fill_icmp6types(ipfw_insn_icmp6 * cmd,char * av,int cblen)139 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
140 {
141 uint8_t type;
142
143 CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn_icmp6));
144 memset(cmd, 0, sizeof(*cmd));
145 while (*av) {
146 if (*av == ',')
147 av++;
148 type = strtoul(av, &av, 0);
149 if (*av != ',' && *av != '\0')
150 errx(EX_DATAERR, "invalid ICMP6 type");
151 /*
152 * XXX: shouldn't this be 0xFF? I can't see any reason why
153 * we shouldn't be able to filter all possiable values
154 * regardless of the ability of the rest of the kernel to do
155 * anything useful with them.
156 */
157 if (type > ICMP6_MAXTYPE)
158 errx(EX_DATAERR, "ICMP6 type out of range");
159 cmd->d[type / 32] |= ( 1 << (type % 32));
160 }
161 cmd->o.opcode = O_ICMP6TYPE;
162 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
163 }
164
165 void
print_icmp6types(struct buf_pr * bp,const ipfw_insn_u32 * cmd)166 print_icmp6types(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
167 {
168 int i, j;
169 char sep= ' ';
170
171 bprintf(bp, " icmp6types");
172 for (i = 0; i < 7; i++)
173 for (j=0; j < 32; ++j) {
174 if ( (cmd->d[i] & (1 << (j))) == 0)
175 continue;
176 bprintf(bp, "%c%d", sep, (i*32 + j));
177 sep = ',';
178 }
179 }
180
181 void
print_flow6id(struct buf_pr * bp,const ipfw_insn_u32 * cmd)182 print_flow6id(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
183 {
184 uint16_t i, limit = cmd->o.arg1;
185 char sep = ',';
186
187 bprintf(bp, " flow-id ");
188 for( i=0; i < limit; ++i) {
189 if (i == limit - 1)
190 sep = ' ';
191 bprintf(bp, "%d%c", cmd->d[i], sep);
192 }
193 }
194
195 /* structure and define for the extension header in ipv6 */
196 static struct _s_x ext6hdrcodes[] = {
197 { "frag", EXT_FRAGMENT },
198 { "hopopt", EXT_HOPOPTS },
199 { "route", EXT_ROUTING },
200 { "dstopt", EXT_DSTOPTS },
201 { "ah", EXT_AH },
202 { "esp", EXT_ESP },
203 { "rthdr0", EXT_RTHDR0 },
204 { "rthdr2", EXT_RTHDR2 },
205 { NULL, 0 }
206 };
207
208 /* fills command for the extension header filtering */
209 int
fill_ext6hdr(ipfw_insn * cmd,char * av)210 fill_ext6hdr( ipfw_insn *cmd, char *av)
211 {
212 int tok;
213 char *s = av;
214
215 cmd->arg1 = 0;
216 while(s) {
217 av = strsep( &s, ",") ;
218 tok = match_token(ext6hdrcodes, av);
219 switch (tok) {
220 case EXT_FRAGMENT:
221 cmd->arg1 |= EXT_FRAGMENT;
222 break;
223 case EXT_HOPOPTS:
224 cmd->arg1 |= EXT_HOPOPTS;
225 break;
226 case EXT_ROUTING:
227 cmd->arg1 |= EXT_ROUTING;
228 break;
229 case EXT_DSTOPTS:
230 cmd->arg1 |= EXT_DSTOPTS;
231 break;
232 case EXT_AH:
233 cmd->arg1 |= EXT_AH;
234 break;
235 case EXT_ESP:
236 cmd->arg1 |= EXT_ESP;
237 break;
238 case EXT_RTHDR0:
239 cmd->arg1 |= EXT_RTHDR0;
240 break;
241 case EXT_RTHDR2:
242 cmd->arg1 |= EXT_RTHDR2;
243 break;
244 default:
245 errx(EX_DATAERR,
246 "invalid option for ipv6 exten header");
247 break;
248 }
249 }
250 if (cmd->arg1 == 0)
251 return (0);
252 cmd->opcode = O_EXT_HDR;
253 cmd->len |= F_INSN_SIZE(ipfw_insn);
254 return (1);
255 }
256
257 void
print_ext6hdr(struct buf_pr * bp,const ipfw_insn * cmd)258 print_ext6hdr(struct buf_pr *bp, const ipfw_insn *cmd )
259 {
260 char sep = ' ';
261
262 bprintf(bp, " extension header:");
263 if (cmd->arg1 & EXT_FRAGMENT) {
264 bprintf(bp, "%cfragmentation", sep);
265 sep = ',';
266 }
267 if (cmd->arg1 & EXT_HOPOPTS) {
268 bprintf(bp, "%chop options", sep);
269 sep = ',';
270 }
271 if (cmd->arg1 & EXT_ROUTING) {
272 bprintf(bp, "%crouting options", sep);
273 sep = ',';
274 }
275 if (cmd->arg1 & EXT_RTHDR0) {
276 bprintf(bp, "%crthdr0", sep);
277 sep = ',';
278 }
279 if (cmd->arg1 & EXT_RTHDR2) {
280 bprintf(bp, "%crthdr2", sep);
281 sep = ',';
282 }
283 if (cmd->arg1 & EXT_DSTOPTS) {
284 bprintf(bp, "%cdestination options", sep);
285 sep = ',';
286 }
287 if (cmd->arg1 & EXT_AH) {
288 bprintf(bp, "%cauthentication header", sep);
289 sep = ',';
290 }
291 if (cmd->arg1 & EXT_ESP) {
292 bprintf(bp, "%cencapsulated security payload", sep);
293 }
294 }
295
296 /* Try to find ipv6 address by hostname */
297 static int
lookup_host6(char * host,struct in6_addr * ip6addr)298 lookup_host6 (char *host, struct in6_addr *ip6addr)
299 {
300 struct hostent *he;
301
302 if (!inet_pton(AF_INET6, host, ip6addr)) {
303 if ((he = gethostbyname2(host, AF_INET6)) == NULL)
304 return(-1);
305 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
306 }
307 return (0);
308 }
309
310
311 /*
312 * fill the addr and mask fields in the instruction as appropriate from av.
313 * Update length as appropriate.
314 * The following formats are allowed:
315 * any matches any IP6. Actually returns an empty instruction.
316 * me returns O_IP6_*_ME
317 *
318 * 03f1::234:123:0342 single IP6 address
319 * 03f1::234:123:0342/24 address/masklen
320 * 03f1::234:123:0342/ffff::ffff:ffff address/mask
321 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address
322 *
323 * Set of address (as in ipv6) not supported because ipv6 address
324 * are typically random past the initial prefix.
325 * Return 1 on success, 0 on failure.
326 */
327 static int
fill_ip6(ipfw_insn_ip6 * cmd,char * av,int cblen,struct tidx * tstate)328 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
329 {
330 int len = 0;
331 struct in6_addr *d = &(cmd->addr6);
332 char *oav;
333 /*
334 * Needed for multiple address.
335 * Note d[1] points to struct in6_add r mask6 of cmd
336 */
337
338 cmd->o.len &= ~F_LEN_MASK; /* zero len */
339
340 if (strcmp(av, "any") == 0)
341 return (1);
342
343 /* Set the data for "me" opt */
344 if (strcmp(av, "me") == 0 || strcmp(av, "me6") == 0) {
345 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
346 return (1);
347 }
348
349 if (strncmp(av, "table(", 6) == 0) {
350 fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
351 return (1);
352 }
353
354 oav = av = strdup(av);
355 while (av) {
356 /*
357 * After the address we can have '/' indicating a mask,
358 * or ',' indicating another address follows.
359 */
360
361 char *p, *q;
362 int masklen;
363 char md = '\0';
364
365 CHECK_LENGTH(cblen,
366 1 + len + 2 * (int)F_INSN_SIZE(struct in6_addr));
367
368 if ((q = strchr(av, ',')) ) {
369 *q = '\0';
370 q++;
371 }
372
373 if ((p = strchr(av, '/')) ) {
374 md = *p; /* save the separator */
375 *p = '\0'; /* terminate address string */
376 p++; /* and skip past it */
377 }
378 /* now p points to NULL, mask or next entry */
379
380 /* lookup stores address in *d as a side effect */
381 if (lookup_host6(av, d) != 0) {
382 /* XXX: failed. Free memory and go */
383 errx(EX_DATAERR, "bad address \"%s\"", av);
384 }
385 /* next, look at the mask, if any */
386 if (md == '/' && strchr(p, ':')) {
387 if (!inet_pton(AF_INET6, p, &d[1]))
388 errx(EX_DATAERR, "bad mask \"%s\"", p);
389
390 masklen = contigmask((uint8_t *)&(d[1]), 128);
391 } else {
392 masklen = (md == '/') ? atoi(p) : 128;
393 if (masklen > 128 || masklen < 0)
394 errx(EX_DATAERR, "bad width \"%s\''", p);
395 else
396 n2mask(&d[1], masklen);
397 }
398
399 APPLY_MASK(d, &d[1]); /* mask base address with mask */
400
401 av = q;
402
403 /* Check this entry */
404 if (masklen == 0) {
405 /*
406 * 'any' turns the entire list into a NOP.
407 * 'not any' never matches, so it is removed from the
408 * list unless it is the only item, in which case we
409 * report an error.
410 */
411 if (cmd->o.len & F_NOT && av == NULL && len == 0)
412 errx(EX_DATAERR, "not any never matches");
413 continue;
414 }
415
416 /*
417 * A single IP can be stored alone
418 */
419 if (masklen == 128 && av == NULL && len == 0) {
420 len = F_INSN_SIZE(struct in6_addr);
421 break;
422 }
423
424 /* Update length and pointer to arguments */
425 len += F_INSN_SIZE(struct in6_addr)*2;
426 d += 2;
427 } /* end while */
428
429 /*
430 * Total length of the command, remember that 1 is the size of
431 * the base command.
432 */
433 if (len + 1 > F_LEN_MASK)
434 errx(EX_DATAERR, "address list too long");
435 cmd->o.len |= len+1;
436 free(oav);
437 return (1);
438 }
439
440 /*
441 * fills command for ipv6 flow-id filtering
442 * note that the 20 bit flow number is stored in a array of u_int32_t
443 * it's supported lists of flow-id, so in the o.arg1 we store how many
444 * additional flow-id we want to filter, the basic is 1
445 */
446 void
fill_flow6(ipfw_insn_u32 * cmd,char * av,int cblen)447 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)
448 {
449 u_int32_t type; /* Current flow number */
450 u_int16_t nflow = 0; /* Current flow index */
451 char *s = av;
452 cmd->d[0] = 0; /* Initializing the base number*/
453
454 while (s) {
455 CHECK_LENGTH(cblen,
456 (int)F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
457
458 av = strsep( &s, ",") ;
459 type = strtoul(av, &av, 0);
460 if (*av != ',' && *av != '\0')
461 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
462 if (type > 0xfffff)
463 errx(EX_DATAERR, "flow number out of range %s", av);
464 cmd->d[nflow] |= type;
465 nflow++;
466 }
467 if( nflow > 0 ) {
468 cmd->o.opcode = O_FLOW6ID;
469 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
470 cmd->o.arg1 = nflow;
471 }
472 else {
473 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
474 }
475 }
476
477 ipfw_insn *
add_srcip6(ipfw_insn * cmd,char * av,int cblen,struct tidx * tstate)478 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
479 {
480
481 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
482 if (cmd->opcode == O_IP_DST_SET) /* set */
483 cmd->opcode = O_IP_SRC_SET;
484 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
485 cmd->opcode = O_IP_SRC_LOOKUP;
486 else if (F_LEN(cmd) == 0) { /* any */
487 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
488 cmd->opcode = O_IP6_SRC_ME;
489 } else if (F_LEN(cmd) ==
490 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
491 /* single IP, no mask*/
492 cmd->opcode = O_IP6_SRC;
493 } else { /* addr/mask opt */
494 cmd->opcode = O_IP6_SRC_MASK;
495 }
496 return cmd;
497 }
498
499 ipfw_insn *
add_dstip6(ipfw_insn * cmd,char * av,int cblen,struct tidx * tstate)500 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
501 {
502
503 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
504 if (cmd->opcode == O_IP_DST_SET) /* set */
505 ;
506 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
507 ;
508 else if (F_LEN(cmd) == 0) { /* any */
509 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
510 cmd->opcode = O_IP6_DST_ME;
511 } else if (F_LEN(cmd) ==
512 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
513 /* single IP, no mask*/
514 cmd->opcode = O_IP6_DST;
515 } else { /* addr/mask opt */
516 cmd->opcode = O_IP6_DST_MASK;
517 }
518 return cmd;
519 }
520