1 /*- 2 * Copyright (c) 2002-2003 Luigi Rizzo 3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp 4 * Copyright (c) 1994 Ugen J.S.Antsilevich 5 * 6 * Idea and grammar partially left from: 7 * Copyright (c) 1993 Daniel Boulet 8 * 9 * Redistribution and use in source forms, with and without modification, 10 * are permitted provided that this entire comment appears intact. 11 * 12 * Redistribution in binary form may occur without any restrictions. 13 * Obviously, it would be nice if you gave credit where credit is due 14 * but requiring it would be too onerous. 15 * 16 * This software is provided ``AS IS'' without any warranties of any kind. 17 * 18 * NEW command line interface for IP firewall facility 19 * 20 * $FreeBSD$ 21 * 22 * ipv6 support 23 */ 24 25 #include <sys/types.h> 26 #include <sys/socket.h> 27 28 #include "ipfw2.h" 29 30 #include <err.h> 31 #include <netdb.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <sysexits.h> 36 37 #include <net/if.h> 38 #include <netinet/in.h> 39 #include <netinet/in_systm.h> 40 #include <netinet/ip.h> 41 #include <netinet/icmp6.h> 42 #include <netinet/ip_fw.h> 43 #include <arpa/inet.h> 44 45 #define CHECK_LENGTH(v, len) do { \ 46 if ((v) < (len)) \ 47 errx(EX_DATAERR, "Rule too long"); \ 48 } while (0) 49 50 static struct _s_x icmp6codes[] = { 51 { "no-route", ICMP6_DST_UNREACH_NOROUTE }, 52 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN }, 53 { "address", ICMP6_DST_UNREACH_ADDR }, 54 { "port", ICMP6_DST_UNREACH_NOPORT }, 55 { NULL, 0 } 56 }; 57 58 void 59 fill_unreach6_code(u_short *codep, char *str) 60 { 61 int val; 62 char *s; 63 64 val = strtoul(str, &s, 0); 65 if (s == str || *s != '\0' || val >= 0x100) 66 val = match_token(icmp6codes, str); 67 if (val < 0) 68 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str); 69 *codep = val; 70 return; 71 } 72 73 void 74 print_unreach6_code(struct buf_pr *bp, uint16_t code) 75 { 76 char const *s = match_value(icmp6codes, code); 77 78 if (s != NULL) 79 bprintf(bp, "unreach6 %s", s); 80 else 81 bprintf(bp, "unreach6 %u", code); 82 } 83 84 /* 85 * Print the ip address contained in a command. 86 */ 87 void 88 print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd) 89 { 90 char trad[255]; 91 struct hostent *he = NULL; 92 struct in6_addr *a = &(cmd->addr6); 93 int len, mb; 94 95 len = F_LEN((ipfw_insn *) cmd) - 1; 96 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { 97 bprintf(bp, " me6"); 98 return; 99 } 100 if (cmd->o.opcode == O_IP6) { 101 bprintf(bp, " ip6"); 102 return; 103 } 104 105 /* 106 * len == 4 indicates a single IP, whereas lists of 1 or more 107 * addr/mask pairs have len = (2n+1). We convert len to n so we 108 * use that to count the number of entries. 109 */ 110 bprintf(bp, " "); 111 for (len = len / 4; len > 0; len -= 2, a += 2) { 112 /* mask length */ 113 mb = (cmd->o.opcode == O_IP6_SRC || 114 cmd->o.opcode == O_IP6_DST) ? 128: 115 contigmask((uint8_t *)&(a[1]), 128); 116 117 if (mb == 128 && co.do_resolv) 118 he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6); 119 120 if (he != NULL) /* resolved to name */ 121 bprintf(bp, "%s", he->h_name); 122 else if (mb == 0) /* any */ 123 bprintf(bp, "any"); 124 else { /* numeric IP followed by some kind of mask */ 125 if (inet_ntop(AF_INET6, a, trad, 126 sizeof(trad)) == NULL) 127 bprintf(bp, "Error ntop in print_ip6\n"); 128 bprintf(bp, "%s", trad ); 129 if (mb < 0) /* mask not contiguous */ 130 bprintf(bp, "/%s", inet_ntop(AF_INET6, &a[1], 131 trad, sizeof(trad))); 132 else if (mb < 128) 133 bprintf(bp, "/%d", mb); 134 } 135 if (len > 2) 136 bprintf(bp, ","); 137 } 138 } 139 140 void 141 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen) 142 { 143 uint8_t type; 144 145 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6)); 146 while (*av) { 147 if (*av == ',') 148 av++; 149 type = strtoul(av, &av, 0); 150 if (*av != ',' && *av != '\0') 151 errx(EX_DATAERR, "invalid ICMP6 type"); 152 /* 153 * XXX: shouldn't this be 0xFF? I can't see any reason why 154 * we shouldn't be able to filter all possiable values 155 * regardless of the ability of the rest of the kernel to do 156 * anything useful with them. 157 */ 158 if (type > ICMP6_MAXTYPE) 159 errx(EX_DATAERR, "ICMP6 type out of range"); 160 cmd->d[type / 32] |= ( 1 << (type % 32)); 161 } 162 cmd->o.opcode = O_ICMP6TYPE; 163 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6); 164 } 165 166 void 167 print_icmp6types(struct buf_pr *bp, ipfw_insn_u32 *cmd) 168 { 169 int i, j; 170 char sep= ' '; 171 172 bprintf(bp, " icmp6types"); 173 for (i = 0; i < 7; i++) 174 for (j=0; j < 32; ++j) { 175 if ( (cmd->d[i] & (1 << (j))) == 0) 176 continue; 177 bprintf(bp, "%c%d", sep, (i*32 + j)); 178 sep = ','; 179 } 180 } 181 182 void 183 print_flow6id(struct buf_pr *bp, ipfw_insn_u32 *cmd) 184 { 185 uint16_t i, limit = cmd->o.arg1; 186 char sep = ','; 187 188 bprintf(bp, " flow-id "); 189 for( i=0; i < limit; ++i) { 190 if (i == limit - 1) 191 sep = ' '; 192 bprintf(bp, "%d%c", cmd->d[i], sep); 193 } 194 } 195 196 /* structure and define for the extension header in ipv6 */ 197 static struct _s_x ext6hdrcodes[] = { 198 { "frag", EXT_FRAGMENT }, 199 { "hopopt", EXT_HOPOPTS }, 200 { "route", EXT_ROUTING }, 201 { "dstopt", EXT_DSTOPTS }, 202 { "ah", EXT_AH }, 203 { "esp", EXT_ESP }, 204 { "rthdr0", EXT_RTHDR0 }, 205 { "rthdr2", EXT_RTHDR2 }, 206 { NULL, 0 } 207 }; 208 209 /* fills command for the extension header filtering */ 210 int 211 fill_ext6hdr( ipfw_insn *cmd, char *av) 212 { 213 int tok; 214 char *s = av; 215 216 cmd->arg1 = 0; 217 while(s) { 218 av = strsep( &s, ",") ; 219 tok = match_token(ext6hdrcodes, av); 220 switch (tok) { 221 case EXT_FRAGMENT: 222 cmd->arg1 |= EXT_FRAGMENT; 223 break; 224 case EXT_HOPOPTS: 225 cmd->arg1 |= EXT_HOPOPTS; 226 break; 227 case EXT_ROUTING: 228 cmd->arg1 |= EXT_ROUTING; 229 break; 230 case EXT_DSTOPTS: 231 cmd->arg1 |= EXT_DSTOPTS; 232 break; 233 case EXT_AH: 234 cmd->arg1 |= EXT_AH; 235 break; 236 case EXT_ESP: 237 cmd->arg1 |= EXT_ESP; 238 break; 239 case EXT_RTHDR0: 240 cmd->arg1 |= EXT_RTHDR0; 241 break; 242 case EXT_RTHDR2: 243 cmd->arg1 |= EXT_RTHDR2; 244 break; 245 default: 246 errx(EX_DATAERR, 247 "invalid option for ipv6 exten header"); 248 break; 249 } 250 } 251 if (cmd->arg1 == 0) 252 return (0); 253 cmd->opcode = O_EXT_HDR; 254 cmd->len |= F_INSN_SIZE(ipfw_insn); 255 return (1); 256 } 257 258 void 259 print_ext6hdr(struct buf_pr *bp, ipfw_insn *cmd ) 260 { 261 char sep = ' '; 262 263 bprintf(bp, " extension header:"); 264 if (cmd->arg1 & EXT_FRAGMENT) { 265 bprintf(bp, "%cfragmentation", sep); 266 sep = ','; 267 } 268 if (cmd->arg1 & EXT_HOPOPTS) { 269 bprintf(bp, "%chop options", sep); 270 sep = ','; 271 } 272 if (cmd->arg1 & EXT_ROUTING) { 273 bprintf(bp, "%crouting options", sep); 274 sep = ','; 275 } 276 if (cmd->arg1 & EXT_RTHDR0) { 277 bprintf(bp, "%crthdr0", sep); 278 sep = ','; 279 } 280 if (cmd->arg1 & EXT_RTHDR2) { 281 bprintf(bp, "%crthdr2", sep); 282 sep = ','; 283 } 284 if (cmd->arg1 & EXT_DSTOPTS) { 285 bprintf(bp, "%cdestination options", sep); 286 sep = ','; 287 } 288 if (cmd->arg1 & EXT_AH) { 289 bprintf(bp, "%cauthentication header", sep); 290 sep = ','; 291 } 292 if (cmd->arg1 & EXT_ESP) { 293 bprintf(bp, "%cencapsulated security payload", sep); 294 } 295 } 296 297 /* Try to find ipv6 address by hostname */ 298 static int 299 lookup_host6 (char *host, struct in6_addr *ip6addr) 300 { 301 struct hostent *he; 302 303 if (!inet_pton(AF_INET6, host, ip6addr)) { 304 if ((he = gethostbyname2(host, AF_INET6)) == NULL) 305 return(-1); 306 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); 307 } 308 return (0); 309 } 310 311 312 /* 313 * fill the addr and mask fields in the instruction as appropriate from av. 314 * Update length as appropriate. 315 * The following formats are allowed: 316 * any matches any IP6. Actually returns an empty instruction. 317 * me returns O_IP6_*_ME 318 * 319 * 03f1::234:123:0342 single IP6 address 320 * 03f1::234:123:0342/24 address/masklen 321 * 03f1::234:123:0342/ffff::ffff:ffff address/mask 322 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address 323 * 324 * Set of address (as in ipv6) not supported because ipv6 address 325 * are typically random past the initial prefix. 326 * Return 1 on success, 0 on failure. 327 */ 328 static int 329 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate) 330 { 331 int len = 0; 332 struct in6_addr *d = &(cmd->addr6); 333 char *oav; 334 /* 335 * Needed for multiple address. 336 * Note d[1] points to struct in6_add r mask6 of cmd 337 */ 338 339 cmd->o.len &= ~F_LEN_MASK; /* zero len */ 340 341 if (strcmp(av, "any") == 0) 342 return (1); 343 344 345 if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/ 346 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 347 return (1); 348 } 349 350 if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/ 351 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 352 return (1); 353 } 354 355 if (strncmp(av, "table(", 6) == 0) { 356 fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate); 357 return (1); 358 } 359 360 oav = av = strdup(av); 361 while (av) { 362 /* 363 * After the address we can have '/' indicating a mask, 364 * or ',' indicating another address follows. 365 */ 366 367 char *p, *q; 368 int masklen; 369 char md = '\0'; 370 371 CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr)); 372 373 if ((q = strchr(av, ',')) ) { 374 *q = '\0'; 375 q++; 376 } 377 378 if ((p = strchr(av, '/')) ) { 379 md = *p; /* save the separator */ 380 *p = '\0'; /* terminate address string */ 381 p++; /* and skip past it */ 382 } 383 /* now p points to NULL, mask or next entry */ 384 385 /* lookup stores address in *d as a side effect */ 386 if (lookup_host6(av, d) != 0) { 387 /* XXX: failed. Free memory and go */ 388 errx(EX_DATAERR, "bad address \"%s\"", av); 389 } 390 /* next, look at the mask, if any */ 391 if (md == '/' && strchr(p, ':')) { 392 if (!inet_pton(AF_INET6, p, &d[1])) 393 errx(EX_DATAERR, "bad mask \"%s\"", p); 394 395 masklen = contigmask((uint8_t *)&(d[1]), 128); 396 } else { 397 masklen = (md == '/') ? atoi(p) : 128; 398 if (masklen > 128 || masklen < 0) 399 errx(EX_DATAERR, "bad width \"%s\''", p); 400 else 401 n2mask(&d[1], masklen); 402 } 403 404 APPLY_MASK(d, &d[1]); /* mask base address with mask */ 405 406 av = q; 407 408 /* Check this entry */ 409 if (masklen == 0) { 410 /* 411 * 'any' turns the entire list into a NOP. 412 * 'not any' never matches, so it is removed from the 413 * list unless it is the only item, in which case we 414 * report an error. 415 */ 416 if (cmd->o.len & F_NOT && av == NULL && len == 0) 417 errx(EX_DATAERR, "not any never matches"); 418 continue; 419 } 420 421 /* 422 * A single IP can be stored alone 423 */ 424 if (masklen == 128 && av == NULL && len == 0) { 425 len = F_INSN_SIZE(struct in6_addr); 426 break; 427 } 428 429 /* Update length and pointer to arguments */ 430 len += F_INSN_SIZE(struct in6_addr)*2; 431 d += 2; 432 } /* end while */ 433 434 /* 435 * Total length of the command, remember that 1 is the size of 436 * the base command. 437 */ 438 if (len + 1 > F_LEN_MASK) 439 errx(EX_DATAERR, "address list too long"); 440 cmd->o.len |= len+1; 441 free(oav); 442 return (1); 443 } 444 445 /* 446 * fills command for ipv6 flow-id filtering 447 * note that the 20 bit flow number is stored in a array of u_int32_t 448 * it's supported lists of flow-id, so in the o.arg1 we store how many 449 * additional flow-id we want to filter, the basic is 1 450 */ 451 void 452 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen) 453 { 454 u_int32_t type; /* Current flow number */ 455 u_int16_t nflow = 0; /* Current flow index */ 456 char *s = av; 457 cmd->d[0] = 0; /* Initializing the base number*/ 458 459 while (s) { 460 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_u32) + nflow + 1); 461 462 av = strsep( &s, ",") ; 463 type = strtoul(av, &av, 0); 464 if (*av != ',' && *av != '\0') 465 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 466 if (type > 0xfffff) 467 errx(EX_DATAERR, "flow number out of range %s", av); 468 cmd->d[nflow] |= type; 469 nflow++; 470 } 471 if( nflow > 0 ) { 472 cmd->o.opcode = O_FLOW6ID; 473 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow; 474 cmd->o.arg1 = nflow; 475 } 476 else { 477 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 478 } 479 } 480 481 ipfw_insn * 482 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate) 483 { 484 485 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate); 486 if (cmd->opcode == O_IP_DST_SET) /* set */ 487 cmd->opcode = O_IP_SRC_SET; 488 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 489 cmd->opcode = O_IP_SRC_LOOKUP; 490 else if (F_LEN(cmd) == 0) { /* any */ 491 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 492 cmd->opcode = O_IP6_SRC_ME; 493 } else if (F_LEN(cmd) == 494 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 495 /* single IP, no mask*/ 496 cmd->opcode = O_IP6_SRC; 497 } else { /* addr/mask opt */ 498 cmd->opcode = O_IP6_SRC_MASK; 499 } 500 return cmd; 501 } 502 503 ipfw_insn * 504 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate) 505 { 506 507 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate); 508 if (cmd->opcode == O_IP_DST_SET) /* set */ 509 ; 510 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 511 ; 512 else if (F_LEN(cmd) == 0) { /* any */ 513 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 514 cmd->opcode = O_IP6_DST_ME; 515 } else if (F_LEN(cmd) == 516 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 517 /* single IP, no mask*/ 518 cmd->opcode = O_IP6_DST; 519 } else { /* addr/mask opt */ 520 cmd->opcode = O_IP6_DST_MASK; 521 } 522 return cmd; 523 } 524