1 /* 2 * Copyright (c) 2002-2003 Luigi Rizzo 3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp 4 * Copyright (c) 1994 Ugen J.S.Antsilevich 5 * 6 * Idea and grammar partially left from: 7 * Copyright (c) 1993 Daniel Boulet 8 * 9 * Redistribution and use in source forms, with and without modification, 10 * are permitted provided that this entire comment appears intact. 11 * 12 * Redistribution in binary form may occur without any restrictions. 13 * Obviously, it would be nice if you gave credit where credit is due 14 * but requiring it would be too onerous. 15 * 16 * This software is provided ``AS IS'' without any warranties of any kind. 17 * 18 * NEW command line interface for IP firewall facility 19 * 20 * $FreeBSD$ 21 * 22 * ipv6 support 23 */ 24 25 #include <sys/types.h> 26 #include <sys/socket.h> 27 28 #include "ipfw2.h" 29 30 #include <err.h> 31 #include <netdb.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <sysexits.h> 36 37 #include <net/if.h> 38 #include <netinet/in.h> 39 #include <netinet/in_systm.h> 40 #include <netinet/ip.h> 41 #include <netinet/icmp6.h> 42 #include <netinet/ip_fw.h> 43 #include <arpa/inet.h> 44 45 static struct _s_x icmp6codes[] = { 46 { "no-route", ICMP6_DST_UNREACH_NOROUTE }, 47 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN }, 48 { "address", ICMP6_DST_UNREACH_ADDR }, 49 { "port", ICMP6_DST_UNREACH_NOPORT }, 50 { NULL, 0 } 51 }; 52 53 void 54 fill_unreach6_code(u_short *codep, char *str) 55 { 56 int val; 57 char *s; 58 59 val = strtoul(str, &s, 0); 60 if (s == str || *s != '\0' || val >= 0x100) 61 val = match_token(icmp6codes, str); 62 if (val < 0) 63 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str); 64 *codep = val; 65 return; 66 } 67 68 void 69 print_unreach6_code(uint16_t code) 70 { 71 char const *s = match_value(icmp6codes, code); 72 73 if (s != NULL) 74 printf("unreach6 %s", s); 75 else 76 printf("unreach6 %u", code); 77 } 78 79 /* 80 * Print the ip address contained in a command. 81 */ 82 void 83 print_ip6(ipfw_insn_ip6 *cmd, char const *s) 84 { 85 struct hostent *he = NULL; 86 int len = F_LEN((ipfw_insn *) cmd) - 1; 87 struct in6_addr *a = &(cmd->addr6); 88 char trad[255]; 89 90 printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s); 91 92 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { 93 printf("me6"); 94 return; 95 } 96 if (cmd->o.opcode == O_IP6) { 97 printf(" ip6"); 98 return; 99 } 100 101 /* 102 * len == 4 indicates a single IP, whereas lists of 1 or more 103 * addr/mask pairs have len = (2n+1). We convert len to n so we 104 * use that to count the number of entries. 105 */ 106 107 for (len = len / 4; len > 0; len -= 2, a += 2) { 108 int mb = /* mask length */ 109 (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ? 110 128 : contigmask((uint8_t *)&(a[1]), 128); 111 112 if (mb == 128 && co.do_resolv) 113 he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6); 114 if (he != NULL) /* resolved to name */ 115 printf("%s", he->h_name); 116 else if (mb == 0) /* any */ 117 printf("any"); 118 else { /* numeric IP followed by some kind of mask */ 119 if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL) 120 printf("Error ntop in print_ip6\n"); 121 printf("%s", trad ); 122 if (mb < 0) /* XXX not really legal... */ 123 printf(":%s", 124 inet_ntop(AF_INET6, &a[1], trad, sizeof(trad))); 125 else if (mb < 128) 126 printf("/%d", mb); 127 } 128 if (len > 2) 129 printf(","); 130 } 131 } 132 133 void 134 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av) 135 { 136 uint8_t type; 137 138 bzero(cmd, sizeof(*cmd)); 139 while (*av) { 140 if (*av == ',') 141 av++; 142 type = strtoul(av, &av, 0); 143 if (*av != ',' && *av != '\0') 144 errx(EX_DATAERR, "invalid ICMP6 type"); 145 /* 146 * XXX: shouldn't this be 0xFF? I can't see any reason why 147 * we shouldn't be able to filter all possiable values 148 * regardless of the ability of the rest of the kernel to do 149 * anything useful with them. 150 */ 151 if (type > ICMP6_MAXTYPE) 152 errx(EX_DATAERR, "ICMP6 type out of range"); 153 cmd->d[type / 32] |= ( 1 << (type % 32)); 154 } 155 cmd->o.opcode = O_ICMP6TYPE; 156 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6); 157 } 158 159 160 void 161 print_icmp6types(ipfw_insn_u32 *cmd) 162 { 163 int i, j; 164 char sep= ' '; 165 166 printf(" ip6 icmp6types"); 167 for (i = 0; i < 7; i++) 168 for (j=0; j < 32; ++j) { 169 if ( (cmd->d[i] & (1 << (j))) == 0) 170 continue; 171 printf("%c%d", sep, (i*32 + j)); 172 sep = ','; 173 } 174 } 175 176 void 177 print_flow6id( ipfw_insn_u32 *cmd) 178 { 179 uint16_t i, limit = cmd->o.arg1; 180 char sep = ','; 181 182 printf(" flow-id "); 183 for( i=0; i < limit; ++i) { 184 if (i == limit - 1) 185 sep = ' '; 186 printf("%d%c", cmd->d[i], sep); 187 } 188 } 189 190 /* structure and define for the extension header in ipv6 */ 191 static struct _s_x ext6hdrcodes[] = { 192 { "frag", EXT_FRAGMENT }, 193 { "hopopt", EXT_HOPOPTS }, 194 { "route", EXT_ROUTING }, 195 { "dstopt", EXT_DSTOPTS }, 196 { "ah", EXT_AH }, 197 { "esp", EXT_ESP }, 198 { "rthdr0", EXT_RTHDR0 }, 199 { "rthdr2", EXT_RTHDR2 }, 200 { NULL, 0 } 201 }; 202 203 /* fills command for the extension header filtering */ 204 int 205 fill_ext6hdr( ipfw_insn *cmd, char *av) 206 { 207 int tok; 208 char *s = av; 209 210 cmd->arg1 = 0; 211 212 while(s) { 213 av = strsep( &s, ",") ; 214 tok = match_token(ext6hdrcodes, av); 215 switch (tok) { 216 case EXT_FRAGMENT: 217 cmd->arg1 |= EXT_FRAGMENT; 218 break; 219 220 case EXT_HOPOPTS: 221 cmd->arg1 |= EXT_HOPOPTS; 222 break; 223 224 case EXT_ROUTING: 225 cmd->arg1 |= EXT_ROUTING; 226 break; 227 228 case EXT_DSTOPTS: 229 cmd->arg1 |= EXT_DSTOPTS; 230 break; 231 232 case EXT_AH: 233 cmd->arg1 |= EXT_AH; 234 break; 235 236 case EXT_ESP: 237 cmd->arg1 |= EXT_ESP; 238 break; 239 240 case EXT_RTHDR0: 241 cmd->arg1 |= EXT_RTHDR0; 242 break; 243 244 case EXT_RTHDR2: 245 cmd->arg1 |= EXT_RTHDR2; 246 break; 247 248 default: 249 errx( EX_DATAERR, "invalid option for ipv6 exten header" ); 250 break; 251 } 252 } 253 if (cmd->arg1 == 0 ) 254 return 0; 255 cmd->opcode = O_EXT_HDR; 256 cmd->len |= F_INSN_SIZE( ipfw_insn ); 257 return 1; 258 } 259 260 void 261 print_ext6hdr( ipfw_insn *cmd ) 262 { 263 char sep = ' '; 264 265 printf(" extension header:"); 266 if (cmd->arg1 & EXT_FRAGMENT ) { 267 printf("%cfragmentation", sep); 268 sep = ','; 269 } 270 if (cmd->arg1 & EXT_HOPOPTS ) { 271 printf("%chop options", sep); 272 sep = ','; 273 } 274 if (cmd->arg1 & EXT_ROUTING ) { 275 printf("%crouting options", sep); 276 sep = ','; 277 } 278 if (cmd->arg1 & EXT_RTHDR0 ) { 279 printf("%crthdr0", sep); 280 sep = ','; 281 } 282 if (cmd->arg1 & EXT_RTHDR2 ) { 283 printf("%crthdr2", sep); 284 sep = ','; 285 } 286 if (cmd->arg1 & EXT_DSTOPTS ) { 287 printf("%cdestination options", sep); 288 sep = ','; 289 } 290 if (cmd->arg1 & EXT_AH ) { 291 printf("%cauthentication header", sep); 292 sep = ','; 293 } 294 if (cmd->arg1 & EXT_ESP ) { 295 printf("%cencapsulated security payload", sep); 296 } 297 } 298 299 /* Try to find ipv6 address by hostname */ 300 static int 301 lookup_host6 (char *host, struct in6_addr *ip6addr) 302 { 303 struct hostent *he; 304 305 if (!inet_pton(AF_INET6, host, ip6addr)) { 306 if ((he = gethostbyname2(host, AF_INET6)) == NULL) 307 return(-1); 308 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); 309 } 310 return(0); 311 } 312 313 314 /* 315 * fill the addr and mask fields in the instruction as appropriate from av. 316 * Update length as appropriate. 317 * The following formats are allowed: 318 * any matches any IP6. Actually returns an empty instruction. 319 * me returns O_IP6_*_ME 320 * 321 * 03f1::234:123:0342 single IP6 addres 322 * 03f1::234:123:0342/24 address/mask 323 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address 324 * 325 * Set of address (as in ipv6) not supported because ipv6 address 326 * are typically random past the initial prefix. 327 * Return 1 on success, 0 on failure. 328 */ 329 static int 330 fill_ip6(ipfw_insn_ip6 *cmd, char *av) 331 { 332 int len = 0; 333 struct in6_addr *d = &(cmd->addr6); 334 /* 335 * Needed for multiple address. 336 * Note d[1] points to struct in6_add r mask6 of cmd 337 */ 338 339 cmd->o.len &= ~F_LEN_MASK; /* zero len */ 340 341 if (strcmp(av, "any") == 0) 342 return (1); 343 344 345 if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/ 346 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 347 return (1); 348 } 349 350 if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/ 351 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 352 return (1); 353 } 354 355 if (strncmp(av, "table(", 6) == 0) { 356 char *p = strchr(av + 6, ','); 357 uint32_t *dm = ((ipfw_insn_u32 *)cmd)->d; 358 359 if (p) 360 *p++ = '\0'; 361 cmd->o.opcode = O_IP_DST_LOOKUP; 362 cmd->o.arg1 = strtoul(av + 6, NULL, 0); 363 if (p) { 364 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32); 365 dm[0] = strtoul(p, NULL, 0); 366 } else 367 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 368 return (1); 369 } 370 371 av = strdup(av); 372 while (av) { 373 /* 374 * After the address we can have '/' indicating a mask, 375 * or ',' indicating another address follows. 376 */ 377 378 char *p; 379 int masklen; 380 char md = '\0'; 381 382 if ((p = strpbrk(av, "/,")) ) { 383 md = *p; /* save the separator */ 384 *p = '\0'; /* terminate address string */ 385 p++; /* and skip past it */ 386 } 387 /* now p points to NULL, mask or next entry */ 388 389 /* lookup stores address in *d as a side effect */ 390 if (lookup_host6(av, d) != 0) { 391 /* XXX: failed. Free memory and go */ 392 errx(EX_DATAERR, "bad address \"%s\"", av); 393 } 394 /* next, look at the mask, if any */ 395 masklen = (md == '/') ? atoi(p) : 128; 396 if (masklen > 128 || masklen < 0) 397 errx(EX_DATAERR, "bad width \"%s\''", p); 398 else 399 n2mask(&d[1], masklen); 400 401 APPLY_MASK(d, &d[1]) /* mask base address with mask */ 402 403 /* find next separator */ 404 405 if (md == '/') { /* find separator past the mask */ 406 p = strpbrk(p, ","); 407 if (p != NULL) 408 p++; 409 } 410 av = p; 411 412 /* Check this entry */ 413 if (masklen == 0) { 414 /* 415 * 'any' turns the entire list into a NOP. 416 * 'not any' never matches, so it is removed from the 417 * list unless it is the only item, in which case we 418 * report an error. 419 */ 420 if (cmd->o.len & F_NOT && av == NULL && len == 0) 421 errx(EX_DATAERR, "not any never matches"); 422 continue; 423 } 424 425 /* 426 * A single IP can be stored alone 427 */ 428 if (masklen == 128 && av == NULL && len == 0) { 429 len = F_INSN_SIZE(struct in6_addr); 430 break; 431 } 432 433 /* Update length and pointer to arguments */ 434 len += F_INSN_SIZE(struct in6_addr)*2; 435 d += 2; 436 } /* end while */ 437 438 /* 439 * Total length of the command, remember that 1 is the size of 440 * the base command. 441 */ 442 if (len + 1 > F_LEN_MASK) 443 errx(EX_DATAERR, "address list too long"); 444 cmd->o.len |= len+1; 445 free(av); 446 return (1); 447 } 448 449 /* 450 * fills command for ipv6 flow-id filtering 451 * note that the 20 bit flow number is stored in a array of u_int32_t 452 * it's supported lists of flow-id, so in the o.arg1 we store how many 453 * additional flow-id we want to filter, the basic is 1 454 */ 455 void 456 fill_flow6( ipfw_insn_u32 *cmd, char *av ) 457 { 458 u_int32_t type; /* Current flow number */ 459 u_int16_t nflow = 0; /* Current flow index */ 460 char *s = av; 461 cmd->d[0] = 0; /* Initializing the base number*/ 462 463 while (s) { 464 av = strsep( &s, ",") ; 465 type = strtoul(av, &av, 0); 466 if (*av != ',' && *av != '\0') 467 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 468 if (type > 0xfffff) 469 errx(EX_DATAERR, "flow number out of range %s", av); 470 cmd->d[nflow] |= type; 471 nflow++; 472 } 473 if( nflow > 0 ) { 474 cmd->o.opcode = O_FLOW6ID; 475 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow; 476 cmd->o.arg1 = nflow; 477 } 478 else { 479 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 480 } 481 } 482 483 ipfw_insn * 484 add_srcip6(ipfw_insn *cmd, char *av) 485 { 486 487 fill_ip6((ipfw_insn_ip6 *)cmd, av); 488 if (cmd->opcode == O_IP_DST_SET) /* set */ 489 cmd->opcode = O_IP_SRC_SET; 490 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 491 cmd->opcode = O_IP_SRC_LOOKUP; 492 else if (F_LEN(cmd) == 0) { /* any */ 493 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 494 cmd->opcode = O_IP6_SRC_ME; 495 } else if (F_LEN(cmd) == 496 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 497 /* single IP, no mask*/ 498 cmd->opcode = O_IP6_SRC; 499 } else { /* addr/mask opt */ 500 cmd->opcode = O_IP6_SRC_MASK; 501 } 502 return cmd; 503 } 504 505 ipfw_insn * 506 add_dstip6(ipfw_insn *cmd, char *av) 507 { 508 509 fill_ip6((ipfw_insn_ip6 *)cmd, av); 510 if (cmd->opcode == O_IP_DST_SET) /* set */ 511 ; 512 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 513 ; 514 else if (F_LEN(cmd) == 0) { /* any */ 515 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 516 cmd->opcode = O_IP6_DST_ME; 517 } else if (F_LEN(cmd) == 518 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 519 /* single IP, no mask*/ 520 cmd->opcode = O_IP6_DST; 521 } else { /* addr/mask opt */ 522 cmd->opcode = O_IP6_DST_MASK; 523 } 524 return cmd; 525 } 526