1 /*- 2 * Copyright (c) 2002-2003 Luigi Rizzo 3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp 4 * Copyright (c) 1994 Ugen J.S.Antsilevich 5 * 6 * Idea and grammar partially left from: 7 * Copyright (c) 1993 Daniel Boulet 8 * 9 * Redistribution and use in source forms, with and without modification, 10 * are permitted provided that this entire comment appears intact. 11 * 12 * Redistribution in binary form may occur without any restrictions. 13 * Obviously, it would be nice if you gave credit where credit is due 14 * but requiring it would be too onerous. 15 * 16 * This software is provided ``AS IS'' without any warranties of any kind. 17 * 18 * NEW command line interface for IP firewall facility 19 * 20 * ipv6 support 21 */ 22 23 #include <sys/types.h> 24 #include <sys/socket.h> 25 26 #include "ipfw2.h" 27 28 #include <err.h> 29 #include <netdb.h> 30 #include <stdio.h> 31 #include <stdlib.h> 32 #include <string.h> 33 #include <sysexits.h> 34 35 #include <net/if.h> 36 #include <netinet/in.h> 37 #include <netinet/in_systm.h> 38 #include <netinet/ip.h> 39 #include <netinet/icmp6.h> 40 #include <netinet/ip_fw.h> 41 #include <arpa/inet.h> 42 43 #define CHECK_LENGTH(v, len) do { \ 44 if ((v) < (len)) \ 45 errx(EX_DATAERR, "Rule too long"); \ 46 } while (0) 47 48 static struct _s_x icmp6codes[] = { 49 { "no-route", ICMP6_DST_UNREACH_NOROUTE }, 50 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN }, 51 { "address", ICMP6_DST_UNREACH_ADDR }, 52 { "port", ICMP6_DST_UNREACH_NOPORT }, 53 { NULL, 0 } 54 }; 55 56 uint16_t 57 get_unreach6_code(const char *str) 58 { 59 int val; 60 char *s; 61 62 val = strtoul(str, &s, 0); 63 if (s == str || *s != '\0' || val >= 0x100) 64 val = match_token(icmp6codes, str); 65 if (val < 0) 66 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str); 67 return (val); 68 } 69 70 void 71 print_unreach6_code(struct buf_pr *bp, uint16_t code) 72 { 73 char const *s = match_value(icmp6codes, code); 74 75 if (s != NULL) 76 bprintf(bp, "unreach6 %s", s); 77 else 78 bprintf(bp, "unreach6 %u", code); 79 } 80 81 /* 82 * Print the ip address contained in a command. 83 */ 84 void 85 print_ip6(struct buf_pr *bp, const ipfw_insn_ip6 *cmd) 86 { 87 char trad[255]; 88 struct hostent *he = NULL; 89 const struct in6_addr *a = &(cmd->addr6); 90 int len, mb; 91 92 len = F_LEN((const ipfw_insn *)cmd) - 1; 93 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { 94 bprintf(bp, " me6"); 95 return; 96 } 97 if (cmd->o.opcode == O_IP6) { 98 bprintf(bp, " ip6"); 99 return; 100 } 101 102 /* 103 * len == 4 indicates a single IP, whereas lists of 1 or more 104 * addr/mask pairs have len = (2n+1). We convert len to n so we 105 * use that to count the number of entries. 106 */ 107 bprintf(bp, " "); 108 for (len = len / 4; len > 0; len -= 2, a += 2) { 109 /* mask length */ 110 mb = (cmd->o.opcode == O_IP6_SRC || 111 cmd->o.opcode == O_IP6_DST) ? 128: 112 contigmask((const uint8_t *)&(a[1]), 128); 113 114 if (mb == 128 && g_co.do_resolv) 115 he = gethostbyaddr((const char *)a, sizeof(*a), 116 AF_INET6); 117 118 if (he != NULL) /* resolved to name */ 119 bprintf(bp, "%s", he->h_name); 120 else if (mb == 0) /* any */ 121 bprintf(bp, "any"); 122 else { /* numeric IP followed by some kind of mask */ 123 if (inet_ntop(AF_INET6, a, trad, 124 sizeof(trad)) == NULL) 125 bprintf(bp, "Error ntop in print_ip6\n"); 126 bprintf(bp, "%s", trad ); 127 if (mb < 0) /* mask not contiguous */ 128 bprintf(bp, "/%s", inet_ntop(AF_INET6, &a[1], 129 trad, sizeof(trad))); 130 else if (mb < 128) 131 bprintf(bp, "/%d", mb); 132 } 133 if (len > 2) 134 bprintf(bp, ","); 135 } 136 } 137 138 void 139 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen) 140 { 141 uint8_t type; 142 143 CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn_icmp6)); 144 memset(cmd, 0, sizeof(*cmd)); 145 while (*av) { 146 if (*av == ',') 147 av++; 148 type = strtoul(av, &av, 0); 149 if (*av != ',' && *av != '\0') 150 errx(EX_DATAERR, "invalid ICMP6 type"); 151 /* 152 * XXX: shouldn't this be 0xFF? I can't see any reason why 153 * we shouldn't be able to filter all possiable values 154 * regardless of the ability of the rest of the kernel to do 155 * anything useful with them. 156 */ 157 if (type > ICMP6_MAXTYPE) 158 errx(EX_DATAERR, "ICMP6 type out of range"); 159 cmd->d[type / 32] |= ( 1 << (type % 32)); 160 } 161 cmd->o.opcode = O_ICMP6TYPE; 162 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6); 163 } 164 165 void 166 print_icmp6types(struct buf_pr *bp, const ipfw_insn_u32 *cmd) 167 { 168 int i, j; 169 char sep= ' '; 170 171 bprintf(bp, " icmp6types"); 172 for (i = 0; i < 7; i++) 173 for (j=0; j < 32; ++j) { 174 if ( (cmd->d[i] & (1 << (j))) == 0) 175 continue; 176 bprintf(bp, "%c%d", sep, (i*32 + j)); 177 sep = ','; 178 } 179 } 180 181 void 182 print_flow6id(struct buf_pr *bp, const ipfw_insn_u32 *cmd) 183 { 184 uint16_t i, limit = cmd->o.arg1; 185 char sep = ','; 186 187 bprintf(bp, " flow-id "); 188 for( i=0; i < limit; ++i) { 189 if (i == limit - 1) 190 sep = ' '; 191 bprintf(bp, "%d%c", cmd->d[i], sep); 192 } 193 } 194 195 /* structure and define for the extension header in ipv6 */ 196 static struct _s_x ext6hdrcodes[] = { 197 { "frag", EXT_FRAGMENT }, 198 { "hopopt", EXT_HOPOPTS }, 199 { "route", EXT_ROUTING }, 200 { "dstopt", EXT_DSTOPTS }, 201 { "ah", EXT_AH }, 202 { "esp", EXT_ESP }, 203 { "rthdr0", EXT_RTHDR0 }, 204 { "rthdr2", EXT_RTHDR2 }, 205 { NULL, 0 } 206 }; 207 208 /* fills command for the extension header filtering */ 209 int 210 fill_ext6hdr( ipfw_insn *cmd, char *av) 211 { 212 int tok; 213 char *s = av; 214 215 cmd->arg1 = 0; 216 while(s) { 217 av = strsep( &s, ",") ; 218 tok = match_token(ext6hdrcodes, av); 219 switch (tok) { 220 case EXT_FRAGMENT: 221 cmd->arg1 |= EXT_FRAGMENT; 222 break; 223 case EXT_HOPOPTS: 224 cmd->arg1 |= EXT_HOPOPTS; 225 break; 226 case EXT_ROUTING: 227 cmd->arg1 |= EXT_ROUTING; 228 break; 229 case EXT_DSTOPTS: 230 cmd->arg1 |= EXT_DSTOPTS; 231 break; 232 case EXT_AH: 233 cmd->arg1 |= EXT_AH; 234 break; 235 case EXT_ESP: 236 cmd->arg1 |= EXT_ESP; 237 break; 238 case EXT_RTHDR0: 239 cmd->arg1 |= EXT_RTHDR0; 240 break; 241 case EXT_RTHDR2: 242 cmd->arg1 |= EXT_RTHDR2; 243 break; 244 default: 245 errx(EX_DATAERR, 246 "invalid option for ipv6 exten header"); 247 break; 248 } 249 } 250 if (cmd->arg1 == 0) 251 return (0); 252 cmd->opcode = O_EXT_HDR; 253 cmd->len |= F_INSN_SIZE(ipfw_insn); 254 return (1); 255 } 256 257 void 258 print_ext6hdr(struct buf_pr *bp, const ipfw_insn *cmd ) 259 { 260 char sep = ' '; 261 262 bprintf(bp, " extension header:"); 263 if (cmd->arg1 & EXT_FRAGMENT) { 264 bprintf(bp, "%cfragmentation", sep); 265 sep = ','; 266 } 267 if (cmd->arg1 & EXT_HOPOPTS) { 268 bprintf(bp, "%chop options", sep); 269 sep = ','; 270 } 271 if (cmd->arg1 & EXT_ROUTING) { 272 bprintf(bp, "%crouting options", sep); 273 sep = ','; 274 } 275 if (cmd->arg1 & EXT_RTHDR0) { 276 bprintf(bp, "%crthdr0", sep); 277 sep = ','; 278 } 279 if (cmd->arg1 & EXT_RTHDR2) { 280 bprintf(bp, "%crthdr2", sep); 281 sep = ','; 282 } 283 if (cmd->arg1 & EXT_DSTOPTS) { 284 bprintf(bp, "%cdestination options", sep); 285 sep = ','; 286 } 287 if (cmd->arg1 & EXT_AH) { 288 bprintf(bp, "%cauthentication header", sep); 289 sep = ','; 290 } 291 if (cmd->arg1 & EXT_ESP) { 292 bprintf(bp, "%cencapsulated security payload", sep); 293 } 294 } 295 296 /* Try to find ipv6 address by hostname */ 297 static int 298 lookup_host6 (char *host, struct in6_addr *ip6addr) 299 { 300 struct hostent *he; 301 302 if (!inet_pton(AF_INET6, host, ip6addr)) { 303 if ((he = gethostbyname2(host, AF_INET6)) == NULL) 304 return(-1); 305 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); 306 } 307 return (0); 308 } 309 310 311 /* 312 * fill the addr and mask fields in the instruction as appropriate from av. 313 * Update length as appropriate. 314 * The following formats are allowed: 315 * any matches any IP6. Actually returns an empty instruction. 316 * me returns O_IP6_*_ME 317 * 318 * 03f1::234:123:0342 single IP6 address 319 * 03f1::234:123:0342/24 address/masklen 320 * 03f1::234:123:0342/ffff::ffff:ffff address/mask 321 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address 322 * 323 * Set of address (as in ipv6) not supported because ipv6 address 324 * are typically random past the initial prefix. 325 * Return 1 on success, 0 on failure. 326 */ 327 static int 328 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate) 329 { 330 int len = 0; 331 struct in6_addr *d = &(cmd->addr6); 332 char *oav; 333 /* 334 * Needed for multiple address. 335 * Note d[1] points to struct in6_add r mask6 of cmd 336 */ 337 338 cmd->o.len &= ~F_LEN_MASK; /* zero len */ 339 340 if (strcmp(av, "any") == 0) 341 return (1); 342 343 /* Set the data for "me" opt */ 344 if (strcmp(av, "me") == 0 || strcmp(av, "me6") == 0) { 345 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 346 return (1); 347 } 348 349 if (strncmp(av, "table(", 6) == 0) { 350 fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate); 351 return (1); 352 } 353 354 oav = av = strdup(av); 355 while (av) { 356 /* 357 * After the address we can have '/' indicating a mask, 358 * or ',' indicating another address follows. 359 */ 360 361 char *p, *q; 362 int masklen; 363 char md = '\0'; 364 365 CHECK_LENGTH(cblen, 366 1 + len + 2 * (int)F_INSN_SIZE(struct in6_addr)); 367 368 if ((q = strchr(av, ',')) ) { 369 *q = '\0'; 370 q++; 371 } 372 373 if ((p = strchr(av, '/')) ) { 374 md = *p; /* save the separator */ 375 *p = '\0'; /* terminate address string */ 376 p++; /* and skip past it */ 377 } 378 /* now p points to NULL, mask or next entry */ 379 380 /* lookup stores address in *d as a side effect */ 381 if (lookup_host6(av, d) != 0) { 382 /* XXX: failed. Free memory and go */ 383 errx(EX_DATAERR, "bad address \"%s\"", av); 384 } 385 /* next, look at the mask, if any */ 386 if (md == '/' && strchr(p, ':')) { 387 if (!inet_pton(AF_INET6, p, &d[1])) 388 errx(EX_DATAERR, "bad mask \"%s\"", p); 389 390 masklen = contigmask((uint8_t *)&(d[1]), 128); 391 } else { 392 masklen = (md == '/') ? atoi(p) : 128; 393 if (masklen > 128 || masklen < 0) 394 errx(EX_DATAERR, "bad width \"%s\''", p); 395 else 396 n2mask(&d[1], masklen); 397 } 398 399 APPLY_MASK(d, &d[1]); /* mask base address with mask */ 400 401 av = q; 402 403 /* Check this entry */ 404 if (masklen == 0) { 405 /* 406 * 'any' turns the entire list into a NOP. 407 * 'not any' never matches, so it is removed from the 408 * list unless it is the only item, in which case we 409 * report an error. 410 */ 411 if (cmd->o.len & F_NOT && av == NULL && len == 0) 412 errx(EX_DATAERR, "not any never matches"); 413 continue; 414 } 415 416 /* 417 * A single IP can be stored alone 418 */ 419 if (masklen == 128 && av == NULL && len == 0) { 420 len = F_INSN_SIZE(struct in6_addr); 421 break; 422 } 423 424 /* Update length and pointer to arguments */ 425 len += F_INSN_SIZE(struct in6_addr)*2; 426 d += 2; 427 } /* end while */ 428 429 /* 430 * Total length of the command, remember that 1 is the size of 431 * the base command. 432 */ 433 if (len + 1 > F_LEN_MASK) 434 errx(EX_DATAERR, "address list too long"); 435 cmd->o.len |= len+1; 436 free(oav); 437 return (1); 438 } 439 440 /* 441 * fills command for ipv6 flow-id filtering 442 * note that the 20 bit flow number is stored in a array of u_int32_t 443 * it's supported lists of flow-id, so in the o.arg1 we store how many 444 * additional flow-id we want to filter, the basic is 1 445 */ 446 void 447 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen) 448 { 449 u_int32_t type; /* Current flow number */ 450 u_int16_t nflow = 0; /* Current flow index */ 451 char *s = av; 452 cmd->d[0] = 0; /* Initializing the base number*/ 453 454 while (s) { 455 CHECK_LENGTH(cblen, 456 (int)F_INSN_SIZE(ipfw_insn_u32) + nflow + 1); 457 458 av = strsep( &s, ",") ; 459 type = strtoul(av, &av, 0); 460 if (*av != ',' && *av != '\0') 461 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 462 if (type > 0xfffff) 463 errx(EX_DATAERR, "flow number out of range %s", av); 464 cmd->d[nflow] |= type; 465 nflow++; 466 } 467 if( nflow > 0 ) { 468 cmd->o.opcode = O_FLOW6ID; 469 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow; 470 cmd->o.arg1 = nflow; 471 } 472 else { 473 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 474 } 475 } 476 477 ipfw_insn * 478 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate) 479 { 480 481 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate); 482 if (cmd->opcode == O_IP_DST_SET) /* set */ 483 cmd->opcode = O_IP_SRC_SET; 484 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 485 cmd->opcode = O_IP_SRC_LOOKUP; 486 else if (F_LEN(cmd) == 0) { /* any */ 487 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 488 cmd->opcode = O_IP6_SRC_ME; 489 } else if (F_LEN(cmd) == 490 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 491 /* single IP, no mask*/ 492 cmd->opcode = O_IP6_SRC; 493 } else { /* addr/mask opt */ 494 cmd->opcode = O_IP6_SRC_MASK; 495 } 496 return cmd; 497 } 498 499 ipfw_insn * 500 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate) 501 { 502 503 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate); 504 if (cmd->opcode == O_IP_DST_SET) /* set */ 505 ; 506 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 507 ; 508 else if (F_LEN(cmd) == 0) { /* any */ 509 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 510 cmd->opcode = O_IP6_DST_ME; 511 } else if (F_LEN(cmd) == 512 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 513 /* single IP, no mask*/ 514 cmd->opcode = O_IP6_DST; 515 } else { /* addr/mask opt */ 516 cmd->opcode = O_IP6_DST_MASK; 517 } 518 return cmd; 519 } 520