xref: /freebsd/sbin/ipfw/ipv6.c (revision 3c5ba95ad12285ad37c182a4bfc1b240ec6d18a7)
1 /*-
2  * Copyright (c) 2002-2003 Luigi Rizzo
3  * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4  * Copyright (c) 1994 Ugen J.S.Antsilevich
5  *
6  * Idea and grammar partially left from:
7  * Copyright (c) 1993 Daniel Boulet
8  *
9  * Redistribution and use in source forms, with and without modification,
10  * are permitted provided that this entire comment appears intact.
11  *
12  * Redistribution in binary form may occur without any restrictions.
13  * Obviously, it would be nice if you gave credit where credit is due
14  * but requiring it would be too onerous.
15  *
16  * This software is provided ``AS IS'' without any warranties of any kind.
17  *
18  * NEW command line interface for IP firewall facility
19  *
20  * $FreeBSD$
21  *
22  * ipv6 support
23  */
24 
25 #include <sys/types.h>
26 #include <sys/socket.h>
27 
28 #include "ipfw2.h"
29 
30 #include <err.h>
31 #include <netdb.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <sysexits.h>
36 
37 #include <net/if.h>
38 #include <netinet/in.h>
39 #include <netinet/in_systm.h>
40 #include <netinet/ip.h>
41 #include <netinet/icmp6.h>
42 #include <netinet/ip_fw.h>
43 #include <arpa/inet.h>
44 
45 #define	CHECK_LENGTH(v, len) do {			\
46 	if ((v) < (len))				\
47 		errx(EX_DATAERR, "Rule too long");	\
48 	} while (0)
49 
50 static struct _s_x icmp6codes[] = {
51 	{ "no-route",		ICMP6_DST_UNREACH_NOROUTE },
52 	{ "admin-prohib",		ICMP6_DST_UNREACH_ADMIN },
53 	{ "address",		ICMP6_DST_UNREACH_ADDR },
54 	{ "port",			ICMP6_DST_UNREACH_NOPORT },
55 	{ NULL, 0 }
56 };
57 
58 void
59 fill_unreach6_code(u_short *codep, char *str)
60 {
61 	int val;
62 	char *s;
63 
64 	val = strtoul(str, &s, 0);
65 	if (s == str || *s != '\0' || val >= 0x100)
66 		val = match_token(icmp6codes, str);
67 	if (val < 0)
68 		errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
69 	*codep = val;
70 	return;
71 }
72 
73 void
74 print_unreach6_code(struct buf_pr *bp, uint16_t code)
75 {
76 	char const *s = match_value(icmp6codes, code);
77 
78 	if (s != NULL)
79 		bprintf(bp, "unreach6 %s", s);
80 	else
81 		bprintf(bp, "unreach6 %u", code);
82 }
83 
84 /*
85  * Print the ip address contained in a command.
86  */
87 void
88 print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd)
89 {
90 	char trad[255];
91 	struct hostent *he = NULL;
92 	struct in6_addr *a = &(cmd->addr6);
93 	int len, mb;
94 
95 	len = F_LEN((ipfw_insn *) cmd) - 1;
96 	if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
97 		bprintf(bp, " me6");
98 		return;
99 	}
100 	if (cmd->o.opcode == O_IP6) {
101 		bprintf(bp, " ip6");
102 		return;
103 	}
104 
105 	/*
106 	 * len == 4 indicates a single IP, whereas lists of 1 or more
107 	 * addr/mask pairs have len = (2n+1). We convert len to n so we
108 	 * use that to count the number of entries.
109 	 */
110 	bprintf(bp, " ");
111 	for (len = len / 4; len > 0; len -= 2, a += 2) {
112 		/* mask length */
113 		mb = (cmd->o.opcode == O_IP6_SRC ||
114 		    cmd->o.opcode == O_IP6_DST) ?  128:
115 		    contigmask((uint8_t *)&(a[1]), 128);
116 
117 		if (mb == 128 && co.do_resolv)
118 			he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6);
119 
120 		if (he != NULL)	     /* resolved to name */
121 			bprintf(bp, "%s", he->h_name);
122 		else if (mb == 0)	   /* any */
123 			bprintf(bp, "any");
124 		else {	  /* numeric IP followed by some kind of mask */
125 			if (inet_ntop(AF_INET6,  a, trad,
126 			    sizeof(trad)) == NULL)
127 				bprintf(bp, "Error ntop in print_ip6\n");
128 			bprintf(bp, "%s",  trad );
129 			if (mb < 0) /* mask not contiguous */
130 				bprintf(bp, "/%s", inet_ntop(AF_INET6, &a[1],
131 				    trad, sizeof(trad)));
132 			else if (mb < 128)
133 				bprintf(bp, "/%d", mb);
134 		}
135 		if (len > 2)
136 			bprintf(bp, ",");
137 	}
138 }
139 
140 void
141 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
142 {
143        uint8_t type;
144 
145        CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6));
146 
147        bzero(cmd, sizeof(*cmd));
148        while (*av) {
149 	       if (*av == ',')
150 		       av++;
151 	       type = strtoul(av, &av, 0);
152 	       if (*av != ',' && *av != '\0')
153 		       errx(EX_DATAERR, "invalid ICMP6 type");
154 	       /*
155 		* XXX: shouldn't this be 0xFF?  I can't see any reason why
156 		* we shouldn't be able to filter all possiable values
157 		* regardless of the ability of the rest of the kernel to do
158 		* anything useful with them.
159 		*/
160 	       if (type > ICMP6_MAXTYPE)
161 		       errx(EX_DATAERR, "ICMP6 type out of range");
162 	       cmd->d[type / 32] |= ( 1 << (type % 32));
163        }
164        cmd->o.opcode = O_ICMP6TYPE;
165        cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
166 }
167 
168 void
169 print_icmp6types(struct buf_pr *bp, ipfw_insn_u32 *cmd)
170 {
171 	int i, j;
172 	char sep= ' ';
173 
174 	bprintf(bp, " ip6 icmp6types");
175 	for (i = 0; i < 7; i++)
176 		for (j=0; j < 32; ++j) {
177 			if ( (cmd->d[i] & (1 << (j))) == 0)
178 				continue;
179 			bprintf(bp, "%c%d", sep, (i*32 + j));
180 			sep = ',';
181 		}
182 }
183 
184 void
185 print_flow6id(struct buf_pr *bp, ipfw_insn_u32 *cmd)
186 {
187 	uint16_t i, limit = cmd->o.arg1;
188 	char sep = ',';
189 
190 	bprintf(bp, " flow-id ");
191 	for( i=0; i < limit; ++i) {
192 		if (i == limit - 1)
193 			sep = ' ';
194 		bprintf(bp, "%d%c", cmd->d[i], sep);
195 	}
196 }
197 
198 /* structure and define for the extension header in ipv6 */
199 static struct _s_x ext6hdrcodes[] = {
200 	{ "frag",       EXT_FRAGMENT },
201 	{ "hopopt",     EXT_HOPOPTS },
202 	{ "route",      EXT_ROUTING },
203 	{ "dstopt",     EXT_DSTOPTS },
204 	{ "ah",	 EXT_AH },
205 	{ "esp",	EXT_ESP },
206 	{ "rthdr0",     EXT_RTHDR0 },
207 	{ "rthdr2",     EXT_RTHDR2 },
208 	{ NULL,	 0 }
209 };
210 
211 /* fills command for the extension header filtering */
212 int
213 fill_ext6hdr( ipfw_insn *cmd, char *av)
214 {
215 	int tok;
216 	char *s = av;
217 
218 	cmd->arg1 = 0;
219 	while(s) {
220 		av = strsep( &s, ",") ;
221 		tok = match_token(ext6hdrcodes, av);
222 		switch (tok) {
223 		case EXT_FRAGMENT:
224 			cmd->arg1 |= EXT_FRAGMENT;
225 			break;
226 		case EXT_HOPOPTS:
227 			cmd->arg1 |= EXT_HOPOPTS;
228 			break;
229 		case EXT_ROUTING:
230 			cmd->arg1 |= EXT_ROUTING;
231 			break;
232 		case EXT_DSTOPTS:
233 			cmd->arg1 |= EXT_DSTOPTS;
234 			break;
235 		case EXT_AH:
236 			cmd->arg1 |= EXT_AH;
237 			break;
238 		case EXT_ESP:
239 			cmd->arg1 |= EXT_ESP;
240 			break;
241 		case EXT_RTHDR0:
242 			cmd->arg1 |= EXT_RTHDR0;
243 			break;
244 		case EXT_RTHDR2:
245 			cmd->arg1 |= EXT_RTHDR2;
246 			break;
247 		default:
248 			errx(EX_DATAERR,
249 			    "invalid option for ipv6 exten header");
250 			break;
251 		}
252 	}
253 	if (cmd->arg1 == 0)
254 		return (0);
255 	cmd->opcode = O_EXT_HDR;
256 	cmd->len |= F_INSN_SIZE(ipfw_insn);
257 	return (1);
258 }
259 
260 void
261 print_ext6hdr(struct buf_pr *bp, ipfw_insn *cmd )
262 {
263 	char sep = ' ';
264 
265 	bprintf(bp, " extension header:");
266 	if (cmd->arg1 & EXT_FRAGMENT) {
267 		bprintf(bp, "%cfragmentation", sep);
268 		sep = ',';
269 	}
270 	if (cmd->arg1 & EXT_HOPOPTS) {
271 		bprintf(bp, "%chop options", sep);
272 		sep = ',';
273 	}
274 	if (cmd->arg1 & EXT_ROUTING) {
275 		bprintf(bp, "%crouting options", sep);
276 		sep = ',';
277 	}
278 	if (cmd->arg1 & EXT_RTHDR0) {
279 		bprintf(bp, "%crthdr0", sep);
280 		sep = ',';
281 	}
282 	if (cmd->arg1 & EXT_RTHDR2) {
283 		bprintf(bp, "%crthdr2", sep);
284 		sep = ',';
285 	}
286 	if (cmd->arg1 & EXT_DSTOPTS) {
287 		bprintf(bp, "%cdestination options", sep);
288 		sep = ',';
289 	}
290 	if (cmd->arg1 & EXT_AH) {
291 		bprintf(bp, "%cauthentication header", sep);
292 		sep = ',';
293 	}
294 	if (cmd->arg1 & EXT_ESP) {
295 		bprintf(bp, "%cencapsulated security payload", sep);
296 	}
297 }
298 
299 /* Try to find ipv6 address by hostname */
300 static int
301 lookup_host6 (char *host, struct in6_addr *ip6addr)
302 {
303 	struct hostent *he;
304 
305 	if (!inet_pton(AF_INET6, host, ip6addr)) {
306 		if ((he = gethostbyname2(host, AF_INET6)) == NULL)
307 			return(-1);
308 		memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
309 	}
310 	return (0);
311 }
312 
313 
314 /*
315  * fill the addr and mask fields in the instruction as appropriate from av.
316  * Update length as appropriate.
317  * The following formats are allowed:
318  *     any     matches any IP6. Actually returns an empty instruction.
319  *     me      returns O_IP6_*_ME
320  *
321  *     03f1::234:123:0342			single IP6 address
322  *     03f1::234:123:0342/24			address/masklen
323  *     03f1::234:123:0342/ffff::ffff:ffff	address/mask
324  *     03f1::234:123:0342/24,03f1::234:123:0343/	List of address
325  *
326  * Set of address (as in ipv6) not supported because ipv6 address
327  * are typically random past the initial prefix.
328  * Return 1 on success, 0 on failure.
329  */
330 static int
331 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
332 {
333 	int len = 0;
334 	struct in6_addr *d = &(cmd->addr6);
335 	char *oav;
336 	/*
337 	 * Needed for multiple address.
338 	 * Note d[1] points to struct in6_add r mask6 of cmd
339 	 */
340 
341 	cmd->o.len &= ~F_LEN_MASK;	/* zero len */
342 
343 	if (strcmp(av, "any") == 0)
344 		return (1);
345 
346 
347 	if (strcmp(av, "me") == 0) {	/* Set the data for "me" opt*/
348 		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
349 		return (1);
350 	}
351 
352 	if (strcmp(av, "me6") == 0) {	/* Set the data for "me" opt*/
353 		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
354 		return (1);
355 	}
356 
357 	if (strncmp(av, "table(", 6) == 0) {
358 		fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
359 		return (1);
360 	}
361 
362 	oav = av = strdup(av);
363 	while (av) {
364 		/*
365 		 * After the address we can have '/' indicating a mask,
366 		 * or ',' indicating another address follows.
367 		 */
368 
369 		char *p, *q;
370 		int masklen;
371 		char md = '\0';
372 
373 		CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr));
374 
375 		if ((q = strchr(av, ',')) ) {
376 			*q = '\0';
377 			q++;
378 		}
379 
380 		if ((p = strchr(av, '/')) ) {
381 			md = *p;	/* save the separator */
382 			*p = '\0';	/* terminate address string */
383 			p++;		/* and skip past it */
384 		}
385 		/* now p points to NULL, mask or next entry */
386 
387 		/* lookup stores address in *d as a side effect */
388 		if (lookup_host6(av, d) != 0) {
389 			/* XXX: failed. Free memory and go */
390 			errx(EX_DATAERR, "bad address \"%s\"", av);
391 		}
392 		/* next, look at the mask, if any */
393 		if (md == '/' && strchr(p, ':')) {
394 			if (!inet_pton(AF_INET6, p, &d[1]))
395 				errx(EX_DATAERR, "bad mask \"%s\"", p);
396 
397 			masklen = contigmask((uint8_t *)&(d[1]), 128);
398 		} else {
399 			masklen = (md == '/') ? atoi(p) : 128;
400 			if (masklen > 128 || masklen < 0)
401 				errx(EX_DATAERR, "bad width \"%s\''", p);
402 			else
403 				n2mask(&d[1], masklen);
404 		}
405 
406 		APPLY_MASK(d, &d[1])   /* mask base address with mask */
407 
408 		av = q;
409 
410 		/* Check this entry */
411 		if (masklen == 0) {
412 			/*
413 			 * 'any' turns the entire list into a NOP.
414 			 * 'not any' never matches, so it is removed from the
415 			 * list unless it is the only item, in which case we
416 			 * report an error.
417 			 */
418 			if (cmd->o.len & F_NOT && av == NULL && len == 0)
419 				errx(EX_DATAERR, "not any never matches");
420 			continue;
421 		}
422 
423 		/*
424 		 * A single IP can be stored alone
425 		 */
426 		if (masklen == 128 && av == NULL && len == 0) {
427 			len = F_INSN_SIZE(struct in6_addr);
428 			break;
429 		}
430 
431 		/* Update length and pointer to arguments */
432 		len += F_INSN_SIZE(struct in6_addr)*2;
433 		d += 2;
434 	} /* end while */
435 
436 	/*
437 	 * Total length of the command, remember that 1 is the size of
438 	 * the base command.
439 	 */
440 	if (len + 1 > F_LEN_MASK)
441 		errx(EX_DATAERR, "address list too long");
442 	cmd->o.len |= len+1;
443 	free(oav);
444 	return (1);
445 }
446 
447 /*
448  * fills command for ipv6 flow-id filtering
449  * note that the 20 bit flow number is stored in a array of u_int32_t
450  * it's supported lists of flow-id, so in the o.arg1 we store how many
451  * additional flow-id we want to filter, the basic is 1
452  */
453 void
454 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)
455 {
456 	u_int32_t type;	 /* Current flow number */
457 	u_int16_t nflow = 0;    /* Current flow index */
458 	char *s = av;
459 	cmd->d[0] = 0;	  /* Initializing the base number*/
460 
461 	while (s) {
462 		CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
463 
464 		av = strsep( &s, ",") ;
465 		type = strtoul(av, &av, 0);
466 		if (*av != ',' && *av != '\0')
467 			errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
468 		if (type > 0xfffff)
469 			errx(EX_DATAERR, "flow number out of range %s", av);
470 		cmd->d[nflow] |= type;
471 		nflow++;
472 	}
473 	if( nflow > 0 ) {
474 		cmd->o.opcode = O_FLOW6ID;
475 		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
476 		cmd->o.arg1 = nflow;
477 	}
478 	else {
479 		errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
480 	}
481 }
482 
483 ipfw_insn *
484 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
485 {
486 
487 	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
488 	if (cmd->opcode == O_IP_DST_SET)			/* set */
489 		cmd->opcode = O_IP_SRC_SET;
490 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
491 		cmd->opcode = O_IP_SRC_LOOKUP;
492 	else if (F_LEN(cmd) == 0) {				/* any */
493 	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
494 		cmd->opcode = O_IP6_SRC_ME;
495 	} else if (F_LEN(cmd) ==
496 	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
497 		/* single IP, no mask*/
498 		cmd->opcode = O_IP6_SRC;
499 	} else {					/* addr/mask opt */
500 		cmd->opcode = O_IP6_SRC_MASK;
501 	}
502 	return cmd;
503 }
504 
505 ipfw_insn *
506 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
507 {
508 
509 	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
510 	if (cmd->opcode == O_IP_DST_SET)			/* set */
511 		;
512 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
513 		;
514 	else if (F_LEN(cmd) == 0) {				/* any */
515 	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
516 		cmd->opcode = O_IP6_DST_ME;
517 	} else if (F_LEN(cmd) ==
518 	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
519 		/* single IP, no mask*/
520 		cmd->opcode = O_IP6_DST;
521 	} else {					/* addr/mask opt */
522 		cmd->opcode = O_IP6_DST_MASK;
523 	}
524 	return cmd;
525 }
526