xref: /freebsd/sbin/ipfw/ipv6.c (revision 7899f917b1c0ea178f1d2be0cfb452086d079d23)
1 /*-
2  * Copyright (c) 2002-2003 Luigi Rizzo
3  * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4  * Copyright (c) 1994 Ugen J.S.Antsilevich
5  *
6  * Idea and grammar partially left from:
7  * Copyright (c) 1993 Daniel Boulet
8  *
9  * Redistribution and use in source forms, with and without modification,
10  * are permitted provided that this entire comment appears intact.
11  *
12  * Redistribution in binary form may occur without any restrictions.
13  * Obviously, it would be nice if you gave credit where credit is due
14  * but requiring it would be too onerous.
15  *
16  * This software is provided ``AS IS'' without any warranties of any kind.
17  *
18  * NEW command line interface for IP firewall facility
19  *
20  * ipv6 support
21  */
22 
23 #include <sys/types.h>
24 #include <sys/socket.h>
25 
26 #include "ipfw2.h"
27 
28 #include <err.h>
29 #include <netdb.h>
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <sysexits.h>
34 
35 #include <net/if.h>
36 #include <netinet/in.h>
37 #include <netinet/in_systm.h>
38 #include <netinet/ip.h>
39 #include <netinet/icmp6.h>
40 #include <netinet/ip_fw.h>
41 #include <arpa/inet.h>
42 
43 #define	CHECK_LENGTH(v, len) do {			\
44 	if ((v) < (len))				\
45 		errx(EX_DATAERR, "Rule too long");	\
46 	} while (0)
47 
48 static struct _s_x icmp6codes[] = {
49 	{ "no-route",		ICMP6_DST_UNREACH_NOROUTE },
50 	{ "admin-prohib",		ICMP6_DST_UNREACH_ADMIN },
51 	{ "address",		ICMP6_DST_UNREACH_ADDR },
52 	{ "port",			ICMP6_DST_UNREACH_NOPORT },
53 	{ NULL, 0 }
54 };
55 
56 uint16_t
57 get_unreach6_code(const char *str)
58 {
59 	int val;
60 	char *s;
61 
62 	val = strtoul(str, &s, 0);
63 	if (s == str || *s != '\0' || val >= 0x100)
64 		val = match_token(icmp6codes, str);
65 	if (val < 0)
66 		errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
67 	return (val);
68 }
69 
70 void
71 print_unreach6_code(struct buf_pr *bp, uint16_t code)
72 {
73 	char const *s = match_value(icmp6codes, code);
74 
75 	if (s != NULL)
76 		bprintf(bp, "unreach6 %s", s);
77 	else
78 		bprintf(bp, "unreach6 %u", code);
79 }
80 
81 /*
82  * Print the ip address contained in a command.
83  */
84 void
85 print_ip6(struct buf_pr *bp, const ipfw_insn_ip6 *cmd)
86 {
87 	char trad[255];
88 	struct hostent *he = NULL;
89 	const struct in6_addr *a = &(cmd->addr6);
90 	int len, mb;
91 
92 	len = F_LEN((const ipfw_insn *)cmd) - 1;
93 	if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
94 		bprintf(bp, " me6");
95 		return;
96 	}
97 	if (cmd->o.opcode == O_IP6) {
98 		bprintf(bp, " ip6");
99 		return;
100 	}
101 
102 	/*
103 	 * len == 4 indicates a single IP, whereas lists of 1 or more
104 	 * addr/mask pairs have len = (2n+1). We convert len to n so we
105 	 * use that to count the number of entries.
106 	 */
107 	bprintf(bp, " ");
108 	for (len = len / 4; len > 0; len -= 2, a += 2) {
109 		/* mask length */
110 		mb = (cmd->o.opcode == O_IP6_SRC ||
111 		    cmd->o.opcode == O_IP6_DST) ?  128:
112 		    contigmask((const uint8_t *)&(a[1]), 128);
113 
114 		if (mb == 128 && g_co.do_resolv)
115 			he = gethostbyaddr((const char *)a, sizeof(*a),
116 			    AF_INET6);
117 
118 		if (he != NULL)	     /* resolved to name */
119 			bprintf(bp, "%s", he->h_name);
120 		else if (mb == 0)	   /* any */
121 			bprintf(bp, "any");
122 		else {	  /* numeric IP followed by some kind of mask */
123 			if (inet_ntop(AF_INET6,  a, trad,
124 			    sizeof(trad)) == NULL)
125 				bprintf(bp, "Error ntop in print_ip6\n");
126 			bprintf(bp, "%s",  trad );
127 			if (mb < 0) /* mask not contiguous */
128 				bprintf(bp, "/%s", inet_ntop(AF_INET6, &a[1],
129 				    trad, sizeof(trad)));
130 			else if (mb < 128)
131 				bprintf(bp, "/%d", mb);
132 		}
133 		if (len > 2)
134 			bprintf(bp, ",");
135 	}
136 }
137 
138 void
139 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
140 {
141        uint8_t type;
142 
143        CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn_icmp6));
144        memset(cmd, 0, sizeof(*cmd));
145        while (*av) {
146 	       if (*av == ',')
147 		       av++;
148 	       type = strtoul(av, &av, 0);
149 	       if (*av != ',' && *av != '\0')
150 		       errx(EX_DATAERR, "invalid ICMP6 type");
151 	       /*
152 		* XXX: shouldn't this be 0xFF?  I can't see any reason why
153 		* we shouldn't be able to filter all possiable values
154 		* regardless of the ability of the rest of the kernel to do
155 		* anything useful with them.
156 		*/
157 	       if (type > ICMP6_MAXTYPE)
158 		       errx(EX_DATAERR, "ICMP6 type out of range");
159 	       cmd->d[type / 32] |= ( 1 << (type % 32));
160        }
161        cmd->o.opcode = O_ICMP6TYPE;
162        cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
163 }
164 
165 void
166 print_icmp6types(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
167 {
168 	int i, j;
169 	char sep= ' ';
170 
171 	bprintf(bp, " icmp6types");
172 	for (i = 0; i < 7; i++)
173 		for (j=0; j < 32; ++j) {
174 			if ( (cmd->d[i] & (1 << (j))) == 0)
175 				continue;
176 			bprintf(bp, "%c%d", sep, (i*32 + j));
177 			sep = ',';
178 		}
179 }
180 
181 void
182 print_flow6id(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
183 {
184 	uint16_t i, limit = cmd->o.arg1;
185 	char sep = ',';
186 
187 	bprintf(bp, " flow-id ");
188 	for( i=0; i < limit; ++i) {
189 		if (i == limit - 1)
190 			sep = ' ';
191 		bprintf(bp, "%d%c", cmd->d[i], sep);
192 	}
193 }
194 
195 /* structure and define for the extension header in ipv6 */
196 static struct _s_x ext6hdrcodes[] = {
197 	{ "frag",       EXT_FRAGMENT },
198 	{ "hopopt",     EXT_HOPOPTS },
199 	{ "route",      EXT_ROUTING },
200 	{ "dstopt",     EXT_DSTOPTS },
201 	{ "ah",	 EXT_AH },
202 	{ "esp",	EXT_ESP },
203 	{ "rthdr0",     EXT_RTHDR0 },
204 	{ "rthdr2",     EXT_RTHDR2 },
205 	{ NULL,	 0 }
206 };
207 
208 /* fills command for the extension header filtering */
209 int
210 fill_ext6hdr( ipfw_insn *cmd, char *av)
211 {
212 	int tok;
213 	char *s = av;
214 
215 	cmd->arg1 = 0;
216 	while(s) {
217 		av = strsep( &s, ",") ;
218 		tok = match_token(ext6hdrcodes, av);
219 		switch (tok) {
220 		case EXT_FRAGMENT:
221 			cmd->arg1 |= EXT_FRAGMENT;
222 			break;
223 		case EXT_HOPOPTS:
224 			cmd->arg1 |= EXT_HOPOPTS;
225 			break;
226 		case EXT_ROUTING:
227 			cmd->arg1 |= EXT_ROUTING;
228 			break;
229 		case EXT_DSTOPTS:
230 			cmd->arg1 |= EXT_DSTOPTS;
231 			break;
232 		case EXT_AH:
233 			cmd->arg1 |= EXT_AH;
234 			break;
235 		case EXT_ESP:
236 			cmd->arg1 |= EXT_ESP;
237 			break;
238 		case EXT_RTHDR0:
239 			cmd->arg1 |= EXT_RTHDR0;
240 			break;
241 		case EXT_RTHDR2:
242 			cmd->arg1 |= EXT_RTHDR2;
243 			break;
244 		default:
245 			errx(EX_DATAERR,
246 			    "invalid option for ipv6 exten header");
247 			break;
248 		}
249 	}
250 	if (cmd->arg1 == 0)
251 		return (0);
252 	cmd->opcode = O_EXT_HDR;
253 	cmd->len |= F_INSN_SIZE(ipfw_insn);
254 	return (1);
255 }
256 
257 void
258 print_ext6hdr(struct buf_pr *bp, const ipfw_insn *cmd )
259 {
260 	char sep = ' ';
261 
262 	bprintf(bp, " extension header:");
263 	if (cmd->arg1 & EXT_FRAGMENT) {
264 		bprintf(bp, "%cfragmentation", sep);
265 		sep = ',';
266 	}
267 	if (cmd->arg1 & EXT_HOPOPTS) {
268 		bprintf(bp, "%chop options", sep);
269 		sep = ',';
270 	}
271 	if (cmd->arg1 & EXT_ROUTING) {
272 		bprintf(bp, "%crouting options", sep);
273 		sep = ',';
274 	}
275 	if (cmd->arg1 & EXT_RTHDR0) {
276 		bprintf(bp, "%crthdr0", sep);
277 		sep = ',';
278 	}
279 	if (cmd->arg1 & EXT_RTHDR2) {
280 		bprintf(bp, "%crthdr2", sep);
281 		sep = ',';
282 	}
283 	if (cmd->arg1 & EXT_DSTOPTS) {
284 		bprintf(bp, "%cdestination options", sep);
285 		sep = ',';
286 	}
287 	if (cmd->arg1 & EXT_AH) {
288 		bprintf(bp, "%cauthentication header", sep);
289 		sep = ',';
290 	}
291 	if (cmd->arg1 & EXT_ESP) {
292 		bprintf(bp, "%cencapsulated security payload", sep);
293 	}
294 }
295 
296 /* Try to find ipv6 address by hostname */
297 static int
298 lookup_host6 (char *host, struct in6_addr *ip6addr)
299 {
300 	struct hostent *he;
301 
302 	if (!inet_pton(AF_INET6, host, ip6addr)) {
303 		if ((he = gethostbyname2(host, AF_INET6)) == NULL)
304 			return(-1);
305 		memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
306 	}
307 	return (0);
308 }
309 
310 
311 /*
312  * fill the addr and mask fields in the instruction as appropriate from av.
313  * Update length as appropriate.
314  * The following formats are allowed:
315  *     any     matches any IP6. Actually returns an empty instruction.
316  *     me      returns O_IP6_*_ME
317  *
318  *     03f1::234:123:0342			single IP6 address
319  *     03f1::234:123:0342/24			address/masklen
320  *     03f1::234:123:0342/ffff::ffff:ffff	address/mask
321  *     03f1::234:123:0342/24,03f1::234:123:0343/	List of address
322  *
323  * Set of address (as in ipv6) not supported because ipv6 address
324  * are typically random past the initial prefix.
325  * Return 1 on success, 0 on failure.
326  */
327 static int
328 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
329 {
330 	int len = 0;
331 	struct in6_addr *d = &(cmd->addr6);
332 	char *oav;
333 	/*
334 	 * Needed for multiple address.
335 	 * Note d[1] points to struct in6_add r mask6 of cmd
336 	 */
337 
338 	cmd->o.len &= ~F_LEN_MASK;	/* zero len */
339 
340 	if (strcmp(av, "any") == 0)
341 		return (1);
342 
343 	/* Set the data for "me" opt */
344 	if (strcmp(av, "me") == 0 || strcmp(av, "me6") == 0) {
345 		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
346 		return (1);
347 	}
348 
349 	if (strncmp(av, "table(", 6) == 0) {
350 		fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
351 		return (1);
352 	}
353 
354 	oav = av = strdup(av);
355 	while (av) {
356 		/*
357 		 * After the address we can have '/' indicating a mask,
358 		 * or ',' indicating another address follows.
359 		 */
360 
361 		char *p, *q;
362 		int masklen;
363 		char md = '\0';
364 
365 		CHECK_LENGTH(cblen,
366 		    1 + len + 2 * (int)F_INSN_SIZE(struct in6_addr));
367 
368 		if ((q = strchr(av, ',')) ) {
369 			*q = '\0';
370 			q++;
371 		}
372 
373 		if ((p = strchr(av, '/')) ) {
374 			md = *p;	/* save the separator */
375 			*p = '\0';	/* terminate address string */
376 			p++;		/* and skip past it */
377 		}
378 		/* now p points to NULL, mask or next entry */
379 
380 		/* lookup stores address in *d as a side effect */
381 		if (lookup_host6(av, d) != 0) {
382 			/* XXX: failed. Free memory and go */
383 			errx(EX_DATAERR, "bad address \"%s\"", av);
384 		}
385 		/* next, look at the mask, if any */
386 		if (md == '/' && strchr(p, ':')) {
387 			if (!inet_pton(AF_INET6, p, &d[1]))
388 				errx(EX_DATAERR, "bad mask \"%s\"", p);
389 
390 			masklen = contigmask((uint8_t *)&(d[1]), 128);
391 		} else {
392 			masklen = (md == '/') ? atoi(p) : 128;
393 			if (masklen > 128 || masklen < 0)
394 				errx(EX_DATAERR, "bad width \"%s\''", p);
395 			else
396 				n2mask(&d[1], masklen);
397 		}
398 
399 		APPLY_MASK(d, &d[1]);   /* mask base address with mask */
400 
401 		av = q;
402 
403 		/* Check this entry */
404 		if (masklen == 0) {
405 			/*
406 			 * 'any' turns the entire list into a NOP.
407 			 * 'not any' never matches, so it is removed from the
408 			 * list unless it is the only item, in which case we
409 			 * report an error.
410 			 */
411 			if (cmd->o.len & F_NOT && av == NULL && len == 0)
412 				errx(EX_DATAERR, "not any never matches");
413 			continue;
414 		}
415 
416 		/*
417 		 * A single IP can be stored alone
418 		 */
419 		if (masklen == 128 && av == NULL && len == 0) {
420 			len = F_INSN_SIZE(struct in6_addr);
421 			break;
422 		}
423 
424 		/* Update length and pointer to arguments */
425 		len += F_INSN_SIZE(struct in6_addr)*2;
426 		d += 2;
427 	} /* end while */
428 
429 	/*
430 	 * Total length of the command, remember that 1 is the size of
431 	 * the base command.
432 	 */
433 	if (len + 1 > F_LEN_MASK)
434 		errx(EX_DATAERR, "address list too long");
435 	cmd->o.len |= len+1;
436 	free(oav);
437 	return (1);
438 }
439 
440 /*
441  * fills command for ipv6 flow-id filtering
442  * note that the 20 bit flow number is stored in a array of u_int32_t
443  * it's supported lists of flow-id, so in the o.arg1 we store how many
444  * additional flow-id we want to filter, the basic is 1
445  */
446 void
447 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)
448 {
449 	u_int32_t type;	 /* Current flow number */
450 	u_int16_t nflow = 0;    /* Current flow index */
451 	char *s = av;
452 	cmd->d[0] = 0;	  /* Initializing the base number*/
453 
454 	while (s) {
455 		CHECK_LENGTH(cblen,
456 		    (int)F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
457 
458 		av = strsep( &s, ",") ;
459 		type = strtoul(av, &av, 0);
460 		if (*av != ',' && *av != '\0')
461 			errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
462 		if (type > 0xfffff)
463 			errx(EX_DATAERR, "flow number out of range %s", av);
464 		cmd->d[nflow] |= type;
465 		nflow++;
466 	}
467 	if( nflow > 0 ) {
468 		cmd->o.opcode = O_FLOW6ID;
469 		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
470 		cmd->o.arg1 = nflow;
471 	}
472 	else {
473 		errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
474 	}
475 }
476 
477 ipfw_insn *
478 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
479 {
480 
481 	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
482 	if (cmd->opcode == O_IP_DST_SET)			/* set */
483 		cmd->opcode = O_IP_SRC_SET;
484 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
485 		cmd->opcode = O_IP_SRC_LOOKUP;
486 	else if (F_LEN(cmd) == 0) {				/* any */
487 	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
488 		cmd->opcode = O_IP6_SRC_ME;
489 	} else if (F_LEN(cmd) ==
490 	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
491 		/* single IP, no mask*/
492 		cmd->opcode = O_IP6_SRC;
493 	} else {					/* addr/mask opt */
494 		cmd->opcode = O_IP6_SRC_MASK;
495 	}
496 	return cmd;
497 }
498 
499 ipfw_insn *
500 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
501 {
502 
503 	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
504 	if (cmd->opcode == O_IP_DST_SET)			/* set */
505 		;
506 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
507 		;
508 	else if (F_LEN(cmd) == 0) {				/* any */
509 	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
510 		cmd->opcode = O_IP6_DST_ME;
511 	} else if (F_LEN(cmd) ==
512 	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
513 		/* single IP, no mask*/
514 		cmd->opcode = O_IP6_DST;
515 	} else {					/* addr/mask opt */
516 		cmd->opcode = O_IP6_DST_MASK;
517 	}
518 	return cmd;
519 }
520