xref: /freebsd/sbin/ipfw/ipv6.c (revision 792bbaba989533a1fc93823df1720c8c4aaf0442)
1 /*
2  * Copyright (c) 2002-2003 Luigi Rizzo
3  * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4  * Copyright (c) 1994 Ugen J.S.Antsilevich
5  *
6  * Idea and grammar partially left from:
7  * Copyright (c) 1993 Daniel Boulet
8  *
9  * Redistribution and use in source forms, with and without modification,
10  * are permitted provided that this entire comment appears intact.
11  *
12  * Redistribution in binary form may occur without any restrictions.
13  * Obviously, it would be nice if you gave credit where credit is due
14  * but requiring it would be too onerous.
15  *
16  * This software is provided ``AS IS'' without any warranties of any kind.
17  *
18  * NEW command line interface for IP firewall facility
19  *
20  * $FreeBSD$
21  *
22  * ipv6 support
23  */
24 
25 #include <sys/types.h>
26 #include <sys/socket.h>
27 
28 #include "ipfw2.h"
29 
30 #include <err.h>
31 #include <netdb.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <sysexits.h>
36 
37 #include <net/if.h>
38 #include <netinet/in.h>
39 #include <netinet/in_systm.h>
40 #include <netinet/ip.h>
41 #include <netinet/icmp6.h>
42 #include <netinet/ip_fw.h>
43 #include <arpa/inet.h>
44 
45 #define	CHECK_LENGTH(v, len) do {			\
46 	if ((v) < (len))				\
47 		errx(EX_DATAERR, "Rule too long");	\
48 	} while (0)
49 
50 static struct _s_x icmp6codes[] = {
51       { "no-route",		ICMP6_DST_UNREACH_NOROUTE },
52       { "admin-prohib",		ICMP6_DST_UNREACH_ADMIN },
53       { "address",		ICMP6_DST_UNREACH_ADDR },
54       { "port",			ICMP6_DST_UNREACH_NOPORT },
55       { NULL, 0 }
56 };
57 
58 void
59 fill_unreach6_code(u_short *codep, char *str)
60 {
61 	int val;
62 	char *s;
63 
64 	val = strtoul(str, &s, 0);
65 	if (s == str || *s != '\0' || val >= 0x100)
66 		val = match_token(icmp6codes, str);
67 	if (val < 0)
68 		errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
69 	*codep = val;
70 	return;
71 }
72 
73 void
74 print_unreach6_code(struct buf_pr *bp, uint16_t code)
75 {
76 	char const *s = match_value(icmp6codes, code);
77 
78 	if (s != NULL)
79 		bprintf(bp, "unreach6 %s", s);
80 	else
81 		bprintf(bp, "unreach6 %u", code);
82 }
83 
84 /*
85  * Print the ip address contained in a command.
86  */
87 void
88 print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd, char const *s)
89 {
90        struct hostent *he = NULL;
91        int len = F_LEN((ipfw_insn *) cmd) - 1;
92        struct in6_addr *a = &(cmd->addr6);
93        char trad[255];
94 
95        bprintf(bp, "%s%s ", cmd->o.len & F_NOT ? " not": "", s);
96 
97        if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
98 	       bprintf(bp, "me6");
99 	       return;
100        }
101        if (cmd->o.opcode == O_IP6) {
102 	       bprintf(bp, " ip6");
103 	       return;
104        }
105 
106        /*
107 	* len == 4 indicates a single IP, whereas lists of 1 or more
108 	* addr/mask pairs have len = (2n+1). We convert len to n so we
109 	* use that to count the number of entries.
110 	*/
111 
112        for (len = len / 4; len > 0; len -= 2, a += 2) {
113 	   int mb =	/* mask length */
114 	       (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ?
115 	       128 : contigmask((uint8_t *)&(a[1]), 128);
116 
117 	   if (mb == 128 && co.do_resolv)
118 	       he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6);
119 	   if (he != NULL)	     /* resolved to name */
120 	       bprintf(bp, "%s", he->h_name);
121 	   else if (mb == 0)	   /* any */
122 	       bprintf(bp, "any");
123 	   else {	  /* numeric IP followed by some kind of mask */
124 	       if (inet_ntop(AF_INET6,  a, trad, sizeof( trad ) ) == NULL)
125 		   bprintf(bp, "Error ntop in print_ip6\n");
126 	       bprintf(bp, "%s",  trad );
127 	       if (mb < 0) /* mask not contiguous */
128 		   bprintf(bp, "/%s",
129 		       inet_ntop(AF_INET6, &a[1], trad, sizeof(trad)));
130 	       else if (mb < 128)
131 		   bprintf(bp, "/%d", mb);
132 	   }
133 	   if (len > 2)
134 	       bprintf(bp, ",");
135        }
136 }
137 
138 void
139 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
140 {
141        uint8_t type;
142 
143        CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6));
144 
145        bzero(cmd, sizeof(*cmd));
146        while (*av) {
147 	   if (*av == ',')
148 	       av++;
149 	   type = strtoul(av, &av, 0);
150 	   if (*av != ',' && *av != '\0')
151 	       errx(EX_DATAERR, "invalid ICMP6 type");
152 	   /*
153 	    * XXX: shouldn't this be 0xFF?  I can't see any reason why
154 	    * we shouldn't be able to filter all possiable values
155 	    * regardless of the ability of the rest of the kernel to do
156 	    * anything useful with them.
157 	    */
158 	   if (type > ICMP6_MAXTYPE)
159 	       errx(EX_DATAERR, "ICMP6 type out of range");
160 	   cmd->d[type / 32] |= ( 1 << (type % 32));
161        }
162        cmd->o.opcode = O_ICMP6TYPE;
163        cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
164 }
165 
166 
167 void
168 print_icmp6types(struct buf_pr *bp, ipfw_insn_u32 *cmd)
169 {
170        int i, j;
171        char sep= ' ';
172 
173        bprintf(bp, " ip6 icmp6types");
174        for (i = 0; i < 7; i++)
175 	       for (j=0; j < 32; ++j) {
176 		       if ( (cmd->d[i] & (1 << (j))) == 0)
177 			       continue;
178 		       bprintf(bp, "%c%d", sep, (i*32 + j));
179 		       sep = ',';
180 	       }
181 }
182 
183 void
184 print_flow6id(struct buf_pr *bp, ipfw_insn_u32 *cmd)
185 {
186        uint16_t i, limit = cmd->o.arg1;
187        char sep = ',';
188 
189        bprintf(bp, " flow-id ");
190        for( i=0; i < limit; ++i) {
191 	       if (i == limit - 1)
192 		       sep = ' ';
193 	       bprintf(bp, "%d%c", cmd->d[i], sep);
194        }
195 }
196 
197 /* structure and define for the extension header in ipv6 */
198 static struct _s_x ext6hdrcodes[] = {
199        { "frag",       EXT_FRAGMENT },
200        { "hopopt",     EXT_HOPOPTS },
201        { "route",      EXT_ROUTING },
202        { "dstopt",     EXT_DSTOPTS },
203        { "ah",	 EXT_AH },
204        { "esp",	EXT_ESP },
205        { "rthdr0",     EXT_RTHDR0 },
206        { "rthdr2",     EXT_RTHDR2 },
207        { NULL,	 0 }
208 };
209 
210 /* fills command for the extension header filtering */
211 int
212 fill_ext6hdr( ipfw_insn *cmd, char *av)
213 {
214        int tok;
215        char *s = av;
216 
217        cmd->arg1 = 0;
218 
219        while(s) {
220 	   av = strsep( &s, ",") ;
221 	   tok = match_token(ext6hdrcodes, av);
222 	   switch (tok) {
223 	   case EXT_FRAGMENT:
224 	       cmd->arg1 |= EXT_FRAGMENT;
225 	       break;
226 
227 	   case EXT_HOPOPTS:
228 	       cmd->arg1 |= EXT_HOPOPTS;
229 	       break;
230 
231 	   case EXT_ROUTING:
232 	       cmd->arg1 |= EXT_ROUTING;
233 	       break;
234 
235 	   case EXT_DSTOPTS:
236 	       cmd->arg1 |= EXT_DSTOPTS;
237 	       break;
238 
239 	   case EXT_AH:
240 	       cmd->arg1 |= EXT_AH;
241 	       break;
242 
243 	   case EXT_ESP:
244 	       cmd->arg1 |= EXT_ESP;
245 	       break;
246 
247 	   case EXT_RTHDR0:
248 	       cmd->arg1 |= EXT_RTHDR0;
249 	       break;
250 
251 	   case EXT_RTHDR2:
252 	       cmd->arg1 |= EXT_RTHDR2;
253 	       break;
254 
255 	   default:
256 	       errx( EX_DATAERR, "invalid option for ipv6 exten header" );
257 	       break;
258 	   }
259        }
260        if (cmd->arg1 == 0 )
261 	   return 0;
262        cmd->opcode = O_EXT_HDR;
263        cmd->len |= F_INSN_SIZE( ipfw_insn );
264        return 1;
265 }
266 
267 void
268 print_ext6hdr(struct buf_pr *bp, ipfw_insn *cmd )
269 {
270        char sep = ' ';
271 
272        bprintf(bp, " extension header:");
273        if (cmd->arg1 & EXT_FRAGMENT ) {
274 	   bprintf(bp, "%cfragmentation", sep);
275 	   sep = ',';
276        }
277        if (cmd->arg1 & EXT_HOPOPTS ) {
278 	   bprintf(bp, "%chop options", sep);
279 	   sep = ',';
280        }
281        if (cmd->arg1 & EXT_ROUTING ) {
282 	   bprintf(bp, "%crouting options", sep);
283 	   sep = ',';
284        }
285        if (cmd->arg1 & EXT_RTHDR0 ) {
286 	   bprintf(bp, "%crthdr0", sep);
287 	   sep = ',';
288        }
289        if (cmd->arg1 & EXT_RTHDR2 ) {
290 	   bprintf(bp, "%crthdr2", sep);
291 	   sep = ',';
292        }
293        if (cmd->arg1 & EXT_DSTOPTS ) {
294 	   bprintf(bp, "%cdestination options", sep);
295 	   sep = ',';
296        }
297        if (cmd->arg1 & EXT_AH ) {
298 	   bprintf(bp, "%cauthentication header", sep);
299 	   sep = ',';
300        }
301        if (cmd->arg1 & EXT_ESP ) {
302 	   bprintf(bp, "%cencapsulated security payload", sep);
303        }
304 }
305 
306 /* Try to find ipv6 address by hostname */
307 static int
308 lookup_host6 (char *host, struct in6_addr *ip6addr)
309 {
310 	struct hostent *he;
311 
312 	if (!inet_pton(AF_INET6, host, ip6addr)) {
313 		if ((he = gethostbyname2(host, AF_INET6)) == NULL)
314 			return(-1);
315 		memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
316 	}
317 	return(0);
318 }
319 
320 
321 /*
322  * fill the addr and mask fields in the instruction as appropriate from av.
323  * Update length as appropriate.
324  * The following formats are allowed:
325  *     any     matches any IP6. Actually returns an empty instruction.
326  *     me      returns O_IP6_*_ME
327  *
328  *     03f1::234:123:0342			single IP6 address
329  *     03f1::234:123:0342/24			address/masklen
330  *     03f1::234:123:0342/ffff::ffff:ffff	address/mask
331  *     03f1::234:123:0342/24,03f1::234:123:0343/	List of address
332  *
333  * Set of address (as in ipv6) not supported because ipv6 address
334  * are typically random past the initial prefix.
335  * Return 1 on success, 0 on failure.
336  */
337 static int
338 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
339 {
340 	int len = 0;
341 	struct in6_addr *d = &(cmd->addr6);
342 	/*
343 	 * Needed for multiple address.
344 	 * Note d[1] points to struct in6_add r mask6 of cmd
345 	 */
346 
347 	cmd->o.len &= ~F_LEN_MASK;	/* zero len */
348 
349 	if (strcmp(av, "any") == 0)
350 		return (1);
351 
352 
353 	if (strcmp(av, "me") == 0) {	/* Set the data for "me" opt*/
354 		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
355 		return (1);
356 	}
357 
358 	if (strcmp(av, "me6") == 0) {	/* Set the data for "me" opt*/
359 		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
360 		return (1);
361 	}
362 
363 	if (strncmp(av, "table(", 6) == 0) {
364 		fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
365 		return (1);
366 	}
367 
368 	av = strdup(av);
369 	while (av) {
370 		/*
371 		 * After the address we can have '/' indicating a mask,
372 		 * or ',' indicating another address follows.
373 		 */
374 
375 		char *p, *q;
376 		int masklen;
377 		char md = '\0';
378 
379 		CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr));
380 
381 		if ((q = strchr(av, ',')) ) {
382 			*q = '\0';
383 			q++;
384 		}
385 
386 		if ((p = strchr(av, '/')) ) {
387 			md = *p;	/* save the separator */
388 			*p = '\0';	/* terminate address string */
389 			p++;		/* and skip past it */
390 		}
391 		/* now p points to NULL, mask or next entry */
392 
393 		/* lookup stores address in *d as a side effect */
394 		if (lookup_host6(av, d) != 0) {
395 			/* XXX: failed. Free memory and go */
396 			errx(EX_DATAERR, "bad address \"%s\"", av);
397 		}
398 		/* next, look at the mask, if any */
399 		if (md == '/' && strchr(p, ':')) {
400 			if (!inet_pton(AF_INET6, p, &d[1]))
401 				errx(EX_DATAERR, "bad mask \"%s\"", p);
402 
403 			masklen = contigmask((uint8_t *)&(d[1]), 128);
404 		} else {
405 			masklen = (md == '/') ? atoi(p) : 128;
406 			if (masklen > 128 || masklen < 0)
407 				errx(EX_DATAERR, "bad width \"%s\''", p);
408 			else
409 				n2mask(&d[1], masklen);
410 		}
411 
412 		APPLY_MASK(d, &d[1])   /* mask base address with mask */
413 
414 		av = q;
415 
416 		/* Check this entry */
417 		if (masklen == 0) {
418 			/*
419 			 * 'any' turns the entire list into a NOP.
420 			 * 'not any' never matches, so it is removed from the
421 			 * list unless it is the only item, in which case we
422 			 * report an error.
423 			 */
424 			if (cmd->o.len & F_NOT && av == NULL && len == 0)
425 				errx(EX_DATAERR, "not any never matches");
426 			continue;
427 		}
428 
429 		/*
430 		 * A single IP can be stored alone
431 		 */
432 		if (masklen == 128 && av == NULL && len == 0) {
433 			len = F_INSN_SIZE(struct in6_addr);
434 			break;
435 		}
436 
437 		/* Update length and pointer to arguments */
438 		len += F_INSN_SIZE(struct in6_addr)*2;
439 		d += 2;
440 	} /* end while */
441 
442 	/*
443 	 * Total length of the command, remember that 1 is the size of
444 	 * the base command.
445 	 */
446 	if (len + 1 > F_LEN_MASK)
447 		errx(EX_DATAERR, "address list too long");
448 	cmd->o.len |= len+1;
449 	free(av);
450 	return (1);
451 }
452 
453 /*
454  * fills command for ipv6 flow-id filtering
455  * note that the 20 bit flow number is stored in a array of u_int32_t
456  * it's supported lists of flow-id, so in the o.arg1 we store how many
457  * additional flow-id we want to filter, the basic is 1
458  */
459 void
460 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)
461 {
462 	u_int32_t type;	 /* Current flow number */
463 	u_int16_t nflow = 0;    /* Current flow index */
464 	char *s = av;
465 	cmd->d[0] = 0;	  /* Initializing the base number*/
466 
467 	while (s) {
468 		CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
469 
470 		av = strsep( &s, ",") ;
471 		type = strtoul(av, &av, 0);
472 		if (*av != ',' && *av != '\0')
473 			errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
474 		if (type > 0xfffff)
475 			errx(EX_DATAERR, "flow number out of range %s", av);
476 		cmd->d[nflow] |= type;
477 		nflow++;
478 	}
479 	if( nflow > 0 ) {
480 		cmd->o.opcode = O_FLOW6ID;
481 		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
482 		cmd->o.arg1 = nflow;
483 	}
484 	else {
485 		errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
486 	}
487 }
488 
489 ipfw_insn *
490 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
491 {
492 
493 	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
494 	if (cmd->opcode == O_IP_DST_SET)			/* set */
495 		cmd->opcode = O_IP_SRC_SET;
496 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
497 		cmd->opcode = O_IP_SRC_LOOKUP;
498 	else if (F_LEN(cmd) == 0) {				/* any */
499 	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
500 		cmd->opcode = O_IP6_SRC_ME;
501 	} else if (F_LEN(cmd) ==
502 	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
503 		/* single IP, no mask*/
504 		cmd->opcode = O_IP6_SRC;
505 	} else {					/* addr/mask opt */
506 		cmd->opcode = O_IP6_SRC_MASK;
507 	}
508 	return cmd;
509 }
510 
511 ipfw_insn *
512 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
513 {
514 
515 	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
516 	if (cmd->opcode == O_IP_DST_SET)			/* set */
517 		;
518 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
519 		;
520 	else if (F_LEN(cmd) == 0) {				/* any */
521 	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
522 		cmd->opcode = O_IP6_DST_ME;
523 	} else if (F_LEN(cmd) ==
524 	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
525 		/* single IP, no mask*/
526 		cmd->opcode = O_IP6_DST;
527 	} else {					/* addr/mask opt */
528 		cmd->opcode = O_IP6_DST_MASK;
529 	}
530 	return cmd;
531 }
532