xref: /freebsd/share/man/man4/mac_ipacl.4 (revision 535af610a4fdace6d50960c0ad9be0597eea7a1b)
1.\" Copyright (c) 2019, 2023 Shivank Garg <shivank@FreeBSD.org>
2.\"
3.\" This code was developed as a Google Summer of Code 2019 project
4.\" under the guidance of Bjoern A. Zeeb.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd July 25, 2023
30.Dt MAC_IPACL 4
31.Os
32.Sh NAME
33.Nm mac_ipacl
34.Nd "IP Address access control policy"
35.Sh SYNOPSIS
36Add the following lines in your kernel configuration file to compile the
37IP address access control policy into your kernel:
38.Bd -ragged -offset indent
39.Cd "options MAC"
40.Cd "options MAC_IPACL"
41.Ed
42.Pp
43To load the mac_ipacl policy module at boot time, add the
44following line in your kernel configuration file:
45.Bd -ragged -offset indent
46.Cd "options MAC"
47.Ed
48.Pp
49and in
50.Xr loader.conf 5 add:
51.Pp
52.Dl "mac_ipacl_load=""YES"""
53.Sh DESCRIPTION
54The
55.Nm
56policy allows the root of the host to use the
57.Xr sysctl 8
58interface to limit the
59.Xr VNET 9
60jail's ability to set IPv4 and IPv6 addresses.
61So, the host can
62define rules for jails and their interfaces about IP addresses
63with
64.Xr sysctl 8
65MIBs.
66.Pp
67Its default behavior is to deny all IP addresses for the jail if
68.Nm
69policy is enforced and allow/deny IP (or subnets) according to the
70.Va security.mac.ipacl.rules
71string specified with
72.Xr sysctl 8
73.Ss Runtime Configuration
74The following
75.Xr sysctl 8
76MIBs are used to control enforcement and behavior of this MAC Policy.
77.Bl -tag -width indent
78.It Va security.mac.ipacl.ipv4
79Enforce
80.Nm
81for IPv4 addresses.
82(Default: 1).
83.It Va security.mac.ipacl.ipv6
84Enforce
85.Nm
86for IPv6 addresses.
87(Default: 1).
88.It Va security.mac.ipacl.rules
89The IP address access control list is specified in the following format:
90.Pp
91.Sm off
92.D1 jid , allow , interface , addr_family , IP_addr / prefix Op @ jid , ...
93.Sm on
94.Bl -tag -width "interface"
95.It jid
96Describe the jail id of the jail for which the rule is written.
97.It allow
981 for allow and 0 for deny.
99Decides action performed for the rule.
100.It interface
101Name of the interface the rule is enforced for.
102If the interface is left empty then it is a wildcard to enforce the
103rule for all interfaces.
104.It addr_family
105Address family of the IP_addr.
106The input to be given as AF_INET or AF_INET6
107string only.
108.It IP_addr
109IP address (or subnet) to be allowed/denied.
110Action depends on the prefix length.
111.It prefix
112Prefix length of the subnet to be enforced by the policy.
113-1 implies the policy is enforced for the individual IP address.
114For a non-negative value, a range of IP addresses (present in subnet)
115which is calculated as subnet = IP_addr & mask.
116.El
117.El
118.Sh EXAMPLES
119Behavior of the
120.Nm
121policy module for different inputs of sysctl variable:
122.Bl -tag -width "1."
123.It 1.
124Assign ipv4=1, ipv6=0 and rules="1,1,,AF_INET,169.254.123.123/-1"
125.Pp
126It allow only 169.254.123.123 IPv4 address for all interfaces (wildcard) of jail 1.
127It allows all IPv6 addresses since the policy is not enforced for IPv6.
128.It 2.
129Assign ipv4=1, ipv6=1 and rules="1,1,epair0b,AF_INET6,fe80::/32@1,0,epair0b,AF_INET6,fe80::abcd/-1"
130.Pp
131It denies all IPv4 addresses as the policy is enforced but no rules are specified
132about it.
133It allows all IPv6 addresses in subnet fe80::/32 except
134fe80::abcd for interface epair0b only.
135.It 3.
136Assign ipv4=1, ipv6=1, rules="2,1,,AF_INET6,fc00::/7@2,0,,AF_INET6,fc00::1111:2200/120@2,1,,AF_INET6,fc00::1111:2299/-1@1,1,,AF_INET,198.51.100.0/24"
137.Pp
138It allows IPv4 in subnet 198.51.100.0/24 for jail 2 and
139all interfaces.
140It allows IPv6 addresses in subnet fc00::/7 but
141denies subnet fc00::1111:2200/120, and allows individual IP
142fc00::1111:2299 from the denied subnet for all interfaces in jail 2.
143.El
144Please refer to mac/ipacl tests-framework for wide variety of examples on using
145the ipacl module.
146.Sh LIMITATIONS/PRECAUTIONS
147In the case where multiple rules are applicable to an IP address or
148a set of IP addresses, the rule that is defined later in the list
149determines the outcome, disregarding any previous rule for that IP
150address.
151.Sh FUTURE WORKS
152Rules are given with sysctl interface which gets very complex to give them
153all in command line.
154It has to be simplified with a better way to input those rules.
155.Sh SEE ALSO
156.Xr mac 4 ,
157.Xr mac 9
158.Sh AUTHORS
159The
160.Nm
161policy module was developed as a Google Summer of Code Project in 2019
162by
163.An -nosplit
164.An "Shivank Garg" Aq Mt shivank@FreeBSD.org
165under the guidance of
166.An "Bjoern A. Zeeb" Aq Mt bz@FreeBSD.org .
167