1.\" Copyright (c) 2019, 2023 Shivank Garg <shivank@FreeBSD.org> 2.\" 3.\" This code was developed as a Google Summer of Code 2019 project 4.\" under the guidance of Bjoern A. Zeeb. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.Dd July 25, 2023 28.Dt MAC_IPACL 4 29.Os 30.Sh NAME 31.Nm mac_ipacl 32.Nd "IP Address access control policy" 33.Sh SYNOPSIS 34Add the following lines in your kernel configuration file to compile the 35IP address access control policy into your kernel: 36.Bd -ragged -offset indent 37.Cd "options MAC" 38.Cd "options MAC_IPACL" 39.Ed 40.Pp 41To load the mac_ipacl policy module at boot time, add the 42following line in your kernel configuration file: 43.Bd -ragged -offset indent 44.Cd "options MAC" 45.Ed 46.Pp 47and in 48.Xr loader.conf 5 add: 49.Pp 50.Dl "mac_ipacl_load=""YES""" 51.Sh DESCRIPTION 52The 53.Nm 54policy allows the root of the host to use the 55.Xr sysctl 8 56interface to limit the 57.Xr VNET 9 58jail's ability to set IPv4 and IPv6 addresses. 59So, the host can 60define rules for jails and their interfaces about IP addresses 61with 62.Xr sysctl 8 63MIBs. 64.Pp 65Its default behavior is to deny all IP addresses for the jail if 66.Nm 67policy is enforced and allow/deny IP (or subnets) according to the 68.Va security.mac.ipacl.rules 69string specified with 70.Xr sysctl 8 71.Ss Runtime Configuration 72The following 73.Xr sysctl 8 74MIBs are used to control enforcement and behavior of this MAC Policy. 75.Bl -tag -width indent 76.It Va security.mac.ipacl.ipv4 77Enforce 78.Nm 79for IPv4 addresses. 80(Default: 1). 81.It Va security.mac.ipacl.ipv6 82Enforce 83.Nm 84for IPv6 addresses. 85(Default: 1). 86.It Va security.mac.ipacl.rules 87The IP address access control list is specified in the following format: 88.Pp 89.Sm off 90.D1 jid , allow , interface , addr_family , IP_addr / prefix Op @ jid , ... 91.Sm on 92.Bl -tag -width "interface" 93.It jid 94Describe the jail id of the jail for which the rule is written. 95.It allow 961 for allow and 0 for deny. 97Decides action performed for the rule. 98.It interface 99Name of the interface the rule is enforced for. 100If the interface is left empty then it is a wildcard to enforce the 101rule for all interfaces. 102.It addr_family 103Address family of the IP_addr. 104The input to be given as AF_INET or AF_INET6 105string only. 106.It IP_addr 107IP address (or subnet) to be allowed/denied. 108Action depends on the prefix length. 109.It prefix 110Prefix length of the subnet to be enforced by the policy. 111-1 implies the policy is enforced for the individual IP address. 112For a non-negative value, a range of IP addresses (present in subnet) 113which is calculated as subnet = IP_addr & mask. 114.El 115.El 116.Sh EXAMPLES 117Behavior of the 118.Nm 119policy module for different inputs of sysctl variable: 120.Bl -tag -width "1." 121.It 1. 122Assign ipv4=1, ipv6=0 and rules="1,1,,AF_INET,169.254.123.123/-1" 123.Pp 124It allow only 169.254.123.123 IPv4 address for all interfaces (wildcard) of jail 1. 125It allows all IPv6 addresses since the policy is not enforced for IPv6. 126.It 2. 127Assign ipv4=1, ipv6=1 and rules="1,1,epair0b,AF_INET6,fe80::/32@1,0,epair0b,AF_INET6,fe80::abcd/-1" 128.Pp 129It denies all IPv4 addresses as the policy is enforced but no rules are specified 130about it. 131It allows all IPv6 addresses in subnet fe80::/32 except 132fe80::abcd for interface epair0b only. 133.It 3. 134Assign ipv4=1, ipv6=1, rules="2,1,,AF_INET6,fc00::/7@2,0,,AF_INET6,fc00::1111:2200/120@2,1,,AF_INET6,fc00::1111:2299/-1@1,1,,AF_INET,198.51.100.0/24" 135.Pp 136It allows IPv4 in subnet 198.51.100.0/24 for jail 2 and 137all interfaces. 138It allows IPv6 addresses in subnet fc00::/7 but 139denies subnet fc00::1111:2200/120, and allows individual IP 140fc00::1111:2299 from the denied subnet for all interfaces in jail 2. 141.El 142Please refer to mac/ipacl tests-framework for wide variety of examples on using 143the ipacl module. 144.Sh LIMITATIONS/PRECAUTIONS 145In the case where multiple rules are applicable to an IP address or 146a set of IP addresses, the rule that is defined later in the list 147determines the outcome, disregarding any previous rule for that IP 148address. 149.Sh FUTURE WORKS 150Rules are given with sysctl interface which gets very complex to give them 151all in command line. 152It has to be simplified with a better way to input those rules. 153.Sh SEE ALSO 154.Xr mac 4 , 155.Xr mac 9 156.Sh AUTHORS 157The 158.Nm 159policy module was developed as a Google Summer of Code Project in 2019 160by 161.An -nosplit 162.An "Shivank Garg" Aq Mt shivank@FreeBSD.org 163under the guidance of 164.An "Bjoern A. Zeeb" Aq Mt bz@FreeBSD.org . 165