2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4 * Copyright (c) 1994 Ugen J.S.Antsilevich
6 * Idea and grammar partially left from:
7 * Copyright (c) 1993 Daniel Boulet
9 * Redistribution and use in source forms, with and without modification,
10 * are permitted provided that this entire comment appears intact.
12 * Redistribution in binary form may occur without any restrictions.
13 * Obviously, it would be nice if you gave credit where credit is due
14 * but requiring it would be too onerous.
16 * This software is provided ``AS IS'' without any warranties of any kind.
18 * NEW command line interface for IP firewall facility
20 * $FreeBSD: head/sbin/ipfw/ipv6.c 187770 2009-01-27 12:01:30Z luigi $
25 #include <sys/types.h>
26 #include <sys/socket.h>
38 #include <netinet/in.h>
39 #include <netinet/in_systm.h>
40 #include <netinet/ip.h>
41 #include <netinet/icmp6.h>
42 #include <netinet/ip_fw.h>
43 #include <arpa/inet.h>
45 static struct _s_x icmp6codes[] = {
46 { "no-route", ICMP6_DST_UNREACH_NOROUTE },
47 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN },
48 { "address", ICMP6_DST_UNREACH_ADDR },
49 { "port", ICMP6_DST_UNREACH_NOPORT },
54 fill_unreach6_code(u_short *codep, char *str)
59 val = strtoul(str, &s, 0);
60 if (s == str || *s != '\0' || val >= 0x100)
61 val = match_token(icmp6codes, str);
63 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
69 print_unreach6_code(uint16_t code)
71 char const *s = match_value(icmp6codes, code);
74 printf("unreach6 %s", s);
76 printf("unreach6 %u", code);
80 * Print the ip address contained in a command.
83 print_ip6(ipfw_insn_ip6 *cmd, char const *s)
85 struct hostent *he = NULL;
86 int len = F_LEN((ipfw_insn *) cmd) - 1;
87 struct in6_addr *a = &(cmd->addr6);
90 printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
92 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
96 if (cmd->o.opcode == O_IP6) {
102 * len == 4 indicates a single IP, whereas lists of 1 or more
103 * addr/mask pairs have len = (2n+1). We convert len to n so we
104 * use that to count the number of entries.
107 for (len = len / 4; len > 0; len -= 2, a += 2) {
108 int mb = /* mask length */
109 (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ?
110 128 : contigmask((uint8_t *)&(a[1]), 128);
112 if (mb == 128 && co.do_resolv)
113 he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6);
114 if (he != NULL) /* resolved to name */
115 printf("%s", he->h_name);
116 else if (mb == 0) /* any */
118 else { /* numeric IP followed by some kind of mask */
119 if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL)
120 printf("Error ntop in print_ip6\n");
122 if (mb < 0) /* XXX not really legal... */
124 inet_ntop(AF_INET6, &a[1], trad, sizeof(trad)));
134 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av)
138 bzero(cmd, sizeof(*cmd));
142 type = strtoul(av, &av, 0);
143 if (*av != ',' && *av != '\0')
144 errx(EX_DATAERR, "invalid ICMP6 type");
146 * XXX: shouldn't this be 0xFF? I can't see any reason why
147 * we shouldn't be able to filter all possiable values
148 * regardless of the ability of the rest of the kernel to do
149 * anything useful with them.
151 if (type > ICMP6_MAXTYPE)
152 errx(EX_DATAERR, "ICMP6 type out of range");
153 cmd->d[type / 32] |= ( 1 << (type % 32));
155 cmd->o.opcode = O_ICMP6TYPE;
156 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
161 print_icmp6types(ipfw_insn_u32 *cmd)
166 printf(" ip6 icmp6types");
167 for (i = 0; i < 7; i++)
168 for (j=0; j < 32; ++j) {
169 if ( (cmd->d[i] & (1 << (j))) == 0)
171 printf("%c%d", sep, (i*32 + j));
177 print_flow6id( ipfw_insn_u32 *cmd)
179 uint16_t i, limit = cmd->o.arg1;
183 for( i=0; i < limit; ++i) {
186 printf("%d%c", cmd->d[i], sep);
190 /* structure and define for the extension header in ipv6 */
191 static struct _s_x ext6hdrcodes[] = {
192 { "frag", EXT_FRAGMENT },
193 { "hopopt", EXT_HOPOPTS },
194 { "route", EXT_ROUTING },
195 { "dstopt", EXT_DSTOPTS },
198 { "rthdr0", EXT_RTHDR0 },
199 { "rthdr2", EXT_RTHDR2 },
203 /* fills command for the extension header filtering */
205 fill_ext6hdr( ipfw_insn *cmd, char *av)
213 av = strsep( &s, ",") ;
214 tok = match_token(ext6hdrcodes, av);
217 cmd->arg1 |= EXT_FRAGMENT;
221 cmd->arg1 |= EXT_HOPOPTS;
225 cmd->arg1 |= EXT_ROUTING;
229 cmd->arg1 |= EXT_DSTOPTS;
237 cmd->arg1 |= EXT_ESP;
241 cmd->arg1 |= EXT_RTHDR0;
245 cmd->arg1 |= EXT_RTHDR2;
249 errx( EX_DATAERR, "invalid option for ipv6 exten header" );
255 cmd->opcode = O_EXT_HDR;
256 cmd->len |= F_INSN_SIZE( ipfw_insn );
261 print_ext6hdr( ipfw_insn *cmd )
265 printf(" extension header:");
266 if (cmd->arg1 & EXT_FRAGMENT ) {
267 printf("%cfragmentation", sep);
270 if (cmd->arg1 & EXT_HOPOPTS ) {
271 printf("%chop options", sep);
274 if (cmd->arg1 & EXT_ROUTING ) {
275 printf("%crouting options", sep);
278 if (cmd->arg1 & EXT_RTHDR0 ) {
279 printf("%crthdr0", sep);
282 if (cmd->arg1 & EXT_RTHDR2 ) {
283 printf("%crthdr2", sep);
286 if (cmd->arg1 & EXT_DSTOPTS ) {
287 printf("%cdestination options", sep);
290 if (cmd->arg1 & EXT_AH ) {
291 printf("%cauthentication header", sep);
294 if (cmd->arg1 & EXT_ESP ) {
295 printf("%cencapsulated security payload", sep);
299 /* Try to find ipv6 address by hostname */
301 lookup_host6 (char *host, struct in6_addr *ip6addr)
305 if (!inet_pton(AF_INET6, host, ip6addr)) {
306 if ((he = gethostbyname2(host, AF_INET6)) == NULL)
308 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
315 * fill the addr and mask fields in the instruction as appropriate from av.
316 * Update length as appropriate.
317 * The following formats are allowed:
318 * any matches any IP6. Actually returns an empty instruction.
319 * me returns O_IP6_*_ME
321 * 03f1::234:123:0342 single IP6 addres
322 * 03f1::234:123:0342/24 address/mask
323 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address
325 * Set of address (as in ipv6) not supported because ipv6 address
326 * are typically random past the initial prefix.
327 * Return 1 on success, 0 on failure.
330 fill_ip6(ipfw_insn_ip6 *cmd, char *av)
333 struct in6_addr *d = &(cmd->addr6);
335 * Needed for multiple address.
336 * Note d[1] points to struct in6_add r mask6 of cmd
339 cmd->o.len &= ~F_LEN_MASK; /* zero len */
341 if (strcmp(av, "any") == 0)
345 if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/
346 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
350 if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/
351 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
358 * After the address we can have '/' indicating a mask,
359 * or ',' indicating another address follows.
366 if ((p = strpbrk(av, "/,")) ) {
367 md = *p; /* save the separator */
368 *p = '\0'; /* terminate address string */
369 p++; /* and skip past it */
371 /* now p points to NULL, mask or next entry */
373 /* lookup stores address in *d as a side effect */
374 if (lookup_host6(av, d) != 0) {
375 /* XXX: failed. Free memory and go */
376 errx(EX_DATAERR, "bad address \"%s\"", av);
378 /* next, look at the mask, if any */
379 masklen = (md == '/') ? atoi(p) : 128;
380 if (masklen > 128 || masklen < 0)
381 errx(EX_DATAERR, "bad width \"%s\''", p);
383 n2mask(&d[1], masklen);
385 APPLY_MASK(d, &d[1]) /* mask base address with mask */
387 /* find next separator */
389 if (md == '/') { /* find separator past the mask */
396 /* Check this entry */
399 * 'any' turns the entire list into a NOP.
400 * 'not any' never matches, so it is removed from the
401 * list unless it is the only item, in which case we
404 if (cmd->o.len & F_NOT && av == NULL && len == 0)
405 errx(EX_DATAERR, "not any never matches");
410 * A single IP can be stored alone
412 if (masklen == 128 && av == NULL && len == 0) {
413 len = F_INSN_SIZE(struct in6_addr);
417 /* Update length and pointer to arguments */
418 len += F_INSN_SIZE(struct in6_addr)*2;
423 * Total length of the command, remember that 1 is the size of
426 if (len + 1 > F_LEN_MASK)
427 errx(EX_DATAERR, "address list too long");
434 * fills command for ipv6 flow-id filtering
435 * note that the 20 bit flow number is stored in a array of u_int32_t
436 * it's supported lists of flow-id, so in the o.arg1 we store how many
437 * additional flow-id we want to filter, the basic is 1
440 fill_flow6( ipfw_insn_u32 *cmd, char *av )
442 u_int32_t type; /* Current flow number */
443 u_int16_t nflow = 0; /* Current flow index */
445 cmd->d[0] = 0; /* Initializing the base number*/
448 av = strsep( &s, ",") ;
449 type = strtoul(av, &av, 0);
450 if (*av != ',' && *av != '\0')
451 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
453 errx(EX_DATAERR, "flow number out of range %s", av);
454 cmd->d[nflow] |= type;
458 cmd->o.opcode = O_FLOW6ID;
459 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
463 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
468 add_srcip6(ipfw_insn *cmd, char *av)
471 fill_ip6((ipfw_insn_ip6 *)cmd, av);
472 if (F_LEN(cmd) == 0) { /* any */
473 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
474 cmd->opcode = O_IP6_SRC_ME;
475 } else if (F_LEN(cmd) ==
476 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
477 /* single IP, no mask*/
478 cmd->opcode = O_IP6_SRC;
479 } else { /* addr/mask opt */
480 cmd->opcode = O_IP6_SRC_MASK;
486 add_dstip6(ipfw_insn *cmd, char *av)
489 fill_ip6((ipfw_insn_ip6 *)cmd, av);
490 if (F_LEN(cmd) == 0) { /* any */
491 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
492 cmd->opcode = O_IP6_DST_ME;
493 } else if (F_LEN(cmd) ==
494 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
495 /* single IP, no mask*/
496 cmd->opcode = O_IP6_DST;
497 } else { /* addr/mask opt */
498 cmd->opcode = O_IP6_DST_MASK;