1 /*-
2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4 * Copyright (c) 1994 Ugen J.S.Antsilevich
5 *
6 * Idea and grammar partially left from:
7 * Copyright (c) 1993 Daniel Boulet
8 *
9 * Redistribution and use in source forms, with and without modification,
10 * are permitted provided that this entire comment appears intact.
11 *
12 * Redistribution in binary form may occur without any restrictions.
13 * Obviously, it would be nice if you gave credit where credit is due
14 * but requiring it would be too onerous.
15 *
16 * This software is provided ``AS IS'' without any warranties of any kind.
17 *
18 * NEW command line interface for IP firewall facility
19 *
20 * $FreeBSD$
21 *
22 * ipv6 support
23 */
24
25 #include <sys/types.h>
26 #include <sys/socket.h>
27
28 #include "ipfw2.h"
29
30 #include <err.h>
31 #include <netdb.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <sysexits.h>
36
37 #include <net/if.h>
38 #include <netinet/in.h>
39 #include <netinet/in_systm.h>
40 #include <netinet/ip.h>
41 #include <netinet/icmp6.h>
42 #include <netinet/ip_fw.h>
43 #include <arpa/inet.h>
44
45 #ifdef FSTACK
46 #include "compat.h"
47 #endif
48
49 #define CHECK_LENGTH(v, len) do { \
50 if ((v) < (len)) \
51 errx(EX_DATAERR, "Rule too long"); \
52 } while (0)
53
54 static struct _s_x icmp6codes[] = {
55 { "no-route", ICMP6_DST_UNREACH_NOROUTE },
56 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN },
57 { "address", ICMP6_DST_UNREACH_ADDR },
58 { "port", ICMP6_DST_UNREACH_NOPORT },
59 { NULL, 0 }
60 };
61
62 void
fill_unreach6_code(u_short * codep,char * str)63 fill_unreach6_code(u_short *codep, char *str)
64 {
65 int val;
66 char *s;
67
68 val = strtoul(str, &s, 0);
69 if (s == str || *s != '\0' || val >= 0x100)
70 val = match_token(icmp6codes, str);
71 if (val < 0)
72 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
73 *codep = val;
74 return;
75 }
76
77 void
print_unreach6_code(struct buf_pr * bp,uint16_t code)78 print_unreach6_code(struct buf_pr *bp, uint16_t code)
79 {
80 char const *s = match_value(icmp6codes, code);
81
82 if (s != NULL)
83 bprintf(bp, "unreach6 %s", s);
84 else
85 bprintf(bp, "unreach6 %u", code);
86 }
87
88 /*
89 * Print the ip address contained in a command.
90 */
91 void
print_ip6(struct buf_pr * bp,const ipfw_insn_ip6 * cmd)92 print_ip6(struct buf_pr *bp, const ipfw_insn_ip6 *cmd)
93 {
94 char trad[255];
95 struct hostent *he = NULL;
96 const struct in6_addr *a = &(cmd->addr6);
97 int len, mb;
98
99 len = F_LEN((const ipfw_insn *)cmd) - 1;
100 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
101 bprintf(bp, " me6");
102 return;
103 }
104 if (cmd->o.opcode == O_IP6) {
105 bprintf(bp, " ip6");
106 return;
107 }
108
109 /*
110 * len == 4 indicates a single IP, whereas lists of 1 or more
111 * addr/mask pairs have len = (2n+1). We convert len to n so we
112 * use that to count the number of entries.
113 */
114 bprintf(bp, " ");
115 for (len = len / 4; len > 0; len -= 2, a += 2) {
116 /* mask length */
117 mb = (cmd->o.opcode == O_IP6_SRC ||
118 cmd->o.opcode == O_IP6_DST) ? 128:
119 contigmask((const uint8_t *)&(a[1]), 128);
120
121 #ifndef FSTACK
122 if (mb == 128 && g_co.do_resolv)
123 he = gethostbyaddr((const char *)a, sizeof(*a),
124 AF_INET6);
125
126 if (he != NULL) /* resolved to name */
127 bprintf(bp, "%s", he->h_name);
128 else if (mb == 0) /* any */
129 #else
130 if (mb == 0) /* any */
131 #endif
132 bprintf(bp, "any");
133 else { /* numeric IP followed by some kind of mask */
134 if (inet_ntop(AF_INET6_LINUX, a, trad,
135 sizeof(trad)) == NULL)
136 bprintf(bp, "Error ntop in print_ip6\n");
137 bprintf(bp, "%s", trad );
138 if (mb < 0) /* mask not contiguous */
139 bprintf(bp, "/%s", inet_ntop(AF_INET6_LINUX, &a[1],
140 trad, sizeof(trad)));
141 else if (mb < 128)
142 bprintf(bp, "/%d", mb);
143 }
144 if (len > 2)
145 bprintf(bp, ",");
146 }
147 }
148
149 void
fill_icmp6types(ipfw_insn_icmp6 * cmd,char * av,int cblen)150 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
151 {
152 uint8_t type;
153
154 CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn_icmp6));
155 memset(cmd, 0, sizeof(*cmd));
156 while (*av) {
157 if (*av == ',')
158 av++;
159 type = strtoul(av, &av, 0);
160 if (*av != ',' && *av != '\0')
161 errx(EX_DATAERR, "invalid ICMP6 type");
162 /*
163 * XXX: shouldn't this be 0xFF? I can't see any reason why
164 * we shouldn't be able to filter all possiable values
165 * regardless of the ability of the rest of the kernel to do
166 * anything useful with them.
167 */
168 if (type > ICMP6_MAXTYPE)
169 errx(EX_DATAERR, "ICMP6 type out of range");
170 cmd->d[type / 32] |= ( 1 << (type % 32));
171 }
172 cmd->o.opcode = O_ICMP6TYPE;
173 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
174 }
175
176 void
print_icmp6types(struct buf_pr * bp,const ipfw_insn_u32 * cmd)177 print_icmp6types(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
178 {
179 int i, j;
180 char sep= ' ';
181
182 bprintf(bp, " icmp6types");
183 for (i = 0; i < 7; i++)
184 for (j=0; j < 32; ++j) {
185 if ( (cmd->d[i] & (1 << (j))) == 0)
186 continue;
187 bprintf(bp, "%c%d", sep, (i*32 + j));
188 sep = ',';
189 }
190 }
191
192 void
print_flow6id(struct buf_pr * bp,const ipfw_insn_u32 * cmd)193 print_flow6id(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
194 {
195 uint16_t i, limit = cmd->o.arg1;
196 char sep = ',';
197
198 bprintf(bp, " flow-id ");
199 for( i=0; i < limit; ++i) {
200 if (i == limit - 1)
201 sep = ' ';
202 bprintf(bp, "%d%c", cmd->d[i], sep);
203 }
204 }
205
206 /* structure and define for the extension header in ipv6 */
207 static struct _s_x ext6hdrcodes[] = {
208 { "frag", EXT_FRAGMENT },
209 { "hopopt", EXT_HOPOPTS },
210 { "route", EXT_ROUTING },
211 { "dstopt", EXT_DSTOPTS },
212 { "ah", EXT_AH },
213 { "esp", EXT_ESP },
214 { "rthdr0", EXT_RTHDR0 },
215 { "rthdr2", EXT_RTHDR2 },
216 { NULL, 0 }
217 };
218
219 /* fills command for the extension header filtering */
220 int
fill_ext6hdr(ipfw_insn * cmd,char * av)221 fill_ext6hdr( ipfw_insn *cmd, char *av)
222 {
223 int tok;
224 char *s = av;
225
226 cmd->arg1 = 0;
227 while(s) {
228 av = strsep( &s, ",") ;
229 tok = match_token(ext6hdrcodes, av);
230 switch (tok) {
231 case EXT_FRAGMENT:
232 cmd->arg1 |= EXT_FRAGMENT;
233 break;
234 case EXT_HOPOPTS:
235 cmd->arg1 |= EXT_HOPOPTS;
236 break;
237 case EXT_ROUTING:
238 cmd->arg1 |= EXT_ROUTING;
239 break;
240 case EXT_DSTOPTS:
241 cmd->arg1 |= EXT_DSTOPTS;
242 break;
243 case EXT_AH:
244 cmd->arg1 |= EXT_AH;
245 break;
246 case EXT_ESP:
247 cmd->arg1 |= EXT_ESP;
248 break;
249 case EXT_RTHDR0:
250 cmd->arg1 |= EXT_RTHDR0;
251 break;
252 case EXT_RTHDR2:
253 cmd->arg1 |= EXT_RTHDR2;
254 break;
255 default:
256 errx(EX_DATAERR,
257 "invalid option for ipv6 exten header");
258 break;
259 }
260 }
261 if (cmd->arg1 == 0)
262 return (0);
263 cmd->opcode = O_EXT_HDR;
264 cmd->len |= F_INSN_SIZE(ipfw_insn);
265 return (1);
266 }
267
268 void
print_ext6hdr(struct buf_pr * bp,const ipfw_insn * cmd)269 print_ext6hdr(struct buf_pr *bp, const ipfw_insn *cmd )
270 {
271 char sep = ' ';
272
273 bprintf(bp, " extension header:");
274 if (cmd->arg1 & EXT_FRAGMENT) {
275 bprintf(bp, "%cfragmentation", sep);
276 sep = ',';
277 }
278 if (cmd->arg1 & EXT_HOPOPTS) {
279 bprintf(bp, "%chop options", sep);
280 sep = ',';
281 }
282 if (cmd->arg1 & EXT_ROUTING) {
283 bprintf(bp, "%crouting options", sep);
284 sep = ',';
285 }
286 if (cmd->arg1 & EXT_RTHDR0) {
287 bprintf(bp, "%crthdr0", sep);
288 sep = ',';
289 }
290 if (cmd->arg1 & EXT_RTHDR2) {
291 bprintf(bp, "%crthdr2", sep);
292 sep = ',';
293 }
294 if (cmd->arg1 & EXT_DSTOPTS) {
295 bprintf(bp, "%cdestination options", sep);
296 sep = ',';
297 }
298 if (cmd->arg1 & EXT_AH) {
299 bprintf(bp, "%cauthentication header", sep);
300 sep = ',';
301 }
302 if (cmd->arg1 & EXT_ESP) {
303 bprintf(bp, "%cencapsulated security payload", sep);
304 }
305 }
306
307 /* Try to find ipv6 address by hostname */
308 static int
lookup_host6(char * host,struct in6_addr * ip6addr)309 lookup_host6 (char *host, struct in6_addr *ip6addr)
310 {
311 struct hostent *he;
312
313 if (!inet_pton(AF_INET6_LINUX, host, ip6addr)) {
314 #ifndef FSTACK
315 if ((he = gethostbyname2(host, AF_INET6)) == NULL)
316 #endif
317 return(-1);
318 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
319 }
320 return (0);
321 }
322
323
324 /*
325 * fill the addr and mask fields in the instruction as appropriate from av.
326 * Update length as appropriate.
327 * The following formats are allowed:
328 * any matches any IP6. Actually returns an empty instruction.
329 * me returns O_IP6_*_ME
330 *
331 * 03f1::234:123:0342 single IP6 address
332 * 03f1::234:123:0342/24 address/masklen
333 * 03f1::234:123:0342/ffff::ffff:ffff address/mask
334 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address
335 *
336 * Set of address (as in ipv6) not supported because ipv6 address
337 * are typically random past the initial prefix.
338 * Return 1 on success, 0 on failure.
339 */
340 static int
fill_ip6(ipfw_insn_ip6 * cmd,char * av,int cblen,struct tidx * tstate)341 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
342 {
343 int len = 0;
344 struct in6_addr *d = &(cmd->addr6);
345 char *oav;
346 /*
347 * Needed for multiple address.
348 * Note d[1] points to struct in6_add r mask6 of cmd
349 */
350
351 cmd->o.len &= ~F_LEN_MASK; /* zero len */
352
353 if (strcmp(av, "any") == 0)
354 return (1);
355
356 /* Set the data for "me" opt */
357 if (strcmp(av, "me") == 0 || strcmp(av, "me6") == 0) {
358 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
359 return (1);
360 }
361
362 if (strncmp(av, "table(", 6) == 0) {
363 fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
364 return (1);
365 }
366
367 oav = av = strdup(av);
368 while (av) {
369 /*
370 * After the address we can have '/' indicating a mask,
371 * or ',' indicating another address follows.
372 */
373
374 char *p, *q;
375 int masklen;
376 char md = '\0';
377
378 CHECK_LENGTH(cblen,
379 1 + len + 2 * (int)F_INSN_SIZE(struct in6_addr));
380
381 if ((q = strchr(av, ',')) ) {
382 *q = '\0';
383 q++;
384 }
385
386 if ((p = strchr(av, '/')) ) {
387 md = *p; /* save the separator */
388 *p = '\0'; /* terminate address string */
389 p++; /* and skip past it */
390 }
391 /* now p points to NULL, mask or next entry */
392
393 /* lookup stores address in *d as a side effect */
394 if (lookup_host6(av, d) != 0) {
395 /* XXX: failed. Free memory and go */
396 errx(EX_DATAERR, "bad address \"%s\"", av);
397 }
398 /* next, look at the mask, if any */
399 if (md == '/' && strchr(p, ':')) {
400 if (!inet_pton(AF_INET6_LINUX, p, &d[1]))
401 errx(EX_DATAERR, "bad mask \"%s\"", p);
402
403 masklen = contigmask((uint8_t *)&(d[1]), 128);
404 } else {
405 masklen = (md == '/') ? atoi(p) : 128;
406 if (masklen > 128 || masklen < 0)
407 errx(EX_DATAERR, "bad width \"%s\''", p);
408 else
409 n2mask(&d[1], masklen);
410 }
411
412 APPLY_MASK(d, &d[1]); /* mask base address with mask */
413
414 av = q;
415
416 /* Check this entry */
417 if (masklen == 0) {
418 /*
419 * 'any' turns the entire list into a NOP.
420 * 'not any' never matches, so it is removed from the
421 * list unless it is the only item, in which case we
422 * report an error.
423 */
424 if (cmd->o.len & F_NOT && av == NULL && len == 0)
425 errx(EX_DATAERR, "not any never matches");
426 continue;
427 }
428
429 /*
430 * A single IP can be stored alone
431 */
432 if (masklen == 128 && av == NULL && len == 0) {
433 len = F_INSN_SIZE(struct in6_addr);
434 break;
435 }
436
437 /* Update length and pointer to arguments */
438 len += F_INSN_SIZE(struct in6_addr)*2;
439 d += 2;
440 } /* end while */
441
442 /*
443 * Total length of the command, remember that 1 is the size of
444 * the base command.
445 */
446 if (len + 1 > F_LEN_MASK)
447 errx(EX_DATAERR, "address list too long");
448 cmd->o.len |= len+1;
449 free(oav);
450 return (1);
451 }
452
453 /*
454 * fills command for ipv6 flow-id filtering
455 * note that the 20 bit flow number is stored in a array of u_int32_t
456 * it's supported lists of flow-id, so in the o.arg1 we store how many
457 * additional flow-id we want to filter, the basic is 1
458 */
459 void
fill_flow6(ipfw_insn_u32 * cmd,char * av,int cblen)460 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)
461 {
462 u_int32_t type; /* Current flow number */
463 u_int16_t nflow = 0; /* Current flow index */
464 char *s = av;
465 cmd->d[0] = 0; /* Initializing the base number*/
466
467 while (s) {
468 CHECK_LENGTH(cblen,
469 (int)F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
470
471 av = strsep( &s, ",") ;
472 type = strtoul(av, &av, 0);
473 if (*av != ',' && *av != '\0')
474 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
475 if (type > 0xfffff)
476 errx(EX_DATAERR, "flow number out of range %s", av);
477 cmd->d[nflow] |= type;
478 nflow++;
479 }
480 if( nflow > 0 ) {
481 cmd->o.opcode = O_FLOW6ID;
482 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
483 cmd->o.arg1 = nflow;
484 }
485 else {
486 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
487 }
488 }
489
490 ipfw_insn *
add_srcip6(ipfw_insn * cmd,char * av,int cblen,struct tidx * tstate)491 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
492 {
493
494 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
495 if (cmd->opcode == O_IP_DST_SET) /* set */
496 cmd->opcode = O_IP_SRC_SET;
497 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
498 cmd->opcode = O_IP_SRC_LOOKUP;
499 else if (F_LEN(cmd) == 0) { /* any */
500 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
501 cmd->opcode = O_IP6_SRC_ME;
502 } else if (F_LEN(cmd) ==
503 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
504 /* single IP, no mask*/
505 cmd->opcode = O_IP6_SRC;
506 } else { /* addr/mask opt */
507 cmd->opcode = O_IP6_SRC_MASK;
508 }
509 return cmd;
510 }
511
512 ipfw_insn *
add_dstip6(ipfw_insn * cmd,char * av,int cblen,struct tidx * tstate)513 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
514 {
515
516 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);
517 if (cmd->opcode == O_IP_DST_SET) /* set */
518 ;
519 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
520 ;
521 else if (F_LEN(cmd) == 0) { /* any */
522 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
523 cmd->opcode = O_IP6_DST_ME;
524 } else if (F_LEN(cmd) ==
525 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
526 /* single IP, no mask*/
527 cmd->opcode = O_IP6_DST;
528 } else { /* addr/mask opt */
529 cmd->opcode = O_IP6_DST_MASK;
530 }
531 return cmd;
532 }
533