1 /*- 2 * Copyright (c) 2002-2003 Luigi Rizzo 3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp 4 * Copyright (c) 1994 Ugen J.S.Antsilevich 5 * 6 * Idea and grammar partially left from: 7 * Copyright (c) 1993 Daniel Boulet 8 * 9 * Redistribution and use in source forms, with and without modification, 10 * are permitted provided that this entire comment appears intact. 11 * 12 * Redistribution in binary form may occur without any restrictions. 13 * Obviously, it would be nice if you gave credit where credit is due 14 * but requiring it would be too onerous. 15 * 16 * This software is provided ``AS IS'' without any warranties of any kind. 17 * 18 * NEW command line interface for IP firewall facility 19 * 20 * $FreeBSD$ 21 * 22 * ipv6 support 23 */ 24 25 #include <sys/types.h> 26 #include <sys/socket.h> 27 28 #include "ipfw2.h" 29 30 #include <err.h> 31 #include <netdb.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <sysexits.h> 36 37 #include <net/if.h> 38 #include <netinet/in.h> 39 #include <netinet/in_systm.h> 40 #include <netinet/ip.h> 41 #include <netinet/icmp6.h> 42 #include <netinet/ip_fw.h> 43 #include <arpa/inet.h> 44 45 #ifdef FSTACK 46 #include "compat.h" 47 #endif 48 49 #define CHECK_LENGTH(v, len) do { \ 50 if ((v) < (len)) \ 51 errx(EX_DATAERR, "Rule too long"); \ 52 } while (0) 53 54 static struct _s_x icmp6codes[] = { 55 { "no-route", ICMP6_DST_UNREACH_NOROUTE }, 56 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN }, 57 { "address", ICMP6_DST_UNREACH_ADDR }, 58 { "port", ICMP6_DST_UNREACH_NOPORT }, 59 { NULL, 0 } 60 }; 61 62 void 63 fill_unreach6_code(u_short *codep, char *str) 64 { 65 int val; 66 char *s; 67 68 val = strtoul(str, &s, 0); 69 if (s == str || *s != '\0' || val >= 0x100) 70 val = match_token(icmp6codes, str); 71 if (val < 0) 72 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str); 73 *codep = val; 74 return; 75 } 76 77 void 78 print_unreach6_code(struct buf_pr *bp, uint16_t code) 79 { 80 char const *s = match_value(icmp6codes, code); 81 82 if (s != NULL) 83 bprintf(bp, "unreach6 %s", s); 84 else 85 bprintf(bp, "unreach6 %u", code); 86 } 87 88 /* 89 * Print the ip address contained in a command. 90 */ 91 void 92 print_ip6(struct buf_pr *bp, const ipfw_insn_ip6 *cmd) 93 { 94 char trad[255]; 95 struct hostent *he = NULL; 96 const struct in6_addr *a = &(cmd->addr6); 97 int len, mb; 98 99 len = F_LEN((const ipfw_insn *)cmd) - 1; 100 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { 101 bprintf(bp, " me6"); 102 return; 103 } 104 if (cmd->o.opcode == O_IP6) { 105 bprintf(bp, " ip6"); 106 return; 107 } 108 109 /* 110 * len == 4 indicates a single IP, whereas lists of 1 or more 111 * addr/mask pairs have len = (2n+1). We convert len to n so we 112 * use that to count the number of entries. 113 */ 114 bprintf(bp, " "); 115 for (len = len / 4; len > 0; len -= 2, a += 2) { 116 /* mask length */ 117 mb = (cmd->o.opcode == O_IP6_SRC || 118 cmd->o.opcode == O_IP6_DST) ? 128: 119 contigmask((const uint8_t *)&(a[1]), 128); 120 121 #ifndef FSTACK 122 if (mb == 128 && g_co.do_resolv) 123 he = gethostbyaddr((const char *)a, sizeof(*a), 124 AF_INET6); 125 126 if (he != NULL) /* resolved to name */ 127 bprintf(bp, "%s", he->h_name); 128 else if (mb == 0) /* any */ 129 #else 130 if (mb == 0) /* any */ 131 #endif 132 bprintf(bp, "any"); 133 else { /* numeric IP followed by some kind of mask */ 134 if (inet_ntop(AF_INET6_LINUX, a, trad, 135 sizeof(trad)) == NULL) 136 bprintf(bp, "Error ntop in print_ip6\n"); 137 bprintf(bp, "%s", trad ); 138 if (mb < 0) /* mask not contiguous */ 139 bprintf(bp, "/%s", inet_ntop(AF_INET6_LINUX, &a[1], 140 trad, sizeof(trad))); 141 else if (mb < 128) 142 bprintf(bp, "/%d", mb); 143 } 144 if (len > 2) 145 bprintf(bp, ","); 146 } 147 } 148 149 void 150 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen) 151 { 152 uint8_t type; 153 154 CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn_icmp6)); 155 memset(cmd, 0, sizeof(*cmd)); 156 while (*av) { 157 if (*av == ',') 158 av++; 159 type = strtoul(av, &av, 0); 160 if (*av != ',' && *av != '\0') 161 errx(EX_DATAERR, "invalid ICMP6 type"); 162 /* 163 * XXX: shouldn't this be 0xFF? I can't see any reason why 164 * we shouldn't be able to filter all possiable values 165 * regardless of the ability of the rest of the kernel to do 166 * anything useful with them. 167 */ 168 if (type > ICMP6_MAXTYPE) 169 errx(EX_DATAERR, "ICMP6 type out of range"); 170 cmd->d[type / 32] |= ( 1 << (type % 32)); 171 } 172 cmd->o.opcode = O_ICMP6TYPE; 173 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6); 174 } 175 176 void 177 print_icmp6types(struct buf_pr *bp, const ipfw_insn_u32 *cmd) 178 { 179 int i, j; 180 char sep= ' '; 181 182 bprintf(bp, " icmp6types"); 183 for (i = 0; i < 7; i++) 184 for (j=0; j < 32; ++j) { 185 if ( (cmd->d[i] & (1 << (j))) == 0) 186 continue; 187 bprintf(bp, "%c%d", sep, (i*32 + j)); 188 sep = ','; 189 } 190 } 191 192 void 193 print_flow6id(struct buf_pr *bp, const ipfw_insn_u32 *cmd) 194 { 195 uint16_t i, limit = cmd->o.arg1; 196 char sep = ','; 197 198 bprintf(bp, " flow-id "); 199 for( i=0; i < limit; ++i) { 200 if (i == limit - 1) 201 sep = ' '; 202 bprintf(bp, "%d%c", cmd->d[i], sep); 203 } 204 } 205 206 /* structure and define for the extension header in ipv6 */ 207 static struct _s_x ext6hdrcodes[] = { 208 { "frag", EXT_FRAGMENT }, 209 { "hopopt", EXT_HOPOPTS }, 210 { "route", EXT_ROUTING }, 211 { "dstopt", EXT_DSTOPTS }, 212 { "ah", EXT_AH }, 213 { "esp", EXT_ESP }, 214 { "rthdr0", EXT_RTHDR0 }, 215 { "rthdr2", EXT_RTHDR2 }, 216 { NULL, 0 } 217 }; 218 219 /* fills command for the extension header filtering */ 220 int 221 fill_ext6hdr( ipfw_insn *cmd, char *av) 222 { 223 int tok; 224 char *s = av; 225 226 cmd->arg1 = 0; 227 while(s) { 228 av = strsep( &s, ",") ; 229 tok = match_token(ext6hdrcodes, av); 230 switch (tok) { 231 case EXT_FRAGMENT: 232 cmd->arg1 |= EXT_FRAGMENT; 233 break; 234 case EXT_HOPOPTS: 235 cmd->arg1 |= EXT_HOPOPTS; 236 break; 237 case EXT_ROUTING: 238 cmd->arg1 |= EXT_ROUTING; 239 break; 240 case EXT_DSTOPTS: 241 cmd->arg1 |= EXT_DSTOPTS; 242 break; 243 case EXT_AH: 244 cmd->arg1 |= EXT_AH; 245 break; 246 case EXT_ESP: 247 cmd->arg1 |= EXT_ESP; 248 break; 249 case EXT_RTHDR0: 250 cmd->arg1 |= EXT_RTHDR0; 251 break; 252 case EXT_RTHDR2: 253 cmd->arg1 |= EXT_RTHDR2; 254 break; 255 default: 256 errx(EX_DATAERR, 257 "invalid option for ipv6 exten header"); 258 break; 259 } 260 } 261 if (cmd->arg1 == 0) 262 return (0); 263 cmd->opcode = O_EXT_HDR; 264 cmd->len |= F_INSN_SIZE(ipfw_insn); 265 return (1); 266 } 267 268 void 269 print_ext6hdr(struct buf_pr *bp, const ipfw_insn *cmd ) 270 { 271 char sep = ' '; 272 273 bprintf(bp, " extension header:"); 274 if (cmd->arg1 & EXT_FRAGMENT) { 275 bprintf(bp, "%cfragmentation", sep); 276 sep = ','; 277 } 278 if (cmd->arg1 & EXT_HOPOPTS) { 279 bprintf(bp, "%chop options", sep); 280 sep = ','; 281 } 282 if (cmd->arg1 & EXT_ROUTING) { 283 bprintf(bp, "%crouting options", sep); 284 sep = ','; 285 } 286 if (cmd->arg1 & EXT_RTHDR0) { 287 bprintf(bp, "%crthdr0", sep); 288 sep = ','; 289 } 290 if (cmd->arg1 & EXT_RTHDR2) { 291 bprintf(bp, "%crthdr2", sep); 292 sep = ','; 293 } 294 if (cmd->arg1 & EXT_DSTOPTS) { 295 bprintf(bp, "%cdestination options", sep); 296 sep = ','; 297 } 298 if (cmd->arg1 & EXT_AH) { 299 bprintf(bp, "%cauthentication header", sep); 300 sep = ','; 301 } 302 if (cmd->arg1 & EXT_ESP) { 303 bprintf(bp, "%cencapsulated security payload", sep); 304 } 305 } 306 307 /* Try to find ipv6 address by hostname */ 308 static int 309 lookup_host6 (char *host, struct in6_addr *ip6addr) 310 { 311 struct hostent *he; 312 313 if (!inet_pton(AF_INET6_LINUX, host, ip6addr)) { 314 #ifndef FSTACK 315 if ((he = gethostbyname2(host, AF_INET6)) == NULL) 316 #endif 317 return(-1); 318 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); 319 } 320 return (0); 321 } 322 323 324 /* 325 * fill the addr and mask fields in the instruction as appropriate from av. 326 * Update length as appropriate. 327 * The following formats are allowed: 328 * any matches any IP6. Actually returns an empty instruction. 329 * me returns O_IP6_*_ME 330 * 331 * 03f1::234:123:0342 single IP6 address 332 * 03f1::234:123:0342/24 address/masklen 333 * 03f1::234:123:0342/ffff::ffff:ffff address/mask 334 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address 335 * 336 * Set of address (as in ipv6) not supported because ipv6 address 337 * are typically random past the initial prefix. 338 * Return 1 on success, 0 on failure. 339 */ 340 static int 341 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate) 342 { 343 int len = 0; 344 struct in6_addr *d = &(cmd->addr6); 345 char *oav; 346 /* 347 * Needed for multiple address. 348 * Note d[1] points to struct in6_add r mask6 of cmd 349 */ 350 351 cmd->o.len &= ~F_LEN_MASK; /* zero len */ 352 353 if (strcmp(av, "any") == 0) 354 return (1); 355 356 /* Set the data for "me" opt */ 357 if (strcmp(av, "me") == 0 || strcmp(av, "me6") == 0) { 358 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 359 return (1); 360 } 361 362 if (strncmp(av, "table(", 6) == 0) { 363 fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate); 364 return (1); 365 } 366 367 oav = av = strdup(av); 368 while (av) { 369 /* 370 * After the address we can have '/' indicating a mask, 371 * or ',' indicating another address follows. 372 */ 373 374 char *p, *q; 375 int masklen; 376 char md = '\0'; 377 378 CHECK_LENGTH(cblen, 379 1 + len + 2 * (int)F_INSN_SIZE(struct in6_addr)); 380 381 if ((q = strchr(av, ',')) ) { 382 *q = '\0'; 383 q++; 384 } 385 386 if ((p = strchr(av, '/')) ) { 387 md = *p; /* save the separator */ 388 *p = '\0'; /* terminate address string */ 389 p++; /* and skip past it */ 390 } 391 /* now p points to NULL, mask or next entry */ 392 393 /* lookup stores address in *d as a side effect */ 394 if (lookup_host6(av, d) != 0) { 395 /* XXX: failed. Free memory and go */ 396 errx(EX_DATAERR, "bad address \"%s\"", av); 397 } 398 /* next, look at the mask, if any */ 399 if (md == '/' && strchr(p, ':')) { 400 if (!inet_pton(AF_INET6_LINUX, p, &d[1])) 401 errx(EX_DATAERR, "bad mask \"%s\"", p); 402 403 masklen = contigmask((uint8_t *)&(d[1]), 128); 404 } else { 405 masklen = (md == '/') ? atoi(p) : 128; 406 if (masklen > 128 || masklen < 0) 407 errx(EX_DATAERR, "bad width \"%s\''", p); 408 else 409 n2mask(&d[1], masklen); 410 } 411 412 APPLY_MASK(d, &d[1]); /* mask base address with mask */ 413 414 av = q; 415 416 /* Check this entry */ 417 if (masklen == 0) { 418 /* 419 * 'any' turns the entire list into a NOP. 420 * 'not any' never matches, so it is removed from the 421 * list unless it is the only item, in which case we 422 * report an error. 423 */ 424 if (cmd->o.len & F_NOT && av == NULL && len == 0) 425 errx(EX_DATAERR, "not any never matches"); 426 continue; 427 } 428 429 /* 430 * A single IP can be stored alone 431 */ 432 if (masklen == 128 && av == NULL && len == 0) { 433 len = F_INSN_SIZE(struct in6_addr); 434 break; 435 } 436 437 /* Update length and pointer to arguments */ 438 len += F_INSN_SIZE(struct in6_addr)*2; 439 d += 2; 440 } /* end while */ 441 442 /* 443 * Total length of the command, remember that 1 is the size of 444 * the base command. 445 */ 446 if (len + 1 > F_LEN_MASK) 447 errx(EX_DATAERR, "address list too long"); 448 cmd->o.len |= len+1; 449 free(oav); 450 return (1); 451 } 452 453 /* 454 * fills command for ipv6 flow-id filtering 455 * note that the 20 bit flow number is stored in a array of u_int32_t 456 * it's supported lists of flow-id, so in the o.arg1 we store how many 457 * additional flow-id we want to filter, the basic is 1 458 */ 459 void 460 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen) 461 { 462 u_int32_t type; /* Current flow number */ 463 u_int16_t nflow = 0; /* Current flow index */ 464 char *s = av; 465 cmd->d[0] = 0; /* Initializing the base number*/ 466 467 while (s) { 468 CHECK_LENGTH(cblen, 469 (int)F_INSN_SIZE(ipfw_insn_u32) + nflow + 1); 470 471 av = strsep( &s, ",") ; 472 type = strtoul(av, &av, 0); 473 if (*av != ',' && *av != '\0') 474 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 475 if (type > 0xfffff) 476 errx(EX_DATAERR, "flow number out of range %s", av); 477 cmd->d[nflow] |= type; 478 nflow++; 479 } 480 if( nflow > 0 ) { 481 cmd->o.opcode = O_FLOW6ID; 482 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow; 483 cmd->o.arg1 = nflow; 484 } 485 else { 486 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 487 } 488 } 489 490 ipfw_insn * 491 add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate) 492 { 493 494 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate); 495 if (cmd->opcode == O_IP_DST_SET) /* set */ 496 cmd->opcode = O_IP_SRC_SET; 497 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 498 cmd->opcode = O_IP_SRC_LOOKUP; 499 else if (F_LEN(cmd) == 0) { /* any */ 500 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 501 cmd->opcode = O_IP6_SRC_ME; 502 } else if (F_LEN(cmd) == 503 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 504 /* single IP, no mask*/ 505 cmd->opcode = O_IP6_SRC; 506 } else { /* addr/mask opt */ 507 cmd->opcode = O_IP6_SRC_MASK; 508 } 509 return cmd; 510 } 511 512 ipfw_insn * 513 add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate) 514 { 515 516 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate); 517 if (cmd->opcode == O_IP_DST_SET) /* set */ 518 ; 519 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 520 ; 521 else if (F_LEN(cmd) == 0) { /* any */ 522 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 523 cmd->opcode = O_IP6_DST_ME; 524 } else if (F_LEN(cmd) == 525 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 526 /* single IP, no mask*/ 527 cmd->opcode = O_IP6_DST; 528 } else { /* addr/mask opt */ 529 cmd->opcode = O_IP6_DST_MASK; 530 } 531 return cmd; 532 } 533