1 /* 2 * Copyright (c) 2002-2003 Luigi Rizzo 3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp 4 * Copyright (c) 1994 Ugen J.S.Antsilevich 5 * 6 * Idea and grammar partially left from: 7 * Copyright (c) 1993 Daniel Boulet 8 * 9 * Redistribution and use in source forms, with and without modification, 10 * are permitted provided that this entire comment appears intact. 11 * 12 * Redistribution in binary form may occur without any restrictions. 13 * Obviously, it would be nice if you gave credit where credit is due 14 * but requiring it would be too onerous. 15 * 16 * This software is provided ``AS IS'' without any warranties of any kind. 17 * 18 * NEW command line interface for IP firewall facility 19 * 20 * $FreeBSD$ 21 * 22 * ipv6 support 23 */ 24 25 #include <sys/types.h> 26 #include <sys/socket.h> 27 28 #include "ipfw2.h" 29 30 #include <err.h> 31 #include <netdb.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <sysexits.h> 36 37 #include <net/if.h> 38 #include <netinet/in.h> 39 #include <netinet/in_systm.h> 40 #include <netinet/ip.h> 41 #include <netinet/icmp6.h> 42 #include <netinet/ip_fw.h> 43 #include <arpa/inet.h> 44 45 #include "compat.h" 46 47 #define CHECK_LENGTH(v, len) do { \ 48 if ((v) < (len)) \ 49 errx(EX_DATAERR, "Rule too long"); \ 50 } while (0) 51 52 static struct _s_x icmp6codes[] = { 53 { "no-route", ICMP6_DST_UNREACH_NOROUTE }, 54 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN }, 55 { "address", ICMP6_DST_UNREACH_ADDR }, 56 { "port", ICMP6_DST_UNREACH_NOPORT }, 57 { NULL, 0 } 58 }; 59 60 void 61 fill_unreach6_code(u_short *codep, char *str) 62 { 63 int val; 64 char *s; 65 66 val = strtoul(str, &s, 0); 67 if (s == str || *s != '\0' || val >= 0x100) 68 val = match_token(icmp6codes, str); 69 if (val < 0) 70 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str); 71 *codep = val; 72 return; 73 } 74 75 void 76 print_unreach6_code(struct buf_pr *bp, uint16_t code) 77 { 78 char const *s = match_value(icmp6codes, code); 79 80 if (s != NULL) 81 bprintf(bp, "unreach6 %s", s); 82 else 83 bprintf(bp, "unreach6 %u", code); 84 } 85 86 /* 87 * Print the ip address contained in a command. 88 */ 89 void 90 print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd, char const *s) 91 { 92 struct hostent *he = NULL; 93 int len = F_LEN((ipfw_insn *) cmd) - 1; 94 struct in6_addr *a = &(cmd->addr6); 95 char trad[255]; 96 97 bprintf(bp, "%s%s ", cmd->o.len & F_NOT ? " not": "", s); 98 99 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { 100 bprintf(bp, "me6"); 101 return; 102 } 103 if (cmd->o.opcode == O_IP6) { 104 bprintf(bp, " ip6"); 105 return; 106 } 107 108 /* 109 * len == 4 indicates a single IP, whereas lists of 1 or more 110 * addr/mask pairs have len = (2n+1). We convert len to n so we 111 * use that to count the number of entries. 112 */ 113 114 for (len = len / 4; len > 0; len -= 2, a += 2) { 115 int mb = /* mask length */ 116 (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ? 117 128 : contigmask((uint8_t *)&(a[1]), 128); 118 119 if (mb == 128 && co.do_resolv) 120 he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6_LINUX); 121 if (he != NULL) /* resolved to name */ 122 bprintf(bp, "%s", he->h_name); 123 else if (mb == 0) /* any */ 124 bprintf(bp, "any"); 125 else { /* numeric IP followed by some kind of mask */ 126 if (inet_ntop(AF_INET6_LINUX, a, trad, sizeof( trad ) ) == NULL) 127 bprintf(bp, "Error ntop in print_ip6\n"); 128 bprintf(bp, "%s", trad ); 129 if (mb < 0) /* XXX not really legal... */ 130 bprintf(bp, ":%s", 131 inet_ntop(AF_INET6_LINUX, &a[1], trad, sizeof(trad))); 132 else if (mb < 128) 133 bprintf(bp, "/%d", mb); 134 } 135 if (len > 2) 136 bprintf(bp, ","); 137 } 138 } 139 140 void 141 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen) 142 { 143 uint8_t type; 144 145 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6)); 146 147 bzero(cmd, sizeof(*cmd)); 148 while (*av) { 149 if (*av == ',') 150 av++; 151 type = strtoul(av, &av, 0); 152 if (*av != ',' && *av != '\0') 153 errx(EX_DATAERR, "invalid ICMP6 type"); 154 /* 155 * XXX: shouldn't this be 0xFF? I can't see any reason why 156 * we shouldn't be able to filter all possiable values 157 * regardless of the ability of the rest of the kernel to do 158 * anything useful with them. 159 */ 160 if (type > ICMP6_MAXTYPE) 161 errx(EX_DATAERR, "ICMP6 type out of range"); 162 cmd->d[type / 32] |= ( 1 << (type % 32)); 163 } 164 cmd->o.opcode = O_ICMP6TYPE; 165 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6); 166 } 167 168 169 void 170 print_icmp6types(struct buf_pr *bp, ipfw_insn_u32 *cmd) 171 { 172 int i, j; 173 char sep= ' '; 174 175 bprintf(bp, " ip6 icmp6types"); 176 for (i = 0; i < 7; i++) 177 for (j=0; j < 32; ++j) { 178 if ( (cmd->d[i] & (1 << (j))) == 0) 179 continue; 180 bprintf(bp, "%c%d", sep, (i*32 + j)); 181 sep = ','; 182 } 183 } 184 185 void 186 print_flow6id(struct buf_pr *bp, ipfw_insn_u32 *cmd) 187 { 188 uint16_t i, limit = cmd->o.arg1; 189 char sep = ','; 190 191 bprintf(bp, " flow-id "); 192 for( i=0; i < limit; ++i) { 193 if (i == limit - 1) 194 sep = ' '; 195 bprintf(bp, "%d%c", cmd->d[i], sep); 196 } 197 } 198 199 /* structure and define for the extension header in ipv6 */ 200 static struct _s_x ext6hdrcodes[] = { 201 { "frag", EXT_FRAGMENT }, 202 { "hopopt", EXT_HOPOPTS }, 203 { "route", EXT_ROUTING }, 204 { "dstopt", EXT_DSTOPTS }, 205 { "ah", EXT_AH }, 206 { "esp", EXT_ESP }, 207 { "rthdr0", EXT_RTHDR0 }, 208 { "rthdr2", EXT_RTHDR2 }, 209 { NULL, 0 } 210 }; 211 212 /* fills command for the extension header filtering */ 213 int 214 fill_ext6hdr( ipfw_insn *cmd, char *av) 215 { 216 int tok; 217 char *s = av; 218 219 cmd->arg1 = 0; 220 221 while(s) { 222 av = strsep( &s, ",") ; 223 tok = match_token(ext6hdrcodes, av); 224 switch (tok) { 225 case EXT_FRAGMENT: 226 cmd->arg1 |= EXT_FRAGMENT; 227 break; 228 229 case EXT_HOPOPTS: 230 cmd->arg1 |= EXT_HOPOPTS; 231 break; 232 233 case EXT_ROUTING: 234 cmd->arg1 |= EXT_ROUTING; 235 break; 236 237 case EXT_DSTOPTS: 238 cmd->arg1 |= EXT_DSTOPTS; 239 break; 240 241 case EXT_AH: 242 cmd->arg1 |= EXT_AH; 243 break; 244 245 case EXT_ESP: 246 cmd->arg1 |= EXT_ESP; 247 break; 248 249 case EXT_RTHDR0: 250 cmd->arg1 |= EXT_RTHDR0; 251 break; 252 253 case EXT_RTHDR2: 254 cmd->arg1 |= EXT_RTHDR2; 255 break; 256 257 default: 258 errx( EX_DATAERR, "invalid option for ipv6 exten header" ); 259 break; 260 } 261 } 262 if (cmd->arg1 == 0 ) 263 return 0; 264 cmd->opcode = O_EXT_HDR; 265 cmd->len |= F_INSN_SIZE( ipfw_insn ); 266 return 1; 267 } 268 269 void 270 print_ext6hdr(struct buf_pr *bp, ipfw_insn *cmd ) 271 { 272 char sep = ' '; 273 274 bprintf(bp, " extension header:"); 275 if (cmd->arg1 & EXT_FRAGMENT ) { 276 bprintf(bp, "%cfragmentation", sep); 277 sep = ','; 278 } 279 if (cmd->arg1 & EXT_HOPOPTS ) { 280 bprintf(bp, "%chop options", sep); 281 sep = ','; 282 } 283 if (cmd->arg1 & EXT_ROUTING ) { 284 bprintf(bp, "%crouting options", sep); 285 sep = ','; 286 } 287 if (cmd->arg1 & EXT_RTHDR0 ) { 288 bprintf(bp, "%crthdr0", sep); 289 sep = ','; 290 } 291 if (cmd->arg1 & EXT_RTHDR2 ) { 292 bprintf(bp, "%crthdr2", sep); 293 sep = ','; 294 } 295 if (cmd->arg1 & EXT_DSTOPTS ) { 296 bprintf(bp, "%cdestination options", sep); 297 sep = ','; 298 } 299 if (cmd->arg1 & EXT_AH ) { 300 bprintf(bp, "%cauthentication header", sep); 301 sep = ','; 302 } 303 if (cmd->arg1 & EXT_ESP ) { 304 bprintf(bp, "%cencapsulated security payload", sep); 305 } 306 } 307 308 /* Try to find ipv6 address by hostname */ 309 static int 310 lookup_host6 (char *host, struct in6_addr *ip6addr) 311 { 312 struct hostent *he; 313 314 if (!inet_pton(AF_INET6_LINUX, host, ip6addr)) { 315 if ((he = gethostbyname2(host, AF_INET6_LINUX)) == NULL) 316 return(-1); 317 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); 318 } 319 return(0); 320 } 321 322 323 /* 324 * fill the addr and mask fields in the instruction as appropriate from av. 325 * Update length as appropriate. 326 * The following formats are allowed: 327 * any matches any IP6. Actually returns an empty instruction. 328 * me returns O_IP6_*_ME 329 * 330 * 03f1::234:123:0342 single IP6 address 331 * 03f1::234:123:0342/24 address/mask 332 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address 333 * 334 * Set of address (as in ipv6) not supported because ipv6 address 335 * are typically random past the initial prefix. 336 * Return 1 on success, 0 on failure. 337 */ 338 static int 339 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen) 340 { 341 int len = 0; 342 struct in6_addr *d = &(cmd->addr6); 343 /* 344 * Needed for multiple address. 345 * Note d[1] points to struct in6_add r mask6 of cmd 346 */ 347 348 cmd->o.len &= ~F_LEN_MASK; /* zero len */ 349 350 if (strcmp(av, "any") == 0) 351 return (1); 352 353 354 if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/ 355 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 356 return (1); 357 } 358 359 if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/ 360 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 361 return (1); 362 } 363 364 if (strncmp(av, "table(", 6) == 0) { 365 char *p = strchr(av + 6, ','); 366 uint32_t *dm = ((ipfw_insn_u32 *)cmd)->d; 367 368 if (p) 369 *p++ = '\0'; 370 cmd->o.opcode = O_IP_DST_LOOKUP; 371 cmd->o.arg1 = strtoul(av + 6, NULL, 0); 372 if (p) { 373 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32); 374 dm[0] = strtoul(p, NULL, 0); 375 } else 376 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 377 return (1); 378 } 379 380 av = strdup(av); 381 while (av) { 382 /* 383 * After the address we can have '/' indicating a mask, 384 * or ',' indicating another address follows. 385 */ 386 387 char *p; 388 int masklen; 389 char md = '\0'; 390 391 CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr)); 392 393 if ((p = strpbrk(av, "/,")) ) { 394 md = *p; /* save the separator */ 395 *p = '\0'; /* terminate address string */ 396 p++; /* and skip past it */ 397 } 398 /* now p points to NULL, mask or next entry */ 399 400 /* lookup stores address in *d as a side effect */ 401 if (lookup_host6(av, d) != 0) { 402 /* XXX: failed. Free memory and go */ 403 errx(EX_DATAERR, "bad address \"%s\"", av); 404 } 405 /* next, look at the mask, if any */ 406 masklen = (md == '/') ? atoi(p) : 128; 407 if (masklen > 128 || masklen < 0) 408 errx(EX_DATAERR, "bad width \"%s\''", p); 409 else 410 n2mask(&d[1], masklen); 411 412 APPLY_MASK(d, &d[1]) /* mask base address with mask */ 413 414 /* find next separator */ 415 416 if (md == '/') { /* find separator past the mask */ 417 p = strpbrk(p, ","); 418 if (p != NULL) 419 p++; 420 } 421 av = p; 422 423 /* Check this entry */ 424 if (masklen == 0) { 425 /* 426 * 'any' turns the entire list into a NOP. 427 * 'not any' never matches, so it is removed from the 428 * list unless it is the only item, in which case we 429 * report an error. 430 */ 431 if (cmd->o.len & F_NOT && av == NULL && len == 0) 432 errx(EX_DATAERR, "not any never matches"); 433 continue; 434 } 435 436 /* 437 * A single IP can be stored alone 438 */ 439 if (masklen == 128 && av == NULL && len == 0) { 440 len = F_INSN_SIZE(struct in6_addr); 441 break; 442 } 443 444 /* Update length and pointer to arguments */ 445 len += F_INSN_SIZE(struct in6_addr)*2; 446 d += 2; 447 } /* end while */ 448 449 /* 450 * Total length of the command, remember that 1 is the size of 451 * the base command. 452 */ 453 if (len + 1 > F_LEN_MASK) 454 errx(EX_DATAERR, "address list too long"); 455 cmd->o.len |= len+1; 456 free(av); 457 return (1); 458 } 459 460 /* 461 * fills command for ipv6 flow-id filtering 462 * note that the 20 bit flow number is stored in a array of u_int32_t 463 * it's supported lists of flow-id, so in the o.arg1 we store how many 464 * additional flow-id we want to filter, the basic is 1 465 */ 466 void 467 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen) 468 { 469 u_int32_t type; /* Current flow number */ 470 u_int16_t nflow = 0; /* Current flow index */ 471 char *s = av; 472 cmd->d[0] = 0; /* Initializing the base number*/ 473 474 while (s) { 475 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_u32) + nflow + 1); 476 477 av = strsep( &s, ",") ; 478 type = strtoul(av, &av, 0); 479 if (*av != ',' && *av != '\0') 480 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 481 if (type > 0xfffff) 482 errx(EX_DATAERR, "flow number out of range %s", av); 483 cmd->d[nflow] |= type; 484 nflow++; 485 } 486 if( nflow > 0 ) { 487 cmd->o.opcode = O_FLOW6ID; 488 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow; 489 cmd->o.arg1 = nflow; 490 } 491 else { 492 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 493 } 494 } 495 496 ipfw_insn * 497 add_srcip6(ipfw_insn *cmd, char *av, int cblen) 498 { 499 500 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen); 501 if (cmd->opcode == O_IP_DST_SET) /* set */ 502 cmd->opcode = O_IP_SRC_SET; 503 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 504 cmd->opcode = O_IP_SRC_LOOKUP; 505 else if (F_LEN(cmd) == 0) { /* any */ 506 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 507 cmd->opcode = O_IP6_SRC_ME; 508 } else if (F_LEN(cmd) == 509 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 510 /* single IP, no mask*/ 511 cmd->opcode = O_IP6_SRC; 512 } else { /* addr/mask opt */ 513 cmd->opcode = O_IP6_SRC_MASK; 514 } 515 return cmd; 516 } 517 518 ipfw_insn * 519 add_dstip6(ipfw_insn *cmd, char *av, int cblen) 520 { 521 522 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen); 523 if (cmd->opcode == O_IP_DST_SET) /* set */ 524 ; 525 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 526 ; 527 else if (F_LEN(cmd) == 0) { /* any */ 528 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 529 cmd->opcode = O_IP6_DST_ME; 530 } else if (F_LEN(cmd) == 531 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 532 /* single IP, no mask*/ 533 cmd->opcode = O_IP6_DST; 534 } else { /* addr/mask opt */ 535 cmd->opcode = O_IP6_DST_MASK; 536 } 537 return cmd; 538 } 539