Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sbin/ipfw/ipv6.c
39475 views
1
/*-

2
 * Copyright (c) 2002-2003 Luigi Rizzo

3
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp

4
 * Copyright (c) 1994 Ugen J.S.Antsilevich

5
 *

6
 * Idea and grammar partially left from:

7
 * Copyright (c) 1993 Daniel Boulet

8
 *

9
 * Redistribution and use in source forms, with and without modification,

10
 * are permitted provided that this entire comment appears intact.

11
 *

12
 * Redistribution in binary form may occur without any restrictions.

13
 * Obviously, it would be nice if you gave credit where credit is due

14
 * but requiring it would be too onerous.

15
 *

16
 * This software is provided ``AS IS'' without any warranties of any kind.

17
 *

18
 * NEW command line interface for IP firewall facility

19
 *

20
 * ipv6 support

21
 */

22


23
#include <sys/types.h>

24
#include <sys/socket.h>

25


26
#include "ipfw2.h"

27


28
#include <err.h>

29
#include <netdb.h>

30
#include <stdio.h>

31
#include <stdlib.h>

32
#include <string.h>

33
#include <sysexits.h>

34


35
#include <net/if.h>

36
#include <netinet/in.h>

37
#include <netinet/in_systm.h>

38
#include <netinet/ip.h>

39
#include <netinet/icmp6.h>

40
#include <netinet/ip_fw.h>

41
#include <arpa/inet.h>

42


43
#define	CHECK_LENGTH(v, len) do {			\

44
	if ((v) < (len))				\

45
		errx(EX_DATAERR, "Rule too long");	\

46
	} while (0)

47


48
static struct _s_x icmp6codes[] = {

49
	{ "no-route",		ICMP6_DST_UNREACH_NOROUTE },

50
	{ "admin-prohib",		ICMP6_DST_UNREACH_ADMIN },

51
	{ "address",		ICMP6_DST_UNREACH_ADDR },

52
	{ "port",			ICMP6_DST_UNREACH_NOPORT },

53
	{ NULL, 0 }

54
};

55


56
uint16_t

57
get_unreach6_code(const char *str)

58
{

59
	int val;

60
	char *s;

61


62
	val = strtoul(str, &s, 0);

63
	if (s == str || *s != '\0' || val >= 0x100)

64
		val = match_token(icmp6codes, str);

65
	if (val < 0)

66
		errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);

67
	return (val);

68
}

69


70
void

71
print_unreach6_code(struct buf_pr *bp, uint16_t code)

72
{

73
	char const *s = match_value(icmp6codes, code);

74


75
	if (s != NULL)

76
		bprintf(bp, "unreach6 %s", s);

77
	else

78
		bprintf(bp, "unreach6 %u", code);

79
}

80


81
/*

82
 * Print the ip address contained in a command.

83
 */

84
void

85
print_ip6(struct buf_pr *bp, const ipfw_insn_ip6 *cmd)

86
{

87
	char trad[255];

88
	struct hostent *he = NULL;

89
	const struct in6_addr *a = &(cmd->addr6);

90
	int len, mb;

91


92
	len = F_LEN((const ipfw_insn *)cmd) - 1;

93
	if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {

94
		bprintf(bp, " me6");

95
		return;

96
	}

97
	if (cmd->o.opcode == O_IP6) {

98
		bprintf(bp, " ip6");

99
		return;

100
	}

101


102
	/*

103
	 * len == 4 indicates a single IP, whereas lists of 1 or more

104
	 * addr/mask pairs have len = (2n+1). We convert len to n so we

105
	 * use that to count the number of entries.

106
	 */

107
	bprintf(bp, " ");

108
	for (len = len / 4; len > 0; len -= 2, a += 2) {

109
		/* mask length */

110
		mb = (cmd->o.opcode == O_IP6_SRC ||

111
		    cmd->o.opcode == O_IP6_DST) ?  128:

112
		    contigmask((const uint8_t *)&(a[1]), 128);

113


114
		if (mb == 128 && g_co.do_resolv)

115
			he = gethostbyaddr((const char *)a, sizeof(*a),

116
			    AF_INET6);

117


118
		if (he != NULL)	     /* resolved to name */

119
			bprintf(bp, "%s", he->h_name);

120
		else if (mb == 0)	   /* any */

121
			bprintf(bp, "any");

122
		else {	  /* numeric IP followed by some kind of mask */

123
			if (inet_ntop(AF_INET6,  a, trad,

124
			    sizeof(trad)) == NULL)

125
				bprintf(bp, "Error ntop in print_ip6\n");

126
			bprintf(bp, "%s",  trad );

127
			if (mb < 0) /* mask not contiguous */

128
				bprintf(bp, "/%s", inet_ntop(AF_INET6, &a[1],

129
				    trad, sizeof(trad)));

130
			else if (mb < 128)

131
				bprintf(bp, "/%d", mb);

132
		}

133
		if (len > 2)

134
			bprintf(bp, ",");

135
	}

136
}

137


138
void

139
fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)

140
{

141
       uint8_t type;

142


143
       CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn_icmp6));

144
       memset(cmd, 0, sizeof(*cmd));

145
       while (*av) {

146
	       if (*av == ',')

147
		       av++;

148
	       type = strtoul(av, &av, 0);

149
	       if (*av != ',' && *av != '\0')

150
		       errx(EX_DATAERR, "invalid ICMP6 type");

151
	       /*

152
		* XXX: shouldn't this be 0xFF?  I can't see any reason why

153
		* we shouldn't be able to filter all possiable values

154
		* regardless of the ability of the rest of the kernel to do

155
		* anything useful with them.

156
		*/

157
	       if (type > ICMP6_MAXTYPE)

158
		       errx(EX_DATAERR, "ICMP6 type out of range");

159
	       cmd->d[type / 32] |= ( 1 << (type % 32));

160
       }

161
       cmd->o.opcode = O_ICMP6TYPE;

162
       cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);

163
}

164


165
void

166
print_icmp6types(struct buf_pr *bp, const ipfw_insn_u32 *cmd)

167
{

168
	int i, j;

169
	char sep= ' ';

170


171
	bprintf(bp, " icmp6types");

172
	for (i = 0; i < 7; i++)

173
		for (j=0; j < 32; ++j) {

174
			if ( (cmd->d[i] & (1 << (j))) == 0)

175
				continue;

176
			bprintf(bp, "%c%d", sep, (i*32 + j));

177
			sep = ',';

178
		}

179
}

180


181
void

182
print_flow6id(struct buf_pr *bp, const ipfw_insn_u32 *cmd)

183
{

184
	uint16_t i, limit = cmd->o.arg1;

185
	char sep = ',';

186


187
	bprintf(bp, " flow-id ");

188
	for( i=0; i < limit; ++i) {

189
		if (i == limit - 1)

190
			sep = ' ';

191
		bprintf(bp, "%d%c", cmd->d[i], sep);

192
	}

193
}

194


195
/* structure and define for the extension header in ipv6 */

196
static struct _s_x ext6hdrcodes[] = {

197
	{ "frag",       EXT_FRAGMENT },

198
	{ "hopopt",     EXT_HOPOPTS },

199
	{ "route",      EXT_ROUTING },

200
	{ "dstopt",     EXT_DSTOPTS },

201
	{ "ah",	 EXT_AH },

202
	{ "esp",	EXT_ESP },

203
	{ "rthdr0",     EXT_RTHDR0 },

204
	{ "rthdr2",     EXT_RTHDR2 },

205
	{ NULL,	 0 }

206
};

207


208
/* fills command for the extension header filtering */

209
int

210
fill_ext6hdr( ipfw_insn *cmd, char *av)

211
{

212
	int tok;

213
	char *s = av;

214


215
	cmd->arg1 = 0;

216
	while(s) {

217
		av = strsep( &s, ",") ;

218
		tok = match_token(ext6hdrcodes, av);

219
		switch (tok) {

220
		case EXT_FRAGMENT:

221
			cmd->arg1 |= EXT_FRAGMENT;

222
			break;

223
		case EXT_HOPOPTS:

224
			cmd->arg1 |= EXT_HOPOPTS;

225
			break;

226
		case EXT_ROUTING:

227
			cmd->arg1 |= EXT_ROUTING;

228
			break;

229
		case EXT_DSTOPTS:

230
			cmd->arg1 |= EXT_DSTOPTS;

231
			break;

232
		case EXT_AH:

233
			cmd->arg1 |= EXT_AH;

234
			break;

235
		case EXT_ESP:

236
			cmd->arg1 |= EXT_ESP;

237
			break;

238
		case EXT_RTHDR0:

239
			cmd->arg1 |= EXT_RTHDR0;

240
			break;

241
		case EXT_RTHDR2:

242
			cmd->arg1 |= EXT_RTHDR2;

243
			break;

244
		default:

245
			errx(EX_DATAERR,

246
			    "invalid option for ipv6 exten header");

247
			break;

248
		}

249
	}

250
	if (cmd->arg1 == 0)

251
		return (0);

252
	cmd->opcode = O_EXT_HDR;

253
	cmd->len |= F_INSN_SIZE(ipfw_insn);

254
	return (1);

255
}

256


257
void

258
print_ext6hdr(struct buf_pr *bp, const ipfw_insn *cmd )

259
{

260
	char sep = ' ';

261


262
	bprintf(bp, " extension header:");

263
	if (cmd->arg1 & EXT_FRAGMENT) {

264
		bprintf(bp, "%cfragmentation", sep);

265
		sep = ',';

266
	}

267
	if (cmd->arg1 & EXT_HOPOPTS) {

268
		bprintf(bp, "%chop options", sep);

269
		sep = ',';

270
	}

271
	if (cmd->arg1 & EXT_ROUTING) {

272
		bprintf(bp, "%crouting options", sep);

273
		sep = ',';

274
	}

275
	if (cmd->arg1 & EXT_RTHDR0) {

276
		bprintf(bp, "%crthdr0", sep);

277
		sep = ',';

278
	}

279
	if (cmd->arg1 & EXT_RTHDR2) {

280
		bprintf(bp, "%crthdr2", sep);

281
		sep = ',';

282
	}

283
	if (cmd->arg1 & EXT_DSTOPTS) {

284
		bprintf(bp, "%cdestination options", sep);

285
		sep = ',';

286
	}

287
	if (cmd->arg1 & EXT_AH) {

288
		bprintf(bp, "%cauthentication header", sep);

289
		sep = ',';

290
	}

291
	if (cmd->arg1 & EXT_ESP) {

292
		bprintf(bp, "%cencapsulated security payload", sep);

293
	}

294
}

295


296
/* Try to find ipv6 address by hostname */

297
static int

298
lookup_host6 (char *host, struct in6_addr *ip6addr)

299
{

300
	struct hostent *he;

301


302
	if (!inet_pton(AF_INET6, host, ip6addr)) {

303
		if ((he = gethostbyname2(host, AF_INET6)) == NULL)

304
			return(-1);

305
		memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));

306
	}

307
	return (0);

308
}

309


310


311
/*

312
 * fill the addr and mask fields in the instruction as appropriate from av.

313
 * Update length as appropriate.

314
 * The following formats are allowed:

315
 *     any     matches any IP6. Actually returns an empty instruction.

316
 *     me      returns O_IP6_*_ME

317
 *

318
 *     03f1::234:123:0342			single IP6 address

319
 *     03f1::234:123:0342/24			address/masklen

320
 *     03f1::234:123:0342/ffff::ffff:ffff	address/mask

321
 *     03f1::234:123:0342/24,03f1::234:123:0343/	List of address

322
 *

323
 * Set of address (as in ipv6) not supported because ipv6 address

324
 * are typically random past the initial prefix.

325
 * Return 1 on success, 0 on failure.

326
 */

327
static int

328
fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)

329
{

330
	int len = 0;

331
	struct in6_addr *d = &(cmd->addr6);

332
	char *oav;

333
	/*

334
	 * Needed for multiple address.

335
	 * Note d[1] points to struct in6_add r mask6 of cmd

336
	 */

337


338
	cmd->o.len &= ~F_LEN_MASK;	/* zero len */

339


340
	if (strcmp(av, "any") == 0)

341
		return (1);

342


343
	/* Set the data for "me" opt */

344
	if (strcmp(av, "me") == 0 || strcmp(av, "me6") == 0) {

345
		cmd->o.len |= F_INSN_SIZE(ipfw_insn);

346
		return (1);

347
	}

348


349
	if (strncmp(av, "table(", 6) == 0) {

350
		fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);

351
		return (1);

352
	}

353


354
	oav = av = strdup(av);

355
	while (av) {

356
		/*

357
		 * After the address we can have '/' indicating a mask,

358
		 * or ',' indicating another address follows.

359
		 */

360


361
		char *p, *q;

362
		int masklen;

363
		char md = '\0';

364


365
		CHECK_LENGTH(cblen,

366
		    1 + len + 2 * (int)F_INSN_SIZE(struct in6_addr));

367


368
		if ((q = strchr(av, ',')) ) {

369
			*q = '\0';

370
			q++;

371
		}

372


373
		if ((p = strchr(av, '/')) ) {

374
			md = *p;	/* save the separator */

375
			*p = '\0';	/* terminate address string */

376
			p++;		/* and skip past it */

377
		}

378
		/* now p points to NULL, mask or next entry */

379


380
		/* lookup stores address in *d as a side effect */

381
		if (lookup_host6(av, d) != 0) {

382
			/* XXX: failed. Free memory and go */

383
			errx(EX_DATAERR, "bad address \"%s\"", av);

384
		}

385
		/* next, look at the mask, if any */

386
		if (md == '/' && strchr(p, ':')) {

387
			if (!inet_pton(AF_INET6, p, &d[1]))

388
				errx(EX_DATAERR, "bad mask \"%s\"", p);

389


390
			masklen = contigmask((uint8_t *)&(d[1]), 128);

391
		} else {

392
			masklen = (md == '/') ? atoi(p) : 128;

393
			if (masklen > 128 || masklen < 0)

394
				errx(EX_DATAERR, "bad width \"%s\''", p);

395
			else

396
				n2mask(&d[1], masklen);

397
		}

398


399
		APPLY_MASK(d, &d[1]);   /* mask base address with mask */

400


401
		av = q;

402


403
		/* Check this entry */

404
		if (masklen == 0) {

405
			/*

406
			 * 'any' turns the entire list into a NOP.

407
			 * 'not any' never matches, so it is removed from the

408
			 * list unless it is the only item, in which case we

409
			 * report an error.

410
			 */

411
			if (cmd->o.len & F_NOT && av == NULL && len == 0)

412
				errx(EX_DATAERR, "not any never matches");

413
			continue;

414
		}

415


416
		/*

417
		 * A single IP can be stored alone

418
		 */

419
		if (masklen == 128 && av == NULL && len == 0) {

420
			len = F_INSN_SIZE(struct in6_addr);

421
			break;

422
		}

423


424
		/* Update length and pointer to arguments */

425
		len += F_INSN_SIZE(struct in6_addr)*2;

426
		d += 2;

427
	} /* end while */

428


429
	/*

430
	 * Total length of the command, remember that 1 is the size of

431
	 * the base command.

432
	 */

433
	if (len + 1 > F_LEN_MASK)

434
		errx(EX_DATAERR, "address list too long");

435
	cmd->o.len |= len+1;

436
	free(oav);

437
	return (1);

438
}

439


440
/*

441
 * fills command for ipv6 flow-id filtering

442
 * note that the 20 bit flow number is stored in a array of u_int32_t

443
 * it's supported lists of flow-id, so in the o.arg1 we store how many

444
 * additional flow-id we want to filter, the basic is 1

445
 */

446
void

447
fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)

448
{

449
	u_int32_t type;	 /* Current flow number */

450
	u_int16_t nflow = 0;    /* Current flow index */

451
	char *s = av;

452
	cmd->d[0] = 0;	  /* Initializing the base number*/

453


454
	while (s) {

455
		CHECK_LENGTH(cblen,

456
		    (int)F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);

457


458
		av = strsep( &s, ",") ;

459
		type = strtoul(av, &av, 0);

460
		if (*av != ',' && *av != '\0')

461
			errx(EX_DATAERR, "invalid ipv6 flow number %s", av);

462
		if (type > 0xfffff)

463
			errx(EX_DATAERR, "flow number out of range %s", av);

464
		cmd->d[nflow] |= type;

465
		nflow++;

466
	}

467
	if( nflow > 0 ) {

468
		cmd->o.opcode = O_FLOW6ID;

469
		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;

470
		cmd->o.arg1 = nflow;

471
	}

472
	else {

473
		errx(EX_DATAERR, "invalid ipv6 flow number %s", av);

474
	}

475
}

476


477
ipfw_insn *

478
add_srcip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)

479
{

480


481
	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);

482
	if (cmd->opcode == O_IP_DST_SET)			/* set */

483
		cmd->opcode = O_IP_SRC_SET;

484
	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */

485
		cmd->opcode = O_IP_SRC_LOOKUP;

486
	else if (F_LEN(cmd) == 0) {				/* any */

487
	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */

488
		cmd->opcode = O_IP6_SRC_ME;

489
	} else if (F_LEN(cmd) ==

490
	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {

491
		/* single IP, no mask*/

492
		cmd->opcode = O_IP6_SRC;

493
	} else {					/* addr/mask opt */

494
		cmd->opcode = O_IP6_SRC_MASK;

495
	}

496
	return cmd;

497
}

498


499
ipfw_insn *

500
add_dstip6(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)

501
{

502


503
	fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen, tstate);

504
	if (cmd->opcode == O_IP_DST_SET)			/* set */

505
		;

506
	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */

507
		;

508
	else if (F_LEN(cmd) == 0) {				/* any */

509
	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */

510
		cmd->opcode = O_IP6_DST_ME;

511
	} else if (F_LEN(cmd) ==

512
	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {

513
		/* single IP, no mask*/

514
		cmd->opcode = O_IP6_DST;

515
	} else {					/* addr/mask opt */

516
		cmd->opcode = O_IP6_DST_MASK;

517
	}

518
	return cmd;

519
}

520


521