1/* 2 * Copyright (c) 2002-2003 Luigi Rizzo 3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp 4 * Copyright (c) 1994 Ugen J.S.Antsilevich 5 * 6 * Idea and grammar partially left from: 7 * Copyright (c) 1993 Daniel Boulet 8 * 9 * Redistribution and use in source forms, with and without modification, 10 * are permitted provided that this entire comment appears intact. 11 * 12 * Redistribution in binary form may occur without any restrictions. 13 * Obviously, it would be nice if you gave credit where credit is due 14 * but requiring it would be too onerous. 15 * 16 * This software is provided ``AS IS'' without any warranties of any kind. 17 * 18 * NEW command line interface for IP firewall facility 19 * 20 * $FreeBSD: stable/10/sbin/ipfw/ipv6.c 318271 2017-05-14 13:59:40Z marius $ 21 * 22 * ipv6 support 23 */ 24 25#include <sys/types.h> 26#include <sys/socket.h> 27 28#include "ipfw2.h" 29 30#include <err.h> 31#include <netdb.h> 32#include <stdio.h> 33#include <stdlib.h> 34#include <string.h> 35#include <sysexits.h> 36 37#include <net/if.h> 38#include <netinet/in.h> 39#include <netinet/in_systm.h> 40#include <netinet/ip.h> 41#include <netinet/icmp6.h> 42#include <netinet/ip_fw.h> 43#include <arpa/inet.h> 44 45#define CHECK_LENGTH(v, len) do { \ 46 if ((v) < (len)) \ 47 errx(EX_DATAERR, "Rule too long"); \ 48 } while (0) 49 50static struct _s_x icmp6codes[] = { 51 { "no-route", ICMP6_DST_UNREACH_NOROUTE }, 52 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN }, 53 { "address", ICMP6_DST_UNREACH_ADDR }, 54 { "port", ICMP6_DST_UNREACH_NOPORT }, 55 { NULL, 0 } 56}; 57 58void 59fill_unreach6_code(u_short *codep, char *str) 60{ 61 int val; 62 char *s; 63 64 val = strtoul(str, &s, 0); 65 if (s == str || *s != '\0' || val >= 0x100) 66 val = match_token(icmp6codes, str); 67 if (val < 0) 68 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str); 69 *codep = val; 70 return; 71} 72 73void 74print_unreach6_code(uint16_t code) 75{ 76 char const *s = match_value(icmp6codes, code); 77 78 if (s != NULL) 79 printf("unreach6 %s", s); 80 else 81 printf("unreach6 %u", code); 82} 83 84/* 85 * Print the ip address contained in a command. 86 */ 87void 88print_ip6(ipfw_insn_ip6 *cmd, char const *s) 89{ 90 struct hostent *he = NULL; 91 int len = F_LEN((ipfw_insn *) cmd) - 1; 92 struct in6_addr *a = &(cmd->addr6); 93 char trad[255]; 94 95 printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s); 96 97 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { 98 printf("me6"); 99 return; 100 } 101 if (cmd->o.opcode == O_IP6) { 102 printf(" ip6"); 103 return; 104 } 105 106 /* 107 * len == 4 indicates a single IP, whereas lists of 1 or more 108 * addr/mask pairs have len = (2n+1). We convert len to n so we 109 * use that to count the number of entries. 110 */ 111 112 for (len = len / 4; len > 0; len -= 2, a += 2) { 113 int mb = /* mask length */ 114 (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ? 115 128 : contigmask((uint8_t *)&(a[1]), 128); 116 117 if (mb == 128 && co.do_resolv) 118 he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6); 119 if (he != NULL) /* resolved to name */ 120 printf("%s", he->h_name); 121 else if (mb == 0) /* any */ 122 printf("any"); 123 else { /* numeric IP followed by some kind of mask */ 124 if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL) 125 printf("Error ntop in print_ip6\n"); 126 printf("%s", trad ); 127 if (mb < 0) /* XXX not really legal... */ 128 printf(":%s", 129 inet_ntop(AF_INET6, &a[1], trad, sizeof(trad))); 130 else if (mb < 128) 131 printf("/%d", mb); 132 } 133 if (len > 2) 134 printf(","); 135 } 136} 137 138void 139fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen) 140{ 141 uint8_t type; 142 143 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6)); 144 145 bzero(cmd, sizeof(*cmd)); 146 while (*av) { 147 if (*av == ',') 148 av++; 149 type = strtoul(av, &av, 0); 150 if (*av != ',' && *av != '\0') 151 errx(EX_DATAERR, "invalid ICMP6 type"); 152 /* 153 * XXX: shouldn't this be 0xFF? I can't see any reason why 154 * we shouldn't be able to filter all possiable values 155 * regardless of the ability of the rest of the kernel to do 156 * anything useful with them. 157 */ 158 if (type > ICMP6_MAXTYPE) 159 errx(EX_DATAERR, "ICMP6 type out of range"); 160 cmd->d[type / 32] |= ( 1 << (type % 32)); 161 } 162 cmd->o.opcode = O_ICMP6TYPE; 163 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6); 164} 165 166 167void 168print_icmp6types(ipfw_insn_u32 *cmd) 169{ 170 int i, j; 171 char sep= ' '; 172 173 printf(" ip6 icmp6types"); 174 for (i = 0; i < 7; i++) 175 for (j=0; j < 32; ++j) { 176 if ( (cmd->d[i] & (1 << (j))) == 0) 177 continue; 178 printf("%c%d", sep, (i*32 + j)); 179 sep = ','; 180 } 181} 182 183void 184print_flow6id( ipfw_insn_u32 *cmd) 185{ 186 uint16_t i, limit = cmd->o.arg1; 187 char sep = ','; 188 189 printf(" flow-id "); 190 for( i=0; i < limit; ++i) { 191 if (i == limit - 1) 192 sep = ' '; 193 printf("%d%c", cmd->d[i], sep); 194 } 195} 196 197/* structure and define for the extension header in ipv6 */ 198static struct _s_x ext6hdrcodes[] = { 199 { "frag", EXT_FRAGMENT }, 200 { "hopopt", EXT_HOPOPTS }, 201 { "route", EXT_ROUTING }, 202 { "dstopt", EXT_DSTOPTS }, 203 { "ah", EXT_AH }, 204 { "esp", EXT_ESP }, 205 { "rthdr0", EXT_RTHDR0 }, 206 { "rthdr2", EXT_RTHDR2 }, 207 { NULL, 0 } 208}; 209 210/* fills command for the extension header filtering */ 211int 212fill_ext6hdr( ipfw_insn *cmd, char *av) 213{ 214 int tok; 215 char *s = av; 216 217 cmd->arg1 = 0; 218 219 while(s) { 220 av = strsep( &s, ",") ; 221 tok = match_token(ext6hdrcodes, av); 222 switch (tok) { 223 case EXT_FRAGMENT: 224 cmd->arg1 |= EXT_FRAGMENT; 225 break; 226 227 case EXT_HOPOPTS: 228 cmd->arg1 |= EXT_HOPOPTS; 229 break; 230 231 case EXT_ROUTING: 232 cmd->arg1 |= EXT_ROUTING; 233 break; 234 235 case EXT_DSTOPTS: 236 cmd->arg1 |= EXT_DSTOPTS; 237 break; 238 239 case EXT_AH: 240 cmd->arg1 |= EXT_AH; 241 break; 242 243 case EXT_ESP: 244 cmd->arg1 |= EXT_ESP; 245 break; 246 247 case EXT_RTHDR0: 248 cmd->arg1 |= EXT_RTHDR0; 249 break; 250 251 case EXT_RTHDR2: 252 cmd->arg1 |= EXT_RTHDR2; 253 break; 254 255 default: 256 errx( EX_DATAERR, "invalid option for ipv6 exten header" ); 257 break; 258 } 259 } 260 if (cmd->arg1 == 0 ) 261 return 0; 262 cmd->opcode = O_EXT_HDR; 263 cmd->len |= F_INSN_SIZE( ipfw_insn ); 264 return 1; 265} 266 267void 268print_ext6hdr( ipfw_insn *cmd ) 269{ 270 char sep = ' '; 271 272 printf(" extension header:"); 273 if (cmd->arg1 & EXT_FRAGMENT ) { 274 printf("%cfragmentation", sep); 275 sep = ','; 276 } 277 if (cmd->arg1 & EXT_HOPOPTS ) { 278 printf("%chop options", sep); 279 sep = ','; 280 } 281 if (cmd->arg1 & EXT_ROUTING ) { 282 printf("%crouting options", sep); 283 sep = ','; 284 } 285 if (cmd->arg1 & EXT_RTHDR0 ) { 286 printf("%crthdr0", sep); 287 sep = ','; 288 } 289 if (cmd->arg1 & EXT_RTHDR2 ) { 290 printf("%crthdr2", sep); 291 sep = ','; 292 } 293 if (cmd->arg1 & EXT_DSTOPTS ) { 294 printf("%cdestination options", sep); 295 sep = ','; 296 } 297 if (cmd->arg1 & EXT_AH ) { 298 printf("%cauthentication header", sep); 299 sep = ','; 300 } 301 if (cmd->arg1 & EXT_ESP ) { 302 printf("%cencapsulated security payload", sep); 303 } 304} 305 306/* Try to find ipv6 address by hostname */ 307static int 308lookup_host6 (char *host, struct in6_addr *ip6addr) 309{ 310 struct hostent *he; 311 312 if (!inet_pton(AF_INET6, host, ip6addr)) { 313 if ((he = gethostbyname2(host, AF_INET6)) == NULL) 314 return(-1); 315 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); 316 } 317 return(0); 318} 319 320 321/* 322 * fill the addr and mask fields in the instruction as appropriate from av. 323 * Update length as appropriate. 324 * The following formats are allowed: 325 * any matches any IP6. Actually returns an empty instruction. 326 * me returns O_IP6_*_ME 327 * 328 * 03f1::234:123:0342 single IP6 addres 329 * 03f1::234:123:0342/24 address/mask 330 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address 331 * 332 * Set of address (as in ipv6) not supported because ipv6 address 333 * are typically random past the initial prefix. 334 * Return 1 on success, 0 on failure. 335 */ 336static int 337fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen) 338{ 339 int len = 0; 340 struct in6_addr *d = &(cmd->addr6); 341 char *oav; 342 /* 343 * Needed for multiple address. 344 * Note d[1] points to struct in6_add r mask6 of cmd 345 */ 346 347 cmd->o.len &= ~F_LEN_MASK; /* zero len */ 348 349 if (strcmp(av, "any") == 0) 350 return (1); 351 352 353 if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/ 354 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 355 return (1); 356 } 357 358 if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/ 359 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 360 return (1); 361 } 362 363 if (strncmp(av, "table(", 6) == 0) { 364 char *p = strchr(av + 6, ','); 365 uint32_t *dm = ((ipfw_insn_u32 *)cmd)->d; 366 367 if (p) 368 *p++ = '\0'; 369 cmd->o.opcode = O_IP_DST_LOOKUP; 370 cmd->o.arg1 = strtoul(av + 6, NULL, 0); 371 if (p) { 372 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32); 373 dm[0] = strtoul(p, NULL, 0); 374 } else 375 cmd->o.len |= F_INSN_SIZE(ipfw_insn); 376 return (1); 377 } 378 379 oav = av = strdup(av); 380 while (av) { 381 /* 382 * After the address we can have '/' indicating a mask, 383 * or ',' indicating another address follows. 384 */ 385 386 char *p; 387 int masklen; 388 char md = '\0'; 389 390 CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr)); 391 392 if ((p = strpbrk(av, "/,")) ) { 393 md = *p; /* save the separator */ 394 *p = '\0'; /* terminate address string */ 395 p++; /* and skip past it */ 396 } 397 /* now p points to NULL, mask or next entry */ 398 399 /* lookup stores address in *d as a side effect */ 400 if (lookup_host6(av, d) != 0) { 401 /* XXX: failed. Free memory and go */ 402 errx(EX_DATAERR, "bad address \"%s\"", av); 403 } 404 /* next, look at the mask, if any */ 405 masklen = (md == '/') ? atoi(p) : 128; 406 if (masklen > 128 || masklen < 0) 407 errx(EX_DATAERR, "bad width \"%s\''", p); 408 else 409 n2mask(&d[1], masklen); 410 411 APPLY_MASK(d, &d[1]) /* mask base address with mask */ 412 413 /* find next separator */ 414 415 if (md == '/') { /* find separator past the mask */ 416 p = strpbrk(p, ","); 417 if (p != NULL) 418 p++; 419 } 420 av = p; 421 422 /* Check this entry */ 423 if (masklen == 0) { 424 /* 425 * 'any' turns the entire list into a NOP. 426 * 'not any' never matches, so it is removed from the 427 * list unless it is the only item, in which case we 428 * report an error. 429 */ 430 if (cmd->o.len & F_NOT && av == NULL && len == 0) 431 errx(EX_DATAERR, "not any never matches"); 432 continue; 433 } 434 435 /* 436 * A single IP can be stored alone 437 */ 438 if (masklen == 128 && av == NULL && len == 0) { 439 len = F_INSN_SIZE(struct in6_addr); 440 break; 441 } 442 443 /* Update length and pointer to arguments */ 444 len += F_INSN_SIZE(struct in6_addr)*2; 445 d += 2; 446 } /* end while */ 447 448 /* 449 * Total length of the command, remember that 1 is the size of 450 * the base command. 451 */ 452 if (len + 1 > F_LEN_MASK) 453 errx(EX_DATAERR, "address list too long"); 454 cmd->o.len |= len+1; 455 free(oav); 456 return (1); 457} 458 459/* 460 * fills command for ipv6 flow-id filtering 461 * note that the 20 bit flow number is stored in a array of u_int32_t 462 * it's supported lists of flow-id, so in the o.arg1 we store how many 463 * additional flow-id we want to filter, the basic is 1 464 */ 465void 466fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen) 467{ 468 u_int32_t type; /* Current flow number */ 469 u_int16_t nflow = 0; /* Current flow index */ 470 char *s = av; 471 cmd->d[0] = 0; /* Initializing the base number*/ 472 473 while (s) { 474 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_u32) + nflow + 1); 475 476 av = strsep( &s, ",") ; 477 type = strtoul(av, &av, 0); 478 if (*av != ',' && *av != '\0') 479 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 480 if (type > 0xfffff) 481 errx(EX_DATAERR, "flow number out of range %s", av); 482 cmd->d[nflow] |= type; 483 nflow++; 484 } 485 if( nflow > 0 ) { 486 cmd->o.opcode = O_FLOW6ID; 487 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow; 488 cmd->o.arg1 = nflow; 489 } 490 else { 491 errx(EX_DATAERR, "invalid ipv6 flow number %s", av); 492 } 493} 494 495ipfw_insn * 496add_srcip6(ipfw_insn *cmd, char *av, int cblen) 497{ 498 499 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen); 500 if (cmd->opcode == O_IP_DST_SET) /* set */ 501 cmd->opcode = O_IP_SRC_SET; 502 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 503 cmd->opcode = O_IP_SRC_LOOKUP; 504 else if (F_LEN(cmd) == 0) { /* any */ 505 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 506 cmd->opcode = O_IP6_SRC_ME; 507 } else if (F_LEN(cmd) == 508 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 509 /* single IP, no mask*/ 510 cmd->opcode = O_IP6_SRC; 511 } else { /* addr/mask opt */ 512 cmd->opcode = O_IP6_SRC_MASK; 513 } 514 return cmd; 515} 516 517ipfw_insn * 518add_dstip6(ipfw_insn *cmd, char *av, int cblen) 519{ 520 521 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen); 522 if (cmd->opcode == O_IP_DST_SET) /* set */ 523 ; 524 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ 525 ; 526 else if (F_LEN(cmd) == 0) { /* any */ 527 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ 528 cmd->opcode = O_IP6_DST_ME; 529 } else if (F_LEN(cmd) == 530 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) { 531 /* single IP, no mask*/ 532 cmd->opcode = O_IP6_DST; 533 } else { /* addr/mask opt */ 534 cmd->opcode = O_IP6_DST_MASK; 535 } 536 return cmd; 537} 538