1 /*
2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4 * Copyright (c) 1994 Ugen J.S.Antsilevich
5 *
6 * Idea and grammar partially left from:
7 * Copyright (c) 1993 Daniel Boulet
8 *
9 * Redistribution and use in source forms, with and without modification,
10 * are permitted provided that this entire comment appears intact.
11 *
12 * Redistribution in binary form may occur without any restrictions.
13 * Obviously, it would be nice if you gave credit where credit is due
14 * but requiring it would be too onerous.
15 *
16 * This software is provided ``AS IS'' without any warranties of any kind.
17 *
18 * NEW command line interface for IP firewall facility
19 *
20 * $FreeBSD$
21 *
22 * ipv6 support
23 */
24
25 #include <sys/types.h>
26 #include <sys/socket.h>
27
28 #include "ipfw2.h"
29
30 #include <err.h>
31 #include <netdb.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <sysexits.h>
36
37 #include <net/if.h>
38 #include <netinet/in.h>
39 #include <netinet/in_systm.h>
40 #include <netinet/ip.h>
41 #include <netinet/icmp6.h>
42 #include <netinet/ip_fw.h>
43 #include <arpa/inet.h>
44
45 #define CHECK_LENGTH(v, len) do { \
46 if ((v) < (len)) \
47 errx(EX_DATAERR, "Rule too long"); \
48 } while (0)
49
50 static struct _s_x icmp6codes[] = {
51 { "no-route", ICMP6_DST_UNREACH_NOROUTE },
52 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN },
53 { "address", ICMP6_DST_UNREACH_ADDR },
54 { "port", ICMP6_DST_UNREACH_NOPORT },
55 { NULL, 0 }
56 };
57
58 void
fill_unreach6_code(u_short * codep,char * str)59 fill_unreach6_code(u_short *codep, char *str)
60 {
61 int val;
62 char *s;
63
64 val = strtoul(str, &s, 0);
65 if (s == str || *s != '\0' || val >= 0x100)
66 val = match_token(icmp6codes, str);
67 if (val < 0)
68 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
69 *codep = val;
70 return;
71 }
72
73 void
print_unreach6_code(uint16_t code)74 print_unreach6_code(uint16_t code)
75 {
76 char const *s = match_value(icmp6codes, code);
77
78 if (s != NULL)
79 printf("unreach6 %s", s);
80 else
81 printf("unreach6 %u", code);
82 }
83
84 /*
85 * Print the ip address contained in a command.
86 */
87 void
print_ip6(struct buf_pr * bp,ipfw_insn_ip6 * cmd,char const * s)88 print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd, char const *s)
89 {
90 struct hostent *he = NULL;
91 int len = F_LEN((ipfw_insn *) cmd) - 1;
92 struct in6_addr *a = &(cmd->addr6);
93 char trad[255];
94
95 bprintf(bp, "%s%s ", cmd->o.len & F_NOT ? " not": "", s);
96
97 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
98 bprintf(bp, "me6");
99 return;
100 }
101 if (cmd->o.opcode == O_IP6) {
102 bprintf(bp, " ip6");
103 return;
104 }
105
106 /*
107 * len == 4 indicates a single IP, whereas lists of 1 or more
108 * addr/mask pairs have len = (2n+1). We convert len to n so we
109 * use that to count the number of entries.
110 */
111
112 for (len = len / 4; len > 0; len -= 2, a += 2) {
113 int mb = /* mask length */
114 (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ?
115 128 : contigmask((uint8_t *)&(a[1]), 128);
116
117 if (mb == 128 && co.do_resolv)
118 he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6);
119 if (he != NULL) /* resolved to name */
120 bprintf(bp, "%s", he->h_name);
121 else if (mb == 0) /* any */
122 bprintf(bp, "any");
123 else { /* numeric IP followed by some kind of mask */
124 if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL)
125 bprintf(bp, "Error ntop in print_ip6\n");
126 bprintf(bp, "%s", trad );
127 if (mb < 0) /* XXX not really legal... */
128 bprintf(bp, ":%s",
129 inet_ntop(AF_INET6, &a[1], trad, sizeof(trad)));
130 else if (mb < 128)
131 bprintf(bp, "/%d", mb);
132 }
133 if (len > 2)
134 bprintf(bp, ",");
135 }
136 }
137
138 void
fill_icmp6types(ipfw_insn_icmp6 * cmd,char * av,int cblen)139 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
140 {
141 uint8_t type;
142
143 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6));
144
145 bzero(cmd, sizeof(*cmd));
146 while (*av) {
147 if (*av == ',')
148 av++;
149 type = strtoul(av, &av, 0);
150 if (*av != ',' && *av != '\0')
151 errx(EX_DATAERR, "invalid ICMP6 type");
152 /*
153 * XXX: shouldn't this be 0xFF? I can't see any reason why
154 * we shouldn't be able to filter all possiable values
155 * regardless of the ability of the rest of the kernel to do
156 * anything useful with them.
157 */
158 if (type > ICMP6_MAXTYPE)
159 errx(EX_DATAERR, "ICMP6 type out of range");
160 cmd->d[type / 32] |= ( 1 << (type % 32));
161 }
162 cmd->o.opcode = O_ICMP6TYPE;
163 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
164 }
165
166
167 void
print_icmp6types(struct buf_pr * bp,ipfw_insn_u32 * cmd)168 print_icmp6types(struct buf_pr *bp, ipfw_insn_u32 *cmd)
169 {
170 int i, j;
171 char sep= ' ';
172
173 bprintf(bp, " ip6 icmp6types");
174 for (i = 0; i < 7; i++)
175 for (j=0; j < 32; ++j) {
176 if ( (cmd->d[i] & (1 << (j))) == 0)
177 continue;
178 bprintf(bp, "%c%d", sep, (i*32 + j));
179 sep = ',';
180 }
181 }
182
183 void
print_flow6id(struct buf_pr * bp,ipfw_insn_u32 * cmd)184 print_flow6id(struct buf_pr *bp, ipfw_insn_u32 *cmd)
185 {
186 uint16_t i, limit = cmd->o.arg1;
187 char sep = ',';
188
189 bprintf(bp, " flow-id ");
190 for( i=0; i < limit; ++i) {
191 if (i == limit - 1)
192 sep = ' ';
193 bprintf(bp, "%d%c", cmd->d[i], sep);
194 }
195 }
196
197 /* structure and define for the extension header in ipv6 */
198 static struct _s_x ext6hdrcodes[] = {
199 { "frag", EXT_FRAGMENT },
200 { "hopopt", EXT_HOPOPTS },
201 { "route", EXT_ROUTING },
202 { "dstopt", EXT_DSTOPTS },
203 { "ah", EXT_AH },
204 { "esp", EXT_ESP },
205 { "rthdr0", EXT_RTHDR0 },
206 { "rthdr2", EXT_RTHDR2 },
207 { NULL, 0 }
208 };
209
210 /* fills command for the extension header filtering */
211 int
fill_ext6hdr(ipfw_insn * cmd,char * av)212 fill_ext6hdr( ipfw_insn *cmd, char *av)
213 {
214 int tok;
215 char *s = av;
216
217 cmd->arg1 = 0;
218
219 while(s) {
220 av = strsep( &s, ",") ;
221 tok = match_token(ext6hdrcodes, av);
222 switch (tok) {
223 case EXT_FRAGMENT:
224 cmd->arg1 |= EXT_FRAGMENT;
225 break;
226
227 case EXT_HOPOPTS:
228 cmd->arg1 |= EXT_HOPOPTS;
229 break;
230
231 case EXT_ROUTING:
232 cmd->arg1 |= EXT_ROUTING;
233 break;
234
235 case EXT_DSTOPTS:
236 cmd->arg1 |= EXT_DSTOPTS;
237 break;
238
239 case EXT_AH:
240 cmd->arg1 |= EXT_AH;
241 break;
242
243 case EXT_ESP:
244 cmd->arg1 |= EXT_ESP;
245 break;
246
247 case EXT_RTHDR0:
248 cmd->arg1 |= EXT_RTHDR0;
249 break;
250
251 case EXT_RTHDR2:
252 cmd->arg1 |= EXT_RTHDR2;
253 break;
254
255 default:
256 errx( EX_DATAERR, "invalid option for ipv6 exten header" );
257 break;
258 }
259 }
260 if (cmd->arg1 == 0 )
261 return 0;
262 cmd->opcode = O_EXT_HDR;
263 cmd->len |= F_INSN_SIZE( ipfw_insn );
264 return 1;
265 }
266
267 void
print_ext6hdr(struct buf_pr * bp,ipfw_insn * cmd)268 print_ext6hdr(struct buf_pr *bp, ipfw_insn *cmd )
269 {
270 char sep = ' ';
271
272 bprintf(bp, " extension header:");
273 if (cmd->arg1 & EXT_FRAGMENT ) {
274 bprintf(bp, "%cfragmentation", sep);
275 sep = ',';
276 }
277 if (cmd->arg1 & EXT_HOPOPTS ) {
278 bprintf(bp, "%chop options", sep);
279 sep = ',';
280 }
281 if (cmd->arg1 & EXT_ROUTING ) {
282 bprintf(bp, "%crouting options", sep);
283 sep = ',';
284 }
285 if (cmd->arg1 & EXT_RTHDR0 ) {
286 bprintf(bp, "%crthdr0", sep);
287 sep = ',';
288 }
289 if (cmd->arg1 & EXT_RTHDR2 ) {
290 bprintf(bp, "%crthdr2", sep);
291 sep = ',';
292 }
293 if (cmd->arg1 & EXT_DSTOPTS ) {
294 bprintf(bp, "%cdestination options", sep);
295 sep = ',';
296 }
297 if (cmd->arg1 & EXT_AH ) {
298 bprintf(bp, "%cauthentication header", sep);
299 sep = ',';
300 }
301 if (cmd->arg1 & EXT_ESP ) {
302 bprintf(bp, "%cencapsulated security payload", sep);
303 }
304 }
305
306 /* Try to find ipv6 address by hostname */
307 static int
lookup_host6(char * host,struct in6_addr * ip6addr)308 lookup_host6 (char *host, struct in6_addr *ip6addr)
309 {
310 struct hostent *he;
311
312 if (!inet_pton(AF_INET6, host, ip6addr)) {
313 if ((he = gethostbyname2(host, AF_INET6)) == NULL)
314 return(-1);
315 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
316 }
317 return(0);
318 }
319
320
321 /*
322 * fill the addr and mask fields in the instruction as appropriate from av.
323 * Update length as appropriate.
324 * The following formats are allowed:
325 * any matches any IP6. Actually returns an empty instruction.
326 * me returns O_IP6_*_ME
327 *
328 * 03f1::234:123:0342 single IP6 addres
329 * 03f1::234:123:0342/24 address/mask
330 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address
331 *
332 * Set of address (as in ipv6) not supported because ipv6 address
333 * are typically random past the initial prefix.
334 * Return 1 on success, 0 on failure.
335 */
336 static int
fill_ip6(ipfw_insn_ip6 * cmd,char * av,int cblen)337 fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen)
338 {
339 int len = 0;
340 struct in6_addr *d = &(cmd->addr6);
341 /*
342 * Needed for multiple address.
343 * Note d[1] points to struct in6_add r mask6 of cmd
344 */
345
346 cmd->o.len &= ~F_LEN_MASK; /* zero len */
347
348 if (strcmp(av, "any") == 0)
349 return (1);
350
351
352 if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/
353 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
354 return (1);
355 }
356
357 if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/
358 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
359 return (1);
360 }
361
362 if (strncmp(av, "table(", 6) == 0) {
363 char *p = strchr(av + 6, ',');
364 uint32_t *dm = ((ipfw_insn_u32 *)cmd)->d;
365
366 if (p)
367 *p++ = '\0';
368 cmd->o.opcode = O_IP_DST_LOOKUP;
369 cmd->o.arg1 = strtoul(av + 6, NULL, 0);
370 if (p) {
371 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
372 dm[0] = strtoul(p, NULL, 0);
373 } else
374 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
375 return (1);
376 }
377
378 av = strdup(av);
379 while (av) {
380 /*
381 * After the address we can have '/' indicating a mask,
382 * or ',' indicating another address follows.
383 */
384
385 char *p;
386 int masklen;
387 char md = '\0';
388
389 CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr));
390
391 if ((p = strpbrk(av, "/,")) ) {
392 md = *p; /* save the separator */
393 *p = '\0'; /* terminate address string */
394 p++; /* and skip past it */
395 }
396 /* now p points to NULL, mask or next entry */
397
398 /* lookup stores address in *d as a side effect */
399 if (lookup_host6(av, d) != 0) {
400 /* XXX: failed. Free memory and go */
401 errx(EX_DATAERR, "bad address \"%s\"", av);
402 }
403 /* next, look at the mask, if any */
404 masklen = (md == '/') ? atoi(p) : 128;
405 if (masklen > 128 || masklen < 0)
406 errx(EX_DATAERR, "bad width \"%s\''", p);
407 else
408 n2mask(&d[1], masklen);
409
410 APPLY_MASK(d, &d[1]) /* mask base address with mask */
411
412 /* find next separator */
413
414 if (md == '/') { /* find separator past the mask */
415 p = strpbrk(p, ",");
416 if (p != NULL)
417 p++;
418 }
419 av = p;
420
421 /* Check this entry */
422 if (masklen == 0) {
423 /*
424 * 'any' turns the entire list into a NOP.
425 * 'not any' never matches, so it is removed from the
426 * list unless it is the only item, in which case we
427 * report an error.
428 */
429 if (cmd->o.len & F_NOT && av == NULL && len == 0)
430 errx(EX_DATAERR, "not any never matches");
431 continue;
432 }
433
434 /*
435 * A single IP can be stored alone
436 */
437 if (masklen == 128 && av == NULL && len == 0) {
438 len = F_INSN_SIZE(struct in6_addr);
439 break;
440 }
441
442 /* Update length and pointer to arguments */
443 len += F_INSN_SIZE(struct in6_addr)*2;
444 d += 2;
445 } /* end while */
446
447 /*
448 * Total length of the command, remember that 1 is the size of
449 * the base command.
450 */
451 if (len + 1 > F_LEN_MASK)
452 errx(EX_DATAERR, "address list too long");
453 cmd->o.len |= len+1;
454 free(av);
455 return (1);
456 }
457
458 /*
459 * fills command for ipv6 flow-id filtering
460 * note that the 20 bit flow number is stored in a array of u_int32_t
461 * it's supported lists of flow-id, so in the o.arg1 we store how many
462 * additional flow-id we want to filter, the basic is 1
463 */
464 void
fill_flow6(ipfw_insn_u32 * cmd,char * av,int cblen)465 fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)
466 {
467 u_int32_t type; /* Current flow number */
468 u_int16_t nflow = 0; /* Current flow index */
469 char *s = av;
470 cmd->d[0] = 0; /* Initializing the base number*/
471
472 while (s) {
473 CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
474
475 av = strsep( &s, ",") ;
476 type = strtoul(av, &av, 0);
477 if (*av != ',' && *av != '\0')
478 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
479 if (type > 0xfffff)
480 errx(EX_DATAERR, "flow number out of range %s", av);
481 cmd->d[nflow] |= type;
482 nflow++;
483 }
484 if( nflow > 0 ) {
485 cmd->o.opcode = O_FLOW6ID;
486 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
487 cmd->o.arg1 = nflow;
488 }
489 else {
490 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
491 }
492 }
493
494 ipfw_insn *
add_srcip6(ipfw_insn * cmd,char * av,int cblen)495 add_srcip6(ipfw_insn *cmd, char *av, int cblen)
496 {
497
498 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen);
499 if (cmd->opcode == O_IP_DST_SET) /* set */
500 cmd->opcode = O_IP_SRC_SET;
501 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
502 cmd->opcode = O_IP_SRC_LOOKUP;
503 else if (F_LEN(cmd) == 0) { /* any */
504 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
505 cmd->opcode = O_IP6_SRC_ME;
506 } else if (F_LEN(cmd) ==
507 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
508 /* single IP, no mask*/
509 cmd->opcode = O_IP6_SRC;
510 } else { /* addr/mask opt */
511 cmd->opcode = O_IP6_SRC_MASK;
512 }
513 return cmd;
514 }
515
516 ipfw_insn *
add_dstip6(ipfw_insn * cmd,char * av,int cblen)517 add_dstip6(ipfw_insn *cmd, char *av, int cblen)
518 {
519
520 fill_ip6((ipfw_insn_ip6 *)cmd, av, cblen);
521 if (cmd->opcode == O_IP_DST_SET) /* set */
522 ;
523 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
524 ;
525 else if (F_LEN(cmd) == 0) { /* any */
526 } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
527 cmd->opcode = O_IP6_DST_ME;
528 } else if (F_LEN(cmd) ==
529 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
530 /* single IP, no mask*/
531 cmd->opcode = O_IP6_DST;
532 } else { /* addr/mask opt */
533 cmd->opcode = O_IP6_DST_MASK;
534 }
535 return cmd;
536 }
537