author | bz <bz@FreeBSD.org> | 2005-08-13 11:02:34 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2005-08-13 11:02:34 +0000 |
commit | 5434a588080f496f3f78c9b62fcc9bc2993449cb (patch) | |
tree | 6f00a69da3358c57d462226e8f8fb77137db166c /sbin/ipfw | |
parent | 810123c2f688458c9677d8cd08da90460f18926c (diff) | |
* Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.
Submitted by: sysctl handling derived from a patch from ume needed for ip6fw
Obtained from: is_icmp6_query and send_reject6 derived from similar
functions of netinet6,ip6fw
Reviewed by: ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after: 6 days
Diffstat (limited to 'sbin/ipfw')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 21 | ||||
-rw-r--r-- | sbin/ipfw/ipfw2.c | 71 |
2 files changed, 89 insertions, 3 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 5754936..2765f6b 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 30, 2005
+.Dd August 13, 2005
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -710,6 +710,10 @@ Synonym for
 Discard packets that match this rule, and if the
 packet is a TCP packet, try to send a TCP reset (RST) notice.
 The search terminates.
+.It Cm reset6
+Discard packets that match this rule, and if the
+packet is a TCP packet, try to send a TCP reset (RST) notice.
+The search terminates.
 .It Cm skipto Ar number
 Skip all subsequent rules numbered less than
 .Ar number .
@@ -736,6 +740,17 @@ is a number from 0 to 255, or one of these aliases:
 or
 .Cm precedence-cutoff .
 The search terminates.
+.It Cm unreach6 Ar code
+Discard packets that match this rule, and try to send an ICMPv6
+unreachable notice with code
+.Ar code ,
+where
+.Ar code
+is a number from 0, 1, 3 or 4, or one of these aliases:
+.Cm no-route, admin-prohib, address
+or
+.Cm port .
+The search terminates.
 .It Cm netgraph Ar cookie
 Divert packet into netgraph with given
 .Ar cookie .
@@ -1036,6 +1051,8 @@ Hop-to-hop options
 .Pq Cm hopopt ,
 Source routing
 .Pq Cm route ,
+Destination options
+.Pq Cm dstopt ,
 IPSec authentication headers
 .Pq Cm ah ,
 and IPSec encapsulated security payload headers
@@ -2018,6 +2035,8 @@ reinjected into the firewall at the next rule.
 Enables verbose messages.
 .It Em net.inet.ip.fw.verbose_limit : No 0
 Limits the number of messages produced by a verbose firewall.
+.It Em net.inet6.ip6.fw.deny_unknown_exthdrs : No 1
+If enabled packets with unknown IPv6 Extension Headers will be denied.
 .It Em net.link.ether.ipfw : No 0
 Controls whether layer-2 packets are passed to
 .Nm .
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 686174d..ee1b362 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -277,6 +277,8 @@ enum tokens {
 	TOK_SRCIP6,
 	TOK_IPV4,
+	TOK_UNREACH6,
+	TOK_RESET6,
 };
 
 struct _s_x dummynet_params[] = {
@@ -326,7 +328,9 @@ struct _s_x rule_actions[] = {
 	{ "deny", TOK_DENY },
 	{ "drop", TOK_DENY },
 	{ "reject", TOK_REJECT },
+	{ "reset6", TOK_RESET6 },
 	{ "reset", TOK_RESET },
+	{ "unreach6", TOK_UNREACH6 },
 	{ "unreach", TOK_UNREACH },
 	{ "check-state", TOK_CHECKSTATE },
 	{ "//", TOK_COMMENT },
@@ -851,6 +855,40 @@ print_reject_code(uint16_t code)
 		printf("unreach %u", code);
 }
 
+static struct _s_x icmp6codes[] = {
+	{ "no-route", ICMP6_DST_UNREACH_NOROUTE },
+	{ "admin-prohib", ICMP6_DST_UNREACH_ADMIN },
+	{ "address", ICMP6_DST_UNREACH_ADDR },
+	{ "port", ICMP6_DST_UNREACH_NOPORT },
+	{ NULL, 0 }
+};
+
+static void
+fill_unreach6_code(u_short *codep, char *str)
+{
+	int val;
+	char *s;
+
+	val = strtoul(str, &s, 0);
+	if (s == str || *s != '\0' || val >= 0x100)
+		val = match_token(icmp6codes, str);
+	if (val < 0)
+		errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
+	*codep = val;
+	return;
+}
+
+static void
+print_unreach6_code(uint16_t code)
+{
+	char const *s = match_value(icmp6codes, code);
+
+	if (s != NULL)
+		printf("unreach6 %s", s);
+	else
+		printf("unreach6 %u", code);
+}
+
 /*
  * Returns the number of bits set (from left) in a contiguous bitmask,
  * or -1 if the mask is not contiguous.
@@ -1169,6 +1207,7 @@ static struct _s_x ext6hdrcodes[] = {
 	{ "frag", EXT_FRAGMENT },
 	{ "hopopt", EXT_HOPOPTS },
 	{ "route", EXT_ROUTING },
+	{ "dstopt", EXT_DSTOPTS },
 	{ "ah", EXT_AH },
 	{ "esp", EXT_ESP },
 	{ NULL, 0 }
@@ -1199,6 +1238,10 @@ fill_ext6hdr( ipfw_insn *cmd, char *av)
 			cmd->arg1 |= EXT_ROUTING;
 			break;
 
+		case EXT_DSTOPTS:
+			cmd->arg1 |= EXT_DSTOPTS;
+			break;
+
 		case EXT_AH:
 			cmd->arg1 |= EXT_AH;
 			break;
@@ -1237,6 +1280,10 @@ print_ext6hdr( ipfw_insn *cmd )
 		printf("%crouting options", sep);
 		sep = ',';
 	}
+	if (cmd->arg1 & EXT_DSTOPTS ) {
+		printf("%cdestination options", sep);
+		sep = ',';
+	}
 	if (cmd->arg1 & EXT_AH ) {
 		printf("%cauthentication header", sep);
 		sep = ',';
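Review bot: In fill_unreach6_code (hunk @@ -851) the strtoul() result is narrowed into `int val` before the `val >= 0x100` range test, so a numeric argument above INT_MAX wraps negative, slips past that test, and is only rejected later by `val < 0` with the misleading "unknown ICMPv6 unreachable code" message; keeping the parsed number unsigned until after the check makes the rejection deliberate, e.g. `unsigned long n = strtoul(str, &s, 0);` / `if (s == str || *s != '\0' || n >= 0x100) val = match_token(icmp6codes, str); else val = (int)n;`. The 0x100 ceiling looks like it exists so a numeric code cannot alias the ICMP6_UNREACH_RST sentinel that show_ipfw() and add() use for reset6 in the later hunks; if that is how the kernel header defines it, a comment such as `/* values >= 0x100 are reserved: ICMP6_UNREACH_RST marks reset6 */` would save the next reader the lookup. Note also that any value below 0x100 is accepted numerically, which is wider than the 0, 1, 3 or 4 the manual page change documents — fine if the kernel validates the code, otherwise worth a check here. The trailing `return;` in the void function is redundant.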
@@ -1406,6 +1453,13 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
 			print_reject_code(cmd->arg1);
 			break;
 
+		case O_UNREACH6:
+			if (cmd->arg1 == ICMP6_UNREACH_RST)
+				printf("reset6");
+			else
+				print_unreach6_code(cmd->arg1);
+			break;
+
 		case O_SKIPTO:
 			printf("skipto %u", cmd->arg1);
 			break;
@@ -2495,8 +2549,9 @@ help(void)
 "table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n"
 "\n"
 "RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
-"ACTION: check-state | allow | count | deny | unreach CODE | skipto N |\n"
-" {divert|tee} PORT | forward ADDR | pipe N | queue N\n"
+"ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n"
+" skipto N | {divert|tee} PORT | forward ADDR |\n"
+" pipe N | queue N\n"
 "PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n"
 "ADDR: [ MAC dst src ether_type ] \n"
 " [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
@@ -3754,6 +3809,11 @@ add(int ac, char *av[])
 			action->arg1 = ICMP_REJECT_RST;
 			break;
 
+		case TOK_RESET6:
+			action->opcode = O_UNREACH6;
+			action->arg1 = ICMP6_UNREACH_RST;
+			break;
+
 		case TOK_UNREACH:
 			action->opcode = O_REJECT;
 			NEED1("missing reject code");
@@ -3761,6 +3821,13 @@ add(int ac, char *av[])
 			ac--; av++;
 			break;
 
+		case TOK_UNREACH6:
+			action->opcode = O_UNREACH6;
+			NEED1("missing unreach code");
+			fill_unreach6_code(&action->arg1, *av);
+			ac--; av++;
+			break;
+
 		case TOK_COUNT:
 			action->opcode = O_COUNT;
 			break;