authorbz <bz@FreeBSD.org>2005-08-13 11:02:34 +0000
committerbz <bz@FreeBSD.org>2005-08-13 11:02:34 +0000
commit5434a588080f496f3f78c9b62fcc9bc2993449cb (patch)
tree6f00a69da3358c57d462226e8f8fb77137db166c /sbin/ipfw
parent810123c2f688458c9677d8cd08da90460f18926c (diff)
downloadFreeBSD-src-5434a588080f496f3f78c9b62fcc9bc2993449cb.zip
FreeBSD-src-5434a588080f496f3f78c9b62fcc9bc2993449cb.tar.gz
* Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.

Submitted by:	sysctl handling derived from patch from ume needed for ip6fw
Obtained from:	is_icmp6_query and send_reject6 derived from similar functions of netinet6,ip6fw
Reviewed by:	ume, gnn; silence on ipfw@
Test setup provided by:	CK Software GmbH
MFC after:	6 days
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.821
-rw-r--r--sbin/ipfw/ipfw2.c71
2 files changed, 89 insertions, 3 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 5754936..2765f6b 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd June 30, 2005
+.Dd August 13, 2005
.Dt IPFW 8
.Os
.Sh NAME
@@ -710,6 +710,10 @@ Synonym for
Discard packets that match this rule, and if the
packet is a TCP packet, try to send a TCP reset (RST) notice.
The search terminates.
+.It Cm reset6
+Discard packets that match this rule, and if the
+packet is a TCP packet, try to send a TCP reset (RST) notice.
+The search terminates.
.It Cm skipto Ar number
Skip all subsequent rules numbered less than
.Ar number .
@@ -736,6 +740,17 @@ is a number from 0 to 255, or one of these aliases:
or
.Cm precedence-cutoff .
The search terminates.
+.It Cm unreach6 Ar code
+Discard packets that match this rule, and try to send an ICMPv6
+unreachable notice with code
+.Ar code ,
+where
+.Ar code
+is a number from 0, 1, 3 or 4, or one of these aliases:
+.Cm no-route, admin-prohib, address
+or
+.Cm port .
+The search terminates.
.It Cm netgraph Ar cookie
Divert packet into netgraph with given
.Ar cookie .
@@ -1036,6 +1051,8 @@ Hop-to-hop options
.Pq Cm hopopt ,
Source routing
.Pq Cm route ,
+Destination options
+.Pq Cm dstopt ,
IPSec authentication headers
.Pq Cm ah ,
and IPSec encapsulated security payload headers
@@ -2018,6 +2035,8 @@ reinjected into the firewall at the next rule.
Enables verbose messages.
.It Em net.inet.ip.fw.verbose_limit : No 0
Limits the number of messages produced by a verbose firewall.
+.It Em net.inet6.ip6.fw.deny_unknown_exthdrs : No 1
+If enabled packets with unknown IPv6 Extension Headers will be denied.
.It Em net.link.ether.ipfw : No 0
Controls whether layer-2 packets are passed to
.Nm .
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 686174d..ee1b362 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -277,6 +277,8 @@ enum tokens {
TOK_SRCIP6,
TOK_IPV4,
+ TOK_UNREACH6,
+ TOK_RESET6,
};
struct _s_x dummynet_params[] = {
@@ -326,7 +328,9 @@ struct _s_x rule_actions[] = {
{ "deny", TOK_DENY },
{ "drop", TOK_DENY },
{ "reject", TOK_REJECT },
+ { "reset6", TOK_RESET6 },
{ "reset", TOK_RESET },
+ { "unreach6", TOK_UNREACH6 },
{ "unreach", TOK_UNREACH },
{ "check-state", TOK_CHECKSTATE },
{ "//", TOK_COMMENT },
@@ -851,6 +855,40 @@ print_reject_code(uint16_t code)
printf("unreach %u", code);
}
+static struct _s_x icmp6codes[] = {
+ { "no-route", ICMP6_DST_UNREACH_NOROUTE },
+ { "admin-prohib", ICMP6_DST_UNREACH_ADMIN },
+ { "address", ICMP6_DST_UNREACH_ADDR },
+ { "port", ICMP6_DST_UNREACH_NOPORT },
+ { NULL, 0 }
+};
+
+static void
+fill_unreach6_code(u_short *codep, char *str)
+{
+ int val;
+ char *s;
+
+ val = strtoul(str, &s, 0);
+ if (s == str || *s != '\0' || val >= 0x100)
+ val = match_token(icmp6codes, str);
+ if (val < 0)
+ errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
+ *codep = val;
+ return;
+}
+
+static void
+print_unreach6_code(uint16_t code)
+{
+ char const *s = match_value(icmp6codes, code);
+
+ if (s != NULL)
+ printf("unreach6 %s", s);
+ else
+ printf("unreach6 %u", code);
+}
+
/*
* Returns the number of bits set (from left) in a contiguous bitmask,
* or -1 if the mask is not contiguous.
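Review bot: In fill_unreach6_code, `val` is declared `int` but receives the `unsigned long` result of `strtoul`, so the numeric path depends on an implementation-defined narrowing before the `val >= 0x100` bound is tested, and `errno`/`ERANGE` is never consulted; parsing into an `unsigned long v` and storing `*codep` only after the range check makes the accepted range explicit. The `0x100` limit also deserves a why-comment, since nothing on the new lines explains it — presumably it keeps user-typed numbers out of the range used by the `ICMP6_UNREACH_RST` sentinel that show_ipfw compares `arg1` against, which is worth confirming against the kernel header: `/* ICMPv6 codes are 8-bit; values >= 0x100 are reserved for sentinels such as ICMP6_UNREACH_RST (reset6) */`. The trailing `return;` in the void function is redundant and the neighbouring print_reject_code does not use one. Lastly, fill_unreach6_code takes `u_short *` while print_unreach6_code takes `uint16_t`; using one type for the pair keeps them consistent with print_reject_code.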
@@ -1169,6 +1207,7 @@ static struct _s_x ext6hdrcodes[] = {
{ "frag", EXT_FRAGMENT },
{ "hopopt", EXT_HOPOPTS },
{ "route", EXT_ROUTING },
+ { "dstopt", EXT_DSTOPTS },
{ "ah", EXT_AH },
{ "esp", EXT_ESP },
{ NULL, 0 }
@@ -1199,6 +1238,10 @@ fill_ext6hdr( ipfw_insn *cmd, char *av)
cmd->arg1 |= EXT_ROUTING;
break;
+ case EXT_DSTOPTS:
+ cmd->arg1 |= EXT_DSTOPTS;
+ break;
+
case EXT_AH:
cmd->arg1 |= EXT_AH;
break;
@@ -1237,6 +1280,10 @@ print_ext6hdr( ipfw_insn *cmd )
printf("%crouting options", sep);
sep = ',';
}
+ if (cmd->arg1 & EXT_DSTOPTS ) {
+ printf("%cdestination options", sep);
+ sep = ',';
+ }
if (cmd->arg1 & EXT_AH ) {
printf("%cauthentication header", sep);
sep = ',';
@@ -1406,6 +1453,13 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
print_reject_code(cmd->arg1);
break;
+ case O_UNREACH6:
+ if (cmd->arg1 == ICMP6_UNREACH_RST)
+ printf("reset6");
+ else
+ print_unreach6_code(cmd->arg1);
+ break;
+
case O_SKIPTO:
printf("skipto %u", cmd->arg1);
break;
@@ -2495,8 +2549,9 @@ help(void)
"table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n"
"\n"
"RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
-"ACTION: check-state | allow | count | deny | unreach CODE | skipto N |\n"
-" {divert|tee} PORT | forward ADDR | pipe N | queue N\n"
+"ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n"
+" skipto N | {divert|tee} PORT | forward ADDR |\n"
+" pipe N | queue N\n"
"PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n"
"ADDR: [ MAC dst src ether_type ] \n"
" [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
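Review bot: The rewritten ACTION help line spells the new alternative as `unreach{,6} CODE`, which is shell brace-expansion notation that a user reading `ipfw -h` may not recognise, while every other alternative on these lines is written out with `|`; `unreach CODE | unreach6 CODE |` would match the `{divert|tee} PORT` style already used. The reset and newly added reset6 actions are still missing from the ACTION summary even though this commit adds reset6 to rule_actions.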
@@ -3754,6 +3809,11 @@ add(int ac, char *av[])
action->arg1 = ICMP_REJECT_RST;
break;
+ case TOK_RESET6:
+ action->opcode = O_UNREACH6;
+ action->arg1 = ICMP6_UNREACH_RST;
+ break;
+
case TOK_UNREACH:
action->opcode = O_REJECT;
NEED1("missing reject code");
@@ -3761,6 +3821,13 @@ add(int ac, char *av[])
ac--; av++;
break;
+ case TOK_UNREACH6:
+ action->opcode = O_UNREACH6;
+ NEED1("missing unreach code");
+ fill_unreach6_code(&action->arg1, *av);
+ ac--; av++;
+ break;
+
case TOK_COUNT:
action->opcode = O_COUNT;
break;
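Review bot: The NEED1 message in the new TOK_UNREACH6 case reads `missing unreach code`, which neither names the IPv6 keyword the user actually typed nor matches the wording of the TOK_UNREACH case's `missing reject code`; `NEED1("missing unreach6 code");` tells the user exactly which action lacked its argument. The body of add() begins and ends outside this hunk.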