diff options
author | sjg <sjg@FreeBSD.org> | 2015-05-27 01:19:58 +0000 |
---|---|---|
committer | sjg <sjg@FreeBSD.org> | 2015-05-27 01:19:58 +0000 |
commit | 65145fa4c81da358fcbc3b650156dab705dfa34e (patch) | |
tree | 55c065b6730aaac2afb6c29933ee6ec5fa4c4249 /sbin/ipfw | |
parent | 60ff4eb0dff94a04d75d0d52a3957aaaf5f8c693 (diff) | |
parent | e6b664c390af88d4a87208bc042ce503da664c3b (diff) | |
download | FreeBSD-src-65145fa4c81da358fcbc3b650156dab705dfa34e.zip FreeBSD-src-65145fa4c81da358fcbc3b650156dab705dfa34e.tar.gz |
Merge sync of head
Diffstat (limited to 'sbin/ipfw')
-rw-r--r-- | sbin/ipfw/Makefile | 3 | ||||
-rw-r--r-- | sbin/ipfw/ipfw.8 | 15 | ||||
-rw-r--r-- | sbin/ipfw/ipfw2.c | 144 | ||||
-rw-r--r-- | sbin/ipfw/ipfw2.h | 2 | ||||
-rw-r--r-- | sbin/ipfw/nat.c | 11 | ||||
-rw-r--r-- | sbin/ipfw/tables.c | 203 |
6 files changed, 254 insertions, 124 deletions
diff --git a/sbin/ipfw/Makefile b/sbin/ipfw/Makefile index 9eb4511..efd99fc 100644 --- a/sbin/ipfw/Makefile +++ b/sbin/ipfw/Makefile @@ -11,8 +11,7 @@ SRCS+= altq.c CFLAGS+=-DPF .endif -DPADD= ${LIBUTIL} -LDADD= -lutil +LIBADD= util MAN= ipfw.8 .include <bsd.prog.mk> diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 0c6edb2..63f04cf 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd Aug 13, 2014 +.Dd March 13, 2015 .Dt IPFW 8 .Os .Sh NAME @@ -76,7 +76,7 @@ in-kernel NAT. .Nm .Oo Cm set Ar N Oc Cm table .Brq Ar name | all -.Cm info +.Cm info .Nm .Oo Cm set Ar N Oc Cm table .Brq Ar name | all @@ -1642,7 +1642,6 @@ be specified as: .Pp Note that the ampersand character has a special meaning in many shells and should generally be escaped. -.Pp .El Note that the order of MAC addresses (destination first, source second) is @@ -1873,7 +1872,7 @@ addresses or other search keys (e.g., ports, jail IDs, interface names). In the rest of this section we will use the term ``key''. Table name needs to match the following spec: .Ar table-name . -Tables with the same name can be created in different +Tables with the same name can be created in different .Ar sets . However, rule links to the tables in .Ar set 0 @@ -1973,7 +1972,7 @@ command. Addition of all items are performed atomically. By default, error in addition of one entry does not influence addition of other entries. However, non-zero error code is returned -in that case. +in that case. Special .Cm atomic keyword may be specified before @@ -1985,13 +1984,13 @@ One or more entries can be removed from a table at once using command. By default, error in removal of one entry does not influence removing of other entries. However, non-zero error code is returned -in that case. +in that case. .Pp It may be possible to check what entry will be found on particular .Ar table-key using .Cm lookup -.Ae table-key +.Ar table-key command. This functionality is optional and may be unsupported in some algorithms. .Pp @@ -2079,6 +2078,8 @@ hook number to move packet to. maximum number of connections. .It Cm ipv4 IPv4 nexthop to fwd packets to. +.It Cm ipv6 +IPv6 nexthop to fwd packets to. .El .Pp The diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index 2c98466..687d707 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -61,6 +61,7 @@ struct format_opts { int bcwidth; int pcwidth; int show_counters; + int show_time; /* show timestamp */ uint32_t set_mask; /* enabled sets mask */ uint32_t flags; /* request flags */ uint32_t first; /* first rule to request */ @@ -374,6 +375,13 @@ static int ipfw_show_config(struct cmdline_opts *co, struct format_opts *fo, ipfw_cfg_lheader *cfg, size_t sz, int ac, char **av); static void ipfw_list_tifaces(void); +struct tidx; +static uint16_t pack_object(struct tidx *tstate, char *name, int otype); +static uint16_t pack_table(struct tidx *tstate, char *name); + +static char *table_search_ctlv(ipfw_obj_ctlv *ctlv, uint16_t idx); +static void object_sort_ctlv(ipfw_obj_ctlv *ctlv); + /* * Simple string buffer API. * Used to simplify buffer passing between function and for @@ -1524,11 +1532,14 @@ show_static_rule(struct cmdline_opts *co, struct format_opts *fo, case O_FORWARD_IP6: { - char buf[4 + INET6_ADDRSTRLEN + 1]; + char buf[INET6_ADDRSTRLEN + IF_NAMESIZE + 2]; ipfw_insn_sa6 *s = (ipfw_insn_sa6 *)cmd; - bprintf(bp, "fwd %s", inet_ntop(AF_INET6, - &s->sa.sin6_addr, buf, sizeof(buf))); + bprintf(bp, "fwd "); + if (getnameinfo((const struct sockaddr *)&s->sa, + sizeof(struct sockaddr_in6), buf, sizeof(buf), + NULL, 0, NI_NUMERICHOST) == 0) + bprintf(bp, "%s", buf); if (s->sa.sin6_port) bprintf(bp, ",%d", s->sa.sin6_port); } @@ -2402,7 +2413,7 @@ list_static_range(struct cmdline_opts *co, struct format_opts *fo, for (n = seen = 0; n < rcnt; n++, rtlv = (ipfw_obj_tlv *)((caddr_t)rtlv + rtlv->length)) { - if (fo->show_counters != 0) { + if ((fo->show_counters | fo->show_time) != 0) { cntr = (struct ip_fw_bcounter *)(rtlv + 1); r = (struct ip_fw_rule *)((caddr_t)cntr + cntr->size); } else { @@ -2504,10 +2515,11 @@ ipfw_list(int ac, char *av[], int show_counters) /* get configuraion from kernel */ cfg = NULL; sfo.show_counters = show_counters; + sfo.show_time = co.do_time; sfo.flags = IPFW_CFG_GET_STATIC; if (co.do_dynamic != 0) sfo.flags |= IPFW_CFG_GET_STATES; - if (sfo.show_counters != 0) + if ((sfo.show_counters | sfo.show_time) != 0) sfo.flags |= IPFW_CFG_GET_COUNTERS; if (ipfw_get_config(&co, &sfo, &cfg, &sz) != 0) err(EX_OSERR, "retrieving config failed"); @@ -2553,6 +2565,7 @@ ipfw_show_config(struct cmdline_opts *co, struct format_opts *fo, if (cfg->flags & IPFW_CFG_GET_STATIC) { /* We've requested static rules */ if (ctlv->head.type == IPFW_TLV_TBLNAME_LIST) { + object_sort_ctlv(ctlv); fo->tstate = ctlv; readsz += ctlv->head.length; ctlv = (ipfw_obj_ctlv *)((caddr_t)ctlv + @@ -2719,19 +2732,18 @@ struct tidx { }; static uint16_t -pack_table(struct tidx *tstate, char *name) +pack_object(struct tidx *tstate, char *name, int otype) { int i; ipfw_obj_ntlv *ntlv; - if (table_check_name(name) != 0) - return (0); - for (i = 0; i < tstate->count; i++) { if (strcmp(tstate->idx[i].name, name) != 0) continue; if (tstate->idx[i].set != tstate->set) continue; + if (tstate->idx[i].head.type != otype) + continue; return (tstate->idx[i].idx); } @@ -2747,7 +2759,7 @@ pack_table(struct tidx *tstate, char *name) ntlv = &tstate->idx[i]; memset(ntlv, 0, sizeof(ipfw_obj_ntlv)); strlcpy(ntlv->name, name, sizeof(ntlv->name)); - ntlv->head.type = IPFW_TLV_TBL_NAME; + ntlv->head.type = otype; ntlv->head.length = sizeof(ipfw_obj_ntlv); ntlv->set = tstate->set; ntlv->idx = ++tstate->counter; @@ -2756,6 +2768,16 @@ pack_table(struct tidx *tstate, char *name) return (ntlv->idx); } +static uint16_t +pack_table(struct tidx *tstate, char *name) +{ + + if (table_check_name(name) != 0) + return (0); + + return (pack_object(tstate, name, IPFW_TLV_TBL_NAME)); +} + static void fill_table(ipfw_insn *cmd, char *av, uint8_t opcode, struct tidx *tstate) { @@ -3606,7 +3628,6 @@ compile_rule(char *av[], uint32_t *rbuf, int *rbufsize, struct tidx *tstate) break; } else goto chkarg; - case TOK_QUEUE: action->opcode = O_QUEUE; goto chkarg; @@ -3739,8 +3760,8 @@ chkarg: p->sa.sin6_family = AF_INET6; p->sa.sin6_port = port_number; p->sa.sin6_flowinfo = 0; - p->sa.sin6_scope_id = 0; - /* No table support for v6 yet. */ + p->sa.sin6_scope_id = + ((struct sockaddr_in6 *)&result)->sin6_scope_id; bcopy(&((struct sockaddr_in6*)&result)->sin6_addr, &p->sa.sin6_addr, sizeof(p->sa.sin6_addr)); } else { @@ -4651,6 +4672,101 @@ done: *rbufsize = (char *)dst - (char *)rule; } +static int +compare_ntlv(const void *_a, const void *_b) +{ + ipfw_obj_ntlv *a, *b; + + a = (ipfw_obj_ntlv *)_a; + b = (ipfw_obj_ntlv *)_b; + + if (a->set < b->set) + return (-1); + else if (a->set > b->set) + return (1); + + if (a->idx < b->idx) + return (-1); + else if (a->idx > b->idx) + return (1); + + if (a->head.type < b->head.type) + return (-1); + else if (a->head.type > b->head.type) + return (1); + + return (0); +} + +/* + * Provide kernel with sorted list of referenced objects + */ +static void +object_sort_ctlv(ipfw_obj_ctlv *ctlv) +{ + + qsort(ctlv + 1, ctlv->count, ctlv->objsize, compare_ntlv); +} + +struct object_kt { + uint16_t uidx; + uint16_t type; +}; +static int +compare_object_kntlv(const void *k, const void *v) +{ + ipfw_obj_ntlv *ntlv; + struct object_kt key; + + key = *((struct object_kt *)k); + ntlv = (ipfw_obj_ntlv *)v; + + if (key.uidx < ntlv->idx) + return (-1); + else if (key.uidx > ntlv->idx) + return (1); + + if (key.type < ntlv->head.type) + return (-1); + else if (key.type > ntlv->head.type) + return (1); + + return (0); +} + +/* + * Finds object name in @ctlv by @idx and @type. + * Uses the following facts: + * 1) All TLVs are the same size + * 2) Kernel implementation provides already sorted list. + * + * Returns table name or NULL. + */ +static char * +object_search_ctlv(ipfw_obj_ctlv *ctlv, uint16_t idx, uint16_t type) +{ + ipfw_obj_ntlv *ntlv; + struct object_kt key; + + key.uidx = idx; + key.type = type; + + ntlv = bsearch(&key, (ctlv + 1), ctlv->count, ctlv->objsize, + compare_object_kntlv); + + if (ntlv != 0) + return (ntlv->name); + + return (NULL); +} + +static char * +table_search_ctlv(ipfw_obj_ctlv *ctlv, uint16_t idx) +{ + + return (object_search_ctlv(ctlv, idx, IPFW_TLV_TBL_NAME)); +} + /* * Adds one or more rules to ipfw chain. * Data layout: @@ -4719,7 +4835,7 @@ ipfw_add(char *av[]) ctlv->count = ts.count; ctlv->objsize = sizeof(ipfw_obj_ntlv); memcpy(ctlv + 1, ts.idx, tlen); - table_sort_ctlv(ctlv); + object_sort_ctlv(ctlv); tstate = ctlv; /* Rule next */ ctlv = (ipfw_obj_ctlv *)((caddr_t)ctlv + ctlv->head.length); diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h index 80970ef..5a08321 100644 --- a/sbin/ipfw/ipfw2.h +++ b/sbin/ipfw/ipfw2.h @@ -344,8 +344,6 @@ int fill_ext6hdr(struct _ipfw_insn *cmd, char *av); /* tables.c */ struct _ipfw_obj_ctlv; -char *table_search_ctlv(struct _ipfw_obj_ctlv *ctlv, uint16_t idx); -void table_sort_ctlv(struct _ipfw_obj_ctlv *ctlv); int table_check_name(char *tablename); void ipfw_list_ta(int ac, char *av[]); void ipfw_list_values(int ac, char *av[]); diff --git a/sbin/ipfw/nat.c b/sbin/ipfw/nat.c index 3bd0259..184b172 100644 --- a/sbin/ipfw/nat.c +++ b/sbin/ipfw/nat.c @@ -163,9 +163,9 @@ set_addr_dynamic(const char *ifn, struct nat44_cfg_nat *n) } } if (sin == NULL) - errx(1, "%s: cannot get interface address", ifn); - - n->ip = sin->sin_addr; + n->ip.s_addr = htonl(INADDR_ANY); + else + n->ip = sin->sin_addr; strncpy(n->if_name, ifn, IF_NAMESIZE); free(buf); @@ -1008,11 +1008,10 @@ nat_foreach(nat_cb_t *f, void *arg, int sort) olh->size = sz; if (do_get3(IP_FW_NAT44_LIST_NAT, &olh->opheader, &sz) != 0) { + sz = olh->size; free(olh); - if (errno == ENOMEM) { - sz = olh->size; + if (errno == ENOMEM) continue; - } return (errno); } diff --git a/sbin/ipfw/tables.c b/sbin/ipfw/tables.c index 4829fec..b3473fc 100644 --- a/sbin/ipfw/tables.c +++ b/sbin/ipfw/tables.c @@ -35,6 +35,7 @@ #include <netinet/in.h> #include <netinet/ip_fw.h> #include <arpa/inet.h> +#include <netdb.h> #include "ipfw2.h" @@ -714,6 +715,7 @@ table_print_valheader(char *buf, size_t bufsize, uint32_t vmask) return; } + memset(buf, 0, bufsize); print_flags_buffer(buf, bufsize, tablevaltypes, vmask); } @@ -1308,6 +1310,63 @@ tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type, tentry->masklen = masklen; } +/* + * Tries to guess table key type. + * This procedure is used in legacy table auto-create + * code AND in `ipfw -n` ruleset checking. + * + * Imported from old table_fill_xentry() parse code. + */ +static int +guess_key_type(char *key, uint8_t *ptype) +{ + char *p; + struct in6_addr addr; + uint32_t kv; + + if (ishexnumber(*key) != 0 || *key == ':') { + /* Remove / if exists */ + if ((p = strchr(key, '/')) != NULL) + *p = '\0'; + + if ((inet_pton(AF_INET, key, &addr) == 1) || + (inet_pton(AF_INET6, key, &addr) == 1)) { + *ptype = IPFW_TABLE_CIDR; + if (p != NULL) + *p = '/'; + return (0); + } else { + /* Port or any other key */ + /* Skip non-base 10 entries like 'fa1' */ + kv = strtol(key, &p, 10); + if (*p == '\0') { + *ptype = IPFW_TABLE_NUMBER; + return (0); + } else if ((p != key) && (*p == '.')) { + /* + * Warn on IPv4 address strings + * which are "valid" for inet_aton() but not + * in inet_pton(). + * + * Typical examples: '10.5' or '10.0.0.05' + */ + return (1); + } + } + } + + if (strchr(key, '.') == NULL) { + *ptype = IPFW_TABLE_INTERFACE; + return (0); + } + + if (lookup_host(key, (struct in_addr *)&addr) != 0) + return (1); + + *ptype = IPFW_TABLE_CIDR; + return (0); +} + static void tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key, int add, uint8_t *ptype, uint32_t *pvmask, ipfw_xtable_info *xi) @@ -1315,7 +1374,6 @@ tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key, uint8_t type, tflags; uint32_t vmask; int error; - char *del; type = 0; tflags = 0; @@ -1327,10 +1385,24 @@ tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key, error = 0; if (error == 0) { - /* Table found. */ - type = xi->type; - tflags = xi->tflags; - vmask = xi->vmask; + if (co.test_only == 0) { + /* Table found */ + type = xi->type; + tflags = xi->tflags; + vmask = xi->vmask; + } else { + /* + * we're running `ipfw -n` + * Compability layer: try to guess key type + * before failing. + */ + if (guess_key_type(key, &type) != 0) { + /* Inknown key */ + errx(EX_USAGE, "Cannot guess " + "key '%s' type", key); + } + vmask = IPFW_VTYPE_LEGACY; + } } else { if (error != ESRCH) errx(EX_OSERR, "Error requesting table %s info", @@ -1339,24 +1411,16 @@ tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key, errx(EX_DATAERR, "Table %s does not exist", oh->ntlv.name); /* - * Table does not exist. - * Compability layer: try to interpret data as ADDR - * before failing. + * Table does not exist + * Compability layer: try to guess key type before failing. */ - if ((del = strchr(key, '/')) != NULL) - *del = '\0'; - if (inet_pton(AF_INET, key, &tent->k.addr6) == 1 || - inet_pton(AF_INET6, key, &tent->k.addr6) == 1) { - /* OK Prepare and send */ - type = IPFW_TABLE_ADDR; - vmask = IPFW_VTYPE_LEGACY; - } else { + if (guess_key_type(key, &type) != 0) { /* Inknown key */ errx(EX_USAGE, "Table %s does not exist, cannot guess " "key '%s' type", oh->ntlv.name, key); } - if (del != NULL) - *del = '/'; + + vmask = IPFW_VTYPE_LEGACY; } tentry_fill_key_type(key, tent, type, tflags); @@ -1384,6 +1448,7 @@ static void tentry_fill_value(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *arg, uint8_t type, uint32_t vmask) { + struct addrinfo hints, *res; uint32_t a4, flag, val, vm; ipfw_table_value *v; uint32_t i; @@ -1494,9 +1559,19 @@ tentry_fill_value(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *arg, } break; case IPFW_VTYPE_NH6: - if (strchr(n, ':') != NULL && - inet_pton(AF_INET6, n, &v->nh6) == 1) - break; + if (strchr(n, ':') != NULL) { + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET6; + hints.ai_flags = AI_NUMERICHOST; + if (getaddrinfo(n, NULL, &hints, &res) == 0) { + v->nh6 = ((struct sockaddr_in6 *) + res->ai_addr)->sin6_addr; + v->zoneid = ((struct sockaddr_in6 *) + res->ai_addr)->sin6_scope_id; + freeaddrinfo(res); + break; + } + } etype = "ipv6"; break; } @@ -1643,10 +1718,11 @@ static void table_show_value(char *buf, size_t bufsize, ipfw_table_value *v, uint32_t vmask, int print_ip) { + char abuf[INET6_ADDRSTRLEN + IF_NAMESIZE + 2]; + struct sockaddr_in6 sa6; uint32_t flag, i, l; size_t sz; struct in_addr a4; - char abuf[INET6_ADDRSTRLEN]; sz = bufsize; @@ -1702,8 +1778,15 @@ table_show_value(char *buf, size_t bufsize, ipfw_table_value *v, l = snprintf(buf, sz, "%d,", v->dscp); break; case IPFW_VTYPE_NH6: - inet_ntop(AF_INET6, &v->nh6, abuf, sizeof(abuf)); - l = snprintf(buf, sz, "%s,", abuf); + sa6.sin6_family = AF_INET6; + sa6.sin6_len = sizeof(sa6); + sa6.sin6_addr = v->nh6; + sa6.sin6_port = 0; + sa6.sin6_scope_id = v->zoneid; + if (getnameinfo((const struct sockaddr *)&sa6, + sa6.sin6_len, abuf, sizeof(abuf), NULL, 0, + NI_NUMERICHOST) == 0) + l = snprintf(buf, sz, "%s,", abuf); break; } @@ -1862,11 +1945,12 @@ struct _table_value { uint32_t nat; /* O_NAT */ uint32_t nh4; uint8_t dscp; - uint8_t spare0[3]; + uint8_t spare0; + uint16_t spare1; /* -- 32 bytes -- */ struct in6_addr nh6; uint32_t limit; /* O_LIMIT */ - uint32_t spare1; + uint32_t zoneid; uint64_t refcnt; /* Number of references */ }; @@ -1916,73 +2000,6 @@ ipfw_list_values(int ac, char *av[]) } int -compare_ntlv(const void *_a, const void *_b) -{ - ipfw_obj_ntlv *a, *b; - - a = (ipfw_obj_ntlv *)_a; - b = (ipfw_obj_ntlv *)_b; - - if (a->set < b->set) - return (-1); - else if (a->set > b->set) - return (1); - - if (a->idx < b->idx) - return (-1); - else if (a->idx > b->idx) - return (1); - - return (0); -} - -int -compare_kntlv(const void *k, const void *v) -{ - ipfw_obj_ntlv *ntlv; - uint16_t key; - - key = *((uint16_t *)k); - ntlv = (ipfw_obj_ntlv *)v; - - if (key < ntlv->idx) - return (-1); - else if (key > ntlv->idx) - return (1); - - return (0); -} - -/* - * Finds table name in @ctlv by @idx. - * Uses the following facts: - * 1) All TLVs are the same size - * 2) Kernel implementation provides already sorted list. - * - * Returns table name or NULL. - */ -char * -table_search_ctlv(ipfw_obj_ctlv *ctlv, uint16_t idx) -{ - ipfw_obj_ntlv *ntlv; - - ntlv = bsearch(&idx, (ctlv + 1), ctlv->count, ctlv->objsize, - compare_kntlv); - - if (ntlv != 0) - return (ntlv->name); - - return (NULL); -} - -void -table_sort_ctlv(ipfw_obj_ctlv *ctlv) -{ - - qsort(ctlv + 1, ctlv->count, ctlv->objsize, compare_ntlv); -} - -int table_check_name(char *tablename) { int c, i, l; |