From 5a973d30653a0d2ce9d1bca438ae120ce1294ac2 Mon Sep 17 00:00:00 2001 From: shin Date: Sat, 29 Jan 2000 13:54:44 +0000 Subject: Add ip6fw. Yes it is almost code freeze, but as the result of many thought, now I think this should be added before 4.0... make world check, kernel build check is done. Reviewed by: green Obtained from: KAME project --- sbin/ip6fw/Makefile | 6 + sbin/ip6fw/ip6fw.8 | 478 +++++++++++++++++++ sbin/ip6fw/ip6fw.c | 1290 ++++++++++++++++++++++++++++++++++++++++++++++++++ sbin/ip6fw/sample.sh | 28 ++ 4 files changed, 1802 insertions(+) create mode 100644 sbin/ip6fw/Makefile create mode 100644 sbin/ip6fw/ip6fw.8 create mode 100644 sbin/ip6fw/ip6fw.c create mode 100644 sbin/ip6fw/sample.sh (limited to 'sbin/ip6fw') diff --git a/sbin/ip6fw/Makefile b/sbin/ip6fw/Makefile new file mode 100644 index 0000000..975aef5 --- /dev/null +++ b/sbin/ip6fw/Makefile @@ -0,0 +1,6 @@ +# $FreeBSD$ + +PROG= ip6fw +MAN8= ip6fw.8 + +.include diff --git a/sbin/ip6fw/ip6fw.8 b/sbin/ip6fw/ip6fw.8 new file mode 100644 index 0000000..7a90ca9 --- /dev/null +++ b/sbin/ip6fw/ip6fw.8 @@ -0,0 +1,478 @@ +.\" +.\" $FreeBSD$ +.\" +.Dd July 20, 1996 +.Dt IP6FW 8 SMM +.Os FreeBSD +.Sh NAME +.Nm ip6fw +.Nd controlling utility for IPv6 firewall +.Sh SYNOPSIS +.Nm +.Ar file +.Nm ip6fw +.Oo +.Fl f +| +.Fl q +.Oc +flush +.Nm ip6fw +.Oo +.Fl q +.Oc +zero +.Op Ar number ... +.Nm ip6fw +delete +.Ar number ... +.Nm ip6fw +.Op Fl aftN +list +.Op Ar number ... +.Nm ip6fw +.Oo +.Fl ftN +.Oc +show +.Op Ar number ... +.Nm ip6fw +.Oo +.Fl q +.Oc +add +.Op Ar number +.Ar action +.Op log +.Ar proto +from +.Ar src +to +.Ar dst +.Op via Ar name | ipv6no +.Op Ar options +.Sh DESCRIPTION +If used as shown in the first synopsis line, the +.Ar file +will be read line by line and applied as arguments to the +.Nm +command. +.Pp +The +.Nm +code works by going through the rule-list for each packet, +until a match is found. +All rules have two associated counters, a packet count and +a byte count. +These counters are updated when a packet matches the rule. +.Pp +The rules are ordered by a ``line-number'' from 1 to 65534 that is used +to order and delete rules. Rules are tried in increasing order, and the +first rule that matches a packet applies. +Multiple rules may share the same number and apply in +the order in which they were added. +.Pp +If a rule is added without a number, it is numbered 100 higher +than the previous rule. If the highest defined rule number is +greater than 65434, new rules are appended to the last rule. +.Pp +The delete operation deletes the first rule with number +.Ar number , +if any. +.Pp +The list command prints out the current rule set. +.Pp +The show command is equivalent to `ip6fw -a list'. +.Pp +The zero operation zeroes the counters associated with rule number +.Ar number . +.Pp +The flush operation removes all rules. +.Pp +Any command beginning with a '#', or being all blank, is ignored. +.Pp +One rule is always present: +.Bd -literal -offset center +65535 deny all from any to any +.Ed +.Pp +This rule is the default policy, i.e., don't allow anything at all. +Your job in setting up rules is to modify this policy to match your +needs. +.Pp +The following options are available: +.Bl -tag -width flag +.It Fl a +While listing, show counter values. See also ``show'' command. +.It Fl f +Don't ask for confirmation for commands that can cause problems if misused +(ie; flush). +.Ar Note , +if there is no tty associated with the process, this is implied. +.It Fl q +While adding, zeroing or flushing, be quiet about actions (implies '-f'). +This is useful for adjusting rules by executing multiple ip6fw commands in a +script (e.g. sh /etc/rc.firewall), or by processing a file of many ip6fw rules, +across a remote login session. If a flush is performed in normal +(verbose) mode, it prints a message. Because all rules are flushed, the +message cannot be delivered to the login session, the login session is +closed and the remainder of the ruleset is not processed. Access to the +console is required to recover. +.It Fl t +While listing, show last match timestamp. +.It Fl N +Try to resolve addresses and service names in output. +.El +.Pp +.Ar action : +.Bl -hang -offset flag -width 1234567890123456 +.It Ar allow +Allow packets that match rule. +The search terminates. Aliases are +.Ar pass , +.Ar permit , +and +.Ar accept . +.It Ar deny +Discard packets that match this rule. +The search terminates. +.Ar Drop +is an alias for +.Ar deny . +.It Ar reject +(Deprecated.) Discard packets that match this rule, and try to send an ICMPv6 +host unreachable notice. +The search terminates. +.It Ar unreach code +Discard packets that match this rule, and try to send an ICMPv6 +unreachable notice with code +.Ar code , +where +.Ar code +is a number from zero to 255, or one of these aliases: +.Ar noroute , +.Ar admin , +.Ar notneighbor , +.Ar addr , +or +.Ar noport , +The search terminates. +.It Ar reset +TCP packets only. Discard packets that match this rule, +and try to send a TCP reset (RST) notice. +The search terminates +.Em (not working yet). +.It Ar count +Update counters for all packets that match rule. +The search continues with the next rule. +.It Ar skipto number +Skip all subsequent rules numbered less than +.Ar number . +The search continues with the first rule numbered +.Ar number +or higher. +.El +.Pp +If the kernel was compiled with +.Dv IP6FIREWALL_VERBOSE , +then when a packet matches a rule with the ``log'' +keyword a message will be printed on the console. +If the kernel was compiled with the +.Dv IP6FIREWALL_VERBOSE_LIMIT +option, then logging will cease after the number of packets +specified by the option are received for that particular +chain entry. Logging may then be re-enabled by clearing +the packet counter for that entry. +.Pp +Console logging and the log limit are adjustable dynamically +through the +.Xr sysctl 8 +interface. +.Pp +.Ar proto : +.Bl -hang -offset flag -width 1234567890123456 +.It Ar ipv6 +All packets match. The alias +.Ar all +has the same effect. +.It Ar tcp +Only TCP packets match. +.It Ar udp +Only UDP packets match. +.It Ar ipv6-icmp +Only ICMPv6 packets match. +.It Ar +Only packets for the specified protocol matches (see +.Pa /etc/protocols +for a complete list). +.El +.Pp +.Ar src +and +.Ar dst : +.Bl -hang -offset flag +.It Ar
+.Op Ar ports +.El +.Pp +The +.Em
+may be specified as: +.Bl -hang -offset flag -width 1234567890123456 +.It Ar ipv6no +An ipv6number of the form fec0::1:2:3:4. +.It Ar ipv6no/prefixlen +An ipv6number with a prefix length of the form fec0::1:2:3:4/112. +.El +.Pp +The sense of the match can be inverted by preceding an address with the +``not'' modifier, causing all other addresses to be matched instead. This +does not affect the selection of port numbers. +.Pp +With the TCP and UDP protocols, optional +.Em ports +may be specified as: +.Pp +.Bl -hang -offset flag +.It Ns {port|port-port} Ns Op ,port Ns Op ,... +.El +.Pp +Service names (from +.Pa /etc/services ) +may be used instead of numeric port values. +A range may only be specified as the first value, +and the length of the port list is limited to +.Dv IP6_FW_MAX_PORTS +(as defined in +.Pa /usr/src/sys/netinet/ip6_fw.h ) +ports. +.Pp +Fragmented packets which have a non-zero offset (i.e. not the first +fragment) will never match a rule which has one or more port +specifications. See the +.Ar frag +option for details on matching fragmented packets. +.Pp +Rules can apply to packets when they are incoming, or outgoing, or both. +The +.Ar in +keyword indicates the rule should only match incoming packets. +The +.Ar out +keyword indicates the rule should only match outgoing packets. +.Pp +To match packets going through a certain interface, specify +the interface using +.Ar via : +.Bl -hang -offset flag -width 1234567890123456 +.It Ar via ifX +Packet must be going through interface +.Ar ifX. +.It Ar via if* +Packet must be going through interface +.Ar ifX , +where X is any unit number. +.It Ar via any +Packet must be going through +.Em some +interface. +.It Ar via ipv6no +Packet must be going through the interface having IPv6 address +.Ar ipv6no . +.El +.Pp +The +.Ar via +keyword causes the interface to always be checked. +If +.Ar recv +or +.Ar xmit +is used instead of +.Ar via , +then the only receive or transmit interface (respectively) is checked. +By specifying both, it is possible to match packets based on both receive +and transmit interface, e.g.: +.Pp +.Dl "ip6fw add 100 deny ip from any to any out recv ed0 xmit ed1" +.Pp +The +.Ar recv +interface can be tested on either incoming or outgoing packets, while the +.Ar xmit +interface can only be tested on outgoing packets. So +.Ar out +is required (and +.Ar in +invalid) whenver +.Ar xmit +is used. Specifying +.Ar via +together with +.Ar xmit +or +.Ar recv +is invalid. +.Pp +A packet may not have a receive or transmit interface: packets originating +from the local host have no receive interface. while packets destined for +the local host have no transmit interface. +.Pp +Additional +.Ar options : +.Bl -hang -offset flag -width 1234567890123456 +.It frag +Matches if the packet is a fragment and this is not the first fragment +of the datagram. +.Ar frag +may not be used in conjunction with either +.Ar tcpflags +or TCP/UDP port specifications. +.It in +Matches if this packet was on the way in. +.It out +Matches if this packet was on the way out. +.It ipv6options Ar spec +Matches if the IPv6 header contains the comma separated list of +options specified in +.Ar spec . +The supported IPv6 options are: +.Ar hopopt +(hop-by-hop options header), +.Ar route +(routing header), +.Ar frag +(fragment header), +.Ar esp +(encapsulating security payload), +.Ar ah +(authentication header), +.Ar nonxt +(no next header), and +.Ar opts +(destination options header). +The absence of a particular option may be denoted +with a ``!'' +.Em (not working yet). +.It established +Matches packets that have the RST or ACK bits set. +TCP packets only. +.It setup +Matches packets that have the SYN bit set but no ACK bit. +TCP packets only. +.It tcpflags Ar spec +Matches if the TCP header contains the comma separated list of +flags specified in +.Ar spec . +The supported TCP flags are: +.Ar fin , +.Ar syn , +.Ar rst , +.Ar psh , +.Ar ack , +and +.Ar urg . +The absence of a particular flag may be denoted +with a ``!''. +A rule which contains a +.Ar tcpflags +specification can never match a fragmented packet which has +a non-zero offset. See the +.Ar frag +option for details on matching fragmented packets. +.It icmptypes Ar types +Matches if the ICMPv6 type is in the list +.Ar types . +The list may be specified as any combination of ranges +or individual types separated by commas. +.El +.Sh CHECKLIST +Here are some important points to consider when designing your +rules: +.Bl -bullet -hang -offset flag +.It +Remember that you filter both packets going in and out. +Most connections need packets going in both directions. +.It +Remember to test very carefully. +It is a good idea to be near the console when doing this. +.It +Don't forget the loopback interface. +.El +.Sh FINE POINTS +There is one kind of packet that the firewall will always discard, +that is an IPv6 fragment with a fragment offset of one. +This is a valid packet, but it only has one use, to try to circumvent +firewalls. +.Pp +If you are logged in over a network, loading the LKM version of +.Nm +is probably not as straightforward as you would think +.Em (not supported). +I recommend this command line: +.Bd -literal -offset center +modload /lkm/ip6fw_mod.o && \e +ip6fw add 32000 allow all from any to any +.Ed +.Pp +Along the same lines, doing an +.Bd -literal -offset center +ip6fw flush +.Ed +.Pp +in similar surroundings is also a bad idea. +.Sh PACKET DIVERSION +not supported. +.Sh EXAMPLES +This command adds an entry which denies all tcp packets from +.Em hacker.evil.org +to the telnet port of +.Em wolf.tambov.su +from being forwarded by the host: +.Pp +.Dl ip6fw add deny tcp from hacker.evil.org to wolf.tambov.su 23 +.Pp +This one disallows any connection from the entire hackers network to +my host: +.Pp +.Dl ip6fw addf deny all from fec0::123:45:67:0/112 to my.host.org +.Pp +Here is a good usage of the list command to see accounting records +and timestamp information: +.Pp +.Dl ip6fw -at l +.Pp +or in short form without timestamps: +.Pp +.Dl ip6fw -a l +.Pp +.Sh SEE ALSO +.Xr ip 4 , +.Xr ipfirewall 4 , +.Xr protocols 5 , +.Xr services 5 , +.Xr reboot 8 , +.Xr syslogd 8 , +.Xr sysctl 8 +.Sh BUGS +.Pp +.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! +.Pp +This program can put your computer in rather unusable state. When +using it for the first time, work on the console of the computer, and +do +.Em NOT +do anything you don't understand. +.Pp +When manipulating/adding chain entries, service and protocol names are +not accepted. +.Sh AUTHORS +Ugen J. S. Antsilevich, +Poul-Henning Kamp, +Alex Nash, +Archie Cobbs. +API based upon code written by Daniel Boulet for BSDI. +.Sh HISTORY +.Nm +first appeared in +.Fx 2.0 . diff --git a/sbin/ip6fw/ip6fw.c b/sbin/ip6fw/ip6fw.c new file mode 100644 index 0000000..9c3a7e5 --- /dev/null +++ b/sbin/ip6fw/ip6fw.c @@ -0,0 +1,1290 @@ +/* + * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp + * Copyright (c) 1994 Ugen J.S.Antsilevich + * + * Idea and grammar partially left from: + * Copyright (c) 1993 Daniel Boulet + * + * Redistribution and use in source forms, with and without modification, + * are permitted provided that this entire comment appears intact. + * + * Redistribution in binary form may occur without any restrictions. + * Obviously, it would be nice if you gave credit where credit is due + * but requiring it would be too onerous. + * + * This software is provided ``AS IS'' without any warranties of any kind. + * + * NEW command line interface for IP firewall facility + * + * $Id: ip6fw.c,v 1.1.2.2.2.2 1999/05/14 05:13:50 shin Exp $ + * $FreeBSD$ + */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +int lineno = -1; + +int s; /* main RAW socket */ +int do_resolv=0; /* Would try to resolv all */ +int do_acct=0; /* Show packet/byte count */ +int do_time=0; /* Show time stamps */ +int do_quiet=0; /* Be quiet in add and flush */ +int do_force=0; /* Don't ask for confirmation */ + +struct icmpcode { + int code; + char *str; +}; + +static struct icmpcode icmp6codes[] = { + { ICMP6_DST_UNREACH_NOROUTE, "noroute" }, + { ICMP6_DST_UNREACH_ADMIN, "admin" }, + { ICMP6_DST_UNREACH_NOTNEIGHBOR, "notneighbor" }, + { ICMP6_DST_UNREACH_ADDR, "addr" }, + { ICMP6_DST_UNREACH_NOPORT, "noport" }, + { 0, NULL } +}; + +static char ntop_buf[INET6_ADDRSTRLEN]; + +static void show_usage(const char *fmt, ...); + +static int +mask_bits(u_char *m_ad, int m_len) +{ + int h_num = 0,i; + + for (i = 0; i < m_len; i++, m_ad++) { + if (*m_ad != 0xff) + break; + h_num += 8; + } + if (i < m_len) { + switch (*m_ad) { +#define MASKLEN(m, l) case m: h_num += l; break + MASKLEN(0xfe, 7); + MASKLEN(0xfc, 6); + MASKLEN(0xf8, 5); + MASKLEN(0xf0, 4); + MASKLEN(0xe0, 3); + MASKLEN(0xc0, 2); + MASKLEN(0x80, 1); +#undef MASKLEN + } + } + return h_num; +} + +static int pl2m[9] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff }; + +struct in6_addr *plen2mask(int n) +{ + static struct in6_addr ia; + u_char *p; + int i; + + memset(&ia, 0, sizeof(struct in6_addr)); + p = (u_char *)&ia; + for (i = 0; i < 16; i++, p++, n -= 8) { + if (n >= 8) { + *p = 0xff; + continue; + } + *p = pl2m[n]; + break; + } + return &ia; +} + +void +print_port(prot, port, comma) + u_char prot; + u_short port; + const char *comma; +{ + struct servent *se; + struct protoent *pe; + const char *protocol; + int printed = 0; + + if (do_resolv) { + pe = getprotobynumber(prot); + if (pe) + protocol = pe->p_name; + else + protocol = NULL; + + se = getservbyport(htons(port), protocol); + if (se) { + printf("%s%s", comma, se->s_name); + printed = 1; + } + } + if (!printed) + printf("%s%d",comma,port); +} + +static void +print_iface(char *key, union ip6_fw_if *un, int byname) +{ + char ifnb[FW_IFNLEN+1]; + + if (byname) { + strncpy(ifnb, un->fu_via_if.name, FW_IFNLEN); + ifnb[FW_IFNLEN]='\0'; + if (un->fu_via_if.unit == -1) + printf(" %s %s*", key, ifnb); + else + printf(" %s %s%d", key, ifnb, un->fu_via_if.unit); + } else if (!IN6_IS_ADDR_UNSPECIFIED(&un->fu_via_ip6)) { + printf(" %s %s", key, inet_ntop(AF_INET6,&un->fu_via_ip6,ntop_buf,sizeof(ntop_buf))); + } else + printf(" %s any", key); +} + +static void +print_reject_code(int code) +{ + struct icmpcode *ic; + + for (ic = icmp6codes; ic->str; ic++) + if (ic->code == code) { + printf("%s", ic->str); + return; + } + printf("%u", code); +} + +static void +show_ip6fw(struct ip6_fw *chain) +{ + char *comma; + struct hostent *he; + struct protoent *pe; + int i, mb; + int nsp = IPV6_FW_GETNSRCP(chain); + int ndp = IPV6_FW_GETNDSTP(chain); + + if (do_resolv) + setservent(1/*stayopen*/); + + printf("%05u ", chain->fw_number); + + if (do_acct) + printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt); + + if (do_time) + { + if (chain->timestamp) + { + char timestr[30]; + + strcpy(timestr, ctime((time_t *)&chain->timestamp)); + *strchr(timestr, '\n') = '\0'; + printf("%s ", timestr); + } + else + printf(" "); + } + + switch (chain->fw_flg & IPV6_FW_F_COMMAND) + { + case IPV6_FW_F_ACCEPT: + printf("allow"); + break; + case IPV6_FW_F_DENY: + printf("deny"); + break; + case IPV6_FW_F_COUNT: + printf("count"); + break; + case IPV6_FW_F_DIVERT: + printf("divert %u", chain->fw_divert_port); + break; + case IPV6_FW_F_TEE: + printf("tee %u", chain->fw_divert_port); + break; + case IPV6_FW_F_SKIPTO: + printf("skipto %u", chain->fw_skipto_rule); + break; + case IPV6_FW_F_REJECT: + if (chain->fw_reject_code == IPV6_FW_REJECT_RST) + printf("reset"); + else { + printf("unreach "); + print_reject_code(chain->fw_reject_code); + } + break; + default: + errx(1, "impossible"); + } + + if (chain->fw_flg & IPV6_FW_F_PRN) + printf(" log"); + + pe = getprotobynumber(chain->fw_prot); + if (pe) + printf(" %s", pe->p_name); + else + printf(" %u", chain->fw_prot); + + printf(" from %s", chain->fw_flg & IPV6_FW_F_INVSRC ? "not " : ""); + + mb=mask_bits((u_char *)&chain->fw_smsk,sizeof(chain->fw_smsk)); + if (mb==128 && do_resolv) { + he=gethostbyaddr((char *)&(chain->fw_src),sizeof(chain->fw_src),AF_INET6); + if (he==NULL) { + printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf))); + } else + printf("%s",he->h_name); + } else { + if (mb!=128) { + if (mb == 0) { + printf("any"); + } else { + printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf))); + printf("/%d",mb); + } + } else + printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf))); + } + + if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) { + comma = " "; + for (i = 0; i < nsp; i++) { + print_port(chain->fw_prot, chain->fw_pts[i], comma); + if (i==0 && (chain->fw_flg & IPV6_FW_F_SRNG)) + comma = "-"; + else + comma = ","; + } + } + + printf(" to %s", chain->fw_flg & IPV6_FW_F_INVDST ? "not " : ""); + + mb=mask_bits((u_char *)&chain->fw_dmsk,sizeof(chain->fw_dmsk)); + if (mb==128 && do_resolv) { + he=gethostbyaddr((char *)&(chain->fw_dst),sizeof(chain->fw_dst),AF_INET); + if (he==NULL) { + printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf))); + } else + printf("%s",he->h_name); + } else { + if (mb!=128) { + if (mb == 0) { + printf("any"); + } else { + printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf))); + printf("/%d",mb); + } + } else + printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf))); + } + + if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) { + comma = " "; + for (i = 0; i < ndp; i++) { + print_port(chain->fw_prot, chain->fw_pts[nsp+i], comma); + if (i==0 && (chain->fw_flg & IPV6_FW_F_DRNG)) + comma = "-"; + else + comma = ","; + } + } + + /* Direction */ + if ((chain->fw_flg & IPV6_FW_F_IN) && !(chain->fw_flg & IPV6_FW_F_OUT)) + printf(" in"); + if (!(chain->fw_flg & IPV6_FW_F_IN) && (chain->fw_flg & IPV6_FW_F_OUT)) + printf(" out"); + + /* Handle hack for "via" backwards compatibility */ + if ((chain->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) { + print_iface("via", + &chain->fw_in_if, chain->fw_flg & IPV6_FW_F_IIFNAME); + } else { + /* Receive interface specified */ + if (chain->fw_flg & IPV6_FW_F_IIFACE) + print_iface("recv", &chain->fw_in_if, + chain->fw_flg & IPV6_FW_F_IIFNAME); + /* Transmit interface specified */ + if (chain->fw_flg & IPV6_FW_F_OIFACE) + print_iface("xmit", &chain->fw_out_if, + chain->fw_flg & IPV6_FW_F_OIFNAME); + } + + if (chain->fw_flg & IPV6_FW_F_FRAG) + printf(" frag"); + + if (chain->fw_ip6opt || chain->fw_ip6nopt) { + int _opt_printed = 0; +#define PRINTOPT(x) {if (_opt_printed) printf(",");\ + printf(x); _opt_printed = 1;} + + printf(" ip6opt "); + if (chain->fw_ip6opt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("hopopt"); + if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("!hopopt"); + if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("route"); + if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("!route"); + if (chain->fw_ip6opt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("frag"); + if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("!frag"); + if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ESP) PRINTOPT("esp"); + if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ESP) PRINTOPT("!esp"); + if (chain->fw_ip6opt & IPV6_FW_IP6OPT_AH) PRINTOPT("ah"); + if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_AH) PRINTOPT("!ah"); + if (chain->fw_ip6opt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("nonxt"); + if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("!nonxt"); + if (chain->fw_ip6opt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("opts"); + if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("!opts"); + } + + if (chain->fw_tcpf & IPV6_FW_TCPF_ESTAB) + printf(" established"); + else if (chain->fw_tcpf == IPV6_FW_TCPF_SYN && + chain->fw_tcpnf == IPV6_FW_TCPF_ACK) + printf(" setup"); + else if (chain->fw_tcpf || chain->fw_tcpnf) { + int _flg_printed = 0; +#define PRINTFLG(x) {if (_flg_printed) printf(",");\ + printf(x); _flg_printed = 1;} + + printf(" tcpflg "); + if (chain->fw_tcpf & IPV6_FW_TCPF_FIN) PRINTFLG("fin"); + if (chain->fw_tcpnf & IPV6_FW_TCPF_FIN) PRINTFLG("!fin"); + if (chain->fw_tcpf & IPV6_FW_TCPF_SYN) PRINTFLG("syn"); + if (chain->fw_tcpnf & IPV6_FW_TCPF_SYN) PRINTFLG("!syn"); + if (chain->fw_tcpf & IPV6_FW_TCPF_RST) PRINTFLG("rst"); + if (chain->fw_tcpnf & IPV6_FW_TCPF_RST) PRINTFLG("!rst"); + if (chain->fw_tcpf & IPV6_FW_TCPF_PSH) PRINTFLG("psh"); + if (chain->fw_tcpnf & IPV6_FW_TCPF_PSH) PRINTFLG("!psh"); + if (chain->fw_tcpf & IPV6_FW_TCPF_ACK) PRINTFLG("ack"); + if (chain->fw_tcpnf & IPV6_FW_TCPF_ACK) PRINTFLG("!ack"); + if (chain->fw_tcpf & IPV6_FW_TCPF_URG) PRINTFLG("urg"); + if (chain->fw_tcpnf & IPV6_FW_TCPF_URG) PRINTFLG("!urg"); + } + if (chain->fw_flg & IPV6_FW_F_ICMPBIT) { + int type_index; + int first = 1; + + printf(" icmptype"); + + for (type_index = 0; type_index < IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8; ++type_index) + if (chain->fw_icmp6types[type_index / (sizeof(unsigned) * 8)] & + (1U << (type_index % (sizeof(unsigned) * 8)))) { + printf("%c%d", first == 1 ? ' ' : ',', type_index); + first = 0; + } + } + printf("\n"); + if (do_resolv) + endservent(); +} + +void +list(ac, av) + int ac; + char **av; +{ + struct ip6_fw *r; + struct ip6_fw rules[1024]; + int l,i; + unsigned long rulenum; + int bytes; + + /* extract rules from kernel */ + memset(rules,0,sizeof rules); + bytes = sizeof rules; + i = getsockopt(s, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes); + if (i < 0) + err(2,"getsockopt(IPV6_FW_GET)"); + if (!ac) { + /* display all rules */ + for (r = rules, l = bytes; l >= sizeof rules[0]; + r++, l-=sizeof rules[0]) + show_ip6fw(r); + } + else { + /* display specific rules requested on command line */ + int exitval = 0; + + while (ac--) { + char *endptr; + int seen; + + /* convert command line rule # */ + rulenum = strtoul(*av++, &endptr, 10); + if (*endptr) { + exitval = 1; + warn("invalid rule number: %s", av[-1]); + continue; + } + seen = 0; + for (r = rules, l = bytes; + l >= sizeof rules[0] && r->fw_number <= rulenum; + r++, l-=sizeof rules[0]) + if (rulenum == r->fw_number) { + show_ip6fw(r); + seen = 1; + } + if (!seen) { + exitval = 1; + warnx("rule %lu does not exist", rulenum); + } + } + if (exitval != 0) + exit(exitval); + } +} + +static void +show_usage(const char *fmt, ...) +{ + if (fmt) { + char buf[100]; + va_list args; + + va_start(args, fmt); + vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); + warnx("error: %s", buf); + } + fprintf(stderr, "usage: ipfw6 [options]\n" +" flush\n" +" add [number] rule\n" +" delete number ...\n" +" list [number ...]\n" +" show [number ...]\n" +" zero [number ...]\n" +" rule: action proto src dst extras...\n" +" action:\n" +" {allow|permit|accept|pass|deny|drop|reject|unreach code|\n" +" reset|count|skipto num} [log]\n" +" proto: {ipv6|tcp|udp|ipv6-icmp|}\n" +" src: from [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n" +" dst: to [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n" +" extras:\n" +" fragment (may not be used with ports or tcpflags)\n" +" in\n" +" out\n" +" {xmit|recv|via} {iface|ipv6|any}\n" +" {established|setup}\n" +" tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n" +" ipv6options [!]{hopopt|route|frag|esp|ah|nonxt|opts},...\n" +" icmptypes {type[,type]}...\n"); + + exit(1); +} + +static int +lookup_host (host, addr, family) + char *host; + u_char *addr; +{ + struct hostent *he = gethostbyname2(host, family); + + if (!he) + return(-1); + + memcpy(addr, he->h_addr_list[0], he->h_length); + + return(0); +} + +void +fill_ip6(ipno, mask, acp, avp) + struct in6_addr *ipno, *mask; + int *acp; + char ***avp; +{ + int ac = *acp; + char **av = *avp; + char *p = 0, md = 0; + int i; + + if (ac && !strncmp(*av,"any",strlen(*av))) { + *ipno = *mask = in6addr_any; av++; ac--; + } else { + p = strchr(*av, '/'); + if (p) { + md = *p; + *p++ = '\0'; + } + + if (lookup_host(*av, ipno, AF_INET6) != 0) + show_usage("hostname ``%s'' unknown", *av); + switch (md) { + case '/': + if (atoi(p) == 0) { + *mask = in6addr_any; + } else if (atoi(p) > 128) { + show_usage("bad width ``%s''", p); + } else { + *mask = *(plen2mask(atoi(p))); + } + break; + default: + *mask = *(plen2mask(128)); + break; + } + for (i = 0; i < sizeof(*ipno); i++) + ipno->s6_addr[i] &= mask->s6_addr[i]; + av++; + ac--; + } + *acp = ac; + *avp = av; +} + +static void +fill_reject_code6(u_short *codep, char *str) +{ + struct icmpcode *ic; + u_long val; + char *s; + + val = strtoul(str, &s, 0); + if (s != str && *s == '\0' && val < 0x100) { + *codep = val; + return; + } + for (ic = icmp6codes; ic->str; ic++) + if (!strcasecmp(str, ic->str)) { + *codep = ic->code; + return; + } + show_usage("unknown ICMP6 unreachable code ``%s''", str); +} + +static void +add_port(cnt, ptr, off, port) + u_short *cnt, *ptr, off, port; +{ + if (off + *cnt >= IPV6_FW_MAX_PORTS) + errx(1, "too many ports (max is %d)", IPV6_FW_MAX_PORTS); + ptr[off+*cnt] = port; + (*cnt)++; +} + +static int +lookup_port(const char *arg, int test, int nodash) +{ + int val; + char *earg, buf[32]; + struct servent *s; + + snprintf(buf, sizeof(buf), "%s", arg); + buf[strcspn(arg, nodash ? "-," : ",")] = 0; + val = (int) strtoul(buf, &earg, 0); + if (!*buf || *earg) { + setservent(1); + if ((s = getservbyname(buf, NULL))) { + val = htons(s->s_port); + } else { + if (!test) { + errx(1, "unknown port ``%s''", arg); + } + val = -1; + } + } else { + if (val < 0 || val > 0xffff) { + if (!test) { + errx(1, "port ``%s'' out of range", arg); + } + val = -1; + } + } + return(val); +} + +int +fill_port(cnt, ptr, off, arg) + u_short *cnt, *ptr, off; + char *arg; +{ + char *s; + int initial_range = 0; + + s = arg + strcspn(arg, "-,"); /* first port name can't have a dash */ + if (*s == '-') { + *s++ = '\0'; + if (strchr(arg, ',')) + errx(1, "port range must be first in list"); + add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0x0000); + arg = s; + s = strchr(arg,','); + if (s) + *s++ = '\0'; + add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0xffff); + arg = s; + initial_range = 1; + } + while (arg != NULL) { + s = strchr(arg,','); + if (s) + *s++ = '\0'; + add_port(cnt, ptr, off, lookup_port(arg, 0, 0)); + arg = s; + } + return initial_range; +} + +void +fill_tcpflag(set, reset, vp) + u_char *set, *reset; + char **vp; +{ + char *p = *vp,*q; + u_char *d; + + while (p && *p) { + struct tpcflags { + char * name; + u_char value; + } flags[] = { + { "syn", IPV6_FW_TCPF_SYN }, + { "fin", IPV6_FW_TCPF_FIN }, + { "ack", IPV6_FW_TCPF_ACK }, + { "psh", IPV6_FW_TCPF_PSH }, + { "rst", IPV6_FW_TCPF_RST }, + { "urg", IPV6_FW_TCPF_URG } + }; + int i; + + if (*p == '!') { + p++; + d = reset; + } else { + d = set; + } + q = strchr(p, ','); + if (q) + *q++ = '\0'; + for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i) + if (!strncmp(p, flags[i].name, strlen(p))) { + *d |= flags[i].value; + break; + } + if (i == sizeof(flags) / sizeof(flags[0])) + show_usage("invalid tcp flag ``%s''", p); + p = q; + } +} + +static void +fill_ip6opt(u_char *set, u_char *reset, char **vp) +{ + char *p = *vp,*q; + u_char *d; + + while (p && *p) { + if (*p == '!') { + p++; + d = reset; + } else { + d = set; + } + q = strchr(p, ','); + if (q) + *q++ = '\0'; + if (!strncmp(p,"hopopt",strlen(p))) *d |= IPV6_FW_IP6OPT_HOPOPT; + if (!strncmp(p,"route",strlen(p))) *d |= IPV6_FW_IP6OPT_ROUTE; + if (!strncmp(p,"frag",strlen(p))) *d |= IPV6_FW_IP6OPT_FRAG; + if (!strncmp(p,"esp",strlen(p))) *d |= IPV6_FW_IP6OPT_ESP; + if (!strncmp(p,"ah",strlen(p))) *d |= IPV6_FW_IP6OPT_AH; + if (!strncmp(p,"nonxt",strlen(p))) *d |= IPV6_FW_IP6OPT_NONXT; + if (!strncmp(p,"opts",strlen(p))) *d |= IPV6_FW_IP6OPT_OPTS; + p = q; + } +} + +void +fill_icmptypes(types, vp, fw_flg) + u_long *types; + char **vp; + u_short *fw_flg; +{ + char *c = *vp; + + while (*c) + { + unsigned long icmptype; + + if ( *c == ',' ) + ++c; + + icmptype = strtoul(c, &c, 0); + + if ( *c != ',' && *c != '\0' ) + show_usage("invalid ICMP6 type"); + + if (icmptype >= IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8) + show_usage("ICMP6 type out of range"); + + types[icmptype / (sizeof(unsigned) * 8)] |= + 1 << (icmptype % (sizeof(unsigned) * 8)); + *fw_flg |= IPV6_FW_F_ICMPBIT; + } +} + +void +delete(ac,av) + int ac; + char **av; +{ + struct ip6_fw rule; + int i; + int exitval = 0; + + memset(&rule, 0, sizeof rule); + + av++; ac--; + + /* Rule number */ + while (ac && isdigit(**av)) { + rule.fw_number = atoi(*av); av++; ac--; + i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule); + if (i) { + exitval = 1; + warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL"); + } + } + if (exitval != 0) + exit(exitval); +} + +static void +verify_interface(union ip6_fw_if *ifu) +{ + struct ifreq ifr; + + /* + * If a unit was specified, check for that exact interface. + * If a wildcard was specified, check for unit 0. + */ + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", + ifu->fu_via_if.name, + ifu->fu_via_if.unit == -1 ? 0 : ifu->fu_via_if.unit); + + if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0) + warnx("warning: interface ``%s'' does not exist", ifr.ifr_name); +} + +static void +fill_iface(char *which, union ip6_fw_if *ifu, int *byname, int ac, char *arg) +{ + if (!ac) + show_usage("missing argument for ``%s''", which); + + /* Parse the interface or address */ + if (!strcmp(arg, "any")) { + ifu->fu_via_ip6 = in6addr_any; + *byname = 0; + } else if (!isdigit(*arg)) { + char *q; + + *byname = 1; + strncpy(ifu->fu_via_if.name, arg, sizeof(ifu->fu_via_if.name)); + ifu->fu_via_if.name[sizeof(ifu->fu_via_if.name) - 1] = '\0'; + for (q = ifu->fu_via_if.name; + *q && !isdigit(*q) && *q != '*'; q++) + continue; + ifu->fu_via_if.unit = (*q == '*') ? -1 : atoi(q); + *q = '\0'; + verify_interface(ifu); + } else if (inet_pton(AF_INET6, arg, &ifu->fu_via_ip6) != 1) { + show_usage("bad ip6 address ``%s''", arg); + } else + *byname = 0; +} + +static void +add(ac,av) + int ac; + char **av; +{ + struct ip6_fw rule; + int i; + u_char proto; + struct protoent *pe; + int saw_xmrc = 0, saw_via = 0; + + memset(&rule, 0, sizeof rule); + + av++; ac--; + + /* Rule number */ + if (ac && isdigit(**av)) { + rule.fw_number = atoi(*av); av++; ac--; + } + + /* Action */ + if (ac == 0) + show_usage("missing action"); + if (!strncmp(*av,"accept",strlen(*av)) + || !strncmp(*av,"pass",strlen(*av)) + || !strncmp(*av,"allow",strlen(*av)) + || !strncmp(*av,"permit",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_ACCEPT; av++; ac--; + } else if (!strncmp(*av,"count",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_COUNT; av++; ac--; + } +#if 0 + else if (!strncmp(*av,"divert",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_DIVERT; av++; ac--; + if (!ac) + show_usage("missing divert port"); + rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--; + if (rule.fw_divert_port == 0) { + struct servent *s; + setservent(1); + s = getservbyname(av[-1], "divert"); + if (s != NULL) + rule.fw_divert_port = ntohs(s->s_port); + else + show_usage("illegal divert port"); + } + } else if (!strncmp(*av,"tee",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_TEE; av++; ac--; + if (!ac) + show_usage("missing divert port"); + rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--; + if (rule.fw_divert_port == 0) { + struct servent *s; + setservent(1); + s = getservbyname(av[-1], "divert"); + if (s != NULL) + rule.fw_divert_port = ntohs(s->s_port); + else + show_usage("illegal divert port"); + } + } +#endif + else if (!strncmp(*av,"skipto",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_SKIPTO; av++; ac--; + if (!ac) + show_usage("missing skipto rule number"); + rule.fw_skipto_rule = strtoul(*av, NULL, 0); av++; ac--; + } else if ((!strncmp(*av,"deny",strlen(*av)) + || !strncmp(*av,"drop",strlen(*av)))) { + rule.fw_flg |= IPV6_FW_F_DENY; av++; ac--; + } else if (!strncmp(*av,"reject",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--; + rule.fw_reject_code = ICMP6_DST_UNREACH_NOROUTE; + } else if (!strncmp(*av,"reset",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--; + rule.fw_reject_code = IPV6_FW_REJECT_RST; /* check TCP later */ + } else if (!strncmp(*av,"unreach",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--; + fill_reject_code6(&rule.fw_reject_code, *av); av++; ac--; + } else { + show_usage("invalid action ``%s''", *av); + } + + /* [log] */ + if (ac && !strncmp(*av,"log",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_PRN; av++; ac--; + } + + /* protocol */ + if (ac == 0) + show_usage("missing protocol"); + if ((proto = atoi(*av)) > 0) { + rule.fw_prot = proto; av++; ac--; + } else if (!strncmp(*av,"all",strlen(*av))) { + rule.fw_prot = IPPROTO_IPV6; av++; ac--; + } else if ((pe = getprotobyname(*av)) != NULL) { + rule.fw_prot = pe->p_proto; av++; ac--; + } else { + show_usage("invalid protocol ``%s''", *av); + } + + if (rule.fw_prot != IPPROTO_TCP + && (rule.fw_flg & IPV6_FW_F_COMMAND) == IPV6_FW_F_REJECT + && rule.fw_reject_code == IPV6_FW_REJECT_RST) + show_usage("``reset'' is only valid for tcp packets"); + + /* from */ + if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; } + else + show_usage("missing ``from''"); + + if (ac && !strncmp(*av,"not",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_INVSRC; + av++; ac--; + } + if (!ac) + show_usage("missing arguments"); + + fill_ip6(&rule.fw_src, &rule.fw_smsk, &ac, &av); + + if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) { + u_short nports = 0; + + if (fill_port(&nports, rule.fw_pts, 0, *av)) + rule.fw_flg |= IPV6_FW_F_SRNG; + IPV6_FW_SETNSRCP(&rule, nports); + av++; ac--; + } + + /* to */ + if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; } + else + show_usage("missing ``to''"); + + if (ac && !strncmp(*av,"not",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_INVDST; + av++; ac--; + } + if (!ac) + show_usage("missing arguments"); + + fill_ip6(&rule.fw_dst, &rule.fw_dmsk, &ac, &av); + + if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) { + u_short nports = 0; + + if (fill_port(&nports, + rule.fw_pts, IPV6_FW_GETNSRCP(&rule), *av)) + rule.fw_flg |= IPV6_FW_F_DRNG; + IPV6_FW_SETNDSTP(&rule, nports); + av++; ac--; + } + + if ((rule.fw_prot != IPPROTO_TCP) && (rule.fw_prot != IPPROTO_UDP) + && (IPV6_FW_GETNSRCP(&rule) || IPV6_FW_GETNDSTP(&rule))) { + show_usage("only TCP and UDP protocols are valid" + " with port specifications"); + } + + while (ac) { + if (!strncmp(*av,"in",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_IN; + av++; ac--; continue; + } + if (!strncmp(*av,"out",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_OUT; + av++; ac--; continue; + } + if (ac && !strncmp(*av,"xmit",strlen(*av))) { + union ip6_fw_if ifu; + int byname; + + if (saw_via) { +badviacombo: + show_usage("``via'' is incompatible" + " with ``xmit'' and ``recv''"); + } + saw_xmrc = 1; + av++; ac--; + fill_iface("xmit", &ifu, &byname, ac, *av); + rule.fw_out_if = ifu; + rule.fw_flg |= IPV6_FW_F_OIFACE; + if (byname) + rule.fw_flg |= IPV6_FW_F_OIFNAME; + av++; ac--; continue; + } + if (ac && !strncmp(*av,"recv",strlen(*av))) { + union ip6_fw_if ifu; + int byname; + + if (saw_via) + goto badviacombo; + saw_xmrc = 1; + av++; ac--; + fill_iface("recv", &ifu, &byname, ac, *av); + rule.fw_in_if = ifu; + rule.fw_flg |= IPV6_FW_F_IIFACE; + if (byname) + rule.fw_flg |= IPV6_FW_F_IIFNAME; + av++; ac--; continue; + } + if (ac && !strncmp(*av,"via",strlen(*av))) { + union ip6_fw_if ifu; + int byname = 0; + + if (saw_xmrc) + goto badviacombo; + saw_via = 1; + av++; ac--; + fill_iface("via", &ifu, &byname, ac, *av); + rule.fw_out_if = rule.fw_in_if = ifu; + if (byname) + rule.fw_flg |= + (IPV6_FW_F_IIFNAME | IPV6_FW_F_OIFNAME); + av++; ac--; continue; + } + if (!strncmp(*av,"fragment",strlen(*av))) { + rule.fw_flg |= IPV6_FW_F_FRAG; + av++; ac--; continue; + } + if (!strncmp(*av,"ipv6options",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing argument" + " for ``ipv6options''"); + fill_ip6opt(&rule.fw_ip6opt, &rule.fw_ip6nopt, av); + av++; ac--; continue; + } + if (rule.fw_prot == IPPROTO_TCP) { + if (!strncmp(*av,"established",strlen(*av))) { + rule.fw_tcpf |= IPV6_FW_TCPF_ESTAB; + av++; ac--; continue; + } + if (!strncmp(*av,"setup",strlen(*av))) { + rule.fw_tcpf |= IPV6_FW_TCPF_SYN; + rule.fw_tcpnf |= IPV6_FW_TCPF_ACK; + av++; ac--; continue; + } + if (!strncmp(*av,"tcpflags",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing argument" + " for ``tcpflags''"); + fill_tcpflag(&rule.fw_tcpf, &rule.fw_tcpnf, av); + av++; ac--; continue; + } + } + if (rule.fw_prot == IPPROTO_ICMPV6) { + if (!strncmp(*av,"icmptypes",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing argument" + " for ``icmptypes''"); + fill_icmptypes(rule.fw_icmp6types, + av, &rule.fw_flg); + av++; ac--; continue; + } + } + show_usage("unknown argument ``%s''", *av); + } + + /* No direction specified -> do both directions */ + if (!(rule.fw_flg & (IPV6_FW_F_OUT|IPV6_FW_F_IN))) + rule.fw_flg |= (IPV6_FW_F_OUT|IPV6_FW_F_IN); + + /* Sanity check interface check, but handle "via" case separately */ + if (saw_via) { + if (rule.fw_flg & IPV6_FW_F_IN) + rule.fw_flg |= IPV6_FW_F_IIFACE; + if (rule.fw_flg & IPV6_FW_F_OUT) + rule.fw_flg |= IPV6_FW_F_OIFACE; + } else if ((rule.fw_flg & IPV6_FW_F_OIFACE) && (rule.fw_flg & IPV6_FW_F_IN)) + show_usage("can't check xmit interface of incoming packets"); + + /* frag may not be used in conjunction with ports or TCP flags */ + if (rule.fw_flg & IPV6_FW_F_FRAG) { + if (rule.fw_tcpf || rule.fw_tcpnf) + show_usage("can't mix 'frag' and tcpflags"); + + if (rule.fw_nports) + show_usage("can't mix 'frag' and port specifications"); + } + + if (!do_quiet) + show_ip6fw(&rule); + i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule); + if (i) + err(1, "setsockopt(%s)", "IPV6_FW_ADD"); +} + +static void +zero (ac, av) + int ac; + char **av; +{ + av++; ac--; + + if (!ac) { + /* clear all entries */ + if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0) + err(1, "setsockopt(%s)", "IPV6_FW_ZERO"); + if (!do_quiet) + printf("Accounting cleared.\n"); + } else { + struct ip6_fw rule; + int failed = 0; + + memset(&rule, 0, sizeof rule); + while (ac) { + /* Rule number */ + if (isdigit(**av)) { + rule.fw_number = atoi(*av); av++; ac--; + if (setsockopt(s, IPPROTO_IPV6, + IPV6_FW_ZERO, &rule, sizeof rule)) { + warn("rule %u: setsockopt(%s)", rule.fw_number, + "IPV6_FW_ZERO"); + failed = 1; + } + else if (!do_quiet) + printf("Entry %d cleared\n", + rule.fw_number); + } else + show_usage("invalid rule number ``%s''", *av); + } + if (failed != 0) + exit(failed); + } +} + +int +ip6fw_main(ac,av) + int ac; + char **av; +{ + int ch; + extern int optind; + + /* init optind to 1 */ + optind = 1; + + if ( ac == 1 ) { + show_usage(NULL); + } + + /* Set the force flag for non-interactive processes */ + do_force = !isatty(STDIN_FILENO); + + while ((ch = getopt(ac, av ,"afqtN")) != -1) + switch(ch) { + case 'a': + do_acct=1; + break; + case 'f': + do_force=1; + break; + case 'q': + do_quiet=1; + break; + case 't': + do_time=1; + break; + case 'N': + do_resolv=1; + break; + default: + show_usage(NULL); + } + + ac -= optind; + if (*(av+=optind)==NULL) { + show_usage("Bad arguments"); + } + + if (!strncmp(*av, "add", strlen(*av))) { + add(ac,av); + } else if (!strncmp(*av, "delete", strlen(*av))) { + delete(ac,av); + } else if (!strncmp(*av, "flush", strlen(*av))) { + int do_flush = 0; + + if ( do_force || do_quiet ) + do_flush = 1; + else { + int c; + + /* Ask the user */ + printf("Are you sure? [yn] "); + do { + fflush(stdout); + c = toupper(getc(stdin)); + while (c != '\n' && getc(stdin) != '\n') + if (feof(stdin)) + return (0); + } while (c != 'Y' && c != 'N'); + printf("\n"); + if (c == 'Y') + do_flush = 1; + } + if ( do_flush ) { + if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0) + err(1, "setsockopt(%s)", "IPV6_FW_FLUSH"); + if (!do_quiet) + printf("Flushed all rules.\n"); + } + } else if (!strncmp(*av, "zero", strlen(*av))) { + zero(ac,av); + } else if (!strncmp(*av, "print", strlen(*av))) { + list(--ac,++av); + } else if (!strncmp(*av, "list", strlen(*av))) { + list(--ac,++av); + } else if (!strncmp(*av, "show", strlen(*av))) { + do_acct++; + list(--ac,++av); + } else { + show_usage("Bad arguments"); + } + return 0; +} + +int +main(ac, av) + int ac; + char **av; +{ +#define MAX_ARGS 32 +#define WHITESP " \t\f\v\n\r" + char buf[BUFSIZ]; + char *a, *args[MAX_ARGS]; + char linename[10]; + int i; + FILE *f; + + s = socket( AF_INET6, SOCK_RAW, IPPROTO_RAW ); + if ( s < 0 ) + err(1, "socket"); + + setbuf(stdout,0); + + if (av[1] && !access(av[1], R_OK)) { + lineno = 0; + if ((f = fopen(av[1], "r")) == NULL) + err(1, "fopen: %s", av[1]); + while (fgets(buf, BUFSIZ, f)) { + + lineno++; + sprintf(linename, "Line %d", lineno); + args[0] = linename; + + if (*buf == '#') + continue; + for (i = 1, a = strtok(buf, WHITESP); + a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++) + args[i] = a; + if (i == 1) + continue; + if (i == MAX_ARGS) + errx(1, "%s: too many arguments", linename); + args[i] = NULL; + + ip6fw_main(i, args); + } + fclose(f); + } else + ip6fw_main(ac,av); + return 0; +} diff --git a/sbin/ip6fw/sample.sh b/sbin/ip6fw/sample.sh new file mode 100644 index 0000000..32d7621 --- /dev/null +++ b/sbin/ip6fw/sample.sh @@ -0,0 +1,28 @@ +#!/bin/sh - +# $FreeBSD$ + +fwcmd=/usr/local/v6/sbin/ip6fw + +$fwcmd -f flush + +# +# loopback +# +$fwcmd add 1000 pass all from any to any via lo0 + +# +# ND +# +# DAD +$fwcmd add 2000 pass ipv6-icmp from ff02::/16 to :: +$fwcmd add 2100 pass ipv6-icmp from :: to ff02::/16 +# RS, RA, NS, NA, redirect... +$fwcmd add 2300 pass ipv6-icmp from fe80::/10 to fe80::/10 +$fwcmd add 2400 pass ipv6-icmp from fe80::/10 to ff02::/16 + +$fwcmd add 5000 pass tcp from any to any established + +# RIPng +$fwcmd add 6000 pass udp from fe80::/10 521 to ff02::9 521 + +$fwcmd add 65000 pass log all from any to any -- cgit v1.1