diff options
| author | Seth Mos <seth.mos@dds.nl> | 2010-10-22 16:01:30 +0200 |
|---|---|---|
| committer | Seth Mos <seth.mos@dds.nl> | 2010-10-22 16:01:30 +0200 |
| commit | 5a5413bb5227e084703515007cc28fd746183c9b (patch) | |
| tree | db6401de66deac4db3948dfacc60b2cc063b01c0 | |
| parent | 47593ac6ff761622a43e16cacb421acecede209d (diff) | |
| download | pfsense-5a5413bb5227e084703515007cc28fd746183c9b.zip pfsense-5a5413bb5227e084703515007cc28fd746183c9b.tar.gz | |
Add the default ipv4 route and the default ipv6 route, check both routing tables before adding or changing.
set the ipv6 IP address via a mwexec() until the pfsense module is adapted. FIXME.
Add filter rules for ipv6 to let traffic out of the firewall. FilterIflist not cooperating yet.
| -rw-r--r-- | etc/inc/filter.inc | 21 | ||||
| -rw-r--r-- | etc/inc/gwlb.inc | 71 | ||||
| -rw-r--r-- | etc/inc/interfaces.inc | 14 | ||||
| -rw-r--r-- | etc/inc/system.inc | 67 |
4 files changed, 141 insertions, 32 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 01e37ce..26f8c15 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -723,17 +723,21 @@ function filter_generate_optcfg_array() { if (!does_interface_exist($oic['if'])) continue; $oic['ip'] = get_interface_ip($if); + $oic['ipv6'] = get_interface_ipv6($if); if(!is_ipaddr($oc['ipaddr']) && !empty($oc['ipaddr'])) $oic['type'] = $oc['ipaddr']; $oic['sn'] = get_interface_subnet($if); + $oic['snv6'] = get_interface_subnetv6($if); $oic['mtu'] = empty($oc['mtu']) ? 1500 : $oc['mtu']; $oic['mss'] = empty($oc['mss']) ? '' : $oc['mss']; $oic['descr'] = $ifdetail; $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']); + $oic['sav6'] = gen_subnet($oic['ipv6'], $oic['snv6']); $oic['nonat'] = $oc['nonat']; $oic['alias-address'] = $oc['alias-address']; $oic['alias-subnet'] = $oc['alias-subnet']; $oic['gateway'] = $oc['gateway']; + $oic['gatewayv6'] = $oc['gatewayv6']; $oic['spoofcheck'] = "yes"; $oic['bridge'] = link_interface_to_bridge($if); $FilterIflist[$if] = $oic; @@ -1981,8 +1985,8 @@ EOD; if(!isset($config['system']['ipv6allow'])) { $ipfrules .= "# Block all IPv6\n"; - $ipfrules .= "block in quick inet6 all\n"; - $ipfrules .= "block out quick inet6 all\n"; + $ipfrules .= "block in inet6 all label \"Default Deny ipv6 rule\"\n"; + $ipfrules .= "block out inet6 all label \"Default Deny ipv6 rule\"\n"; } $ipfrules .= <<<EOD @@ -2131,13 +2135,20 @@ pass out all keep state allow-opts label "let out anything from firewall host it EOD; foreach ($FilterIflist as $ifdescr => $ifcfg) { - if(isset($ifcfg['virtual'])) - continue; + if(isset($ifcfg['virtual'])) + continue; + $gw = get_interface_gateway($ifdescr); + echo "gw $gw, ip {$ifcfg['ip']} \n"; if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip'])) $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; - } + $gwv6 = get_interface_gateway_v6($ifdescr); + echo "gwv6 $gwv6, ip {$ifcfg['ipv6']}\n"; + if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) + $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gwv6} ) from {$ifcfg['ipv6']} to !{$ifcfg['sav6']}/{$ifcfg['snv6']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + } + /* add ipsec interfaces */ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])) diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc index 540a0a7..d8bd05a 100644 --- a/etc/inc/gwlb.inc +++ b/etc/inc/gwlb.inc @@ -501,35 +501,64 @@ function lookup_gateway_interface_by_name($name) { } function get_interface_gateway($interface, &$dynamic = false) { - global $config, $g; + global $config, $g; - $gw = NULL; + $gw = NULL; - $gwcfg = $config['interfaces'][$interface]; - if (!empty($gwcfg['gateway']) && is_array($config['gateways']['gateway_item'])) { - foreach($config['gateways']['gateway_item'] as $gateway) { - if ($gateway['name'] == $gwcfg['gateway']) { - $gw = $gateway['gateway']; + $gwcfg = $config['interfaces'][$interface]; + if (!empty($gwcfg['gateway']) && is_array($config['gateways']['gateway_item'])) { + foreach($config['gateways']['gateway_item'] as $gateway) { + if(($gateway['name'] == $gwcfg['gateway']) && (is_ipaddrv4($gateway['gateway']))) { + $gw = $gateway['gateway']; break; } - } + } } - // for dynamic interfaces we handle them through the $interface_router file. - if (!is_ipaddr($gw) && !is_ipaddr($gwcfg['ipaddr'])) { - $realif = get_real_interface($interface); - if (file_exists("{$g['tmp_path']}/{$realif}_router")) { - $gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n"); - $dynamic = true; - } - if (file_exists("{$g['tmp_path']}/{$realif}_defaultgw")) - $dynamic = "default"; + // for dynamic interfaces we handle them through the $interface_router file. + if (!is_ipaddr($gw) && !is_ipaddr($gwcfg['ipaddr'])) { + $realif = get_real_interface($interface); + if (file_exists("{$g['tmp_path']}/{$realif}_router")) { + $gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n"); + $dynamic = true; + } + if (file_exists("{$g['tmp_path']}/{$realif}_defaultgw")) + $dynamic = "default"; - - } + } + + /* return gateway */ + return ($gw); +} + +function get_interface_gateway_v6($interface, &$dynamic = false) { + global $config, $g; - /* return gateway */ - return ($gw); + $gw = NULL; + + $gwcfg = $config['interfaces'][$interface]; + if (!empty($gwcfg['gateway']) && is_array($config['gateways']['gateway_item'])) { + foreach($config['gateways']['gateway_item'] as $gateway) { + if(($gateway['name'] == $gwcfg['gateway']) && (is_ipaddrv6($gateway['gateway']))) { + $gw = $gateway['gateway']; + break; + } + } + } + + // for dynamic interfaces we handle them through the $interface_router file. + if (!is_ipaddrv6($gw) && !is_ipaddr($gwcfg['ipaddrv6'])) { + $realif = get_real_interface($interface); + if (file_exists("{$g['tmp_path']}/{$realif}_routerv6")) { + $gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_routerv6"), " \n"); + $dynamic = true; + } + if (file_exists("{$g['tmp_path']}/{$realif}_defaultgwv6")) + $dynamic = "default"; + + } + /* return gateway */ + return ($gw); } ?> diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 980371b..aacacfd 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc @@ -2467,6 +2467,8 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven get_interface_arr(true); unset($interface_ip_arr_cache[$realif]); unset($interface_sn_arr_cache[$realif]); + unset($interface_ipv6_arr_cache[$realif]); + unset($interface_snv6_arr_cache[$realif]); switch ($wancfg['ipaddr']) { case 'carpdev-dhcp': @@ -2502,6 +2504,18 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven break; } + switch ($wancfg['ipaddrv6']) { + case 'dhcpv6': + interface_dhcpv6_configure($interface); + break; + default: + if ($wancfg['ipaddrv6'] <> "" && $wancfg['subnetv6'] <> "") { + pfSense_interface_setaddress($realif, "{$wancfg['ipaddrv6']}/{$wancfg['subnetv6']}"); + mwexec("/sbin/ifconfig {$realif} inet6 {$wancfg['ipaddrv6']} prefixlen {$wancfg['subnetv6']} "); + } + break; + } + if(does_interface_exist($wancfg['if'])) interfaces_bring_up($wancfg['if']); diff --git a/etc/inc/system.inc b/etc/inc/system.inc index ba9ad05..022e1be 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -307,11 +307,14 @@ function system_routing_configure($interface = "") { $gatewayip = ""; $interfacegw = ""; $foundgw = false; + $gatewayipv6 = ""; + $interfacegwv6 = ""; + $foundgwv6 = false; /* tack on all the hard defined gateways as well */ if (is_array($config['gateways']['gateway_item'])) { mwexec("/bin/rm {$g['tmp_path']}/*_defaultgw", true); foreach ($config['gateways']['gateway_item'] as $gateway) { - if (isset($gateway['defaultgw'])) { + if (isset($gateway['defaultgw']) && (is_ipaddrv4($gateway['gateway']))) { if ($gateway['gateway'] == "dynamic") $gateway['gateway'] = get_interface_gateway($gateway['interface']); $gatewayip = $gateway['gateway']; @@ -325,6 +328,21 @@ function system_routing_configure($interface = "") { break; } } + foreach ($config['gateways']['gateway_item'] as $gateway) { + if (isset($gateway['defaultgw']) && (is_ipaddrv6($gateway['gateway']))) { + if ($gateway['gateway'] == "dynamic") + $gateway['gateway'] = get_interface_gateway_v6($gateway['interface']); + $gatewayipv6 = $gateway['gateway']; + $interfacegwv6 = $gateway['interface']; + if (!empty($interfacegwv6)) { + $defaultif = get_real_interface($gateway['interface']); + if ($defaultif) + @file_put_contents("{$g['tmp_path']}/{$defaultif}_defaultgwv6", $gatewayipv6); + } + $foundgwv6 = true; + break; + } + } } if ($foundgw == false) { $defaultif = get_real_interface("wan"); @@ -332,6 +350,12 @@ function system_routing_configure($interface = "") { $gatewayip = get_interface_gateway("wan"); @touch("{$g['tmp_path']}/{$defaultif}_defaultgw"); } + if ($foundgwv6 == false) { + $defaultif = get_real_interface("wan"); + $interfacegw = "wan"; + $gatewayip = get_interface_gateway_v6("wan"); + @touch("{$g['tmp_path']}/{$defaultif}_defaultgwv6"); + } $dont_add_route = false; /* if OLSRD is enabled, allow WAN to house DHCP. */ if($config['installedpackages']['olsrd']) { @@ -342,7 +366,7 @@ function system_routing_configure($interface = "") { } } } - /* Create a array from the existing route table */ + /* Create a array from the existing inet route table */ exec("/usr/bin/netstat -rnf inet", $route_str); array_shift($route_str); array_shift($route_str); @@ -357,16 +381,42 @@ function system_routing_configure($interface = "") { if ($dont_add_route == false ) { if (!empty($interface) && $interface != $interfacegw) ; - else if (($interfacegw <> "bgpd") && (is_ipaddr($gatewayip))) { + else if (($interfacegw <> "bgpd") && (is_ipaddrv4($gatewayip))) { $action = "add"; if(isset($route_arr['default'])) { $action = "change"; } - log_error("ROUTING: $action default route to $gatewayip"); + log_error("ROUTING: $action IPv4 default route to $gatewayip"); mwexec("/sbin/route {$action} default " . escapeshellarg($gatewayip)); } } + /* Create a array from the existing inet6 route table */ + exec("/usr/bin/netstat -rnf inet6", $routev6_str); + array_shift($routev6_str); + array_shift($routev6_str); + array_shift($routev6_str); + array_shift($routev6_str); + array_shift($routev6_str); + $routev6_arr = array(); + foreach($routev6_str as $routeline) { + $items = preg_split("/[ ]+/i", $routeline); + $route_arr[$items[0]] = array($items[0], $items[1], $items[5]); + } + + if ($dont_add_route == false ) { + if (!empty($interface) && $interface != $interfacegw) + ; + else if (($interfacegwv6 <> "bgpd") && (is_ipaddrv6($gatewayipv6))) { + $action = "add"; + if(isset($routev6_arr['default'])) { + $action = "change"; + } + log_error("ROUTING: $action IPv6 default route to $gatewayipv6"); + mwexec("/sbin/route {$action} -inet6 default " . escapeshellarg($gatewayipv6)); + } + } + if (is_array($config['staticroutes']['route'])) { $gateways_arr = return_gateways_array(); @@ -385,11 +435,16 @@ function system_routing_configure($interface = "") { if (isset($route_arr[$rtent['network']])) $action = "change"; + if(is_ipaddrv6($gatewayip)) { + $inet6 = "-inet6"; + } else { + $inet6 = ""; + } if (is_ipaddr($gatewayip)) { - mwexec("/sbin/route {$action} " . escapeshellarg($rtent['network']) . + mwexec("/sbin/route {$action} {$inet6} " . escapeshellarg($rtent['network']) . " " . escapeshellarg($gatewayip)); } else if (!empty($interfacegw)) { - mwexec("/sbin/route {$action} " . escapeshellarg($rtent['network']) . + mwexec("/sbin/route {$action} {$inet6} " . escapeshellarg($rtent['network']) . " -iface " . escapeshellarg($interfacegw)); } } |
