From 5a5413bb5227e084703515007cc28fd746183c9b Mon Sep 17 00:00:00 2001
From: Seth Mos <seth.mos@dds.nl>
Date: Fri, 22 Oct 2010 16:01:30 +0200
Subject: Add the default ipv4 route and the default ipv6 route, check both
 routing tables before adding or changing. set the ipv6 IP address via a
 mwexec() until the pfsense module is adapted. FIXME. Add filter rules for
 ipv6 to let traffic out of the firewall. FilterIflist not cooperating yet.

---
 etc/inc/filter.inc     | 21 +++++++++++----
 etc/inc/gwlb.inc       | 71 +++++++++++++++++++++++++++++++++++---------------
 etc/inc/interfaces.inc | 14 ++++++++++
 etc/inc/system.inc     | 67 ++++++++++++++++++++++++++++++++++++++++++-----
 4 files changed, 141 insertions(+), 32 deletions(-)

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 01e37ce..26f8c15 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -723,17 +723,21 @@ function filter_generate_optcfg_array() {
 		if (!does_interface_exist($oic['if']))
 			continue;
 		$oic['ip'] = get_interface_ip($if);
+		$oic['ipv6'] = get_interface_ipv6($if);
 		if(!is_ipaddr($oc['ipaddr']) && !empty($oc['ipaddr']))
 			$oic['type'] = $oc['ipaddr'];
 		$oic['sn'] = get_interface_subnet($if);
+		$oic['snv6'] = get_interface_subnetv6($if);
 		$oic['mtu'] = empty($oc['mtu']) ? 1500 : $oc['mtu'];
 		$oic['mss'] = empty($oc['mss']) ? '' : $oc['mss'];
 		$oic['descr'] = $ifdetail;
 		$oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
+		$oic['sav6'] = gen_subnet($oic['ipv6'], $oic['snv6']);
 		$oic['nonat'] = $oc['nonat'];
 		$oic['alias-address'] = $oc['alias-address'];
 		$oic['alias-subnet'] = $oc['alias-subnet'];
 		$oic['gateway'] = $oc['gateway'];
+		$oic['gatewayv6'] = $oc['gatewayv6'];
 		$oic['spoofcheck'] = "yes";
 		$oic['bridge'] = link_interface_to_bridge($if);
 		$FilterIflist[$if] = $oic;
@@ -1981,8 +1985,8 @@ EOD;
 
 	if(!isset($config['system']['ipv6allow'])) {
 		$ipfrules .= "# Block all IPv6\n";
-		$ipfrules .= "block in quick inet6 all\n";
-		$ipfrules .= "block out quick inet6 all\n";
+		$ipfrules .= "block in inet6 all label \"Default Deny ipv6 rule\"\n";
+		$ipfrules .= "block out inet6 all label \"Default Deny ipv6 rule\"\n";
 	}
 
 	$ipfrules .= <<<EOD
@@ -2131,13 +2135,20 @@ pass out all keep state allow-opts label "let out anything from firewall host it
 
 EOD;
 	foreach ($FilterIflist as $ifdescr => $ifcfg) {
-                if(isset($ifcfg['virtual']))
-                        continue;
+		if(isset($ifcfg['virtual']))
+			continue;
+
 		$gw = get_interface_gateway($ifdescr);
+		echo "gw $gw, ip {$ifcfg['ip']} \n";
 		if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip']))
                 	$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
-        }
 
+		$gwv6 = get_interface_gateway_v6($ifdescr);
+		echo "gwv6 $gwv6, ip {$ifcfg['ipv6']}\n";
+		if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6']))
+                	$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gwv6} ) from {$ifcfg['ipv6']} to !{$ifcfg['sav6']}/{$ifcfg['snv6']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+	}
+	
 
 	/* add ipsec interfaces */
 	if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
diff --git a/etc/inc/gwlb.inc b/etc/inc/gwlb.inc
index 540a0a7..d8bd05a 100644
--- a/etc/inc/gwlb.inc
+++ b/etc/inc/gwlb.inc
@@ -501,35 +501,64 @@ function lookup_gateway_interface_by_name($name) {
 }
 
 function get_interface_gateway($interface, &$dynamic = false) {
-        global $config, $g;
+	global $config, $g;
 
-        $gw = NULL;
+	$gw = NULL;
 
-        $gwcfg = $config['interfaces'][$interface];
-        if (!empty($gwcfg['gateway']) && is_array($config['gateways']['gateway_item'])) {
-               	foreach($config['gateways']['gateway_item'] as $gateway) {
-                        if ($gateway['name'] == $gwcfg['gateway']) {
-                                $gw = $gateway['gateway'];
+	$gwcfg = $config['interfaces'][$interface];
+	if (!empty($gwcfg['gateway']) && is_array($config['gateways']['gateway_item'])) {
+		foreach($config['gateways']['gateway_item'] as $gateway) {
+			if(($gateway['name'] == $gwcfg['gateway']) && (is_ipaddrv4($gateway['gateway']))) {
+				$gw = $gateway['gateway'];
 				break;
 			}
-                }
+		}
 	}
 
-        // for dynamic interfaces we handle them through the $interface_router file.
-        if (!is_ipaddr($gw) && !is_ipaddr($gwcfg['ipaddr'])) {
-                $realif = get_real_interface($interface);
-                if (file_exists("{$g['tmp_path']}/{$realif}_router")) {
-                        $gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n");
-					$dynamic = true;
-                }
-                if (file_exists("{$g['tmp_path']}/{$realif}_defaultgw"))
-					$dynamic = "default";
+	// for dynamic interfaces we handle them through the $interface_router file.
+	if (!is_ipaddr($gw) && !is_ipaddr($gwcfg['ipaddr'])) {
+		$realif = get_real_interface($interface);
+		if (file_exists("{$g['tmp_path']}/{$realif}_router")) {
+				$gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n");
+			$dynamic = true;
+		}
+		if (file_exists("{$g['tmp_path']}/{$realif}_defaultgw"))
+			$dynamic = "default";
 			
-				
-        }
+	}
+
+	/* return gateway */
+	return ($gw);
+}
+
+function get_interface_gateway_v6($interface, &$dynamic = false) {
+	global $config, $g;
 
-        /* return gateway */
-        return ($gw);
+	$gw = NULL;
+
+	$gwcfg = $config['interfaces'][$interface];
+	if (!empty($gwcfg['gateway']) && is_array($config['gateways']['gateway_item'])) {
+		foreach($config['gateways']['gateway_item'] as $gateway) {
+			if(($gateway['name'] == $gwcfg['gateway']) && (is_ipaddrv6($gateway['gateway']))) {
+				$gw = $gateway['gateway'];
+				break;
+			}
+		}
+	}
+
+	// for dynamic interfaces we handle them through the $interface_router file.
+	if (!is_ipaddrv6($gw) && !is_ipaddr($gwcfg['ipaddrv6'])) {
+			$realif = get_real_interface($interface);
+			if (file_exists("{$g['tmp_path']}/{$realif}_routerv6")) {
+				$gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_routerv6"), " \n");
+				$dynamic = true;
+			}
+			if (file_exists("{$g['tmp_path']}/{$realif}_defaultgwv6"))
+				$dynamic = "default";
+			
+	}
+	/* return gateway */
+	return ($gw);
 }
 
 ?>
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 980371b..aacacfd 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -2467,6 +2467,8 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
 	get_interface_arr(true);
 	unset($interface_ip_arr_cache[$realif]);
 	unset($interface_sn_arr_cache[$realif]);
+	unset($interface_ipv6_arr_cache[$realif]);
+	unset($interface_snv6_arr_cache[$realif]);
 
 	switch ($wancfg['ipaddr']) {
 		case 'carpdev-dhcp':
@@ -2502,6 +2504,18 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
 			break;
 	}
 
+	switch ($wancfg['ipaddrv6']) {
+		case 'dhcpv6':
+			interface_dhcpv6_configure($interface);
+			break;
+		default:
+			if ($wancfg['ipaddrv6'] <> "" && $wancfg['subnetv6'] <> "") {
+				pfSense_interface_setaddress($realif, "{$wancfg['ipaddrv6']}/{$wancfg['subnetv6']}");
+				mwexec("/sbin/ifconfig {$realif} inet6 {$wancfg['ipaddrv6']} prefixlen {$wancfg['subnetv6']} ");
+			}
+			break;
+	}
+
 	if(does_interface_exist($wancfg['if']))
 		interfaces_bring_up($wancfg['if']);
  	
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index ba9ad05..022e1be 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -307,11 +307,14 @@ function system_routing_configure($interface = "") {
 	$gatewayip = "";
 	$interfacegw = "";
 	$foundgw = false;
+	$gatewayipv6 = "";
+	$interfacegwv6 = "";
+	$foundgwv6 = false;
 	/* tack on all the hard defined gateways as well */
 	if (is_array($config['gateways']['gateway_item'])) {
 		mwexec("/bin/rm {$g['tmp_path']}/*_defaultgw", true);
 		foreach	($config['gateways']['gateway_item'] as $gateway) {
-			if (isset($gateway['defaultgw'])) {
+			if (isset($gateway['defaultgw']) && (is_ipaddrv4($gateway['gateway']))) {
 				if ($gateway['gateway'] == "dynamic")
 					$gateway['gateway'] = get_interface_gateway($gateway['interface']);
 				$gatewayip = $gateway['gateway'];
@@ -325,6 +328,21 @@ function system_routing_configure($interface = "") {
 				break;
 			}
 		}
+		foreach	($config['gateways']['gateway_item'] as $gateway) {
+			if (isset($gateway['defaultgw']) && (is_ipaddrv6($gateway['gateway']))) {
+				if ($gateway['gateway'] == "dynamic")
+					$gateway['gateway'] = get_interface_gateway_v6($gateway['interface']);
+				$gatewayipv6 = $gateway['gateway'];
+				$interfacegwv6 = $gateway['interface'];
+				if (!empty($interfacegwv6)) {
+					$defaultif = get_real_interface($gateway['interface']);
+					if ($defaultif)
+						@file_put_contents("{$g['tmp_path']}/{$defaultif}_defaultgwv6", $gatewayipv6);
+				}
+				$foundgwv6 = true;
+				break;
+			}
+		}
 	}
 	if ($foundgw == false) {
 		$defaultif = get_real_interface("wan");
@@ -332,6 +350,12 @@ function system_routing_configure($interface = "") {
 		$gatewayip = get_interface_gateway("wan");
 		@touch("{$g['tmp_path']}/{$defaultif}_defaultgw");
 	}	
+	if ($foundgwv6 == false) {
+		$defaultif = get_real_interface("wan");
+		$interfacegw = "wan";
+		$gatewayip = get_interface_gateway_v6("wan");
+		@touch("{$g['tmp_path']}/{$defaultif}_defaultgwv6");
+	}	
 	$dont_add_route = false;
 	/* if OLSRD is enabled, allow WAN to house DHCP. */
 	if($config['installedpackages']['olsrd']) {
@@ -342,7 +366,7 @@ function system_routing_configure($interface = "") {
 			}
 		}
 	}
-	/* Create a array from the existing route table */
+	/* Create a array from the existing inet route table */
 	exec("/usr/bin/netstat -rnf inet", $route_str);
 	array_shift($route_str);
 	array_shift($route_str);
@@ -357,16 +381,42 @@ function system_routing_configure($interface = "") {
 	if ($dont_add_route == false ) {
 		if (!empty($interface) && $interface != $interfacegw)
 			;
-		else if (($interfacegw <> "bgpd") && (is_ipaddr($gatewayip))) {
+		else if (($interfacegw <> "bgpd") && (is_ipaddrv4($gatewayip))) {
 			$action = "add";
 			if(isset($route_arr['default'])) {
 				$action = "change";
 			}
-			log_error("ROUTING: $action default route to $gatewayip");
+			log_error("ROUTING: $action IPv4 default route to $gatewayip");
 			mwexec("/sbin/route {$action} default " . escapeshellarg($gatewayip));
 		}
 	}
 
+	/* Create a array from the existing inet6 route table */
+	exec("/usr/bin/netstat -rnf inet6", $routev6_str);
+	array_shift($routev6_str);
+	array_shift($routev6_str);
+	array_shift($routev6_str);
+	array_shift($routev6_str);
+	array_shift($routev6_str);
+	$routev6_arr = array();
+	foreach($routev6_str as $routeline) {
+		$items = preg_split("/[ ]+/i", $routeline);
+		$route_arr[$items[0]] = array($items[0], $items[1], $items[5]);
+	}
+
+	if ($dont_add_route == false ) {
+		if (!empty($interface) && $interface != $interfacegw)
+			;
+		else if (($interfacegwv6 <> "bgpd") && (is_ipaddrv6($gatewayipv6))) {
+			$action = "add";
+			if(isset($routev6_arr['default'])) {
+				$action = "change";
+			}
+			log_error("ROUTING: $action IPv6 default route to $gatewayipv6");
+			mwexec("/sbin/route {$action} -inet6 default " . escapeshellarg($gatewayipv6));
+		}
+	}
+
 	if (is_array($config['staticroutes']['route'])) {
 		$gateways_arr = return_gateways_array();
 
@@ -385,11 +435,16 @@ function system_routing_configure($interface = "") {
 			if (isset($route_arr[$rtent['network']]))
 				$action = "change";
 
+			if(is_ipaddrv6($gatewayip)) {
+				$inet6 = "-inet6";
+			} else {
+				$inet6 = "";
+			}
 			if (is_ipaddr($gatewayip)) {
-				mwexec("/sbin/route {$action} " . escapeshellarg($rtent['network']) .
+				mwexec("/sbin/route {$action} {$inet6} " . escapeshellarg($rtent['network']) .
 					" " . escapeshellarg($gatewayip));
 			} else if (!empty($interfacegw)) {
-				mwexec("/sbin/route {$action} " . escapeshellarg($rtent['network']) .
+				mwexec("/sbin/route {$action} {$inet6} " . escapeshellarg($rtent['network']) .
 					" -iface " . escapeshellarg($interfacegw));
 			}
 		}
-- 
cgit v1.1