1 /* $KAME: ip6fw.c,v 1.13 2001/06/22 05:51:16 itojun Exp $ */
4 * Copyright (C) 1998, 1999, 2000 and 2001 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
34 * Copyright (c) 1994 Ugen J.S.Antsilevich
36 * Idea and grammar partially left from:
37 * Copyright (c) 1993 Daniel Boulet
39 * Redistribution and use in source forms, with and without modification,
40 * are permitted provided that this entire comment appears intact.
42 * Redistribution in binary form may occur without any restrictions.
43 * Obviously, it would be nice if you gave credit where credit is due
44 * but requiring it would be too onerous.
46 * This software is provided ``AS IS'' without any warranties of any kind.
48 * NEW command line interface for IP firewall facility
50 * $Id: ip6fw.c,v 1.1.2.2.2.2 1999/05/14 05:13:50 shin Exp $
51 * $FreeBSD: src/sbin/ip6fw/ip6fw.c,v 1.1.2.9 2003/04/05 10:54:51 ume Exp $
52 * $DragonFly: src/sbin/ip6fw/ip6fw.c,v 1.9 2005/11/06 12:29:11 swildner Exp $
55 #include <sys/types.h>
56 #include <sys/queue.h>
57 #include <sys/socket.h>
58 #include <sys/sockio.h>
60 #include <sys/ioctl.h>
78 #include <netinet/in.h>
79 #include <netinet/in_systm.h>
80 #include <netinet/ip6.h>
81 #include <netinet/icmp6.h>
82 #include <net/ip6fw/ip6_fw.h>
83 #include <netinet/tcp.h>
84 #include <arpa/inet.h>
88 int s
; /* main RAW socket */
89 int do_resolv
=0; /* Would try to resolv all */
90 int do_acct
=0; /* Show packet/byte count */
91 int do_time
=0; /* Show time stamps */
92 int do_quiet
=0; /* Be quiet in add and flush */
93 int do_force
=0; /* Don't ask for confirmation */
100 static struct icmpcode icmp6codes
[] = {
101 { ICMP6_DST_UNREACH_NOROUTE
, "noroute" },
102 { ICMP6_DST_UNREACH_ADMIN
, "admin" },
103 { ICMP6_DST_UNREACH_NOTNEIGHBOR
, "notneighbor" },
104 { ICMP6_DST_UNREACH_ADDR
, "addr" },
105 { ICMP6_DST_UNREACH_NOPORT
, "noport" },
109 static char ntop_buf
[INET6_ADDRSTRLEN
];
111 static void show_usage(const char *fmt
, ...);
114 mask_bits(u_char
*m_ad
, int m_len
)
118 for (i
= 0; i
< m_len
; i
++, m_ad
++) {
125 #define MASKLEN(m, l) case m: h_num += l; break
139 static int pl2m
[9] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
144 static struct in6_addr ia
;
148 memset(&ia
, 0, sizeof(struct in6_addr
));
150 for (i
= 0; i
< 16; i
++, p
++, n
-= 8) {
162 print_port(u_char prot
, u_short port
, const char *comma
)
166 const char *protocol
;
170 pe
= getprotobynumber(prot
);
172 protocol
= pe
->p_name
;
176 se
= getservbyport(htons(port
), protocol
);
178 printf("%s%s", comma
, se
->s_name
);
183 printf("%s%d",comma
,port
);
187 print_iface(char *key
, union ip6_fw_if
*un
, int byname
)
191 printf(" %s %s", key
, un
->fu_via_if
.name
);
192 } else if (!IN6_IS_ADDR_UNSPECIFIED(&un
->fu_via_ip6
)) {
193 printf(" %s %s", key
, inet_ntop(AF_INET6
,&un
->fu_via_ip6
,ntop_buf
,sizeof(ntop_buf
)));
195 printf(" %s any", key
);
199 print_reject_code(int code
)
203 for (ic
= icmp6codes
; ic
->str
; ic
++)
204 if (ic
->code
== code
) {
205 printf("%s", ic
->str
);
212 show_ip6fw(struct ip6_fw
*chain
)
218 int nsp
= IPV6_FW_GETNSRCP(chain
);
219 int ndp
= IPV6_FW_GETNDSTP(chain
);
222 setservent(1/*stayopen*/);
224 printf("%05u ", chain
->fw_number
);
227 printf("%10lu %10lu ",chain
->fw_pcnt
,chain
->fw_bcnt
);
231 if (chain
->timestamp
)
235 strcpy(timestr
, ctime((time_t *)&chain
->timestamp
));
236 *strchr(timestr
, '\n') = '\0';
237 printf("%s ", timestr
);
243 switch (chain
->fw_flg
& IPV6_FW_F_COMMAND
)
245 case IPV6_FW_F_ACCEPT
:
251 case IPV6_FW_F_COUNT
:
254 case IPV6_FW_F_DIVERT
:
255 printf("divert %u", chain
->fw_divert_port
);
258 printf("tee %u", chain
->fw_divert_port
);
260 case IPV6_FW_F_SKIPTO
:
261 printf("skipto %u", chain
->fw_skipto_rule
);
263 case IPV6_FW_F_REJECT
:
264 if (chain
->fw_reject_code
== IPV6_FW_REJECT_RST
)
268 print_reject_code(chain
->fw_reject_code
);
272 errx(EX_OSERR
, "impossible");
275 if (chain
->fw_flg
& IPV6_FW_F_PRN
)
278 pe
= getprotobynumber(chain
->fw_prot
);
280 printf(" %s", pe
->p_name
);
282 printf(" %u", chain
->fw_prot
);
284 printf(" from %s", chain
->fw_flg
& IPV6_FW_F_INVSRC
? "not " : "");
286 mb
=mask_bits((u_char
*)&chain
->fw_smsk
,sizeof(chain
->fw_smsk
));
287 if (mb
==128 && do_resolv
) {
288 he
=gethostbyaddr(&(chain
->fw_src
),sizeof(chain
->fw_src
),AF_INET6
);
290 printf(inet_ntop(AF_INET6
,&chain
->fw_src
,ntop_buf
,sizeof(ntop_buf
)));
292 printf("%s",he
->h_name
);
298 printf(inet_ntop(AF_INET6
,&chain
->fw_src
,ntop_buf
,sizeof(ntop_buf
)));
302 printf(inet_ntop(AF_INET6
,&chain
->fw_src
,ntop_buf
,sizeof(ntop_buf
)));
305 if (chain
->fw_prot
== IPPROTO_TCP
|| chain
->fw_prot
== IPPROTO_UDP
) {
307 for (i
= 0; i
< nsp
; i
++) {
308 print_port(chain
->fw_prot
, chain
->fw_pts
[i
], comma
);
309 if (i
==0 && (chain
->fw_flg
& IPV6_FW_F_SRNG
))
316 printf(" to %s", chain
->fw_flg
& IPV6_FW_F_INVDST
? "not " : "");
318 mb
=mask_bits((u_char
*)&chain
->fw_dmsk
,sizeof(chain
->fw_dmsk
));
319 if (mb
==128 && do_resolv
) {
320 he
=gethostbyaddr(&(chain
->fw_dst
),sizeof(chain
->fw_dst
),AF_INET6
);
322 printf(inet_ntop(AF_INET6
,&chain
->fw_dst
,ntop_buf
,sizeof(ntop_buf
)));
324 printf("%s",he
->h_name
);
330 printf(inet_ntop(AF_INET6
,&chain
->fw_dst
,ntop_buf
,sizeof(ntop_buf
)));
334 printf(inet_ntop(AF_INET6
,&chain
->fw_dst
,ntop_buf
,sizeof(ntop_buf
)));
337 if (chain
->fw_prot
== IPPROTO_TCP
|| chain
->fw_prot
== IPPROTO_UDP
) {
339 for (i
= 0; i
< ndp
; i
++) {
340 print_port(chain
->fw_prot
, chain
->fw_pts
[nsp
+i
], comma
);
341 if (i
==0 && (chain
->fw_flg
& IPV6_FW_F_DRNG
))
349 if ((chain
->fw_flg
& IPV6_FW_F_IN
) && !(chain
->fw_flg
& IPV6_FW_F_OUT
))
351 if (!(chain
->fw_flg
& IPV6_FW_F_IN
) && (chain
->fw_flg
& IPV6_FW_F_OUT
))
354 /* Handle hack for "via" backwards compatibility */
355 if ((chain
->fw_flg
& IF6_FW_F_VIAHACK
) == IF6_FW_F_VIAHACK
) {
357 &chain
->fw_in_if
, chain
->fw_flg
& IPV6_FW_F_IIFNAME
);
359 /* Receive interface specified */
360 if (chain
->fw_flg
& IPV6_FW_F_IIFACE
)
361 print_iface("recv", &chain
->fw_in_if
,
362 chain
->fw_flg
& IPV6_FW_F_IIFNAME
);
363 /* Transmit interface specified */
364 if (chain
->fw_flg
& IPV6_FW_F_OIFACE
)
365 print_iface("xmit", &chain
->fw_out_if
,
366 chain
->fw_flg
& IPV6_FW_F_OIFNAME
);
369 if (chain
->fw_flg
& IPV6_FW_F_FRAG
)
372 if (chain
->fw_ip6opt
|| chain
->fw_ip6nopt
) {
373 int _opt_printed
= 0;
374 #define PRINTOPT(x) {if (_opt_printed) printf(",");\
375 printf(x); _opt_printed = 1;}
378 if (chain
->fw_ip6opt
& IPV6_FW_IP6OPT_HOPOPT
) PRINTOPT("hopopt");
379 if (chain
->fw_ip6nopt
& IPV6_FW_IP6OPT_HOPOPT
) PRINTOPT("!hopopt");
380 if (chain
->fw_ip6opt
& IPV6_FW_IP6OPT_ROUTE
) PRINTOPT("route");
381 if (chain
->fw_ip6nopt
& IPV6_FW_IP6OPT_ROUTE
) PRINTOPT("!route");
382 if (chain
->fw_ip6opt
& IPV6_FW_IP6OPT_FRAG
) PRINTOPT("frag");
383 if (chain
->fw_ip6nopt
& IPV6_FW_IP6OPT_FRAG
) PRINTOPT("!frag");
384 if (chain
->fw_ip6opt
& IPV6_FW_IP6OPT_ESP
) PRINTOPT("esp");
385 if (chain
->fw_ip6nopt
& IPV6_FW_IP6OPT_ESP
) PRINTOPT("!esp");
386 if (chain
->fw_ip6opt
& IPV6_FW_IP6OPT_AH
) PRINTOPT("ah");
387 if (chain
->fw_ip6nopt
& IPV6_FW_IP6OPT_AH
) PRINTOPT("!ah");
388 if (chain
->fw_ip6opt
& IPV6_FW_IP6OPT_NONXT
) PRINTOPT("nonxt");
389 if (chain
->fw_ip6nopt
& IPV6_FW_IP6OPT_NONXT
) PRINTOPT("!nonxt");
390 if (chain
->fw_ip6opt
& IPV6_FW_IP6OPT_OPTS
) PRINTOPT("opts");
391 if (chain
->fw_ip6nopt
& IPV6_FW_IP6OPT_OPTS
) PRINTOPT("!opts");
394 if (chain
->fw_ipflg
& IPV6_FW_IF_TCPEST
)
395 printf(" established");
396 else if (chain
->fw_tcpf
== IPV6_FW_TCPF_SYN
&&
397 chain
->fw_tcpnf
== IPV6_FW_TCPF_ACK
)
399 else if (chain
->fw_tcpf
|| chain
->fw_tcpnf
) {
400 int _flg_printed
= 0;
401 #define PRINTFLG(x) {if (_flg_printed) printf(",");\
402 printf(x); _flg_printed = 1;}
405 if (chain
->fw_tcpf
& IPV6_FW_TCPF_FIN
) PRINTFLG("fin");
406 if (chain
->fw_tcpnf
& IPV6_FW_TCPF_FIN
) PRINTFLG("!fin");
407 if (chain
->fw_tcpf
& IPV6_FW_TCPF_SYN
) PRINTFLG("syn");
408 if (chain
->fw_tcpnf
& IPV6_FW_TCPF_SYN
) PRINTFLG("!syn");
409 if (chain
->fw_tcpf
& IPV6_FW_TCPF_RST
) PRINTFLG("rst");
410 if (chain
->fw_tcpnf
& IPV6_FW_TCPF_RST
) PRINTFLG("!rst");
411 if (chain
->fw_tcpf
& IPV6_FW_TCPF_PSH
) PRINTFLG("psh");
412 if (chain
->fw_tcpnf
& IPV6_FW_TCPF_PSH
) PRINTFLG("!psh");
413 if (chain
->fw_tcpf
& IPV6_FW_TCPF_ACK
) PRINTFLG("ack");
414 if (chain
->fw_tcpnf
& IPV6_FW_TCPF_ACK
) PRINTFLG("!ack");
415 if (chain
->fw_tcpf
& IPV6_FW_TCPF_URG
) PRINTFLG("urg");
416 if (chain
->fw_tcpnf
& IPV6_FW_TCPF_URG
) PRINTFLG("!urg");
418 if (chain
->fw_flg
& IPV6_FW_F_ICMPBIT
) {
424 for (type_index
= 0; type_index
< IPV6_FW_ICMPTYPES_DIM
* sizeof(unsigned) * 8; ++type_index
)
425 if (chain
->fw_icmp6types
[type_index
/ (sizeof(unsigned) * 8)] &
426 (1U << (type_index
% (sizeof(unsigned) * 8)))) {
427 printf("%c%d", first
== 1 ? ' ' : ',', type_index
);
437 list(int ac
, char **av
)
439 struct ip6_fw
*r
, *rules
, *n
;
441 unsigned long rulenum
;
442 int nalloc
, bytes
, maxbytes
;
444 /* extract rules from kernel, resizing array as necessary */
446 nalloc
= sizeof *rules
;
448 maxbytes
= 65536 * sizeof *rules
;
449 while (bytes
>= nalloc
) {
450 if ((n
= realloc(rules
, nalloc
* 2 + 200)) == NULL
)
451 err(EX_OSERR
, "realloc");
452 bytes
= nalloc
= nalloc
* 2 + 200;
454 i
= getsockopt(s
, IPPROTO_IPV6
, IPV6_FW_GET
, rules
, &bytes
);
455 if ((i
< 0 && errno
!= EINVAL
) || nalloc
> maxbytes
)
456 err(EX_OSERR
, "getsockopt(IPV6_FW_GET)");
459 /* display all rules */
460 for (r
= rules
, l
= bytes
; l
>= sizeof rules
[0];
461 r
++, l
-=sizeof rules
[0])
465 /* display specific rules requested on command line */
472 /* convert command line rule # */
473 rulenum
= strtoul(*av
++, &endptr
, 10);
476 warn("invalid rule number: %s", av
[-1]);
480 for (r
= rules
, l
= bytes
;
481 l
>= sizeof rules
[0] && r
->fw_number
<= rulenum
;
482 r
++, l
-=sizeof rules
[0])
483 if (rulenum
== r
->fw_number
) {
489 warnx("rule %lu does not exist", rulenum
);
498 show_usage(const char *fmt
, ...)
505 vsnprintf(buf
, sizeof(buf
), fmt
, args
);
507 warnx("error: %s", buf
);
509 fprintf(stderr
, "usage: ip6fw [options]\n"
511 " add [number] rule\n"
512 " delete number ...\n"
513 " list [number ...]\n"
514 " show [number ...]\n"
515 " zero [number ...]\n"
516 " rule: action proto src dst extras...\n"
518 " {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
519 " reset|count|skipto num} [log]\n"
520 " proto: {ipv6|tcp|udp|ipv6-icmp|<number>}\n"
521 " src: from [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
522 " dst: to [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
524 " fragment (may not be used with ports or tcpflags)\n"
527 " {xmit|recv|via} {iface|ipv6|any}\n"
528 " {established|setup}\n"
529 " tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
530 " ipv6options [!]{hopopt|route|frag|esp|ah|nonxt|opts},...\n"
531 " icmptypes {type[,type]}...\n");
537 lookup_host (const char *host
, u_char
*addr
, int family
)
541 if (inet_pton(family
, host
, addr
) != 1) {
542 if ((he
= gethostbyname2(host
, family
)) == NULL
)
544 memcpy(addr
, he
->h_addr_list
[0], he
->h_length
);
550 fill_ip6(struct in6_addr
*ipno
, struct in6_addr
*mask
, int *acp
, char ***avp
)
557 if (ac
&& !strncmp(*av
,"any",strlen(*av
))) {
558 *ipno
= *mask
= in6addr_any
; av
++; ac
--;
560 p
= strchr(*av
, '/');
566 if (lookup_host(*av
, (u_char
*)ipno
, AF_INET6
) != 0)
567 show_usage("hostname ``%s'' unknown", *av
);
572 } else if (atoi(p
) > 128) {
573 show_usage("bad width ``%s''", p
);
575 *mask
= *(plen2mask(atoi(p
)));
579 *mask
= *(plen2mask(128));
582 for (i
= 0; i
< sizeof(*ipno
); i
++)
583 ipno
->s6_addr
[i
] &= mask
->s6_addr
[i
];
592 fill_reject_code6(u_short
*codep
, char *str
)
598 val
= strtoul(str
, &s
, 0);
599 if (s
!= str
&& *s
== '\0' && val
< 0x100) {
603 for (ic
= icmp6codes
; ic
->str
; ic
++)
604 if (!strcasecmp(str
, ic
->str
)) {
608 show_usage("unknown ICMP6 unreachable code ``%s''", str
);
612 add_port(u_short
*cnt
, u_short
*ptr
, u_short off
, u_short port
)
614 if (off
+ *cnt
>= IPV6_FW_MAX_PORTS
)
615 errx(1, "too many ports (max is %d)", IPV6_FW_MAX_PORTS
);
616 ptr
[off
+*cnt
] = port
;
621 lookup_port(const char *arg
, int test
, int nodash
)
627 snprintf(buf
, sizeof(buf
), "%s", arg
);
628 buf
[strcspn(arg
, nodash
? "-," : ",")] = 0;
629 val
= (int) strtoul(buf
, &earg
, 0);
630 if (!*buf
|| *earg
) {
632 if ((s
= getservbyname(buf
, NULL
))) {
633 val
= htons(s
->s_port
);
636 errx(1, "unknown port ``%s''", arg
);
641 if (val
< 0 || val
> 0xffff) {
643 errx(1, "port ``%s'' out of range", arg
);
652 fill_port(u_short
*cnt
, u_short
*ptr
, u_short off
, char *arg
)
655 int initial_range
= 0;
657 s
= arg
+ strcspn(arg
, "-,"); /* first port name can't have a dash */
660 if (strchr(arg
, ','))
661 errx(1, "port range must be first in list");
662 add_port(cnt
, ptr
, off
, *arg
? lookup_port(arg
, 0, 0) : 0x0000);
667 add_port(cnt
, ptr
, off
, *arg
? lookup_port(arg
, 0, 0) : 0xffff);
671 while (arg
!= NULL
) {
675 add_port(cnt
, ptr
, off
, lookup_port(arg
, 0, 0));
678 return initial_range
;
682 fill_tcpflag(u_char
*set
, u_char
*reset
, char **vp
)
692 { "syn", IPV6_FW_TCPF_SYN
},
693 { "fin", IPV6_FW_TCPF_FIN
},
694 { "ack", IPV6_FW_TCPF_ACK
},
695 { "psh", IPV6_FW_TCPF_PSH
},
696 { "rst", IPV6_FW_TCPF_RST
},
697 { "urg", IPV6_FW_TCPF_URG
}
710 for (i
= 0; i
< sizeof(flags
) / sizeof(flags
[0]); ++i
)
711 if (!strncmp(p
, flags
[i
].name
, strlen(p
))) {
712 *d
|= flags
[i
].value
;
715 if (i
== sizeof(flags
) / sizeof(flags
[0]))
716 show_usage("invalid tcp flag ``%s''", p
);
722 fill_ip6opt(u_char
*set
, u_char
*reset
, char **vp
)
737 if (!strncmp(p
,"hopopt",strlen(p
))) *d
|= IPV6_FW_IP6OPT_HOPOPT
;
738 if (!strncmp(p
,"route",strlen(p
))) *d
|= IPV6_FW_IP6OPT_ROUTE
;
739 if (!strncmp(p
,"frag",strlen(p
))) *d
|= IPV6_FW_IP6OPT_FRAG
;
740 if (!strncmp(p
,"esp",strlen(p
))) *d
|= IPV6_FW_IP6OPT_ESP
;
741 if (!strncmp(p
,"ah",strlen(p
))) *d
|= IPV6_FW_IP6OPT_AH
;
742 if (!strncmp(p
,"nonxt",strlen(p
))) *d
|= IPV6_FW_IP6OPT_NONXT
;
743 if (!strncmp(p
,"opts",strlen(p
))) *d
|= IPV6_FW_IP6OPT_OPTS
;
749 fill_icmptypes(unsigned *types
, char **vp
, u_short
*fw_flg
)
755 unsigned long icmptype
;
760 icmptype
= strtoul(c
, &c
, 0);
762 if ( *c
!= ',' && *c
!= '\0' )
763 show_usage("invalid ICMP6 type");
765 if (icmptype
>= IPV6_FW_ICMPTYPES_DIM
* sizeof(unsigned) * 8)
766 show_usage("ICMP6 type out of range");
768 types
[icmptype
/ (sizeof(unsigned) * 8)] |=
769 1 << (icmptype
% (sizeof(unsigned) * 8));
770 *fw_flg
|= IPV6_FW_F_ICMPBIT
;
775 delete(int ac
, char **av
)
781 memset(&rule
, 0, sizeof rule
);
786 while (ac
&& isdigit(**av
)) {
787 rule
.fw_number
= atoi(*av
); av
++; ac
--;
788 i
= setsockopt(s
, IPPROTO_IPV6
, IPV6_FW_DEL
, &rule
, sizeof rule
);
791 warn("rule %u: setsockopt(%s)", rule
.fw_number
, "IPV6_FW_DEL");
799 verify_interface(union ip6_fw_if
*ifu
)
803 strlcpy(ifr
.ifr_name
, ifu
->fu_via_if
.name
, sizeof(ifr
.ifr_name
));
805 if (ioctl(s
, SIOCGIFFLAGS
, &ifr
) < 0)
806 warnx("warning: interface ``%s'' does not exist", ifr
.ifr_name
);
810 fill_iface(char *which
, union ip6_fw_if
*ifu
, int *byname
, int ac
, char *arg
)
813 show_usage("missing argument for ``%s''", which
);
815 /* Parse the interface or address */
816 if (!strcmp(arg
, "any")) {
817 ifu
->fu_via_ip6
= in6addr_any
;
819 } else if (!isdigit(*arg
)) {
821 strlcpy(ifu
->fu_via_if
.name
, arg
, sizeof(ifu
->fu_via_if
.name
));
823 * We assume that strings containing '*', '?', or '['
824 * are ment to be shell pattern.
826 if (strpbrk(arg
, "*?[") != NULL
) {
827 ifu
->fu_via_if
.glob
= 1;
829 ifu
->fu_via_if
.glob
= 0;
830 verify_interface(ifu
);
832 } else if (inet_pton(AF_INET6
, arg
, &ifu
->fu_via_ip6
) != 1) {
833 show_usage("bad ip6 address ``%s''", arg
);
839 add(int ac
, char **av
)
845 int saw_xmrc
= 0, saw_via
= 0;
847 memset(&rule
, 0, sizeof rule
);
852 if (ac
&& isdigit(**av
)) {
853 rule
.fw_number
= atoi(*av
); av
++; ac
--;
858 show_usage("missing action");
859 if (!strncmp(*av
,"accept",strlen(*av
))
860 || !strncmp(*av
,"pass",strlen(*av
))
861 || !strncmp(*av
,"allow",strlen(*av
))
862 || !strncmp(*av
,"permit",strlen(*av
))) {
863 rule
.fw_flg
|= IPV6_FW_F_ACCEPT
; av
++; ac
--;
864 } else if (!strncmp(*av
,"count",strlen(*av
))) {
865 rule
.fw_flg
|= IPV6_FW_F_COUNT
; av
++; ac
--;
868 else if (!strncmp(*av
,"divert",strlen(*av
))) {
869 rule
.fw_flg
|= IPV6_FW_F_DIVERT
; av
++; ac
--;
871 show_usage("missing divert port");
872 rule
.fw_divert_port
= strtoul(*av
, NULL
, 0); av
++; ac
--;
873 if (rule
.fw_divert_port
== 0) {
876 s
= getservbyname(av
[-1], "divert");
878 rule
.fw_divert_port
= ntohs(s
->s_port
);
880 show_usage("illegal divert port");
882 } else if (!strncmp(*av
,"tee",strlen(*av
))) {
883 rule
.fw_flg
|= IPV6_FW_F_TEE
; av
++; ac
--;
885 show_usage("missing divert port");
886 rule
.fw_divert_port
= strtoul(*av
, NULL
, 0); av
++; ac
--;
887 if (rule
.fw_divert_port
== 0) {
890 s
= getservbyname(av
[-1], "divert");
892 rule
.fw_divert_port
= ntohs(s
->s_port
);
894 show_usage("illegal divert port");
898 else if (!strncmp(*av
,"skipto",strlen(*av
))) {
899 rule
.fw_flg
|= IPV6_FW_F_SKIPTO
; av
++; ac
--;
901 show_usage("missing skipto rule number");
902 rule
.fw_skipto_rule
= strtoul(*av
, NULL
, 0); av
++; ac
--;
903 } else if ((!strncmp(*av
,"deny",strlen(*av
))
904 || !strncmp(*av
,"drop",strlen(*av
)))) {
905 rule
.fw_flg
|= IPV6_FW_F_DENY
; av
++; ac
--;
906 } else if (!strncmp(*av
,"reject",strlen(*av
))) {
907 rule
.fw_flg
|= IPV6_FW_F_REJECT
; av
++; ac
--;
908 rule
.fw_reject_code
= ICMP6_DST_UNREACH_NOROUTE
;
909 } else if (!strncmp(*av
,"reset",strlen(*av
))) {
910 rule
.fw_flg
|= IPV6_FW_F_REJECT
; av
++; ac
--;
911 rule
.fw_reject_code
= IPV6_FW_REJECT_RST
; /* check TCP later */
912 } else if (!strncmp(*av
,"unreach",strlen(*av
))) {
913 rule
.fw_flg
|= IPV6_FW_F_REJECT
; av
++; ac
--;
914 fill_reject_code6(&rule
.fw_reject_code
, *av
); av
++; ac
--;
916 show_usage("invalid action ``%s''", *av
);
920 if (ac
&& !strncmp(*av
,"log",strlen(*av
))) {
921 rule
.fw_flg
|= IPV6_FW_F_PRN
; av
++; ac
--;
926 show_usage("missing protocol");
927 if ((proto
= atoi(*av
)) > 0) {
928 rule
.fw_prot
= proto
; av
++; ac
--;
929 } else if (!strncmp(*av
,"all",strlen(*av
))) {
930 rule
.fw_prot
= IPPROTO_IPV6
; av
++; ac
--;
931 } else if ((pe
= getprotobyname(*av
)) != NULL
) {
932 rule
.fw_prot
= pe
->p_proto
; av
++; ac
--;
934 show_usage("invalid protocol ``%s''", *av
);
937 if (rule
.fw_prot
!= IPPROTO_TCP
938 && (rule
.fw_flg
& IPV6_FW_F_COMMAND
) == IPV6_FW_F_REJECT
939 && rule
.fw_reject_code
== IPV6_FW_REJECT_RST
)
940 show_usage("``reset'' is only valid for tcp packets");
943 if (ac
&& !strncmp(*av
,"from",strlen(*av
))) { av
++; ac
--; }
945 show_usage("missing ``from''");
947 if (ac
&& !strncmp(*av
,"not",strlen(*av
))) {
948 rule
.fw_flg
|= IPV6_FW_F_INVSRC
;
952 show_usage("missing arguments");
954 fill_ip6(&rule
.fw_src
, &rule
.fw_smsk
, &ac
, &av
);
956 if (ac
&& (isdigit(**av
) || lookup_port(*av
, 1, 1) >= 0)) {
959 if (fill_port(&nports
, rule
.fw_pts
, 0, *av
))
960 rule
.fw_flg
|= IPV6_FW_F_SRNG
;
961 IPV6_FW_SETNSRCP(&rule
, nports
);
966 if (ac
&& !strncmp(*av
,"to",strlen(*av
))) { av
++; ac
--; }
968 show_usage("missing ``to''");
970 if (ac
&& !strncmp(*av
,"not",strlen(*av
))) {
971 rule
.fw_flg
|= IPV6_FW_F_INVDST
;
975 show_usage("missing arguments");
977 fill_ip6(&rule
.fw_dst
, &rule
.fw_dmsk
, &ac
, &av
);
979 if (ac
&& (isdigit(**av
) || lookup_port(*av
, 1, 1) >= 0)) {
982 if (fill_port(&nports
,
983 rule
.fw_pts
, IPV6_FW_GETNSRCP(&rule
), *av
))
984 rule
.fw_flg
|= IPV6_FW_F_DRNG
;
985 IPV6_FW_SETNDSTP(&rule
, nports
);
989 if ((rule
.fw_prot
!= IPPROTO_TCP
) && (rule
.fw_prot
!= IPPROTO_UDP
)
990 && (IPV6_FW_GETNSRCP(&rule
) || IPV6_FW_GETNDSTP(&rule
))) {
991 show_usage("only TCP and UDP protocols are valid"
992 " with port specifications");
996 if (!strncmp(*av
,"in",strlen(*av
))) {
997 rule
.fw_flg
|= IPV6_FW_F_IN
;
998 av
++; ac
--; continue;
1000 if (!strncmp(*av
,"out",strlen(*av
))) {
1001 rule
.fw_flg
|= IPV6_FW_F_OUT
;
1002 av
++; ac
--; continue;
1004 if (ac
&& !strncmp(*av
,"xmit",strlen(*av
))) {
1005 union ip6_fw_if ifu
;
1010 show_usage("``via'' is incompatible"
1011 " with ``xmit'' and ``recv''");
1015 fill_iface("xmit", &ifu
, &byname
, ac
, *av
);
1016 rule
.fw_out_if
= ifu
;
1017 rule
.fw_flg
|= IPV6_FW_F_OIFACE
;
1019 rule
.fw_flg
|= IPV6_FW_F_OIFNAME
;
1020 av
++; ac
--; continue;
1022 if (ac
&& !strncmp(*av
,"recv",strlen(*av
))) {
1023 union ip6_fw_if ifu
;
1030 fill_iface("recv", &ifu
, &byname
, ac
, *av
);
1031 rule
.fw_in_if
= ifu
;
1032 rule
.fw_flg
|= IPV6_FW_F_IIFACE
;
1034 rule
.fw_flg
|= IPV6_FW_F_IIFNAME
;
1035 av
++; ac
--; continue;
1037 if (ac
&& !strncmp(*av
,"via",strlen(*av
))) {
1038 union ip6_fw_if ifu
;
1045 fill_iface("via", &ifu
, &byname
, ac
, *av
);
1046 rule
.fw_out_if
= rule
.fw_in_if
= ifu
;
1049 (IPV6_FW_F_IIFNAME
| IPV6_FW_F_OIFNAME
);
1050 av
++; ac
--; continue;
1052 if (!strncmp(*av
,"fragment",strlen(*av
))) {
1053 rule
.fw_flg
|= IPV6_FW_F_FRAG
;
1054 av
++; ac
--; continue;
1056 if (!strncmp(*av
,"ipv6options",strlen(*av
))) {
1059 show_usage("missing argument"
1060 " for ``ipv6options''");
1061 fill_ip6opt(&rule
.fw_ip6opt
, &rule
.fw_ip6nopt
, av
);
1062 av
++; ac
--; continue;
1064 if (rule
.fw_prot
== IPPROTO_TCP
) {
1065 if (!strncmp(*av
,"established",strlen(*av
))) {
1066 rule
.fw_ipflg
|= IPV6_FW_IF_TCPEST
;
1067 av
++; ac
--; continue;
1069 if (!strncmp(*av
,"setup",strlen(*av
))) {
1070 rule
.fw_tcpf
|= IPV6_FW_TCPF_SYN
;
1071 rule
.fw_tcpnf
|= IPV6_FW_TCPF_ACK
;
1072 av
++; ac
--; continue;
1074 if (!strncmp(*av
,"tcpflags",strlen(*av
))) {
1077 show_usage("missing argument"
1078 " for ``tcpflags''");
1079 fill_tcpflag(&rule
.fw_tcpf
, &rule
.fw_tcpnf
, av
);
1080 av
++; ac
--; continue;
1083 if (rule
.fw_prot
== IPPROTO_ICMPV6
) {
1084 if (!strncmp(*av
,"icmptypes",strlen(*av
))) {
1087 show_usage("missing argument"
1088 " for ``icmptypes''");
1089 fill_icmptypes(rule
.fw_icmp6types
,
1091 av
++; ac
--; continue;
1094 show_usage("unknown argument ``%s''", *av
);
1097 /* No direction specified -> do both directions */
1098 if (!(rule
.fw_flg
& (IPV6_FW_F_OUT
|IPV6_FW_F_IN
)))
1099 rule
.fw_flg
|= (IPV6_FW_F_OUT
|IPV6_FW_F_IN
);
1101 /* Sanity check interface check, but handle "via" case separately */
1103 if (rule
.fw_flg
& IPV6_FW_F_IN
)
1104 rule
.fw_flg
|= IPV6_FW_F_IIFACE
;
1105 if (rule
.fw_flg
& IPV6_FW_F_OUT
)
1106 rule
.fw_flg
|= IPV6_FW_F_OIFACE
;
1107 } else if ((rule
.fw_flg
& IPV6_FW_F_OIFACE
) && (rule
.fw_flg
& IPV6_FW_F_IN
))
1108 show_usage("can't check xmit interface of incoming packets");
1110 /* frag may not be used in conjunction with ports or TCP flags */
1111 if (rule
.fw_flg
& IPV6_FW_F_FRAG
) {
1112 if (rule
.fw_tcpf
|| rule
.fw_tcpnf
)
1113 show_usage("can't mix 'frag' and tcpflags");
1116 show_usage("can't mix 'frag' and port specifications");
1121 i
= setsockopt(s
, IPPROTO_IPV6
, IPV6_FW_ADD
, &rule
, sizeof rule
);
1123 err(EX_UNAVAILABLE
, "setsockopt(%s)", "IPV6_FW_ADD");
1127 zero (int ac
, char **av
)
1132 /* clear all entries */
1133 if (setsockopt(s
,IPPROTO_IPV6
,IPV6_FW_ZERO
,NULL
,0)<0)
1134 err(EX_UNAVAILABLE
, "setsockopt(%s)", "IPV6_FW_ZERO");
1136 printf("Accounting cleared.\n");
1141 memset(&rule
, 0, sizeof rule
);
1144 if (isdigit(**av
)) {
1145 rule
.fw_number
= atoi(*av
); av
++; ac
--;
1146 if (setsockopt(s
, IPPROTO_IPV6
,
1147 IPV6_FW_ZERO
, &rule
, sizeof rule
)) {
1148 warn("rule %u: setsockopt(%s)", rule
.fw_number
,
1153 printf("Entry %d cleared\n",
1156 show_usage("invalid rule number ``%s''", *av
);
1164 ip6fw_main(int ac
, char **av
)
1169 /* init optind to 1 */
1176 /* Set the force flag for non-interactive processes */
1177 do_force
= !isatty(STDIN_FILENO
);
1179 while ((ch
= getopt(ac
, av
,"afqtN")) != -1)
1201 if (*(av
+=optind
)==NULL
) {
1202 show_usage("Bad arguments");
1205 if (!strncmp(*av
, "add", strlen(*av
))) {
1207 } else if (!strncmp(*av
, "delete", strlen(*av
))) {
1209 } else if (!strncmp(*av
, "flush", strlen(*av
))) {
1212 if ( do_force
|| do_quiet
)
1218 printf("Are you sure? [yn] ");
1221 c
= toupper(getc(stdin
));
1222 while (c
!= '\n' && getc(stdin
) != '\n')
1225 } while (c
!= 'Y' && c
!= 'N');
1231 if (setsockopt(s
,IPPROTO_IPV6
,IPV6_FW_FLUSH
,NULL
,0) < 0)
1232 err(EX_UNAVAILABLE
, "setsockopt(%s)", "IPV6_FW_FLUSH");
1234 printf("Flushed all rules.\n");
1236 } else if (!strncmp(*av
, "zero", strlen(*av
))) {
1238 } else if (!strncmp(*av
, "print", strlen(*av
))) {
1240 } else if (!strncmp(*av
, "list", strlen(*av
))) {
1242 } else if (!strncmp(*av
, "show", strlen(*av
))) {
1246 show_usage("Bad arguments");
1252 main(int ac
, char **av
)
1255 #define WHITESP " \t\f\v\n\r"
1257 char *a
, *p
, *args
[MAX_ARGS
], *cmd
= NULL
;
1259 int i
, c
, lineno
, qflag
, pflag
, status
;
1263 s
= socket( AF_INET6
, SOCK_RAW
, IPPROTO_RAW
);
1265 err(EX_UNAVAILABLE
, "socket");
1270 * Only interpret the last command line argument as a file to
1271 * be preprocessed if it is specified as an absolute pathname.
1274 if (ac
> 1 && av
[ac
- 1][0] == '/' && access(av
[ac
- 1], R_OK
) == 0) {
1275 qflag
= pflag
= i
= 0;
1278 while ((c
= getopt(ac
, av
, "D:U:p:q")) != -1)
1282 errx(EX_USAGE
, "-D requires -p");
1283 if (i
> MAX_ARGS
- 2)
1285 "too many -D or -U options");
1292 errx(EX_USAGE
, "-U requires -p");
1293 if (i
> MAX_ARGS
- 2)
1295 "too many -D or -U options");
1318 show_usage("extraneous filename arguments");
1320 if ((f
= fopen(av
[0], "r")) == NULL
)
1321 err(EX_UNAVAILABLE
, "fopen: %s", av
[0]);
1324 /* pipe through preprocessor (cpp or m4) */
1329 if (pipe(pipedes
) == -1)
1330 err(EX_OSERR
, "cannot create pipe");
1332 switch((preproc
= fork())) {
1334 err(EX_OSERR
, "cannot fork");
1338 if (dup2(fileno(f
), 0) == -1 ||
1339 dup2(pipedes
[1], 1) == -1)
1340 err(EX_OSERR
, "dup2()");
1345 err(EX_OSERR
, "execvp(%s) failed", cmd
);
1351 if ((f
= fdopen(pipedes
[0], "r")) == NULL
) {
1352 int savederrno
= errno
;
1354 kill(preproc
, SIGTERM
);
1356 err(EX_OSERR
, "fdopen()");
1361 while (fgets(buf
, BUFSIZ
, f
)) {
1363 sprintf(linename
, "Line %d", lineno
);
1368 if ((p
= strchr(buf
, '#')) != NULL
)
1371 if (qflag
) args
[i
++]="-q";
1372 for (a
= strtok(buf
, WHITESP
);
1373 a
&& i
< MAX_ARGS
; a
= strtok(NULL
, WHITESP
), i
++)
1375 if (i
== (qflag
? 2: 1))
1378 errx(EX_USAGE
, "%s: too many arguments", linename
);
1381 ip6fw_main(i
, args
);
1385 if (waitpid(preproc
, &status
, 0) != -1) {
1386 if (WIFEXITED(status
)) {
1387 if (WEXITSTATUS(status
) != EX_OK
)
1388 errx(EX_UNAVAILABLE
,
1389 "preprocessor exited with status %d",
1390 WEXITSTATUS(status
));
1391 } else if (WIFSIGNALED(status
)) {
1392 errx(EX_UNAVAILABLE
,
1393 "preprocessor exited with signal %d",