1 /* $KAME: ip6fw.c,v 1.13 2001/06/22 05:51:16 itojun Exp $ */
4 * Copyright (C) 1998, 1999, 2000 and 2001 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
34 * Copyright (c) 1994 Ugen J.S.Antsilevich
36 * Idea and grammar partially left from:
37 * Copyright (c) 1993 Daniel Boulet
39 * Redistribution and use in source forms, with and without modification,
40 * are permitted provided that this entire comment appears intact.
42 * Redistribution in binary form may occur without any restrictions.
43 * Obviously, it would be nice if you gave credit where credit is due
44 * but requiring it would be too onerous.
46 * This software is provided ``AS IS'' without any warranties of any kind.
48 * NEW command line interface for IP firewall facility
50 * $Id: ip6fw.c,v 1.1.2.2.2.2 1999/05/14 05:13:50 shin Exp $
51 * $FreeBSD: src/sbin/ip6fw/ip6fw.c,v 1.1.2.9 2003/04/05 10:54:51 ume Exp $
52 * $DragonFly: src/sbin/ip6fw/ip6fw.c,v 1.3 2003/08/08 04:18:38 dillon Exp $
55 #include <sys/types.h>
56 #include <sys/queue.h>
57 #include <sys/socket.h>
58 #include <sys/sockio.h>
60 #include <sys/ioctl.h>
78 #include <netinet/in.h>
79 #include <netinet/in_systm.h>
80 #include <netinet/ip6.h>
81 #include <netinet/icmp6.h>
82 #include <net/ip6fw/ip6_fw.h>
83 #include <netinet/tcp.h>
84 #include <arpa/inet.h>
88 int s; /* main RAW socket */
89 int do_resolv=0; /* Would try to resolv all */
90 int do_acct=0; /* Show packet/byte count */
91 int do_time=0; /* Show time stamps */
92 int do_quiet=0; /* Be quiet in add and flush */
93 int do_force=0; /* Don't ask for confirmation */
100 static struct icmpcode icmp6codes[] = {
101 { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
102 { ICMP6_DST_UNREACH_ADMIN, "admin" },
103 { ICMP6_DST_UNREACH_NOTNEIGHBOR, "notneighbor" },
104 { ICMP6_DST_UNREACH_ADDR, "addr" },
105 { ICMP6_DST_UNREACH_NOPORT, "noport" },
109 static char ntop_buf[INET6_ADDRSTRLEN];
111 static void show_usage(const char *fmt, ...);
114 mask_bits(u_char *m_ad, int m_len)
118 for (i = 0; i < m_len; i++, m_ad++) {
125 #define MASKLEN(m, l) case m: h_num += l; break
139 static int pl2m[9] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
141 struct in6_addr *plen2mask(int n)
143 static struct in6_addr ia;
147 memset(&ia, 0, sizeof(struct in6_addr));
149 for (i = 0; i < 16; i++, p++, n -= 8) {
161 print_port(prot, port, comma)
168 const char *protocol;
172 pe = getprotobynumber(prot);
174 protocol = pe->p_name;
178 se = getservbyport(htons(port), protocol);
180 printf("%s%s", comma, se->s_name);
185 printf("%s%d",comma,port);
189 print_iface(char *key, union ip6_fw_if *un, int byname)
191 char ifnb[IP6FW_IFNLEN+1];
194 strncpy(ifnb, un->fu_via_if.name, IP6FW_IFNLEN);
195 ifnb[IP6FW_IFNLEN]='\0';
196 if (un->fu_via_if.unit == -1)
197 printf(" %s %s*", key, ifnb);
199 printf(" %s %s%d", key, ifnb, un->fu_via_if.unit);
200 } else if (!IN6_IS_ADDR_UNSPECIFIED(&un->fu_via_ip6)) {
201 printf(" %s %s", key, inet_ntop(AF_INET6,&un->fu_via_ip6,ntop_buf,sizeof(ntop_buf)));
203 printf(" %s any", key);
207 print_reject_code(int code)
211 for (ic = icmp6codes; ic->str; ic++)
212 if (ic->code == code) {
213 printf("%s", ic->str);
220 show_ip6fw(struct ip6_fw *chain)
226 int nsp = IPV6_FW_GETNSRCP(chain);
227 int ndp = IPV6_FW_GETNDSTP(chain);
230 setservent(1/*stayopen*/);
232 printf("%05u ", chain->fw_number);
235 printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
239 if (chain->timestamp)
243 strcpy(timestr, ctime((time_t *)&chain->timestamp));
244 *strchr(timestr, '\n') = '\0';
245 printf("%s ", timestr);
251 switch (chain->fw_flg & IPV6_FW_F_COMMAND)
253 case IPV6_FW_F_ACCEPT:
259 case IPV6_FW_F_COUNT:
262 case IPV6_FW_F_DIVERT:
263 printf("divert %u", chain->fw_divert_port);
266 printf("tee %u", chain->fw_divert_port);
268 case IPV6_FW_F_SKIPTO:
269 printf("skipto %u", chain->fw_skipto_rule);
271 case IPV6_FW_F_REJECT:
272 if (chain->fw_reject_code == IPV6_FW_REJECT_RST)
276 print_reject_code(chain->fw_reject_code);
280 errx(EX_OSERR, "impossible");
283 if (chain->fw_flg & IPV6_FW_F_PRN)
286 pe = getprotobynumber(chain->fw_prot);
288 printf(" %s", pe->p_name);
290 printf(" %u", chain->fw_prot);
292 printf(" from %s", chain->fw_flg & IPV6_FW_F_INVSRC ? "not " : "");
294 mb=mask_bits((u_char *)&chain->fw_smsk,sizeof(chain->fw_smsk));
295 if (mb==128 && do_resolv) {
296 he=gethostbyaddr((char *)&(chain->fw_src),sizeof(chain->fw_src),AF_INET6);
298 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
300 printf("%s",he->h_name);
306 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
310 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
313 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
315 for (i = 0; i < nsp; i++) {
316 print_port(chain->fw_prot, chain->fw_pts[i], comma);
317 if (i==0 && (chain->fw_flg & IPV6_FW_F_SRNG))
324 printf(" to %s", chain->fw_flg & IPV6_FW_F_INVDST ? "not " : "");
326 mb=mask_bits((u_char *)&chain->fw_dmsk,sizeof(chain->fw_dmsk));
327 if (mb==128 && do_resolv) {
328 he=gethostbyaddr((char *)&(chain->fw_dst),sizeof(chain->fw_dst),AF_INET6);
330 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
332 printf("%s",he->h_name);
338 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
342 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
345 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
347 for (i = 0; i < ndp; i++) {
348 print_port(chain->fw_prot, chain->fw_pts[nsp+i], comma);
349 if (i==0 && (chain->fw_flg & IPV6_FW_F_DRNG))
357 if ((chain->fw_flg & IPV6_FW_F_IN) && !(chain->fw_flg & IPV6_FW_F_OUT))
359 if (!(chain->fw_flg & IPV6_FW_F_IN) && (chain->fw_flg & IPV6_FW_F_OUT))
362 /* Handle hack for "via" backwards compatibility */
363 if ((chain->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) {
365 &chain->fw_in_if, chain->fw_flg & IPV6_FW_F_IIFNAME);
367 /* Receive interface specified */
368 if (chain->fw_flg & IPV6_FW_F_IIFACE)
369 print_iface("recv", &chain->fw_in_if,
370 chain->fw_flg & IPV6_FW_F_IIFNAME);
371 /* Transmit interface specified */
372 if (chain->fw_flg & IPV6_FW_F_OIFACE)
373 print_iface("xmit", &chain->fw_out_if,
374 chain->fw_flg & IPV6_FW_F_OIFNAME);
377 if (chain->fw_flg & IPV6_FW_F_FRAG)
380 if (chain->fw_ip6opt || chain->fw_ip6nopt) {
381 int _opt_printed = 0;
382 #define PRINTOPT(x) {if (_opt_printed) printf(",");\
383 printf(x); _opt_printed = 1;}
386 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("hopopt");
387 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("!hopopt");
388 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("route");
389 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("!route");
390 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("frag");
391 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("!frag");
392 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ESP) PRINTOPT("esp");
393 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ESP) PRINTOPT("!esp");
394 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_AH) PRINTOPT("ah");
395 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_AH) PRINTOPT("!ah");
396 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("nonxt");
397 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("!nonxt");
398 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("opts");
399 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("!opts");
402 if (chain->fw_ipflg & IPV6_FW_IF_TCPEST)
403 printf(" established");
404 else if (chain->fw_tcpf == IPV6_FW_TCPF_SYN &&
405 chain->fw_tcpnf == IPV6_FW_TCPF_ACK)
407 else if (chain->fw_tcpf || chain->fw_tcpnf) {
408 int _flg_printed = 0;
409 #define PRINTFLG(x) {if (_flg_printed) printf(",");\
410 printf(x); _flg_printed = 1;}
413 if (chain->fw_tcpf & IPV6_FW_TCPF_FIN) PRINTFLG("fin");
414 if (chain->fw_tcpnf & IPV6_FW_TCPF_FIN) PRINTFLG("!fin");
415 if (chain->fw_tcpf & IPV6_FW_TCPF_SYN) PRINTFLG("syn");
416 if (chain->fw_tcpnf & IPV6_FW_TCPF_SYN) PRINTFLG("!syn");
417 if (chain->fw_tcpf & IPV6_FW_TCPF_RST) PRINTFLG("rst");
418 if (chain->fw_tcpnf & IPV6_FW_TCPF_RST) PRINTFLG("!rst");
419 if (chain->fw_tcpf & IPV6_FW_TCPF_PSH) PRINTFLG("psh");
420 if (chain->fw_tcpnf & IPV6_FW_TCPF_PSH) PRINTFLG("!psh");
421 if (chain->fw_tcpf & IPV6_FW_TCPF_ACK) PRINTFLG("ack");
422 if (chain->fw_tcpnf & IPV6_FW_TCPF_ACK) PRINTFLG("!ack");
423 if (chain->fw_tcpf & IPV6_FW_TCPF_URG) PRINTFLG("urg");
424 if (chain->fw_tcpnf & IPV6_FW_TCPF_URG) PRINTFLG("!urg");
426 if (chain->fw_flg & IPV6_FW_F_ICMPBIT) {
432 for (type_index = 0; type_index < IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8; ++type_index)
433 if (chain->fw_icmp6types[type_index / (sizeof(unsigned) * 8)] &
434 (1U << (type_index % (sizeof(unsigned) * 8)))) {
435 printf("%c%d", first == 1 ? ' ' : ',', type_index);
449 struct ip6_fw *r, *rules;
451 unsigned long rulenum;
452 int nalloc, bytes, maxbytes;
454 /* extract rules from kernel, resizing array as necessary */
456 nalloc = sizeof *rules;
458 maxbytes = 65536 * sizeof *rules;
459 while (bytes >= nalloc) {
460 nalloc = nalloc * 2 + 200;
462 if ((rules = realloc(rules, bytes)) == NULL)
463 err(EX_OSERR, "realloc");
464 i = getsockopt(s, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);
465 if ((i < 0 && errno != EINVAL) || nalloc > maxbytes)
466 err(EX_OSERR, "getsockopt(IPV6_FW_GET)");
469 /* display all rules */
470 for (r = rules, l = bytes; l >= sizeof rules[0];
471 r++, l-=sizeof rules[0])
475 /* display specific rules requested on command line */
482 /* convert command line rule # */
483 rulenum = strtoul(*av++, &endptr, 10);
486 warn("invalid rule number: %s", av[-1]);
490 for (r = rules, l = bytes;
491 l >= sizeof rules[0] && r->fw_number <= rulenum;
492 r++, l-=sizeof rules[0])
493 if (rulenum == r->fw_number) {
499 warnx("rule %lu does not exist", rulenum);
508 show_usage(const char *fmt, ...)
515 vsnprintf(buf, sizeof(buf), fmt, args);
517 warnx("error: %s", buf);
519 fprintf(stderr, "usage: ip6fw [options]\n"
521 " add [number] rule\n"
522 " delete number ...\n"
523 " list [number ...]\n"
524 " show [number ...]\n"
525 " zero [number ...]\n"
526 " rule: action proto src dst extras...\n"
528 " {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
529 " reset|count|skipto num} [log]\n"
530 " proto: {ipv6|tcp|udp|ipv6-icmp|<number>}\n"
531 " src: from [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
532 " dst: to [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
534 " fragment (may not be used with ports or tcpflags)\n"
537 " {xmit|recv|via} {iface|ipv6|any}\n"
538 " {established|setup}\n"
539 " tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
540 " ipv6options [!]{hopopt|route|frag|esp|ah|nonxt|opts},...\n"
541 " icmptypes {type[,type]}...\n");
547 lookup_host (host, addr, family)
553 if (inet_pton(family, host, addr) != 1) {
554 if ((he = gethostbyname2(host, family)) == NULL)
556 memcpy(addr, he->h_addr_list[0], he->h_length);
562 fill_ip6(ipno, mask, acp, avp)
563 struct in6_addr *ipno, *mask;
572 if (ac && !strncmp(*av,"any",strlen(*av))) {
573 *ipno = *mask = in6addr_any; av++; ac--;
575 p = strchr(*av, '/');
581 if (lookup_host(*av, ipno, AF_INET6) != 0)
582 show_usage("hostname ``%s'' unknown", *av);
587 } else if (atoi(p) > 128) {
588 show_usage("bad width ``%s''", p);
590 *mask = *(plen2mask(atoi(p)));
594 *mask = *(plen2mask(128));
597 for (i = 0; i < sizeof(*ipno); i++)
598 ipno->s6_addr[i] &= mask->s6_addr[i];
607 fill_reject_code6(u_short *codep, char *str)
613 val = strtoul(str, &s, 0);
614 if (s != str && *s == '\0' && val < 0x100) {
618 for (ic = icmp6codes; ic->str; ic++)
619 if (!strcasecmp(str, ic->str)) {
623 show_usage("unknown ICMP6 unreachable code ``%s''", str);
627 add_port(cnt, ptr, off, port)
628 u_short *cnt, *ptr, off, port;
630 if (off + *cnt >= IPV6_FW_MAX_PORTS)
631 errx(1, "too many ports (max is %d)", IPV6_FW_MAX_PORTS);
632 ptr[off+*cnt] = port;
637 lookup_port(const char *arg, int test, int nodash)
643 snprintf(buf, sizeof(buf), "%s", arg);
644 buf[strcspn(arg, nodash ? "-," : ",")] = 0;
645 val = (int) strtoul(buf, &earg, 0);
646 if (!*buf || *earg) {
648 if ((s = getservbyname(buf, NULL))) {
649 val = htons(s->s_port);
652 errx(1, "unknown port ``%s''", arg);
657 if (val < 0 || val > 0xffff) {
659 errx(1, "port ``%s'' out of range", arg);
668 fill_port(cnt, ptr, off, arg)
669 u_short *cnt, *ptr, off;
673 int initial_range = 0;
675 s = arg + strcspn(arg, "-,"); /* first port name can't have a dash */
678 if (strchr(arg, ','))
679 errx(1, "port range must be first in list");
680 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0x0000);
685 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0xffff);
689 while (arg != NULL) {
693 add_port(cnt, ptr, off, lookup_port(arg, 0, 0));
696 return initial_range;
700 fill_tcpflag(set, reset, vp)
712 { "syn", IPV6_FW_TCPF_SYN },
713 { "fin", IPV6_FW_TCPF_FIN },
714 { "ack", IPV6_FW_TCPF_ACK },
715 { "psh", IPV6_FW_TCPF_PSH },
716 { "rst", IPV6_FW_TCPF_RST },
717 { "urg", IPV6_FW_TCPF_URG }
730 for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i)
731 if (!strncmp(p, flags[i].name, strlen(p))) {
732 *d |= flags[i].value;
735 if (i == sizeof(flags) / sizeof(flags[0]))
736 show_usage("invalid tcp flag ``%s''", p);
742 fill_ip6opt(u_char *set, u_char *reset, char **vp)
757 if (!strncmp(p,"hopopt",strlen(p))) *d |= IPV6_FW_IP6OPT_HOPOPT;
758 if (!strncmp(p,"route",strlen(p))) *d |= IPV6_FW_IP6OPT_ROUTE;
759 if (!strncmp(p,"frag",strlen(p))) *d |= IPV6_FW_IP6OPT_FRAG;
760 if (!strncmp(p,"esp",strlen(p))) *d |= IPV6_FW_IP6OPT_ESP;
761 if (!strncmp(p,"ah",strlen(p))) *d |= IPV6_FW_IP6OPT_AH;
762 if (!strncmp(p,"nonxt",strlen(p))) *d |= IPV6_FW_IP6OPT_NONXT;
763 if (!strncmp(p,"opts",strlen(p))) *d |= IPV6_FW_IP6OPT_OPTS;
769 fill_icmptypes(types, vp, fw_flg)
778 unsigned long icmptype;
783 icmptype = strtoul(c, &c, 0);
785 if ( *c != ',' && *c != '\0' )
786 show_usage("invalid ICMP6 type");
788 if (icmptype >= IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8)
789 show_usage("ICMP6 type out of range");
791 types[icmptype / (sizeof(unsigned) * 8)] |=
792 1 << (icmptype % (sizeof(unsigned) * 8));
793 *fw_flg |= IPV6_FW_F_ICMPBIT;
806 memset(&rule, 0, sizeof rule);
811 while (ac && isdigit(**av)) {
812 rule.fw_number = atoi(*av); av++; ac--;
813 i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule);
816 warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL");
824 verify_interface(union ip6_fw_if *ifu)
829 * If a unit was specified, check for that exact interface.
830 * If a wildcard was specified, check for unit 0.
832 snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d",
834 ifu->fu_via_if.unit == -1 ? 0 : ifu->fu_via_if.unit);
836 if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0)
837 warnx("warning: interface ``%s'' does not exist", ifr.ifr_name);
841 fill_iface(char *which, union ip6_fw_if *ifu, int *byname, int ac, char *arg)
844 show_usage("missing argument for ``%s''", which);
846 /* Parse the interface or address */
847 if (!strcmp(arg, "any")) {
848 ifu->fu_via_ip6 = in6addr_any;
850 } else if (!isdigit(*arg)) {
854 strncpy(ifu->fu_via_if.name, arg, sizeof(ifu->fu_via_if.name));
855 ifu->fu_via_if.name[sizeof(ifu->fu_via_if.name) - 1] = '\0';
856 for (q = ifu->fu_via_if.name;
857 *q && !isdigit(*q) && *q != '*'; q++)
859 ifu->fu_via_if.unit = (*q == '*') ? -1 : atoi(q);
861 verify_interface(ifu);
862 } else if (inet_pton(AF_INET6, arg, &ifu->fu_via_ip6) != 1) {
863 show_usage("bad ip6 address ``%s''", arg);
877 int saw_xmrc = 0, saw_via = 0;
879 memset(&rule, 0, sizeof rule);
884 if (ac && isdigit(**av)) {
885 rule.fw_number = atoi(*av); av++; ac--;
890 show_usage("missing action");
891 if (!strncmp(*av,"accept",strlen(*av))
892 || !strncmp(*av,"pass",strlen(*av))
893 || !strncmp(*av,"allow",strlen(*av))
894 || !strncmp(*av,"permit",strlen(*av))) {
895 rule.fw_flg |= IPV6_FW_F_ACCEPT; av++; ac--;
896 } else if (!strncmp(*av,"count",strlen(*av))) {
897 rule.fw_flg |= IPV6_FW_F_COUNT; av++; ac--;
900 else if (!strncmp(*av,"divert",strlen(*av))) {
901 rule.fw_flg |= IPV6_FW_F_DIVERT; av++; ac--;
903 show_usage("missing divert port");
904 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
905 if (rule.fw_divert_port == 0) {
908 s = getservbyname(av[-1], "divert");
910 rule.fw_divert_port = ntohs(s->s_port);
912 show_usage("illegal divert port");
914 } else if (!strncmp(*av,"tee",strlen(*av))) {
915 rule.fw_flg |= IPV6_FW_F_TEE; av++; ac--;
917 show_usage("missing divert port");
918 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
919 if (rule.fw_divert_port == 0) {
922 s = getservbyname(av[-1], "divert");
924 rule.fw_divert_port = ntohs(s->s_port);
926 show_usage("illegal divert port");
930 else if (!strncmp(*av,"skipto",strlen(*av))) {
931 rule.fw_flg |= IPV6_FW_F_SKIPTO; av++; ac--;
933 show_usage("missing skipto rule number");
934 rule.fw_skipto_rule = strtoul(*av, NULL, 0); av++; ac--;
935 } else if ((!strncmp(*av,"deny",strlen(*av))
936 || !strncmp(*av,"drop",strlen(*av)))) {
937 rule.fw_flg |= IPV6_FW_F_DENY; av++; ac--;
938 } else if (!strncmp(*av,"reject",strlen(*av))) {
939 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
940 rule.fw_reject_code = ICMP6_DST_UNREACH_NOROUTE;
941 } else if (!strncmp(*av,"reset",strlen(*av))) {
942 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
943 rule.fw_reject_code = IPV6_FW_REJECT_RST; /* check TCP later */
944 } else if (!strncmp(*av,"unreach",strlen(*av))) {
945 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
946 fill_reject_code6(&rule.fw_reject_code, *av); av++; ac--;
948 show_usage("invalid action ``%s''", *av);
952 if (ac && !strncmp(*av,"log",strlen(*av))) {
953 rule.fw_flg |= IPV6_FW_F_PRN; av++; ac--;
958 show_usage("missing protocol");
959 if ((proto = atoi(*av)) > 0) {
960 rule.fw_prot = proto; av++; ac--;
961 } else if (!strncmp(*av,"all",strlen(*av))) {
962 rule.fw_prot = IPPROTO_IPV6; av++; ac--;
963 } else if ((pe = getprotobyname(*av)) != NULL) {
964 rule.fw_prot = pe->p_proto; av++; ac--;
966 show_usage("invalid protocol ``%s''", *av);
969 if (rule.fw_prot != IPPROTO_TCP
970 && (rule.fw_flg & IPV6_FW_F_COMMAND) == IPV6_FW_F_REJECT
971 && rule.fw_reject_code == IPV6_FW_REJECT_RST)
972 show_usage("``reset'' is only valid for tcp packets");
975 if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
977 show_usage("missing ``from''");
979 if (ac && !strncmp(*av,"not",strlen(*av))) {
980 rule.fw_flg |= IPV6_FW_F_INVSRC;
984 show_usage("missing arguments");
986 fill_ip6(&rule.fw_src, &rule.fw_smsk, &ac, &av);
988 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
991 if (fill_port(&nports, rule.fw_pts, 0, *av))
992 rule.fw_flg |= IPV6_FW_F_SRNG;
993 IPV6_FW_SETNSRCP(&rule, nports);
998 if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; }
1000 show_usage("missing ``to''");
1002 if (ac && !strncmp(*av,"not",strlen(*av))) {
1003 rule.fw_flg |= IPV6_FW_F_INVDST;
1007 show_usage("missing arguments");
1009 fill_ip6(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
1011 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
1014 if (fill_port(&nports,
1015 rule.fw_pts, IPV6_FW_GETNSRCP(&rule), *av))
1016 rule.fw_flg |= IPV6_FW_F_DRNG;
1017 IPV6_FW_SETNDSTP(&rule, nports);
1021 if ((rule.fw_prot != IPPROTO_TCP) && (rule.fw_prot != IPPROTO_UDP)
1022 && (IPV6_FW_GETNSRCP(&rule) || IPV6_FW_GETNDSTP(&rule))) {
1023 show_usage("only TCP and UDP protocols are valid"
1024 " with port specifications");
1028 if (!strncmp(*av,"in",strlen(*av))) {
1029 rule.fw_flg |= IPV6_FW_F_IN;
1030 av++; ac--; continue;
1032 if (!strncmp(*av,"out",strlen(*av))) {
1033 rule.fw_flg |= IPV6_FW_F_OUT;
1034 av++; ac--; continue;
1036 if (ac && !strncmp(*av,"xmit",strlen(*av))) {
1037 union ip6_fw_if ifu;
1042 show_usage("``via'' is incompatible"
1043 " with ``xmit'' and ``recv''");
1047 fill_iface("xmit", &ifu, &byname, ac, *av);
1048 rule.fw_out_if = ifu;
1049 rule.fw_flg |= IPV6_FW_F_OIFACE;
1051 rule.fw_flg |= IPV6_FW_F_OIFNAME;
1052 av++; ac--; continue;
1054 if (ac && !strncmp(*av,"recv",strlen(*av))) {
1055 union ip6_fw_if ifu;
1062 fill_iface("recv", &ifu, &byname, ac, *av);
1063 rule.fw_in_if = ifu;
1064 rule.fw_flg |= IPV6_FW_F_IIFACE;
1066 rule.fw_flg |= IPV6_FW_F_IIFNAME;
1067 av++; ac--; continue;
1069 if (ac && !strncmp(*av,"via",strlen(*av))) {
1070 union ip6_fw_if ifu;
1077 fill_iface("via", &ifu, &byname, ac, *av);
1078 rule.fw_out_if = rule.fw_in_if = ifu;
1081 (IPV6_FW_F_IIFNAME | IPV6_FW_F_OIFNAME);
1082 av++; ac--; continue;
1084 if (!strncmp(*av,"fragment",strlen(*av))) {
1085 rule.fw_flg |= IPV6_FW_F_FRAG;
1086 av++; ac--; continue;
1088 if (!strncmp(*av,"ipv6options",strlen(*av))) {
1091 show_usage("missing argument"
1092 " for ``ipv6options''");
1093 fill_ip6opt(&rule.fw_ip6opt, &rule.fw_ip6nopt, av);
1094 av++; ac--; continue;
1096 if (rule.fw_prot == IPPROTO_TCP) {
1097 if (!strncmp(*av,"established",strlen(*av))) {
1098 rule.fw_ipflg |= IPV6_FW_IF_TCPEST;
1099 av++; ac--; continue;
1101 if (!strncmp(*av,"setup",strlen(*av))) {
1102 rule.fw_tcpf |= IPV6_FW_TCPF_SYN;
1103 rule.fw_tcpnf |= IPV6_FW_TCPF_ACK;
1104 av++; ac--; continue;
1106 if (!strncmp(*av,"tcpflags",strlen(*av))) {
1109 show_usage("missing argument"
1110 " for ``tcpflags''");
1111 fill_tcpflag(&rule.fw_tcpf, &rule.fw_tcpnf, av);
1112 av++; ac--; continue;
1115 if (rule.fw_prot == IPPROTO_ICMPV6) {
1116 if (!strncmp(*av,"icmptypes",strlen(*av))) {
1119 show_usage("missing argument"
1120 " for ``icmptypes''");
1121 fill_icmptypes(rule.fw_icmp6types,
1123 av++; ac--; continue;
1126 show_usage("unknown argument ``%s''", *av);
1129 /* No direction specified -> do both directions */
1130 if (!(rule.fw_flg & (IPV6_FW_F_OUT|IPV6_FW_F_IN)))
1131 rule.fw_flg |= (IPV6_FW_F_OUT|IPV6_FW_F_IN);
1133 /* Sanity check interface check, but handle "via" case separately */
1135 if (rule.fw_flg & IPV6_FW_F_IN)
1136 rule.fw_flg |= IPV6_FW_F_IIFACE;
1137 if (rule.fw_flg & IPV6_FW_F_OUT)
1138 rule.fw_flg |= IPV6_FW_F_OIFACE;
1139 } else if ((rule.fw_flg & IPV6_FW_F_OIFACE) && (rule.fw_flg & IPV6_FW_F_IN))
1140 show_usage("can't check xmit interface of incoming packets");
1142 /* frag may not be used in conjunction with ports or TCP flags */
1143 if (rule.fw_flg & IPV6_FW_F_FRAG) {
1144 if (rule.fw_tcpf || rule.fw_tcpnf)
1145 show_usage("can't mix 'frag' and tcpflags");
1148 show_usage("can't mix 'frag' and port specifications");
1153 i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule);
1155 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ADD");
1166 /* clear all entries */
1167 if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
1168 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ZERO");
1170 printf("Accounting cleared.\n");
1175 memset(&rule, 0, sizeof rule);
1178 if (isdigit(**av)) {
1179 rule.fw_number = atoi(*av); av++; ac--;
1180 if (setsockopt(s, IPPROTO_IPV6,
1181 IPV6_FW_ZERO, &rule, sizeof rule)) {
1182 warn("rule %u: setsockopt(%s)", rule.fw_number,
1187 printf("Entry %d cleared\n",
1190 show_usage("invalid rule number ``%s''", *av);
1205 /* init optind to 1 */
1212 /* Set the force flag for non-interactive processes */
1213 do_force = !isatty(STDIN_FILENO);
1215 while ((ch = getopt(ac, av ,"afqtN")) != -1)
1237 if (*(av+=optind)==NULL) {
1238 show_usage("Bad arguments");
1241 if (!strncmp(*av, "add", strlen(*av))) {
1243 } else if (!strncmp(*av, "delete", strlen(*av))) {
1245 } else if (!strncmp(*av, "flush", strlen(*av))) {
1248 if ( do_force || do_quiet )
1254 printf("Are you sure? [yn] ");
1257 c = toupper(getc(stdin));
1258 while (c != '\n' && getc(stdin) != '\n')
1261 } while (c != 'Y' && c != 'N');
1267 if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
1268 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_FLUSH");
1270 printf("Flushed all rules.\n");
1272 } else if (!strncmp(*av, "zero", strlen(*av))) {
1274 } else if (!strncmp(*av, "print", strlen(*av))) {
1276 } else if (!strncmp(*av, "list", strlen(*av))) {
1278 } else if (!strncmp(*av, "show", strlen(*av))) {
1282 show_usage("Bad arguments");
1293 #define WHITESP " \t\f\v\n\r"
1295 char *a, *p, *args[MAX_ARGS], *cmd = NULL;
1297 int i, c, lineno, qflag, pflag, status;
1301 s = socket( AF_INET6, SOCK_RAW, IPPROTO_RAW );
1303 err(EX_UNAVAILABLE, "socket");
1308 * Only interpret the last command line argument as a file to
1309 * be preprocessed if it is specified as an absolute pathname.
1312 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) {
1313 qflag = pflag = i = 0;
1316 while ((c = getopt(ac, av, "D:U:p:q")) != -1)
1320 errx(EX_USAGE, "-D requires -p");
1321 if (i > MAX_ARGS - 2)
1323 "too many -D or -U options");
1330 errx(EX_USAGE, "-U requires -p");
1331 if (i > MAX_ARGS - 2)
1333 "too many -D or -U options");
1356 show_usage("extraneous filename arguments");
1358 if ((f = fopen(av[0], "r")) == NULL)
1359 err(EX_UNAVAILABLE, "fopen: %s", av[0]);
1362 /* pipe through preprocessor (cpp or m4) */
1367 if (pipe(pipedes) == -1)
1368 err(EX_OSERR, "cannot create pipe");
1370 switch((preproc = fork())) {
1372 err(EX_OSERR, "cannot fork");
1376 if (dup2(fileno(f), 0) == -1 ||
1377 dup2(pipedes[1], 1) == -1)
1378 err(EX_OSERR, "dup2()");
1383 err(EX_OSERR, "execvp(%s) failed", cmd);
1389 if ((f = fdopen(pipedes[0], "r")) == NULL) {
1390 int savederrno = errno;
1392 (void)kill(preproc, SIGTERM);
1394 err(EX_OSERR, "fdopen()");
1399 while (fgets(buf, BUFSIZ, f)) {
1401 sprintf(linename, "Line %d", lineno);
1406 if ((p = strchr(buf, '#')) != NULL)
1409 if (qflag) args[i++]="-q";
1410 for (a = strtok(buf, WHITESP);
1411 a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
1413 if (i == (qflag? 2: 1))
1416 errx(EX_USAGE, "%s: too many arguments", linename);
1419 ip6fw_main(i, args);
1423 if (waitpid(preproc, &status, 0) != -1) {
1424 if (WIFEXITED(status)) {
1425 if (WEXITSTATUS(status) != EX_OK)
1426 errx(EX_UNAVAILABLE,
1427 "preprocessor exited with status %d",
1428 WEXITSTATUS(status));
1429 } else if (WIFSIGNALED(status)) {
1430 errx(EX_UNAVAILABLE,
1431 "preprocessor exited with signal %d",