1 /* $KAME: ip6fw.c,v 1.13 2001/06/22 05:51:16 itojun Exp $ */
4 * Copyright (C) 1998, 1999, 2000 and 2001 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
34 * Copyright (c) 1994 Ugen J.S.Antsilevich
36 * Idea and grammar partially left from:
37 * Copyright (c) 1993 Daniel Boulet
39 * Redistribution and use in source forms, with and without modification,
40 * are permitted provided that this entire comment appears intact.
42 * Redistribution in binary form may occur without any restrictions.
43 * Obviously, it would be nice if you gave credit where credit is due
44 * but requiring it would be too onerous.
46 * This software is provided ``AS IS'' without any warranties of any kind.
48 * NEW command line interface for IP firewall facility
50 * $Id: ip6fw.c,v 1.1.2.2.2.2 1999/05/14 05:13:50 shin Exp $
51 * $FreeBSD: src/sbin/ip6fw/ip6fw.c,v 1.1.2.9 2003/04/05 10:54:51 ume Exp $
52 * $DragonFly: src/sbin/ip6fw/ip6fw.c,v 1.7 2004/02/04 17:39:59 joerg Exp $
55 #include <sys/types.h>
56 #include <sys/queue.h>
57 #include <sys/socket.h>
58 #include <sys/sockio.h>
60 #include <sys/ioctl.h>
78 #include <netinet/in.h>
79 #include <netinet/in_systm.h>
80 #include <netinet/ip6.h>
81 #include <netinet/icmp6.h>
82 #include <net/ip6fw/ip6_fw.h>
83 #include <netinet/tcp.h>
84 #include <arpa/inet.h>
88 int s; /* main RAW socket */
89 int do_resolv=0; /* Would try to resolv all */
90 int do_acct=0; /* Show packet/byte count */
91 int do_time=0; /* Show time stamps */
92 int do_quiet=0; /* Be quiet in add and flush */
93 int do_force=0; /* Don't ask for confirmation */
100 static struct icmpcode icmp6codes[] = {
101 { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
102 { ICMP6_DST_UNREACH_ADMIN, "admin" },
103 { ICMP6_DST_UNREACH_NOTNEIGHBOR, "notneighbor" },
104 { ICMP6_DST_UNREACH_ADDR, "addr" },
105 { ICMP6_DST_UNREACH_NOPORT, "noport" },
109 static char ntop_buf[INET6_ADDRSTRLEN];
111 static void show_usage(const char *fmt, ...);
114 mask_bits(u_char *m_ad, int m_len)
118 for (i = 0; i < m_len; i++, m_ad++) {
125 #define MASKLEN(m, l) case m: h_num += l; break
139 static int pl2m[9] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
141 struct in6_addr *plen2mask(int n)
143 static struct in6_addr ia;
147 memset(&ia, 0, sizeof(struct in6_addr));
149 for (i = 0; i < 16; i++, p++, n -= 8) {
161 print_port(u_char prot, u_short port, const char *comma)
165 const char *protocol;
169 pe = getprotobynumber(prot);
171 protocol = pe->p_name;
175 se = getservbyport(htons(port), protocol);
177 printf("%s%s", comma, se->s_name);
182 printf("%s%d",comma,port);
186 print_iface(char *key, union ip6_fw_if *un, int byname)
190 printf(" %s %s", key, un->fu_via_if.name);
191 } else if (!IN6_IS_ADDR_UNSPECIFIED(&un->fu_via_ip6)) {
192 printf(" %s %s", key, inet_ntop(AF_INET6,&un->fu_via_ip6,ntop_buf,sizeof(ntop_buf)));
194 printf(" %s any", key);
198 print_reject_code(int code)
202 for (ic = icmp6codes; ic->str; ic++)
203 if (ic->code == code) {
204 printf("%s", ic->str);
211 show_ip6fw(struct ip6_fw *chain)
217 int nsp = IPV6_FW_GETNSRCP(chain);
218 int ndp = IPV6_FW_GETNDSTP(chain);
221 setservent(1/*stayopen*/);
223 printf("%05u ", chain->fw_number);
226 printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
230 if (chain->timestamp)
234 strcpy(timestr, ctime((time_t *)&chain->timestamp));
235 *strchr(timestr, '\n') = '\0';
236 printf("%s ", timestr);
242 switch (chain->fw_flg & IPV6_FW_F_COMMAND)
244 case IPV6_FW_F_ACCEPT:
250 case IPV6_FW_F_COUNT:
253 case IPV6_FW_F_DIVERT:
254 printf("divert %u", chain->fw_divert_port);
257 printf("tee %u", chain->fw_divert_port);
259 case IPV6_FW_F_SKIPTO:
260 printf("skipto %u", chain->fw_skipto_rule);
262 case IPV6_FW_F_REJECT:
263 if (chain->fw_reject_code == IPV6_FW_REJECT_RST)
267 print_reject_code(chain->fw_reject_code);
271 errx(EX_OSERR, "impossible");
274 if (chain->fw_flg & IPV6_FW_F_PRN)
277 pe = getprotobynumber(chain->fw_prot);
279 printf(" %s", pe->p_name);
281 printf(" %u", chain->fw_prot);
283 printf(" from %s", chain->fw_flg & IPV6_FW_F_INVSRC ? "not " : "");
285 mb=mask_bits((u_char *)&chain->fw_smsk,sizeof(chain->fw_smsk));
286 if (mb==128 && do_resolv) {
287 he=gethostbyaddr((char *)&(chain->fw_src),sizeof(chain->fw_src),AF_INET6);
289 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
291 printf("%s",he->h_name);
297 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
301 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
304 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
306 for (i = 0; i < nsp; i++) {
307 print_port(chain->fw_prot, chain->fw_pts[i], comma);
308 if (i==0 && (chain->fw_flg & IPV6_FW_F_SRNG))
315 printf(" to %s", chain->fw_flg & IPV6_FW_F_INVDST ? "not " : "");
317 mb=mask_bits((u_char *)&chain->fw_dmsk,sizeof(chain->fw_dmsk));
318 if (mb==128 && do_resolv) {
319 he=gethostbyaddr((char *)&(chain->fw_dst),sizeof(chain->fw_dst),AF_INET6);
321 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
323 printf("%s",he->h_name);
329 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
333 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
336 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
338 for (i = 0; i < ndp; i++) {
339 print_port(chain->fw_prot, chain->fw_pts[nsp+i], comma);
340 if (i==0 && (chain->fw_flg & IPV6_FW_F_DRNG))
348 if ((chain->fw_flg & IPV6_FW_F_IN) && !(chain->fw_flg & IPV6_FW_F_OUT))
350 if (!(chain->fw_flg & IPV6_FW_F_IN) && (chain->fw_flg & IPV6_FW_F_OUT))
353 /* Handle hack for "via" backwards compatibility */
354 if ((chain->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) {
356 &chain->fw_in_if, chain->fw_flg & IPV6_FW_F_IIFNAME);
358 /* Receive interface specified */
359 if (chain->fw_flg & IPV6_FW_F_IIFACE)
360 print_iface("recv", &chain->fw_in_if,
361 chain->fw_flg & IPV6_FW_F_IIFNAME);
362 /* Transmit interface specified */
363 if (chain->fw_flg & IPV6_FW_F_OIFACE)
364 print_iface("xmit", &chain->fw_out_if,
365 chain->fw_flg & IPV6_FW_F_OIFNAME);
368 if (chain->fw_flg & IPV6_FW_F_FRAG)
371 if (chain->fw_ip6opt || chain->fw_ip6nopt) {
372 int _opt_printed = 0;
373 #define PRINTOPT(x) {if (_opt_printed) printf(",");\
374 printf(x); _opt_printed = 1;}
377 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("hopopt");
378 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("!hopopt");
379 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("route");
380 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("!route");
381 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("frag");
382 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("!frag");
383 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ESP) PRINTOPT("esp");
384 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ESP) PRINTOPT("!esp");
385 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_AH) PRINTOPT("ah");
386 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_AH) PRINTOPT("!ah");
387 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("nonxt");
388 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("!nonxt");
389 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("opts");
390 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("!opts");
393 if (chain->fw_ipflg & IPV6_FW_IF_TCPEST)
394 printf(" established");
395 else if (chain->fw_tcpf == IPV6_FW_TCPF_SYN &&
396 chain->fw_tcpnf == IPV6_FW_TCPF_ACK)
398 else if (chain->fw_tcpf || chain->fw_tcpnf) {
399 int _flg_printed = 0;
400 #define PRINTFLG(x) {if (_flg_printed) printf(",");\
401 printf(x); _flg_printed = 1;}
404 if (chain->fw_tcpf & IPV6_FW_TCPF_FIN) PRINTFLG("fin");
405 if (chain->fw_tcpnf & IPV6_FW_TCPF_FIN) PRINTFLG("!fin");
406 if (chain->fw_tcpf & IPV6_FW_TCPF_SYN) PRINTFLG("syn");
407 if (chain->fw_tcpnf & IPV6_FW_TCPF_SYN) PRINTFLG("!syn");
408 if (chain->fw_tcpf & IPV6_FW_TCPF_RST) PRINTFLG("rst");
409 if (chain->fw_tcpnf & IPV6_FW_TCPF_RST) PRINTFLG("!rst");
410 if (chain->fw_tcpf & IPV6_FW_TCPF_PSH) PRINTFLG("psh");
411 if (chain->fw_tcpnf & IPV6_FW_TCPF_PSH) PRINTFLG("!psh");
412 if (chain->fw_tcpf & IPV6_FW_TCPF_ACK) PRINTFLG("ack");
413 if (chain->fw_tcpnf & IPV6_FW_TCPF_ACK) PRINTFLG("!ack");
414 if (chain->fw_tcpf & IPV6_FW_TCPF_URG) PRINTFLG("urg");
415 if (chain->fw_tcpnf & IPV6_FW_TCPF_URG) PRINTFLG("!urg");
417 if (chain->fw_flg & IPV6_FW_F_ICMPBIT) {
423 for (type_index = 0; type_index < IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8; ++type_index)
424 if (chain->fw_icmp6types[type_index / (sizeof(unsigned) * 8)] &
425 (1U << (type_index % (sizeof(unsigned) * 8)))) {
426 printf("%c%d", first == 1 ? ' ' : ',', type_index);
436 list(int ac, char **av)
438 struct ip6_fw *r, *rules, *n;
440 unsigned long rulenum;
441 int nalloc, bytes, maxbytes;
443 /* extract rules from kernel, resizing array as necessary */
445 nalloc = sizeof *rules;
447 maxbytes = 65536 * sizeof *rules;
448 while (bytes >= nalloc) {
449 if ((n = realloc(rules, nalloc * 2 + 200)) == NULL)
450 err(EX_OSERR, "realloc");
451 bytes = nalloc = nalloc * 2 + 200;
453 i = getsockopt(s, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);
454 if ((i < 0 && errno != EINVAL) || nalloc > maxbytes)
455 err(EX_OSERR, "getsockopt(IPV6_FW_GET)");
458 /* display all rules */
459 for (r = rules, l = bytes; l >= sizeof rules[0];
460 r++, l-=sizeof rules[0])
464 /* display specific rules requested on command line */
471 /* convert command line rule # */
472 rulenum = strtoul(*av++, &endptr, 10);
475 warn("invalid rule number: %s", av[-1]);
479 for (r = rules, l = bytes;
480 l >= sizeof rules[0] && r->fw_number <= rulenum;
481 r++, l-=sizeof rules[0])
482 if (rulenum == r->fw_number) {
488 warnx("rule %lu does not exist", rulenum);
497 show_usage(const char *fmt, ...)
504 vsnprintf(buf, sizeof(buf), fmt, args);
506 warnx("error: %s", buf);
508 fprintf(stderr, "usage: ip6fw [options]\n"
510 " add [number] rule\n"
511 " delete number ...\n"
512 " list [number ...]\n"
513 " show [number ...]\n"
514 " zero [number ...]\n"
515 " rule: action proto src dst extras...\n"
517 " {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
518 " reset|count|skipto num} [log]\n"
519 " proto: {ipv6|tcp|udp|ipv6-icmp|<number>}\n"
520 " src: from [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
521 " dst: to [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
523 " fragment (may not be used with ports or tcpflags)\n"
526 " {xmit|recv|via} {iface|ipv6|any}\n"
527 " {established|setup}\n"
528 " tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
529 " ipv6options [!]{hopopt|route|frag|esp|ah|nonxt|opts},...\n"
530 " icmptypes {type[,type]}...\n");
536 lookup_host (const char *host, u_char *addr, int family)
540 if (inet_pton(family, host, addr) != 1) {
541 if ((he = gethostbyname2(host, family)) == NULL)
543 memcpy(addr, he->h_addr_list[0], he->h_length);
549 fill_ip6(struct in6_addr *ipno, struct in6_addr *mask, int *acp, char ***avp)
556 if (ac && !strncmp(*av,"any",strlen(*av))) {
557 *ipno = *mask = in6addr_any; av++; ac--;
559 p = strchr(*av, '/');
565 if (lookup_host(*av, (u_char *)ipno, AF_INET6) != 0)
566 show_usage("hostname ``%s'' unknown", *av);
571 } else if (atoi(p) > 128) {
572 show_usage("bad width ``%s''", p);
574 *mask = *(plen2mask(atoi(p)));
578 *mask = *(plen2mask(128));
581 for (i = 0; i < sizeof(*ipno); i++)
582 ipno->s6_addr[i] &= mask->s6_addr[i];
591 fill_reject_code6(u_short *codep, char *str)
597 val = strtoul(str, &s, 0);
598 if (s != str && *s == '\0' && val < 0x100) {
602 for (ic = icmp6codes; ic->str; ic++)
603 if (!strcasecmp(str, ic->str)) {
607 show_usage("unknown ICMP6 unreachable code ``%s''", str);
611 add_port(u_short *cnt, u_short *ptr, u_short off, u_short port)
613 if (off + *cnt >= IPV6_FW_MAX_PORTS)
614 errx(1, "too many ports (max is %d)", IPV6_FW_MAX_PORTS);
615 ptr[off+*cnt] = port;
620 lookup_port(const char *arg, int test, int nodash)
626 snprintf(buf, sizeof(buf), "%s", arg);
627 buf[strcspn(arg, nodash ? "-," : ",")] = 0;
628 val = (int) strtoul(buf, &earg, 0);
629 if (!*buf || *earg) {
631 if ((s = getservbyname(buf, NULL))) {
632 val = htons(s->s_port);
635 errx(1, "unknown port ``%s''", arg);
640 if (val < 0 || val > 0xffff) {
642 errx(1, "port ``%s'' out of range", arg);
651 fill_port(u_short *cnt, u_short *ptr, u_short off, char *arg)
654 int initial_range = 0;
656 s = arg + strcspn(arg, "-,"); /* first port name can't have a dash */
659 if (strchr(arg, ','))
660 errx(1, "port range must be first in list");
661 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0x0000);
666 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0xffff);
670 while (arg != NULL) {
674 add_port(cnt, ptr, off, lookup_port(arg, 0, 0));
677 return initial_range;
681 fill_tcpflag(u_char *set, u_char *reset, char **vp)
691 { "syn", IPV6_FW_TCPF_SYN },
692 { "fin", IPV6_FW_TCPF_FIN },
693 { "ack", IPV6_FW_TCPF_ACK },
694 { "psh", IPV6_FW_TCPF_PSH },
695 { "rst", IPV6_FW_TCPF_RST },
696 { "urg", IPV6_FW_TCPF_URG }
709 for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i)
710 if (!strncmp(p, flags[i].name, strlen(p))) {
711 *d |= flags[i].value;
714 if (i == sizeof(flags) / sizeof(flags[0]))
715 show_usage("invalid tcp flag ``%s''", p);
721 fill_ip6opt(u_char *set, u_char *reset, char **vp)
736 if (!strncmp(p,"hopopt",strlen(p))) *d |= IPV6_FW_IP6OPT_HOPOPT;
737 if (!strncmp(p,"route",strlen(p))) *d |= IPV6_FW_IP6OPT_ROUTE;
738 if (!strncmp(p,"frag",strlen(p))) *d |= IPV6_FW_IP6OPT_FRAG;
739 if (!strncmp(p,"esp",strlen(p))) *d |= IPV6_FW_IP6OPT_ESP;
740 if (!strncmp(p,"ah",strlen(p))) *d |= IPV6_FW_IP6OPT_AH;
741 if (!strncmp(p,"nonxt",strlen(p))) *d |= IPV6_FW_IP6OPT_NONXT;
742 if (!strncmp(p,"opts",strlen(p))) *d |= IPV6_FW_IP6OPT_OPTS;
748 fill_icmptypes(unsigned *types, char **vp, u_short *fw_flg)
754 unsigned long icmptype;
759 icmptype = strtoul(c, &c, 0);
761 if ( *c != ',' && *c != '\0' )
762 show_usage("invalid ICMP6 type");
764 if (icmptype >= IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8)
765 show_usage("ICMP6 type out of range");
767 types[icmptype / (sizeof(unsigned) * 8)] |=
768 1 << (icmptype % (sizeof(unsigned) * 8));
769 *fw_flg |= IPV6_FW_F_ICMPBIT;
774 delete(int ac, char **av)
780 memset(&rule, 0, sizeof rule);
785 while (ac && isdigit(**av)) {
786 rule.fw_number = atoi(*av); av++; ac--;
787 i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule);
790 warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL");
798 verify_interface(union ip6_fw_if *ifu)
802 strlcpy(ifr.ifr_name, ifu->fu_via_if.name, sizeof(ifr.ifr_name));
804 if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0)
805 warnx("warning: interface ``%s'' does not exist", ifr.ifr_name);
809 fill_iface(char *which, union ip6_fw_if *ifu, int *byname, int ac, char *arg)
812 show_usage("missing argument for ``%s''", which);
814 /* Parse the interface or address */
815 if (!strcmp(arg, "any")) {
816 ifu->fu_via_ip6 = in6addr_any;
818 } else if (!isdigit(*arg)) {
820 strlcpy(ifu->fu_via_if.name, arg, sizeof(ifu->fu_via_if.name));
822 * We assume that strings containing '*', '?', or '['
823 * are ment to be shell pattern.
825 if (strpbrk(arg, "*?[") != NULL) {
826 ifu->fu_via_if.glob = 1;
828 ifu->fu_via_if.glob = 0;
829 verify_interface(ifu);
831 } else if (inet_pton(AF_INET6, arg, &ifu->fu_via_ip6) != 1) {
832 show_usage("bad ip6 address ``%s''", arg);
838 add(int ac, char **av)
844 int saw_xmrc = 0, saw_via = 0;
846 memset(&rule, 0, sizeof rule);
851 if (ac && isdigit(**av)) {
852 rule.fw_number = atoi(*av); av++; ac--;
857 show_usage("missing action");
858 if (!strncmp(*av,"accept",strlen(*av))
859 || !strncmp(*av,"pass",strlen(*av))
860 || !strncmp(*av,"allow",strlen(*av))
861 || !strncmp(*av,"permit",strlen(*av))) {
862 rule.fw_flg |= IPV6_FW_F_ACCEPT; av++; ac--;
863 } else if (!strncmp(*av,"count",strlen(*av))) {
864 rule.fw_flg |= IPV6_FW_F_COUNT; av++; ac--;
867 else if (!strncmp(*av,"divert",strlen(*av))) {
868 rule.fw_flg |= IPV6_FW_F_DIVERT; av++; ac--;
870 show_usage("missing divert port");
871 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
872 if (rule.fw_divert_port == 0) {
875 s = getservbyname(av[-1], "divert");
877 rule.fw_divert_port = ntohs(s->s_port);
879 show_usage("illegal divert port");
881 } else if (!strncmp(*av,"tee",strlen(*av))) {
882 rule.fw_flg |= IPV6_FW_F_TEE; av++; ac--;
884 show_usage("missing divert port");
885 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
886 if (rule.fw_divert_port == 0) {
889 s = getservbyname(av[-1], "divert");
891 rule.fw_divert_port = ntohs(s->s_port);
893 show_usage("illegal divert port");
897 else if (!strncmp(*av,"skipto",strlen(*av))) {
898 rule.fw_flg |= IPV6_FW_F_SKIPTO; av++; ac--;
900 show_usage("missing skipto rule number");
901 rule.fw_skipto_rule = strtoul(*av, NULL, 0); av++; ac--;
902 } else if ((!strncmp(*av,"deny",strlen(*av))
903 || !strncmp(*av,"drop",strlen(*av)))) {
904 rule.fw_flg |= IPV6_FW_F_DENY; av++; ac--;
905 } else if (!strncmp(*av,"reject",strlen(*av))) {
906 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
907 rule.fw_reject_code = ICMP6_DST_UNREACH_NOROUTE;
908 } else if (!strncmp(*av,"reset",strlen(*av))) {
909 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
910 rule.fw_reject_code = IPV6_FW_REJECT_RST; /* check TCP later */
911 } else if (!strncmp(*av,"unreach",strlen(*av))) {
912 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
913 fill_reject_code6(&rule.fw_reject_code, *av); av++; ac--;
915 show_usage("invalid action ``%s''", *av);
919 if (ac && !strncmp(*av,"log",strlen(*av))) {
920 rule.fw_flg |= IPV6_FW_F_PRN; av++; ac--;
925 show_usage("missing protocol");
926 if ((proto = atoi(*av)) > 0) {
927 rule.fw_prot = proto; av++; ac--;
928 } else if (!strncmp(*av,"all",strlen(*av))) {
929 rule.fw_prot = IPPROTO_IPV6; av++; ac--;
930 } else if ((pe = getprotobyname(*av)) != NULL) {
931 rule.fw_prot = pe->p_proto; av++; ac--;
933 show_usage("invalid protocol ``%s''", *av);
936 if (rule.fw_prot != IPPROTO_TCP
937 && (rule.fw_flg & IPV6_FW_F_COMMAND) == IPV6_FW_F_REJECT
938 && rule.fw_reject_code == IPV6_FW_REJECT_RST)
939 show_usage("``reset'' is only valid for tcp packets");
942 if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
944 show_usage("missing ``from''");
946 if (ac && !strncmp(*av,"not",strlen(*av))) {
947 rule.fw_flg |= IPV6_FW_F_INVSRC;
951 show_usage("missing arguments");
953 fill_ip6(&rule.fw_src, &rule.fw_smsk, &ac, &av);
955 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
958 if (fill_port(&nports, rule.fw_pts, 0, *av))
959 rule.fw_flg |= IPV6_FW_F_SRNG;
960 IPV6_FW_SETNSRCP(&rule, nports);
965 if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; }
967 show_usage("missing ``to''");
969 if (ac && !strncmp(*av,"not",strlen(*av))) {
970 rule.fw_flg |= IPV6_FW_F_INVDST;
974 show_usage("missing arguments");
976 fill_ip6(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
978 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
981 if (fill_port(&nports,
982 rule.fw_pts, IPV6_FW_GETNSRCP(&rule), *av))
983 rule.fw_flg |= IPV6_FW_F_DRNG;
984 IPV6_FW_SETNDSTP(&rule, nports);
988 if ((rule.fw_prot != IPPROTO_TCP) && (rule.fw_prot != IPPROTO_UDP)
989 && (IPV6_FW_GETNSRCP(&rule) || IPV6_FW_GETNDSTP(&rule))) {
990 show_usage("only TCP and UDP protocols are valid"
991 " with port specifications");
995 if (!strncmp(*av,"in",strlen(*av))) {
996 rule.fw_flg |= IPV6_FW_F_IN;
997 av++; ac--; continue;
999 if (!strncmp(*av,"out",strlen(*av))) {
1000 rule.fw_flg |= IPV6_FW_F_OUT;
1001 av++; ac--; continue;
1003 if (ac && !strncmp(*av,"xmit",strlen(*av))) {
1004 union ip6_fw_if ifu;
1009 show_usage("``via'' is incompatible"
1010 " with ``xmit'' and ``recv''");
1014 fill_iface("xmit", &ifu, &byname, ac, *av);
1015 rule.fw_out_if = ifu;
1016 rule.fw_flg |= IPV6_FW_F_OIFACE;
1018 rule.fw_flg |= IPV6_FW_F_OIFNAME;
1019 av++; ac--; continue;
1021 if (ac && !strncmp(*av,"recv",strlen(*av))) {
1022 union ip6_fw_if ifu;
1029 fill_iface("recv", &ifu, &byname, ac, *av);
1030 rule.fw_in_if = ifu;
1031 rule.fw_flg |= IPV6_FW_F_IIFACE;
1033 rule.fw_flg |= IPV6_FW_F_IIFNAME;
1034 av++; ac--; continue;
1036 if (ac && !strncmp(*av,"via",strlen(*av))) {
1037 union ip6_fw_if ifu;
1044 fill_iface("via", &ifu, &byname, ac, *av);
1045 rule.fw_out_if = rule.fw_in_if = ifu;
1048 (IPV6_FW_F_IIFNAME | IPV6_FW_F_OIFNAME);
1049 av++; ac--; continue;
1051 if (!strncmp(*av,"fragment",strlen(*av))) {
1052 rule.fw_flg |= IPV6_FW_F_FRAG;
1053 av++; ac--; continue;
1055 if (!strncmp(*av,"ipv6options",strlen(*av))) {
1058 show_usage("missing argument"
1059 " for ``ipv6options''");
1060 fill_ip6opt(&rule.fw_ip6opt, &rule.fw_ip6nopt, av);
1061 av++; ac--; continue;
1063 if (rule.fw_prot == IPPROTO_TCP) {
1064 if (!strncmp(*av,"established",strlen(*av))) {
1065 rule.fw_ipflg |= IPV6_FW_IF_TCPEST;
1066 av++; ac--; continue;
1068 if (!strncmp(*av,"setup",strlen(*av))) {
1069 rule.fw_tcpf |= IPV6_FW_TCPF_SYN;
1070 rule.fw_tcpnf |= IPV6_FW_TCPF_ACK;
1071 av++; ac--; continue;
1073 if (!strncmp(*av,"tcpflags",strlen(*av))) {
1076 show_usage("missing argument"
1077 " for ``tcpflags''");
1078 fill_tcpflag(&rule.fw_tcpf, &rule.fw_tcpnf, av);
1079 av++; ac--; continue;
1082 if (rule.fw_prot == IPPROTO_ICMPV6) {
1083 if (!strncmp(*av,"icmptypes",strlen(*av))) {
1086 show_usage("missing argument"
1087 " for ``icmptypes''");
1088 fill_icmptypes(rule.fw_icmp6types,
1090 av++; ac--; continue;
1093 show_usage("unknown argument ``%s''", *av);
1096 /* No direction specified -> do both directions */
1097 if (!(rule.fw_flg & (IPV6_FW_F_OUT|IPV6_FW_F_IN)))
1098 rule.fw_flg |= (IPV6_FW_F_OUT|IPV6_FW_F_IN);
1100 /* Sanity check interface check, but handle "via" case separately */
1102 if (rule.fw_flg & IPV6_FW_F_IN)
1103 rule.fw_flg |= IPV6_FW_F_IIFACE;
1104 if (rule.fw_flg & IPV6_FW_F_OUT)
1105 rule.fw_flg |= IPV6_FW_F_OIFACE;
1106 } else if ((rule.fw_flg & IPV6_FW_F_OIFACE) && (rule.fw_flg & IPV6_FW_F_IN))
1107 show_usage("can't check xmit interface of incoming packets");
1109 /* frag may not be used in conjunction with ports or TCP flags */
1110 if (rule.fw_flg & IPV6_FW_F_FRAG) {
1111 if (rule.fw_tcpf || rule.fw_tcpnf)
1112 show_usage("can't mix 'frag' and tcpflags");
1115 show_usage("can't mix 'frag' and port specifications");
1120 i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule);
1122 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ADD");
1126 zero (int ac, char **av)
1131 /* clear all entries */
1132 if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
1133 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ZERO");
1135 printf("Accounting cleared.\n");
1140 memset(&rule, 0, sizeof rule);
1143 if (isdigit(**av)) {
1144 rule.fw_number = atoi(*av); av++; ac--;
1145 if (setsockopt(s, IPPROTO_IPV6,
1146 IPV6_FW_ZERO, &rule, sizeof rule)) {
1147 warn("rule %u: setsockopt(%s)", rule.fw_number,
1152 printf("Entry %d cleared\n",
1155 show_usage("invalid rule number ``%s''", *av);
1163 ip6fw_main(int ac, char **av)
1168 /* init optind to 1 */
1175 /* Set the force flag for non-interactive processes */
1176 do_force = !isatty(STDIN_FILENO);
1178 while ((ch = getopt(ac, av ,"afqtN")) != -1)
1200 if (*(av+=optind)==NULL) {
1201 show_usage("Bad arguments");
1204 if (!strncmp(*av, "add", strlen(*av))) {
1206 } else if (!strncmp(*av, "delete", strlen(*av))) {
1208 } else if (!strncmp(*av, "flush", strlen(*av))) {
1211 if ( do_force || do_quiet )
1217 printf("Are you sure? [yn] ");
1220 c = toupper(getc(stdin));
1221 while (c != '\n' && getc(stdin) != '\n')
1224 } while (c != 'Y' && c != 'N');
1230 if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
1231 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_FLUSH");
1233 printf("Flushed all rules.\n");
1235 } else if (!strncmp(*av, "zero", strlen(*av))) {
1237 } else if (!strncmp(*av, "print", strlen(*av))) {
1239 } else if (!strncmp(*av, "list", strlen(*av))) {
1241 } else if (!strncmp(*av, "show", strlen(*av))) {
1245 show_usage("Bad arguments");
1251 main(int ac, char **av)
1254 #define WHITESP " \t\f\v\n\r"
1256 char *a, *p, *args[MAX_ARGS], *cmd = NULL;
1258 int i, c, lineno, qflag, pflag, status;
1262 s = socket( AF_INET6, SOCK_RAW, IPPROTO_RAW );
1264 err(EX_UNAVAILABLE, "socket");
1269 * Only interpret the last command line argument as a file to
1270 * be preprocessed if it is specified as an absolute pathname.
1273 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) {
1274 qflag = pflag = i = 0;
1277 while ((c = getopt(ac, av, "D:U:p:q")) != -1)
1281 errx(EX_USAGE, "-D requires -p");
1282 if (i > MAX_ARGS - 2)
1284 "too many -D or -U options");
1291 errx(EX_USAGE, "-U requires -p");
1292 if (i > MAX_ARGS - 2)
1294 "too many -D or -U options");
1317 show_usage("extraneous filename arguments");
1319 if ((f = fopen(av[0], "r")) == NULL)
1320 err(EX_UNAVAILABLE, "fopen: %s", av[0]);
1323 /* pipe through preprocessor (cpp or m4) */
1328 if (pipe(pipedes) == -1)
1329 err(EX_OSERR, "cannot create pipe");
1331 switch((preproc = fork())) {
1333 err(EX_OSERR, "cannot fork");
1337 if (dup2(fileno(f), 0) == -1 ||
1338 dup2(pipedes[1], 1) == -1)
1339 err(EX_OSERR, "dup2()");
1344 err(EX_OSERR, "execvp(%s) failed", cmd);
1350 if ((f = fdopen(pipedes[0], "r")) == NULL) {
1351 int savederrno = errno;
1353 (void)kill(preproc, SIGTERM);
1355 err(EX_OSERR, "fdopen()");
1360 while (fgets(buf, BUFSIZ, f)) {
1362 sprintf(linename, "Line %d", lineno);
1367 if ((p = strchr(buf, '#')) != NULL)
1370 if (qflag) args[i++]="-q";
1371 for (a = strtok(buf, WHITESP);
1372 a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
1374 if (i == (qflag? 2: 1))
1377 errx(EX_USAGE, "%s: too many arguments", linename);
1380 ip6fw_main(i, args);
1384 if (waitpid(preproc, &status, 0) != -1) {
1385 if (WIFEXITED(status)) {
1386 if (WEXITSTATUS(status) != EX_OK)
1387 errx(EX_UNAVAILABLE,
1388 "preprocessor exited with status %d",
1389 WEXITSTATUS(status));
1390 } else if (WIFSIGNALED(status)) {
1391 errx(EX_UNAVAILABLE,
1392 "preprocessor exited with signal %d",
projects / dragonfly.git / blob