1 /* $KAME: ip6fw.c,v 1.13 2001/06/22 05:51:16 itojun Exp $ */
4 * Copyright (C) 1998, 1999, 2000 and 2001 WIDE Project.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
34 * Copyright (c) 1994 Ugen J.S.Antsilevich
36 * Idea and grammar partially left from:
37 * Copyright (c) 1993 Daniel Boulet
39 * Redistribution and use in source forms, with and without modification,
40 * are permitted provided that this entire comment appears intact.
42 * Redistribution in binary form may occur without any restrictions.
43 * Obviously, it would be nice if you gave credit where credit is due
44 * but requiring it would be too onerous.
46 * This software is provided ``AS IS'' without any warranties of any kind.
48 * NEW command line interface for IP firewall facility
50 * $Id: ip6fw.c,v 1.1.2.2.2.2 1999/05/14 05:13:50 shin Exp $
51 * $FreeBSD: src/sbin/ip6fw/ip6fw.c,v 1.1.2.9 2003/04/05 10:54:51 ume Exp $
52 * $DragonFly: src/sbin/ip6fw/ip6fw.c,v 1.4 2003/09/28 14:39:18 hmp Exp $
55 #include <sys/types.h>
56 #include <sys/queue.h>
57 #include <sys/socket.h>
58 #include <sys/sockio.h>
60 #include <sys/ioctl.h>
78 #include <netinet/in.h>
79 #include <netinet/in_systm.h>
80 #include <netinet/ip6.h>
81 #include <netinet/icmp6.h>
82 #include <net/ip6fw/ip6_fw.h>
83 #include <netinet/tcp.h>
84 #include <arpa/inet.h>
88 int s; /* main RAW socket */
89 int do_resolv=0; /* Would try to resolv all */
90 int do_acct=0; /* Show packet/byte count */
91 int do_time=0; /* Show time stamps */
92 int do_quiet=0; /* Be quiet in add and flush */
93 int do_force=0; /* Don't ask for confirmation */
100 static struct icmpcode icmp6codes[] = {
101 { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
102 { ICMP6_DST_UNREACH_ADMIN, "admin" },
103 { ICMP6_DST_UNREACH_NOTNEIGHBOR, "notneighbor" },
104 { ICMP6_DST_UNREACH_ADDR, "addr" },
105 { ICMP6_DST_UNREACH_NOPORT, "noport" },
109 static char ntop_buf[INET6_ADDRSTRLEN];
111 static void show_usage(const char *fmt, ...);
114 mask_bits(u_char *m_ad, int m_len)
118 for (i = 0; i < m_len; i++, m_ad++) {
125 #define MASKLEN(m, l) case m: h_num += l; break
139 static int pl2m[9] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
141 struct in6_addr *plen2mask(int n)
143 static struct in6_addr ia;
147 memset(&ia, 0, sizeof(struct in6_addr));
149 for (i = 0; i < 16; i++, p++, n -= 8) {
161 print_port(u_char prot, u_short port, const char *comma)
165 const char *protocol;
169 pe = getprotobynumber(prot);
171 protocol = pe->p_name;
175 se = getservbyport(htons(port), protocol);
177 printf("%s%s", comma, se->s_name);
182 printf("%s%d",comma,port);
186 print_iface(char *key, union ip6_fw_if *un, int byname)
188 char ifnb[IP6FW_IFNLEN+1];
191 strncpy(ifnb, un->fu_via_if.name, IP6FW_IFNLEN);
192 ifnb[IP6FW_IFNLEN]='\0';
193 if (un->fu_via_if.unit == -1)
194 printf(" %s %s*", key, ifnb);
196 printf(" %s %s%d", key, ifnb, un->fu_via_if.unit);
197 } else if (!IN6_IS_ADDR_UNSPECIFIED(&un->fu_via_ip6)) {
198 printf(" %s %s", key, inet_ntop(AF_INET6,&un->fu_via_ip6,ntop_buf,sizeof(ntop_buf)));
200 printf(" %s any", key);
204 print_reject_code(int code)
208 for (ic = icmp6codes; ic->str; ic++)
209 if (ic->code == code) {
210 printf("%s", ic->str);
217 show_ip6fw(struct ip6_fw *chain)
223 int nsp = IPV6_FW_GETNSRCP(chain);
224 int ndp = IPV6_FW_GETNDSTP(chain);
227 setservent(1/*stayopen*/);
229 printf("%05u ", chain->fw_number);
232 printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
236 if (chain->timestamp)
240 strcpy(timestr, ctime((time_t *)&chain->timestamp));
241 *strchr(timestr, '\n') = '\0';
242 printf("%s ", timestr);
248 switch (chain->fw_flg & IPV6_FW_F_COMMAND)
250 case IPV6_FW_F_ACCEPT:
256 case IPV6_FW_F_COUNT:
259 case IPV6_FW_F_DIVERT:
260 printf("divert %u", chain->fw_divert_port);
263 printf("tee %u", chain->fw_divert_port);
265 case IPV6_FW_F_SKIPTO:
266 printf("skipto %u", chain->fw_skipto_rule);
268 case IPV6_FW_F_REJECT:
269 if (chain->fw_reject_code == IPV6_FW_REJECT_RST)
273 print_reject_code(chain->fw_reject_code);
277 errx(EX_OSERR, "impossible");
280 if (chain->fw_flg & IPV6_FW_F_PRN)
283 pe = getprotobynumber(chain->fw_prot);
285 printf(" %s", pe->p_name);
287 printf(" %u", chain->fw_prot);
289 printf(" from %s", chain->fw_flg & IPV6_FW_F_INVSRC ? "not " : "");
291 mb=mask_bits((u_char *)&chain->fw_smsk,sizeof(chain->fw_smsk));
292 if (mb==128 && do_resolv) {
293 he=gethostbyaddr((char *)&(chain->fw_src),sizeof(chain->fw_src),AF_INET6);
295 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
297 printf("%s",he->h_name);
303 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
307 printf(inet_ntop(AF_INET6,&chain->fw_src,ntop_buf,sizeof(ntop_buf)));
310 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
312 for (i = 0; i < nsp; i++) {
313 print_port(chain->fw_prot, chain->fw_pts[i], comma);
314 if (i==0 && (chain->fw_flg & IPV6_FW_F_SRNG))
321 printf(" to %s", chain->fw_flg & IPV6_FW_F_INVDST ? "not " : "");
323 mb=mask_bits((u_char *)&chain->fw_dmsk,sizeof(chain->fw_dmsk));
324 if (mb==128 && do_resolv) {
325 he=gethostbyaddr((char *)&(chain->fw_dst),sizeof(chain->fw_dst),AF_INET6);
327 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
329 printf("%s",he->h_name);
335 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
339 printf(inet_ntop(AF_INET6,&chain->fw_dst,ntop_buf,sizeof(ntop_buf)));
342 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
344 for (i = 0; i < ndp; i++) {
345 print_port(chain->fw_prot, chain->fw_pts[nsp+i], comma);
346 if (i==0 && (chain->fw_flg & IPV6_FW_F_DRNG))
354 if ((chain->fw_flg & IPV6_FW_F_IN) && !(chain->fw_flg & IPV6_FW_F_OUT))
356 if (!(chain->fw_flg & IPV6_FW_F_IN) && (chain->fw_flg & IPV6_FW_F_OUT))
359 /* Handle hack for "via" backwards compatibility */
360 if ((chain->fw_flg & IF6_FW_F_VIAHACK) == IF6_FW_F_VIAHACK) {
362 &chain->fw_in_if, chain->fw_flg & IPV6_FW_F_IIFNAME);
364 /* Receive interface specified */
365 if (chain->fw_flg & IPV6_FW_F_IIFACE)
366 print_iface("recv", &chain->fw_in_if,
367 chain->fw_flg & IPV6_FW_F_IIFNAME);
368 /* Transmit interface specified */
369 if (chain->fw_flg & IPV6_FW_F_OIFACE)
370 print_iface("xmit", &chain->fw_out_if,
371 chain->fw_flg & IPV6_FW_F_OIFNAME);
374 if (chain->fw_flg & IPV6_FW_F_FRAG)
377 if (chain->fw_ip6opt || chain->fw_ip6nopt) {
378 int _opt_printed = 0;
379 #define PRINTOPT(x) {if (_opt_printed) printf(",");\
380 printf(x); _opt_printed = 1;}
383 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("hopopt");
384 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_HOPOPT) PRINTOPT("!hopopt");
385 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("route");
386 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ROUTE) PRINTOPT("!route");
387 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("frag");
388 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_FRAG) PRINTOPT("!frag");
389 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_ESP) PRINTOPT("esp");
390 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_ESP) PRINTOPT("!esp");
391 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_AH) PRINTOPT("ah");
392 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_AH) PRINTOPT("!ah");
393 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("nonxt");
394 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_NONXT) PRINTOPT("!nonxt");
395 if (chain->fw_ip6opt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("opts");
396 if (chain->fw_ip6nopt & IPV6_FW_IP6OPT_OPTS) PRINTOPT("!opts");
399 if (chain->fw_ipflg & IPV6_FW_IF_TCPEST)
400 printf(" established");
401 else if (chain->fw_tcpf == IPV6_FW_TCPF_SYN &&
402 chain->fw_tcpnf == IPV6_FW_TCPF_ACK)
404 else if (chain->fw_tcpf || chain->fw_tcpnf) {
405 int _flg_printed = 0;
406 #define PRINTFLG(x) {if (_flg_printed) printf(",");\
407 printf(x); _flg_printed = 1;}
410 if (chain->fw_tcpf & IPV6_FW_TCPF_FIN) PRINTFLG("fin");
411 if (chain->fw_tcpnf & IPV6_FW_TCPF_FIN) PRINTFLG("!fin");
412 if (chain->fw_tcpf & IPV6_FW_TCPF_SYN) PRINTFLG("syn");
413 if (chain->fw_tcpnf & IPV6_FW_TCPF_SYN) PRINTFLG("!syn");
414 if (chain->fw_tcpf & IPV6_FW_TCPF_RST) PRINTFLG("rst");
415 if (chain->fw_tcpnf & IPV6_FW_TCPF_RST) PRINTFLG("!rst");
416 if (chain->fw_tcpf & IPV6_FW_TCPF_PSH) PRINTFLG("psh");
417 if (chain->fw_tcpnf & IPV6_FW_TCPF_PSH) PRINTFLG("!psh");
418 if (chain->fw_tcpf & IPV6_FW_TCPF_ACK) PRINTFLG("ack");
419 if (chain->fw_tcpnf & IPV6_FW_TCPF_ACK) PRINTFLG("!ack");
420 if (chain->fw_tcpf & IPV6_FW_TCPF_URG) PRINTFLG("urg");
421 if (chain->fw_tcpnf & IPV6_FW_TCPF_URG) PRINTFLG("!urg");
423 if (chain->fw_flg & IPV6_FW_F_ICMPBIT) {
429 for (type_index = 0; type_index < IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8; ++type_index)
430 if (chain->fw_icmp6types[type_index / (sizeof(unsigned) * 8)] &
431 (1U << (type_index % (sizeof(unsigned) * 8)))) {
432 printf("%c%d", first == 1 ? ' ' : ',', type_index);
442 list(int ac, char **av)
444 struct ip6_fw *r, *rules;
446 unsigned long rulenum;
447 int nalloc, bytes, maxbytes;
449 /* extract rules from kernel, resizing array as necessary */
451 nalloc = sizeof *rules;
453 maxbytes = 65536 * sizeof *rules;
454 while (bytes >= nalloc) {
455 nalloc = nalloc * 2 + 200;
457 if ((rules = realloc(rules, bytes)) == NULL)
458 err(EX_OSERR, "realloc");
459 i = getsockopt(s, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);
460 if ((i < 0 && errno != EINVAL) || nalloc > maxbytes)
461 err(EX_OSERR, "getsockopt(IPV6_FW_GET)");
464 /* display all rules */
465 for (r = rules, l = bytes; l >= sizeof rules[0];
466 r++, l-=sizeof rules[0])
470 /* display specific rules requested on command line */
477 /* convert command line rule # */
478 rulenum = strtoul(*av++, &endptr, 10);
481 warn("invalid rule number: %s", av[-1]);
485 for (r = rules, l = bytes;
486 l >= sizeof rules[0] && r->fw_number <= rulenum;
487 r++, l-=sizeof rules[0])
488 if (rulenum == r->fw_number) {
494 warnx("rule %lu does not exist", rulenum);
503 show_usage(const char *fmt, ...)
510 vsnprintf(buf, sizeof(buf), fmt, args);
512 warnx("error: %s", buf);
514 fprintf(stderr, "usage: ip6fw [options]\n"
516 " add [number] rule\n"
517 " delete number ...\n"
518 " list [number ...]\n"
519 " show [number ...]\n"
520 " zero [number ...]\n"
521 " rule: action proto src dst extras...\n"
523 " {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
524 " reset|count|skipto num} [log]\n"
525 " proto: {ipv6|tcp|udp|ipv6-icmp|<number>}\n"
526 " src: from [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
527 " dst: to [not] {any|ipv6[/prefixlen]} [{port|port-port},[port],...]\n"
529 " fragment (may not be used with ports or tcpflags)\n"
532 " {xmit|recv|via} {iface|ipv6|any}\n"
533 " {established|setup}\n"
534 " tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
535 " ipv6options [!]{hopopt|route|frag|esp|ah|nonxt|opts},...\n"
536 " icmptypes {type[,type]}...\n");
542 lookup_host (char *host, u_char *addr, int family)
546 if (inet_pton(family, host, addr) != 1) {
547 if ((he = gethostbyname2(host, family)) == NULL)
549 memcpy(addr, he->h_addr_list[0], he->h_length);
555 fill_ip6(struct in6_addr *ipno, struct in6_addr *mask, int *acp, char ***avp)
562 if (ac && !strncmp(*av,"any",strlen(*av))) {
563 *ipno = *mask = in6addr_any; av++; ac--;
565 p = strchr(*av, '/');
571 if (lookup_host(*av, ipno, AF_INET6) != 0)
572 show_usage("hostname ``%s'' unknown", *av);
577 } else if (atoi(p) > 128) {
578 show_usage("bad width ``%s''", p);
580 *mask = *(plen2mask(atoi(p)));
584 *mask = *(plen2mask(128));
587 for (i = 0; i < sizeof(*ipno); i++)
588 ipno->s6_addr[i] &= mask->s6_addr[i];
597 fill_reject_code6(u_short *codep, char *str)
603 val = strtoul(str, &s, 0);
604 if (s != str && *s == '\0' && val < 0x100) {
608 for (ic = icmp6codes; ic->str; ic++)
609 if (!strcasecmp(str, ic->str)) {
613 show_usage("unknown ICMP6 unreachable code ``%s''", str);
617 add_port(u_short *cnt, u_short *ptr, u_short off, u_short port)
619 if (off + *cnt >= IPV6_FW_MAX_PORTS)
620 errx(1, "too many ports (max is %d)", IPV6_FW_MAX_PORTS);
621 ptr[off+*cnt] = port;
626 lookup_port(const char *arg, int test, int nodash)
632 snprintf(buf, sizeof(buf), "%s", arg);
633 buf[strcspn(arg, nodash ? "-," : ",")] = 0;
634 val = (int) strtoul(buf, &earg, 0);
635 if (!*buf || *earg) {
637 if ((s = getservbyname(buf, NULL))) {
638 val = htons(s->s_port);
641 errx(1, "unknown port ``%s''", arg);
646 if (val < 0 || val > 0xffff) {
648 errx(1, "port ``%s'' out of range", arg);
657 fill_port(u_short *cnt, u_short *ptr, u_short off, char *arg)
660 int initial_range = 0;
662 s = arg + strcspn(arg, "-,"); /* first port name can't have a dash */
665 if (strchr(arg, ','))
666 errx(1, "port range must be first in list");
667 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0x0000);
672 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0xffff);
676 while (arg != NULL) {
680 add_port(cnt, ptr, off, lookup_port(arg, 0, 0));
683 return initial_range;
687 fill_tcpflag(u_char *set, u_char *reset, char **vp)
697 { "syn", IPV6_FW_TCPF_SYN },
698 { "fin", IPV6_FW_TCPF_FIN },
699 { "ack", IPV6_FW_TCPF_ACK },
700 { "psh", IPV6_FW_TCPF_PSH },
701 { "rst", IPV6_FW_TCPF_RST },
702 { "urg", IPV6_FW_TCPF_URG }
715 for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i)
716 if (!strncmp(p, flags[i].name, strlen(p))) {
717 *d |= flags[i].value;
720 if (i == sizeof(flags) / sizeof(flags[0]))
721 show_usage("invalid tcp flag ``%s''", p);
727 fill_ip6opt(u_char *set, u_char *reset, char **vp)
742 if (!strncmp(p,"hopopt",strlen(p))) *d |= IPV6_FW_IP6OPT_HOPOPT;
743 if (!strncmp(p,"route",strlen(p))) *d |= IPV6_FW_IP6OPT_ROUTE;
744 if (!strncmp(p,"frag",strlen(p))) *d |= IPV6_FW_IP6OPT_FRAG;
745 if (!strncmp(p,"esp",strlen(p))) *d |= IPV6_FW_IP6OPT_ESP;
746 if (!strncmp(p,"ah",strlen(p))) *d |= IPV6_FW_IP6OPT_AH;
747 if (!strncmp(p,"nonxt",strlen(p))) *d |= IPV6_FW_IP6OPT_NONXT;
748 if (!strncmp(p,"opts",strlen(p))) *d |= IPV6_FW_IP6OPT_OPTS;
754 fill_icmptypes(u_long *types, char **vp, u_short *fw_flg)
760 unsigned long icmptype;
765 icmptype = strtoul(c, &c, 0);
767 if ( *c != ',' && *c != '\0' )
768 show_usage("invalid ICMP6 type");
770 if (icmptype >= IPV6_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8)
771 show_usage("ICMP6 type out of range");
773 types[icmptype / (sizeof(unsigned) * 8)] |=
774 1 << (icmptype % (sizeof(unsigned) * 8));
775 *fw_flg |= IPV6_FW_F_ICMPBIT;
780 delete(int ac, char **av)
786 memset(&rule, 0, sizeof rule);
791 while (ac && isdigit(**av)) {
792 rule.fw_number = atoi(*av); av++; ac--;
793 i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule);
796 warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL");
804 verify_interface(union ip6_fw_if *ifu)
809 * If a unit was specified, check for that exact interface.
810 * If a wildcard was specified, check for unit 0.
812 snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d",
814 ifu->fu_via_if.unit == -1 ? 0 : ifu->fu_via_if.unit);
816 if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0)
817 warnx("warning: interface ``%s'' does not exist", ifr.ifr_name);
821 fill_iface(char *which, union ip6_fw_if *ifu, int *byname, int ac, char *arg)
824 show_usage("missing argument for ``%s''", which);
826 /* Parse the interface or address */
827 if (!strcmp(arg, "any")) {
828 ifu->fu_via_ip6 = in6addr_any;
830 } else if (!isdigit(*arg)) {
834 strncpy(ifu->fu_via_if.name, arg, sizeof(ifu->fu_via_if.name));
835 ifu->fu_via_if.name[sizeof(ifu->fu_via_if.name) - 1] = '\0';
836 for (q = ifu->fu_via_if.name;
837 *q && !isdigit(*q) && *q != '*'; q++)
839 ifu->fu_via_if.unit = (*q == '*') ? -1 : atoi(q);
841 verify_interface(ifu);
842 } else if (inet_pton(AF_INET6, arg, &ifu->fu_via_ip6) != 1) {
843 show_usage("bad ip6 address ``%s''", arg);
849 add(int ac, char **av)
855 int saw_xmrc = 0, saw_via = 0;
857 memset(&rule, 0, sizeof rule);
862 if (ac && isdigit(**av)) {
863 rule.fw_number = atoi(*av); av++; ac--;
868 show_usage("missing action");
869 if (!strncmp(*av,"accept",strlen(*av))
870 || !strncmp(*av,"pass",strlen(*av))
871 || !strncmp(*av,"allow",strlen(*av))
872 || !strncmp(*av,"permit",strlen(*av))) {
873 rule.fw_flg |= IPV6_FW_F_ACCEPT; av++; ac--;
874 } else if (!strncmp(*av,"count",strlen(*av))) {
875 rule.fw_flg |= IPV6_FW_F_COUNT; av++; ac--;
878 else if (!strncmp(*av,"divert",strlen(*av))) {
879 rule.fw_flg |= IPV6_FW_F_DIVERT; av++; ac--;
881 show_usage("missing divert port");
882 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
883 if (rule.fw_divert_port == 0) {
886 s = getservbyname(av[-1], "divert");
888 rule.fw_divert_port = ntohs(s->s_port);
890 show_usage("illegal divert port");
892 } else if (!strncmp(*av,"tee",strlen(*av))) {
893 rule.fw_flg |= IPV6_FW_F_TEE; av++; ac--;
895 show_usage("missing divert port");
896 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
897 if (rule.fw_divert_port == 0) {
900 s = getservbyname(av[-1], "divert");
902 rule.fw_divert_port = ntohs(s->s_port);
904 show_usage("illegal divert port");
908 else if (!strncmp(*av,"skipto",strlen(*av))) {
909 rule.fw_flg |= IPV6_FW_F_SKIPTO; av++; ac--;
911 show_usage("missing skipto rule number");
912 rule.fw_skipto_rule = strtoul(*av, NULL, 0); av++; ac--;
913 } else if ((!strncmp(*av,"deny",strlen(*av))
914 || !strncmp(*av,"drop",strlen(*av)))) {
915 rule.fw_flg |= IPV6_FW_F_DENY; av++; ac--;
916 } else if (!strncmp(*av,"reject",strlen(*av))) {
917 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
918 rule.fw_reject_code = ICMP6_DST_UNREACH_NOROUTE;
919 } else if (!strncmp(*av,"reset",strlen(*av))) {
920 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
921 rule.fw_reject_code = IPV6_FW_REJECT_RST; /* check TCP later */
922 } else if (!strncmp(*av,"unreach",strlen(*av))) {
923 rule.fw_flg |= IPV6_FW_F_REJECT; av++; ac--;
924 fill_reject_code6(&rule.fw_reject_code, *av); av++; ac--;
926 show_usage("invalid action ``%s''", *av);
930 if (ac && !strncmp(*av,"log",strlen(*av))) {
931 rule.fw_flg |= IPV6_FW_F_PRN; av++; ac--;
936 show_usage("missing protocol");
937 if ((proto = atoi(*av)) > 0) {
938 rule.fw_prot = proto; av++; ac--;
939 } else if (!strncmp(*av,"all",strlen(*av))) {
940 rule.fw_prot = IPPROTO_IPV6; av++; ac--;
941 } else if ((pe = getprotobyname(*av)) != NULL) {
942 rule.fw_prot = pe->p_proto; av++; ac--;
944 show_usage("invalid protocol ``%s''", *av);
947 if (rule.fw_prot != IPPROTO_TCP
948 && (rule.fw_flg & IPV6_FW_F_COMMAND) == IPV6_FW_F_REJECT
949 && rule.fw_reject_code == IPV6_FW_REJECT_RST)
950 show_usage("``reset'' is only valid for tcp packets");
953 if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
955 show_usage("missing ``from''");
957 if (ac && !strncmp(*av,"not",strlen(*av))) {
958 rule.fw_flg |= IPV6_FW_F_INVSRC;
962 show_usage("missing arguments");
964 fill_ip6(&rule.fw_src, &rule.fw_smsk, &ac, &av);
966 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
969 if (fill_port(&nports, rule.fw_pts, 0, *av))
970 rule.fw_flg |= IPV6_FW_F_SRNG;
971 IPV6_FW_SETNSRCP(&rule, nports);
976 if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; }
978 show_usage("missing ``to''");
980 if (ac && !strncmp(*av,"not",strlen(*av))) {
981 rule.fw_flg |= IPV6_FW_F_INVDST;
985 show_usage("missing arguments");
987 fill_ip6(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
989 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
992 if (fill_port(&nports,
993 rule.fw_pts, IPV6_FW_GETNSRCP(&rule), *av))
994 rule.fw_flg |= IPV6_FW_F_DRNG;
995 IPV6_FW_SETNDSTP(&rule, nports);
999 if ((rule.fw_prot != IPPROTO_TCP) && (rule.fw_prot != IPPROTO_UDP)
1000 && (IPV6_FW_GETNSRCP(&rule) || IPV6_FW_GETNDSTP(&rule))) {
1001 show_usage("only TCP and UDP protocols are valid"
1002 " with port specifications");
1006 if (!strncmp(*av,"in",strlen(*av))) {
1007 rule.fw_flg |= IPV6_FW_F_IN;
1008 av++; ac--; continue;
1010 if (!strncmp(*av,"out",strlen(*av))) {
1011 rule.fw_flg |= IPV6_FW_F_OUT;
1012 av++; ac--; continue;
1014 if (ac && !strncmp(*av,"xmit",strlen(*av))) {
1015 union ip6_fw_if ifu;
1020 show_usage("``via'' is incompatible"
1021 " with ``xmit'' and ``recv''");
1025 fill_iface("xmit", &ifu, &byname, ac, *av);
1026 rule.fw_out_if = ifu;
1027 rule.fw_flg |= IPV6_FW_F_OIFACE;
1029 rule.fw_flg |= IPV6_FW_F_OIFNAME;
1030 av++; ac--; continue;
1032 if (ac && !strncmp(*av,"recv",strlen(*av))) {
1033 union ip6_fw_if ifu;
1040 fill_iface("recv", &ifu, &byname, ac, *av);
1041 rule.fw_in_if = ifu;
1042 rule.fw_flg |= IPV6_FW_F_IIFACE;
1044 rule.fw_flg |= IPV6_FW_F_IIFNAME;
1045 av++; ac--; continue;
1047 if (ac && !strncmp(*av,"via",strlen(*av))) {
1048 union ip6_fw_if ifu;
1055 fill_iface("via", &ifu, &byname, ac, *av);
1056 rule.fw_out_if = rule.fw_in_if = ifu;
1059 (IPV6_FW_F_IIFNAME | IPV6_FW_F_OIFNAME);
1060 av++; ac--; continue;
1062 if (!strncmp(*av,"fragment",strlen(*av))) {
1063 rule.fw_flg |= IPV6_FW_F_FRAG;
1064 av++; ac--; continue;
1066 if (!strncmp(*av,"ipv6options",strlen(*av))) {
1069 show_usage("missing argument"
1070 " for ``ipv6options''");
1071 fill_ip6opt(&rule.fw_ip6opt, &rule.fw_ip6nopt, av);
1072 av++; ac--; continue;
1074 if (rule.fw_prot == IPPROTO_TCP) {
1075 if (!strncmp(*av,"established",strlen(*av))) {
1076 rule.fw_ipflg |= IPV6_FW_IF_TCPEST;
1077 av++; ac--; continue;
1079 if (!strncmp(*av,"setup",strlen(*av))) {
1080 rule.fw_tcpf |= IPV6_FW_TCPF_SYN;
1081 rule.fw_tcpnf |= IPV6_FW_TCPF_ACK;
1082 av++; ac--; continue;
1084 if (!strncmp(*av,"tcpflags",strlen(*av))) {
1087 show_usage("missing argument"
1088 " for ``tcpflags''");
1089 fill_tcpflag(&rule.fw_tcpf, &rule.fw_tcpnf, av);
1090 av++; ac--; continue;
1093 if (rule.fw_prot == IPPROTO_ICMPV6) {
1094 if (!strncmp(*av,"icmptypes",strlen(*av))) {
1097 show_usage("missing argument"
1098 " for ``icmptypes''");
1099 fill_icmptypes(rule.fw_icmp6types,
1101 av++; ac--; continue;
1104 show_usage("unknown argument ``%s''", *av);
1107 /* No direction specified -> do both directions */
1108 if (!(rule.fw_flg & (IPV6_FW_F_OUT|IPV6_FW_F_IN)))
1109 rule.fw_flg |= (IPV6_FW_F_OUT|IPV6_FW_F_IN);
1111 /* Sanity check interface check, but handle "via" case separately */
1113 if (rule.fw_flg & IPV6_FW_F_IN)
1114 rule.fw_flg |= IPV6_FW_F_IIFACE;
1115 if (rule.fw_flg & IPV6_FW_F_OUT)
1116 rule.fw_flg |= IPV6_FW_F_OIFACE;
1117 } else if ((rule.fw_flg & IPV6_FW_F_OIFACE) && (rule.fw_flg & IPV6_FW_F_IN))
1118 show_usage("can't check xmit interface of incoming packets");
1120 /* frag may not be used in conjunction with ports or TCP flags */
1121 if (rule.fw_flg & IPV6_FW_F_FRAG) {
1122 if (rule.fw_tcpf || rule.fw_tcpnf)
1123 show_usage("can't mix 'frag' and tcpflags");
1126 show_usage("can't mix 'frag' and port specifications");
1131 i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule);
1133 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ADD");
1137 zero (int ac, char **av)
1142 /* clear all entries */
1143 if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
1144 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ZERO");
1146 printf("Accounting cleared.\n");
1151 memset(&rule, 0, sizeof rule);
1154 if (isdigit(**av)) {
1155 rule.fw_number = atoi(*av); av++; ac--;
1156 if (setsockopt(s, IPPROTO_IPV6,
1157 IPV6_FW_ZERO, &rule, sizeof rule)) {
1158 warn("rule %u: setsockopt(%s)", rule.fw_number,
1163 printf("Entry %d cleared\n",
1166 show_usage("invalid rule number ``%s''", *av);
1174 ip6fw_main(int ac, char **av)
1179 /* init optind to 1 */
1186 /* Set the force flag for non-interactive processes */
1187 do_force = !isatty(STDIN_FILENO);
1189 while ((ch = getopt(ac, av ,"afqtN")) != -1)
1211 if (*(av+=optind)==NULL) {
1212 show_usage("Bad arguments");
1215 if (!strncmp(*av, "add", strlen(*av))) {
1217 } else if (!strncmp(*av, "delete", strlen(*av))) {
1219 } else if (!strncmp(*av, "flush", strlen(*av))) {
1222 if ( do_force || do_quiet )
1228 printf("Are you sure? [yn] ");
1231 c = toupper(getc(stdin));
1232 while (c != '\n' && getc(stdin) != '\n')
1235 } while (c != 'Y' && c != 'N');
1241 if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
1242 err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_FLUSH");
1244 printf("Flushed all rules.\n");
1246 } else if (!strncmp(*av, "zero", strlen(*av))) {
1248 } else if (!strncmp(*av, "print", strlen(*av))) {
1250 } else if (!strncmp(*av, "list", strlen(*av))) {
1252 } else if (!strncmp(*av, "show", strlen(*av))) {
1256 show_usage("Bad arguments");
1262 main(int ac, char **av)
1265 #define WHITESP " \t\f\v\n\r"
1267 char *a, *p, *args[MAX_ARGS], *cmd = NULL;
1269 int i, c, lineno, qflag, pflag, status;
1273 s = socket( AF_INET6, SOCK_RAW, IPPROTO_RAW );
1275 err(EX_UNAVAILABLE, "socket");
1280 * Only interpret the last command line argument as a file to
1281 * be preprocessed if it is specified as an absolute pathname.
1284 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) {
1285 qflag = pflag = i = 0;
1288 while ((c = getopt(ac, av, "D:U:p:q")) != -1)
1292 errx(EX_USAGE, "-D requires -p");
1293 if (i > MAX_ARGS - 2)
1295 "too many -D or -U options");
1302 errx(EX_USAGE, "-U requires -p");
1303 if (i > MAX_ARGS - 2)
1305 "too many -D or -U options");
1328 show_usage("extraneous filename arguments");
1330 if ((f = fopen(av[0], "r")) == NULL)
1331 err(EX_UNAVAILABLE, "fopen: %s", av[0]);
1334 /* pipe through preprocessor (cpp or m4) */
1339 if (pipe(pipedes) == -1)
1340 err(EX_OSERR, "cannot create pipe");
1342 switch((preproc = fork())) {
1344 err(EX_OSERR, "cannot fork");
1348 if (dup2(fileno(f), 0) == -1 ||
1349 dup2(pipedes[1], 1) == -1)
1350 err(EX_OSERR, "dup2()");
1355 err(EX_OSERR, "execvp(%s) failed", cmd);
1361 if ((f = fdopen(pipedes[0], "r")) == NULL) {
1362 int savederrno = errno;
1364 (void)kill(preproc, SIGTERM);
1366 err(EX_OSERR, "fdopen()");
1371 while (fgets(buf, BUFSIZ, f)) {
1373 sprintf(linename, "Line %d", lineno);
1378 if ((p = strchr(buf, '#')) != NULL)
1381 if (qflag) args[i++]="-q";
1382 for (a = strtok(buf, WHITESP);
1383 a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
1385 if (i == (qflag? 2: 1))
1388 errx(EX_USAGE, "%s: too many arguments", linename);
1391 ip6fw_main(i, args);
1395 if (waitpid(preproc, &status, 0) != -1) {
1396 if (WIFEXITED(status)) {
1397 if (WEXITSTATUS(status) != EX_OK)
1398 errx(EX_UNAVAILABLE,
1399 "preprocessor exited with status %d",
1400 WEXITSTATUS(status));
1401 } else if (WIFSIGNALED(status)) {
1402 errx(EX_UNAVAILABLE,
1403 "preprocessor exited with signal %d",