Add ip6fw.
Yes, it is almost code freeze, but as the result of much thought I now think this should be added before 4.0... make world check and kernel build check are done. Reviewed by: green Obtained from: KAME project
This commit is contained in:
parent
7b387768d7
commit
210d0432a3
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=56815
@ -21,6 +21,7 @@ SUBDIR= adjkerntz \
|
||||
fsirand \
|
||||
ifconfig \
|
||||
init \
|
||||
ip6fw \
|
||||
ipf \
|
||||
ipfstat \
|
||||
ipfw \
|
||||
|
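--- a/sbin/ip6fw/Makefile
+++ b/sbin/ip6fw/Makefile
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+PROG= ip6fw
+MAN8= ip6fw.8
+
+.include <bsd.prog.mk>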
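--- a/sbin/ip6fw/ip6fw.8
+++ b/sbin/ip6fw/ip6fw.8
@@ -0,0 +1,478 @@
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 20, 1996
+.Dt IP6FW 8 SMM
+.Os FreeBSD
+.Sh NAME
+.Nm ip6fw
+.Nd controlling utility for IPv6 firewall
+.Sh SYNOPSIS
+.Nm
+.Ar file
+.Nm ip6fw
+.Oo
+.Fl f
+|
+.Fl q
+.Oc
+flush
+.Nm ip6fw
+.Oo
+.Fl q
+.Oc
+zero
+.Op Ar number ...
+.Nm ip6fw
+delete
+.Ar number ...
+.Nm ip6fw
+.Op Fl aftN
+list
+.Op Ar number ...
+.Nm ip6fw
+.Oo
+.Fl ftN
+.Oc
+show
+.Op Ar number ...
+.Nm ip6fw
+.Oo
+.Fl q
+.Oc
+add
+.Op Ar number
+.Ar action
+.Op log
+.Ar proto
+from
+.Ar src
+to
+.Ar dst
+.Op via Ar name | ipv6no
+.Op Ar options
+.Sh DESCRIPTION
+If used as shown in the first synopsis line, the
+.Ar file
+will be read line by line and applied as arguments to the
+.Nm
+command.
+.Pp
+The
+.Nm
+code works by going through the rule-list for each packet,
+until a match is found.
+All rules have two associated counters, a packet count and
+a byte count.
+These counters are updated when a packet matches the rule.
+.Pp
+The rules are ordered by a ``line-number'' from 1 to 65534 that is used
+to order and delete rules. Rules are tried in increasing order, and the
+first rule that matches a packet applies.
+Multiple rules may share the same number and apply in
+the order in which they were added.
+.Pp
+If a rule is added without a number, it is numbered 100 higher
+than the previous rule. If the highest defined rule number is
+greater than 65434, new rules are appended to the last rule.
+.Pp
+The delete operation deletes the first rule with number
+.Ar number ,
+if any.
+.Pp
+The list command prints out the current rule set.
+.Pp
+The show command is equivalent to `ip6fw -a list'.
+.Pp
+The zero operation zeroes the counters associated with rule number
+.Ar number .
+.Pp
+The flush operation removes all rules.
+.Pp
+Any command beginning with a '#', or being all blank, is ignored.
+.Pp
+One rule is always present:
+.Bd -literal -offset center
+65535 deny all from any to any
+.Ed
+.Pp
+This rule is the default policy, i.e., don't allow anything at all.
+Your job in setting up rules is to modify this policy to match your
+needs.
+.Pp
+The following options are available:
+.Bl -tag -width flag
+.It Fl a
+While listing, show counter values. See also ``show'' command.
+.It Fl f
+Don't ask for confirmation for commands that can cause problems if misused
+(ie; flush).
+.Ar Note ,
+if there is no tty associated with the process, this is implied.
+.It Fl q
+While adding, zeroing or flushing, be quiet about actions (implies '-f').
+This is useful for adjusting rules by executing multiple ip6fw commands in a
+script (e.g. sh /etc/rc.firewall), or by processing a file of many ip6fw rules,
+across a remote login session. If a flush is performed in normal
+(verbose) mode, it prints a message. Because all rules are flushed, the
+message cannot be delivered to the login session, the login session is
+closed and the remainder of the ruleset is not processed. Access to the
+console is required to recover.
+.It Fl t
+While listing, show last match timestamp.
+.It Fl N
+Try to resolve addresses and service names in output.
+.El
+.Pp
+.Ar action :
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar allow
+Allow packets that match rule.
+The search terminates. Aliases are
+.Ar pass ,
+.Ar permit ,
+and
+.Ar accept .
+.It Ar deny
+Discard packets that match this rule.
+The search terminates.
+.Ar Drop
+is an alias for
+.Ar deny .
+.It Ar reject
+(Deprecated.) Discard packets that match this rule, and try to send an ICMPv6
+host unreachable notice.
+The search terminates.
+.It Ar unreach code
+Discard packets that match this rule, and try to send an ICMPv6
+unreachable notice with code
+.Ar code ,
+where
+.Ar code
+is a number from zero to 255, or one of these aliases:
+.Ar noroute ,
+.Ar admin ,
+.Ar notneighbor ,
+.Ar addr ,
+or
+.Ar noport ,
+The search terminates.
+.It Ar reset
+TCP packets only. Discard packets that match this rule,
+and try to send a TCP reset (RST) notice.
+The search terminates
+.Em (not working yet).
+.It Ar count
+Update counters for all packets that match rule.
+The search continues with the next rule.
+.It Ar skipto number
+Skip all subsequent rules numbered less than
+.Ar number .
+The search continues with the first rule numbered
+.Ar number
+or higher.
+.El
+.Pp
+If the kernel was compiled with
+.Dv IP6FIREWALL_VERBOSE ,
+then when a packet matches a rule with the ``log''
+keyword a message will be printed on the console.
+If the kernel was compiled with the
+.Dv IP6FIREWALL_VERBOSE_LIMIT
+option, then logging will cease after the number of packets
+specified by the option are received for that particular
+chain entry. Logging may then be re-enabled by clearing
+the packet counter for that entry.
+.Pp
+Console logging and the log limit are adjustable dynamically
+through the
+.Xr sysctl 8
+interface.
+.Pp
+.Ar proto :
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar ipv6
+All packets match. The alias
+.Ar all
+has the same effect.
+.It Ar tcp
+Only TCP packets match.
+.It Ar udp
+Only UDP packets match.
+.It Ar ipv6-icmp
+Only ICMPv6 packets match.
+.It Ar <number|name>
+Only packets for the specified protocol matches (see
+.Pa /etc/protocols
+for a complete list).
+.El
+.Pp
+.Ar src
+and
+.Ar dst :
+.Bl -hang -offset flag
+.It Ar <address/prefixlen>
+.Op Ar ports
+.El
+.Pp
+The
+.Em <address/prefixlen>
+may be specified as:
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar ipv6no
+An ipv6number of the form fec0::1:2:3:4.
+.It Ar ipv6no/prefixlen
+An ipv6number with a prefix length of the form fec0::1:2:3:4/112.
+.El
+.Pp
+The sense of the match can be inverted by preceding an address with the
+``not'' modifier, causing all other addresses to be matched instead. This
+does not affect the selection of port numbers.
+.Pp
+With the TCP and UDP protocols, optional
+.Em ports
+may be specified as:
+.Pp
+.Bl -hang -offset flag
+.It Ns {port|port-port} Ns Op ,port Ns Op ,...
+.El
+.Pp
+Service names (from
+.Pa /etc/services )
+may be used instead of numeric port values.
+A range may only be specified as the first value,
+and the length of the port list is limited to
+.Dv IP6_FW_MAX_PORTS
+(as defined in
+.Pa /usr/src/sys/netinet/ip6_fw.h )
+ports.
+.Pp
+Fragmented packets which have a non-zero offset (i.e. not the first
+fragment) will never match a rule which has one or more port
+specifications. See the
+.Ar frag
+option for details on matching fragmented packets.
+.Pp
+Rules can apply to packets when they are incoming, or outgoing, or both.
+The
+.Ar in
+keyword indicates the rule should only match incoming packets.
+The
+.Ar out
+keyword indicates the rule should only match outgoing packets.
+.Pp
+To match packets going through a certain interface, specify
+the interface using
+.Ar via :
+.Bl -hang -offset flag -width 1234567890123456
+.It Ar via ifX
+Packet must be going through interface
+.Ar ifX.
+.It Ar via if*
+Packet must be going through interface
+.Ar ifX ,
+where X is any unit number.
+.It Ar via any
+Packet must be going through
+.Em some
+interface.
+.It Ar via ipv6no
+Packet must be going through the interface having IPv6 address
+.Ar ipv6no .
+.El
+.Pp
+The
+.Ar via
+keyword causes the interface to always be checked.
+If
+.Ar recv
+or
+.Ar xmit
+is used instead of
+.Ar via ,
+then the only receive or transmit interface (respectively) is checked.
+By specifying both, it is possible to match packets based on both receive
+and transmit interface, e.g.:
+.Pp
+.Dl "ip6fw add 100 deny ip from any to any out recv ed0 xmit ed1"
+.Pp
+The
+.Ar recv
+interface can be tested on either incoming or outgoing packets, while the
+.Ar xmit
+interface can only be tested on outgoing packets. So
+.Ar out
+is required (and
+.Ar in
+invalid) whenver
+.Ar xmit
+is used. Specifying
+.Ar via
+together with
+.Ar xmit
+or
+.Ar recv
+is invalid.
+.Pp
+A packet may not have a receive or transmit interface: packets originating
+from the local host have no receive interface. while packets destined for
+the local host have no transmit interface.
+.Pp
+Additional
+.Ar options :
+.Bl -hang -offset flag -width 1234567890123456
+.It frag
+Matches if the packet is a fragment and this is not the first fragment
+of the datagram.
+.Ar frag
+may not be used in conjunction with either
+.Ar tcpflags
+or TCP/UDP port specifications.
+.It in
+Matches if this packet was on the way in.
+.It out
+Matches if this packet was on the way out.
+.It ipv6options Ar spec
+Matches if the IPv6 header contains the comma separated list of
+options specified in
+.Ar spec .
+The supported IPv6 options are:
+.Ar hopopt
+(hop-by-hop options header),
+.Ar route
+(routing header),
+.Ar frag
+(fragment header),
+.Ar esp
+(encapsulating security payload),
+.Ar ah
+(authentication header),
+.Ar nonxt
+(no next header), and
+.Ar opts
+(destination options header).
+The absence of a particular option may be denoted
+with a ``!''
+.Em (not working yet).
+.It established
+Matches packets that have the RST or ACK bits set.
+TCP packets only.
+.It setup
+Matches packets that have the SYN bit set but no ACK bit.
+TCP packets only.
+.It tcpflags Ar spec
+Matches if the TCP header contains the comma separated list of
+flags specified in
+.Ar spec .
+The supported TCP flags are:
+.Ar fin ,
+.Ar syn ,
+.Ar rst ,
+.Ar psh ,
+.Ar ack ,
+and
+.Ar urg .
+The absence of a particular flag may be denoted
+with a ``!''.
+A rule which contains a
+.Ar tcpflags
+specification can never match a fragmented packet which has
+a non-zero offset. See the
+.Ar frag
+option for details on matching fragmented packets.
+.It icmptypes Ar types
+Matches if the ICMPv6 type is in the list
+.Ar types .
+The list may be specified as any combination of ranges
+or individual types separated by commas.
+.El
+.Sh CHECKLIST
+Here are some important points to consider when designing your
+rules:
+.Bl -bullet -hang -offset flag
+.It
+Remember that you filter both packets going in and out.
+Most connections need packets going in both directions.
+.It
+Remember to test very carefully.
+It is a good idea to be near the console when doing this.
+.It
+Don't forget the loopback interface.
+.El
+.Sh FINE POINTS
+There is one kind of packet that the firewall will always discard,
+that is an IPv6 fragment with a fragment offset of one.
+This is a valid packet, but it only has one use, to try to circumvent
+firewalls.
+.Pp
+If you are logged in over a network, loading the LKM version of
+.Nm
+is probably not as straightforward as you would think
+.Em (not supported).
+I recommend this command line:
+.Bd -literal -offset center
+modload /lkm/ip6fw_mod.o && \e
+ip6fw add 32000 allow all from any to any
+.Ed
+.Pp
+Along the same lines, doing an
+.Bd -literal -offset center
+ip6fw flush
+.Ed
+.Pp
+in similar surroundings is also a bad idea.
+.Sh PACKET DIVERSION
+not supported.
+.Sh EXAMPLES
+This command adds an entry which denies all tcp packets from
+.Em hacker.evil.org
+to the telnet port of
+.Em wolf.tambov.su
+from being forwarded by the host:
+.Pp
+.Dl ip6fw add deny tcp from hacker.evil.org to wolf.tambov.su 23
+.Pp
+This one disallows any connection from the entire hackers network to
+my host:
+.Pp
+.Dl ip6fw addf deny all from fec0::123:45:67:0/112 to my.host.org
+.Pp
+Here is a good usage of the list command to see accounting records
+and timestamp information:
+.Pp
+.Dl ip6fw -at l
+.Pp
+or in short form without timestamps:
+.Pp
+.Dl ip6fw -a l
+.Pp
+.Sh SEE ALSO
+.Xr ip 4 ,
+.Xr ipfirewall 4 ,
+.Xr protocols 5 ,
+.Xr services 5 ,
+.Xr reboot 8 ,
+.Xr syslogd 8 ,
+.Xr sysctl 8
+.Sh BUGS
+.Pp
+.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
+.Pp
+This program can put your computer in rather unusable state. When
+using it for the first time, work on the console of the computer, and
+do
+.Em NOT
+do anything you don't understand.
+.Pp
+When manipulating/adding chain entries, service and protocol names are
+not accepted.
+.Sh AUTHORS
+Ugen J. S. Antsilevich,
+Poul-Henning Kamp,
+Alex Nash,
+Archie Cobbs.
+API based upon code written by Daniel Boulet for BSDI.
+.Sh HISTORY
+.Nm
+first appeared in
+.Fx 2.0 .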
1290
sbin/ip6fw/ip6fw.c
Normal file
1290
sbin/ip6fw/ip6fw.c
Normal file
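--- a/sbin/ip6fw/sample.sh
+++ b/sbin/ip6fw/sample.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -
+# $FreeBSD$
+
+fwcmd=/usr/local/v6/sbin/ip6fw
+
+$fwcmd -f flush
+
+#
+# loopback
+#
+$fwcmd add 1000 pass all from any to any via lo0
+
+#
+# ND
+#
+# DAD
+$fwcmd add 2000 pass ipv6-icmp from ff02::/16 to ::
+$fwcmd add 2100 pass ipv6-icmp from :: to ff02::/16
+# RS, RA, NS, NA, redirect...
+$fwcmd add 2300 pass ipv6-icmp from fe80::/10 to fe80::/10
+$fwcmd add 2400 pass ipv6-icmp from fe80::/10 to ff02::/16
+
+$fwcmd add 5000 pass tcp from any to any established
+
+# RIPng
+$fwcmd add 6000 pass udp from fe80::/10 521 to ff02::9 521
+
+$fwcmd add 65000 pass log all from any to any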
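Review bot: `fwcmd=/usr/local/v6/sbin/ip6fw` points at the KAME add-on install prefix, but this commit builds the utility under sbin/, so on the system it now ships with the sample fails at the first line with "not found"; use `fwcmd=/sbin/ip6fw`. The closing `$fwcmd add 65000 pass log all from any to any` turns the script into a log-everything, accept-all policy that silently overrides the default-deny rule 65535 ip6fw(8) documents, so a comment such as `# NOTE: rule 65000 accepts everything; this is an accounting/logging sample, not a protective ruleset` would stop it being deployed as one. Rule 2000, `pass ipv6-icmp from ff02::/16 to ::`, appears to be dead: packets are never sourced from a multicast address, DAD probes are sourced from `::` (rule 2100 covers them) and their replies come from link-local addresses (rules 2300/2400).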
@ -525,6 +525,10 @@ options IPFIREWALL_VERBOSE #print information about
|
||||
options IPFIREWALL_FORWARD #enable transparent proxy support
|
||||
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
|
||||
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
|
||||
options IPV6FIREWALL #firewall for IPv6
|
||||
options IPV6FIREWALL_VERBOSE
|
||||
options IPV6FIREWALL_VERBOSE_LIMIT=100
|
||||
options IPV6FIREWALL_DEFAULT_TO_ACCEPT
|
||||
options IPDIVERT #divert sockets
|
||||
options IPFILTER #ipfilter support
|
||||
options IPFILTER_LOG #ipfilter logging
|
||||
|
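Review bot: The three new `IPV6FIREWALL_VERBOSE`, `IPV6FIREWALL_VERBOSE_LIMIT=100` and `IPV6FIREWALL_DEFAULT_TO_ACCEPT` lines are the only ones in this block with no trailing explanation, while every IPFIREWALL_* neighbour documents itself; LINT is the config people grep for what an option does, so mirror them, e.g. `options IPV6FIREWALL_DEFAULT_TO_ACCEPT #allow everything by default`. That last option inverts the default-deny policy ip6fw(8) documents, so its comment is also the place to say it is enabled here for build coverage and should not be copied into a production config unthinkingly. The same hunk is repeated for two more LINT files below and needs the same treatment.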
@ -721,6 +721,7 @@ netinet6/in6.c optional inet6
|
||||
netinet6/in6_cksum.c optional inet6
|
||||
netinet6/in6_gif.c optional gif inet6
|
||||
netinet6/ip6_forward.c optional inet6
|
||||
netinet6/ip6_fw.c optional inet6
|
||||
netinet6/in6_ifattach.c optional inet6
|
||||
netinet6/ip6_input.c optional inet6
|
||||
netinet6/ip6_mroute.c optional inet6
|
||||
|
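Review bot: `netinet6/ip6_fw.c optional inet6` links the IPv6 firewall into every INET6 kernel whether or not IPV6FIREWALL was configured, even though the `opt_ip6fw.h` mapping added in this commit shows the option was meant to gate it. Unless the whole of ip6_fw.c is wrapped in `#ifdef IPV6FIREWALL` (the file is not in view here), use the conjunction form already used two lines above for `in6_gif.c`: `netinet6/ip6_fw.c optional ipv6firewall inet6`, so the filter code and its raw-socket control path are absent from kernels that did not ask for them.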
@ -251,6 +251,10 @@ IPFIREWALL_VERBOSE opt_ipfw.h
|
||||
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
|
||||
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
|
||||
IPFIREWALL_FORWARD opt_ipfw.h
|
||||
IPV6FIREWALL opt_ip6fw.h
|
||||
IPV6FIREWALL_VERBOSE opt_ip6fw.h
|
||||
IPV6FIREWALL_VERBOSE_LIMIT opt_ip6fw.h
|
||||
IPV6FIREWALL_DEFAULT_TO_ACCEPT opt_ip6fw.h
|
||||
IPSTEALTH
|
||||
IPX opt_ipx.h
|
||||
IPXIP opt_ipx.h
|
||||
|
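Review bot: The option names introduced here, `IPV6FIREWALL_VERBOSE` and `IPV6FIREWALL_VERBOSE_LIMIT`, do not match the names the new ip6fw(8) tells users to compile with (`IP6FIREWALL_VERBOSE` and `IP6FIREWALL_VERBOSE_LIMIT`), so a kernel built by following the man page will have `log` rules that never log. Since the generated header is `opt_ip6fw.h` and LINT already uses the IPV6FIREWALL_ spelling, the man page is the side to correct; either way the two must agree before this ships in 4.0.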
@ -525,6 +525,10 @@ options IPFIREWALL_VERBOSE #print information about
|
||||
options IPFIREWALL_FORWARD #enable transparent proxy support
|
||||
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
|
||||
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
|
||||
options IPV6FIREWALL #firewall for IPv6
|
||||
options IPV6FIREWALL_VERBOSE
|
||||
options IPV6FIREWALL_VERBOSE_LIMIT=100
|
||||
options IPV6FIREWALL_DEFAULT_TO_ACCEPT
|
||||
options IPDIVERT #divert sockets
|
||||
options IPFILTER #ipfilter support
|
||||
options IPFILTER_LOG #ipfilter logging
|
||||
|
@ -525,6 +525,10 @@ options IPFIREWALL_VERBOSE #print information about
|
||||
options IPFIREWALL_FORWARD #enable transparent proxy support
|
||||
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
|
||||
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
|
||||
options IPV6FIREWALL #firewall for IPv6
|
||||
options IPV6FIREWALL_VERBOSE
|
||||
options IPV6FIREWALL_VERBOSE_LIMIT=100
|
||||
options IPV6FIREWALL_DEFAULT_TO_ACCEPT
|
||||
options IPDIVERT #divert sockets
|
||||
options IPFILTER #ipfilter support
|
||||
options IPFILTER_LOG #ipfilter logging
|
||||
|
1171
sys/netinet6/ip6_fw.c
Normal file
1171
sys/netinet6/ip6_fw.c
Normal file
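--- a/sys/netinet6/ip6_fw.h
+++ b/sys/netinet6/ip6_fw.h
@@ -0,0 +1,202 @@
+/*
+ * Copyright (c) 1993 Daniel Boulet
+ * Copyright (c) 1994 Ugen J.S.Antsilevich
+ *
+ * Redistribution and use in source forms, with and without modification,
+ * are permitted provided that this entire comment appears intact.
+ *
+ * Redistribution in binary form may occur without any restrictions.
+ * Obviously, it would be nice if you gave credit where credit is due
+ * but requiring it would be too onerous.
+ *
+ * This software is provided ``AS IS'' without any warranties of any kind.
+ *
+ * $Id: ip6_fw.h,v 1.1 1999/08/06 14:10:09 itojun Exp $
+ * $FreeBSD$
+ */
+
+#ifndef _IP6_FW_H
+#define _IP6_FW_H
+
+#include <net/if.h>
+
+/*
+ * This union structure identifies an interface, either explicitly
+ * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
+ * and IP_FW_F_OIFNAME say how to interpret this structure. An
+ * interface unit number of -1 matches any unit number, while an
+ * IP address of 0.0.0.0 indicates matches any interface.
+ *
+ * The receive and transmit interfaces are only compared against the
+ * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
+ * is set. Note some packets lack a receive or transmit interface
+ * (in which case the missing "interface" never matches).
+ */
+
+union ip6_fw_if {
+	struct in6_addr fu_via_ip6; /* Specified by IPv6 address */
+	struct { /* Specified by interface name */
+#define FW_IFNLEN IFNAMSIZ
+		char name[FW_IFNLEN];
+		short unit; /* -1 means match any unit */
+	} fu_via_if;
+};
+
+/*
+ * Format of an IP firewall descriptor
+ *
+ * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
+ * fw_flg and fw_n*p are stored in host byte order (of course).
+ * Port numbers are stored in HOST byte order.
+ * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
+ */
+
+struct ip6_fw {
+	u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */
+	struct in6_addr fw_src, fw_dst; /* Source and destination IPv6 addr */
+	/* Mask for src and dest IPv6 addr */
+	struct in6_addr fw_smsk, fw_dmsk;
+	u_short fw_number; /* Rule number */
+	u_short fw_flg; /* Flags word */
+#define IPV6_FW_MAX_PORTS 10 /* A reasonable maximum */
+	/* Array of port numbers to match */
+	u_short fw_pts[IPV6_FW_MAX_PORTS];
+	u_char fw_ip6opt,fw_ip6nopt; /* IPv6 options set/unset */
+	u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
+#define IPV6_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))
+	/* ICMP types bitmap */
+	unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM];
+	long timestamp; /* timestamp (tv_sec) of last match */
+	/* Incoming and outgoing interfaces */
+	union ip6_fw_if fw_in_if, fw_out_if;
+	union {
+		u_short fu_divert_port; /* Divert/tee port (options IP6DIVERT) */
+		u_short fu_skipto_rule; /* SKIPTO command rule number */
+		u_short fu_reject_code; /* REJECT response code */
+	} fw_un;
+	u_char fw_prot; /* IPv6 protocol */
+	u_char fw_nports; /* N'of src ports and # of dst ports */
+	/* in ports array (dst ports follow */
+	/* src ports; max of 10 ports in all; */
+	/* count of 0 means match all ports) */
+};
+
+#define IPV6_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
+#define IPV6_FW_SETNSRCP(rule, n) do { \
+	(rule)->fw_nports &= ~0x0f; \
+	(rule)->fw_nports |= (n); \
+} while (0)
+#define IPV6_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
+#define IPV6_FW_SETNDSTP(rule, n) do { \
+	(rule)->fw_nports &= ~0xf0; \
+	(rule)->fw_nports |= (n) << 4;\
+} while (0)
+
+#define fw_divert_port fw_un.fu_divert_port
+#define fw_skipto_rule fw_un.fu_skipto_rule
+#define fw_reject_code fw_un.fu_reject_code
+
+struct ip6_fw_chain {
+	LIST_ENTRY(ip6_fw_chain) chain;
+	struct ip6_fw *rule;
+};
+
+/*
+ * Values for "flags" field .
+ */
+#define IPV6_FW_F_IN 0x0001 /* Check inbound packets */
+#define IPV6_FW_F_OUT 0x0002 /* Check outbound packets */
+#define IPV6_FW_F_IIFACE 0x0004 /* Apply inbound interface test */
+#define IPV6_FW_F_OIFACE 0x0008 /* Apply outbound interface test */
+
+#define IPV6_FW_F_COMMAND 0x0070 /* Mask for type of chain entry: */
+#define IPV6_FW_F_DENY 0x0000 /* This is a deny rule */
+#define IPV6_FW_F_REJECT 0x0010 /* Deny and send a response packet */
+#define IPV6_FW_F_ACCEPT 0x0020 /* This is an accept rule */
+#define IPV6_FW_F_COUNT 0x0030 /* This is a count rule */
+#define IPV6_FW_F_DIVERT 0x0040 /* This is a divert rule */
+#define IPV6_FW_F_TEE 0x0050 /* This is a tee rule */
+#define IPV6_FW_F_SKIPTO 0x0060 /* This is a skipto rule */
+
+#define IPV6_FW_F_PRN 0x0080 /* Print if this rule matches */
+
+#define IPV6_FW_F_SRNG 0x0100 /* The first two src ports are a min *
+ * and max range (stored in host byte *
+ * order). */
+
+#define IPV6_FW_F_DRNG 0x0200 /* The first two dst ports are a min *
+ * and max range (stored in host byte *
+ * order). */
+
+/* In interface by name/unit (not IP) */
+#define IPV6_FW_F_IIFNAME 0x0400
+/* Out interface by name/unit (not IP) */
+#define IPV6_FW_F_OIFNAME 0x0800
+
+#define IPV6_FW_F_INVSRC 0x1000 /* Invert sense of src check */
+#define IPV6_FW_F_INVDST 0x2000 /* Invert sense of dst check */
+
+#define IPV6_FW_F_FRAG 0x4000 /* Fragment */
+
+#define IPV6_FW_F_ICMPBIT 0x8000 /* ICMP type bitmap is valid */
+
+#define IPV6_FW_F_MASK 0xFFFF /* All possible flag bits mask */
+
+/*
+ * For backwards compatibility with rules specifying "via iface" but
+ * not restricted to only "in" or "out" packets, we define this combination
+ * of bits to represent this configuration.
+ */
+
+#define IF6_FW_F_VIAHACK (IPV6_FW_F_IN|IPV6_FW_F_OUT|IPV6_FW_F_IIFACE|\
+	IPV6_FW_F_OIFACE)
+
+/*
+ * Definitions for REJECT response codes.
+ * Values less than 256 correspond to ICMP unreachable codes.
+ */
+#define IPV6_FW_REJECT_RST 0x0100 /* TCP packets: send RST */
+
+/*
+ * Definitions for IPv6 option names.
+ */
+#define IPV6_FW_IP6OPT_HOPOPT 0x01
+#define IPV6_FW_IP6OPT_ROUTE 0x02
+#define IPV6_FW_IP6OPT_FRAG 0x04
+#define IPV6_FW_IP6OPT_ESP 0x08
+#define IPV6_FW_IP6OPT_AH 0x10
+#define IPV6_FW_IP6OPT_NONXT 0x20
+#define IPV6_FW_IP6OPT_OPTS 0x40
+
+/*
+ * Definitions for TCP flags.
+ */
+#define IPV6_FW_TCPF_FIN TH_FIN
+#define IPV6_FW_TCPF_SYN TH_SYN
+#define IPV6_FW_TCPF_RST TH_RST
+#define IPV6_FW_TCPF_PSH TH_PUSH
+#define IPV6_FW_TCPF_ACK TH_ACK
+#define IPV6_FW_TCPF_URG TH_URG
+#define IPV6_FW_TCPF_ESTAB 0x40
+
+/*
+ * Main firewall chains definitions and global var's definitions.
+ */
+#ifdef _KERNEL
+
+/*
+ * Function definitions.
+ */
+void ip6_fw_init(void);
+
+/* Firewall hooks */
+struct ip6_hdr;
+typedef int ip6_fw_chk_t __P((struct ip6_hdr**, struct ifnet*,
+	u_short *, struct mbuf**));
+typedef int ip6_fw_ctl_t __P((int, struct mbuf**));
+extern ip6_fw_chk_t *ip6_fw_chk_ptr;
+extern ip6_fw_ctl_t *ip6_fw_ctl_ptr;
+
+#endif /* _KERNEL */
+
+#endif /* _IP6_FW_H */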
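Review bot: `#define IPV6_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))` gives fw_icmp6types a single 32-bit word, so the icmptypes bitmap can represent ICMPv6 types 0-31 only, yet every informational ICMPv6 type (echo request 128, router advertisement 134, neighbour solicitation 135, ...) is 128 or above; an `icmptypes 128` rule is either unrepresentable or, if the control path in ip6_fw.c (not in view here) does not bound the bit index, an out-of-range write into struct ip6_fw. Size it for the whole type space, `#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))`, and make the kernel-side setsockopt validation and ip6fw(8) agree on a 0-255 range. Several comments are still the IPv4 originals and now mislead: the union comment names `IP_FW_F_IIFNAME`/`IP_FW_F_OIFNAME` and `0.0.0.0` where this header defines `IPV6_FW_F_IIFNAME`/`IPV6_FW_F_OIFNAME` and the all-zero wildcard is `::`, and the `sizeof(struct ip_fw) > MLEN (108)` warning cannot hold for a struct that embeds four in6_addr, so it needs re-deriving for struct ip6_fw or dropping. The new ip6fw(8) also cites `IP6_FW_MAX_PORTS` while this header defines `IPV6_FW_MAX_PORTS`.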
@ -65,6 +65,7 @@
|
||||
*/
|
||||
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_ip6fw.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
@ -65,6 +65,7 @@
|
||||
*/
|
||||
|
||||
#include "opt_ipsec.h"
|
||||
#include "opt_ip6fw.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/malloc.h>
|
||||
|