Remove ip6fw. Since ipfw has full functional IPv6 support now and - in
contrast to ip6fw - is properly locked, it is time to retire ip6fw.
This commit is contained in:
parent
b0d081a0b4
commit
656faadcb8
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=158500
|
@ -38,7 +38,6 @@ SUBDIR= adjkerntz \
|
|||
gvinum \
|
||||
ifconfig \
|
||||
init \
|
||||
${_ip6fw} \
|
||||
${_ipf} \
|
||||
ipfw \
|
||||
kldconfig \
|
||||
|
@ -112,7 +111,6 @@ _pflogd= pflogd
|
|||
.endif
|
||||
|
||||
.if ${MK_INET6} != "no"
|
||||
_ip6fw= ip6fw
|
||||
_ping6= ping6
|
||||
.endif
|
||||
|
||||
|
|
|
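--- a/sbin/ip6fw/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# $FreeBSD$
-
-PROG= ip6fw
-WARNS?= 2
-MAN= ip6fw.8
-
-.include <bsd.prog.mk>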
@ -1,582 +0,0 @@
|
|||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.\" $KAME$
|
||||
.\"
|
||||
.\" Copyright (C) 1998, 1999, 2000 and 2001 WIDE Project.
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\" 3. Neither the name of the project nor the names of its contributors
|
||||
.\" may be used to endorse or promote products derived from this software
|
||||
.\" without specific prior written permission.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd March 13, 2000
|
||||
.Dt IP6FW 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm ip6fw
|
||||
.Nd controlling utility for IPv6 firewall
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Fl nq
|
||||
.Oo
|
||||
.Fl p Ar preproc
|
||||
.Oo Fl D
|
||||
.Ar macro Ns Op = Ns Ar value
|
||||
.Oc
|
||||
.Op Fl U Ar macro
|
||||
.Oc
|
||||
.Ar pathname
|
||||
.Nm
|
||||
.Op Fl n
|
||||
.Op Fl f | Fl q
|
||||
flush
|
||||
.Nm
|
||||
.Op Fl nq
|
||||
zero
|
||||
.Op Ar number ...
|
||||
.Nm
|
||||
.Op Fl n
|
||||
delete
|
||||
.Ar number ...
|
||||
.Nm
|
||||
.Op Fl aftN
|
||||
list
|
||||
.Op Ar number ...
|
||||
.Nm
|
||||
.Op Fl ftN
|
||||
show
|
||||
.Op Ar number ...
|
||||
.Nm
|
||||
.Op Fl nq
|
||||
add
|
||||
.Op Ar number
|
||||
.Ar action
|
||||
.Op log
|
||||
.Ar proto
|
||||
from
|
||||
.Ar src
|
||||
to
|
||||
.Ar dst
|
||||
.Op via Ar name | ipv6no
|
||||
.Op Ar options
|
||||
.Sh DESCRIPTION
|
||||
To ease configuration, rules can be put into a file which is
|
||||
processed using
|
||||
.Nm
|
||||
as shown in the first synopsis line.
|
||||
An absolute
|
||||
.Ar pathname
|
||||
must be used.
|
||||
The file
|
||||
will be read line by line and applied as arguments to the
|
||||
.Nm
|
||||
utility.
|
||||
.Pp
|
||||
Optionally, a preprocessor can be specified using
|
||||
.Fl p Ar preproc
|
||||
where
|
||||
.Ar pathname
|
||||
is to be piped through.
|
||||
Useful preprocessors include
|
||||
.Xr cpp 1
|
||||
and
|
||||
.Xr m4 1 .
|
||||
If
|
||||
.Ar preproc
|
||||
does not start with a slash
|
||||
.Pq Ql /
|
||||
as its first character, the usual
|
||||
.Ev PATH
|
||||
name search is performed.
|
||||
Care should be taken with this in environments where not all
|
||||
file systems are mounted (yet) by the time
|
||||
.Nm
|
||||
is being run (e.g.\& when they are mounted over NFS).
|
||||
Once
|
||||
.Fl p
|
||||
has been specified, optional
|
||||
.Fl D
|
||||
and
|
||||
.Fl U
|
||||
specifications can follow and will be passed on to the preprocessor.
|
||||
This allows for flexible configuration files (like conditionalizing
|
||||
them on the local hostname) and the use of macros to centralize
|
||||
frequently required arguments like IP addresses.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
code works by going through the rule-list for each packet,
|
||||
until a match is found.
|
||||
All rules have two associated counters, a packet count and
|
||||
a byte count.
|
||||
These counters are updated when a packet matches the rule.
|
||||
.Pp
|
||||
The rules are ordered by a
|
||||
.Dq line-number
|
||||
from 1 to 65534 that is used
|
||||
to order and delete rules.
|
||||
Rules are tried in increasing order, and the
|
||||
first rule that matches a packet applies.
|
||||
Multiple rules may share the same number and apply in
|
||||
the order in which they were added.
|
||||
.Pp
|
||||
If a rule is added without a number, it is numbered 100 higher
|
||||
than the previous rule.
|
||||
If the highest defined rule number is
|
||||
greater than 65434, new rules are appended to the last rule.
|
||||
.Pp
|
||||
The delete operation deletes the first rule with number
|
||||
.Ar number ,
|
||||
if any.
|
||||
.Pp
|
||||
The list command prints out the current rule set.
|
||||
.Pp
|
||||
The show command is equivalent to `ip6fw -a list'.
|
||||
.Pp
|
||||
The zero operation zeroes the counters associated with rule number
|
||||
.Ar number .
|
||||
.Pp
|
||||
The flush operation removes all rules.
|
||||
.Pp
|
||||
Any command beginning with a
|
||||
.Sq # ,
|
||||
or being all blank, is ignored.
|
||||
.Pp
|
||||
One rule is always present:
|
||||
.Bd -literal -offset center
|
||||
65535 deny all from any to any
|
||||
.Ed
|
||||
.Pp
|
||||
This rule is the default policy, i.e., do not allow anything at all.
|
||||
Your job in setting up rules is to modify this policy to match your
|
||||
needs.
|
||||
.Pp
|
||||
The following options are available:
|
||||
.Bl -tag -width flag
|
||||
.It Fl a
|
||||
While listing, show counter values.
|
||||
See also
|
||||
.Dq show
|
||||
command.
|
||||
.It Fl f
|
||||
Do not ask for confirmation for commands that can cause problems if misused
|
||||
(ie; flush).
|
||||
.Ar Note ,
|
||||
if there is no tty associated with the process, this is implied.
|
||||
.It Fl n
|
||||
Only check syntax of the command strings,
|
||||
without actually passing them into the kernel.
|
||||
.It Fl q
|
||||
While adding, zeroing or flushing, be quiet about actions (implies '-f').
|
||||
This is useful for adjusting rules by executing multiple ip6fw commands in a
|
||||
script (e.g.\& sh /etc/rc.firewall), or by processing a file of many ip6fw rules,
|
||||
across a remote login session.
|
||||
If a flush is performed in normal
|
||||
(verbose) mode, it prints a message.
|
||||
Because all rules are flushed, the
|
||||
message cannot be delivered to the login session, the login session is
|
||||
closed and the remainder of the ruleset is not processed.
|
||||
Access to the
|
||||
console is required to recover.
|
||||
.It Fl t
|
||||
While listing, show last match timestamp.
|
||||
.It Fl N
|
||||
Try to resolve addresses and service names in output.
|
||||
.El
|
||||
.Pp
|
||||
.Ar action :
|
||||
.Bl -hang -offset flag -width 16n
|
||||
.It Ar allow
|
||||
Allow packets that match rule.
|
||||
The search terminates.
|
||||
Aliases are
|
||||
.Ar pass ,
|
||||
.Ar permit ,
|
||||
and
|
||||
.Ar accept .
|
||||
.It Ar deny
|
||||
Discard packets that match this rule.
|
||||
The search terminates.
|
||||
.Ar Drop
|
||||
is an alias for
|
||||
.Ar deny .
|
||||
.It Ar reject
|
||||
(Deprecated.)
|
||||
Discard packets that match this rule, and try to send an ICMPv6
|
||||
host unreachable notice.
|
||||
The search terminates.
|
||||
.It Ar unreach code
|
||||
Discard packets that match this rule, and try to send an ICMPv6
|
||||
unreachable notice with code
|
||||
.Ar code ,
|
||||
where
|
||||
.Ar code
|
||||
is a number from zero to 255, or one of these aliases:
|
||||
.Ar noroute ,
|
||||
.Ar admin ,
|
||||
.Ar notneighbor ,
|
||||
.Ar addr ,
|
||||
or
|
||||
.Ar noport ,
|
||||
The search terminates.
|
||||
.It Ar reset
|
||||
TCP packets only.
|
||||
Discard packets that match this rule,
|
||||
and try to send a TCP reset (RST) notice.
|
||||
The search terminates
|
||||
.It Ar count
|
||||
Update counters for all packets that match rule.
|
||||
The search continues with the next rule.
|
||||
.It Ar skipto number
|
||||
Skip all subsequent rules numbered less than
|
||||
.Ar number .
|
||||
The search continues with the first rule numbered
|
||||
.Ar number
|
||||
or higher.
|
||||
.El
|
||||
.Pp
|
||||
If the kernel was compiled with
|
||||
.Dv IPV6FIREWALL_VERBOSE ,
|
||||
then when a packet matches a rule with the
|
||||
.Dq log
|
||||
keyword or a clear/resetlog is performed, a message will be logged to
|
||||
.Xr syslogd 8 ,
|
||||
or, if that fails, to the console.
|
||||
If the kernel was compiled with the
|
||||
.Dv IPV6FIREWALL_VERBOSE_LIMIT
|
||||
option, then logging will cease after the number of packets
|
||||
specified by the option are received for that particular
|
||||
chain entry.
|
||||
When this limit is reached, the limit and rule number will be logged.
|
||||
Logging may then be re-enabled by clearing
|
||||
the packet counter for that entry.
|
||||
.Pp
|
||||
The
|
||||
.Xr syslogd 8
|
||||
logging and the default log limit are adjustable dynamically through the
|
||||
.Xr sysctl 8
|
||||
interface.
|
||||
.Pp
|
||||
.Ar proto :
|
||||
.Bl -hang -offset flag -width 16n
|
||||
.It Ar ipv6
|
||||
All packets match.
|
||||
The alias
|
||||
.Ar all
|
||||
has the same effect.
|
||||
.It Ar tcp
|
||||
Only TCP packets match.
|
||||
.It Ar udp
|
||||
Only UDP packets match.
|
||||
.It Ar ipv6-icmp
|
||||
Only ICMPv6 packets match.
|
||||
.It Ar <number|name>
|
||||
Only packets for the specified protocol matches (see
|
||||
.Pa /etc/protocols
|
||||
for a complete list).
|
||||
.El
|
||||
.Pp
|
||||
.Ar src
|
||||
and
|
||||
.Ar dst :
|
||||
.Bl -hang -offset flag
|
||||
.It Ar <address/prefixlen>
|
||||
.Op Ar ports
|
||||
.El
|
||||
.Pp
|
||||
The
|
||||
.Em <address/prefixlen>
|
||||
may be specified as:
|
||||
.Bl -hang -offset flag -width 16n
|
||||
.It Ar ipv6no
|
||||
An ipv6number of the form
|
||||
.Li fec0::1:2:3:4 .
|
||||
.It Ar ipv6no/prefixlen
|
||||
An ipv6number with a prefix length of the form
|
||||
.Li fec0::1:2:3:4/112 .
|
||||
.El
|
||||
.Pp
|
||||
The sense of the match can be inverted by preceding an address with the
|
||||
.Dq not
|
||||
modifier, causing all other addresses to be matched instead.
|
||||
This
|
||||
does not affect the selection of port numbers.
|
||||
.Pp
|
||||
With the TCP and UDP protocols, optional
|
||||
.Em ports
|
||||
may be specified as:
|
||||
.Pp
|
||||
.Bl -hang -offset flag
|
||||
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
|
||||
.El
|
||||
.Pp
|
||||
Service names (from
|
||||
.Pa /etc/services )
|
||||
may be used instead of numeric port values.
|
||||
A range may only be specified as the first value,
|
||||
and the length of the port list is limited to
|
||||
.Dv IPV6_FW_MAX_PORTS
|
||||
(as defined in
|
||||
.In netinet6/ip6_fw.h )
|
||||
ports.
|
||||
.Pp
|
||||
Fragmented packets which have a non-zero offset (i.e., not the first
|
||||
fragment) will never match a rule which has one or more port
|
||||
specifications.
|
||||
See the
|
||||
.Ar frag
|
||||
option for details on matching fragmented packets.
|
||||
.Pp
|
||||
Rules can apply to packets when they are incoming, or outgoing, or both.
|
||||
The
|
||||
.Ar in
|
||||
keyword indicates the rule should only match incoming packets.
|
||||
The
|
||||
.Ar out
|
||||
keyword indicates the rule should only match outgoing packets.
|
||||
.Pp
|
||||
To match packets going through a certain interface, specify
|
||||
the interface using
|
||||
.Ar via :
|
||||
.Bl -hang -offset flag -width 16n
|
||||
.It Ar via ifX
|
||||
Packet must be going through interface
|
||||
.Ar ifX .
|
||||
.It Ar via if*
|
||||
Packet must be going through interface
|
||||
.Ar ifX ,
|
||||
where X is any unit number.
|
||||
.It Ar via any
|
||||
Packet must be going through
|
||||
.Em some
|
||||
interface.
|
||||
.It Ar via ipv6no
|
||||
Packet must be going through the interface having IPv6 address
|
||||
.Ar ipv6no .
|
||||
.El
|
||||
.Pp
|
||||
The
|
||||
.Ar via
|
||||
keyword causes the interface to always be checked.
|
||||
If
|
||||
.Ar recv
|
||||
or
|
||||
.Ar xmit
|
||||
is used instead of
|
||||
.Ar via ,
|
||||
then the only receive or transmit interface (respectively) is checked.
|
||||
By specifying both, it is possible to match packets based on both receive
|
||||
and transmit interface, e.g.:
|
||||
.Pp
|
||||
.Dl "ip6fw add 100 deny ip from any to any out recv ed0 xmit ed1"
|
||||
.Pp
|
||||
The
|
||||
.Ar recv
|
||||
interface can be tested on either incoming or outgoing packets, while the
|
||||
.Ar xmit
|
||||
interface can only be tested on outgoing packets.
|
||||
So
|
||||
.Ar out
|
||||
is required (and
|
||||
.Ar in
|
||||
invalid) whenever
|
||||
.Ar xmit
|
||||
is used.
|
||||
Specifying
|
||||
.Ar via
|
||||
together with
|
||||
.Ar xmit
|
||||
or
|
||||
.Ar recv
|
||||
is invalid.
|
||||
.Pp
|
||||
A packet may not have a receive or transmit interface: packets originating
|
||||
from the local host have no receive interface, while packets destined for
|
||||
the local host have no transmit interface.
|
||||
.Pp
|
||||
Additional
|
||||
.Ar options :
|
||||
.Bl -hang -offset flag -width 16n
|
||||
.It frag
|
||||
Matches if the packet is a fragment and this is not the first fragment
|
||||
of the datagram.
|
||||
.Ar frag
|
||||
may not be used in conjunction with either
|
||||
.Ar tcpflags
|
||||
or TCP/UDP port specifications.
|
||||
.It in
|
||||
Matches if this packet was on the way in.
|
||||
.It out
|
||||
Matches if this packet was on the way out.
|
||||
.It ipv6options Ar spec
|
||||
Matches if the IPv6 header contains the comma separated list of
|
||||
options specified in
|
||||
.Ar spec .
|
||||
The supported IPv6 options are:
|
||||
.Ar hopopt
|
||||
(hop-by-hop options header),
|
||||
.Ar route
|
||||
(routing header),
|
||||
.Ar frag
|
||||
(fragment header),
|
||||
.Ar esp
|
||||
(encapsulating security payload),
|
||||
.Ar ah
|
||||
(authentication header),
|
||||
.Ar nonxt
|
||||
(no next header), and
|
||||
.Ar opts
|
||||
(destination options header).
|
||||
The absence of a particular option may be denoted
|
||||
with a
|
||||
.Dq \&!
|
||||
.Em ( "not working yet" ) .
|
||||
.It established
|
||||
Matches packets that have the RST or ACK bits set.
|
||||
TCP packets only.
|
||||
.It setup
|
||||
Matches packets that have the SYN bit set but no ACK bit.
|
||||
TCP packets only.
|
||||
.It tcpflags Ar spec
|
||||
Matches if the TCP header contains the comma separated list of
|
||||
flags specified in
|
||||
.Ar spec .
|
||||
The supported TCP flags are:
|
||||
.Ar fin ,
|
||||
.Ar syn ,
|
||||
.Ar rst ,
|
||||
.Ar psh ,
|
||||
.Ar ack ,
|
||||
and
|
||||
.Ar urg .
|
||||
The absence of a particular flag may be denoted
|
||||
with a
|
||||
.Dq \&! .
|
||||
A rule which contains a
|
||||
.Ar tcpflags
|
||||
specification can never match a fragmented packet which has
|
||||
a non-zero offset.
|
||||
See the
|
||||
.Ar frag
|
||||
option for details on matching fragmented packets.
|
||||
.It icmptypes Ar types
|
||||
Matches if the ICMPv6 type is in the list
|
||||
.Ar types .
|
||||
The list may be specified as any combination of ranges
|
||||
or individual types separated by commas.
|
||||
.El
|
||||
.Sh CHECKLIST
|
||||
Here are some important points to consider when designing your
|
||||
rules:
|
||||
.Bl -bullet -offset flag
|
||||
.It
|
||||
Remember that you filter both packets going in and out.
|
||||
Most connections need packets going in both directions.
|
||||
.It
|
||||
Remember to test very carefully.
|
||||
It is a good idea to be near the console when doing this.
|
||||
.It
|
||||
Do not forget the loopback interface.
|
||||
.El
|
||||
.Sh FINE POINTS
|
||||
There is one kind of packet that the firewall will always discard,
|
||||
that is an IPv6 fragment with a fragment offset of one.
|
||||
This is a valid packet, but it only has one use, to try to circumvent
|
||||
firewalls.
|
||||
.Pp
|
||||
If you are logged in over a network, loading the KLD version of
|
||||
.Nm
|
||||
is probably not as straightforward as you would think
|
||||
.Em ( "not supported" ) .
|
||||
I recommend this command line:
|
||||
.Bd -literal -offset center
|
||||
kldload ip6fw && \e
|
||||
ip6fw add 32000 allow all from any to any
|
||||
.Ed
|
||||
.Pp
|
||||
Along the same lines, doing an
|
||||
.Bd -literal -offset center
|
||||
ip6fw flush
|
||||
.Ed
|
||||
.Pp
|
||||
in similar surroundings is also a bad idea.
|
||||
.Sh PACKET DIVERSION
|
||||
not supported.
|
||||
.Sh EXAMPLES
|
||||
This command adds an entry which denies all tcp packets from
|
||||
.Em hacker.evil.org
|
||||
to the telnet port of
|
||||
.Em wolf.tambov.su
|
||||
from being forwarded by the host:
|
||||
.Pp
|
||||
.Dl ip6fw add deny tcp from hacker.evil.org to wolf.tambov.su 23
|
||||
.Pp
|
||||
This one disallows any connection from the entire hackers network to
|
||||
my host:
|
||||
.Pp
|
||||
.Dl ip6fw add deny all from fec0::123:45:67:0/112 to my.host.org
|
||||
.Pp
|
||||
Here is a good usage of the list command to see accounting records
|
||||
and timestamp information:
|
||||
.Pp
|
||||
.Dl ip6fw -at l
|
||||
.Pp
|
||||
or in short form without timestamps:
|
||||
.Pp
|
||||
.Dl ip6fw -a l
|
||||
.Sh SEE ALSO
|
||||
.Xr ip 4 ,
|
||||
.Xr ipfirewall 4 ,
|
||||
.Xr protocols 5 ,
|
||||
.Xr services 5 ,
|
||||
.Xr reboot 8 ,
|
||||
.Xr sysctl 8 ,
|
||||
.Xr syslogd 8
|
||||
.Sh HISTORY
|
||||
A
|
||||
.Nm
|
||||
utility first appeared in
|
||||
.Fx 4.0 .
|
||||
.Sh AUTHORS
|
||||
.An Ugen J. S. Antsilevich ,
|
||||
.An Poul-Henning Kamp ,
|
||||
.An Alex Nash ,
|
||||
.An Archie Cobbs .
|
||||
.Pp
|
||||
.An -nosplit
|
||||
API based upon code written by
|
||||
.An Daniel Boulet
|
||||
for BSDI.
|
||||
.Sh BUGS
|
||||
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
|
||||
.Pp
|
||||
This program can put your computer in rather unusable state.
|
||||
When
|
||||
using it for the first time, work on the console of the computer, and
|
||||
do
|
||||
.Em NOT
|
||||
do anything you do not understand.
|
||||
.Pp
|
||||
When manipulating/adding chain entries, service and protocol names are
|
||||
not accepted.
|
1453
sbin/ip6fw/ip6fw.c
1453
sbin/ip6fw/ip6fw.c
|
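--- a/sbin/ip6fw/sample.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh -
-# $FreeBSD$
-
-fwcmd=/sbin/ip6fw
-
-$fwcmd -f flush
-
-#
-# loopback
-#
-$fwcmd add 1000 pass all from any to any via lo0
-
-#
-# ND
-#
-# DAD
-$fwcmd add 2000 pass ipv6-icmp from ff02::/16 to ::
-$fwcmd add 2100 pass ipv6-icmp from :: to ff02::/16
-# RS, RA, NS, NA, redirect...
-$fwcmd add 2300 pass ipv6-icmp from fe80::/10 to fe80::/10
-$fwcmd add 2400 pass ipv6-icmp from fe80::/10 to ff02::/16
-
-$fwcmd add 5000 pass tcp from any to any established
-
-# RIPng
-$fwcmd add 6000 pass udp from fe80::/10 521 to ff02::9 521
-
-$fwcmd add 65000 pass log all from any to any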
@ -1726,7 +1726,6 @@ netinet6/in6_proto.c optional inet6
|
|||
netinet6/in6_rmx.c optional inet6
|
||||
netinet6/in6_src.c optional inet6
|
||||
netinet6/ip6_forward.c optional inet6
|
||||
netinet6/ip6_fw.c optional inet6 ipv6firewall
|
||||
netinet6/ip6_id.c optional inet6
|
||||
netinet6/ip6_input.c optional inet6
|
||||
netinet6/ip6_mroute.c optional inet6
|
||||
|
|
|
@ -366,10 +366,6 @@ IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
|
|||
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
|
||||
IPFIREWALL_FORWARD opt_ipfw.h
|
||||
IPFIREWALL_FORWARD_EXTENDED opt_ipfw.h
|
||||
IPV6FIREWALL opt_ip6fw.h
|
||||
IPV6FIREWALL_VERBOSE opt_ip6fw.h
|
||||
IPV6FIREWALL_VERBOSE_LIMIT opt_ip6fw.h
|
||||
IPV6FIREWALL_DEFAULT_TO_ACCEPT opt_ip6fw.h
|
||||
IPSTEALTH
|
||||
IPX
|
||||
IPXIP opt_ipx.h
|
||||
|
|
|
@ -113,7 +113,6 @@ SUBDIR= ${_3dfx} \
|
|||
if_vlan \
|
||||
${_iir} \
|
||||
${_io} \
|
||||
ip6fw \
|
||||
ipdivert \
|
||||
${_ipfilter} \
|
||||
ipfw \
|
||||
|
|
|
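--- a/sys/modules/ip6fw/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-# $FreeBSD$
-
-.PATH: ${.CURDIR}/../../netinet6
-
-KMOD= ip6fw
-SRCS= ip6_fw.c
-
-CFLAGS+= -DIPV6FIREWALL
-
-#If you want it verbose
-#CFLAGS+= -DIPV6FIREWALL_VERBOSE
-#CFLAGS+= -DIPV6FIREWALL_VERBOSE_LIMIT=100
-#
-#If you want it to pass all packets by default
-#CFLAGS+= -DIPV6FIREWALL_DEFAULT_TO_ACCEPT
-
-.include <bsd.kmod.mk>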
@ -246,8 +246,8 @@
|
|||
* listen/accept (like tcp).
|
||||
*
|
||||
* - header files with defopt (opt_xx.h)
|
||||
* FreeBSD3: opt_{inet,ipsec,ip6fw,altq}.h
|
||||
* FreeBSD4: opt_{inet,inet6,ipsec,ip6fw,altq}.h
|
||||
* FreeBSD3: opt_{inet,ipsec,altq}.h
|
||||
* FreeBSD4: opt_{inet,inet6,ipsec,altq}.h
|
||||
* NetBSD: opt_{inet,ipsec,altq}.h
|
||||
* others: does not use defopt
|
||||
*
|
||||
|
|
|
@ -34,7 +34,6 @@
|
|||
|
||||
#if !defined(KLD_MODULE)
|
||||
#include "opt_ipfw.h"
|
||||
#include "opt_ip6fw.h"
|
||||
#include "opt_ipdn.h"
|
||||
#include "opt_inet.h"
|
||||
#ifndef INET
|
||||
|
|
|
@ -30,7 +30,6 @@
|
|||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "opt_ip6fw.h"
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
|
@ -81,8 +80,6 @@
|
|||
#define IPSEC
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <netinet6/ip6_fw.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
#include <netinet6/ip6protosw.h>
|
||||
|
@ -554,20 +551,6 @@ ip6_forward(m, srcrt)
|
|||
type = ND_REDIRECT;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check with the firewall...
|
||||
*/
|
||||
if (ip6_fw_enable && ip6_fw_chk_ptr) {
|
||||
u_short port = 0;
|
||||
/* If ipfw says divert, we have to just drop packet */
|
||||
if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) {
|
||||
m_freem(m);
|
||||
goto freecopy;
|
||||
}
|
||||
if (!m)
|
||||
goto freecopy;
|
||||
}
|
||||
|
||||
/*
|
||||
* Fake scoped addresses. Note that even link-local source or
|
||||
* destinaion can appear, if the originating node just sends the
|
||||
|
|
|
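--- a/sys/netinet6/ip6_fw.h
+++ /dev/null
@@ -1,231 +0,0 @@
-/* $FreeBSD$ */
-/* $KAME: ip6_fw.h,v 1.9 2001/08/01 04:29:57 sumikawa Exp $ */
-
-/*-
-* Copyright (C) 1998, 1999, 2000 and 2001 WIDE Project.
-* All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions
-* are met:
-* 1. Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* 2. Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-* 3. Neither the name of the project nor the names of its contributors
-* may be used to endorse or promote products derived from this software
-* without specific prior written permission.
-*
-* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-* SUCH DAMAGE.
-*/
-
-/*-
-* Copyright (c) 1993 Daniel Boulet
-* Copyright (c) 1994 Ugen J.S.Antsilevich
-*
-* Redistribution and use in source forms, with and without modification,
-* are permitted provided that this entire comment appears intact.
-*
-* Redistribution in binary form may occur without any restrictions.
-* Obviously, it would be nice if you gave credit where credit is due
-* but requiring it would be too onerous.
-*
-* This software is provided ``AS IS'' without any warranties of any kind.
-*
-*/
-
-#ifndef _IP6_FW_H
-#define _IP6_FW_H
-
-#include <net/if.h>
-
-/*
-* This union structure identifies an interface, either explicitly
-* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
-* and IP_FW_F_OIFNAME say how to interpret this structure. An
-* interface unit number of -1 matches any unit number, while an
-* IP address of 0.0.0.0 indicates matches any interface.
-*
-* The receive and transmit interfaces are only compared against the
-* the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
-* is set. Note some packets lack a receive or transmit interface
-* (in which case the missing "interface" never matches).
-*/
-
-union ip6_fw_if {
-struct in6_addr fu_via_ip6; /* Specified by IPv6 address */
-struct { /* Specified by interface name */
-#define IP6FW_IFNLEN IFNAMSIZ
-char name[IP6FW_IFNLEN];
-short glob; /* Is name a pattern or a name? */
-} fu_via_if;
-};
-
-/*
-* Format of an IP firewall descriptor
-*
-* fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
-* fw_flg and fw_n*p are stored in host byte order (of course).
-* Port numbers are stored in HOST byte order.
-* Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
-*/
-
-struct ip6_fw {
-u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */
-struct in6_addr fw_src, fw_dst; /* Source and destination IPv6 addr */
-struct in6_addr fw_smsk, fw_dmsk; /* Mask for src and dest IPv6 addr */
-u_short fw_number; /* Rule number */
-u_short fw_flg; /* Flags word */
-#define IPV6_FW_MAX_PORTS 10 /* A reasonable maximum */
-u_int fw_ipflg; /* IP flags word */
-u_short fw_pts[IPV6_FW_MAX_PORTS]; /* Array of port numbers to match */
-u_char fw_ip6opt,fw_ip6nopt; /* IPv6 options set/unset */
-u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
-#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
-unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
-long timestamp; /* timestamp (tv_sec) of last match */
-union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */
-union {
-u_short fu_divert_port; /* Divert/tee port (options IP6DIVERT) */
-u_short fu_skipto_rule; /* SKIPTO command rule number */
-u_short fu_reject_code; /* REJECT response code */
-} fw_un;
-u_char fw_prot; /* IPv6 protocol */
-u_char fw_nports; /* N'of src ports and # of dst ports */
-/* in ports array (dst ports follow */
-/* src ports; max of 10 ports in all; */
-/* count of 0 means match all ports) */
-};
-
-#define IPV6_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
-#define IPV6_FW_SETNSRCP(rule, n) do { \
-(rule)->fw_nports &= ~0x0f; \
-(rule)->fw_nports |= (n); \
-} while (/*CONSTCOND*/ 0)
-#define IPV6_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
-#define IPV6_FW_SETNDSTP(rule, n) do { \
-(rule)->fw_nports &= ~0xf0; \
-(rule)->fw_nports |= (n) << 4;\
-} while (/*CONSTCOND*/ 0)
-
-#define fw_divert_port fw_un.fu_divert_port
-#define fw_skipto_rule fw_un.fu_skipto_rule
-#define fw_reject_code fw_un.fu_reject_code
-
-struct ip6_fw_chain {
-LIST_ENTRY(ip6_fw_chain) chain;
-struct ip6_fw *rule;
-};
-
-/*
-* Values for "flags" field .
-*/
-#define IPV6_FW_F_IN 0x0001 /* Check inbound packets */
-#define IPV6_FW_F_OUT 0x0002 /* Check outbound packets */
-#define IPV6_FW_F_IIFACE 0x0004 /* Apply inbound interface test */
-#define IPV6_FW_F_OIFACE 0x0008 /* Apply outbound interface test */
-
-#define IPV6_FW_F_COMMAND 0x0070 /* Mask for type of chain entry: */
-#define IPV6_FW_F_DENY 0x0000 /* This is a deny rule */
-#define IPV6_FW_F_REJECT 0x0010 /* Deny and send a response packet */
-#define IPV6_FW_F_ACCEPT 0x0020 /* This is an accept rule */
-#define IPV6_FW_F_COUNT 0x0030 /* This is a count rule */
-#define IPV6_FW_F_DIVERT 0x0040 /* This is a divert rule */
-#define IPV6_FW_F_TEE 0x0050 /* This is a tee rule */
-#define IPV6_FW_F_SKIPTO 0x0060 /* This is a skipto rule */
-
-#define IPV6_FW_F_PRN 0x0080 /* Print if this rule matches */
-
-#define IPV6_FW_F_SRNG 0x0100 /* The first two src ports are a min *
-* and max range (stored in host byte *
-* order). */
-
-#define IPV6_FW_F_DRNG 0x0200 /* The first two dst ports are a min *
-* and max range (stored in host byte *
-* order). */
-
-#define IPV6_FW_F_IIFNAME 0x0400 /* In interface by name/unit (not IP) */
-#define IPV6_FW_F_OIFNAME 0x0800 /* Out interface by name/unit (not IP) */
-
-#define IPV6_FW_F_INVSRC 0x1000 /* Invert sense of src check */
-#define IPV6_FW_F_INVDST 0x2000 /* Invert sense of dst check */
-
-#define IPV6_FW_F_FRAG 0x4000 /* Fragment */
-
-#define IPV6_FW_F_ICMPBIT 0x8000 /* ICMP type bitmap is valid */
-
-#define IPV6_FW_F_MASK 0xFFFF /* All possible flag bits mask */
-
-/*
-* Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. */
-#define IPV6_FW_IF_TCPEST 0x00000020 /* established TCP connection */
-#define IPV6_FW_IF_TCPMSK 0x00000020 /* mask of all TCP values */
-
-/*
-* For backwards compatibility with rules specifying "via iface" but
-* not restricted to only "in" or "out" packets, we define this combination
-* of bits to represent this configuration.
-*/
-
-#define IF6_FW_F_VIAHACK (IPV6_FW_F_IN|IPV6_FW_F_OUT|IPV6_FW_F_IIFACE|IPV6_FW_F_OIFACE)
-
-/*
-* Definitions for REJECT response codes.
-* Values less than 256 correspond to ICMP unreachable codes.
-*/
-#define IPV6_FW_REJECT_RST 0x0100 /* TCP packets: send RST */
-
-/*
-* Definitions for IPv6 option names.
-*/
-#define IPV6_FW_IP6OPT_HOPOPT 0x01
-#define IPV6_FW_IP6OPT_ROUTE 0x02
-#define IPV6_FW_IP6OPT_FRAG 0x04
-#define IPV6_FW_IP6OPT_ESP 0x08
-#define IPV6_FW_IP6OPT_AH 0x10
-#define IPV6_FW_IP6OPT_NONXT 0x20
-#define IPV6_FW_IP6OPT_OPTS 0x40
-
-/*
-* Definitions for TCP flags.
-*/
-#define IPV6_FW_TCPF_FIN TH_FIN
-#define IPV6_FW_TCPF_SYN TH_SYN
-#define IPV6_FW_TCPF_RST TH_RST
-#define IPV6_FW_TCPF_PSH TH_PUSH
-#define IPV6_FW_TCPF_ACK TH_ACK
-#define IPV6_FW_TCPF_URG TH_URG
-
-/*
-* Main firewall chains definitions and global var's definitions.
-*/
-#ifdef _KERNEL
-
-/*
-* Function definitions.
-*/
-void ip6_fw_init(void);
-
-/* Firewall hooks */
-struct ip6_hdr;
-typedef int ip6_fw_chk_t __P((struct ip6_hdr**, struct ifnet*,
-u_short *, struct mbuf**));
-typedef int ip6_fw_ctl_t __P((int, struct mbuf**));
-extern ip6_fw_chk_t *ip6_fw_chk_ptr;
-extern ip6_fw_ctl_t *ip6_fw_ctl_ptr;
-extern int ip6_fw_enable;
-
-#endif /* _KERNEL */
-
-#endif /* _IP6_FW_H */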
@ -61,7 +61,6 @@
|
|||
* @(#)ip_input.c 8.2 (Berkeley) 1/4/94
|
||||
*/
|
||||
|
||||
#include "opt_ip6fw.h"
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
|
@ -115,8 +114,6 @@
|
|||
#define IPSEC
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <netinet6/ip6_fw.h>
|
||||
|
||||
#include <netinet6/ip6protosw.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
@ -138,11 +135,6 @@ int ip6_ours_check_algorithm;
|
|||
|
||||
struct pfil_head inet6_pfil_hook;
|
||||
|
||||
/* firewall hooks */
|
||||
ip6_fw_chk_t *ip6_fw_chk_ptr;
|
||||
ip6_fw_ctl_t *ip6_fw_ctl_ptr;
|
||||
int ip6_fw_enable = 1;
|
||||
|
||||
struct ip6stat ip6stat;
|
||||
|
||||
static void ip6_init2 __P((void *));
|
||||
|
@ -425,21 +417,6 @@ ip6_input(m)
|
|||
srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
|
||||
|
||||
passin:
|
||||
/*
|
||||
* Check with the firewall...
|
||||
*/
|
||||
if (ip6_fw_enable && ip6_fw_chk_ptr) {
|
||||
u_short port = 0;
|
||||
/* If ipfw says divert, we have to just drop packet */
|
||||
/* use port as a dummy argument */
|
||||
if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
|
||||
m_freem(m);
|
||||
m = NULL;
|
||||
}
|
||||
if (!m)
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* Disambiguate address scope zones (if there is ambiguity).
|
||||
* We first make sure that the original source or destination address
|
||||
|
|
|
@ -61,7 +61,6 @@
|
|||
* @(#)ip_output.c 8.3 (Berkeley) 1/21/94
|
||||
*/
|
||||
|
||||
#include "opt_ip6fw.h"
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
|
@ -106,8 +105,6 @@
|
|||
#include <netipsec/key.h>
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <netinet6/ip6_fw.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
#include <netinet6/ip6protosw.h>
|
||||
|
@ -838,23 +835,6 @@ skip_ipsec2:;
|
|||
in6_clearscope(&ip6->ip6_src);
|
||||
in6_clearscope(&ip6->ip6_dst);
|
||||
|
||||
/*
|
||||
* Check with the firewall...
|
||||
*/
|
||||
if (ip6_fw_enable && ip6_fw_chk_ptr) {
|
||||
u_short port = 0;
|
||||
m->m_pkthdr.rcvif = NULL; /* XXX */
|
||||
/* If ipfw says divert, we have to just drop packet */
|
||||
if ((*ip6_fw_chk_ptr)(&ip6, ifp, &port, &m)) {
|
||||
m_freem(m);
|
||||
goto done;
|
||||
}
|
||||
if (!m) {
|
||||
error = EACCES;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* If the outgoing packet contains a hop-by-hop options header,
|
||||
* it must be examined and processed even by the source node.
|
||||
|
@ -1891,27 +1871,6 @@ do { \
|
|||
break;
|
||||
#endif /* KAME IPSEC */
|
||||
|
||||
case IPV6_FW_ADD:
|
||||
case IPV6_FW_DEL:
|
||||
case IPV6_FW_FLUSH:
|
||||
case IPV6_FW_ZERO:
|
||||
{
|
||||
struct mbuf *m;
|
||||
struct mbuf **mp = &m;
|
||||
|
||||
if (ip6_fw_ctl_ptr == NULL)
|
||||
return EINVAL;
|
||||
/* XXX */
|
||||
if ((error = soopt_getm(sopt, &m)) != 0)
|
||||
break;
|
||||
/* XXX */
|
||||
if ((error = soopt_mcopyin(sopt, m)) != 0)
|
||||
break;
|
||||
error = (*ip6_fw_ctl_ptr)(optname, mp);
|
||||
m = *mp;
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
error = ENOPROTOOPT;
|
||||
break;
|
||||
|
@ -2138,23 +2097,6 @@ do { \
|
|||
}
|
||||
#endif /* KAME IPSEC */
|
||||
|
||||
case IPV6_FW_GET:
|
||||
{
|
||||
struct mbuf *m;
|
||||
struct mbuf **mp = &m;
|
||||
|
||||
if (ip6_fw_ctl_ptr == NULL)
|
||||
{
|
||||
return EINVAL;
|
||||
}
|
||||
error = (*ip6_fw_ctl_ptr)(optname, mp);
|
||||
if (error == 0)
|
||||
error = soopt_mcopyout(sopt, m); /* XXX */
|
||||
if (error == 0 && m)
|
||||
m_freem(m);
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
error = ENOPROTOOPT;
|
||||
break;
|
||||
|
|