IPFW: supported IPv6.

This commit is contained in:
Junwei Zhou 2020-06-15 17:48:46 +08:00 committed by fengbojiang(姜凤波)
parent 2747a35d56
commit 4af0f1ccbb
6 changed files with 41 additions and 27 deletions

View File

@ -18,6 +18,10 @@ SRCS+= altq.c
CFLAGS+=-DPF CFLAGS+=-DPF
endif endif
ifneq (${MK_INET6_SUPPORT},"no")
CFLAGS+= -DINET6
endif
LIBADD= util LIBADD= util
MAN= ipfw.8 MAN= ipfw.8

View File

@ -404,9 +404,9 @@ print_mask(struct ipfw_flow_id *id)
printf("\n mask: %sproto: 0x%02x, flow_id: 0x%08x, ", printf("\n mask: %sproto: 0x%02x, flow_id: 0x%08x, ",
id->extra ? "queue," : "", id->extra ? "queue," : "",
id->proto, id->flow_id6); id->proto, id->flow_id6);
inet_ntop(AF_INET6, &(id->src_ip6), buf, sizeof(buf)); inet_ntop(AF_INET6_LINUX, &(id->src_ip6), buf, sizeof(buf));
printf("%s/0x%04x -> ", buf, id->src_port); printf("%s/0x%04x -> ", buf, id->src_port);
inet_ntop(AF_INET6, &(id->dst_ip6), buf, sizeof(buf)); inet_ntop(AF_INET6_LINUX, &(id->dst_ip6), buf, sizeof(buf));
printf("%s/0x%04x\n", buf, id->dst_port); printf("%s/0x%04x\n", buf, id->dst_port);
} }
} }
@ -455,10 +455,10 @@ list_flow(struct buf_pr *bp, struct dn_flow *ni)
else else
bprintf(bp, "%9u ", id->proto); bprintf(bp, "%9u ", id->proto);
bprintf(bp, "%7d %39s/%-5d ", id->flow_id6, bprintf(bp, "%7d %39s/%-5d ", id->flow_id6,
inet_ntop(AF_INET6, &(id->src_ip6), buff, sizeof(buff)), inet_ntop(AF_INET6_LINUX, &(id->src_ip6), buff, sizeof(buff)),
id->src_port); id->src_port);
bprintf(bp, " %39s/%-5d ", bprintf(bp, " %39s/%-5d ",
inet_ntop(AF_INET6, &(id->dst_ip6), buff, sizeof(buff)), inet_ntop(AF_INET6_LINUX, &(id->dst_ip6), buff, sizeof(buff)),
id->dst_port); id->dst_port);
} }
pr_u64(bp, &ni->tot_pkts, 4); pr_u64(bp, &ni->tot_pkts, 4);

View File

@ -2181,9 +2181,9 @@ show_dyn_state(struct cmdline_opts *co, struct format_opts *fo,
a.s_addr = htonl(d->id.dst_ip); a.s_addr = htonl(d->id.dst_ip);
bprintf(bp, " <-> %s %d", inet_ntoa(a), d->id.dst_port); bprintf(bp, " <-> %s %d", inet_ntoa(a), d->id.dst_port);
} else if (d->id.addr_type == 6) { } else if (d->id.addr_type == 6) {
bprintf(bp, " %s %d", inet_ntop(AF_INET6, &d->id.src_ip6, buf, bprintf(bp, " %s %d", inet_ntop(AF_INET6_LINUX, &d->id.src_ip6, buf,
sizeof(buf)), d->id.src_port); sizeof(buf)), d->id.src_port);
bprintf(bp, " <-> %s %d", inet_ntop(AF_INET6, &d->id.dst_ip6, bprintf(bp, " <-> %s %d", inet_ntop(AF_INET6_LINUX, &d->id.dst_ip6,
buf, sizeof(buf)), d->id.dst_port); buf, sizeof(buf)), d->id.dst_port);
} else } else
bprintf(bp, " UNKNOWN <-> UNKNOWN\n"); bprintf(bp, " UNKNOWN <-> UNKNOWN\n");
@ -3559,11 +3559,11 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cblen, struct tidx *tstate)
host = av; host = av;
if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
inet_pton(AF_INET6, host, &a) == 1) inet_pton(AF_INET6_LINUX, host, &a) == 1)
ret = add_srcip6(cmd, av, cblen); ret = add_srcip6(cmd, av, cblen);
/* XXX: should check for IPv4, not !IPv6 */ /* XXX: should check for IPv4, not !IPv6 */
if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
inet_pton(AF_INET6, host, &a) != 1)) inet_pton(AF_INET6_LINUX, host, &a) != 1))
ret = add_srcip(cmd, av, cblen, tstate); ret = add_srcip(cmd, av, cblen, tstate);
if (ret == NULL && strcmp(av, "any") != 0) if (ret == NULL && strcmp(av, "any") != 0)
ret = cmd; ret = cmd;
@ -3590,11 +3590,11 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cblen, struct tidx *tstate)
host = av; host = av;
if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
inet_pton(AF_INET6, host, &a) == 1) inet_pton(AF_INET6_LINUX, host, &a) == 1)
ret = add_dstip6(cmd, av, cblen); ret = add_dstip6(cmd, av, cblen);
/* XXX: should check for IPv4, not !IPv6 */ /* XXX: should check for IPv4, not !IPv6 */
if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 || if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
inet_pton(AF_INET6, host, &a) != 1)) inet_pton(AF_INET6_LINUX, host, &a) != 1))
ret = add_dstip(cmd, av, cblen, tstate); ret = add_dstip(cmd, av, cblen, tstate);
if (ret == NULL && strcmp(av, "any") != 0) if (ret == NULL && strcmp(av, "any") != 0)
ret = cmd; ret = cmd;
@ -3884,7 +3884,7 @@ chkarg:
CHECK_ACTLEN; CHECK_ACTLEN;
p->sa.sin6_len = sizeof(struct sockaddr_in6); p->sa.sin6_len = sizeof(struct sockaddr_in6);
p->sa.sin6_family = AF_INET6; p->sa.sin6_family = AF_INET6_LINUX;
p->sa.sin6_port = port_number; p->sa.sin6_port = port_number;
p->sa.sin6_flowinfo = 0; p->sa.sin6_flowinfo = 0;
p->sa.sin6_scope_id = p->sa.sin6_scope_id =

View File

@ -42,6 +42,8 @@
#include <netinet/ip_fw.h> #include <netinet/ip_fw.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include "compat.h"
#define CHECK_LENGTH(v, len) do { \ #define CHECK_LENGTH(v, len) do { \
if ((v) < (len)) \ if ((v) < (len)) \
errx(EX_DATAERR, "Rule too long"); \ errx(EX_DATAERR, "Rule too long"); \
@ -115,18 +117,18 @@ print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd, char const *s)
128 : contigmask((uint8_t *)&(a[1]), 128); 128 : contigmask((uint8_t *)&(a[1]), 128);
if (mb == 128 && co.do_resolv) if (mb == 128 && co.do_resolv)
he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6); he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6_LINUX);
if (he != NULL) /* resolved to name */ if (he != NULL) /* resolved to name */
bprintf(bp, "%s", he->h_name); bprintf(bp, "%s", he->h_name);
else if (mb == 0) /* any */ else if (mb == 0) /* any */
bprintf(bp, "any"); bprintf(bp, "any");
else { /* numeric IP followed by some kind of mask */ else { /* numeric IP followed by some kind of mask */
if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL) if (inet_ntop(AF_INET6_LINUX, a, trad, sizeof( trad ) ) == NULL)
bprintf(bp, "Error ntop in print_ip6\n"); bprintf(bp, "Error ntop in print_ip6\n");
bprintf(bp, "%s", trad ); bprintf(bp, "%s", trad );
if (mb < 0) /* XXX not really legal... */ if (mb < 0) /* XXX not really legal... */
bprintf(bp, ":%s", bprintf(bp, ":%s",
inet_ntop(AF_INET6, &a[1], trad, sizeof(trad))); inet_ntop(AF_INET6_LINUX, &a[1], trad, sizeof(trad)));
else if (mb < 128) else if (mb < 128)
bprintf(bp, "/%d", mb); bprintf(bp, "/%d", mb);
} }
@ -309,8 +311,8 @@ lookup_host6 (char *host, struct in6_addr *ip6addr)
{ {
struct hostent *he; struct hostent *he;
if (!inet_pton(AF_INET6, host, ip6addr)) { if (!inet_pton(AF_INET6_LINUX, host, ip6addr)) {
if ((he = gethostbyname2(host, AF_INET6)) == NULL) if ((he = gethostbyname2(host, AF_INET6_LINUX)) == NULL)
return(-1); return(-1);
memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
} }

View File

@ -33,6 +33,8 @@
#ifdef FSTACK #ifdef FSTACK
#include <stdint.h> #include <stdint.h>
#include "compat.h"
#include "ff_ipc.h" #include "ff_ipc.h"
#endif #endif
@ -84,6 +86,9 @@ help(void)
" setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
" tcpdatalen LIST | verrevpath | versrcreach | antispoof\n" " tcpdatalen LIST | verrevpath | versrcreach | antispoof\n"
); );
#ifdef FSTACK
ff_ipc_exit();
#endif
exit(0); exit(0);
} }
@ -661,5 +666,8 @@ main(int ac, char *av[])
"do \"ipfw -h\" or \"man ipfw\" for details"); "do \"ipfw -h\" or \"man ipfw\" for details");
} }
} }
#ifdef FSTACK
ff_ipc_exit();
#endif
return EX_OK; return EX_OK;
} }

View File

@ -1145,7 +1145,7 @@ tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type,
masklen = p ? mask : 32; masklen = p ? mask : 32;
af = AF_INET; af = AF_INET;
} else if (inet_pton(AF_INET6, arg, paddr) == 1) { } else if (inet_pton(AF_INET6_LINUX, arg, paddr) == 1) {
if (IN6_IS_ADDR_V4COMPAT(paddr)) if (IN6_IS_ADDR_V4COMPAT(paddr))
errx(EX_DATAERR, errx(EX_DATAERR,
"Use IPv4 instead of v4-compatible"); "Use IPv4 instead of v4-compatible");
@ -1154,7 +1154,7 @@ tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type,
p + 1); p + 1);
masklen = p ? mask : 128; masklen = p ? mask : 128;
af = AF_INET6; af = AF_INET6_LINUX;
} else { } else {
/* Assume FQDN */ /* Assume FQDN */
if (lookup_host(arg, (struct in_addr *)paddr) != 0) if (lookup_host(arg, (struct in_addr *)paddr) != 0)
@ -1198,11 +1198,11 @@ tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type,
"Inconsistent address family\n"); "Inconsistent address family\n");
af = AF_INET; af = AF_INET;
memcpy(&tfe->a.a4.sip, &tmp, 4); memcpy(&tfe->a.a4.sip, &tmp, 4);
} else if (inet_pton(AF_INET6, arg, &tmp) == 1) { } else if (inet_pton(AF_INET6_LINUX, arg, &tmp) == 1) {
if (af != 0 && af != AF_INET6) if (af != 0 && af != AF_INET6_LINUX)
errx(EX_DATAERR, errx(EX_DATAERR,
"Inconsistent address family\n"); "Inconsistent address family\n");
af = AF_INET6; af = AF_INET6_LINUX;
memcpy(&tfe->a.a6.sip6, &tmp, 16); memcpy(&tfe->a.a6.sip6, &tmp, 16);
} }
@ -1266,11 +1266,11 @@ tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type,
"Inconsistent address family"); "Inconsistent address family");
af = AF_INET; af = AF_INET;
memcpy(&tfe->a.a4.dip, &tmp, 4); memcpy(&tfe->a.a4.dip, &tmp, 4);
} else if (inet_pton(AF_INET6, arg, &tmp) == 1) { } else if (inet_pton(AF_INET6_LINUX, arg, &tmp) == 1) {
if (af != 0 && af != AF_INET6) if (af != 0 && af != AF_INET6_LINUX)
errx(EX_DATAERR, errx(EX_DATAERR,
"Inconsistent address family"); "Inconsistent address family");
af = AF_INET6; af = AF_INET6_LINUX;
memcpy(&tfe->a.a6.dip6, &tmp, 16); memcpy(&tfe->a.a6.dip6, &tmp, 16);
} }
@ -1329,7 +1329,7 @@ guess_key_type(char *key, uint8_t *ptype)
*p = '\0'; *p = '\0';
if ((inet_pton(AF_INET, key, &addr) == 1) || if ((inet_pton(AF_INET, key, &addr) == 1) ||
(inet_pton(AF_INET6, key, &addr) == 1)) { (inet_pton(AF_INET6_LINUX, key, &addr) == 1)) {
*ptype = IPFW_TABLE_CIDR; *ptype = IPFW_TABLE_CIDR;
if (p != NULL) if (p != NULL)
*p = '/'; *p = '/';
@ -1559,7 +1559,7 @@ tentry_fill_value(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *arg,
case IPFW_VTYPE_NH6: case IPFW_VTYPE_NH6:
if (strchr(n, ':') != NULL) { if (strchr(n, ':') != NULL) {
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET6; hints.ai_family = AF_INET6_LINUX;
hints.ai_flags = AI_NUMERICHOST; hints.ai_flags = AI_NUMERICHOST;
if (getaddrinfo(n, NULL, &hints, &res) == 0) { if (getaddrinfo(n, NULL, &hints, &res) == 0) {
v->nh6 = ((struct sockaddr_in6 *) v->nh6 = ((struct sockaddr_in6 *)
@ -1776,7 +1776,7 @@ table_show_value(char *buf, size_t bufsize, ipfw_table_value *v,
l = snprintf(buf, sz, "%d,", v->dscp); l = snprintf(buf, sz, "%d,", v->dscp);
break; break;
case IPFW_VTYPE_NH6: case IPFW_VTYPE_NH6:
sa6.sin6_family = AF_INET6; sa6.sin6_family = AF_INET6_LINUX;
sa6.sin6_len = sizeof(sa6); sa6.sin6_len = sizeof(sa6);
sa6.sin6_addr = v->nh6; sa6.sin6_addr = v->nh6;
sa6.sin6_port = 0; sa6.sin6_port = 0;