12 files changed, 189 insertions, 27 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 7575061..558d4ae 100644
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -23,6 +23,7 @@ my %fields = (
 _icmp_code => undef,
 _icmp_type => undef,
 _icmp_name => undef,
+ _icmpv6_type => undef,
 _mod_mark => undef,
 _mod_dscp => undef,
 _ipsec => undef,
@@ -73,6 +74,7 @@ my %dummy_rule = (
 _icmp_code => undef,
 _icmp_type => undef,
 _icmp_name => undef,
+ _icmpv6_type => undef,
 _mod_mark => undef,
 _mod_dscp => undef,
 _ipsec => undef,
@@ -151,6 +153,7 @@ sub setup_base {
 $self->{_icmp_code} = $config->$val_func("icmp code");
 $self->{_icmp_type} = $config->$val_func("icmp type");
 $self->{_icmp_name} = $config->$val_func("icmp type-name");
+ $self->{_icmpv6_type} = $config->$val_func("icmpv6 type");
 $self->{_mod_mark} = $config->$val_func("modify mark");
 $self->{_mod_dscp} = $config->$val_func("modify dscp");
 $self->{_ipsec} = $config->$exists_func("ipsec match-ipsec");
@@ -225,6 +228,8 @@ sub print {
 print "log: $self->{_log}\n" if defined $self->{_log};
 print "icmp code: $self->{_icmp_code}\n" if defined $self->{_icmp_code};
 print "icmp type: $self->{_icmp_type}\n" if defined $self->{_icmp_type};
+ print "icmpv6 type: $self->{_icmpv6_type}\n"
+ if defined $self->{_icmpv6_type};
 print "mod mark: $self->{_mod_mark}\n" if defined $self->{_mod_mark};
 print "mod dscp: $self->{_mod_dscp}\n" if defined $self->{_mod_dscp};
@@ -341,6 +346,18 @@ sub rule {
 return ("ICMP type/code or type-name can only be defined if protocol is ICMP", );
 }
+ # Setup ICMPv6 rule if configured
+ # ICMPv6 parameters are only valid if the rule is matching on the
+ # ICMPv6 protocol ID.
+ #
+ if (($self->{_protocol} eq "icmpv6") ||
+ ($self->{_protocol} eq "ipv6-icmp") ||
+ ($self->{_protocol} eq "58")) {
+ if (defined($self->{_icmpv6_type})) {
+ $rule .= "-m icmpv6 --icmpv6-type $self->{_icmpv6_type}";
+ }
+ }
+
 # add the source and destination rules
 ($srcrule, $err_str) = $src->rule();
 return ($err_str, ) if (!defined($srcrule));
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def
index 6aafb65..5c7f5e9 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def
@@ -1,10 +1,14 @@
 type: txt
-help: Set source IPv6 address or prefix to match
+help: Set source IPv6 address, prefix or range to match
 comp_help: Possible completions:
- <x:x:x:x:x:x:x:x> IPv6 address to match
- <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
- !<x:x:x:x:x:x:x:x> Everything except IPv6 address
- !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ <x:x:x:x:x:x:x:x> IPv6 address to match
+ <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
+ <x:x:x:x:x:x>-<x:x:x:x:x:x> Range of IPv6 addresses
+ !<x:x:x:x:x:x:x:x> Everything except IPv6 address
+ !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ !<x:x:x:x:x:x>-<x:x:x:x:x:x> Everything except range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-frag/node.def
deleted file mode 100644
index 75338e3..0000000
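Review bot: A configured `icmpv6 type` is silently ignored when the rule's protocol is anything other than icmpv6/ipv6-icmp/58, whereas the ICMP check immediately above this block returns an error in the same situation; the generated ip6tables rule then matches every packet of that protocol rather than the intended type, which is broader than what the operator configured. Make the new block symmetric with the ICMP one, e.g. `my $is_icmpv6 = defined $self->{_protocol} && grep { $self->{_protocol} eq $_ } qw(icmpv6 ipv6-icmp 58);` / `return ("ICMPv6 type can only be defined if protocol is ICMPv6", ) if defined $self->{_icmpv6_type} && !$is_icmpv6;` / `$rule .= "-m icmpv6 --icmpv6-type $self->{_icmpv6_type}" if $is_icmpv6 && defined $self->{_icmpv6_type};`. The `defined` guard also avoids the uninitialized-value warnings the three `eq` comparisons would emit if `_protocol` is unset, which nothing in the hunk rules out. Whether the appended fragment needs a separating space is not visible here; compare with how the neighbouring `$rule .=` fragments are joined. `sub rule` starts before the hunk and continues after it.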
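Review bot: The new help text still says `source` on the destination node; `help: Set source IPv6 address, prefix or range to match` should read `help: Set destination IPv6 address, prefix or range to match`. In the added syntax:expression `$VAR(@)` is interpolated into the exec string unquoted, unlike the protocol node's `'$VAR(@)'`; a value containing whitespace or shell metacharacters would be word-split or expanded before it reaches the validator, so quote it: `syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param '$VAR(@)'"`. The same unquoted form appears in the source/address node.def hunk at the end of this diff. Whether the CLI already rejects such values before this expression runs is not visible here.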
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-frag/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Match second and further fragments of fragmented packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-non-frag/node.def
deleted file mode 100644
index 3105271..0000000
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-non-frag/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Match head fragments or unfragmented packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/node.def
deleted file mode 100644
index c532d49..0000000
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Set IP fragment matching
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/code/node.def
deleted file mode 100644
index 8ff1c09..0000000
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/code/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-type: u32; "ICMP code must be between 0 and 255"
-
-help: Set ICMP code (0-255)
-
-syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/node.def
deleted file mode 100644
index dcf9fcc..0000000
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Set rule ICMP type and code information
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/type/node.def
deleted file mode 100644
index 9cd72b3..0000000
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/type/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-type: u32; "ICMP type must be between 0 and 255"
-
-help: Set ICMP type (0-255)
-
-syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/node.def
new file mode 100644
index 0000000..d4dc9c0
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/node.def
@@ -0,0 +1 @@
+help: Set rule ICMPv6 type and code information
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/type/node.def
new file mode 100644
index 0000000..13ff654
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/type/node.def
@@ -0,0 +1,135 @@
+type: txt
+
+help: Set ICMPv6 type/code
+
+comp_help: Possible completions:
+ destination-unreachable ICMPv6 type/code name
+ no-route ICMPv6 type/code name
+ communication-prohibited ICMPv6 type/code name
+ address-unreachable ICMPv6 type/code name
+ port-unreachable ICMPv6 type/code name
+ packet-too-big ICMPv6 type/code name
+ time-exceeded ICMPv6 type/code name
+ ttl-zero-during-transit ICMPv6 type/code name
+ ttl-zero-during-reassembly ICMPv6 type/code name
+ parameter-problem ICMPv6 type/code name
+ bad-header ICMPv6 type/code name
+ unknown-header-type ICMPv6 type/code name
+ unknown-option ICMPv6 type/code name
+ echo-request ICMPv6 type/code name
+ ping ICMPv6 type/code name
+ echo-reply ICMPv6 type/code name
+ pong ICMPv6 type/code name
+ router-solicitation ICMPv6 type/code name
+ router-advertisement ICMPv6 type/code name
+ neighbour-solicitation ICMPv6 type/code name
+ neighbor-solicitation ICMPv6 type/code name
+ neighbour-advertisement ICMPv6 type/code name
+ neighbor-advertisement ICMPv6 type/code name
+ <0 - 255> ICMPv6 type number
+ <0 - 255>/<0 - 255> ICMPv6 type and code numbers
+
+allowed:
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ echo -n ${array[@]}
+
+syntax:expression: exec "
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ len=${#array[*]}
+ i=0
+ while [ $i -lt $len ]; do
+ if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
+ exit 0
+ fi
+ let i++
+ done
+
+ param=$VAR(@)
+ codepart=${param##*/}
+ if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then
+ codepart=\"0\"
+ fi
+
+ typepart=${param%%/*}
+ if [ -z \"$typepart\" ]; then
+ echo \"Must specify ICMPv6 type\"
+ exit 1
+ fi
+
+ shopt -s extglob
+
+ leftover=${typepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 type: $typepart\"
+ exit 1
+ fi
+
+ leftover=${codepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 code: $codepart\"
+ exit 1
+ fi
+
+ if [ $typepart -lt 0 -o $typepart -gt 255 ]; then
+ echo \"ICMPv6 type must be between 0 and 255\"
+ exit 1
+ fi
+
+ if [ $codepart -lt 0 -o $codepart -gt 255 ]; then
+ echo \"ICMPv6 code must be between 0 and 255\"
+ exit 1
+ fi
+"
+
+
+
+
+
+
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
index 8614dc7..d43ffdd 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
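Review bot: A value with more than one slash, such as a constructed `1/2/3`, passes the numeric validation because `${param%%/*}` takes the text before the first slash and `${param##*/}` the text after the last one, so the middle field is never examined and the value is handed to ip6tables as-is; reject it up front, right after `param=$VAR(@)`, with `case \"$param\" in */*/*) echo \"Invalid ICMPv6 type/code: $param\"; exit 1;; esac`. The 23-entry name array is maintained twice, once under `allowed:` and once inside the `syntax:expression:` script, so the two lists will drift the first time a name is added to only one of them; keeping a single list is a readability point worth taking now. The seven empty lines that close the file after the closing `"` serve no purpose and can be dropped. Whether the spelled names match what the installed ip6tables `icmpv6` match accepts is not verifiable from the diff.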
@@ -1,11 +1,26 @@
 type: txt
-help: Set protocol to match (protocol name, protocol number, or "all")
+help: Set IPv6 protocol to match (protocol name, number, or "all")
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\""
+syntax:expression: exec "
+ param=$VAR(@)
+ if [ \"$param\" = \"icmpv6\" ]; then
+ exit 0
+ fi
+ /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'
+ " ;
+ "invalid protocol \"$VAR(@)\""
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
+ protos="all icmpv6 $protos"
+ echo -n $protos
 comp_help:Possible completions:
 <text> An IPv6 protocol name (e.g. "tcp" or "udp")
 <1-255> An IPv6 protocol number
 all All IPv6 protocols
-!<protocol> All IPv6 protocols except for the specified name or number
+!<text> All IPv6 protocols except for the specified name
+!<1-255> All IPv6 protocols except for the specified number
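Review bot: The short-circuit in the new syntax:expression accepts only the literal `icmpv6`, so the negated form `!icmpv6` that the updated comp_help advertises via `!<text>` falls through to protocol_negate; if that helper resolves names against /etc/protocols, where the entry is `ipv6-icmp`, the negation would be rejected even though Rule.pm treats `icmpv6`, `ipv6-icmp` and `58` as equivalent. Extending the test to `if [ \"$param\" = \"icmpv6\" -o \"$param\" = \"!icmpv6\" ]; then` keeps the two sides consistent. `param=$VAR(@)` is assigned unquoted, so a value containing whitespace would be split before the comparison; `param='$VAR(@)'` matches the quoting already used on the protocol_negate line. The completion pipeline `cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'` reads more simply as `awk '!/^#/ { print $1 }' /etc/protocols`.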
\ No newline at end of file
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def
index 6aafb65..81f2b03 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def
@@ -1,10 +1,14 @@
+
 type: txt
-help: Set source IPv6 address or prefix to match
+help: Set source IPv6 address, prefix or range to match
 comp_help: Possible completions:
- <x:x:x:x:x:x:x:x> IPv6 address to match
- <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
- !<x:x:x:x:x:x:x:x> Everything except IPv6 address
- !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ <x:x:x:x:x:x:x:x> IPv6 address to match
+ <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
+ <x:x:x:x:x:x>-<x:x:x:x:x:x> Range of IPv6 addresses
+ !<x:x:x:x:x:x:x:x> Everything except IPv6 address
+ !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ !<x:x:x:x:x:x>-<x:x:x:x:x:x> Everything except range
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)"
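Review bot: An empty line is introduced as the first line of the file, ahead of `type: txt`, which the sibling destination/address node.def does not have; drop it so the two templates stay byte-for-byte parallel apart from their help text. The unquoted `$VAR(@)` in the new syntax:expression is the issue already raised on the destination/address hunk and applies here identically.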
\ No newline at end of file |