From 7a92401aeaf966f16ec96027cf70df14baa95d1a Mon Sep 17 00:00:00 2001 From: "Bjoern A. Zeeb" Date: Fri, 4 May 2007 11:15:41 +0000 Subject: [PATCH] Add support for filtering on Routing Header Type 0 and Mobile IPv6 Routing Header Type 2 in addition to filter on the non-differentiated presence of any Routing Header. MFC after: 3 weeks --- sbin/ipfw/ipfw.8 | 10 +++++++--- sbin/ipfw/ipfw2.c | 18 ++++++++++++++++++ sys/netinet/ip_fw.h | 2 ++ sys/netinet/ip_fw2.c | 4 ++++ 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index bad7b1598946..52bb326071dd 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 25, 2006 +.Dd May 4, 2007 .Dt IPFW 8 .Os .Sh NAME @@ -456,7 +456,7 @@ Time To Live .It IP options .It IPv6 Extension headers Fragmentation, Hop-by-Hop options, -source routing, IPSec options. +Routing Headers, Source routing rthdr0, Mobile IPv6 rthdr2, IPSec options. .It IPv6 Flow-ID .It Misc. TCP header fields TCP flags (SYN, FIN, ACK, RST, etc.), @@ -1125,8 +1125,12 @@ Fragment, .Pq Cm frag , Hop-to-hop options .Pq Cm hopopt , -Source routing +any type of Routing Header .Pq Cm route , +Source routing Routing Header Type 0 +.Pq Cm rthdr0 , +Mobile IPv6 Routing Header Type 2 +.Pq Cm rthdr2 , Destination options .Pq Cm dstopt , IPSec authentication headers diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index 14c707c27bd5..bb40006dfee9 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -1301,6 +1301,8 @@ static struct _s_x ext6hdrcodes[] = { { "dstopt", EXT_DSTOPTS }, { "ah", EXT_AH }, { "esp", EXT_ESP }, + { "rthdr0", EXT_RTHDR0 }, + { "rthdr2", EXT_RTHDR2 }, { NULL, 0 } }; @@ -1341,6 +1343,14 @@ fill_ext6hdr( ipfw_insn *cmd, char *av) cmd->arg1 |= EXT_ESP; break; + case EXT_RTHDR0: + cmd->arg1 |= EXT_RTHDR0; + break; + + case EXT_RTHDR2: + cmd->arg1 |= EXT_RTHDR2; + break; + default: errx( EX_DATAERR, "invalid option for ipv6 exten header" ); break; 
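Review bot: The two new cases in fill_ext6hdr copy the existing pattern in which each `case X:` does nothing but `cmd->arg1 |= X;`, so every header flag must be kept in step in three places: the `ext6hdrcodes` table, this switch and print_ext6hdr. A flag missed in one of them gives a keyword that is rejected by the `default:` branch or a rule that is listed incompletely. Since each table value is already the bit to set, the switch could shrink to a validity check followed by a single OR of the matched code; the switch expression and the start of the function are outside the hunk, so confirm this against the full body. If the switch stays, a comment above it such as `/* keep in sync with ext6hdrcodes[] and print_ext6hdr() */` would help.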
@@ -1371,6 +1381,14 @@ print_ext6hdr( ipfw_insn *cmd ) printf("%crouting options", sep); sep = ','; } + if (cmd->arg1 & EXT_RTHDR0 ) { + printf("%crthdr0", sep); + sep = ','; + } + if (cmd->arg1 & EXT_RTHDR2 ) { + printf("%crthdr2", sep); + sep = ','; + } if (cmd->arg1 & EXT_DSTOPTS ) { printf("%cdestination options", sep); sep = ','; diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 199d569aeb00..16d0c5da5afd 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -174,6 +174,8 @@ enum ipfw_opcodes { /* arguments (4 byte each) */ #define EXT_AH 0x8 #define EXT_ESP 0x10 #define EXT_DSTOPTS 0x20 +#define EXT_RTHDR0 0x40 +#define EXT_RTHDR2 0x80 /* * Template for instructions. diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 72c343a5e189..21f991489252 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -2469,6 +2469,10 @@ do { \ PULLUP_TO(hlen, ulp, struct ip6_rthdr); switch (((struct ip6_rthdr *)ulp)->ip6r_type) { case 0: + ext_hd |= EXT_RTHDR0; + break; + case 2: + ext_hd |= EXT_RTHDR2; break; default: printf("IPFW2: IPV6 - Unknown Routing "
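Review bot: `EXT_RTHDR0` and `EXT_RTHDR2` are added without a comment saying that they are bits in the same mask as the `EXT_*` values above, or that only a kernel containing the ip_fw2.c part of this commit ever sets them. A rule built by the new ipfw(8) with `rthdr0` and loaded into an older kernel would presumably be accepted and then never match, which matters when the rule is meant to drop Type 0 source-routed packets. I would add `/* Routing Header Type 0 / Type 2; bits in the same mask as the EXT_* values above */` over the two defines and state the kernel requirement in ipfw.8.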
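Review bot: Adding `case 2:` takes Type 2 Routing Headers out of the `default:` branch, so they no longer reach the "Unknown Routing" handling; the commit message describes only new filter keywords and does not mention this change in default treatment. What the default branch does after the printf is outside the hunk, but on hosts that do not use Mobile IPv6 this may widen what passes unless a rule with `rthdr2` blocks it. A sentence in ipfw.8 and a comment such as `/* Mobile IPv6 Type 2: now a known type, filter with ext6hdr rthdr2 */` would make that explicit. The flags are also set from `ip6r_type` alone, so a Type 0 header with no segments left matches `rthdr0` as well, which is worth documenting if intended. The bare `0` and `2` labels would read better with a short comment naming the types.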