- ipv6_prefix_* and ipv6_ifconfig_* work for end node

- rtsol should work for only one interface
- new variable ipv6_defaultrouter is added
- option name of rtadvd in comments is corrected
- ipv6_firewall_enable, ipv6_firewall_type, ipv6_firewall_script,
  ipv6_firewall_logging are added to introduce rc.firewall6.

IPv6 firewall rule is just starting point and should be brushed up.
This commit includes PR18621, PR21694, PR22051.

PR:		conf/18621, conf/21694, conf/22051
Reviewed by:	asmodai
Hajimu UMEMOTO 2000-10-29 19:59:05 +00:00
parent fe4e324374
commit e726be510b
4 changed files with 695 additions and 221 deletions


@ -84,7 +84,6 @@ icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="auto" # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
#ifconfig_ed0_alias0="inet6 fec0:0000:0000:0005::1 prefixlen 64" # Sample alias entry for IPv6.
#ifconfig_ed0_ipx="ipx 0x00010010" # Sample IPX address family entry.
#
# If you have any sppp(4) interfaces above, you might also want to set
@ -216,6 +215,7 @@ icmp_bmcastecho="NO" # respond to broadcast ping packets
### IPv6 options: ###
ipv6_enable="NO" # Set to YES to set up for IPv6.
ipv6_network_interfaces="auto" # List of network interfaces (or "auto").
ipv6_defaultrouter="NO" # Set to IPv6 default gateway (or NO).
ipv6_static_routes="" # Set to static route list (or leave empty).
#ipv6_static_routes="xxx" # An example to set fec0:0000:0000:0006::/64
# route toward loopback interface.
@ -226,10 +226,12 @@ ipv6_router="/usr/sbin/route6d" # Name of IPv6 routing daemon.
ipv6_router_flags="" # Flags to IPv6 routing daemon.
#ipv6_router_flags="-l" # Example for route6d with only IPv6 site local
# addrs.
#ipv6_network_interfaces="ed0 ep0" # Examples for router.
#ipv6_network_interfaces="ed0 ep0" # Examples for router
# or static configuration for end node.
# Choose correct prefix value.
#ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002" # Examples for rtr.
#ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004" # Examples for rtr.
#ipv6_ifconfig_ed0="fec0:0:0:5::1 prefixlen 64" # Sample alias entry
ipv6_default_interface="" # Default output interface for scoped addrs.
# Now this works only for IPv6 link local
# multicast addrs.
@ -256,8 +258,15 @@ stf_interface_ipv4plen="0" # Prefix length for 6to4 IPv4 addr,
stf_interface_ipv6_ifid="0:0:0:1" # IPv6 interface id for stf0.
# If you like, you can set "AUTO" for this.
stf_interface_ipv6_slaid="0000" # IPv6 Site Level Aggregator for stf0
ipv6_ipv4mapping="YES"; # Leave empty to disable IPv4 mapped IPv6 addr
ipv6_ipv4mapping="YES" # Leave empty to disable IPv4 mapped IPv6 addr
# communication. (like ::ffff:a.b.c.d)
ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall
# functionality
ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6)
ipv6_firewall_quiet="NO" # Set to YES to suppress rule display
ipv6_firewall_logging="NO" # Set to YES to enable events logging
ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file
##############################################################
### System console options #################################
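Review bot: The comment on the new `ipv6_firewall_type="UNKNOWN"` line only says "see /etc/rc.firewall6", but that script's last `case` arm treats any value that is not one of its keywords as the path of a rules file, which is the setting an administrator is most likely to get wrong without noticing. Suggest `ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type: a keyword from /etc/rc.firewall6, or the full path of an ip6fw rules file`. For the same reason the `ipv6_firewall_flags=""` comment could say `# Flags passed to ip6fw when ipv6_firewall_type names a rules file`, since "type is a file" is easy to misread.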


@ -37,26 +37,74 @@
network6_pass1() {
echo -n 'Doing IPv6 network setup:'
case ${ipv6_gateway_enable} in
# Initialize IP filtering using ip6fw
#
if /sbin/ip6fw -q flush > /dev/null 2>&1; then
ipv6_firewall_in_kernel=1
else
ipv6_firewall_in_kernel=0
fi
case ${ipv6_firewall_enable} in
[Yy][Ee][Ss])
#
# list of interfaces, and prefix for interfaces
#
case ${ipv6_network_interfaces} in
[Aa][Uu][Tt][Oo])
ipv6_network_interfaces="`ifconfig -l`"
if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then
ipv6_firewall_in_kernel=1
echo "Kernel IPv6 firewall module loaded."
elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then
echo "Warning: IPv6 firewall kernel module failed to load."
fi
;;
esac
# Load the filters if required
#
case ${ipv6_firewall_in_kernel} in
1)
if [ -z "${ipv6_firewall_script}" ]; then
ipv6_firewall_script=/etc/rc.firewall6
fi
case ${ipv6_firewall_enable} in
[Yy][Ee][Ss])
if [ -r "${ipv6_firewall_script}" ]; then
. "${ipv6_firewall_script}"
echo -n 'IPv6 Firewall rules loaded.'
elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
echo -n "Warning: kernel has IPv6 firewall functionality, "
echo "but IPv6 firewall rules are not enabled."
echo " All ipv6 services are disabled."
fi
case ${ipv6_firewall_logging} in
[Yy][Ee][Ss] | '')
echo 'IPv6 Firewall logging=YES'
sysctl -w net.inet6.ip6.fw.verbose=1 >/dev/null
;;
*)
;;
esac
;;
esac
;;
*)
#
# manual configurations - in case ip6_gateway_enable=NO
# you can configure only single interface,
# as specification assumes that
# autoconfigured host has single interface only.
#
case ${ipv6_network_interfaces} in
[Aa][Uu][Tt][Oo])
esac
case ${ipv6_network_interfaces} in
[Aa][Uu][Tt][Oo])
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
#
# list of interfaces, and prefix for interfaces
#
ipv6_network_interfaces="`ifconfig -l`"
;;
*)
#
# manual configurations - in case ip6_gateway_enable=NO
# you can configure only single interface,
# as specification assumes that
# autoconfigured host has single interface only.
#
set `ifconfig -l`
ipv6_network_interfaces="$1"
;;
@ -83,46 +131,26 @@ network6_pass1() {
done
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
;;
*)
# act as endhost - start with manual configuration
sysctl -w net.inet6.ip6.forwarding=0
sysctl -w net.inet6.ip6.accept_rtadv=0
;;
esac
# setting up interfaces
for i in $ipv6_network_interfaces; do
eval prefix=\$ipv6_prefix_$i
case ${prefix} in
'')
continue;
;;
esac
for j in ${prefix}; do
case ${prefixcmd_enable} in
[Yy][Ee][Ss])
prefix $i $j::
;;
*)
laddr=`network6_getladdr $i`
hostid=`expr "${laddr}" : \
'fe80::\(.*\)%\(.*\)'`
address=$j\:${hostid}
# gifconfig
network6_gif_setup
eval hostid_$i=${hostid}
eval address_$i=${address}
# setting up interfaces
network6_interface_setup
ifconfig $i inet6 ${address} \
prefixlen 64 alias
;;
esac
# subnet-router anycast address (rfc2373)
ifconfig $i inet6 $j:: prefixlen 64 \
alias anycast
done
ifconfig $i inet6
done
# again, wait for DAD's completion (for global addrs)
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
# wait for DAD's completion (for global addrs)
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
# Filter out interfaces on which IPv6 addr init failed.
ipv6_working_interfaces=""
for i in ${ipv6_network_interfaces}; do
@ -137,20 +165,21 @@ network6_pass1() {
esac
done
ipv6_network_interfaces=${ipv6_working_interfaces}
;;
esac
# gifconfig
network6_gif_setup
# 6to4 setup
network6_stf_setup
# 6to4 setup
network6_stf_setup
# install the "default interface" to kernel, which will be used
# as the default route when there's no router.
network6_default_interface_setup
# install the "default interface" to kernel, which will be used
# as the default route when there's no router.
network6_default_interface_setup
# setup static routes
network6_static_routes_setup
# setup static routes
network6_static_routes_setup
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
# ipv6_router
case ${ipv6_router_enable} in
[Yy][Ee][Ss])
@ -167,7 +196,7 @@ network6_pass1() {
#
# And if you wish your rtadvd to receive and process
# router renumbering messages, specify your Router Renumbering
# security policy by -P option.
# security policy by -R option.
#
# See `man 3 ipsec_set_policy` for IPsec policy specification
# details.
@ -178,25 +207,29 @@ network6_pass1() {
case ${rtadvd_enable} in
[Yy][Ee][Ss])
# default
for i in ${ipv6_network_interfaces}; do
case $i in
stf*)
continue
;;
*)
rtadvd_interfaces="${rtadvd_interfaces} ${i}"
;;
esac
done
case ${rtadvd_interfaces} in
'')
for i in ${ipv6_network_interfaces}; do
case $i in
stf*)
continue
;;
*)
rtadvd_interfaces="${rtadvd_interfaces} ${i}"
;;
esac
done
;;
esac
rtadvd ${rtadvd_interfaces}
#
# Enable Router Renumbering, unicast case
# (use correct src/dst addr)
# rtadvd -P "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
# rtadvd -R "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
# ${ipv6_network_interfaces}
# Enable Router Renumbering, multicast case
# (use correct src addr)
# rtadvd -P "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
# rtadvd -R "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
# ${ipv6_network_interfaces}
;;
esac
@ -211,38 +244,6 @@ network6_pass1() {
;;
esac
;;
*)
# act as endhost - automatically configured
sysctl -w net.inet6.ip6.forwarding=0
sysctl -w net.inet6.ip6.accept_rtadv=1
case ${ipv6_network_interfaces} in
lo0|gif*|stf*|faith*)
;;
*)
ifconfig ${ipv6_network_interfaces} up
rtsol ${ipv6_network_interfaces}
;;
esac
# wait for DAD's completion (for global addrs)
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
# gifconfig
network6_gif_setup
# 6to4 setup
network6_stf_setup
# install the "default interface" to kernel, which will be used
# as the default route when there's no router.
# ndp -I ${ipv6_default_interface}
network6_default_interface_setup
# setup static routes
network6_static_routes_setup
;;
esac
case ${ipv6_ipv4mapping} in
@ -263,6 +264,85 @@ network6_pass1() {
network6_pass1_done=YES
}
network6_interface_setup() {
rtsol_interfaces=''
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
rtsol_available=no
;;
*)
rtsol_available=yes
prefixcmd_enable=NO
;;
esac
for i in $ipv6_network_interfaces; do
rtsol_interface=yes
eval prefix=\$ipv6_prefix_$i
if [ -n "${prefix}" ]; then
rtsol_available=no
rtsol_interface=no
for j in ${prefix}; do
case ${prefixcmd_enable} in
[Yy][Ee][Ss])
prefix $i $j::
;;
*)
laddr=`network6_getladdr $i`
hostid=`expr "${laddr}" : \
'fe80::\(.*\)%\(.*\)'`
address=$j\:${hostid}
eval hostid_$i=${hostid}
eval address_$i=${address}
ifconfig $i inet6 ${address} \
prefixlen 64 alias
;;
esac
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
# subnet-router anycast address
# (rfc2373)
ifconfig $i inet6 $j:: prefixlen 64 \
alias anycast
;;
esac
done
fi
eval ipv6_ifconfig=\$ipv6_ifconfig_$i
if [ -n "${ipv6_ifconfig}" ]; then
rtsol_available=no
rtsol_interface=no
ifconfig $i inet6 ${ipv6_ifconfig} alias
fi
if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ]
then
case ${i} in
lo0|gif*|stf*|faith*)
;;
*)
rtsol_interfaces="${rtsol_interfaces} ${i}"
;;
esac
else
ifconfig $i inet6
fi
done
if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then
# Act as endhost - automatically configured.
# You can configure only single interface, as
# specification assumes that autoconfigured host has
# single interface only.
sysctl -w net.inet6.ip6.accept_rtadv=1
set ${rtsol_interfaces}
ifconfig $1 up
rtsol $1
fi
}
network6_gif_setup() {
case ${gif_interfaces} in
[Nn][Oo] | '')
@ -330,6 +410,14 @@ network6_stf_setup() {
network6_static_routes_setup() {
# Set up any static routes.
case ${ipv6_defaultrouter} in
[Nn][Oo] | '')
;;
*)
ipv6_static_routes="default ${ipv6_static_routes}"
ipv6_route_default="default ${ipv6_defaultrouter}"
;;
esac
case ${ipv6_static_routes} in
[Nn][Oo] | '')
;;
@ -362,16 +450,32 @@ network6_default_interface_setup() {
# Disallow unicast packets without outgoing scope identifiers,
# or route such packets to a "default" interface, if it is specified.
route add -inet6 fe80:: -prefixlen 10 ::1 -reject
case ${ipv6_default_interface} in
[Nn][Oo] | '')
route add -inet6 fe80:: -prefixlen 10 ::1 -reject
route add -inet6 fec0:: -prefixlen 10 ::1 -reject
;;
*)
laddr=`network6_getladdr ${ipv6_default_interface}`
route add -inet6 fec0:: ${laddr} -prefixlen 10 -interface \
-cloning
ndp -I ${ipv6_default_interface}
# Disable installing the default interface with the
# case net.inet6.ip6.forwarding=0 and
# net.inet6.ip6.accept_rtadv=0, due to avoid conflict
# between the default router list and the manual
# configured default route.
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
ndp -I ${ipv6_default_interface}
;;
*)
if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ]
then
ndp -I ${ipv6_default_interface}
fi
;;
esac
;;
esac
}
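Review bot: In the `network6_static_routes_setup` hunk, `ipv6_static_routes="default ${ipv6_static_routes}"` runs before the `case ${ipv6_static_routes}` arm that accepts `[Nn][Oo]`, so a host with `ipv6_static_routes="NO"` and an `ipv6_defaultrouter` ends up with the list `default NO`, which no longer matches that arm; assuming the per-route loop below the hunk expands `ipv6_route_$i` for each name, the name `NO` then yields an empty route definition handed to `route add` (the loop itself is outside the hunk). Normalising the list before prepending `default`, as below, avoids that; the fourth file section of this commit carries an identical hunk. Separately, the first hunk of this file runs `/sbin/ip6fw -q flush` purely as a presence probe, before `ipv6_firewall_enable` is consulted, so any IPv6 rules already installed are discarded even when the firewall is configured off; probing with a read-only command such as the `ip6fw l 65535` used a few lines later would not have that side effect.
```shell
network6_static_routes_setup() {
	# Set up any static routes.
	case ${ipv6_defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		# A literal NO must not survive as a route name once
		# "default" is prepended.
		case ${ipv6_static_routes} in
		[Nn][Oo] | '')
			ipv6_static_routes="default"
			;;
		*)
			ipv6_static_routes="default ${ipv6_static_routes}"
			;;
		esac
		ipv6_route_default="default ${ipv6_defaultrouter}"
		;;
	esac
	# … unchanged: per-route loop …
```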

257
etc/rc.firewall6 Normal file

@ -0,0 +1,257 @@
############
# Setup system for IPv6 firewall service.
# $FreeBSD$
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi
############
# Define the firewall type in /etc/rc.conf. Valid values are:
# open - will allow anyone in
# client - will try to protect just this machine
# simple - will try to protect a whole network
# closed - totally disables IP services except via lo0 interface
# UNKNOWN - disables the loading of firewall rules.
# filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
# Building Internet Firewalls
# Brent Chapman and Elizabeth Zwicky
#
# O'Reilly & Associates, Inc
# ISBN 1-56592-124-0
# http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
# Firewalls & Internet Security
# Repelling the wily hacker
# William R. Cheswick, Steven M. Bellowin
#
# Addison-Wesley
# ISBN 0-201-6337-4
# http://www.awl.com/
#
if [ -n "${1}" ]; then
ipv6_firewall_type="${1}"
fi
############
# Set quiet mode if requested
#
case ${ipv6_firewall_quiet} in
[Yy][Ee][Ss])
fw6cmd="/sbin/ip6fw -q"
;;
*)
fw6cmd="/sbin/ip6fw"
;;
esac
############
# Flush out the list before we begin.
#
${fw6cmd} -f flush
############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the ipv6_firewall_type to ``open''.
#
# ${fw6cmd} add 65000 pass all from any to any
############
# Only in rare cases do you want to change these rules
#
${fw6cmd} add 100 pass all from any to any via lo0
#
# ND
#
# DAD
${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::
${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect...
${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
# Prototype setups.
#
case ${ipv6_firewall_type} in
[Oo][Pp][Ee][Nn])
${fw6cmd} add 65000 pass all from any to any
;;
[Cc][Ll][Ii][Ee][Nn][Tt])
############
# This is a prototype setup that will protect your system somewhat
# against people from outside your own network.
############
# set these to your network and prefixlen and ip
#
# This needs more work
#
net="3ffe:505:2:1::"
prefixlen="64"
ip="3ffe:505:2:1::1"
# Allow any traffic to or from my own net.
${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
# Allow TCP through if setup succeeded
${fw6cmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fw6cmd} add pass all from any to any frag
# Allow setup of incoming email
${fw6cmd} add pass tcp from any to ${ip} 25 setup
# Allow setup of outgoing TCP connections only
${fw6cmd} add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
${fw6cmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
${fw6cmd} add pass udp from any 53 to ${ip}
${fw6cmd} add pass udp from ${ip} to any 53
# Allow NTP queries out in the world
${fw6cmd} add pass udp from any 123 to ${ip}
${fw6cmd} add pass udp from ${ip} to any 123
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############
# set these to your outside interface network and prefixlen and ip
oif="ed0"
onet="3ffe:505:2:1::"
oprefixlen="64"
oip="3ffe:505:2:1::1"
# set these to your inside interface network and prefixlen and ip
iif="ed1"
inet="3ffe:505:2:2::"
iprefixlen="64"
iip="3ffe:505:2:2::1"
# Stop spoofing
${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
# Stop site-local on the outside interface
${fw6cmd} add deny all from ff02::/16 to any via ${oif}
${fw6cmd} add deny all from any to ff02::/16 via ${oif}
# Disallow "internal" addresses to appear on the wire.
${fw6cmd} add deny all from ::ffff:0.0.0.0/96 to any via ${oif}
${fw6cmd} add deny all from any to ::ffff:0.0.0.0/96 via ${oif}
# Disallow packets to malicious IPv4 compatible prefix.
${fw6cmd} add deny all from ::224.0.0.0/100 to any via ${oif}
${fw6cmd} add deny all from any to ::224.0.0.0/100 via ${oif}
${fw6cmd} add deny all from ::127.0.0.0/104 to any via ${oif}
${fw6cmd} add deny all from any to ::127.0.0.0/104 via ${oif}
${fw6cmd} add deny all from ::0.0.0.0/104 to any via ${oif}
${fw6cmd} add deny all from any to ::0.0.0.0/104 via ${oif}
${fw6cmd} add deny all from ::255.0.0.0/104 to any via ${oif}
${fw6cmd} add deny all from any to ::255.0.0.0/104 via ${oif}
${fw6cmd} add deny all from ::0.0.0.0/96 to any via ${oif}
${fw6cmd} add deny all from any to ::0.0.0.0/96 via ${oif}
# Disallow packets to malicious 6to4 prefix.
${fw6cmd} add deny all from 2002:e000::/20 to any via ${oif}
${fw6cmd} add deny all from any to 2002:e000::/20 via ${oif}
${fw6cmd} add deny all from 2002:7f00::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:7f00::/24 via ${oif}
${fw6cmd} add deny all from 2002:0000::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:0000::/24 via ${oif}
${fw6cmd} add deny all from 2002:ff00::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:ff00::/24 via ${oif}
${fw6cmd} add deny all from 2002:0a00::/24 to any via ${oif}
${fw6cmd} add deny all from any to 2002:0a00::/24 via ${oif}
${fw6cmd} add deny all from 2002:ac10::/28 to any via ${oif}
${fw6cmd} add deny all from any to 2002:ac10::/28 via ${oif}
${fw6cmd} add deny all from 2002:c0a8::/32 to any via ${oif}
${fw6cmd} add deny all from any to 2002:c0a8::/32 via ${oif}
${fw6cmd} add deny all from ff05::/32 to any via ${oif}
${fw6cmd} add deny all from any to ff05::/32 via ${oif}
# Allow TCP through if setup succeeded
${fw6cmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fw6cmd} add pass all from any to any frag
# Allow setup of incoming email
${fw6cmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fw6cmd} add pass tcp from any to ${oip} 53 setup
${fw6cmd} add pass udp from any to ${oip} 53
${fw6cmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
${fw6cmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
${fw6cmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fw6cmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fw6cmd} add pass udp from any 53 to ${oip}
${fw6cmd} add pass udp from ${oip} to any 53
# Allow NTP queries out in the world
${fw6cmd} add pass udp from any 123 to ${oip}
${fw6cmd} add pass udp from ${oip} to any 123
# RIPng
#${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
;;
*)
if [ -r "${ipv6_firewall_type}" ]; then
${fw6cmd} ${ipv6_firewall_flags} ${ipv6_firewall_type}
fi
;;
esac
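Review bot: The header comment lists `closed - totally disables IP services except via lo0 interface`, but the `case ${ipv6_firewall_type}` below has no arm for it, so `closed` falls into `*)`, `[ -r closed ]` fails, and nothing beyond the lo0 and ND rules is installed; whether the host is then closed depends entirely on the kernel's default policy. Add an explicit arm, `[Cc][Ll][Oo][Ss][Ee][Dd])` / `${fw6cmd} add 65000 deny all from any to any` / `;;`, so the documented behaviour does not rely on a kernel option. The `*)` arm has the same silent-failure shape for a mistyped keyword or an unreadable file; an `else echo "Warning: IPv6 firewall type ${ipv6_firewall_type} is neither a known type nor a readable rules file" >&2` makes the misconfiguration visible at boot. In the simple section the comment `# Stop site-local on the outside interface` does not describe the two rules under it, which deny ff02::/16 (link-local multicast) rather than fec0::/10; either reword it to `# Stop link-local multicast on the outside interface` or add the site-local rules it promises.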


@ -37,26 +37,74 @@
network6_pass1() {
echo -n 'Doing IPv6 network setup:'
case ${ipv6_gateway_enable} in
# Initialize IP filtering using ip6fw
#
if /sbin/ip6fw -q flush > /dev/null 2>&1; then
ipv6_firewall_in_kernel=1
else
ipv6_firewall_in_kernel=0
fi
case ${ipv6_firewall_enable} in
[Yy][Ee][Ss])
#
# list of interfaces, and prefix for interfaces
#
case ${ipv6_network_interfaces} in
[Aa][Uu][Tt][Oo])
ipv6_network_interfaces="`ifconfig -l`"
if [ "${ipv6_firewall_in_kernel}" -eq 0 ] && kldload ip6fw; then
ipv6_firewall_in_kernel=1
echo "Kernel IPv6 firewall module loaded."
elif [ "${ipv6_firewall_in_kernel}" -eq 0 ]; then
echo "Warning: IPv6 firewall kernel module failed to load."
fi
;;
esac
# Load the filters if required
#
case ${ipv6_firewall_in_kernel} in
1)
if [ -z "${ipv6_firewall_script}" ]; then
ipv6_firewall_script=/etc/rc.firewall6
fi
case ${ipv6_firewall_enable} in
[Yy][Ee][Ss])
if [ -r "${ipv6_firewall_script}" ]; then
. "${ipv6_firewall_script}"
echo -n 'IPv6 Firewall rules loaded.'
elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
echo -n "Warning: kernel has IPv6 firewall functionality, "
echo "but IPv6 firewall rules are not enabled."
echo " All ipv6 services are disabled."
fi
case ${ipv6_firewall_logging} in
[Yy][Ee][Ss] | '')
echo 'IPv6 Firewall logging=YES'
sysctl -w net.inet6.ip6.fw.verbose=1 >/dev/null
;;
*)
;;
esac
;;
esac
;;
*)
#
# manual configurations - in case ip6_gateway_enable=NO
# you can configure only single interface,
# as specification assumes that
# autoconfigured host has single interface only.
#
case ${ipv6_network_interfaces} in
[Aa][Uu][Tt][Oo])
esac
case ${ipv6_network_interfaces} in
[Aa][Uu][Tt][Oo])
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
#
# list of interfaces, and prefix for interfaces
#
ipv6_network_interfaces="`ifconfig -l`"
;;
*)
#
# manual configurations - in case ip6_gateway_enable=NO
# you can configure only single interface,
# as specification assumes that
# autoconfigured host has single interface only.
#
set `ifconfig -l`
ipv6_network_interfaces="$1"
;;
@ -83,46 +131,26 @@ network6_pass1() {
done
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
;;
*)
# act as endhost - start with manual configuration
sysctl -w net.inet6.ip6.forwarding=0
sysctl -w net.inet6.ip6.accept_rtadv=0
;;
esac
# setting up interfaces
for i in $ipv6_network_interfaces; do
eval prefix=\$ipv6_prefix_$i
case ${prefix} in
'')
continue;
;;
esac
for j in ${prefix}; do
case ${prefixcmd_enable} in
[Yy][Ee][Ss])
prefix $i $j::
;;
*)
laddr=`network6_getladdr $i`
hostid=`expr "${laddr}" : \
'fe80::\(.*\)%\(.*\)'`
address=$j\:${hostid}
# gifconfig
network6_gif_setup
eval hostid_$i=${hostid}
eval address_$i=${address}
# setting up interfaces
network6_interface_setup
ifconfig $i inet6 ${address} \
prefixlen 64 alias
;;
esac
# subnet-router anycast address (rfc2373)
ifconfig $i inet6 $j:: prefixlen 64 \
alias anycast
done
ifconfig $i inet6
done
# again, wait for DAD's completion (for global addrs)
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
# wait for DAD's completion (for global addrs)
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
# Filter out interfaces on which IPv6 addr init failed.
ipv6_working_interfaces=""
for i in ${ipv6_network_interfaces}; do
@ -137,20 +165,21 @@ network6_pass1() {
esac
done
ipv6_network_interfaces=${ipv6_working_interfaces}
;;
esac
# gifconfig
network6_gif_setup
# 6to4 setup
network6_stf_setup
# 6to4 setup
network6_stf_setup
# install the "default interface" to kernel, which will be used
# as the default route when there's no router.
network6_default_interface_setup
# install the "default interface" to kernel, which will be used
# as the default route when there's no router.
network6_default_interface_setup
# setup static routes
network6_static_routes_setup
# setup static routes
network6_static_routes_setup
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
# ipv6_router
case ${ipv6_router_enable} in
[Yy][Ee][Ss])
@ -167,7 +196,7 @@ network6_pass1() {
#
# And if you wish your rtadvd to receive and process
# router renumbering messages, specify your Router Renumbering
# security policy by -P option.
# security policy by -R option.
#
# See `man 3 ipsec_set_policy` for IPsec policy specification
# details.
@ -178,25 +207,29 @@ network6_pass1() {
case ${rtadvd_enable} in
[Yy][Ee][Ss])
# default
for i in ${ipv6_network_interfaces}; do
case $i in
stf*)
continue
;;
*)
rtadvd_interfaces="${rtadvd_interfaces} ${i}"
;;
esac
done
case ${rtadvd_interfaces} in
'')
for i in ${ipv6_network_interfaces}; do
case $i in
stf*)
continue
;;
*)
rtadvd_interfaces="${rtadvd_interfaces} ${i}"
;;
esac
done
;;
esac
rtadvd ${rtadvd_interfaces}
#
# Enable Router Renumbering, unicast case
# (use correct src/dst addr)
# rtadvd -P "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
# rtadvd -R "in ipsec ah/transport/fec0:0:0:1::1-fec0:0:0:10::1/require" \
# ${ipv6_network_interfaces}
# Enable Router Renumbering, multicast case
# (use correct src addr)
# rtadvd -P "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
# rtadvd -R "in ipsec ah/transport/ff05::2-fec0:0:0:10::1/require" \
# ${ipv6_network_interfaces}
;;
esac
@ -211,38 +244,6 @@ network6_pass1() {
;;
esac
;;
*)
# act as endhost - automatically configured
sysctl -w net.inet6.ip6.forwarding=0
sysctl -w net.inet6.ip6.accept_rtadv=1
case ${ipv6_network_interfaces} in
lo0|gif*|stf*|faith*)
;;
*)
ifconfig ${ipv6_network_interfaces} up
rtsol ${ipv6_network_interfaces}
;;
esac
# wait for DAD's completion (for global addrs)
sleep `sysctl -n net.inet6.ip6.dad_count`
sleep 1
# gifconfig
network6_gif_setup
# 6to4 setup
network6_stf_setup
# install the "default interface" to kernel, which will be used
# as the default route when there's no router.
# ndp -I ${ipv6_default_interface}
network6_default_interface_setup
# setup static routes
network6_static_routes_setup
;;
esac
case ${ipv6_ipv4mapping} in
@ -263,6 +264,85 @@ network6_pass1() {
network6_pass1_done=YES
}
network6_interface_setup() {
rtsol_interfaces=''
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
rtsol_available=no
;;
*)
rtsol_available=yes
prefixcmd_enable=NO
;;
esac
for i in $ipv6_network_interfaces; do
rtsol_interface=yes
eval prefix=\$ipv6_prefix_$i
if [ -n "${prefix}" ]; then
rtsol_available=no
rtsol_interface=no
for j in ${prefix}; do
case ${prefixcmd_enable} in
[Yy][Ee][Ss])
prefix $i $j::
;;
*)
laddr=`network6_getladdr $i`
hostid=`expr "${laddr}" : \
'fe80::\(.*\)%\(.*\)'`
address=$j\:${hostid}
eval hostid_$i=${hostid}
eval address_$i=${address}
ifconfig $i inet6 ${address} \
prefixlen 64 alias
;;
esac
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
# subnet-router anycast address
# (rfc2373)
ifconfig $i inet6 $j:: prefixlen 64 \
alias anycast
;;
esac
done
fi
eval ipv6_ifconfig=\$ipv6_ifconfig_$i
if [ -n "${ipv6_ifconfig}" ]; then
rtsol_available=no
rtsol_interface=no
ifconfig $i inet6 ${ipv6_ifconfig} alias
fi
if [ ${rtsol_available} = yes -a ${rtsol_interface} = yes ]
then
case ${i} in
lo0|gif*|stf*|faith*)
;;
*)
rtsol_interfaces="${rtsol_interfaces} ${i}"
;;
esac
else
ifconfig $i inet6
fi
done
if [ ${rtsol_available} = yes -a -n "${rtsol_interfaces}" ]; then
# Act as endhost - automatically configured.
# You can configure only single interface, as
# specification assumes that autoconfigured host has
# single interface only.
sysctl -w net.inet6.ip6.accept_rtadv=1
set ${rtsol_interfaces}
ifconfig $1 up
rtsol $1
fi
}
network6_gif_setup() {
case ${gif_interfaces} in
[Nn][Oo] | '')
@ -330,6 +410,14 @@ network6_stf_setup() {
network6_static_routes_setup() {
# Set up any static routes.
case ${ipv6_defaultrouter} in
[Nn][Oo] | '')
;;
*)
ipv6_static_routes="default ${ipv6_static_routes}"
ipv6_route_default="default ${ipv6_defaultrouter}"
;;
esac
case ${ipv6_static_routes} in
[Nn][Oo] | '')
;;
@ -362,16 +450,32 @@ network6_default_interface_setup() {
# Disallow unicast packets without outgoing scope identifiers,
# or route such packets to a "default" interface, if it is specified.
route add -inet6 fe80:: -prefixlen 10 ::1 -reject
case ${ipv6_default_interface} in
[Nn][Oo] | '')
route add -inet6 fe80:: -prefixlen 10 ::1 -reject
route add -inet6 fec0:: -prefixlen 10 ::1 -reject
;;
*)
laddr=`network6_getladdr ${ipv6_default_interface}`
route add -inet6 fec0:: ${laddr} -prefixlen 10 -interface \
-cloning
ndp -I ${ipv6_default_interface}
# Disable installing the default interface with the
# case net.inet6.ip6.forwarding=0 and
# net.inet6.ip6.accept_rtadv=0, due to avoid conflict
# between the default router list and the manual
# configured default route.
case ${ipv6_gateway_enable} in
[Yy][Ee][Ss])
ndp -I ${ipv6_default_interface}
;;
*)
if [ `sysctl -n net.inet6.ip6.accept_rtadv` -eq 1 ]
then
ndp -I ${ipv6_default_interface}
fi
;;
esac
;;
esac
}