firewall3: enable nat6

Make ipv6 nat managed by firewall3.
Add masq6 option in zone for nat6 masquerading.

Signed-off-by: Yanlong Wang <[email protected]>

Author: nomagick

CMakeLists.txt

@@ -19,6 +19,9 @@ ENDIF()
 
 IF (NOT DISABLE_IPV6)
   LIST(APPEND iptc_libs ip6tc)
+  IF (ENABLE_NAT6)
+    ADD_DEFINITIONS(-DENABLE_NAT6)
+  ENDIF()
 ELSE()
   ADD_DEFINITIONS(-DDISABLE_IPV6)
 ENDIF()

defaults.c

@@ -29,8 +29,13 @@ static const struct fw3_chain_spec default_chains[] = {
 	C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
 	C(ANY, FILTER, SYN_FLOOD,     "syn_flood"),
 
+#ifdef ENABLE_NAT6
+	C(ANY, NAT,    CUSTOM_CHAINS, "prerouting_rule"),
+	C(ANY, NAT,    CUSTOM_CHAINS, "postrouting_rule"),
+#else
 	C(V4,  NAT,    CUSTOM_CHAINS, "prerouting_rule"),
 	C(V4,  NAT,    CUSTOM_CHAINS, "postrouting_rule"),
+#endif
 
 	{ }
 };

options.h

@@ -263,6 +263,8 @@ struct fw3_time
 
 struct fw3_mark
 {
+	struct list_head list;
+
 	bool set;
 	bool invert;
 	uint32_t mark;
@@ -341,6 +343,8 @@ struct fw3_zone
 	struct list_head masq_src;
 	struct list_head masq_dest;
 
+	bool masq6;
+
 	bool mtu_fix;
 
 	struct list_head cthelpers;

redirects.c

@@ -124,11 +124,27 @@ check_families(struct uci_element *e, struct fw3_redirect *r)
 static bool
 compare_addr(struct fw3_address *a, struct fw3_address *b)
 {
-	if (a->family != FW3_FAMILY_V4 || b->family != FW3_FAMILY_V4)
-		return false;
-
-	return ((a->address.v4.s_addr & a->mask.v4.s_addr) ==
+	if (a->family == FW3_FAMILY_V4) {
+		if (b->family != FW3_FAMILY_V4) {
+			return false;
+		}
+		return ((a->address.v4.s_addr & a->mask.v4.s_addr) ==
 	        (b->address.v4.s_addr & a->mask.v4.s_addr));
+	}
+
+	if (a->family == FW3_FAMILY_V6) {
+		if (b->family != FW3_FAMILY_V6) {
+			return false;
+		}
+		bool r = true;
+		int i;
+		for (i = 0; i < 4; i++)
+			r = r && ((a->address.v6.s6_addr32[i] & a->mask.v6.s6_addr32[i]) == 
+			(b->address.v6.s6_addr32[i] & a->mask.v6.s6_addr32[i]));
+		return r;
+	}
+	
+	return false;
 }
 
 static bool
@@ -223,6 +239,11 @@ select_helper(struct fw3_state *state, struct fw3_redirect *redir)
 	redir->helper.ptr = helper;
 
 	set(redir->_src->flags, FW3_FAMILY_V4, FW3_FLAG_HELPER);
+
+#ifdef ENABLE_NAT6
+	set(redir->_src->flags, FW3_FAMILY_V6, FW3_FLAG_HELPER);
+#endif
+
 }
 
 static bool
@@ -297,8 +318,14 @@ check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_e
 		else if (redir->helper.invert)
 			warn_section("redirect", redir, e, "must not use a negated helper match");
 		else
-		{
-			set(redir->_src->flags, FW3_FAMILY_V4, redir->target);
+		{		
+#ifdef ENABLE_NAT6
+			if (fw3_is_family(redir, FW3_FAMILY_V6))
+				set(redir->_src->flags, FW3_FAMILY_V6, redir->target);
+			if (fw3_is_family(redir, FW3_FAMILY_V4))
+#endif
+				set(redir->_src->flags, FW3_FAMILY_V4, redir->target);
+
 			valid = true;
 
 			if (!check_local(e, redir, state) && !redir->dest.set &&
@@ -309,15 +336,32 @@ check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_e
 						redir->dest.name);
 			}
 
-			if (redir->reflection && redir->_dest && redir->_src->masq)
+			if (redir->reflection && redir->_dest)
 			{
-				set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_ACCEPT);
-				set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_DNAT);
-				set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
+				if (redir->_src->masq && fw3_is_family(redir->_dest, FW3_FAMILY_V4)) {
+					set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_ACCEPT);
+					set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_DNAT);
+					set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
+				}
+#ifdef ENABLE_NAT6 
+				if (redir->_src->masq6 && fw3_is_family(redir->_dest, FW3_FAMILY_V6)) {
+					set(redir->_dest->flags, FW3_FAMILY_V6, FW3_FLAG_ACCEPT);
+					set(redir->_dest->flags, FW3_FAMILY_V6, FW3_FLAG_DNAT);
+					set(redir->_dest->flags, FW3_FAMILY_V6, FW3_FLAG_SNAT);
+				}
+#endif			
 			}
 
 			if (redir->helper.ptr)
+			{
 				set(redir->_src->flags, FW3_FAMILY_V4, FW3_FLAG_HELPER);
+
+#ifdef ENABLE_NAT6
+				set(redir->_src->flags, FW3_FAMILY_V6, FW3_FLAG_HELPER);
+#endif
+
+			}
+				
 		}
 	}
 	else
@@ -336,6 +380,11 @@ check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_e
 		else
 		{
 			set(redir->_dest->flags, FW3_FAMILY_V4, redir->target);
+
+#ifdef ENABLE_NAT6
+			set(redir->_dest->flags, FW3_FAMILY_V6, redir->target);
+#endif
+
 			valid = true;
 		}
 	}
@@ -475,13 +524,22 @@ static void
 set_snat_dnat(struct fw3_ipt_rule *r, enum fw3_flag target,
               struct fw3_address *addr, struct fw3_port *port)
 {
+#ifdef ENABLE_NAT6
+	char buf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:65535-65535\0")];
+#else
 	char buf[sizeof("255.255.255.255:65535-65535\0")];
+#endif
 
 	buf[0] = '\0';
 
 	if (addr && addr->set)
 	{
-		inet_ntop(AF_INET, &addr->address.v4, buf, sizeof(buf));
+#ifdef ENABLE_NAT6
+		if (addr->family == FW3_FAMILY_V6) 
+			inet_ntop(AF_INET6, &addr->address.v6, buf, sizeof(buf));
+		else
+#endif
+			inet_ntop(AF_INET, &addr->address.v4, buf, sizeof(buf));
 	}
 
 	if (port && port->set)
@@ -729,8 +787,19 @@ expand_redirect(struct fw3_ipt_handle *handle, struct fw3_state *state,
 				else
 					ref_addr = *ext_addr;
 
-				ref_addr.mask.v4.s_addr = 0xFFFFFFFF;
-				ext_addr->mask.v4.s_addr = 0xFFFFFFFF;
+#ifdef ENABLE_NAT6
+				if (ref_addr.family == FW3_FAMILY_V6) 
+					memset(ref_addr.mask.v6.s6_addr, 0xFF, 16);
+				else
+#endif
+					ref_addr.mask.v4.s_addr = 0xFFFFFFFF;
+
+#ifdef ENABLE_NAT6
+				if (ext_addr->family == FW3_FAMILY_V6)
+					memset(ext_addr->mask.v6.s6_addr, 0xFF, 16);
+				else 
+#endif
+					ext_addr->mask.v4.s_addr = 0xFFFFFFFF;
 
 				print_reflection(handle, state, redir, num, proto,
 								 &ref_addr, int_addr, ext_addr);
@@ -749,8 +818,10 @@ fw3_print_redirects(struct fw3_ipt_handle *handle, struct fw3_state *state)
 	int num = 0;
 	struct fw3_redirect *redir;
 
+#ifndef ENABLE_NAT6
 	if (handle->family == FW3_FAMILY_V6)
 		return;
+#endif
 
 	if (handle->table != FW3_TABLE_FILTER &&
 	    handle->table != FW3_TABLE_NAT &&

snats.c

@@ -186,8 +186,15 @@ check_snat(struct fw3_state *state, struct fw3_snat *snat, struct uci_element *e
 		fw3_parse_protocol(&snat->proto, "all", true);
 	}
 
-	if (snat->_src)
-		set(snat->_src->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
+	if (snat->_src) {
+
+#ifdef ENABLE_NAT6
+		if (fw3_is_family(snat->_src, FW3_FAMILY_V6)) 
+			set(snat->_src->flags, FW3_FAMILY_V6, FW3_FLAG_SNAT);
+		if (fw3_is_family(snat->_src, FW3_FAMILY_V4))
+#endif
+			set(snat->_src->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
+	}
 
 	return true;
 }
@@ -265,15 +272,24 @@ static void
 set_target(struct fw3_ipt_rule *r, struct fw3_snat *snat,
            struct fw3_protocol *proto)
 {
+#ifdef ENABLE_NAT6
+	char buf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:65535-65535\0")];
+#else
 	char buf[sizeof("255.255.255.255:65535-65535\0")];
+#endif
 
 	if (snat->target == FW3_FLAG_SNAT)
 	{
 		buf[0] = '\0';
 
 		if (snat->ip_snat.set)
 		{
-			inet_ntop(AF_INET, &snat->ip_snat.address.v4, buf, sizeof(buf));
+#ifdef ENABLE_NAT6
+			if (snat->ip_snat.family == FW3_FAMILY_V6)
+				inet_ntop(AF_INET6, &snat->ip_snat.address.v6, buf, sizeof(buf));
+			else
+#endif
+				inet_ntop(AF_INET, &snat->ip_snat.address.v4, buf, sizeof(buf));
 		}
 
 		if (snat->port_snat.set && proto && !proto->any &&
@@ -410,8 +426,10 @@ fw3_print_snats(struct fw3_ipt_handle *handle, struct fw3_state *state)
 	int num = 0;
 	struct fw3_snat *snat;
 
+#ifndef ENABLE_NAT6
 	if (handle->family == FW3_FAMILY_V6)
 		return;
+#endif
 
 	if (handle->table != FW3_TABLE_NAT)
 		return;

utils.c

@@ -512,6 +512,11 @@ write_zone_uci(struct uci_context *ctx, struct fw3_zone *z,
 	ptr.value  = z->masq ? "1" : "0";
 	uci_set(ctx, &ptr);
 
+	ptr.o      = NULL;
+	ptr.option = "masq6";
+	ptr.value  = z->masq6 ? "1" : "0";
+	uci_set(ctx, &ptr);
+
 	ptr.o      = NULL;
 	ptr.option = "mtu_fix";
 	ptr.value  = z->mtu_fix ? "1" : "0";

zones.c

@@ -37,8 +37,13 @@ static const struct fw3_chain_spec zone_chains[] = {
 	C(ANY, FILTER, REJECT,        "zone_%s_dest_REJECT"),
 	C(ANY, FILTER, DROP,          "zone_%s_dest_DROP"),
 
+#ifdef ENABLE_NAT6
+	C(ANY, NAT,    SNAT,          "zone_%s_postrouting"),
+	C(ANY, NAT,    DNAT,          "zone_%s_prerouting"),
+#else
 	C(V4,  NAT,    SNAT,          "zone_%s_postrouting"),
 	C(V4,  NAT,    DNAT,          "zone_%s_prerouting"),
+#endif
 
 	C(ANY, RAW,    HELPER,        "zone_%s_helper"),
 	C(ANY, RAW,    NOTRACK,       "zone_%s_notrack"),
@@ -47,8 +52,13 @@ static const struct fw3_chain_spec zone_chains[] = {
 	C(ANY, FILTER, CUSTOM_CHAINS, "output_%s_rule"),
 	C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_%s_rule"),
 
+#ifdef ENABLE_NAT6
+	C(ANY, NAT,    CUSTOM_CHAINS, "prerouting_%s_rule"),
+	C(ANY, NAT,    CUSTOM_CHAINS, "postrouting_%s_rule"),
+#else
 	C(V4,  NAT,    CUSTOM_CHAINS, "prerouting_%s_rule"),
 	C(V4,  NAT,    CUSTOM_CHAINS, "postrouting_%s_rule"),
+#endif
 
 	{ }
 };
@@ -77,6 +87,8 @@ const struct fw3_option fw3_zone_opts[] = {
 	FW3_LIST("masq_src",           network,  zone,     masq_src),
 	FW3_LIST("masq_dest",          network,  zone,     masq_dest),
 
+	FW3_OPT("masq6",               bool,     zone,     masq6),
+
 	FW3_OPT("extra",               string,   zone,     extra_src),
 	FW3_OPT("extra_src",           string,   zone,     extra_src),
 	FW3_OPT("extra_dest",          string,   zone,     extra_dest),
@@ -306,10 +318,22 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 			fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
 		}
 
+#ifdef ENABLE_NAT6
+		if (zone->masq6) 
+		{
+			fw3_setbit(zone->flags[1], FW3_FLAG_SNAT);
+		}
+#endif
+
 		if (zone->custom_chains)
 		{
 			fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
 			fw3_setbit(zone->flags[0], FW3_FLAG_DNAT);
+
+#ifdef ENABLE_NAT6
+			fw3_setbit(zone->flags[1], FW3_FLAG_SNAT);
+			fw3_setbit(zone->flags[1], FW3_FLAG_DNAT);
+#endif
 		}
 
 		resolve_cthelpers(state, e, zone);
@@ -318,9 +342,11 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 		fw3_setbit(zone->flags[0], zone->policy_forward);
 		fw3_setbit(zone->flags[0], zone->policy_output);
 
+#ifdef ENABLE_NAT6
 		fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_input));
 		fw3_setbit(zone->flags[1], zone->policy_forward);
 		fw3_setbit(zone->flags[1], zone->policy_output);
+#endif
 
 		list_add_tail(&zone->list, &state->zones);
 	}
@@ -669,7 +695,11 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 		break;
 
 	case FW3_TABLE_NAT:
+#ifdef ENABLE_NAT6
+		if ((zone->masq && handle->family == FW3_FAMILY_V4) || (zone->masq6 && handle->family == FW3_FAMILY_V6))
+#else
 		if (zone->masq && handle->family == FW3_FAMILY_V4)
+#endif
 		{
 			/* for any negated masq_src ip, emit -s addr -j RETURN rules */
 			for (msrc = NULL;
@@ -716,6 +746,7 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 					fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
 				}
 			}
+
 		}
 		break;