2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2010 Michael Tremer & Christian Schmidt #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IP_SUPPORTED_PROTOCOLS
="${IP_SUPPORTED_PROTOCOLS} ipv6"
24 ipv6_device_autoconf_enable
() {
26 assert device_exists
"${device}"
28 sysctl_set
"net.ipv6.conf.${device}.accept_ra" 1
29 sysctl_set
"net.ipv6.conf.${device}.autoconf" 1
31 log INFO
"Enabled IPv6 auto-configuration on '${device}'"
33 # Disable IPv6 forwarding which cannot be used when the
34 # device is using IPv6 auto-configuration.
35 ipv6_device_forwarding_disable
"${device}"
38 ipv6_device_autoconf_disable
() {
40 assert device_exists
"${device}"
42 sysctl_set
"net.ipv6.conf.${device}.accept_ra" 0
43 sysctl_set
"net.ipv6.conf.${device}.autoconf" 0
45 log INFO
"Disabled IPv6 auto-configuration on '${device}'"
47 # Enable IPv6 forwarding again
48 ipv6_device_forwarding_enable
"${device}"
50 # Automatically disable privacy extensions
51 ipv6_device_privacy_extensions_disable
"${device}"
54 ipv6_device_forwarding_enable
() {
69 sysctl_set
"net.ipv6.conf.${device}.forwarding" 1
71 log INFO
"Enabled IPv6 forwarding on '${device}'"
73 # If forwarding is enabled, the kernel won't process
74 # any router advertisements any more, which is not good
75 # when we still want a default route when running in
76 # DHCP client mode on an uplink zone.
77 if [ ${accept_ra} -gt 0 ]; then
78 log INFO
" and accepting router advertisements"
80 sysctl_set
"net.ipv6.conf.${device}.accept_ra" 2
84 ipv6_device_forwarding_disable
() {
87 sysctl_set
"net.ipv6.conf.${device}.forwarding" 0
89 log INFO
"Disabled IPv6 forwarding on '${device}'"
92 # Enable IPv6 RFC3041 privacy extensions if desired
93 ipv6_device_privacy_extensions_enable
() {
95 assert device_exists
"${device}"
97 sysctl_set
"net.ipv6.conf.${device}.use_tempaddr" 2
100 ipv6_device_privacy_extensions_disable
() {
102 assert device_exists
"${device}"
104 sysctl_set
"net.ipv6.conf.${device}.use_tempaddr" 0
110 local prefix
=$
(ip_get_prefix
${address})
111 address
=$
(ip_split_prefix
${address})
113 # If prefix is set, we check if it is correct
114 if isset prefix
; then
116 isinteger prefix ||
return ${EXIT_FALSE}
118 # Must be 128 if present
119 [ ${prefix} -eq 128 ] ||
return ${EXIT_FALSE}
122 inetcalc
-6 -c ${address} && return ${EXIT_TRUE} || return ${EXIT_FALSE}
125 ipv6_net_is_valid
() {
128 local prefix
="$(ip_get_prefix "${net}")"
129 local addr
="$(ip_split_prefix "${net}")"
131 ipv6_prefix_is_valid
"${prefix}" && ipv6_is_valid
"${addr}"
134 ipv6_prefix_is_valid
() {
137 # Check if prefix is a number
138 isinteger prefix ||
return ${EXIT_FALSE}
140 [ ${prefix} -le 0 ] && return ${EXIT_FALSE}
141 [ ${prefix} -gt 128 ] && return ${EXIT_FALSE}
146 ipv6_prefix_size_is_valid_for_delegation
() {
147 local prefix_size
="${1}"
148 assert isinteger prefix_size
150 # For prefix delegation, the prefix must be between /48 and /64
151 # (RFC3769, section 3.1)
152 [[ ${prefix_size} -lt 48 ]] && return ${EXIT_FALSE}
153 [[ ${prefix_size} -gt 64 ]] && return ${EXIT_FALSE}
162 ipv6_split_prefix
() {
171 assert device_exists
"${device}"
175 local preferred_lft valid_lft
177 # Enable to wait until DAD has finished and return
178 # an error if it has failed
179 local wait_for_dad
="true"
184 --preferred-lifetime=*)
185 preferred_lft
="$(cli_get_val "${arg}")"
188 valid_lft
="$(cli_get_val "${arg}")"
194 done <<< "$(args $@)"
196 local cmd
="ip addr add ${address} dev ${device} scope ${scope}"
199 if isinteger preferred_lft
; then
200 list_append cmd
"preferred_lft ${preferred_lft}"
204 if isinteger valid_lft
; then
205 list_append cmd
"valid_lft ${valid_lft}"
208 cmd_quiet
"${cmd}" ||
return ${EXIT_ERROR}
210 if enabled wait_for_dad
; then
211 log DEBUG
"Waiting for DAD to complete..."
213 ipv6_wait_for_dad
"${address}" "${device}"
219 log DEBUG
"DAD successfully completed"
225 log ERROR
"DAD failed"
227 # Remove the IP address again
228 ipv6_address_del
"${address}" "${device}"
235 log ERROR
"DAD failed with unhandled error: ${ret}"
248 ip_address_del
"${device}" "${address}"
251 ipv6_address_flush
() {
255 log DEBUG
"Flushing all IPv6 addresses on ${device}"
257 # Remove any stale addresses from aborted clients
258 cmd_quiet ip
-6 addr flush dev
"${device}" scope global permanent
259 cmd_quiet ip
-6 addr flush dev
"${device}" scope global dynamic
262 ipv6_address_change_lifetime
() {
267 assert device_exists
"${device}"
276 --preferred-lifetime=*)
277 preferred_lft
="$(cli_get_val "${arg}")"
280 valid_lft
="$(cli_get_val "${arg}")"
283 done <<< "$(args $@)"
285 local cmd
="ip -6 addr change ${address} dev ${device} scope global"
287 if isinteger preferred_lft
; then
288 list_append cmd
"preferred_lft" "${preferred_lft}"
291 if isinteger valid_lft
; then
292 list_append cmd
"valid_lft" "${valid_lft}"
295 if ! cmd_quiet
"${cmd}"; then
296 log ERROR
"Could not change lifetimes of ${address} (${device})"
300 log DEBUG
"Changed lifetimes of ${address} (${device}) to:"
301 if isset preferred_lft
; then
302 log DEBUG
" preferred: ${preferred_lft}"
305 if isset valid_lft
; then
306 log DEBUG
" valid: ${valid_lft}"
312 ipv6_get_dad_status
() {
319 # Strip prefix from address
320 address
="$(ipv6_split_prefix "${address}")"
322 local output
="$(ip -o addr show dev "${device}" to "${address}")"
323 if ! isset output
; then
327 # Abort if DAD failed
328 if [[ ${output} =~
"dadfailed" ]]; then
329 return ${EXIT_DAD_FAILED}
332 # Wait a little more if DAD is still in progress
333 if [[ ${output} =~
"tentative" ]]; then
334 return ${EXIT_DAD_TENTATIVE}
337 # DAD has successfully completed
338 return ${EXIT_DAD_OK}
341 ipv6_wait_for_dad
() {
348 # Strip prefix from address
349 address
="$(ipv6_split_prefix "${address}")"
354 ipv6_get_dad_status
"${address}" "${interface}"
358 # DAD is still in progress. Give it a moment to settle...
359 ${EXIT_DAD_TENTATIVE})
364 # Raise all other error codes
365 ${EXIT_DAD_OK}|
${EXIT_DAD_FAILED}|
*)
374 ipv6_device_get_addresses
() {
385 scope
="$(cli_get_val "${arg}")"
388 done <<< "$(args $@)"
390 local cmd
="ip -o addr show dev ${device}"
392 assert isoneof scope global dynamic link
393 list_append cmd
"scope ${scope}"
402 for (( i
=0; i
< ${#args[@]} - 1; i
++ )); do
403 if [ "${args[${i}]}" = "inet6" ]; then
404 list_append_one addresses
"${args[$(( ${i} + 1 ))]}"
410 list_sort
${addresses}
423 inetcalc
-6 -e "${addr1}" "${addr2}" \
424 && return ${EXIT_TRUE} ||
return ${EXIT_FALSE}
433 inetcalc
-6 -g "${addr1}" "${addr2}" \
434 && return ${EXIT_TRUE} ||
return ${EXIT_FALSE}
438 ipv6_addr_eq $@ || ipv6_addr_gt $@
442 ! ipv6_addr_eq $@
&& ! ipv6_addr_gt $@
446 ipv6_addr_eq $@ ||
! ipv6_addr_gt $@