2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2010 Michael Tremer & Christian Schmidt #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IP_SUPPORTED_PROTOCOLS
="${IP_SUPPORTED_PROTOCOLS} ipv6"
24 function ipv6_device_autoconf_enable
() {
26 assert device_exists
"${device}"
28 sysctl_set
"net.ipv6.conf.${device}.accept_ra" 1
29 sysctl_set
"net.ipv6.conf.${device}.autoconf" 1
31 log INFO
"Enabled IPv6 auto-configuration on '${device}'"
33 # Disable IPv6 forwarding which cannot be used when the
34 # device is using IPv6 auto-configuration.
35 ipv6_device_forwarding_disable
"${device}"
38 function ipv6_device_autoconf_disable
() {
40 assert device_exists
"${device}"
42 sysctl_set
"net.ipv6.conf.${device}.accept_ra" 0
43 sysctl_set
"net.ipv6.conf.${device}.autoconf" 0
45 log INFO
"Disabled IPv6 auto-configuration on '${device}'"
47 # Enable IPv6 forwarding again
48 ipv6_device_forwarding_enable
"${device}"
50 # Automatically disable privacy extensions
51 ipv6_device_privacy_extensions_disable
"${device}"
54 function ipv6_device_forwarding_enable
() {
57 sysctl_set
"net.ipv6.conf.${device}.forwarding" 1
59 log INFO
"Enabled IPv6 forwarding on '${device}'"
62 function ipv6_device_forwarding_disable
() {
65 sysctl_set
"net.ipv6.conf.${device}.forwarding" 0
67 log INFO
"Disabled IPv6 forwarding on '${device}'"
70 # Enable IPv6 RFC3041 privacy extensions if desired
71 function ipv6_device_privacy_extensions_enable
() {
73 assert device_exists
"${device}"
75 sysctl_set
"net.ipv6.conf.${device}.use_tempaddr" 2
78 function ipv6_device_privacy_extensions_disable
() {
80 assert device_exists
"${device}"
82 sysctl_set
"net.ipv6.conf.${device}.use_tempaddr" 0
85 function ipv6_is_valid
() {
86 ipcalc
--ipv6 -c $@
>/dev
/null
2>&1
98 function ipv6_prefix_is_valid
() {
102 [ ${prefix} -le 0 ] && return ${EXIT_FALSE}
103 [ ${prefix} -gt 128 ] && return ${EXIT_FALSE}
108 function ipv6_get_prefix
() {
112 function ipv6_split_prefix
() {
116 function ipv6_address_add
() {
121 assert device_exists
"${device}"
125 local preferred_lft valid_lft
127 # Enable to wait until DAD has finished and return
128 # an error if it has failed
129 local wait_for_dad
="true"
134 --preferred-lifetime=*)
135 preferred_lft
="$(cli_get_val "${arg}")"
138 valid_lft
="$(cli_get_val "${arg}")"
144 done <<< "$(args $@)"
146 local cmd
="ip addr add ${address} dev ${device} scope ${scope}"
149 if isinteger preferred_lft
; then
150 list_append cmd
"preferred_lft ${preferred_lft}"
154 if isinteger valid_lft
; then
155 list_append cmd
"valid_lft ${valid_lft}"
158 cmd_quiet
"${cmd}" ||
return ${EXIT_ERROR}
160 if enabled wait_for_dad
; then
161 log DEBUG
"Waiting for DAD to complete..."
163 ipv6_wait_for_dad
"${address}" "${device}"
169 log DEBUG
"DAD successfully completed"
175 log ERROR
"DAD failed"
177 # Remove the IP address again
178 ipv6_address_del
"${address}" "${device}"
185 log ERROR
"DAD failed with unhandled error: ${ret}"
194 function ipv6_address_del
() {
198 ip_address_del
"${device}" "${address}"
201 function ipv6_address_flush
() {
205 log DEBUG
"Flushing all IPv6 addresses on ${device}"
207 # Remove any stale addresses from aborted clients
208 cmd_quiet ip
-6 addr flush dev
"${device}" scope global permanent
211 function ipv6_address_change_lifetime
() {
216 assert device_exists
"${device}"
225 --preferred-lifetime=*)
226 preferred_lft
="$(cli_get_val "${arg}")"
229 valid_lft
="$(cli_get_val "${arg}")"
232 done <<< "$(args $@)"
234 local cmd
="ip -6 addr change ${address} dev ${device} scope global"
236 if isinteger preferred_lft
; then
237 list_append cmd
"preferred_lft" "${preferred_lft}"
240 if isinteger valid_lft
; then
241 list_append cmd
"valid_lft" "${valid_lft}"
244 if ! cmd_quiet
"${cmd}"; then
245 log ERROR
"Could not change lifetimes of ${address} (${device})"
249 log DEBUG
"Changed lifetimes of ${address} (${device}) to:"
250 if isset preferred_lft
; then
251 log DEBUG
" preferred: ${preferred_lft}"
254 if isset valid_lft
; then
255 log DEBUG
" valid: ${valid_lft}"
261 function ipv6_get_dad_status
() {
268 # Strip prefix from address
269 address
="$(ipv6_split_prefix "${address}")"
271 local output
="$(ip -o addr show dev "${device}" to "${address}")"
272 if ! isset output
; then
276 # Abort if DAD failed
277 if [[ ${output} =~
"dadfailed" ]]; then
278 return ${EXIT_DAD_FAILED}
281 # Wait a little more if DAD is still in progress
282 if [[ ${output} =~
"tentative" ]]; then
283 return ${EXIT_DAD_TENTATIVE}
286 # DAD has successfully completed
287 return ${EXIT_DAD_OK}
290 function ipv6_wait_for_dad
() {
297 # Strip prefix from address
298 address
="$(ipv6_split_prefix "${address}")"
303 ipv6_get_dad_status
"${address}" "${interface}"
307 # DAD is still in progress. Give it a moment to settle...
308 ${EXIT_DAD_TENTATIVE})
313 # Raise all other error codes
314 ${EXIT_DAD_OK}|
${EXIT_DAD_FAILED}|
*)
323 function ipv6_device_get_addresses
() {
334 scope
="$(cli_get_val "${arg}")"
337 done <<< "$(args $@)"
339 local cmd
="ip -o addr show dev ${device}"
341 assert isoneof scope global dynamic link
342 list_append cmd
"scope ${scope}"
351 for (( i
=0; i
< ${#args[@]} - 1; i
++ )); do
352 if [ "${args[${i}]}" = "inet6" ]; then
353 list_append_one addresses
"${args[$(( ${i} + 1 ))]}"
359 list_sort
${addresses}
362 function ipv6_implode
() {
367 eval $
(ipcalc
-6 -i ${address} 2>/dev
/null
)
368 assert isset ADDRESS6_IMPL
370 print
"${ADDRESS6_IMPL}"
373 function ipv6_explode
() {
377 # Nothing to do if the length of the address is 39.
378 if [ ${#address} -eq 39 ]; then
384 eval $
(ipcalc
-6 -e ${address} 2>/dev
/null
)
385 assert isset ADDRESS6_EXPL
387 print
"${ADDRESS6_EXPL}"
390 function ipv6_addr_eq
() {
398 for addr
in addr1 addr2
; do
399 printf -v ${addr} "%s" $
(ipv6_explode
${!addr})
402 [[ "${addr1}" = "${addr2}" ]] \
403 && return ${EXIT_TRUE} ||
return ${EXIT_FALSE}
406 function ipv6_addr_gt
() {
414 for addr
in addr1 addr2
; do
415 printf -v ${addr} "%s" $
(ipv6_explode
${!addr})
418 local i addr1_oct addr2_oct
419 for i
in 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30; do
420 addr1_oct
="0x${addr1:${i}:2}"
421 addr2_oct
="0x${addr2:${i}:2}"
423 [[ ${addr1_oct} -gt ${addr2_oct} ]] && return ${EXIT_TRUE}
429 function ipv6_hash
() {
435 address
=$
(ipv6_explode
${address})
437 echo "${address//:/}"
440 function ipv6_get_network
() {
444 # Check if a prefix (e.g. /64) is provided.
445 local prefix
=$
(ip_get_prefix
${addr})
446 assert ipv6_prefix_is_valid
${prefix}
449 eval $
(ipcalc
--ipv6 -p ${addr})
452 print
"${PREFIX6}/${prefix}"
455 function ipv6_6rd_format_address
() {
456 local isp_prefix
="${1}"
457 assert ipv6_is_valid
"${isp_prefix}"
459 local client_address
="${2}"
460 assert ipv4_is_valid
"${client_address}"
462 local prefix
="$(ipv6_get_prefix "${isp_prefix}")"
463 isp_prefix
="$(ipv6_split_prefix "${isp_prefix}")"
465 # This only works for prefix lengths up to 32 bit.
466 assert
[ "${prefix}" -le 32 ]
467 assert
[ "${prefix}" -gt 0 ]
469 # Explode the address and throw away the second 32 bit.
470 local address
="$(ipv6_explode "${isp_prefix}")"
472 client_address
="$(ipv6_6rd_format_client_address ${client_address})"
473 assert isset client_address
475 local block1
="0x${address:0:4}"
476 local block2
="0x${address:5:4}"
477 local block3
="0x${address:10:4}"
478 local block4
="0x${address:15:4}"
480 address
="$(( (${block1} << 48) + (${block2} << 32) + (${block3} << 16) + ${block4} ))"
481 assert
[ "${address}" -gt 0 ]
483 block1
="0x${client_address:0:4}"
484 block2
="0x${client_address:5:4}"
486 client_address
="$(( (${block1} << 48) + (${block2} << 32) ))"
488 # Fix for numbers that are interpreted by bash as negative
489 # numbers and therefore filled up with ones when shifted to
491 if [ "${client_address}" -gt 0 ]; then
492 client_address
="$(( ${client_address} >> ${prefix} ))"
494 local bitmask
="$(( 1 << 63 ))"
495 client_address
="$(( ${client_address} >> 1 ))"
496 client_address
="$(( ${client_address} ^ ${bitmask} ))"
497 client_address
="$(( ${client_address} >> $(( ${prefix} - 1 )) ))"
499 assert
[ "${client_address}" -gt 0 ]
501 # XOR everything together
502 address
="$(( ${address} ^ ${client_address} ))"
503 prefix
="$(( ${prefix} + 32 ))"
505 local block formatted_address
=":"
506 while [ ${address} -gt 0 ]; do
507 printf -v block
"%x" "$(( ${address} & 0xffff ))"
508 formatted_address
="${block}:${formatted_address}"
510 address
="$(( ${address} >> 16 ))"
513 assert ipv6_is_valid
"${formatted_address}"
515 # Implode the output IP address.
516 formatted_address
="$(ipv6_implode "${formatted_address}")"
518 print
"${formatted_address}/${prefix}"
521 function ipv6_6rd_format_client_address
() {
525 print
"%02x%02x:%02x%02x" ${address//\./ }