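#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2010 Michael Tremer & Christian Schmidt                       #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

# IPv6 helpers: per-device sysctl toggles under /proc/sys/net/ipv6/conf and
# address utilities built on ipcalc. Helpers such as assert, isset, isoneof,
# device_exists, print, log, error_log, ip_get_prefix and init_register are
# not defined in this file.

IP_SUPPORTED_PROTOCOLS="${IP_SUPPORTED_PROTOCOLS} ipv6"

# Start-up hook for IPv6. It currently only writes a log line; the
# per-device defaults below are commented out and therefore not applied.
function ipv6_init() {
  log INFO "Initializing IPv6 networking."

  # Forwarding defaults for all devices (not applied at the moment)
  #ipv6_device_forwarding_disable all
  #ipv6_device_forwarding_disable default

  # Disable autoconfiguration on all devices per default
  #ipv6_device_autoconf_disable all
  #ipv6_device_autoconf_disable default

  # XXX do we need this?
  #local device
  #for device in $(devices_get_all); do
  #  ipv6_device_forwarding_disable ${device}
  #  ipv6_device_autoconf_disable ${device}
  #done
}

init_register ipv6_init

# Turns on acceptance of router advertisements and ICMPv6 redirects.
# Arguments: $1 - device name, or the kernel pseudo-entries "all"/"default"
#
# Caveat: with both knobs set to 1, any host on the link can influence the
# addressing and routing of this device, so use this only where the on-link
# router is trusted.
# NOTE(review): the device name becomes part of a /proc path. The only guard
# is device_exists (defined elsewhere); confirm that it rejects names that
# contain "/" or "..".
function ipv6_device_autoconf_enable() {
  local device=${1}
  assert isset device

  # Allow setting default and all settings
  if ! isoneof device all default; then
    assert device_exists "${device}"
  fi

  local val
  for val in accept_ra accept_redirects; do
    echo 1 > "/proc/sys/net/ipv6/conf/${device}/${val}"
  done
}

# Turns off acceptance of router advertisements and ICMPv6 redirects.
# Arguments: $1 - device name, or "all"/"default"
function ipv6_device_autoconf_disable() {
  local device=${1}
  assert isset device

  # Allow setting default and all settings
  if ! isoneof device all default; then
    assert device_exists "${device}"
  fi

  local val
  for val in accept_ra accept_redirects; do
    echo 0 > "/proc/sys/net/ipv6/conf/${device}/${val}"
  done
}

# Enables IPv6 forwarding.
# Arguments: $1 - device name, or "all"/"default"
#
# NOTE(review): on Linux, accept_ra=1 is ignored while forwarding is enabled
# on an interface; confirm the intended combination with
# ipv6_device_autoconf_enable.
function ipv6_device_forwarding_enable() {
  local device=${1}
  assert isset device

  # Allow setting default and all settings
  if ! isoneof device all default; then
    assert device_exists "${device}"
  fi

  echo 1 > "/proc/sys/net/ipv6/conf/${device}/forwarding"
}

# Disables IPv6 forwarding.
# Arguments: $1 - device name, or "all"/"default"
function ipv6_device_forwarding_disable() {
  local device=${1}
  assert isset device

  # Allow setting default and all settings
  if ! isoneof device all default; then
    assert device_exists "${device}"
  fi

  echo 0 > "/proc/sys/net/ipv6/conf/${device}/forwarding"
}

# Enable IPv6 RFC3041 privacy extensions if desired
# Arguments: $1 - device name (must exist; "all"/"default" are not accepted)
#            $2 - type, optional; only "rfc3041" is supported
# Returns:   EXIT_OK on success, EXIT_ERROR for an unsupported type
function ipv6_device_privacy_extensions_enable() {
  local device=${1}
  local type=${2}

  assert isset device
  assert device_exists "${device}"

  # Default value is rfc3041
  : "${type:=rfc3041}"
  assert isset type

  case "${type}" in
    rfc3041)
      # 2 = generate temporary addresses and prefer them over public ones
      echo 2 > "/proc/sys/net/ipv6/conf/${device}/use_tempaddr"
      ;;
    *)
      error_log "Given type '${type}' is not supported."
      return ${EXIT_ERROR}
      ;;
  esac

  return ${EXIT_OK}
}

# Disables temporary (privacy) addresses on a device.
# Arguments: $1 - device name (must exist)
function ipv6_device_privacy_extensions_disable() {
  local device=${1}

  assert isset device
  assert device_exists "${device}"

  echo 0 > "/proc/sys/net/ipv6/conf/${device}/use_tempaddr"
}

# Asks ipcalc whether the arguments form a valid IPv6 address.
# Arguments: passed through to "ipcalc --ipv6 -c"
# Returns:   EXIT_OK if ipcalc exits with 0, EXIT_ERROR otherwise
#
# The arguments are quoted so that whitespace or glob characters in a value
# cannot turn into extra ipcalc arguments. A value that starts with "-" is
# still read by ipcalc as an option.
function ipv6_is_valid() {
  if ipcalc --ipv6 -c "$@" >/dev/null 2>&1; then
    return ${EXIT_OK}
  fi

  return ${EXIT_ERROR}
}

# Checks that a prefix length is a decimal number from 1 to 128.
# Arguments: $1 - prefix length
# Returns:   EXIT_TRUE if valid, EXIT_FALSE otherwise
function ipv6_prefix_is_valid() {
  local prefix=${1}
  assert isset prefix

  # Anything that is not purely digits is rejected up front. Without this
  # check a failing numeric test would fall through and report "valid".
  case "${prefix}" in
    *[!0-9]*)
      return ${EXIT_FALSE}
      ;;
  esac

  # Fail closed: only an explicit pass of both range checks counts as valid.
  if [ "${prefix}" -ge 1 ] 2>/dev/null \
    && [ "${prefix}" -le 128 ] 2>/dev/null; then
    return ${EXIT_TRUE}
  fi

  return ${EXIT_FALSE}
}

# Prints the compressed form of an IPv6 address as reported by ipcalc.
# Arguments: $1 - IPv6 address
# Outputs:   the value of ADDRESS6_IMPL
function ipv6_implode() {
  local address=${1}
  assert isset address

  local ADDRESS6_IMPL
  # NOTE(review): eval runs whatever ipcalc prints on stdout. That is only
  # safe while ipcalc emits nothing but shell-safe VAR=value lines; callers
  # should pass addresses that were checked with ipv6_is_valid first.
  eval "$(ipcalc -6 -i "${address}" 2>/dev/null)"
  assert isset ADDRESS6_IMPL

  print "${ADDRESS6_IMPL}"
}

# Prints the fully expanded form of an IPv6 address.
# Arguments: $1 - IPv6 address
# Outputs:   the expanded address
#
# Caveat: any 39-character input is printed back without validation.
function ipv6_explode() {
  local address=${1}
  assert isset address

  # Nothing to do if the length of the address is 39.
  if [ ${#address} -eq 39 ]; then
    print "${address}"
    return ${EXIT_OK}
  fi

  local ADDRESS6_EXPL
  # NOTE(review): eval runs whatever ipcalc prints on stdout; see the note
  # in ipv6_implode.
  eval "$(ipcalc -6 -e "${address}" 2>/dev/null)"
  assert isset ADDRESS6_EXPL

  print "${ADDRESS6_EXPL}"
}

# Compares two IPv6 addresses for equality after expanding both.
# Arguments: $1, $2 - IPv6 addresses
# Returns:   EXIT_TRUE if the expanded forms are identical, else EXIT_FALSE
function ipv6_addr_eq() {
  local addr1=${1}
  assert isset addr1

  local addr2=${2}
  assert isset addr2

  local addr
  for addr in addr1 addr2; do
    printf -v "${addr}" "%s" "$(ipv6_explode "${!addr}")"

    # Two addresses that both failed to expand must not compare as equal.
    assert isset "${addr}"
  done

  if [[ "${addr1}" = "${addr2}" ]]; then
    return ${EXIT_TRUE}
  fi

  return ${EXIT_FALSE}
}

# Tests whether the first IPv6 address is numerically greater than the second.
# Arguments: $1, $2 - IPv6 addresses
# Returns:   EXIT_TRUE if $1 > $2, EXIT_FALSE otherwise (including equality)
function ipv6_addr_gt() {
  local addr1=${1}
  assert isset addr1

  local addr2=${2}
  assert isset addr2

  local addr
  for addr in addr1 addr2; do
    printf -v "${addr}" "%s" "$(ipv6_explode "${!addr}")"
    assert isset "${addr}"
  done

  # The expanded form still contains colons; strip them so that the offsets
  # below address the 32 hex digits byte by byte.
  addr1=${addr1//:/}
  addr2=${addr2//:/}

  local i addr1_oct addr2_oct
  for i in 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30; do
    addr1_oct="0x${addr1:${i}:2}"
    addr2_oct="0x${addr2:${i}:2}"

    # The most significant differing byte decides the comparison; a smaller
    # byte must end the loop, or a later larger byte would wrongly win.
    if [[ ${addr1_oct} -gt ${addr2_oct} ]]; then
      return ${EXIT_TRUE}
    fi
    if [[ ${addr1_oct} -lt ${addr2_oct} ]]; then
      return ${EXIT_FALSE}
    fi
  done

  return ${EXIT_FALSE}
}

# Prints the expanded address with all colons removed.
# Arguments: $1 - IPv6 address
function ipv6_hash() {
  local address=${1}
  assert isset address

  # Explode address
  address=$(ipv6_explode "${address}")

  printf '%s\n' "${address//:/}"
}

# Prints the network of an address given with a prefix length.
# Arguments: $1 - address including a prefix (e.g. /64)
# Outputs:   "<PREFIX6>/<prefix>"
function ipv6_get_network() {
  local addr=${1}
  assert isset addr

  # Check if a prefix (e.g. /64) is provided.
  # Declared separately so that "local" does not mask the exit status.
  local prefix
  prefix=$(ip_get_prefix "${addr}")
  assert ipv6_prefix_is_valid "${prefix}"

  local PREFIX6
  # NOTE(review): eval runs whatever ipcalc prints on stdout; see the note
  # in ipv6_implode.
  eval "$(ipcalc --ipv6 -p "${addr}")"
  assert isset PREFIX6

  print "${PREFIX6}/${prefix}"
}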