#!/bin/bash ############################################################################### # # # IPFire.org - A linux based firewall # # Copyright (C) 2010 Michael Tremer & Christian Schmidt # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation, either version 3 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program. If not, see . # # # ############################################################################### IP_SUPPORTED_PROTOCOLS="${IP_SUPPORTED_PROTOCOLS} ipv6" ipv6_device_autoconf_enable() { local device="${1}" assert device_exists "${device}" sysctl_set "net.ipv6.conf.${device}.accept_ra" 1 sysctl_set "net.ipv6.conf.${device}.autoconf" 1 log INFO "Enabled IPv6 auto-configuration on '${device}'" # Disable IPv6 forwarding which cannot be used when the # device is using IPv6 auto-configuration. ipv6_device_forwarding_disable "${device}" } ipv6_device_autoconf_disable() { local device="${1}" assert device_exists "${device}" sysctl_set "net.ipv6.conf.${device}.accept_ra" 0 sysctl_set "net.ipv6.conf.${device}.autoconf" 0 log INFO "Disabled IPv6 auto-configuration on '${device}'" # Enable IPv6 forwarding again ipv6_device_forwarding_enable "${device}" # Automatically disable privacy extensions ipv6_device_privacy_extensions_disable "${device}" } ipv6_device_forwarding_enable() { local device="${1}" shift local accept_ra=0 local arg while read arg; do case "${arg}" in --accept-ra) accept_ra=2 ;; esac done <<< "$(args $@)" sysctl_set "net.ipv6.conf.${device}.forwarding" 1 log INFO "Enabled IPv6 forwarding on '${device}'" # If forwarding is enabled, the kernel won't process # any router advertisements any more, which is not good # when we still want a default route when running in # DHCP client mode on an uplink zone. if [ ${accept_ra} -gt 0 ]; then log INFO " and accepting router advertisements" sysctl_set "net.ipv6.conf.${device}.accept_ra" 2 fi } ipv6_device_forwarding_disable() { local device="${1}" sysctl_set "net.ipv6.conf.${device}.forwarding" 0 log INFO "Disabled IPv6 forwarding on '${device}'" } # Enable IPv6 RFC3041 privacy extensions if desired ipv6_device_privacy_extensions_enable() { local device="${1}" assert device_exists "${device}" sysctl_set "net.ipv6.conf.${device}.use_tempaddr" 2 } ipv6_device_privacy_extensions_disable() { local device="${1}" assert device_exists "${device}" sysctl_set "net.ipv6.conf.${device}.use_tempaddr" 0 } ipv6_is_valid() { ipcalc --ipv6 -c $@ >/dev/null 2>&1 case "$?" in 0) return ${EXIT_OK} ;; *) return ${EXIT_ERROR} ;; esac } ipv6_prefix_is_valid() { local prefix=${1} assert isset prefix [ ${prefix} -le 0 ] && return ${EXIT_FALSE} [ ${prefix} -gt 128 ] && return ${EXIT_FALSE} return ${EXIT_TRUE} } ipv6_prefix_size_is_valid_for_delegation() { local prefix_size="${1}" assert isinteger prefix_size # For prefix delegation, the prefix must be between /48 and /64 # (RFC3769, section 3.1) [[ ${prefix_size} -lt 48 ]] && return ${EXIT_FALSE} [[ ${prefix_size} -gt 64 ]] && return ${EXIT_FALSE} return ${EXIT_TRUE} } ipv6_get_prefix() { ip_get_prefix "$@" } ipv6_split_prefix() { ip_split_prefix "$@" } ipv6_address_add() { local address="${1}" assert isset address local device="${2}" assert device_exists "${device}" shift 2 local scope="global" local preferred_lft valid_lft # Enable to wait until DAD has finished and return # an error if it has failed local wait_for_dad="true" local arg while read arg; do case "${arg}" in --preferred-lifetime=*) preferred_lft="$(cli_get_val "${arg}")" ;; --valid-lifetime=*) valid_lft="$(cli_get_val "${arg}")" ;; --no-wait-for-dad) wait_for_dad="false" ;; esac done <<< "$(args $@)" local cmd="ip addr add ${address} dev ${device} scope ${scope}" # Preferred lifetime if isinteger preferred_lft; then list_append cmd "preferred_lft ${preferred_lft}" fi # Valid lifetime if isinteger valid_lft; then list_append cmd "valid_lft ${valid_lft}" fi cmd_quiet "${cmd}" || return ${EXIT_ERROR} if enabled wait_for_dad; then log DEBUG "Waiting for DAD to complete..." ipv6_wait_for_dad "${address}" "${device}" local ret="${?}" case "${ret}" in # DAD OK ${EXIT_DAD_OK}) log DEBUG "DAD successfully completed" return ${EXIT_OK} ;; # DAD failed ${EXIT_DAD_FAILED}) log ERROR "DAD failed" # Remove the IP address again ipv6_address_del "${address}" "${device}" return ${EXIT_ERROR} ;; # Any unknown errors *) log ERROR "DAD failed with unhandled error: ${ret}" return ${EXIT_ERROR} ;; esac fi return ${EXIT_OK} } ipv6_address_del() { local address="${1}" local device="${2}" ip_address_del "${device}" "${address}" } ipv6_address_flush() { local device="${1}" assert isset device log DEBUG "Flushing all IPv6 addresses on ${device}" # Remove any stale addresses from aborted clients cmd_quiet ip -6 addr flush dev "${device}" scope global permanent cmd_quiet ip -6 addr flush dev "${device}" scope global dynamic } ipv6_address_change_lifetime() { local address="${1}" assert isset address local device="${2}" assert device_exists "${device}" shift 2 local preferred_lft local valid_lft local arg while read arg; do case "${arg}" in --preferred-lifetime=*) preferred_lft="$(cli_get_val "${arg}")" ;; --valid-lifetime=*) valid_lft="$(cli_get_val "${arg}")" ;; esac done <<< "$(args $@)" local cmd="ip -6 addr change ${address} dev ${device} scope global" if isinteger preferred_lft; then list_append cmd "preferred_lft" "${preferred_lft}" fi if isinteger valid_lft; then list_append cmd "valid_lft" "${valid_lft}" fi if ! cmd_quiet "${cmd}"; then log ERROR "Could not change lifetimes of ${address} (${device})" return ${EXIT_ERROR} fi log DEBUG "Changed lifetimes of ${address} (${device}) to:" if isset preferred_lft; then log DEBUG " preferred: ${preferred_lft}" fi if isset valid_lft; then log DEBUG " valid: ${valid_lft}" fi return ${EXIT_OK} } ipv6_get_dad_status() { local address="${1}" assert isset address local device="${2}" assert isset device # Strip prefix from address address="$(ipv6_split_prefix "${address}")" local output="$(ip -o addr show dev "${device}" to "${address}")" if ! isset output; then return ${EXIT_ERROR} fi # Abort if DAD failed if [[ ${output} =~ "dadfailed" ]]; then return ${EXIT_DAD_FAILED} fi # Wait a little more if DAD is still in progress if [[ ${output} =~ "tentative" ]]; then return ${EXIT_DAD_TENTATIVE} fi # DAD has successfully completed return ${EXIT_DAD_OK} } ipv6_wait_for_dad() { local address="${1}" assert isset address local device="${2}" assert isset device # Strip prefix from address address="$(ipv6_split_prefix "${address}")" local i for i in {0..10}; do # Check DAD status ipv6_get_dad_status "${address}" "${interface}" local ret="${?}" case "${ret}" in # DAD is still in progress. Give it a moment to settle... ${EXIT_DAD_TENTATIVE}) sleep 0.5 continue ;; # Raise all other error codes ${EXIT_DAD_OK}|${EXIT_DAD_FAILED}|*) return ${ret} ;; esac done return ${EXIT_ERROR} } ipv6_device_get_addresses() { local device="${1}" assert isset device shift local scope local arg while read arg; do case "${arg}" in --scope=*) scope="$(cli_get_val "${arg}")" ;; esac done <<< "$(args $@)" local cmd="ip -o addr show dev ${device}" if isset scope; then assert isoneof scope global dynamic link list_append cmd "scope ${scope}" fi local addresses local line args while read line; do args=( ${line} ) local i for (( i=0; i < ${#args[@]} - 1; i++ )); do if [ "${args[${i}]}" = "inet6" ]; then list_append_one addresses "${args[$(( ${i} + 1 ))]}" break fi done done <<< "$(${cmd})" list_sort ${addresses} } ipv6_implode() { local address=${1} assert isset address local ADDRESS6_IMPL eval $(ipcalc -6 -i ${address} 2>/dev/null) assert isset ADDRESS6_IMPL print "${ADDRESS6_IMPL}" } ipv6_explode() { local address=${1} assert isset address # Nothing to do if the length of the address is 39. if [ ${#address} -eq 39 ]; then print "${address}" return ${EXIT_OK} fi local ADDRESS6_EXPL eval $(ipcalc -6 -e ${address} 2>/dev/null) assert isset ADDRESS6_EXPL print "${ADDRESS6_EXPL}" } ipv6_addr_eq() { local addr1=${1} assert isset addr1 local addr2=${2} assert isset addr2 local addr for addr in addr1 addr2; do printf -v ${addr} "%s" $(ipv6_explode ${!addr}) done [[ "${addr1}" = "${addr2}" ]] \ && return ${EXIT_TRUE} || return ${EXIT_FALSE} } ipv6_addr_gt() { local addr1=${1} assert isset addr1 local addr2=${2} assert isset addr2 local addr for addr in addr1 addr2; do printf -v ${addr} "%s" $(ipv6_explode ${!addr}) # Remove all colons printf -v ${addr} "${!addr//:/}" done local i addr1_oct addr2_oct for i in 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30; do addr1_oct="0x${addr1:${i}:2}" addr2_oct="0x${addr2:${i}:2}" [[ ${addr1_oct} -gt ${addr2_oct} ]] && return ${EXIT_TRUE} done return ${EXIT_FALSE} } ipv6_hash() { local address=${1} assert isset address # Explode address address=$(ipv6_explode ${address}) echo "${address//:/}" } ipv6_get_network() { local addr=${1} assert isset addr # Check if a prefix (e.g. /64) is provided. local prefix=$(ip_get_prefix ${addr}) assert ipv6_prefix_is_valid ${prefix} local PREFIX6 eval $(ipcalc --ipv6 -p ${addr}) assert isset PREFIX6 print "${PREFIX6}/${prefix}" } ipv6_6rd_format_address() { local isp_prefix="${1}" assert ipv6_is_valid "${isp_prefix}" local client_address="${2}" assert ipv4_is_valid "${client_address}" local prefix="$(ipv6_get_prefix "${isp_prefix}")" isp_prefix="$(ipv6_split_prefix "${isp_prefix}")" # This only works for prefix lengths up to 32 bit. assert [ "${prefix}" -le 32 ] assert [ "${prefix}" -gt 0 ] # Explode the address and throw away the second 32 bit. local address="$(ipv6_explode "${isp_prefix}")" client_address="$(ipv6_6rd_format_client_address ${client_address})" assert isset client_address local block1="0x${address:0:4}" local block2="0x${address:5:4}" local block3="0x${address:10:4}" local block4="0x${address:15:4}" address="$(( (${block1} << 48) + (${block2} << 32) + (${block3} << 16) + ${block4} ))" assert [ "${address}" -gt 0 ] block1="0x${client_address:0:4}" block2="0x${client_address:5:4}" client_address="$(( (${block1} << 48) + (${block2} << 32) ))" # Fix for numbers that are interpreted by bash as negative # numbers and therefore filled up with ones when shifted to # the right. Weird. if [ "${client_address}" -gt 0 ]; then client_address="$(( ${client_address} >> ${prefix} ))" else local bitmask="$(( 1 << 63 ))" client_address="$(( ${client_address} >> 1 ))" client_address="$(( ${client_address} ^ ${bitmask} ))" client_address="$(( ${client_address} >> $(( ${prefix} - 1 )) ))" fi assert [ "${client_address}" -gt 0 ] # XOR everything together address="$(( ${address} ^ ${client_address} ))" prefix="$(( ${prefix} + 32 ))" local block formatted_address=":" while [ ${address} -gt 0 ]; do printf -v block "%x" "$(( ${address} & 0xffff ))" formatted_address="${block}:${formatted_address}" address="$(( ${address} >> 16 ))" done assert ipv6_is_valid "${formatted_address}" # Implode the output IP address. formatted_address="$(ipv6_implode "${formatted_address}")" print "${formatted_address}/${prefix}" } ipv6_6rd_format_client_address() { local address="${1}" assert isset address print "%02x%02x:%02x%02x" ${address//\./ } }