History log of /freebsd-10-stable/sbin/ipfw/ipfw.8
Revision Date Author Comments
# 336039 06-Jul-2018 jamie

MFC r335921:

Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8),
sockstat(1), ugidfw(8)
These are the last of the jail-aware userland utilities that didn't work
with names.

PR: 229266
Differential Revision: D16047


# 331202 19-Mar-2018 ae

MFC r330792:
Do not try to reassemble IPv6 fragments in "reass" rule.

ip_reass() expects an IPv4 packet and will just corrupt any IPv6 packets
that it gets. Until a proper IPv6 fragment handling function is
implemented, pass IPv6 packets to the next rule.

PR: 170604


# 307403 16-Oct-2016 sevan

MFC r267667:
use .Mt to mark up email addresses consistently (part1)

PR: 191174
Submitted by: Franco Fichtner <franco at lastsummer.de>


# 306378 27-Sep-2016 pluknet

MFC r274925: misc mdoc fixes.


# 301772 09-Jun-2016 truckman

MFC r300779, r300781, r300783, r300784, r300949, r301162, r301180

r300779 | truckman | 2016-05-26 14:40:13 -0700 (Thu, 26 May 2016) | 64 lines

Import Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE).

Centre for Advanced Internet Architectures

Implementing AQM in FreeBSD

* Overview <http://caia.swin.edu.au/freebsd/aqm/index.html>

* Articles, Papers and Presentations
<http://caia.swin.edu.au/freebsd/aqm/papers.html>

* Patches and Tools <http://caia.swin.edu.au/freebsd/aqm/downloads.html>

Overview

Recent years have seen a resurgence of interest in better managing
the depth of bottleneck queues in routers, switches and other places
that get congested. Solutions include transport protocol enhancements
at the end-hosts (such as delay-based or hybrid congestion control
schemes) and active queue management (AQM) schemes applied within
bottleneck queues.

The notion of AQM has been around since at least the late 1990s
(e.g. RFC 2309). In recent years the proliferation of oversized
buffers in all sorts of network devices (aka bufferbloat) has
stimulated keen community interest in four new AQM schemes -- CoDel,
FQ-CoDel, PIE and FQ-PIE.

The IETF AQM working group is looking to document these schemes,
and independent implementations are a corner-stone of the IETF's
process for confirming the clarity of publicly available protocol
descriptions. While significant development work on all three schemes
has occurred in the Linux kernel, there is very little in FreeBSD.

Project Goals

This project began in late 2015, and aims to design and implement
functionally-correct versions of CoDel, FQ-CoDel, PIE and FQ_PIE
in FreeBSD (with code BSD-licensed as much as practical). We have
chosen to do this as extensions to FreeBSD's ipfw/dummynet firewall
and traffic shaper. Implementation of these AQM schemes in FreeBSD
will:
* Demonstrate whether the publicly available documentation is
sufficient to enable independent, functionally equivalent implementations

* Provide a broader suite of AQM options for sections of the networking
community that rely on FreeBSD platforms

Program Members:

* Rasool Al Saadi (developer)

* Grenville Armitage (project lead)

Acknowledgements:

This project has been made possible in part by a gift from the
Comcast Innovation Fund.

Submitted by: Rasool Al-Saadi <ralsaadi@swin.edu.au>
X-No objection: core
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D6388

[Remove some code that was added to the mq_append() inline function in
HEAD by r258457, which was not merged to stable/10. The AQM patch
moved mq_append() from ip_dn_io.c to the new file ip_dn_private.h, so
we need to remove that copy of the r258457 changes.]
------------------------------------------------------------------------
r300781 | truckman | 2016-05-26 14:44:52 -0700 (Thu, 26 May 2016) | 7 lines

Modify BOUND_VAR() macro to wrap all of its arguments in () and tweak
its expression to work on powerpc and sparc64 (gcc compatibility).

Correct a typo in a nearby comment.

MFC after: 2 weeks (with r300779)

------------------------------------------------------------------------
r300783 | truckman | 2016-05-26 15:03:28 -0700 (Thu, 26 May 2016) | 4 lines

Correct a typo in a comment.

MFC after: 2 weeks (with r300779)

------------------------------------------------------------------------
r300784 | truckman | 2016-05-26 15:07:09 -0700 (Thu, 26 May 2016) | 5 lines

Include the new AQM files when compiling a kernel with options DUMMYNET.

Reported by: Nikolay Denev <nike_d AT cytexbg DOT com>
MFC after: 2 weeks (with r300779)

------------------------------------------------------------------------
r300949 | truckman | 2016-05-29 00:23:56 -0700 (Sun, 29 May 2016) | 10 lines

Cast some expressions that multiply a long long constant by a
floating point constant to int64_t. This avoids the runtime
conversion of the other operand in a set of comparisons from
int64_t to floating point and doing the comparisons in floating
point.

Suggested by: lidl
Submitted by: Rasool Al-Saadi <ralsaadi@swin.edu.au>
MFC after: 2 weeks (with r300779)

------------------------------------------------------------------------
r301162 | truckman | 2016-06-01 13:04:24 -0700 (Wed, 01 Jun 2016) | 9 lines

Replace constant expressions that contain multiplications by
fractional floating point values with integer divides. This will
eliminate any chance that the compiler will generate code to evaluate
the expression using floating point at runtime.

Suggested by: bde
Submitted by: Rasool Al-Saadi <ralsaadi@swin.edu.au>
MFC after: 8 days (with r300779 and r300949)

------------------------------------------------------------------------
r301180 | truckman | 2016-06-01 17:42:15 -0700 (Wed, 01 Jun 2016) | 2 lines

Belatedly bump .Dd date for Dummynet AQM import in r300779.

Relnotes: yes


# 301231 02-Jun-2016 truckman

MFC r266941, r266955

Needed for anticipated dummynet AQM MFC next week.

r266941 | hiren | 2014-06-01 00:28:24 -0700 (Sun, 01 Jun 2014) | 9 lines

ECN marking implementation for dummynet.
Changes include both DCTCP and RFC 3168 ECN marking methodology.

DCTCP draft: http://tools.ietf.org/html/draft-bensley-tcpm-dctcp-00

Submitted by: Midori Kato (aoimidori27@gmail.com)
Worked with: Lars Eggert (lars@netapp.com)
Reviewed by: luigi, hiren

r266955 | hiren | 2014-06-01 13:19:17 -0700 (Sun, 01 Jun 2014) | 5 lines

DNOLD_IS_ECN introduced by r266941 is not required.
DNOLD_* flags are for compat with old binaries.

Suggested by: luigi

Discussed with: hiren
Relnotes: yes


# 256281 10-Oct-2013 gjb

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

# 253597 24-Jul-2013 se

Remove duplicated paragraph.

MFC after: 3 days


# 249375 11-Apr-2013 joel

Minor spelling and grammar fixes.


# 248578 21-Mar-2013 joel

Remove EOL whitespace.


# 248552 20-Mar-2013 melifaro

Add ipfw support for setting/matching DiffServ codepoints (DSCP).

Setting DSCP support is done via O_SETDSCP which works for both
IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
Dscp can be specified by name (AFXY, CSX, BE, EF), by value
(0..63) or via tablearg.

Matching DSCP is done via another opcode (O_DSCP) which accepts several
classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

Many people made their variants of this patch, the ones I'm aware of are
(in alphabetic order):

Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin

PR: kern/102471, kern/121122
MFC after: 2 weeks


# 242463 01-Nov-2012 ae

Remove the recently added sysctl variable net.pfil.forward.
Instead, add protocol specific mbuf flags M_IP_NEXTHOP and
M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain
contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup
only when this flag is set.

Suggested by: andre


# 242079 25-Oct-2012 ae

Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn
on the related functionality at runtime via the sysctl variable
net.pfil.forward. It is turned off by default.

Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks


# 240656 18-Sep-2012 bjk

Fix grammar in the portion about FIBs. Also, cross-reference
setfib(2) instead of setfib(1) for the 16-FIB limit.

PR: docs/157452
Approved by: hrs (mentor)


# 240628 18-Sep-2012 bjk

Whitespace cleanup for ipfw.8 -- start each sentence on a new line,
and put a comma after e.g. and i.e.. While here, wrap long lines.

PR: docs/157452
Approved by: hrs (mentor)


# 238540 16-Jul-2012 issyl0

In ipfw(8), make the text about dynamic rules consistent.

PR: docs/120539
Approved by: gabor (mentor)
MFC after: 5 days


# 238277 09-Jul-2012 hrs

Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on: freebsd-ipfw@


# 238063 03-Jul-2012 issyl0

- Make ipfw's sched rules case insensitive, for user-friendliness.
- Add a note to the ipfw(8) man page about the rules no longer being
case sensitive.
- Fix some typos in the man page.

PR: docs/164772
Reviewed by: bz
Approved by: gabor (doc mentor, src committer)
MFC after: 2 weeks


# 236824 09-Jun-2012 melifaro

Update maximum number of tables available in ipfw to reflect
changes done in r233478.

Approved by: kib(mentor)
MFC after: 3 days


# 235344 12-May-2012 joel

mdoc: use Po and Pc macros instead of parens. Also avoid starting a line
with Ns.


# 233648 29-Mar-2012 eadler

Remove trailing whitespace per mdoc lint warning

Discussed with: gavin
No objection from: doc
Approved by: joel
MFC after: 3 days


# 233478 25-Mar-2012 melifaro

- Permit number of ipfw tables to be changed in runtime.

net.inet.ip.fw.tables_max is now read-write.

- Bump IPFW_TABLES_MAX to 65535
Default number of tables is still 128

- Remove IPFW_TABLES_MAX from ipfw(8) code.

Sponsored by Yandex LLC

Approved by: kib(mentor)

MFC after: 2 weeks


# 233458 25-Mar-2012 joel

Remove superfluous paragraph macro.


# 232865 12-Mar-2012 melifaro

- Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be loader tunable in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds

No ABI changes are introduced. Old userland will see valid tables for
IPv4 tables and no entries otherwise. Flush works for any table.

IP_FW3 socket option is used to encapsulate all new opcodes:
/* IP_FW3 header/opcodes */
typedef struct _ip_fw3_opheader {
	uint16_t opcode;	/* Operation opcode */
	uint16_t reserved[3];	/* Align to 64-bit boundary */
} ip_fw3_opheader;

New opcodes added:
IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

ipfw(8) table argument parsing behavior is changed:
'ipfw table 999 add host' now assumes 'host' to be interface name instead of
hostname.

New tunable:
net.inet.ip.fw.tables_max controls the number of tables supported by ipfw in a given
VNET instance. 128 is still the default value.

New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out

This is a bit hackish: the special interface name '\1' is used to signal that the
interface table number is passed in the p.glob field.

Sponsored by Yandex LLC

Reviewed by: ae
Approved by: ae (mentor)

MFC after: 4 weeks


# 232250 28-Feb-2012 gavin

Correct capitalization of "Hz" in user-visible text (manpages, printf(),
etc).

MFC after: 3 days


# 231078 06-Feb-2012 glebius

Bump .Dd for r231076.

Submitted by: bz


# 231076 06-Feb-2012 glebius

Make the 'tcpwin' option of ipfw(8) accept ranges and lists.

Submitted by: sem


# 227419 10-Nov-2011 glebius

Note that NAT instance argument can be tablearg.

PR: misc/162265
Submitted by: Paul Procacci <pprocacci gmail.com>


# 225044 20-Aug-2011 bz

Add support for IPv6 to ipfw fwd:
Distinguish IPv4 and IPv6 addresses and optional port numbers in
user space to set the option for the correct protocol family.
Add support in the kernel for carrying the new IPv6 destination
address and port.
Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change
the address in the IP header.
Add support for IPv6 forwarding to a non-local destination.
Add a regression test utilizing VIMAGE to check all 20 possible
combinations I could think of.

Obtained from: David Dolson at Sandvine Incorporated
(original version for ipfw fwd IPv6 support)
Sponsored by: Sandvine Incorporated
PR: bin/117214
MFC after: 4 weeks
Approved by: re (kib)


# 223666 29-Jun-2011 ae

Add new rule actions "call" and "return" to ipfw. They make it
possible to organize subroutines with rules.

The "call" action saves the current rule number in the internal
stack and rules processing continues from the first rule with
specified number (similar to skipto action). If later a rule with
"return" action is encountered, the processing returns to the first
rule with number of "call" rule saved in the stack plus one or higher.

Submitted by: Vadim Goncharov
Discussed by: ipfw@, luigi@


# 223080 14-Jun-2011 ae

Implement "global" mode for ipfw nat. It is similar to natd(8)
"globalport" option for multiple NAT instances.

If an ipfw rule contains the "global" keyword instead of nat_number, then
for each outgoing packet ipfw_nat looks up the translation state in all
configured nat instances. If an entry is found, the packet is aliased
according to that entry; otherwise the packet is passed unchanged.

The user can specify the "skip_global" option in the NAT configuration to exclude
an instance from the lookup in global mode.

PR: kern/157867
Submitted by: Alexander V. Chernikov (previous version)
Tested by: Eugene Grosbein


# 222473 30-May-2011 ae

Add tablearg support for ipfw setfib.

PR: kern/156410
MFC after: 2 weeks


# 222023 17-May-2011 pluknet

mdoc:
- use a proper macro for interface name ipfw0.
- add missing section number for bpf cross reference.


# 215179 12-Nov-2010 luigi

The first customer of the SO_USER_COOKIE option:
the "sockarg" ipfw option matches packets associated to
a local socket and with a non-zero so_user_cookie value.
The value is made available as tablearg, so it can be used
as a skipto target or pipe number in ipfw/dummynet rules.

Code by Paul Joe, manpage by me.

Submitted by: Paul Joe
MFC after: 1 week


# 214132 21-Oct-2010 uqs

mdoc: make pages render with mandoc

It's a bit more pedantic regarding .Bl list elements. This has an added
benefit of unbreaking the ipfw(8) manpage, where groff was silently
skipping one list element.


# 213810 13-Oct-2010 luigi

document logging through bpf


# 213573 08-Oct-2010 uqs

mdoc: drop redundant .Pp and .LP calls

They have no effect when coming in pairs, or before .Bl/.Bd


# 211936 28-Aug-2010 brucec

Fix incorrect usage of 'assure' and 'insure'.

Approved by: rrs (mentor)


# 211397 16-Aug-2010 joel

Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while
translating these manual pages. Minor corrections by me.

Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>


# 210539 27-Jul-2010 glebius

Document that the "ngtee" action no longer accepts packets, and
thus does not depend on the one_pass flag anymore.

This is a POLA violation, but it is quite difficult to restore
the old behavior with new code. Also, the new behavior matches
behavior of the older "tee" action, and this is more intuitive.


# 205372 20-Mar-2010 gavin

Tweak language to make one point potentially clearer for non-native speakers

PR: bin/121424
Submitted by: "Julian H. Stacey" <jhs berklix.org>


# 204758 05-Mar-2010 luigi

more documentation on new dummynet features.


# 204591 02-Mar-2010 luigi

Bring in the most recent version of ipfw and dummynet, developed
and tested over the past two months in the ipfw3-head branch. This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.

The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.

Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.

CREDITS:
This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.


# 200567 15-Dec-2009 luigi

implement a new match option,

lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N

which searches the specified field in table N and sets tablearg
accordingly.
With dst-ip or src-ip the option replicates two existing options.
When used with other arguments, the option can be useful to
quickly dispatch traffic based on other fields.

Work supported by the Onelab project.

MFC after: 1 week


# 200566 15-Dec-2009 luigi

fix the indentation for addr: values

MFC after: 3 days


# 197312 18-Sep-2009 brueffer

Fix setfib(1) section number.

PR: 133765
Submitted by: Konstantin Zolotukhin <erebus@gorodok.net>
MFC after: 3 days


# 195075 26-Jun-2009 oleg

- 'burst' description rewritten.

Submitted by: Ben Kaduk
Approved by: re (kib)


# 195036 26-Jun-2009 maxim

o Kill grammar nits.

PR: docs/136061
Submitted by: Ben Kaduk
MFC after: 1 week


# 194930 24-Jun-2009 oleg

- fix dummynet 'fast' mode for WF2Q case.
- fix printing of pipe profile data.
- introduce new pipe parameter: 'burst' - how much data can be sent through
pipe bypassing bandwidth limit.


# 193715 08-Jun-2009 luigi

Permit the specification of bandwidth values within
"profile" files (bandwidth is mandatory when using a
profile, so it makes sense to have everything in one place).

Update the manpage accordingly.

Submitted by: Marta Carbone


# 190911 11-Apr-2009 trhodes

Kill hard sentence break added in the previous revision.


# 190865 09-Apr-2009 luigi

Add emulation of delay profiles, which lets you model various
types of MAC overheads such as preambles, link level retransmissions
and more.

Note- this commit changes the userland/kernel ABI for pipes
(but not for ordinary firewall rules) so you need to rebuild
kernel and /sbin/ipfw to use dummynet features.

Please check the manpage for details on the new feature.

The MFC would be trivial but it breaks the ABI, so it will
be postponed until after 7.2 is released.

Interested users are welcome to apply the patch manually
to their RELENG_7 tree.

Work supported by the European Commission, Projects Onelab and
Onelab2 (contract 224263).


# 190851 08-Apr-2009 maxim

o Grammar.


# 190846 08-Apr-2009 luigi

Various cleanup of text, moving a couple of paragraphs
above to avoid referencing undefined terms (humans are not compilers
but still care about these things).

Change some .Sh to .Ss to better reflect the structure of the text.

No new content.


# 190799 07-Apr-2009 trhodes

Remove contractions, reword a sentence to avoid a double negative,
and bump document date for previous change.

OKed by: piso


# 190714 05-Apr-2009 piso

Improve the reass documentation a bit:

-document fragment handling sysctls
-mention some caveats about fragment handling (and how to deal with them)


# 190633 01-Apr-2009 piso

Implement an ipfw action to reassemble ip packets: reass.


# 190026 19-Mar-2009 brueffer

Mdoc style, spelling, grammar and wording fixes. This manpage needs more work.


# 188294 07-Feb-2009 piso

Add SCTP NAT support.

Submitted by: CAIA (http://caia.swin.edu.au)


# 186298 18-Dec-2008 piso

Update the ipfw man page to reflect last change (-q option with nat option).

MFC after: 3 days


# 183408 27-Sep-2008 rik

* add all keyword for table list & flush actions.
* add tables_max sysctl.
* add default_rule sysctl.

PR: 127058 (partially)


# 182277 27-Aug-2008 ivoras

Trivial typo fix.

Approved by: gnn (mentor)


# 181141 01-Aug-2008 julian

Slight wordsmithing. prompted by danger@


# 181140 01-Aug-2008 julian

Document the use of the tablearg keyword together with the skipto command.


# 180785 24-Jul-2008 julian

Note that setfib is not a terminal rule.


# 178888 09-May-2008 julian

Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)

Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.

From my notes:

-----

One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on, is "policy based routing", which allows
different packet streams to be routed by more than just the destination address.

Constraints:
------------

I want to make some form of this available in the 6.x tree
(and by extension 7.x), but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.

One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".

One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as an EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.

This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.

Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.

To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.

The basic change in the ABI compatible version of the change is to
extend that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] where for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.

The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.

In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.

One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).

You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.

This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.

Firstly, all packets have a FIB associated with them. If nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.

Packets fall into one of a number of classes.

1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility called setfib
that acts a bit like nice..

setfib -3 ping target.example.com # will use fib 3 for ping.

It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.

2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl (not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)

3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would override a fib associated by
a more default source. (such as cases 1 or 2).

4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.

5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being responded to.

6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect with the process that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.

Routing messages would be associated with their
process, and thus select one FIB or another.
Messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)

In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.

In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.

Early testing experience:
-------------------------

Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.

For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.

Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routed
accordingly.

ipfw has grown 2 new keywords:

setfib N ip from any to any
count ip from any to any fib N

In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.

SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. It will be interesting to see how that handles it
when it suddenly actually does something.

Where to next:
--------------------

After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. This will
result in some roto-tilling in the routing code.

Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.

My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing to the data.
Instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.

When the ABI can be changed it raises the possibility of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the destination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.

Interaction with the ARP layer/LL layer would need to be
revisited as well. Qing Li has been working on this already.

This work was sponsored by Ironport Systems/Cisco

Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco


# 176626 27-Feb-2008 dwmalone

Dummynet has a limit of 100 slots queue size (or 1MB, if you give
the limit in bytes) hard coded into both the kernel and userland.
Make both these limits a sysctl, so it is easy to change the limit.
If the userland part of ipfw finds that the sysctls don't exist,
it will just fall back to the traditional limits.

(100 packets is quite a small limit these days. If you want to test
TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.)

Note these sysctls in the man page and warn against increasing them
without thinking first.

MFC after: 3 weeks


# 176517 24-Feb-2008 piso

Add table/tablearg support to ipfw's nat.

MFC After: 1 week


# 176391 18-Feb-2008 julian

Instead of using a heuristic to decide whether to display
table 'values' as IP addresses, use an explicit argument (-i).
This is a 'POLA' issue. This is a low risk change and should be MFC'd
to RELENG_6 and RELENG_7. It might be put as an errata item for 6.3.
(not sure about 6.2).

Fix suggested by: Eugene Grosbein
PR: 120720
MFC After: 3 days


# 176084 07-Feb-2008 yar

Add a note that ipfw states do not implicitly match ICMP error messages.


# 173920 25-Nov-2007 danger

Polish this manual page a bit:

- refer to the dummynet(4) man page only once, later use rather
the .Nm macro.
- use .Va macro when referring to the sysctl variables
- grammar and markup fixes

Reviewed by: keramida, trhodes, ru (roughly)
MFC-after: 1 week


# 173706 17-Nov-2007 oleg

- New sysctl variable: net.inet.ip.dummynet.io_fast
If it is set to a zero value (default), the dummynet module will try to emulate
a real link as closely as possible (bandwidth & latency): a packet will not leave
the pipe faster than it would on a real link with the given bandwidth.
(This is the original behaviour of dummynet, which was altered in the previous commit.)
If it is set to a non-zero value, only bandwidth is enforced: a packet's latency
can be lower compared to a real link with the given bandwidth.

- Document recently introduced dummynet(4) sysctl variables.

Requested by: luigi, julian
MFC after: 3 month


# 172818 19-Oct-2007 rpaulo

Change IPTOS_CE to IPTOS_ECN_CE.

Approved by: njl (mentor)


# 172627 14-Oct-2007 maxim

o Fix a typo in ipfw table usage example.

PR: docs/117172
Submitted by: novel
MFC after: 1 week


# 171732 05-Aug-2007 bz

Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
Also rename the related functions in a similar way.
There are no functional changes.

For a packet coming in with IPsec tunnel mode, the default is
to only call into the firewall with the "outer" IP header and
payload.

With this option turned on, in addition to the "outer" parts,
the "inner" IP header and payload are passed to the
firewall too when going through ip_input() the second time.

The option was never only related to a gif(4) tunnel within
an IPsec tunnel and thus the name was very misleading.

Discussed at: BSDCan 2007
Best new name suggested by: rwatson
Reviewed by: rwatson
Approved by: re (bmah)


# 171723 04-Aug-2007 csjp

Remove references to mpsafenet. This option no longer exists.

Approved by: re@ (bmah)


# 170923 18-Jun-2007 maxim

o Make ipfw set more robust -- now it is possible:
- to show a specific set: ipfw set 3 show
- to delete rules from the set: ipfw set 9 delete 100 200 300
- to flush the set: ipfw set 4 flush
- to reset rules counters in the set: ipfw set 1 zero

PR: kern/113388
Submitted by: Andrey V. Elsukov
Approved by: re (kensmith)
MFC after: 6 weeks


# 169245 04-May-2007 bz

Add support for filtering on Routing Header Type 0 and
Mobile IPv6 Routing Header Type 2 in addition to filtering
on the non-differentiated presence of any Routing Header.

MFC after: 3 weeks


# 166750 15-Feb-2007 piso

Mention the nat command in the synopsis and in the action section.

Approved by: glebius (mentor)


# 165648 29-Dec-2006 piso

Summer of Code 2005: improve libalias - part 2 of 2

With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)


# 163184 09-Oct-2006 trhodes

Add a note about rule syntax compared to the shell used so users do not get
frustrated when:
ipfw add 201 deny ip from any to table(2) in via xl1
returns "Badly placed ( )'s"

PR: 73638


# 163012 04-Oct-2006 keramida

When addr/mask examples are given, show both a host and network
address, to avoid confusing the users that a full address is
always required.

Submitted by: Josh Paetzel <josh@tcbug.org> (through freebsd-doc)
MFC after: 3 days


# 162395 18-Sep-2006 ru

Markup fixes.


# 161466 20-Aug-2006 julian

Fix typo.


# 161456 18-Aug-2006 julian

comply with style police

Submitted by: ru
MFC after: 1 month


# 161424 17-Aug-2006 julian

Allow ipfw to forward to a destination that is specified by a table.
for example:
fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2

This allows trivial implementation of a secondary routing table implemented
in the firewall layer.

I expect more work (under discussion with Glebius) to follow this to clean
up some of the messy parts of ipfw related to tables.

Reviewed by: Glebius
MFC after: 1 month


# 161382 16-Aug-2006 julian

Take IP_FIREWALL_EXTENDED out of the man page too.
MFC after: 1 week


# 160661 25-Jul-2006 oleg

Specify correct argument range for tag/untag keywords.

Approved by: glebius (mentor)


# 159636 15-Jun-2006 oleg

Add support of 'tablearg' feature for:
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
pipe 1 tag tablearg ip from table(1) to any
allow ip from any to table(2) tagged tablearg
allow tcp from table(3) to any 25 setup limit src-addr tablearg

sbin/ipfw/ipfw2.c:
1) new macros
GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions
like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.

Approved by: glebius (mentor)
MFC after: 1 month


# 158879 24-May-2006 oleg

Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by: glebius (mentor)
Idea from: OpenBSD PF
MFC after: 1 month


# 158492 12-May-2006 mlaier

Update manpage for net.inet6.ip6.fw.enable sysctl.

Requested by: bz


# 156315 05-Mar-2006 ume

Revert `proto ip' back to the previous behavior. The kernel side of
ipfw2 doesn't allow zero as protocol number.

MFC after: 3 days


# 155639 14-Feb-2006 julian

Stop ipfw from aborting when asked to delete a table entry that
doesn't exist or add one that is already present, if the -q flag
is set. Useful for "ipfw -q /dev/stdin" when the command above is
invoked from something like python or TCL to feed commands
down the throat of ipfw.
MFC in: 1 week


# 155263 03-Feb-2006 ru

Fix a markup glitch.


# 154301 13-Jan-2006 glebius

Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore.


# 154300 13-Jan-2006 glebius

Document 'tablearg' keyword.

Wording by: emaste


# 153380 13-Dec-2005 ru

[mdoc] add missing space before a punctuation type argument.


# 152923 29-Nov-2005 ume

We couldn't specify the rule for filtering tunnel traffic since
IPv6 support was committed:

- Stop treating `ip' and `ipv6' as special in `proto' option as they
conflict with /etc/protocols.

- Disuse `ipv4' in `proto' option as it corresponds to `ipv6'.

- When protocol is specified as numeric, treat it as it is even if it is
41 (ipv6).

- Allow zero for protocol as it is the valid number of `ip'.

Still, we cannot specify an IPv6 over an IPv4 tunnel like before such
as:

pass ipv6 from any to any

But, now, you can specify it like:

pass ip4 from any to any proto ipv6

PR: kern/89472
Reported by: Gaël Roualland <gael.roualland__at__dial.oleane.com>
MFC after: 1 week


# 152568 18-Nov-2005 ru

-mdoc sweep.


# 151587 23-Oct-2005 csjp

Restore the documentation about uid, gid or prison based rules requiring
that debug.mpsafenet be set to 0. It is still possible for deadlocks to
occur while these filtering options are used due to the layering violation
inherent in their implementation.

Discussed: -current, rwatson, glebius


# 150675 28-Sep-2005 mlaier

Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.

Reminded by: ru


# 149020 13-Aug-2005 bz

* Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.

Submitted by: sysctl handling derived from patch from ume needed for ip6fw
Obtained from: is_icmp6_query and send_reject6 derived from similar
functions of netinet6,ip6fw
Reviewed by: ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after: 6 days


# 147720 01-Jul-2005 cperciva

Bump document date. Remove EOL whitespace introduced in previous
commit. Start new line at sentence break in previous commit.

Approved by: re (implicit, fixing a commit made 5 minutes ago)


# 147719 01-Jul-2005 cperciva

Document some limitations of uid/gid rules.

Approved by: re (rwatson)
MFC after: 3 days


# 147369 14-Jun-2005 ru

Markup fixes.

Approved by: re (blanket)


# 146962 04-Jun-2005 green

Better explain, then actually implement the IPFW ALTQ-rule first-match
policy. It may be used to provide more detailed classification of
traffic without actually having to decide its fate at the time of
classification.

MFC after: 1 week


# 146894 02-Jun-2005 mlaier

Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well.
This is the last requirement before we can retire ip6fw.

Reviewed by: dwhite, brooks(earlier version)
Submitted by: dwhite (manpage)
Silence from: -ipfw


# 146097 11-May-2005 glebius

'ngtee' also depends on net.inet.ip.fw.one_pass.


# 145865 04-May-2005 glebius

IPFW version 2 is the only option now in HEAD. Do not confuse
users of future releases with instructions about building IPFW2
on RELENG_4.


# 145246 18-Apr-2005 brooks

Add IPv6 support to IPFW and Dummynet.

Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)


# 142248 22-Feb-2005 andre

Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option:

options IPFIREWALL_FORWARD_EXTENDED

This option has to be specified in addition to IPFIREWALL_FORWARD.

With this option even packets targeted for an IP address local
to the host can be redirected. All restrictions to ensure proper
behaviour for locally generated packets are turned off. Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.

Document the two kernel options.

PR: kern/71910
PR: kern/73129
MFC after: 1 week


# 141846 13-Feb-2005 ru

Expand *n't contractions.


# 141444 07-Feb-2005 glebius

Sort SEE ALSO.

Submitted by: ru


# 141366 05-Feb-2005 glebius

Document how interaction with ng_ipfw node is configured.


# 140415 18-Jan-2005 ru

Sort sections.


# 140285 15-Jan-2005 ru

Markup nits.


# 139987 10-Jan-2005 ru

Scheduled mdoc(7) sweep.


# 138643 10-Dec-2004 csjp

Update the IPFW man page to reflect reality. mpsafenet=0 is no longer
required when using ucred based rules.

Pointed out by: seanc (thanks!)
MFC after: 1 month


# 137173 03-Nov-2004 ceri

Be more clear that "bridged" is a synonym for "layer2".

PR: docs/44400
Submitted by: Constantin Stefanov <cstef at mail dot ru>


# 136788 22-Oct-2004 andre

Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload.

Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8)
man pages.


# 136335 09-Oct-2004 csjp

Add a note to the man page warning users about possible lock order
reversals+system lock ups if they are using ucred based rules
while running with debug.mpsafenet=1.

I am working on merging a shared locking mechanism into ipfw which
should take care of this problem, but it still requires a bit more
testing and review.


# 136248 08-Oct-2004 green

Reference altq(4) instead of pf.conf(5).

Tip of the hat to: mlaier


# 136075 02-Oct-2004 green

Add support to IPFW for matching by TCP data length.


# 136074 02-Oct-2004 green

Add the documentation for IPFW's diverted(-loopback|-output) matches.


# 136071 02-Oct-2004 green

Add to IPFW the ability to do ALTQ classification/tagging.


# 135465 19-Sep-2004 ru

Prepare for 5.x soon becoming -STABLE.

Pointed out by: -current users


# 135154 13-Sep-2004 andre

Make 'ipfw tee' behave as intended and designed. A tee'd packet is copied
and sent to the DIVERT socket while the original packet continues with the
next rule. Unlike a normally diverted packet no IP reassembly attempts are
made on tee'd packets and they are passed upwards totally unmodified.

Note: This will not be MFC'd to 4.x because of major infrastructure changes.

PR: kern/64240 (and many others collapsed into that one)


# 133607 13-Aug-2004 csjp

Remove trailing whitespace and change "prisoniD" to "prisonID".

Pointed out by: simon
Approved by: bmilekic (mentor)


# 133600 12-Aug-2004 csjp

Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is its ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they
want to add additional opcodes, they should append them to the end
of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by: pjd
Reviewed by: rwatson
Approved by: bmilekic (mentor)


# 133387 09-Aug-2004 andre

New ipfw option "antispoof":

For incoming packets, the packet's source address is checked if it
belongs to a directly connected network. If the network is directly
connected, then the interface the packet came in on is compared to
the interface the network is connected to. When incoming interface
and directly connected interface are not the same, the packet does
not match.

Usage example:

ipfw add deny ip from any to any not antispoof in

Manpage education by: ru


# 132510 21-Jul-2004 andre

Extend versrcreach by checking against the rt_flags for RTF_REJECT and
RTF_BLACKHOLE as well.

To quote the submitter:

The uRPF loose-check implementation by the industry vendors, at least on Cisco
and possibly Juniper, will fail the check if the route of the source address
is pointed to Null0 (on Juniper, discard or reject route). What this means is,
even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
as a pseudo-packet-firewall without using any manual filtering configuration --
one can simply inject an IGP or BGP prefix with next-hop set to a static route
that directs to null/discard facility. This results in uRPF Loose-check failing
on all packets with source addresses that are within the range of the nullroute.

Submitted by: James Jun <james@towardex.com>


# 131488 02-Jul-2004 ru

Mechanically kill hard sentence breaks.


# 130281 09-Jun-2004 ru

Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets. Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after: 1 week


# 129629 23-May-2004 maxim

o Fix usage example.

PR: docs/67065
Submitted by: David Syphers


# 128575 23-Apr-2004 andre

Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table. The
default route is ignored because it would match everything and
render the check pointless.

This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.

Example:

ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

ip verify unicast source reachable-via any

Reviewed by: luigi


# 127479 27-Mar-2004 ceri

Backout revision 1.140; it seems that the previous version is clear
enough.

Requested by: ru


# 127461 26-Mar-2004 maxim

o The length of the port list is limited to 30 entries in ipfw2 not to 15.

PR: docs/64534
Submitted by: Dmitry Cherkasov
MFC after: 1 week


# 127318 22-Mar-2004 ceri

Clarify the description of the "established" option.

PR: docs/50391
Submitted by: root@edcsm.jussieu.fr
MFC after: 1 week


# 124858 23-Jan-2004 mtm

grammar


# 124554 15-Jan-2004 maxim

o -c (compact) flag is an ipfw2 feature.

PR: bin/56328
MFC after: 3 days


# 124553 15-Jan-2004 maxim

o -f (force) in conjunction with -p (preprocessor) is an ipfw2 feature.

MFC after: 3 days


# 123804 24-Dec-2003 maxim

o Legitimate -f (force) flags for -p (preprocessor) case.

PR: bin/60433
Submitted: Bjoern A. Zeeb
MFC after: 3 weeks


# 123495 12-Dec-2003 luigi

Add a -b flag to /sbin/ipfw to print only action and comment for each
rule, thus omitting the entire body.
This makes the output a lot more readable for complex rulesets
(provided, of course, you have annotated your ruleset appropriately!)

MFC after: 3 days


# 123096 01-Dec-2003 sam

Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate
code is compiled in to support the O_IPSEC operator. Previously no
support was included and ipsec rules were always matching. Note that
we do not return an error when an ipsec rule is added and the kernel
does not have IPsec support compiled in; this is done intentionally
but we may want to revisit this (document this in the man page).

PR: 58899
Submitted by: Bjoern A. Zeeb
Approved by: re (rwatson)


# 120473 26-Sep-2003 rse

fix typo: s/sytem/system/


# 119947 10-Sep-2003 roam

Document the alternate way of matching MAC addresses: by a bitmask.

PR: 56021
Submitted by: Glen Gibb <grg@ridley.unimelb.edu.au>
MFC after: 1 month


# 117868 22-Jul-2003 luigi

Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific


# 117655 15-Jul-2003 luigi

Userland side of:
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implements a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards


# 117472 12-Jul-2003 luigi

Add a '-T' flag to print the timestamp as numeric value instead
of converting it with ctime(). This is a lot more convenient for
postprocessing.

Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>


# 117470 12-Jul-2003 luigi

Document the existence of comments in ipfw rules,
the new flags handled when reading from a file,
and clarify that only numeric values are allowed for icmptypes.

MFC after: 3 days


# 117334 08-Jul-2003 dannyboy

Correct to match reality regarding interface names.

PR: 51006
Submitted by: "Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua>
mdoc clue by: "Simon L. Nielsen" <simon@nitro.dk>
MFC after: 10 days


# 117329 08-Jul-2003 luigi

* introduce a section on SYNTAX to document the handling of
spaces and comma-separated lists of arguments;

* reword the description of address specifications, to include
previous and current changes for address sets and lists;

* document the new '-n' flag.

* update the section on differences between ipfw1 and ipfw2
(this is becoming boring!)

MFC after: 3 days


# 117241 04-Jul-2003 luigi

Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.

Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week


# 116715 23-Jun-2003 maxim

o Fix sets of rules usage example.

PR: docs/53625
Submitted by: Kostyuk Oleg <cub@cub.org.ua>
MFC after: 1 week


# 116690 22-Jun-2003 luigi

Add support for multiple values and ranges for the "iplen", "ipttl",
"ipid" options. This feature has been requested by several users.
On passing, fix some minor bugs in the parser. This change is fully
backward compatible so if you have an old /sbin/ipfw and a new
kernel you are not in trouble (but you need to update /sbin/ipfw
if you want to use the new features).

Document the changes in the manpage.

Now you can write things like

ipfw add skipto 1000 iplen 0-500

which some people were asking to give preferential treatment to
short packets.

The 'MFC after' is just set as a reminder, because I still need
to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately
change the size of certain kernel structures; not that it matters
a lot since ipfw2 is entirely optional and not the default...)

PR: bin/48015

MFC after: 1 week


# 112250 14-Mar-2003 cjc

Add a 'verrevpath' option that verifies the interface that a packet
comes in on is the same interface that we would route out of to get to
the packet's source address. Essentially automates an anti-spoofing
check using the information in the routing table.

Experimental. The usage and rule format for the feature may still be
subject to change.


# 111847 03-Mar-2003 ru

/modules is gone long ago, use the safe equivalents.


# 110304 03-Feb-2003 brueffer

Correct examples for stateful inspection

PR: 47817
Submitted by: Simon L.Nielsen <simon@nitro.dk>
Reviewed by: ceri, luigi


# 109126 12-Jan-2003 dillon

It turns out that we do not need to add a new ioctl to unbreak a
default-to-deny firewall. Simply turning off IPFW via a preexisting
sysctl does the job. To make it more apparent (since nobody picked up
on this in a week's worth of flames), the boolean sysctl's have been
integrated into the /sbin/ipfw command set in an obvious and straightforward
manner. For example, you can now do 'ipfw disable firewall' or
'ipfw enable firewall'. This is far easier to remember than the
net.inet.ip.fw.enable sysctl.

Reviewed by: imp
MFC after: 3 days


# 108691 04-Jan-2003 keramida

Fix a reference to the order of SYNOPSIS lines.

Submitted by: Olivier Cherrier <Olivier.Cherrier@cediti.be>
on freebsd-net
MFC after: 3 days


# 108231 23-Dec-2002 kbyanc

Make preprocessor support more generic by passing all command-line options
after -p except for the last (the ruleset file to process) to the
preprocessor for interpretation. This allows command-line options besides
-U and -D to be passed to cpp(1) and m4(1) as well as making it easier to
use other preprocessors.

Sponsored By: NTT Multimedia Communications Labs
MFC after: 1 week


# 107288 26-Nov-2002 luigi

Update documentation to match the behaviour of ipfw with respect
to net.inet.ip.fw.one_pass.
Add two notes to explain the exact behaviour of "prob xxx" and "log"
options.

Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c)


# 106072 28-Oct-2002 luigi

Misc fixes from Chris Pepper, plus additional explanations on
dummynet operation.

MFC after: 3 days


# 104975 12-Oct-2002 seanc

Increase the max dummynet hash size from 1024 to 65536. Default is still
1024.

Silence on: -net, -ipfw 4 weeks+
Reviewed by: dd
Approved by: knu (mentor)
MFC after: 3 weeks


# 103802 22-Sep-2002 maxim

o Fix a typo.
o Remove EOL spaces.

Submitted by: Harold Gutch <logix@foobar.franken.de> (typo patch)
Approved by: luigi
MFC after: 3 days


# 103094 08-Sep-2002 blackend

Typo: s/o packet/on packet/

PR: docs/42543
Submitted by: Michael Lyngbøl <lyngbol@bifrost.lyngbol.dk>


# 102231 21-Aug-2002 trhodes

s/filesystem/file system/g as discussed on -developers


# 102209 21-Aug-2002 luigi

Whoops, the manpage lied... ipfw2 has always accepted addr:mask
specifications.


# 102098 19-Aug-2002 luigi

One more (hopefully the last one) step in cleaning up the syntax,
following Julian's good suggestion: since you can specify any match
pattern as an option, rules now have the following format:

[<proto> from <src> to <dst>] [options]

i.e. the first part is now entirely optional (and left there just
for compatibility with ipfw1 rulesets).

Add a "-c" flag to show/list rules in the compact form
(i.e. without the "ip from any to any" part) when possible.
The default is to include it so that scripts processing ipfw's
canonical output will still work.
Note that as part of this cleanup (and to remove ambiguity), MAC
fields now can only be specified in the options part.

Update the manpage to reflect the syntax.

Clarify the behaviour when a match is attempted on fields which
are not present in the packet, e.g. port numbers on non TCP/UDP
packets, and the "not" operator is specified. E.g.

ipfw add allow not src-port 80

will match also ICMP packets because they do not have port numbers, so
"src-port 80" will fail and "not src-port 80" will succeed. For such
cases it is advised to insert further options to prevent undesired results
(e.g. in the case above, "ipfw add allow proto tcp not src-port 80").

We definitely need to rewrite the parser using lex and yacc!


# 102087 19-Aug-2002 luigi

Major cleanup of the parser and printing routines in an attempt to
render the syntax less ambiguous.

Now rules can be in one of these two forms

<action> <protocol> from <src> to <dst> [options]
<action> MAC dst-mac src-mac mac-type [options]

however you can now specify MAC and IP header fields as options e.g.

ipfw add allow all from any to any mac-type arp
ipfw add allow all from any to any { dst-ip me or src-ip me }

which makes complex expressions a lot easier to write and parse.
The "all from any to any" part is there just for backward compatibility.

Manpage updated accordingly.


# 101989 16-Aug-2002 luigi

Complete list of differences between ipfw1 and ipfw2.


# 101978 16-Aug-2002 luigi

sys/netinet/ip_fw2.c:

Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops
for firewall-generated packets (the constant has to go in sys/mbuf.h).

Better comments on keepalive generation, and enforce dyn_rst_lifetime
and dyn_fin_lifetime to be less than dyn_keepalive_period.

Enforce limits (up to 64k) on the number of dynamic buckets, and
retry allocation with smaller sizes.

Raise default number of dynamic rules to 4096.

Improved handling of set of rules -- now you can atomically
enable/disable multiple sets, move rules from one set to another,
and swap sets.

sbin/ipfw/ipfw2.c:

userland support for "noerror" pipe attribute.

userland support for sets of rules.

minor improvements on rule parsing and printing.

sbin/ipfw/ipfw.8:

more documentation on ipfw2 extensions, differences from ipfw1
(so we can use the same manpage for both), stateful rules,
and some additional examples.
Feedback and more examples needed here.


# 101640 10-Aug-2002 luigi

Major revision of the ipfw manpage, trying to make it up-to-date
with ipfw2 extensions and give examples of use of the new features.

This is just a preliminary commit, where I simply added the basic
syntax for the extensions, and clean up the page (e.g. by listing
things in alphabetical rather than random order).
I would appreciate feedback and possible corrections/extensions
by interested parties.

Still missing are a more detailed description of stateful rules
(with keepalives), interaction of stateful rules with natd (don't do
that!), examples of use with the recently introduced rule sets.

There is an issue related to the MFC: RELENG_4 still has ipfw as a
default, and ipfw2 is optional. We have two options here: MFC this
page as ipfw(8) adding a large number of "SORRY NOT IN IPFW" notes,
or create a new ipfw2(8) manpage just for -stable users. I am all
for the first approach, but of course am listening to your comments.


# 100659 25-Jul-2002 sheldonh

Add SEE ALSO references to papers handling RED.


# 99501 06-Jul-2002 charnier

The .Nm utility


# 95858 01-May-2002 cjc

Enlighten those who read the FINE POINTS of the documentation a bit
more on how ipfw(8) deals with tiny fragments. While we're at it, add
a quick log message to even let people know we dropped a packet. (Note
that the second FINE POINT is somewhat redundant given the first, but
since the code is there, leave the docs for it.)

MFC after: 1 day


# 89218 10-Jan-2002 ru

mdoc(7) police: tidy up the markup in revision 1.96.


# 88841 02-Jan-2002 rwatson

o Note that packets diverted using a 'divert' socket, and then
reinserted by a userland process, will lose a number of packet
attributes, including their source interface. This may affect
the behavior of later rules, and while not strictly a BUG, may
cause unexpected behavior if not clearly documented. A similar
note for natd(8) might be desirable.


# 88833 02-Jan-2002 yar

Move the discussion of how many times a packet will pass through
ipfirewall(4) to the IMPLEMENTATION NOTES section because it
considers kernel internals and may confuse newbies if placed
at the very beginning of the manpage (where it used to be previously.)

Not objected by: luigi


# 88831 02-Jan-2002 yar

Clarify the "show" ipfw(8) command.

PR: docs/31263
Permitted by: luigi


# 88829 02-Jan-2002 yar

Fix a typo: wierd -> weird


# 88598 28-Dec-2001 julian

Fix documentation to match reality


# 88360 21-Dec-2001 yar

Implement matching IP precedence in ipfw(4).

Submitted by: Igor Timkin <ivt@gamma.ru>


# 87952 14-Dec-2001 rse

At least once mention the long names of WF2Q+ (Worst-case Fair Weighted
Fair Queueing) and RED (Random Early Detection) to both give the reader
a hint what they are and to make it easier to find out more information
about them.


# 84943 14-Oct-2001 dd

Repair typo.

PR: 31262
Submitted by: <swear@blarg.net>


# 84299 01-Oct-2001 ru

mdoc(7) police: fix markup.


# 84110 29-Sep-2001 billf

now that jlemon has added a hash table to lookup locally configured ip
addresses (and the macros that ipfw(4) use to lookup data for the 'me'
keyword have been converted) remove a comment about using 'me' being a
"computationally expensive" operation.

while I'm here, change two instances of "IP number" to "IP address"


# 84058 27-Sep-2001 luigi

Two main changes here:
+ implement "limit" rules, which permit limiting the number of sessions
between certain host pairs (according to masks). These are a special
type of stateful rules, which might be of interest in some cases.
See the ipfw manpage for details.

+ merge the list pointers and ipfw rule descriptors in the kernel, so
the code is smaller, faster and more readable. This patch basically
consists of replacing "foo->rule->bar" with "rule->bar" all over
the place.
I have been willing to do this for ages!

MFC after: 1 week


# 81251 07-Aug-2001 ru

mdoc(7) police:

Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only does this slow down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.


# 79530 10-Jul-2001 ru

mdoc(7) police: removed HISTORY info from the .Os call.


# 79454 09-Jul-2001 dd

mdoc(7) police: remove extraneous .Pp before and/or after .Sh.


# 77836 06-Jun-2001 chris

Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the
checklist.

MFC after: 1 week


# 77739 04-Jun-2001 des

Invert the meaning of the -d option (i.e. default to *not* list dynamic rules,
but list them if -d was specified).

Avoid listing expired dynamic rules unless the (new) -e option was specified.

If specific rule numbers were listed on the command line, and the -d flag was
specified, only list dynamic rules that match the specified rule numbers.

Try to partly clean up the bleeding mess this file has become. If there is
any justice in this world, the responsible parties (you know who you are!)
should expect to wake up one morning with a horse's head in their bed. The
code still looks like spaghetti, but at least now it's *properly indented*
spaghetti (hmm? did somebody say "tagliatelle"?).


# 76891 20-May-2001 dwmalone

Add a flag to "ipfw show" which suppresses the display of dynamic
rules. Also, don't show dynamic rules if you only asked to see a
certain rule number.

PR: 18550
Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Approved by: luigi
MFC after: 2 weeks


# 74333 16-Mar-2001 ru

mdoc(7) police: removed hard sentence break introduced in rev 1.82.


# 74319 15-Mar-2001 dd

Explain that TCP fragments with an offset of 1 are reported as being
dropped by rule -1 if logging is enabled.

PR: 25796
Submitted by: Crist J. Clark <cjclark@alum.mit.edu>
Approved by: nik


# 72864 22-Feb-2001 ru

Document that the IPFW messages are logged via syslogd(8).


# 72508 15-Feb-2001 ru

mdoc(7) police: normalize the construct.


# 72487 14-Feb-2001 sheldonh

Fix grammar nit in previous commit.


# 72440 13-Feb-2001 phk

Introduce a new feature in IPFW: check if the source or destination
address is configured on an interface. This is useful for routers with
dynamic interfaces. It is now possible to say:

0100 allow tcp from any to any established
0200 skipto 1000 tcp from any to any
0300 allow ip from any to any
1000 allow tcp from 1.2.3.4 to me 22
1010 deny tcp from any to me 22
1020 allow tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi-expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.


# 70401 27-Dec-2000 ru

Prepare for mdoc(7)NG.


# 70152 18-Dec-2000 ru

Prepare for mdoc(7)NG.


# 69027 22-Nov-2000 ru

mdoc(7) police: do not split author names in the AUTHORS section.


# 68960 20-Nov-2000 ru

mdoc(7) police: use the new features of the Nm macro.


# 68754 15-Nov-2000 ben

more removal of trailing periods from SEE ALSO.


# 67937 30-Oct-2000 ru

IPFW does not discard *any* IP fragments with OFF=1, only TCP ones.


# 66976 11-Oct-2000 ru

Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.

PR: bin/16179


# 66732 06-Oct-2000 ru

Document the latest firewall knobs.


# 66445 29-Sep-2000 ru

Document that net.inet.ip.fw.one_pass only affects dummynet(4).

Noticed by: Peter Jeremy<peter.jeremy@alcatel.com.au>


# 61570 12-Jun-2000 ru

Fixed style bugs of rev 1.66.


# 61420 08-Jun-2000 dan

Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies. For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>


# 61417 08-Jun-2000 luigi

Document new dummynet functionality, namely WF2Q+ and RED


# 59919 03-May-2000 sheldonh

Remove extraneous Dv macro that slipped in, in rev 1.64.


# 59775 30-Apr-2000 green

Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".


# 57557 28-Feb-2000 ru

A huge rewrite of the manual page (mostly -mdoc related).

Reviewed by: luigi, sheldonh


# 57115 10-Feb-2000 luigi

Support and document new stateful ipfw features.

Approved-by: jordan


# 55595 08-Jan-2000 luigi

Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.


# 54177 05-Dec-1999 archie

Turn on 'ipfw tee'. Update man page. Please note (from the man page):

Packets that match a tee rule should not be immediately accepted,
but should continue going through the rule list. This may be fixed
in a later version.

I hope to fix this soon in a separate commit.


# 52407 20-Oct-1999 ru

Remove one obsoleted entry from the BUGS section.


# 50476 27-Aug-1999 peter

$Id$ -> $FreeBSD$


# 50129 21-Aug-1999 green

To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
* macros expanding into _two_ comma-delimited arguments!
* snprintf!
* more snprintf!
* linting and criticism by more people than you can shake a stick at!
* a slightly more uniform message style than before!
and last but not least
* no less than 5 rewrites!

Reviewed by: committers


# 49631 11-Aug-1999 luigi

Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.


# 49350 01-Aug-1999 green

Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
for the rule.
In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.


# 48023 19-Jun-1999 green

This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).


# 47925 15-Jun-1999 ru

Document the usage of escape character in a service name.

PR: 7101
Reminded by: jhs


# 47593 29-May-1999 kris

Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by: Philippe Charnier


# 46182 29-Apr-1999 ghelmer

Add ICMP types to list of information about each packet.


# 46135 28-Apr-1999 ghelmer

Explain when packets are tested by the firewall rules and what attributes
of packets can be tested.

PR: docs/7437


# 45473 08-Apr-1999 ghelmer

Convert LKM/modload to KLD/kldload. Add ref to kldload(8).

Submitted by: Nathan Ahlstrom <nrahlstr@winternet.com>


# 43002 21-Jan-1999 archie

Fix misleading wording in ipfw(8) man page.
PR: docs/9603


# 41873 16-Dec-1998 ghelmer

Mention effect of securelevel 3 and higher on attempts to change filter lists.

Prompted by: PR docs/7785


# 41576 07-Dec-1998 archie

Disallow ipfw "tee" rules until it is actually implemented.
PR: bin/8471


# 41308 23-Nov-1998 joerg

Preprocessor support for `ipfw [-q] ... file'.

This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc. Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easily.

While I was at it, I've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.


# 38092 04-Aug-1998 thepish

PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475


# 37409 06-Jul-1998 julian

Support for IPFW based transparent forwarding.
Any packet that can be matched by an ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by: Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>


# 36185 19-May-1998 danny

Reminded by: Alex Nash
Bring man page up to date with -q flag behaviour.


# 36170 19-May-1998 max

Typo fix.


# 35100 08-Apr-1998 cracauer

(evil) hackers -> crackers


# 34673 19-Mar-1998 charnier

.Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.


# 33260 11-Feb-1998 alex

Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

- Do not match fragmented packets if the rule specifies a port or
TCP flags
- Match fragmented packets if the rule does not specify a port and
TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags. Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by: Archie Cobbs <archie@whistle.com>


# 32303 07-Jan-1998 alex

Support listing/showing specific rules supplied on the command line.

Use error codes from <sysexits.h>.


# 31547 05-Dec-1997 julian

Allow ipfw to accept comments and blank lines.
This makes ipfw config files a LOT more readable.


# 29988 29-Sep-1997 wosch

Sort cross references in section SEE ALSO.


# 29271 10-Sep-1997 peter

Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and its effect on
rule 65535


# 29270 10-Sep-1997 peter

Fix typo (65434 -> 65534)


# 28506 21-Aug-1997 danny

Bring comment on '-a' flag in line with reality.


# 26854 23-Jun-1997 julian

Allow ipfw to look up service names from /etc/services (or NIS if turned on)
note.. this would be dangerous if your ipfw was blocking NIS access :)

Submitted by: archie@whistle.com (Archie Cobbs)


# 26359 02-Jun-1997 julian

Submitted by: Whistle Communications (Archie Cobbs)

These are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

See the man page for a complete description.


# 25832 15-May-1997 max

Typo.
PR: 3600
Submitted by: Josh Gilliam <soil@quick.net>


# 25824 14-May-1997 alex

Minor rewording of the examples section.


# 22535 10-Feb-1997 danny

Add '-q' quiet flag for flush/add/zero commands; add 'show' command as
synonym for '-a list'; stop SEGV when specifying 'via' with no interface;
change 2 instances of strcpy() to strncpy().

This is a candidate for 2.2


# 21785 16-Jan-1997 adam

implement "not" keyword for inverting the address logic


# 20837 23-Dec-1996 mpp

Minor mdoc/style fixes.


# 19436 05-Nov-1996 jdp

Fix a spelling error.
2.2 Candidate.


# 18303 14-Sep-1996 alex

Note that -N is only effective when ipfw is displaying chain entries.


# 17976 31-Aug-1996 nate

Because 'ipfw flush' is such a dangerous command (given that most
firewalls are remote, and this command will kill the network connection
to them), prompt the user for confirmation of this command.

Also, add the '-f' flag which ignores the need for confirmation of the
command, and if there is no controlling tty (isatty(STDIN_FILENO) != 0)
assume '-f'.

If anyone is using ipfw flush in scripts it shouldn't affect them, but you
may want to change the script to use a 'ipfw -f flush'.

Reviewed by: alex


# 17786 22-Aug-1996 mpp

Use the .Fx macro where appropriate.


# 17586 13-Aug-1996 pst

Completely rewrite handling of protocol field for firewalls; things are
now completely consistent across all IP protocols and should be quite a
bit faster.

Use getprotoname() extensively, performed minor cleanups of admin utility.
The admin utility could use a good kick in the pants.

Basically, these were the minimal changes I could make to the code
to get it up to tolerable shape. There will be some future commits
to clean up the basic architecture of the firewall code, and if
I'm feeling ambitious, I may pull in changes like NAT from Linux
and make the firewall hooks completely generic so that a user can
either load the ipfw module or the ipfilter module (cf Darren Reed).

Discussed with: fenner & alex


# 17441 05-Aug-1996 alex

Filter by IP protocol.

Submitted by: fenner (with modifications by me)

Bring in the interface unit wildcard flag fix from rev 1.15.4.8.


# 17072 10-Jul-1996 julian

Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.


# 16886 01-Jul-1996 alex

Correct definition of 'established' keyword.


# 16819 28-Jun-1996 alex

Fix port specification syntax.

Submitted by: nate


# 16399 15-Jun-1996 alex

Fix a typo in the view accounting records example.


# 16380 14-Jun-1996 alex

Bring the man page more into line with reality.


# 14233 24-Feb-1996 phk

Update to match kernel code.


# 14211 23-Feb-1996 phk

Update -current ipfw program as well.
I hope it all compiles...


# 14089 13-Feb-1996 phk

Document that the firewall will no longer reorder the rules.


# 13720 29-Jan-1996 mpp

Fix a bunch of spelling errors.


# 11796 26-Oct-1995 nate

Convert manpage to -mandoc macros.

Submitted by: Gary Palmer <gary@palmer.demon.co.uk>

Minor cleanup by me in the English.


# 10502 31-Aug-1995 gpalmer

Correct minor nit - to filter out SYN packets, the keyword is
`syn' not `tcpsyn' (which matches `tcp' which blocks all tcp
packets)


# 6854 03-Mar-1995 ugen

Update manpage..BTW, if somebody with good English
would go through it and fix it, that would be a really good idea.


# 6763 27-Feb-1995 ugen

Fixed manpage..ldeny, lreject and log options are there
and others not..
Submitted by: torstenb@FreeBSD.ORG


# 6688 24-Feb-1995 ugen

Change utility to accept interface name
along with IP as "via" argument


# 6522 17-Feb-1995 ugen

Finally document "via" feature..


# 6275 09-Feb-1995 ugen

Ok..at least this man page is up to date now
To be continued..


# 5053 11-Dec-1994 ats

Changed a reboot(1) to a reboot(8).


# 4541 17-Nov-1994 jkh

New man pages from Ugen. Delete my old, first attempt. I only hope
that the English in Ugen's two replacement pages is not too impenetrable! :-)
[Note: Poul - please pull these into the BETA branch along with the
other firewall changes]

Submitted by: ugen