259128 |
09-Dec-2013 |
gjb |
Remove svn:mergeinfo from the releng/10.0 branch.
After branch creation from stable/10, the stable/10 branch mergeinfo was moved to the root of the branch.
Since there have not been any merges from stable/10 to releng/10.0 yet, we do not need to track any of the existing mergeinfo here.
Merges to releng/10.0 should now be done to the root of the branch.
For future branches during the release cycle, unless otherwise noted, this change will be done as part of the stable/ and releng/ branch creation.
Discussed with: peter Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
259065 |
07-Dec-2013 |
gjb |
- Copy stable/10 (r259064) to releng/10.0 as part of the 10.0-RELEASE cycle. - Update __FreeBSD_version [1] - Set branch name to -RC1
[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so start releng/10.0 at '100' so the branch is started with a value ending in zero.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
253597 |
24-Jul-2013 |
se |
Remove duplicated parapgraph.
MFC after: 3 days
|
250759 |
18-May-2013 |
melifaro |
Fix ipfw(8) sets of ipv6 addresses handling. Conditionally use stack buffer instead of calling strdup().
PR: bin/104921 MFC after: 2 weeks
|
249375 |
11-Apr-2013 |
joel |
Minor spelling and grammar fixes.
|
248578 |
21-Mar-2013 |
joel |
Remove EOL whitespace.
|
248553 |
20-Mar-2013 |
melifaro |
Remove unused variable.
|
248552 |
20-Mar-2013 |
melifaro |
Add ipfw support for setting/matching DiffServ codepoints (DSCP).
Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg.
Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).
Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order):
Dmitrii Tejblum Marcelo Araujo Roman Bogorodskiy (novel) Sergey Matveichuk (sem) Sergey Ryabin
PR: kern/102471, kern/121122 MFC after: 2 weeks
|
247811 |
04-Mar-2013 |
melifaro |
Do not suddenly fail on some rulesets if -n (syntax check only) is specified and ipfw(4) module is not loaded.
MFC after: 2 weeks
|
247712 |
03-Mar-2013 |
melifaro |
Implement buffer size checking in ipfw(8) add cmd.
PR: bin/65961 Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru> MFC after: 2 weeks
|
247666 |
02-Mar-2013 |
melifaro |
Fix ipfw table argument parsing/printing. Fix style.
PR: kern/175909 Submitted by: Daniel Hagerty <hag@linnaean.org> MFC after: 2 weeks
|
242463 |
02-Nov-2012 |
ae |
Remove the recently added sysctl variable net.pfil.forward. Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set.
Suggested by: andre
|
242079 |
25-Oct-2012 |
ae |
Remove the IPFIREWALL_FORWARD kernel option and make possible to turn on the related functionality in the runtime via the sysctl variable net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks
|
240893 |
24-Sep-2012 |
melifaro |
Whitespace fixes
MFC after: 2 weeks
|
240892 |
24-Sep-2012 |
melifaro |
Permit table to be used as IPv6 address.
Reported by: Serhiy Popov <sergiuspso@ukr.net> MFC after: 2 weeks
|
240656 |
18-Sep-2012 |
bjk |
Fix grammar in the portion about FIBs. Also, cross-reference setfib(2) instead of setfib(1) for the 16-FIB limit.
PR: docs/157452 Approved by: hrs (mentor)
|
240628 |
18-Sep-2012 |
bjk |
Whitespace cleanup for ipfw.8 -- start each sentence on a new line, and put a comma after e.g. and i.e.. While here, wrap long lines.
PR: docs/157452 Approved by: hrs (mentor)
|
240351 |
11-Sep-2012 |
kevlo |
Remove unused values
|
238903 |
30-Jul-2012 |
luigi |
remove the last __unused instance in sbin/ipfw. This particular function (show_prerequisites() ) we should actually remove the argument from the callers as well, but i'll do it at a later time.
|
238900 |
30-Jul-2012 |
luigi |
Fix some compile errors at high WARNS, including one for an uninitialized variable.
unused parameters and variables are annotated with (void)foo; /* UNUSED */ instead of __unused, because this code needs to build also on linux and windows.
|
238540 |
16-Jul-2012 |
issyl0 |
In ipfw(8), make the text about dynamic rules consistent.
PR: docs/120539 Approved by: gabor (mentor) MFC after: 5 days
|
238277 |
09-Jul-2012 |
hrs |
Make ipfw0 logging pseudo-interface clonable. It can be created automatically by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8) after a boot.
Discussed on: freebsd-ipfw@
|
238063 |
03-Jul-2012 |
issyl0 |
- Make ipfw's sched rules case insensitive, for user-friendliness. - Add a note to the ipfw(8) man page about the rules no longer being case sensitive. - Fix some typos in the man page.
PR: docs/164772 Reviewed by: bz Approved by: gabor (doc mentor, src committer) MFC after: 2 weeks
|
236824 |
09-Jun-2012 |
melifaro |
Update maximum number of tables available in ipfw to reflect changes done in r233478.
Approved by: kib(mentor) MFC after: 3 days
|
235344 |
12-May-2012 |
joel |
mdoc: use Po and Pc macros instead of parens. Also avoid starting a line with Ns.
|
233648 |
29-Mar-2012 |
eadler |
Remove trailing whitespace per mdoc lint warning
Disussed with: gavin No objection from: doc Approved by: joel MFC after: 3 days
|
233478 |
25-Mar-2012 |
melifaro |
- Permit number of ipfw tables to be changed in runtime.
net.inet.ip.fw.tables_max is now read-write.
- Bump IPFW_TABLES_MAX to 65535 Default number of tables is still 128
- Remove IPFW_TABLES_MAX from ipfw(8) code.
Sponsored by Yandex LLC
Approved by: kib(mentor)
MFC after: 2 weeks
|
233458 |
25-Mar-2012 |
joel |
Remove superfluous paragraph macro.
|
232865 |
12-Mar-2012 |
melifaro |
- Add ipfw eXtended tables permitting radix to be used for any kind of keys. - Add support for IPv6 and interface extended tables - Make number of tables to be loader tunable in range 0..65534. - Use IP_FW3 opcode for all new extended table cmds
No ABI changes are introduced. Old userland will see valid tables for IPv4 tables and no entries otherwise. Flush works for any table.
IP_FW3 socket option is used to encapsulate all new opcodes: /* IP_FW3 header/opcodes */ typedef struct _ip_fw3_opheader { uint16_t opcode; /* Operation opcode */ uint16_t reserved[3]; /* Align to 64-bit boundary */ } ip_fw3_opheader;
New opcodes added: IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST
ipfw(8) table argument parsing behavior is changed: 'ipfw table 999 add host' now assumes 'host' to be interface name instead of hostname.
New tunable: net.inet.ip.fw.tables_max controls number of table supported by ipfw in given VNET instance. 128 is still the default value.
New syntax: ipfw add skipto tablearg ip from any to any via table(42) in ipfw add skipto tablearg ip from any to any via table(4242) out
This is a bit hackish, special interface name '\1' is used to signal interface table number is passed in p.glob field.
Sponsored by Yandex LLC
Reviewed by: ae Approved by: ae (mentor)
MFC after: 4 weeks
|
232347 |
01-Mar-2012 |
luigi |
remove some write-only variables. There is another block of code that is now useless as the computation is done in the kernel.
|
232250 |
28-Feb-2012 |
gavin |
Correct capitalization of "Hz" in user-visible text (manpages, printf(), etc).
MFC after: 3 days
|
231852 |
17-Feb-2012 |
bz |
Merge multi-FIB IPv6 support from projects/multi-fibv6/head/:
Extend the so far IPv4-only support for multiple routing tables (FIBs) introduced in r178888 to IPv6 providing feature parity.
This includes an extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network stack, and user land support as in netstat.
Sponsored by: Cisco Systems, Inc. Reviewed by: melifaro (basically) MFC after: 10 days
|
231078 |
06-Feb-2012 |
glebius |
Bump .Dd for r231076.
Submitted by: bz
|
231076 |
06-Feb-2012 |
glebius |
Make the 'tcpwin' option of ipfw(8) accept ranges and lists.
Submitted by: sem
|
229778 |
07-Jan-2012 |
uqs |
Spelling fixes for sbin/
|
229403 |
03-Jan-2012 |
ed |
Replace index() and rindex() calls with strchr() and strrchr().
The index() and rindex() functions were marked LEGACY in the 2001 revision of POSIX and were subsequently removed from the 2008 revision. The strchr() and strrchr() functions are part of the C standard.
This makes the source code a lot more consistent, as most of these C files also call into other str*() routines. In fact, about a dozen already perform strchr() calls.
|
228871 |
24-Dec-2011 |
eadler |
- Add fallthrough comment
Approved by: pluknet Found with: Coverity Prevent(tm) CID: 10125
|
227901 |
23-Nov-2011 |
glebius |
Fix parsing of redirect_addr argument.
PR: kern/162739 MFC after: 3 days
|
227489 |
13-Nov-2011 |
eadler |
- fix duplicate "a a" in some comments
Submitted by: eadler Approved by: simon MFC after: 3 days
|
227419 |
10-Nov-2011 |
glebius |
Note that NAT instance argument can be tablearg.
PR: misc/162265 Submitted by: Paul Procacci <pprocacci gmail.com>
|
225044 |
20-Aug-2011 |
bz |
Add support for IPv6 to ipfw fwd: Distinguish IPv4 and IPv6 addresses and optional port numbers in user space to set the option for the correct protocol family. Add support in the kernel for carrying the new IPv6 destination address and port. Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change the address in the IP header. Add support for IPv6 forwarding to a non-local destination. Add a regession test uitilizing VIMAGE to check all 20 possible combinations I could think of.
Obtained from: David Dolson at Sandvine Incorporated (original version for ipfw fwd IPv6 support) Sponsored by: Sandvine Incorporated PR: bin/117214 MFC after: 4 weeks Approved by: re (kib)
|
224942 |
17-Aug-2011 |
jhb |
Fix a regression where a rule containing a source port option after a destination IP would incorrectly display the source port as a destination port.
Reviewed by: luigi Approved by: re (kib) MFC after: 1 week
|
223758 |
04-Jul-2011 |
attilio |
With retirement of cpumask_t and usage of cpuset_t for representing a mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.
Remove them and replace their usage with custom pc_cpuid magic (as, atm, pc_cpumask can be easilly represented by (1 << pc_cpuid) and pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).
This change is not targeted for MFC because of struct pcpu members removal and dependency by cpumask_t retirement.
MD review by: marcel, marius, alc Tested by: pluknet MD testing by: marcel, marius, gonzo, andreast
|
223666 |
29-Jun-2011 |
ae |
Add new rule actions "call" and "return" to ipfw. They make possible to organize subroutines with rules.
The "call" action saves the current rule number in the internal stack and rules processing continues from the first rule with specified number (similar to skipto action). If later a rule with "return" action is encountered, the processing returns to the first rule with number of "call" rule saved in the stack plus one or higher.
Submitted by: Vadim Goncharov Discussed by: ipfw@, luigi@
|
223661 |
29-Jun-2011 |
ae |
Improve error reporting. Use corresponding error message when file to be preprocessed is missing. Also suggest to use absolute pathname if -p option is specified.
PR: bin/156653 MFC after: 2 weeks
|
223499 |
24-Jun-2011 |
glebius |
Actually, if code had followed style(9), there would be less stupid errors like the one fixed in r223416.
Noticed by: julian
|
223416 |
22-Jun-2011 |
glebius |
One more braino from me.
Pointy hat to: glebius Submitted by: Alexander V. Chernikov <melifaro ipfw.ru>
|
223262 |
18-Jun-2011 |
benl |
Fix clang warnings.
Approved by: philip (mentor)
|
223185 |
17-Jun-2011 |
glebius |
- Fix my braino in the 220835, when I used strtok(). It isn't applicable here, since modifies the string. Switch to strchr(). - Restore support for undocumented optional parameters of redir_port and redir_proto, that were disabled in 220835. - While here, change !isalpha() checks on optinal parameters for isdigit().
Submitted by: Alexander V. Chernikov <melifaro ipfw.ru> PR: kern/143653
|
223080 |
14-Jun-2011 |
ae |
Implement "global" mode for ipfw nat. It is similar to natd(8) "globalport" option for multiple NAT instances.
If ipfw rule contains "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, packet aliased according to that entry, otherwise packet is passed unchanged.
User can specify "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode.
PR: kern/157867 Submitted by: Alexander V. Chernikov (previous version) Tested by: Eugene Grosbein
|
223079 |
14-Jun-2011 |
ae |
Check nat id a bit more strictly.
|
222813 |
07-Jun-2011 |
attilio |
etire the cpumask_t type and replace it with cpuset_t usage.
This is intended to fix the bug where cpu mask objects are capped to 32. MAXCPU, then, can now arbitrarely bumped to whatever value. Anyway, as long as several structures in the kernel are statically allocated and sized as MAXCPU, it is suggested to keep it as low as possible for the time being.
Technical notes on this commit itself: - More functions to handle with cpuset_t objects are introduced. The most notable are cpusetobj_ffs() (which calculates a ffs(3) for a cpuset_t object), cpusetobj_strprint() (which prepares a string representing a cpuset_t object) and cpusetobj_strscan() (which creates a valid cpuset_t starting from a string representation). - pc_cpumask and pc_other_cpus are target to be removed soon. With the moving from cpumask_t to cpuset_t they are now inefficient and not really useful. Anyway, for the time being, please note that access to pcpu datas is protected by sched_pin() in order to avoid migrating the CPU while reading more than one (possible) word - Please note that size of cpuset_t objects may differ between kernel and userland. While this is not directly related to the patch itself, it is good to understand that concept and possibly use the patch as a reference on how to deal with cpuset_t objects in userland, when accessing kernland members. - KTR_CPUMASK is changed and now is represented through a string, to be set as the example reported in NOTES.
Please additively note that no MAXCPU is bumped in this patch, but private testing has been done until to MAXCPU=128 on a real 8x8x2(htt) machine (amd64).
Please note that the FreeBSD version is not yet bumped because of the upcoming pcpu changes. However, note that this patch is not targeted for MFC.
People to thank for the time spent on this patch: - sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested several revision of the patches and really helped in improving stability of this work. - marius fixed several bugs in the sparc64 implementation and reviewed patches related to ktr. - jeff and jhb discussed the basic approach followed. - kib and marcel made targeted review on some specific part of the patch. - marius, art, nwhitehorn and andreast reviewed MD specific part of the patch. - marius, andreast, gonzo, nwhitehorn and jceel tested MD specific implementations of the patch. - Other people have made contributions on other patches that have been already committed and have been listed separately.
Companies that should be mentioned for having participated at several degrees: - Yahoo! for having offered the machines used for testing on big count of CPUs. - The FreeBSD Foundation for having sponsored my devsummit attendance, which has been instrumental. - Sandvine for having offered offices and infrastructure during development.
(I really hope I didn't forget anyone, if it happened I apologize in advance).
|
222745 |
06-Jun-2011 |
ae |
Initialize co.use_set variable before parsing each new rule.
PR: bin/134975 MFC after: 2 weeks
|
222744 |
06-Jun-2011 |
ae |
Increase buffer size for the command line.
PR: bin/125370 Submitted by: sem MFC after: 2 weeks
|
222473 |
30-May-2011 |
ae |
Add tablearg support for ipfw setfib.
PR: kern/156410 MFC after: 2 weeks
|
222023 |
17-May-2011 |
pluknet |
mdoc: - use a proper macro for interface name ipfw0. - add missing section number for bpf cross reference.
|
220835 |
19-Apr-2011 |
glebius |
Rewrite NAT configuration parser, so that memory allocation size is calculated dynamically.
PR: kern/143653
|
220804 |
18-Apr-2011 |
glebius |
More whitespace fixes.
Checked with: md5, diff -x -w
|
220802 |
18-Apr-2011 |
glebius |
Whitespace fixes.
Checked with: md5, diff -w
|
215179 |
12-Nov-2010 |
luigi |
The first customer of the SO_USER_COOKIE option: the "sockarg" ipfw option matches packets associated to a local socket and with a non-zero so_user_cookie value. The value is made available as tablearg, so it can be used as a skipto target or pipe number in ipfw/dummynet rules.
Code by Paul Joe, manpage by me.
Submitted by: Paul Joe MFC after: 1 week
|
214132 |
21-Oct-2010 |
uqs |
mdoc: make pages render with mandoc
It's a bit more pedantic regarding .Bl list elements. This has an added benefit of unbreaking the ipfw(8) manpage, where groff was silently skipping one list element.
|
213810 |
13-Oct-2010 |
luigi |
document logging through bpf
|
213573 |
08-Oct-2010 |
uqs |
mdoc: drop redundant .Pp and .LP calls
They have no effect when coming in pairs, or before .Bl/.Bd
|
211936 |
28-Aug-2010 |
brucec |
Fix incorrect usage of 'assure' and 'insure'.
Approved by: rrs (mentor)
|
211499 |
19-Aug-2010 |
des |
expand_number(3) takes a uint64_t * now.
MFC after: 3 weeks
|
211397 |
16-Aug-2010 |
joel |
Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while translating these manual pages. Minor corrections by me.
Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>
|
210539 |
27-Jul-2010 |
glebius |
Document that the "ngtee" action no longer accepts packet, and thus don't depend on one_pass flag anymore.
This is a POLA violation, but it is quite difficult to restore the old behavior with new code. Also, the new behavior matches behavior of the older "tee" action, and this is more intuitive.
|
210118 |
15-Jul-2010 |
luigi |
better printing of headers when listing flows
|
207736 |
07-May-2010 |
mckusick |
Merger of the quota64 project into head.
This joint work of Dag-Erling Smørgrav and myself updates the FFS quota system to support both traditional 32-bit and new 64-bit quotas (for those of you who want to put 2+Tb quotas on your users).
By default quotas are not compiled into the kernel. To include them in your kernel configuration you need to specify:
options QUOTA # Enable FFS quotas
If you are already running with the current 32-bit quotas, they should continue to work just as they have in the past. If you wish to convert to using 64-bit quotas, use `quotacheck -c 64'; if you wish to revert from 64-bit quotas back to 32-bit quotas, use `quotacheck -c 32'.
There is a new library of functions to simplify the use of the quota system, do `man quotafile' for details. If your application is currently using the quotactl(2), it is highly recommended that you convert your application to use the quotafile interface. Note that existing binaries will continue to work.
Special thanks to John Kozubik of rsync.net for getting me interested in pursuing 64-bit quota support and for funding part of my development time on this project.
|
206846 |
19-Apr-2010 |
luigi |
fix 64-bit build
Reported by: Robert Noland
|
206843 |
19-Apr-2010 |
luigi |
Slightly different handling of printf/snprintf for unaligned uint64_t, which should improve readability, and also to ease the port to platforms that do not support %llu
MFC after: 3 days
|
206494 |
12-Apr-2010 |
luigi |
fix a buffer overflow with large (100k+) number of input lines.
MFC after: 3 days
|
206266 |
06-Apr-2010 |
ume |
Set net.inet6.ip6.fw.enable as well.
|
205631 |
24-Mar-2010 |
luigi |
fix another bug in "ipfw set N ..."
Submitted by: Marcin Wisnicki
|
205372 |
20-Mar-2010 |
gavin |
Tweak language to make one point potentially clearer for non-native spekers
PR: bin/121424 Submitted by: "Julian H. Stacey" <jhs berklix.org>
|
205181 |
15-Mar-2010 |
luigi |
accept lower case m as a synonym for Mega (bit/s or bytes/s).
|
205179 |
15-Mar-2010 |
luigi |
print correctly commands of the form
ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 }
(note that the above example could be better written as
ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8
Submitted by: Riccardo Panicucci
|
205173 |
15-Mar-2010 |
luigi |
+ implement (two lines) the kernel side of 'lookup dscp N' to use the dscp as a search key in table lookups;
+ (re)implement a sysctl variable to control the expire frequency of pipes and queues when they become empty;
+ add 'queue number' as optional part of the flow_id. This can be enabled with the command
queue X config mask queue ...
and makes it possible to support priority-based schedulers, where packets should be grouped according to the priority and not some fields in the 5-tuple. This is implemented as follows: - redefine a field in the ipfw_flow_id (in sys/netinet/ip_fw.h) but without changing the size or shape of the structure, so there are no ABI changes. On passing, also document how other fields are used, and remove some useless assignments in ip_fw2.c
- implement small changes in the userland code to set/read the field;
- revise the functions in ip_dummynet.c to manipulate masks so they also handle the additional field;
There are no ABI changes in this commit.
|
205169 |
15-Mar-2010 |
luigi |
Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits of ip->ip_tos) in a table. This can be useful to direct traffic to different pipes/queues according to the DSCP of the packet, as follows:
ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue
This change is a no-op (but harmless) until the two-line kernel side is committed, which will happen shortly.
|
205050 |
11-Mar-2010 |
luigi |
implement listing of a subset of pipes/queues/schedulers. The filtering of the output is done in the kernel instead of userland to reduce the amount of data transfered.
|
204869 |
08-Mar-2010 |
luigi |
add back DPADD (removed by mistake in a previous commit)
|
204758 |
05-Mar-2010 |
luigi |
more documentation on new dummynet features.
|
204718 |
04-Mar-2010 |
luigi |
make the listing of queues/pipes/schedulers handle the case of data size increasing while we fetch the info.
|
204717 |
04-Mar-2010 |
luigi |
fix handling of sets
|
204716 |
04-Mar-2010 |
luigi |
reduce diffs with the cross-platform version (windows needs some extra initialization)
|
204712 |
04-Mar-2010 |
luigi |
remove stale comment
|
204591 |
02-Mar-2010 |
luigi |
Bring in the most recent version of ipfw and dummynet, developed and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet.
The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions.
In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ.
Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland.
Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time.
Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits.
CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.
|
204329 |
25-Feb-2010 |
ru |
Fixed dependencies (make checkdpadd).
|
200567 |
15-Dec-2009 |
luigi |
implement a new match option,
lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N
which searches the specified field in table N and sets tablearg accordingly. With dst-ip or src-ip the option replicates two existing options. When used with other arguments, the option can be useful to quickly dispatch traffic based on other fields.
Work supported by the Onelab project.
MFC after: 1 week
|
200566 |
15-Dec-2009 |
luigi |
fix the indentation for addr: values
MFC after: 3 days
|
200183 |
06-Dec-2009 |
luigi |
restore setting of sin_len (was removed in 1.146 last february) as it seems that now it is necessary for 'forward' to work outside lo0. The bug (and fix) was reported on 8.0. This patch probably applies to RELENG_7 as well. It seems that 'pf' has a similar bug.
Submitted by: Lytochkin Boris MFC after: 3 days
|
200101 |
04-Dec-2009 |
luigi |
fix argument type in the call to expand_number
Submitted by: gcc 4.3 MFC after: 3 days
|
200056 |
03-Dec-2009 |
luigi |
use qsort_r instead of heapsort; staticize two functions.
MFC after: 3 days
|
199626 |
21-Nov-2009 |
netchild |
Fix minor resource leak in a function.
Reviewed by: luigi MFC after: 1 week
|
197312 |
18-Sep-2009 |
brueffer |
Fix setfib(1) section number.
PR: 133765 Submitted by: Konstantin Zolotukhin <erebus@gorodok.net> MFC after: 3 days
|
195075 |
26-Jun-2009 |
oleg |
- 'burst' description rewritten.
Submitted by: Ben Kaduk Approved by: re (kib)
|
195036 |
26-Jun-2009 |
maxim |
o Kill grammar nits.
PR: docs/136061 Submitted by: Ben Kaduk MFC after: 1 week
|
194930 |
24-Jun-2009 |
oleg |
- fix dummynet 'fast' mode for WF2Q case. - fix printing of pipe profile data. - introduce new pipe parameter: 'burst' - how much data can be sent through pipe bypassing bandwidth limit.
|
193715 |
08-Jun-2009 |
luigi |
Permit the specification of bandwidth values within "profile" files (bandwidth is mandatory when using a profile, so it makes sense to have everything in one place).
Update the manpage accordingly.
Submitted by: Marta Carbone
|
193702 |
08-Jun-2009 |
luigi |
add a missing format in a printf Detected building with gcc 4.3.3
MFC after: 3 days
|
193516 |
05-Jun-2009 |
luigi |
Several ipfw options and actions use a 16-bit argument to indicate pipes, queues, tags, rule numbers and so on. These are all different namespaces, and the only thing they have in common is the fact they use a 16-bit slot to represent the argument.
There is some confusion in the code, mostly for historical reasons, on how the values 0 and 65535 should be used. At the moment, 0 is forbidden almost everywhere, while 65535 is used to represent a 'tablearg' argument, i.e. the result of the most recent table() lookup.
For now, try to use explicit constants for the min and max allowed values, and do not overload the default rule number for that.
Also, make the MTAG_IPFW declaration only visible to the kernel.
NOTE: I think the issue needs to be revisited before 8.0 is out: the 2^16 namespace limit for rule numbers and pipe/queue is annoying, and we can easily bump the limit to 2^32 which gives a lot more flexibility in partitioning the namespace.
MFC after: 5 days
|
193500 |
05-Jun-2009 |
luigi |
remove a printf that was only useful for debugging.
MFC after: 3 days
|
190911 |
11-Apr-2009 |
trhodes |
Kill hard sentence break added in the previous revision.
|
190865 |
09-Apr-2009 |
luigi |
Add emulation of delay profiles, which lets you model various types of MAC overheads such as preambles, link level retransmissions and more.
Note- this commit changes the userland/kernel ABI for pipes (but not for ordinary firewall rules) so you need to rebuild kernel and /sbin/ipfw to use dummynet features.
Please check the manpage for details on the new feature.
The MFC would be trivial but it breaks the ABI, so it will be postponed until after 7.2 is released.
Interested users are welcome to apply the patch manually to their RELENG_7 tree.
Work supported by the European Commission, Projects Onelab and Onelab2 (contract 224263).
|
190851 |
08-Apr-2009 |
maxim |
o Grammar.
|
190846 |
08-Apr-2009 |
luigi |
Various cleanup of text, moving a couple of paragraphs above to avoid referencing undefined terms (humans are not compilers but still care about these things).
Change some .Sh to .Ss to better reflect the structure of the text.
No new content.
|
190799 |
07-Apr-2009 |
trhodes |
Remove contractions, reword a sentence to avoid a double negative, and bump document date for previous change.
OKed by: piso
|
190714 |
05-Apr-2009 |
piso |
Improve a bit reass documentation:
-document fragment handling sysctls -mention some caveats about fragments handling (and to deal with it)
|
190633 |
01-Apr-2009 |
piso |
Implement an ipfw action to reassemble ip packets: reass.
|
190026 |
19-Mar-2009 |
brueffer |
Mdoc style, spelling, grammar and wording fixes. This manpage needs more work.
|
189396 |
05-Mar-2009 |
luigi |
move a variable declaration to the beginning of the block (unfortunately, it is far away; we need to pack this code in a better way).
|
189395 |
05-Mar-2009 |
luigi |
remove some signed/unsigned and one const/!const warning
|
189394 |
05-Mar-2009 |
luigi |
mark a function static, as it is
|
188294 |
07-Feb-2009 |
piso |
Add SCTP NAT support.
Submitted by: CAIA (http://caia.swin.edu.au)
|
188005 |
02-Feb-2009 |
luigi |
Explain that we assume AF_INET and only use the addr and port field from a struct sockaddr_in, so there is no need to initialize sin_len
|
188004 |
02-Feb-2009 |
luigi |
remove duplicate #include
|
187983 |
01-Feb-2009 |
luigi |
put the altq-related functions into a separate file. Minor cleanup of the includes used by the various source files, including annotations of why certain headers are used.
|
187819 |
28-Jan-2009 |
luigi |
Avoid the use of duplicated typedefs -- see the comment for details.
|
187787 |
27-Jan-2009 |
luigi |
fix printing of uint64_t values, so we can use WARNS=2
|
187771 |
27-Jan-2009 |
luigi |
fix wrong variable usage...
|
187770 |
27-Jan-2009 |
luigi |
Put nat and ipv6 support in their own files.
Usual moving of code with no changes from ipfw2.c to the newly created files, and addition of prototypes to ipfw2.h
I have added forward declarations for ipfw_insn_* in ipfw2.h to avoid a global dependency on ip_fw.h
|
187769 |
27-Jan-2009 |
luigi |
Put dummynet-related code in a separate file. To this purpose, add prototypes for global functions in ipfw2.h and move there also the list of tokens used in various places in the code.
|
187768 |
27-Jan-2009 |
luigi |
never mind, for the time being let's stick with WARNS=0 until we sort out all proper printf formats.
|
187767 |
27-Jan-2009 |
luigi |
Start splitting the monster file in smaller blocks.
In this episode: - introduce a common header with a minimal set of common definitions; - bring the main() function and options parser in main.c - rename the main functions with an ipfw_ prefix
No code changes except for the introduction of a global variable, resvd_set_number, which stores the RESVD_SET value from ip_fw.h and is used to remove the dependency of main.c from ip_fw.h (and the subtree of dependencies) for just a single constant.
|
187765 |
27-Jan-2009 |
luigi |
put the usage() function inline, it was only 1 line and used once; slightly reformat the help() text; slightly correct the text for the 'extraneous filename' error message;
|
187764 |
27-Jan-2009 |
luigi |
put all options in a single struct, and document them.
This will allow us to easily restore the original values when processing commands from a file (where each individual line can have its own options).
|
187763 |
27-Jan-2009 |
luigi |
I believe this is safe to build with WARNS=2 now
|
187762 |
27-Jan-2009 |
luigi |
remove a couple of rarely used #define;
change PRINT_UINT from a macro to a function (renaming is postponed to reduce clutter)
|
187716 |
26-Jan-2009 |
luigi |
wrap all malloc/calloc/realloc calls so they exit on failure without having to check in each place.
Remove an wrong strdup from previous commit.
|
187713 |
26-Jan-2009 |
luigi |
Some implementations of getopt() expect that argv[0] is always the program name, and ignore that entry. ipfw2.c code instead skips this entry and starts with options at offset 0, relying on a more tolerant implementation of the library.
This change fixes the issue by always passing a program name in the first entry to getopt. The motivation for this change is to remove a potential compatibility issue should we use a different getopt() implementation in the future.
No functional changes.
Submitted by: Marta Carbone (parts) MFC after: 4 weeks
|
187604 |
22-Jan-2009 |
luigi |
remove some useless #include, document why timeconv.h is needed
MFC after: 3 days
|
187477 |
20-Jan-2009 |
luigi |
Fix a number of (innocuous) warnings, and remove a useless test. There are still several signed/unsigned warnings left, which require a bit more study for a proper fix.
This file has grown beyond reasonable limits.
We really need to split it into separate components (ipv4, ipv6, dummynet, nat, table, userland-kernel communication ...) so we can make mainteinance easier.
MFC after: 1 weeks
|
186298 |
18-Dec-2008 |
piso |
Update the ipfw man page to reflect last change (-q option with nat option).
MFC after: 3 days
|
186297 |
18-Dec-2008 |
piso |
Honor the quiet (-q) option while adding a nat rule.
Submitted by: Andrey V. Elsukov<bu7cher@yandex.ru> MFC after: 3 days
|
183890 |
14-Oct-2008 |
maxim |
o Remove a debug code and restore an accidentally deleted code in a previous commit.
|
183889 |
14-Oct-2008 |
maxim |
o Do nothing in show_nat() for a test mode (-n). This prevents show_nat() from endless loop and makes work ipfw -n nat <...>.
PR: bin/128064 Submitted by: sem MFC after: 1 month
|
183415 |
27-Sep-2008 |
rik |
Fix the build.
Noted by: ganbold@
|
183408 |
27-Sep-2008 |
rik |
* add all keyword for table list & flush actions. * add tables_max sysctl. * add default_rule sysctl.
PR: 127058 (partially)
|
183407 |
27-Sep-2008 |
rik |
Add keyword all in addtion to the table number for the 'list' and the 'flush' actions on tables. Part of PR: 127058.
PR: 127058 (based on) MFC after: 1 month
|
183263 |
22-Sep-2008 |
keramida |
Unbreak the build.
|
183241 |
21-Sep-2008 |
rik |
Add the check of the table number.
|
183228 |
21-Sep-2008 |
rik |
Move table list to a separate function.
|
183209 |
20-Sep-2008 |
rik |
Free allocated memory.
|
183208 |
20-Sep-2008 |
rik |
Remove some unused variables.
|
183206 |
20-Sep-2008 |
rik |
Style(9) the show_nat() function.
|
183205 |
20-Sep-2008 |
rik |
Do not do the useless job for an empty table.
MFC after: 1 month
|
182823 |
06-Sep-2008 |
rik |
Use IPFW_DEFAULT_RULE instead of hardcoded value since now it is available.
MFC after: 5 days.
|
182277 |
27-Aug-2008 |
ivoras |
Trivial typo fix.
Approved by: gnn (mentor)
|
181141 |
01-Aug-2008 |
julian |
Slight wordsmithing. prompted by danger@
|
181140 |
01-Aug-2008 |
julian |
Document the use of the tablearg keyword together with the skipto command.
|
180785 |
24-Jul-2008 |
julian |
Note that setfib is not a terminal rule.
|
178916 |
10-May-2008 |
julian |
Change two variables to size_t to improve portability. Submitted by: Xin Li
|
178888 |
09-May-2008 |
julian |
Add code to allow the system to handle multiple routing tables. This particular implementation is designed to be fully backwards compatible and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4 Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I have some time to work on is "policy based routing", which allows different packet streams to be routed by more than just the destination address.
Constraints: ------------
I want to make some form of this available in the 6.x tree (and by extension 7.x) , but FreeBSD in general needs it so I might as well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to instantiate multiple kernel routing tables (which I will now refer to as "Forwarding Information Bases" or "FIBs" for political correctness reasons). Which FIB a particular packet uses to make the next hop decision can be decided by a number of mechanisms. The policies these mechanisms implement are the "Policies" referred to in "Policy based routing".
One of the constraints I have if I try to back port this work to 6.x is that it must be implemented as a EXTENSION to the existing ABIs in 6.x so that third party applications do not need to be recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that will come with later versions. It will, for example, be limited to 16 tables in the first commit. Implementation method, Compatible version. (part 1) ------------------------------- For this reason I have implemented a "sufficient subset" of a multiple routing table solution in Perforce, and back-ported it to 6.x. (also in Perforce though not always caught up with what I have done in -current/P4). The subset allows a number of FIBs to be defined at compile time (8 is sufficient for my purposes in 6.x) and implements the changes needed to allow IPV4 to use them. I have not done the changes for ipv6 simply because I do not need it, and I do not have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be users with proprietary protocol families, they should continue to work and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB code starts everything off with a single dimensional array of pointers to FIB head structures (One per protocol family), each of which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to extent that array to be a 2 dimensional array, so that instead of protocol family X looking at rt_tables[X] for the table it needs, it looks at rt_tables[Y][X] when for all protocol families except ipv4 Y is always 0. Code that is unaware of the change always just sees the first row of the table, which of course looks just like the one dimensional array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign() are all maintained, but refer only to the first row of the array, so that existing callers in proprietary protocols can continue to do the "right thing". Some new entry points are added, for the exclusive use of ipv4 code called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(), which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called rtalloc_fib() and friends) that check the Address family being looked up and call either rtalloc() (and friends) if the protocol is not IPv4 forcing the action to row 0 or to the appropriate row if it IS IPv4 (and that info is available). These are for calling from code that is not specific to any particular protocol. The way these are implemented would change in the non ABI preserving code to be added later.
One feature of the first version of the code is that for ipv4, the interface routes show up automatically on all the FIBs, so that no matter what FIB you select you always have the basic direct attached hosts available to you. (rtinit() does this automatically).
You CAN delete an interface route from one FIB should you want to but by default it's there. ARP information is also available in each FIB. It's assumed that the same machine would have the same MAC address, regardless of which FIB you are using to get to it.
This brings us as to how the correct FIB is selected for an outgoing IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing has been done to change it, it will be FIB 0. The FIB is changed in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB. Such packets select a FIB from a number associated with the socket/PCB. This in turn is inherited from the process, but can be changed by a socket option. The process in turn inherits it on fork. I have written a utility call setfib that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail but I have not done so. It can be achieved by combining the setfib and jail commands.
2/ packets received on an interface for forwarding. By default these packets would use table 0, (or possibly a number settable in a sysctl(not yet)). but prior to routing the firewall can inspect them (see below). (possibly in the future you may be able to associate a FIB with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily associate a fib with it on a packet by packet basis. A fib assigned to a packet by a packet classifier (such as ipfw) would over-ride a fib associated by a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset or icmp packets). These should use the FIB associated with the packet being reponded to.
6/ Packets generated during encapsulation. gif, tun and other tunnel interfaces will encapsulate using the FIB that was in effect withthe proces that set up the tunnel. thus setfib 1 ifconfig gif0 [tunnel instructions] will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their process, and thus select one FIB or another. messages from the kernel would be associated with the fib they refer to and would only be received by a routing socket associated with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the fact that the array is now 2 dimensional. (It looks in system memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give: a) the number of FIBs compiled in (active) b) the default FIB of the calling process.
Early testing experience: -------------------------
Basically our (IronPort's) appliance does this functionality already using ipfw fwd but that method has some drawbacks.
For example, It can't fully simulate a routing table because it can't influence the socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been remarkably smooth so far. Multiple tables have co-existed with no notable side effects, and packets have been routes accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs in Cisco parlance. it will be interesting to see how that handles it when it suddenly actually does something.
Where to next: --------------------
After committing the ABI compatible version and MFCing it, I'd like to proceed in a forward direction in -current. this will result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per protocol family, all of the same format, and pointed to by the 1 dimensional array is a bit silly. Especially when one considers that there is code that makes assumptions about every protocol having the same internal structures there. Some protocols don't WANT that sort of structure. (for example the whole idea of a netmask is foreign to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the 'domain' structure, along with information pointing the data. instead of having an array of pointers to uniform structures, there would be an array pointing to the 'domain' structures for each protocol address domain (protocol family), and the methods this reached would be called. The methods would have an argument that gives FIB number, but the protocol would be free to ignore it.
When the ABI can be changed it raises the possibilty of the addition of a fib entry into the "struct route". Currently, the structure contains the sockaddr of the desination, and the resulting fib entry. To make this work fully, one could add a fib number so that given an address and a fib, one can find the third element, the fib entry.
Interaction with the ARP layer/ LL layer would need to be revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each) Obtained from: Ironport systems/Cisco
|
176626 |
27-Feb-2008 |
dwmalone |
Dummynet has a limit of 100 slots queue size (or 1MB, if you give the limit in bytes) hard coded into both the kernel and userland. Make both these limits a sysctl, so it is easy to change the limit. If the userland part of ipfw finds that the sysctls don't exist, it will just fall back to the traditional limits.
(100 packets is quite a small limit these days. If you want to test TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.)
Note these sysctls in the man page and warn against increasing them without thinking first.
MFC after: 3 weeks
|
176517 |
24-Feb-2008 |
piso |
Add table/tablearg support to ipfw's nat.
MFC After: 1 week
|
176445 |
21-Feb-2008 |
piso |
-Fix display of nat range. -Whitespace elimination.
Bug spotted by: Luiz Otavio O Souza MFC After: 3 days
|
176393 |
18-Feb-2008 |
piso |
Fix display of multiple nat rules.
Bug spotted by: Luiz Otavio O Souza PR: 120734 MFC After: 3 days
|
176391 |
18-Feb-2008 |
julian |
Instead of using a heuristic to decide whether to display table 'values' as IP addresses, use an explicit argument (-i). This is a 'POLA' issue. This is a low risk change and should be MFC'd to RELENG_6 and RELENG 7. it might be put as an errata item for 6.3. (not sure about 6.2).
Fix suggested by: Eugene Grosbein PR: 120720 MFC After: 3 days
|
176084 |
07-Feb-2008 |
yar |
Add a note that ipfw states do not implicitly match ICMP error messages.
|
175659 |
25-Jan-2008 |
rwatson |
Hide ipfw internal data structures behind IPFW_INTERNAL rather than exposing them to all consumers of ip_fw.h. These structures are used in both ipfw(8) and ipfw(4), but not part of the user<->kernel interface for other applications to use, rather, shared implementation.
MFC after: 3 days Reported by: Paul Vixie <paul at vix dot com>
|
175511 |
20-Jan-2008 |
maxim |
o Fix ipfw(8) command line parser bug: "ipfw nat 1 config if" requires an argument.
PR: bin/119815 Submitted by: Dierk Sacher MFC after: 1 week
|
174713 |
17-Dec-2007 |
oleg |
Calculate p.fs.lookup_step correctly. This should prevent zeroing of w_q_lookup table (used in RED algorithm for (1 - w_q)^t computation).
MFC after: 1 months
|
173920 |
26-Nov-2007 |
danger |
Polish this manual page a bit:
- refer to the dummynet(4) man page only once, later use rather the .Nm macro. - use .Va macro when refering to the sysctl variables - grammar and markup fixes
Reviewed by: keramida, trhodes, ru (roughly) MFC-after: 1 week
|
173706 |
17-Nov-2007 |
oleg |
- New sysctl variable: net.inet.ip.dummynet.io_fast If it is set to zero value (default) dummynet module will try to emulate real link as close as possible (bandwidth & latency): packet will not leave pipe faster than it should be on real link with given bandwidth. (This is original behaviour of dummynet which was altered in previous commit) If it is set to non-zero value only bandwidth is enforced: packet's latency can be lower comparing to real link with given bandwidth.
- Document recently introduced dummynet(4) sysctl variables.
Requested by: luigi, julian MFC after: 3 month
|
173080 |
27-Oct-2007 |
maxim |
o Fix indentation. No functional changes.
|
172818 |
19-Oct-2007 |
rpaulo |
Change IPTOS_CE to IPTOS_ECN_CE.
Approved by: njl (mentor)
|
172801 |
19-Oct-2007 |
rpaulo |
Comply with the removal of IPTOS_CE and IPTOS_ECT. Discussed on freebsd-net with no objections.
Approved by: njl (mentor), rwatson
|
172627 |
14-Oct-2007 |
maxim |
o Fix a typo in ipfw table usage example.
PR: docs/117172 Submitted by: novel MFC after: 1 week
|
172306 |
23-Sep-2007 |
maxim |
o Cosmetic: fix the issue when "ipfw(8) show" produces "not" twice:
$ ipfw -n add 1 allow layer2 not mac-type ip 00001 allow ip from any to any layer2 not not mac-type 0x0800
PR: bin/115372 Submitted by: Andrey V. Elsukov Approved by: re (hrs) MFC after: 3 weeks
|
171989 |
26-Aug-2007 |
maxim |
o Fix bug I introduced in the previous commit (ipfw set extention): pack a set number correctly.
Submitted by: oleg
o Plug a memory leak.
Submitted by: oleg and Andrey V. Elsukov Approved by: re (kensmith) MFC after: 1 week
|
171732 |
05-Aug-2007 |
bz |
Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL. Also rename the related functions in a similar way. There are no functional changes.
For a packet coming in with IPsec tunnel mode, the default is to only call into the firewall with the "outer" IP header and payload.
With this option turned on, in addition to the "outer" parts, the "inner" IP header and payload are passed to the firewall too when going through ip_input() the second time.
The option was never only related to a gif(4) tunnel within an IPsec tunnel and thus the name was very misleading.
Discussed at: BSDCan 2007 Best new name suggested by: rwatson Reviewed by: rwatson Approved by: re (bmah)
|
171723 |
04-Aug-2007 |
csjp |
Remove references to mpsafenet. This option no longer exists.
Approved by: re@ (bmah)
|
170923 |
18-Jun-2007 |
maxim |
o Make ipfw set more robust -- now it is possible: - to show a specific set: ipfw set 3 show - to delete rules from the set: ipfw set 9 delete 100 200 300 - to flush the set: ipfw set 4 flush - to reset rules counters in the set: ipfw set 1 zero
PR: kern/113388 Submitted by: Andrey V. Elsukov Approved by: re (kensmith) MFC after: 6 weeks
|
169424 |
09-May-2007 |
maxim |
o Teach get_mac_addr_mask() to not silently accept incorrect MAC addresses. o Swap a couple of magic 6s by ETHER_ADDR_LEN.
PR: bin/80913 Submitted by: Andrey V. Elsukov MFC after: 1 month
|
169245 |
04-May-2007 |
bz |
Add support for filtering on Routing Header Type 0 and Mobile IPv6 Routing Header Type 2 in addition to filter on the non-differentiated presence of any Routing Header.
MFC after: 3 weeks
|
169139 |
30-Apr-2007 |
maxim |
o Make ipfw(8) show rules with mac/mac-type options correctly.
Before:
$ ipfw -n add 100 count icmp from any to any mac-type 0x01 00100 count icmp 0x0001 $ ipfw -n add 100 count icmp from any to any mac any any 00100 count icmp MAC any any any
After:
$ ipfw -n add 100 count icmp from any to any mac-type 0x01 00100 count icmp from any to any mac-type 0x0001 $ ipfw -n add 100 count icmp from any to any mac any any 00100 count icmp from any to any MAC any any
PR: bin/112244 Submitted by: Andrey V. Elsukov MFC after: 1 month
|
168819 |
17-Apr-2007 |
maxim |
o Add missed w/space in the error message.
Spotted by: Ivan Voras MFC after: 1 week
|
166750 |
15-Feb-2007 |
piso |
Mention the nat command in the synopsis and in the action section.
Approved by: glebius (mentor)
|
165851 |
07-Jan-2007 |
mlaier |
Fix a parsing bug when specifying more than one address with dotted decimal netmask.
Reported by: Igor Anishchuk PR: kern/107565 MFC after: 3 days
|
165648 |
29-Dec-2006 |
piso |
Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:
-ipfw's in kernel nat
-redirect_* and LSNAT support
General information about nat syntax and some examples are available in the ipfw (8) man page. The redirect and LSNAT syntax are identical to natd, so please refer to natd (8) man page.
To enable in kernel nat in rc.conf, two options were added:
o firewall_nat_enable: equivalent to natd_enable
o firewall_nat_interface: equivalent to natd_interface
Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to continue being checked by the firewall ruleset after being (de)aliased.
NOTA BENE: due to some problems with libalias architecture, in kernel nat won't work with TSO enabled nic, thus you have to disable TSO via ifconfig (ifconfig foo0 -tso).
Approved by: glebius (mentor)
|
163184 |
09-Oct-2006 |
trhodes |
Add a note about rule syntax compared to the shell used so users do not get frustraited when: ipfw add 201 deny ip from any to table(2) in via xl1 returns "Badly placed ( )'s"
PR: 73638
|
163012 |
04-Oct-2006 |
keramida |
When addr/mask examples are given, show both a host and network address, to avoid confusing the users that a full address is always required.
Submitted by: Josh Paetzel <josh@tcbug.org> (through freebsd-doc) MFC after: 3 days
|
162773 |
29-Sep-2006 |
maxim |
o Check for a required "pathname" argument presence.
PR: bin/95146 Submitted by: candy-sendpr@kgc.co.jp MFC after: 3 weeks
|
162395 |
18-Sep-2006 |
ru |
Markup fixes.
|
162363 |
16-Sep-2006 |
jhay |
Check the length of the ipv4 and ipv6 address lists. It must be less than F_LEN_MASK.
MFC after: 5 days
|
162344 |
16-Sep-2006 |
jhay |
Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(), otherwise this command
ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129
turns into icmp6types 1,2,32,33,34,...94,95,128,129
PR: 102422 (part 1) Submitted by: Andrey V. Elsukov <bu7cher at yandex.ru> MFC after: 5 days
|
161550 |
23-Aug-2006 |
dwmalone |
A pipe bandwidth of 10MBits/s should probably be understood as 10Mbits/s not 10MBytes/s.
Submitted by: Gavin McCullagh <gavin.mccullagh@nuim.ie> MFC after: 1 week
|
161483 |
20-Aug-2006 |
dwmalone |
Regigle parens to try and get the intended affect. This should fix people having trouble with the "me6" keyword. Also, we were using inet_pton on the wrong variable in one place.
Reviewed by: mlaier (previous version of patch) Obtained from: Sascha Blank (inet_pton change) MFC after: 1 week
|
161466 |
20-Aug-2006 |
julian |
Fix typo.
|
161456 |
18-Aug-2006 |
julian |
comply with style police
Submitted by: ru MFC after: 1 month
|
161424 |
17-Aug-2006 |
julian |
Allow ipfw to forward to a destination that is specified by a table. for example: fwd tablearg ip from any to table(1) where table 1 has entries of the form: 1.1.1.0/24 10.2.3.4 208.23.2.0/24 router2
This allows trivial implementation of a secondary routing table implemented in the firewall layer.
I expect more work (under discussion with Glebius) to follow this to clean up some of the messy parts of ipfw related to tables.
Reviewed by: Glebius MFC after: 1 month
|
161382 |
17-Aug-2006 |
julian |
Take IP_FIREWALL_EXTENDED out of the man page too. MFC after: 1 week
|
161001 |
05-Aug-2006 |
stefanf |
Use the SLIST_NEXT macro instead of sle_next.
Checked with: cmp(1)
|
160661 |
25-Jul-2006 |
oleg |
Specify correct argument range for tag/untag keywords.
Approved by: glebius (mentor)
|
159636 |
15-Jun-2006 |
oleg |
Add support of 'tablearg' feature for: - 'tag' & 'untag' action parameters. - 'tagged' & 'limit' rule options. Rule examples: pipe 1 tag tablearg ip from table(1) to any allow ip from any to table(2) tagged tablearg allow tcp from table(3) to any 25 setup limit src-addr tablearg
sbin/ipfw/ipfw2.c: 1) new macros GET_UINT_ARG - support of 'tablearg' keyword, argument range checking. PRINT_UINT_ARG - support of 'tablearg' keyword. 2) strtoport(): do not silently truncate/accept invalid port list expressions like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.
Approved by: glebius (mentor) MFC after: 1 month
|
159160 |
02-Jun-2006 |
mlaier |
Print dynamic rules for IPv6 as well.
PR: bin/98349 Submitted by: Mark Andrews MFC after: 2 weeks
|
158879 |
24-May-2006 |
oleg |
Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9). Since tags are kept while packet resides in kernelspace, it's possible to use other kernel facilities (like netgraph nodes) for altering those tags.
Submitted by: Andrey Elsukov <bu7cher at yandex dot ru> Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru> Approved by: glebius (mentor) Idea from: OpenBSD PF MFC after: 1 month
|
158553 |
14-May-2006 |
mlaier |
For src/dest parsing take off the netmask before checking for AF with inet_pton. This fixes cases like "fe02::/16".
PR: bin/91245 Reported by: Fredrik Lindberge
|
158492 |
12-May-2006 |
mlaier |
Update manpage for net.inet6.ip6.fw.enable sysctl.
Requested by: bz
|
157335 |
31-Mar-2006 |
julian |
Amazing.. two screwups in one commit. I'm piling on thise pointy hats on top of each other. At least they nest..
|
157332 |
31-Mar-2006 |
julian |
I can't believe that no-one noticed that I broke ipfw table del for over a month! put {} around if clause with multiple statements
|
156315 |
05-Mar-2006 |
ume |
Revert `proto ip' back to the previous behavior. The kernel side of ipfw2 doesn't allow zero as protocol number.
MFC after: 3 days
|
155640 |
14-Feb-2006 |
julian |
oops, mismerge from working sources.. not only add new code, but remove old code!
|
155639 |
14-Feb-2006 |
julian |
Stop ipfw from aborting when asked to delete a table entry that doesn't exist or add one that is already present, if the -q flag is set. Useful for "ipfw -q /dev/stdin" when the command above is invoked from something like python or TCL to feed commands down the throat of ipfw. MFC in: 1 week
|
155263 |
03-Feb-2006 |
ru |
Fix a markup glitch.
|
154301 |
13-Jan-2006 |
glebius |
Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore.
|
154300 |
13-Jan-2006 |
glebius |
Document 'tablearg' keyword.
Wording by: emaste
|
153380 |
13-Dec-2005 |
ru |
[mdoc] add missing space before a punctuation type argument.
|
153374 |
13-Dec-2005 |
glebius |
Add a new feature for optimizining ipfw rulesets - substitution of the action argument with the value obtained from table lookup. The feature is now applicable only to "pipe", "queue", "divert", "tee", "netgraph" and "ngtee" rules.
An example usage:
ipfw pipe 1000 config bw 1000Kbyte/s ipfw pipe 4000 config bw 4000Kbyte/s ipfw table 1 add x.x.x.x 1000 ipfw table 1 add x.x.x.y 4000 ipfw pipe tablearg ip from table(1) to any
In the example above the rule will throw different packets to different pipes.
TODO: - Support "skipto" action, but without searching all rules. - Improve parser, so that it warns about bad rules. These are: - "tablearg" argument to action, but no "table" in the rule. All traffic will be blocked. - "tablearg" argument to action, but "table" searches for entry with a specific value. All traffic will be blocked. - "tablearg" argument to action, and two "table" looks - for src and for dst. The last lookup will match.
|
153266 |
09-Dec-2005 |
glebius |
Cleanup _FreeBSD_version.
|
152923 |
29-Nov-2005 |
ume |
We couldn't specify the rule for filtering tunnel traffic since an IPv6 support was committed:
- Stop treating `ip' and `ipv6' as special in `proto' option as they conflict with /etc/protocols.
- Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.
- When protocol is specified as numeric, treat it as it is even it is 41 (ipv6).
- Allow zero for protocol as it is valid number of `ip'.
Still, we cannot specify an IPv6 over an IPv4 tunnel like before such as:
pass ipv6 from any to any
But, now, you can specify it like:
pass ip4 from any to any proto ipv6
PR: kern/89472 Reported by: Ga l Roualland <gael.roualland__at__dial.oleane.com> MFC after: 1 week
|
152921 |
29-Nov-2005 |
glebius |
Catch up with ip_dummynet.h rev. 1.38 and fix build.
|
152917 |
29-Nov-2005 |
glebius |
Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(), thus removing a few XXXes. Document the ABI breakage in UPDATING.
|
152568 |
18-Nov-2005 |
ru |
-mdoc sweep.
|
151587 |
23-Oct-2005 |
csjp |
Restore the documentation about uid, gid or prison based rules requiring that debug.mpsafenet be set to 0. It is still possible for dead locks to occur while these filtering options are used due to the layering violation inherent in their implementation.
Discussed: -current, rwatson, glebius
|
150675 |
28-Sep-2005 |
mlaier |
Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.
Reminded by: ru
|
149020 |
13-Aug-2005 |
bz |
* Add dynamic sysctl for net.inet6.ip6.fw. * Correct handling of IPv6 Extension Headers. * Add unreach6 code. * Add logging for IPv6.
Submitted by: sysctl handling derived from patch from ume needed for ip6fw Obtained from: is_icmp6_query and send_reject6 derived from similar functions of netinet6,ip6fw Reviewed by: ume, gnn; silence on ipfw@ Test setup provided by: CK Software GmbH MFC after: 6 days
|
147720 |
01-Jul-2005 |
cperciva |
Bump document date. Remove EOL whitespace introduced in previous commit. Start new line at sentence break in previous commit.
Approved by: re (implicit, fixing a commit made 5 minutes ago)
|
147719 |
01-Jul-2005 |
cperciva |
Document some limitations of uid/gid rules.
Approved by: re (rwatson) MFC after: 3 days
|
147369 |
14-Jun-2005 |
ru |
Markup fixes.
Approved by: re (blanket)
|
147105 |
07-Jun-2005 |
mlaier |
add_proto() now fills proto for us so stop to 'guess' the protocol from the command and rather trust the value add_proto filled in. While here, fix an oversight in the pretty printing of ip6/4 options.
|
146962 |
04-Jun-2005 |
green |
Better explain, then actually implement the IPFW ALTQ-rule first-match policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification.
MFC after: 1 week
|
146894 |
03-Jun-2005 |
mlaier |
Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well. This is the last requirement before we can retire ip6fw.
Reviewed by: dwhite, brooks(earlier version) Submitted by: dwhite (manpage) Silence from: -ipfw
|
146464 |
21-May-2005 |
mlaier |
Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults and not every protocol is IPv6.
|
146097 |
11-May-2005 |
glebius |
'ngtee' also depends on net.inet.ip.fw.one_pass.
|
145865 |
04-May-2005 |
glebius |
IPFW version 2 is the only option now in HEAD. Do not confuse users of future releases with instructions about building IPFW2 on RELENG_4.
|
145567 |
26-Apr-2005 |
brooks |
Fix a the previous commit. I wanted to remove the if and always run the body not remove both.
Reported by: ceri Pointy hat: brooks
|
145566 |
26-Apr-2005 |
brooks |
Don't force IPv6 proto to be printed numericaly.
Noticed by: ceri
|
145246 |
18-Apr-2005 |
brooks |
Add IPv6 support to IPFW and Dummynet.
Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
|
144687 |
05-Apr-2005 |
brooks |
Be more specific when complaining about bit masks.
|
142248 |
22-Feb-2005 |
andre |
Bring back the full packet destination manipulation for 'ipfw fwd' with the kernel compile time option:
options IPFIREWALL_FORWARD_EXTENDED
This option has to be specified in addition to IPFIRWALL_FORWARD.
With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break.
Document the two kernel options.
PR: kern/71910 PR: kern/73129 MFC after: 1 week
|
141846 |
13-Feb-2005 |
ru |
Expand *n't contractions.
|
141444 |
07-Feb-2005 |
glebius |
Sort SEE ALSO.
Submitted by: ru
|
141366 |
05-Feb-2005 |
glebius |
Document how interaction with ng_ipfw node is configured.
|
141351 |
05-Feb-2005 |
glebius |
Add a ng_ipfw node, implementing a quick and simple interface between ipfw(4) and netgraph(4) facilities.
Reviewed by: andre, brooks, julian
|
140423 |
18-Jan-2005 |
glebius |
Don't print extra " via ", if we have already printed one. While here, slightly style brackets.
PR: misc/75297 MFC after: 1 week
|
140415 |
18-Jan-2005 |
ru |
Sort sections.
|
140285 |
15-Jan-2005 |
ru |
Markup nits.
|
140271 |
15-Jan-2005 |
brooks |
Deprecate unmaintainable uses of strncmp to implement abbreviations. This commit replaces those with two new functions that simplify the code and produce warnings that the syntax is deprecated. A small number of sensible abbreviations may be explicitly added based on user feedback.
There were previously three types of strncmp use in ipfw: - Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av to match string or any shortened form of it. I have replaced this with a new function _substrcmp(av, "string") which returns 0 if av is a substring of "string", but emits a warning if av is not exactly "string".
- The next type was two instances of strncmp(av, "by", 2) which allowed the abbreviation of bytes to "by", "byt", etc. Unfortunately, it also supported "bykHUygh&*g&*7*ui". I added a second new function _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but complains if the user doesn't spell out the word "bytes".
- There is also one correct use of strncmp to match "table(" which might have another token after it without a space.
Since I changed all the lines anyway, I also fixed the treatment of strncmp's return as a boolean in many cases. I also modified a few strcmp cases as well to be fully consistent.
|
139987 |
10-Jan-2005 |
ru |
Scheduled mdoc(7) sweep.
|
139821 |
07-Jan-2005 |
brooks |
Write some bit mask limits in hex rather than decimal so they look less magic.
|
138643 |
10-Dec-2004 |
csjp |
Update the IPFW man page to reflect reality. mpsafenet=0 is no longer required when using ucred based rules.
Pointed out by: seanc (thanks!) MFC after: 1 month
|
138072 |
25-Nov-2004 |
brooks |
Remove a duplicate line from an apparent merge error in rev 1.63.
|
137173 |
03-Nov-2004 |
ceri |
Be more clear that "bridged" is a synonym for "layer2".
PR: docs/44400 Submitted by: Constantin Stefanov <cstef at mail dot ru>
|
136788 |
22-Oct-2004 |
andre |
Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload.
Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8) man pages.
|
136335 |
09-Oct-2004 |
csjp |
Add a note to the man page warning users about possible lock order reversals+system lock ups if they are using ucred based rules while running with debug.mpsafenet=1.
I am working on merging a shared locking mechanism into ipfw which should take care of this problem, but it still requires a bit more testing and review.
|
136248 |
08-Oct-2004 |
green |
Reference altq(4) instead of pf.conf(5).
Tip of the hat to: mlaier
|
136247 |
08-Oct-2004 |
green |
Commit forgotten documentation for "diverted" rules.
|
136079 |
03-Oct-2004 |
green |
Remove blindly-copied extra include path.
|
136075 |
03-Oct-2004 |
green |
Add support to IPFW for matching by TCP data length.
|
136074 |
03-Oct-2004 |
green |
Add the documentation for IPFW's diverted(-loopback|-output) matches.
|
136073 |
03-Oct-2004 |
green |
Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket).
|
136072 |
03-Oct-2004 |
green |
Remove accidentally-added O_DIVERTED section.
|
136071 |
03-Oct-2004 |
green |
Add to IPFW the ability to do ALTQ classification/tagging.
|
135554 |
21-Sep-2004 |
csjp |
Since "d" is an array of 32 bit values, it is more correct to change the cast from unsigned int to uint32_t.
Pointed out by: luigi
|
135465 |
19-Sep-2004 |
ru |
Prepare for 5.x soon becoming -STABLE.
Pointed out by: -current users
|
135154 |
13-Sep-2004 |
andre |
Make 'ipfw tee' behave as inteded and designed. A tee'd packet is copied and sent to the DIVERT socket while the original packet continues with the next rule. Unlike a normally diverted packet no IP reassembly attemts are made on tee'd packets and they are passed upwards totally unmodified.
Note: This will not be MFC'd to 4.x because of major infrastucture changes.
PR: kern/64240 (and many others collapsed into that one)
|
135089 |
11-Sep-2004 |
csjp |
Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered. Making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints.
The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information, the size of the instruction (in 32-bit words) in the low 6 bits of "len" with the 2 remaining bits to implement OR and NOT.
The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes.
This may be a MFC candidate for RELENG_5.
Reviewed by: andre Approved by: luigi PR: kern/63961 (partially)
|
135036 |
10-Sep-2004 |
maxim |
o Initialize a local variable and make gcc happy.
PR: bin/71485 Submitted by: Jukka A. Ukkonen
|
134475 |
29-Aug-2004 |
maxim |
o Restore a historical ipfw1 logamount behaviour: rules with 'log' keyword but without 'logamount' limit the amount of their log messages by net.inet.ip.fw.verbose_limit sysctl value.
RELENG_5 candidate.
PR: kern/46080 Submitted by: Dan Pelleg MFC after: 1 week
|
134225 |
23-Aug-2004 |
pjd |
Fix 'show' command for pipes and queues.
PR: bin/70311 Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl> MFC after: 3 days
|
133607 |
13-Aug-2004 |
csjp |
Remove trailing whitespace and change "prisoniD" to "prisonID".
Pointed out by: simon Approved by: bmilekic (mentor)
|
133600 |
12-Aug-2004 |
csjp |
Add the ability to associate ipfw rules with a specific prison ID. Since the only thing truly unique about a prison is it's ID, I figured this would be the most granular way of handling this.
This commit makes the following changes:
- Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility. - Append the ipfw opcode list with O_JAIL. - While Iam here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage. - Add ``fw_prid'' to the ipfw ucred cache structure. - When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1. - Update man page to reflect these changes.
This change was a strong motivator behind the ucred caching mechanism in ipfw.
A sample usage of this new functionality could be:
ipfw add count ip from any to any jail 2
It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations.
Conceptual head nod by: pjd Reviewed by: rwatson Approved by: bmilekic (mentor)
|
133387 |
09-Aug-2004 |
andre |
New ipfw option "antispoof":
For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came on in is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match.
Usage example:
ipfw add deny ip from any to any not antispoof in
Manpage education by: ru
|
132510 |
21-Jul-2004 |
andre |
Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well.
To quote the submitter:
The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject a IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute.
Submitted by: James Jun <james@towardex.com>
|
131488 |
02-Jul-2004 |
ru |
Mechanically kill hard sentence breaks.
|
130298 |
10-Jun-2004 |
ru |
Fixed a bug spotted by compiling with -Wall.
|
130281 |
09-Jun-2004 |
ru |
Introduce a new feature to IPFW2: lookup tables. These are useful for handling large sparse address sets. Initial implementation by Vsevolod Lobko <seva@ip.net.ua>, refined by me.
MFC after: 1 week
|
130013 |
02-Jun-2004 |
csjp |
o Move NEED1 macro to the top of the source file.
o Add sanity checking to the firewall delete operation which tells the user that a firewall rule specification is required.
The previous behaviour was to exit without reporting any errors to the user.
Approved by: bmilekic (mentor)
|
129629 |
23-May-2004 |
maxim |
o Fix usage example.
PR: docs/67065 Submitted by: David Syphers
|
129389 |
18-May-2004 |
stefanf |
Remove spurious semicolons.
Approved by: das (mentor) Reviewed by: ipfw@
|
129058 |
09-May-2004 |
csjp |
Remove redundant sanity check before add_mac() when adding mac ipfw rules. The exact same sanity check is performed as the first operation of add_mac(), so there is no sense in doing it twice.
Approved by: bmilekic (mentor) PR: bin/55981
|
128575 |
23-Apr-2004 |
andre |
Add the option versrcreach to verify that a valid route to the source address of a packet exists in the routing table. The default route is ignored because it would match everything and render the check pointless.
This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses.
Example:
ipfw add 1000 deny ip from any to any not versrcreach
also known in Cisco-speak as:
ip verify unicast source reachable-via any
Reviewed by: luigi
|
128067 |
09-Apr-2004 |
maxim |
o Fix an incorrect parsing of 0.0.0.0/0 expression.
PR: kern/64778 MFC after: 6 weeks
|
127479 |
27-Mar-2004 |
ceri |
Backout revision 1.140; it seems that the previous version is clear enough.
Requested by: ru
|
127461 |
26-Mar-2004 |
maxim |
o The lenght of the port list is limited to 30 entries in ipfw2 not to 15.
PR: docs/64534 Submitted by: Dmitry Cherkasov MFC after: 1 week
|
127318 |
22-Mar-2004 |
ceri |
Clarify the description of the "established" option.
PR: docs/50391 Submitted by: root@edcsm.jussieu.fr MFC after: 1 week
|
124924 |
24-Jan-2004 |
maxim |
o Pass a correct argument to errx(3).
PR: bin/61846 Submitted by: Eugene Grosbein MFC after: 1 week
|
124858 |
23-Jan-2004 |
mtm |
grammar
|
124554 |
15-Jan-2004 |
maxim |
o -c (compact) flag is ipfw2 feature.
PR: bin/56328 MFC after: 3 days
|
124553 |
15-Jan-2004 |
maxim |
o -f (force) in conjunction with -p (preprocessor) is ipfw2 feature.
MFC after: 3 days
|
123804 |
24-Dec-2003 |
maxim |
o Legitimate -f (force) flags for -p (preprocessor) case.
PR: bin/60433 Submitted: Bjoern A. Zeeb MFC after: 3 weeks
|
123495 |
12-Dec-2003 |
luigi |
Add a -b flag to /sbin/ipfw to print only action and comment for each rule, thus omitting the entire body. This makes the output a lot more readable for complex rulesets (provided, of course, you have annotated your ruleset appropriately!)
MFC after: 3 days
|
123096 |
02-Dec-2003 |
sam |
Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate code is compiled in to support the O_IPSEC operator. Previously no support was included and ipsec rules were always matching. Note that we do not return an error when an ipsec rule is added and the kernel does not have IPsec support compiled in; this is done intentionally but we may want to revisit this (document this in the man page).
PR: 58899 Submitted by: Bjoern A. Zeeb Approved by: re (rwatson)
|
121816 |
31-Oct-2003 |
brooks |
Replace the if_name and if_unit members of struct ifnet with new members if_xname, if_dname, and if_dunit. if_xname is the name of the interface and if_dname/unit are the driver name and instance.
This change paves the way for interface renaming and enhanced pseudo device creation and configuration symantics.
Approved By: re (in principle) Reviewed By: njl, imp Tested On: i386, amd64, sparc64 Obtained From: NetBSD (if_xname)
|
120715 |
03-Oct-2003 |
sam |
remove include of route.h now that ip_dummynet.h no longer exposes data structures that have an embedded struct route
Sponsored by: FreeBSD Foundation
|
120473 |
26-Sep-2003 |
rse |
fix typo: s/sytem/system/
|
119947 |
10-Sep-2003 |
roam |
Document the alternate way of matching MAC addresses: by a bitmask.
PR: 56021 Submitted by: Glen Gibb <grg@ridley.unimelb.edu.au> MFC after: 1 month
|
119740 |
04-Sep-2003 |
tmm |
Apply a bandaid to get this working on sparc64 again; the introduction of do_cmd() broke things, because this function assumes that a socklen_t is large enough to hold a pointer. A real solution to this problem would be a rewrite of do_cmd() to treat the optlen parameter consistently and not use it to carry a pointer or integer dependent on the context.
|
119668 |
02-Sep-2003 |
maxim |
Check an arguments count before proceed in sysctl_handler().
PR: bin/56298 Submitted by: Kang Liu <liukang@bjpu.edu.cn> MFC after: 2 weeks
# We need a regression test suit for ipfw(2)/ipfw(8) badly.
|
117868 |
22-Jul-2003 |
luigi |
Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific
|
117821 |
21-Jul-2003 |
maxim |
o Initialize do_pipe before command parsing.
PR: bin/54649 Submitted by: Andy Gilligan <andy@evo6.org> MFC after: 3 days
|
117655 |
15-Jul-2003 |
luigi |
Userland side of: Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers.
This implement a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush". Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change.
Suggested by: Paul Richards
|
117626 |
15-Jul-2003 |
luigi |
Make sure that comments are printed at the end of a rule.
Reported by: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
|
117577 |
14-Jul-2003 |
luigi |
Fix one typo in help() string, remove whitespace at end of line and other minor whitespace changes.
Replace u_char with uint8_t in a few places.
|
117544 |
14-Jul-2003 |
luigi |
ccept of empty lines when reading from a file (this fixes a bug introduced in the latest commits).
Also:
* update the 'ipfw -h' output;
* allow rules of the form "100 add allow ..." i.e. with the index first. (requested by Paul Richards). This was an undocumented ipfw1 behaviour, and it is left undocumented.
and minor code cleanups.
|
117472 |
12-Jul-2003 |
luigi |
Add a '-T' flag to print the timestamp as numeric value instead of converting it with ctime(). This is a lot more convenient for postprocessing.
Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
|
117470 |
12-Jul-2003 |
luigi |
Document the existence of comments in ipfw rules, the new flags handled when reading from a file, and clarify that only numeric values are allowed for icmptypes.
MFC after: 3 days
|
117469 |
12-Jul-2003 |
luigi |
In random order:
* make the code compile with WARNS=5 (at least on i386), mostly by adding 'const' specifier and replacing "void *" with "char *" in places where pointer arithmetic was used. This also spotted a few places where invalid tests (e.g. uint < 0) were used.
* support ranges in "list" and "show" commands. Now you can say
ipfw show 100-1000 4000-8000
which is very convenient when you have large rulesets.
* implement comments in ipfw commands. These are implemented in the kernel as O_NOP commands (which always match) whose body contains the comment string. In userland, a comment is a C++-style comment:
ipfw add allow ip from me to any // i can talk to everybody
The choice of '//' versus '#' is somewhat arbitrary, but because the preprocessor/readfile part of ipfw used to strip away '#', I did not want to change this behaviour.
If a rule only contains a comment
ipfw add 1000 // this rule is just a comment
then it is stored as a 'count' rule (this is also to remind the user that scanning through a rule is expensive).
* improve handling of flags (still to be completed). ipfw_main() was written thinking of 'one rule per ipfw invocation', and so flags are set and never cleared. With readfile/preprocessor support, this changes and certain flags should be reset on each line. For the time being, only fix handling of '-a' which differentiates the "list" and "show" commands.
* rework the preprocessor support -- ipfw_main() already had most of the parsing code, so i have moved in there the only missing bit (stripping away '#' and comments) and removed the parsing from ipfw_readfile(). Also, add some more options (such as -c, -N, -S) to the readfile section.
MFC after: 3 days
|
117334 |
08-Jul-2003 |
dannyboy |
Correct to match reality regarding interface names.
PR: 51006 Submitted by: "Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua> mdoc clue by: "Simon L. Nielsen" <simon@nitro.dk> MFC after: 10 days
|
117329 |
08-Jul-2003 |
luigi |
* introduce a section on SYNTAX to document the handling spaces and comma-separated lists of arguments;
* reword the description of address specifications, to include previous and current changes for address sets and lists;
* document the new '-n' flag.
* update the section on differences between ipfw1 and ipfw2 (this is becoming boring!)
MFC after: 3 days
|
117328 |
08-Jul-2003 |
luigi |
A bunch of changes (mostly syntactic sugar, all backward compatible):
* Make the addr-set size optional (defaults to /24) You can now write 1.2.3.0/24{56-80} or 1.2.3.0{56-80} Also make the parser more strict.
* Support a new format for the list of addresses: 1.2.3.4,5.6.7.8/30,9.10.11.12/22,12.12.12.13, ... which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK
* Allow spaces after commas to make lists of addresses more readable. 1.2.3.4, 5.6.7.8/30, 9.10.11.12/22, 12.12.12.13, ...
* ipfw will now accept full commands as a single argument and strip extra leading/trailing whitespace as below: ipfw "-q add allow ip from 1.2.3.4 to 5.6.7.8, 9.10.11.23 " This should help in moving the body of ipfw into a library that user programs can invoke.
* Cleanup some comments and data structures.
* Do not print rule counters for dynamic rules with ipfw -d list (PR 51182)
* Improve 'ipfw -h' output (PR 46785)
* Add a '-n' flag to test the syntax of commands without actually calling [gs]etsockopt() (PR 44238)
* Support the '-n' flag also with the preprocessors;
Manpage commit to follow.
MFC after: 3 days
|
117241 |
04-Jul-2003 |
luigi |
Implement the 'ipsec' option to match packets coming out of an ipsec tunnel. Should work with both regular and fast ipsec (mutually exclusive). See manpage for more details.
Submitted by: Ari Suutari (ari.suutari@syncrontech.com) Revised by: sam MFC after: 1 week
|
116919 |
27-Jun-2003 |
luigi |
remove extra whitespace and blank lines
|
116777 |
24-Jun-2003 |
luigi |
remove unused file (RELENG_5 and above use ipfw2, the old ipfw1 has been unused and unmaintained for a long time).
|
116770 |
23-Jun-2003 |
luigi |
Split some long lines to fit 80 columns (the code in RELENG_4 was already correct).
|
116716 |
23-Jun-2003 |
luigi |
syntactic sugar: support range notation such as 1.2.3.4/24{5,6,7,10-20,60-90} for set of ip addresses. Previously you needed to specify every address in the range, which was unconvenient and lead to very long lines. Internally the set is still stored in the same way, just the input and output routines are modified.
Manpage update still missing.
Perhaps a similar preprocessing step would be useful for port ranges.
MFC after: 3 days
|
116715 |
23-Jun-2003 |
maxim |
o Fix sets of rules usage example.
PR: docs/53625 Submitted by: Kostyuk Oleg <cub@cub.org.ua> MFC after: 1 week
|
116690 |
22-Jun-2003 |
luigi |
Add support for multiple values and ranges for the "iplen", "ipttl", "ipid" options. This feature has been requested by several users. On passing, fix some minor bugs in the parser. This change is fully backward compatible so if you have an old /sbin/ipfw and a new kernel you are not in trouble (but you need to update /sbin/ipfw if you want to use the new features).
Document the changes in the manpage.
Now you can write things like
ipfw add skipto 1000 iplen 0-500
which some people were asking to give preferential treatment to short packets.
The 'MFC after' is just set as a reminder, because I still need to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately change the size of certain kernel structures; not that it matters a lot since ipfw2 is entirely optional and not the default...)
PR: bin/48015
MFC after: 1 week
|
116438 |
16-Jun-2003 |
maxim |
o Pass a correct argument to printf(3).
PR: bin/51750 Submitted by: Vasil Dimov <vd@datamax.bg> MFC after: 2 weeks
|
115793 |
04-Jun-2003 |
ticso |
Change handling to support strong alignment architectures such as alpha and sparc64.
PR: alpha/50658 Submitted by: rizzo Tested on: alpha
|
112250 |
15-Mar-2003 |
cjc |
Add a 'verrevpath' option that verifies the interface that a packet comes in on is the same interface that we would route out of to get to the packet's source address. Essentially automates an anti-spoofing check using the information in the routing table.
Experimental. The usage and rule format for the feature may still be subject to change.
|
112189 |
13-Mar-2003 |
maxim |
o Partially revert rev. 1.103, fix 'ipfw show': dynamically adjust a width of fields for packets and bytes counters.
PR: bin/47196 Reviewed by: -audit Not objected by: luigi, des
o Use %llu instead of deprecated %qu convert specification for ipfw packets and bytes counters.
Noted by: des MFC after: 1 month
|
111847 |
03-Mar-2003 |
ru |
/modules is gone long ago, use the safe equivalents.
|
110304 |
04-Feb-2003 |
brueffer |
Correct examples for stateful inspection
PR: 47817 Submitted by: Simon L.Nielsen <simon@nitro.dk> Reviewed by: ceri, luigi
|
109126 |
12-Jan-2003 |
dillon |
It turns out that we do not need to add a new ioctl to unbreak a default-to-deny firewall. Simply turning off IPFW via a preexisting sysctl does the job. To make it more apparent (since nobody picked up on this in a week's worth of flames), the boolean sysctl's have been integrated into the /sbin/ipfw command set in an obvious and straightforward manner. For example, you can now do 'ipfw disable firewall' or 'ipfw enable firewall'. This is far easier to remember then the net.inet.ip.fw.enable sysctl.
Reviewed by: imp MFC after: 3 days
|
108691 |
05-Jan-2003 |
keramida |
Fix a reference to the order of SYNOPSIS lines.
Submitted by: Olivier Cherrier <Olivier.Cherrier@cediti.be> on freebsd-net MFC after: 3 days
|
108533 |
01-Jan-2003 |
schweikh |
Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, especially in troff files.
|
108231 |
23-Dec-2002 |
kbyanc |
Make preprocessor support more generic by passing all command-line options after -p except for the last (the ruleset file to process) to the preprocessor for interpretation. This allows command-line options besides -U and -D to be passed to cpp(1) and m4(1) as well as making it easier to use other preprocessors.
Sponsored By: NTT Multimedia Communications Labs MFC after: 1 week
|
107291 |
26-Nov-2002 |
keramida |
Align timestamps when -t is used in ipfw and ipfw2.
PR: kern/44843 Approved by: re (jhb)
|
107289 |
26-Nov-2002 |
luigi |
Fix a kernel panic with rules of the type
prob 0.5 pipe NN ....
due to the generation of an invalid ipfw instruction sequence. No ABI change, but you need to upgrade /sbin/ipfw to generate the correct code.
Approved by: re
|
107288 |
26-Nov-2002 |
luigi |
Update documentation to match the behaviour of ipfw with respect to net.inet.ip.fw.one_pass. Add to notes to explain the exact behaviour of "prob xxx" and "log" options.
Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c)
|
106505 |
06-Nov-2002 |
maxim |
Kill EOL whitespaces, style(9) fix.
|
106504 |
06-Nov-2002 |
maxim |
Fix UID/GID options parsing.
PR: bin/42579 Submitted by: Belousov Oleg <oleg@belousov.com> Approved by: luigi MFC after: 2 weeks
|
106072 |
28-Oct-2002 |
luigi |
Misc fixes from Chris Pepper, plus additional explainations on dummynet operation.
MFC after: 3 days
|
105887 |
24-Oct-2002 |
mux |
Fix ipfw2 panics on 64-bit platforms.
Quoting luigi:
In order to make the userland code fully 64-bit clean it may be necessary to commit other changes that may or may not cause a minor change in the ABI.
Reviewed by: luigi
|
104975 |
12-Oct-2002 |
seanc |
Increase the max dummynet hash size from 1024 to 65536. Default is still 1024.
Silence on: -net, -ipfw 4weeks+ Reviewed by: dd Approved by: knu (mentor) MFC after: 3 weeks
|
103963 |
25-Sep-2002 |
maxim |
Do not dump core on 'ipfw add unreach': handling null strings in fill_reject_code(). Please note ipfw/ipfw2.c is not affected.
PR: bin/42304 Submitted by: Andy@wantpackets.com MFC after: 1 day
|
103802 |
22-Sep-2002 |
maxim |
o Fix a typo. o Remove EOL spaces.
Submitted by: Harold Gutch <logix@foobar.franken.de> (typo patch) Approved by: luigi MFC after: 3 days
|
103241 |
12-Sep-2002 |
luigi |
Store the port number in "fwd" rules in host format, same as ipfw1 has always done.
Technically, this is the wrong format, but it reduces the diffs in -stable. Someday, when we get rid of ipfw1, I will put the port number in the proper format both in kernel and userland.
MFC after: 3 days (with re@ permission)
|
103094 |
08-Sep-2002 |
blackend |
Typo: s/o packet/on packet/
PR: docs/42543 Submitted by: Michael Lyngbøl <lyngbol@bifrost.lyngbol.dk>
|
102231 |
21-Aug-2002 |
trhodes |
s/filesystem/file system/g as discussed on -developers
|
102209 |
21-Aug-2002 |
luigi |
Whoops, the manpage lied... ipfw2 has always accepted addr:mask specifications.
|
102098 |
19-Aug-2002 |
luigi |
One more (hopefully the last one) step in cleaning up the syntax, following Julian's good suggestion: since you can specify any match pattern as an option, rules now have the following format:
[<proto> from <src> to <dst>] [options]
i.e. the first part is now entirely optional (and left there just for compatibility with ipfw1 rulesets).
Add a "-c" flag to show/list rules in the compact form (i.e. without the "ip from any to any" part) when possible. The default is to include it so that scripts processing ipfw's canonical output will still work. Note that as part of this cleanup (and to remove ambiguity), MAC fields now can only be specified in the options part.
Update the manpage to reflect the syntax.
Clarify the behaviour when a match is attempted on fields which are not present in the packet, e.g. port numbers on non TCP/UDP packets, and the "not" operator is specified. E.g.
ipfw add allow not src-port 80
will match also ICMP packets because they do not have port numbers, so "src-port 80" will fail and "not src-port 80" will succeed. For such cases it is advised to insert further options to prevent undesired results (e.g. in the case above, "ipfw add allow proto tcp not src-port 80").
We definitely need to rewrite the parser using lex and yacc!
|
102087 |
19-Aug-2002 |
luigi |
Major cleanup of the parser and printing routines in an attempt to render the syntax less ambiguous.
Now rules can be in one of these two forms
<action> <protocol> from <src> to <dst> [options] <action> MAC dst-mac src-mac mac-type [options]
however you can now specify MAC and IP header fields as options e.g.
ipfw add allow all from any to any mac-type arp ipfw add allow all from any to any { dst-ip me or src-ip me }
which makes complex expressions a lot easier to write and parse. The "all from any to any" part is there just for backward compatibility.
Manpage updated accordingly.
|
101989 |
16-Aug-2002 |
luigi |
Complete list of differences between ipfw1 and ipfw2.
|
101978 |
16-Aug-2002 |
luigi |
sys/netinet/ip_fw2.c:
Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops for firewall-generated packets (the constant has to go in sys/mbuf.h).
Better comments on keepalive generation, and enforce dyn_rst_lifetime and dyn_fin_lifetime to be less than dyn_keepalive_period.
Enforce limits (up to 64k) on the number of dynamic buckets, and retry allocation with smaller sizes.
Raise default number of dynamic rules to 4096.
Improved handling of set of rules -- now you can atomically enable/disable multiple sets, move rules from one set to another, and swap sets.
sbin/ipfw/ipfw2.c:
userland support for "noerror" pipe attribute.
userland support for sets of rules.
minor improvements on rule parsing and printing.
sbin/ipfw/ipfw.8:
more documentation on ipfw2 extensions, differences from ipfw1 (so we can use the same manpage for both), stateful rules, and some additional examples. Feedback and more examples needed here.
|
101641 |
10-Aug-2002 |
luigi |
Fix one parsing bug introduced by last commit, and correct parsing and printing of or-blocks in address, ports and options lists.
|
101640 |
10-Aug-2002 |
luigi |
Major revision of the ipfw manpage, trying to make it up-to-date with ipfw2 extensions and give examples of use of the new features.
This is just a preliminary commit, where i simply added the basic syntax for the extensions, and clean up the page (e.g. by listing things in alphabetical rather than random order). I would appreciate feedback and possible corrections/extensions by interested parties.
Still missing are a more detailed description of stateful rules (with keepalives), interaction with of stateful rules and natd (don't do that!), examples of use with the recently introduced rule sets.
There is an issue related to the MFC: RELENG_4 still has ipfw as a default, and ipfw2 is optional. We have two options here: MFC this page as ipfw(8) adding a large number of "SORRY NOT IN IPFW" notes, or create a new ipfw2(8) manpage just for -stable users. I am all for the first approach, but of course am listening to your comments.
|
101628 |
10-Aug-2002 |
luigi |
One bugfix and one new feature.
The bugfix (ipfw2.c) makes the handling of port numbers with a dash in the name, e.g. ftp-data, consistent with old ipfw: use \\ before the - to consider it as part of the name and not a range separator.
The new feature (all this description will go in the manpage):
each rule now belongs to one of 32 different sets, which can be optionally specified in the following form:
ipfw add 100 set 23 allow ip from any to any
If "set N" is not specified, the rule belongs to set 0.
Individual sets can be disabled, enabled, and deleted with the commands:
ipfw disable set N ipfw enable set N ipfw delete set N
Enabling/disabling of a set is atomic. Rules belonging to a disabled set are skipped during packet matching, and they are not listed unless you use the '-S' flag in the show/list commands. Note that dynamic rules, once created, are always active until they expire or their parent rule is deleted. Set 31 is reserved for the default rule and cannot be disabled.
All sets are enabled by default. The enable/disable status of the sets can be shown with the command
ipfw show sets
Hopefully, this feature will make life easier to those who want to have atomic ruleset addition/deletion/tests. Examples:
To add a set of rules atomically:
ipfw disable set 18 ipfw add ... set 18 ... # repeat as needed ipfw enable set 18
To delete a set of rules atomically
ipfw disable set 18 ipfw delete set 18 ipfw enable set 18
To test a ruleset and disable it and regain control if something goes wrong:
ipfw disable set 18 ipfw add ... set 18 ... # repeat as needed ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18
here if everything goes well, you press control-C before the "sleep" terminates, and your ruleset will be left active. Otherwise, e.g. if you cannot access your box, the ruleset will be disabled after the sleep terminates.
I think there is only one more thing that one might want, namely a command to assign all rules in set X to set Y, so one can test a ruleset using the above mechanisms, and once it is considered acceptable, make it part of an existing ruleset.
|
101295 |
04-Aug-2002 |
luigi |
Fix generation of check-state rules, which i broke in last commit.
|
101117 |
31-Jul-2002 |
luigi |
Forgot this one: properly initialize an address set when the set size is less than 32 bits (/28 mask or more). Also remove a debugging fprintf().
|
101116 |
31-Jul-2002 |
luigi |
Two bugfixes: + the header file contains two different opcodes (O_IPOPTS and O_IPOPT) for what is the same thing, and sure enough i used one in the kernel and the other one in userland. Be consistent!
+ "keep-state" and "limit" must be the last match pattern in a rule, so no matter how you enter them move them to the end of the rule.
|
100659 |
25-Jul-2002 |
sheldonh |
Add SEE ALSO references to papers handling RED.
|
99909 |
13-Jul-2002 |
luigi |
A bunch of minor fixes:
* accept "icmptype" as an alias for "icmptypes"; * remove an extra whitespace after "log" rules; * print correctly the "limit" masks; * correct a typo in parsing dummynet arguments (this caused a coredump); * do not allow specifying both "check-state" and "limit", they are (and have always been) mutually exclusive; * remove an extra print of the rule before installing it; * make stdout buffered -- otherwise, if you log its output with syslog, you will see one entry for each printf(). Rather unpleasant.
|
99788 |
11-Jul-2002 |
bde |
Uncommented WARNS=0. ipfw2.c is full of printf format errors that are fatal on alphas.
Fixed setting of WARNS. WARNS should never be set unconditionally, since this breaks testing of different WARNS values by setting it at a higher level (e.g., on the command line).
|
99603 |
08-Jul-2002 |
bde |
Fixed some world breakage caused by not updating clients when <timeconv.h> was split off from <time.h>. This became fatal here when -Werror was reenabled.
|
99501 |
06-Jul-2002 |
charnier |
The .Nm utility
|
99475 |
05-Jul-2002 |
luigi |
Implement the last 2-3 missing instructions for ipfw, now it should support all the instructions of the old ipfw.
Fix some bugs in the user interface, /sbin/ipfw.
Please check this code against your rulesets, so i can fix the remaining bugs (if any, i think they will be mostly in /sbin/ipfw).
Once we have done a bit of testing, this code is ready to be MFC'ed, together with a bunch of other changes (glue to ipfw, and also the removal of some global variables) which have been in -current for a couple of weeks now.
MFC after: 7 days
|
98943 |
27-Jun-2002 |
luigi |
The new ipfw code.
This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules).
The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time.
I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like
ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:
10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
|
96508 |
13-May-2002 |
luigi |
Handle symbolic names for common ethernet types (ip, arp etc.)
Remove custom definitions (IP_FW_TCPF_SYN etc.) of TCP header flags which are the same as the original ones (TH_SYN etc.)
|
96476 |
12-May-2002 |
luigi |
Main functional change is the implementation of matching of MAC header fields as discussed in the commit to ip_fw.c:1.186
On top of this, a ton of non functional changes to clean up the code, write functions to replace sections of code that were replicated multiple times (e.g. the printing or matching of flags and options), splitting long sections of inlined code into separate functions, and the like.
I have tested the code quite a bit, but some typos (using one variable in place of another) might have escaped.
The "embedded manpage" is a bit inconsistent, but i am leaving fixing it for later. The current format makes no sense, it is over 40 lines long and practically unreadable. We can either split it into sections ( ipfw -h options , ipfw -h pipe , ipfw -h queue ...) or remove it altogether and refer to the manpage.
|
96078 |
05-May-2002 |
luigi |
Fix a couple of problems which could cause panics at runtime:
+ setting a bandwidth too large for a pipe (above 2Gbit/s) could cause the internal representation (which is int) to wrap to a negative number, causing an infinite loop in the kernel;
+ (see PR bin/35628): when configuring RED parameters for a queue, the values are not passed to the kernel resulting in panics at runtime (part of the problem here is also that the kernel does not check for valid parameters being passed, but this will be fixed in a separate commit).
These are both critical fixes which need to be merged into 4.6-RELEASE.
MFC after: 1 day
|
95858 |
01-May-2002 |
cjc |
Enlighten those who read the FINE POINTS of the documentation a bit more on how ipfw(8) deals with tiny fragments. While we're at it, add a quick log message to even let people know we dropped a packet. (Note that the second FINE POINT is somewhat redundant given the first, but since the code is there, leave the docs for it.)
MFC after: 1 day
|
89572 |
19-Jan-2002 |
dillon |
I've been meaning to do this for a while. Add an underscore to the time_to_xxx() and xxx_to_time() functions. e.g. _time_to_xxx() instead of time_to_xxx(), to make it more obvious that these are stopgap functions & placemarkers and not meant to create a defacto standard. They will eventually be replaced when a real standard comes out of committee.
|
89218 |
10-Jan-2002 |
ru |
mdoc(7) police: tidy up the markup in revision 1.96.
|
88841 |
03-Jan-2002 |
rwatson |
o Note that packets diverted using a 'divert' socket, and then reinserted by a userland process, will lose a number of packet attributes, including their source interface. This may affect the behavior of later rules, and while not strictly a BUG, may cause unexpected behavior if not clearly documented. A similar note for natd(8) might be desirable.
|
88833 |
02-Jan-2002 |
yar |
Move the discussion of how many times a packet will pass through ipfirewall(4) to the IMPLEMENTATION NOTES section because it considers kernel internals and may confuse newbies if placed at the very beginning of the manpage (where it used to be previously.)
Not objected by: luigi
|
88831 |
02-Jan-2002 |
yar |
Clarify the "show" ipfw(8) command.
PR: docs/31263 Permitted by: luigi
|
88829 |
02-Jan-2002 |
yar |
Fix a typo: wierd -> weird
|
88598 |
28-Dec-2001 |
julian |
Fix documentation to match reality
|
88360 |
21-Dec-2001 |
yar |
Implement matching IP precedence in ipfw(4).
Submitted by: Igor Timkin <ivt@gamma.ru>
|
87952 |
14-Dec-2001 |
rse |
At least once mention the long names of WF2Q+ (Worst-case Fair Weighted Fair Queueing) and RED (Random Early Detection) to both give the reader a hint what they are and to make it easier to find out more information about them.
|
87325 |
04-Dec-2001 |
obrien |
Default to WARNS=2. Binary builds that cannot handle this must explicitly set WARNS=0.
Reviewed by: mike
|
86052 |
04-Nov-2001 |
luigi |
sync the code with the one in stable (mostly formatting changes).
|
85814 |
01-Nov-2001 |
luigi |
Fix a typo in a format string, and fix error checking for missing masks in "limit" rules.
|
85661 |
29-Oct-2001 |
joe |
More white space changes.
|
85660 |
29-Oct-2001 |
joe |
More stylistic tidying.
|
85650 |
29-Oct-2001 |
joe |
Remove training white spaces, and some other style violations.
|
85637 |
28-Oct-2001 |
dillon |
Properly convert long to time_t
|
85613 |
28-Oct-2001 |
joe |
Remove some extraneous spaces from the usage message.
|
84943 |
14-Oct-2001 |
dd |
Repair typo.
PR: 31262 Submitted by: <swear@blarg.net>
|
84299 |
01-Oct-2001 |
ru |
mdoc(7) police: fix markup.
|
84110 |
29-Sep-2001 |
billf |
now that jlemon has added a hash table to lookup locally configured ip addresses (and the macros that ipfw(4) use to lookup data for the 'me' keyword have been converted) remove a comment about using 'me' being a "computationally expensive" operation.
while I'm here, change two instances of "IP number" to "IP address"
|
84058 |
27-Sep-2001 |
luigi |
Two main changes here: + implement "limit" rules, which permit to limit the number of sessions between certain host pairs (according to masks). These are a special type of stateful rules, which might be of interest in some cases. See the ipfw manpage for details.
+ merge the list pointers and ipfw rule descriptors in the kernel, so the code is smaller, faster and more readable. This patch basically consists in replacing "foo->rule->bar" with "rule->bar" all over the place. I have been willing to do this for ages!
MFC after: 1 week
|
83725 |
20-Sep-2001 |
luigi |
A bunch of minor changes to the code (see below) for readability, code size and speed. No new functionality added (yet) apart from a bugfix. MFC will occur in due time and probably in stages.
BUGFIX: fix a problem in old code which prevented reallocation of the hash table for dynamic rules (there is a PR on this).
OTHER CHANGES: minor changes to the internal struct for static and dynamic rules. Requires rebuild of ipfw binary.
Add comments to show how data structures are linked together. (It probably makes no sense to keep the chain pointers separate from actual rule descriptors. They will be hopefully merged soon.
keep a (sysctl-readable) counter for the number of static rules, to speed up IP_FW_GET operations
initial support for a "grace time" for expired connections, so we can set timeouts for closing connections to much shorter times.
merge zero_entry() and resetlog_entry(), they use basically the same code.
clean up and reduce replication of code for removing rules, both for readability and code size.
introduce a separate lifetime for dynamic UDP rules.
fix a problem in old code which prevented reallocation of the hash table for dynamic rules (PR ...)
restructure dynamic rule descriptors
introduce some local variables to avoid multiple dereferencing of pointer chains (reduces code size and hopefully increases speed).
|
83669 |
19-Sep-2001 |
ru |
Non-decimal ``skipto'' rule numbers are meaningless.
Noticed by: "Marc G. Fournier" <scrappy@hub.org> MFC after: 3 days
|
81251 |
07-Aug-2001 |
ru |
mdoc(7) police:
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text. Not only this slows down the mdoc(7) processing significantly, but it also has an undesired (in this case) effect of disabling hyphenation within the entire enclosed block.
|
81199 |
06-Aug-2001 |
ru |
Fixed one more breakage introduced in 1.103 cleanup. ICMP types were reported incorrectly:
# ipfw add allow icmp from any to any icmptypes 0,8
PR: bin/29185 Submitted by: Mike Durian <durian@boogie.com>
|
80856 |
01-Aug-2001 |
obrien |
style(9)
|
80132 |
22-Jul-2001 |
cjc |
Error messaging in ipfw(8) was out of hand, almost 50 lines of usage information for any command line error, the actual error message almost always (and sometimes irretrievably) lost scrolling off the top of the screen. Now just print the error. Give ipfw(8) no arguments for the old usage summary.
Thanks to Lyndon Nerenberg <lyndon@orthanc.ab.ca> for the patch and PR, but I had already done this when ru pointed out the PR.
PR: bin/28729 Approved by: ru MFC after: 1 week
|
79530 |
10-Jul-2001 |
ru |
mdoc(7) police: removed HISTORY info from the .Os call.
|
79510 |
10-Jul-2001 |
cjc |
Fix rule parsing breakage introduced in 1.103 cleanup. 'tcp' and 'icmp' rules could drop into infinite loops when given bad arguments.
Reviewed by: ru, des Approved by: ru
|
79454 |
09-Jul-2001 |
dd |
mdoc(7) police: remove extraneous .Pp before and/or after .Sh.
|
79048 |
01-Jul-2001 |
kris |
Silence format string warnings.
MFC after: 2 weeks
|
77836 |
06-Jun-2001 |
chris |
Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the checklist.
MFC after: 1 week
|
77739 |
04-Jun-2001 |
des |
Invert the meaning of the -d option (i.e. default to *not* list dynamic rules, but list them if -d was specified).
Avoid listing expired dynamic rules unless the (new) -e option was specified.
If specific rule numbers were listed on the command line, and the -d flag was specified, only list dynamic rules that match the specified rule numbers.
Try to partly clean up the bleeding mess this file has become. If there is any justice in this world, the responsible parties (you know who you are!) should expect to wake up one morning with a horse's head in their bed. The code still looks like spaghetti, but at least now it's *properly intented* spaghetti (hmm? did somebody say "tagliatelle"?).
|
76891 |
20-May-2001 |
dwmalone |
Add a flag to "ipfw show" which supresses the display of dynamic rules. Also, don't show dynamic rules if you only asked to see a certain rule number.
PR: 18550 Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca> Approved by: luigi MFC after: 2 weeks
|
75459 |
13-Apr-2001 |
ru |
Update comment to match ipfw/ipfw.c,v 1.95.
|
75221 |
05-Apr-2001 |
bde |
Fixed some printf format errors (don't assume that ntohl() returns u_long).
|
74815 |
26-Mar-2001 |
ru |
- Backout botched attempt to introduce MANSECT feature. - MAN[1-9] -> MAN.
|
74531 |
20-Mar-2001 |
ru |
Set the default manual section for sbin/ to 8.
|
74333 |
16-Mar-2001 |
ru |
mdoc(7) police: removed hard sentence break introduced in rev 1.82.
|
74319 |
16-Mar-2001 |
dd |
Explain that TCP fragments with an offset of 1 are reported as being dropped by rule -1 if logging is enabled.
PR: 25796 Submitted by: Crist J. Clark <cjclark@alum.mit.edu> Approved by: nik
|
72864 |
22-Feb-2001 |
ru |
Document that the IPFW messages are logged via syslogd(8).
|
72508 |
15-Feb-2001 |
ru |
mdoc(7) police: normalize the construct.
|
72487 |
14-Feb-2001 |
sheldonh |
Fix grammar nit in previous commit.
|
72440 |
13-Feb-2001 |
phk |
Introduce a new feature in IPFW: Check of the source or destination address is configured on a interface. This is useful for routers with dynamic interfaces. It is now possible to say:
0100 allow tcp from any to any established 0200 skipto 1000 tcp from any to any 0300 allow ip from any to any 1000 allow tcp from 1.2.3.4 to me 22 1010 deny tcp from any to me 22 1020 allow tcp from any to any
and not have to worry about the behaviour if dynamic interfaces configure new IP numbers later on.
The check is semi expensive (traverses the interface address list) so it should be protected as in the above example if high performance is a requirement.
|
70826 |
09-Jan-2001 |
rwatson |
o IPFW incorrectly handled filtering in the presence of previously reserved and now allocated TCP flags in incoming packets. This patch stops overloading those bits in the IP firewall rules, and moves colliding flags to a seperate field, ipflg. The IPFW userland management tool, ipfw(8), is updated to reflect this change. New TCP flags related to ECN are now included in tcp.h for reference, although we don't currently implement TCP+ECN.
o To use this fix without completely rebuilding, it is sufficient to copy ip_fw.h and tcp.h into your appropriate include directory, then rebuild the ipfw kernel module, and ipfw tool, and install both. Note that a mismatch between module and userland tool will result in incorrect installation of firewall rules that may have unexpected effects. This is an MFC candidate, following shakedown. This bug does not appear to affect ipfilter.
Reviewed by: security-officer, billf Reported by: Aragon Gouveia <aragon@phat.za.net>
|
70401 |
27-Dec-2000 |
ru |
Prepare for mdoc(7)NG.
|
70152 |
18-Dec-2000 |
ru |
Prepare for mdoc(7)NG.
|
69027 |
22-Nov-2000 |
ru |
mdoc(7) police: do not split author names in the AUTHORS section.
|
68960 |
20-Nov-2000 |
ru |
mdoc(7) police: use the new features of the Nm macro.
|
68754 |
15-Nov-2000 |
ben |
more removal of trailing periods from SEE ALSO.
|
67937 |
30-Oct-2000 |
ru |
IPFW does not discard *any* IP fragments with OFF=1, only TCP ones.
|
67003 |
12-Oct-2000 |
ru |
Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as well, in which case return the rule number back into userland.
PR: bin/18351 Reviewed by: archie, luigi
|
66979 |
11-Oct-2000 |
ru |
Reset globals for every new command read from preprocessed file.
|
66976 |
11-Oct-2000 |
ru |
Only interpret the last command line argument as a file to be preprocessed if it is specified as an absolute pathname.
PR: bin/16179
|
66733 |
06-Oct-2000 |
ru |
Convert this Makefile to the usual style.
|
66732 |
06-Oct-2000 |
ru |
Document the latest firewall knobs.
|
66623 |
04-Oct-2000 |
ru |
Respect the protocol when looking the port up by service name.
PR: 21742
|
66580 |
03-Oct-2000 |
ru |
Do not force argument to ``ipid'' modifier be in hex, and accept value of zero as valid for IP Identification field.
|
66579 |
03-Oct-2000 |
ru |
Fixed the printing of TCP flags.
|
66521 |
02-Oct-2000 |
billf |
Add new fields for more granularity: IP: version, tos, ttl, len, id TCP: seq#, ack#, window size
Reviewed by: silence on freebsd-{net,ipfw}
|
66445 |
29-Sep-2000 |
ru |
Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by: Peter Jeremy<peter.jeremy@alcatel.com.au>
|
64696 |
16-Aug-2000 |
imp |
optreset is declared in unistd.h now.
|
63293 |
17-Jul-2000 |
billf |
Fix a paste-o in the tcpoptions check (not a security problem, just a error in the usage printf())
Reviewed by: rwatson
|
62884 |
10-Jul-2000 |
kris |
Don't call sprintf() with no format string.
|
61761 |
18-Jun-2000 |
billf |
Reorder the "prob" section in the output of list/show so it can be copy/pasted into add without problems.
The previous commit had the other half of this original patch which handled tcpflags/tcpflgs confusion in output/input.
|
61657 |
14-Jun-2000 |
luigi |
Fix behaviour of "ipfw pipe show" -- previous code gave ambiguous data to the userland program (kernel operation was safe, anyways).
|
61570 |
12-Jun-2000 |
ru |
Fixed style bugs of rev 1.66.
|
61420 |
08-Jun-2000 |
dan |
Add tcpoptions to ipfw. This works much in the same way as ipoptions do. It also squashes 99% of packet kiddie synflood orgies. For example, to rate syn packets without MSS,
ipfw pipe 10 config 56Kbit/s queue 10Packets ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
|
61417 |
08-Jun-2000 |
luigi |
Document new dummynet functionality, namely WF2Q+ and RED
|
61414 |
08-Jun-2000 |
luigi |
userland side of WF2Q+ support in dummynet. Manpage coming later...
|
59919 |
03-May-2000 |
sheldonh |
Remove extraneous Dv macro that slipped in, in rev 1.64.
|
59870 |
01-May-2000 |
asmodai |
Remove unused include, and place sys includes at top, which enabled us to remove this include.
|
59775 |
30-Apr-2000 |
green |
Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a rule that logs without a log limit, use "logamount 0" in addition to "log".
|
57557 |
28-Feb-2000 |
ru |
A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by: luigi, sheldonh
|
57183 |
13-Feb-2000 |
luigi |
Use correct field for dst_port when displaying masks on dynamic pipes.
|
57115 |
10-Feb-2000 |
luigi |
Support and document new stateful ipfw features.
Approved-by: jordan
|
55595 |
08-Jan-2000 |
luigi |
Support per-flow queueing in dummynet. Implement masks on UDP/TCP ports. Large rewrite of the manpage.
Work supported by Akamba Corp.
|
54177 |
06-Dec-1999 |
archie |
Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted, but should continue going through the rule list. This may be fixed in a later version.
I hope to fix this soon in a separate commit.
|
52407 |
20-Oct-1999 |
ru |
Remove one obsoleted entry from the BUGS section.
|
50851 |
03-Sep-1999 |
green |
Make the "uid" and "gid" code better. Now it can detect invalid user names/numbers.
Reviewed by: chris
|
50476 |
28-Aug-1999 |
peter |
$Id$ -> $FreeBSD$
|
50129 |
21-Aug-1999 |
green |
To christen the brand new security category for syslog, we get IPFW using syslog(3) (log(9)) for its various purposes! This long-awaited change also includes such nice things as: * macros expanding into _two_ comma-delimited arguments! * snprintf! * more snprintf! * linting and criticism by more people than you can shake a stick at! * a slightly more uniform message style than before! and last but not least * no less than 5 rewrites!
Reviewed by: committers
|
49652 |
12-Aug-1999 |
luigi |
Whoops, forgot one line in previous patch.
|
49631 |
11-Aug-1999 |
luigi |
Userland and manual page changes for probabilistic rule match. Because the kernel change was done in a backward-compatible way, you don't need to recompile ipfw if you don't want to use the new feature.
|
49350 |
01-Aug-1999 |
green |
Make ipfw's logging more dynamic. Now, log will use the default limit _or_ you may specify "log logamount number" to set logging specifically the rule. In addition, "ipfw resetlog" has been added, which will reset the logging counters on any/all rule(s). ipfw resetlog does not affect the packet/byte counters (as ipfw reset does), and is the only "set" command that can be run at securelevel >= 3. This should address complaints about not being able to set logging amounts, not being able to restart logging at a high securelevel, and not being able to just reset logging without resetting all of the counters in a rule.
|
48023 |
19-Jun-1999 |
green |
This is the much-awaited cleaned up version of IPFW [ug]id support. All relevant changes have been made (including ipfw.8).
|
47925 |
15-Jun-1999 |
ru |
Document the usage of escape character in a service name.
PR: 7101 Reminded by: jhs
|
47874 |
11-Jun-1999 |
ru |
Workaround the problem that the first (and only first) port name can't have a dash character (it is treated as a ``range'' operator). One could now use such a name by escaping the ``-'' characters. For example:
# ipfw add 1 count tcp from any to any "ms\-sql\-s" # ipfw add 2 count tcp from any ftp\\-data-ftp to any
PR: 7101
|
47732 |
04-Jun-1999 |
ru |
Fix the parsing of ip addresses on a command line.
PR: 5047 Reviewed by: des Test case: ipfw add allow ip from 127.1 to any
|
47691 |
02-Jun-1999 |
ru |
Spelling corrections for dummynet. Reviewed by: des,luigi
|
47593 |
29-May-1999 |
kris |
Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes, grammatical fixes.
Submitted by: Philippe Charnier
|
47455 |
24-May-1999 |
luigi |
close pr 10889: + add a missing call to dn_rule_delete() when flushing firewall rules, thus preventing possible panics due to dangling pointers (this was already done for single rule deletes). + improve "usage" output in ipfw(8) + add a few checks to ipfw pipe parameters and make it a bit more tolerant of common mistakes (such as specifying kbit instead of Kbit)
PR: kern/10889 Submitted by: Ruslan Ermilov
|
46182 |
29-Apr-1999 |
ghelmer |
Add ICMP types to list of information about each packet.
|
46135 |
28-Apr-1999 |
ghelmer |
Explain when packets are tesed by the firewall rules and what attributes of packets can be tested.
PR: docs/7437
|
45473 |
08-Apr-1999 |
ghelmer |
Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by: Nathan Ahlstrom <nrahlstr@winternet.com>
|
43031 |
22-Jan-1999 |
archie |
Fix bug where 'ipfw list' would choke if there were a large number of rules.
|
43002 |
21-Jan-1999 |
archie |
Fix misleading wording in ipfw(8) man page. PR: docs/9603
|
42073 |
27-Dec-1998 |
luigi |
Remove coredump when running "ipfw pipe" without more arguments. PR: 8937
|
41873 |
16-Dec-1998 |
ghelmer |
Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by: PR docs/7785
|
41795 |
14-Dec-1998 |
luigi |
ipfw changes for dummynet. manpages still missing
|
41576 |
07-Dec-1998 |
archie |
Disallow ipfw "tee" rules until it is actually implemented. PR: bin/8471
|
41308 |
23-Nov-1998 |
joerg |
Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using `variables' to describe frequently used items in the file, like the local IP address(es), interface names etc. Both m4 and cpp are useful and supported; with m4 being a little more unusual to the common C programmer, things like automatic rule numbering can be achieved fairly easy.
While i was at it, i've also untangled some of the ugly style inside main(), and fixed a bug or two (like not being able to use blank lines when running with -q).
A typical call with preprocessor invocation looks like
ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules
Someone should probably add support for this feature to /etc/rc.firewall.
|
39734 |
28-Sep-1998 |
alex |
The flags type was recently changed from u_short to u_int, breaking icmptypes.
PR: 8067 Submitted by: Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>
While I'm here, staticize functions.
|
38092 |
04-Aug-1998 |
thepish |
PR: 7475 Added support for -q (suppress output) when firewall rules are taken from a file. Solves PR 7475
|
37409 |
06-Jul-1998 |
julian |
Support for IPFW based transparent forwarding. Any packet that can be matched by a ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified.
/sbin/ipfw must be recompiled!!!
Reviewed by: Peter Wemm <peter@freebsd.org> Submitted by: Chrisy Luke <chrisy@flix.net>
|
36185 |
19-May-1998 |
danny |
Reminded by: Alex Nash Bring man page up to date with -q flag behaviour.
|
36170 |
19-May-1998 |
max |
Typo fix.
|
36065 |
15-May-1998 |
danny |
PR: 6641 Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de> Make -q work for zeroing a specific rule.
|
35379 |
22-Apr-1998 |
phk |
When ipfw reads its rules from an input file, the optind variable is not reinitialized to 1 after calling getopt. This results in parsing errors on all but the first rule. An added patch also allows '#' comments at the end of a line.
PR: 6379 Reviewed by: phk Submitted by: Neal Fachan <kneel@ishiboo.com>
|
35100 |
08-Apr-1998 |
cracauer |
(evil) hackers -> crackers
|
34673 |
19-Mar-1998 |
charnier |
.Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.
|
34538 |
13-Mar-1998 |
alex |
Get the arguments to show_usage right (like the MFC'ed code in -stable).
Submitted by: bde
|
33260 |
12-Feb-1998 |
alex |
Alter ipfw's behavior with respect to fragmented packets when the packet offset is non-zero:
- Do not match fragmented packets if the rule specifies a port or TCP flags - Match fragmented packets if the rule does not specify a port and TCP flags
Since ipfw cannot examine port numbers or TCP flags for such packets, it is now illegal to specify the 'frag' option with either ports or tcpflags. Both kernel and ipfw userland utility will reject rules containing a combination of these options.
BEWARE: packets that were previously passed may now be rejected, and vice versa.
Reviewed by: Archie Cobbs <archie@whistle.com>
|
32330 |
08-Jan-1998 |
alex |
Bump up packet and byte counters to 64-bit unsigned ints. As a consequence, ipfw's list command now adjusts its output at runtime based on the largest packet/byte counter values.
NOTE: o The ipfw struct has changed requiring a recompile of both kernel and userland ipfw utility.
o This probably should not be brought into 2.2.
PR: 3738
|
32326 |
08-Jan-1998 |
alex |
Format mismatch in error message.
Submitted by: bde
|
32303 |
07-Jan-1998 |
alex |
Support listing/showing specific rules supplied on the command line.
Use error codes from <sysexits.h>.
|
32280 |
06-Jan-1998 |
alex |
Display a better error message and use a non-zero exit code when zero/delete operations fail.
PR: 4231 Reviewed by: Archie Cobbs <archie@whistle.com>
|
31996 |
26-Dec-1997 |
alex |
Put the return value of getopt into an int, not a char.
|
31547 |
05-Dec-1997 |
julian |
Allow ipfw to accept comments and blank lines. This makes ipfw config files a LOT more readable.
|
29988 |
29-Sep-1997 |
wosch |
Sort cross refereces in section SEE ALSO.
|
29271 |
10-Sep-1997 |
peter |
Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and it's effect on rule 65535
|
29270 |
10-Sep-1997 |
peter |
Fix typo (65434 -> 65534)
|
28506 |
21-Aug-1997 |
danny |
Bring comment on '-a' flag in line with reality.
|
27981 |
08-Aug-1997 |
alex |
Support interface names up to 15 characters in length. In order to accommodate the expanded name, the ICMP types bitmap has been reduced from 256 bits to 32.
A recompile of kernel and user level ipfw is required.
To be merged into 2.2 after a brief period in -current.
PR: bin/4209 Reviewed by: Archie Cobbs <archie@whistle.com>
|
27667 |
25-Jul-1997 |
brian |
Allow service names as the divert/tee arg.
|
26854 |
23-Jun-1997 |
julian |
Allow ipfw to look up service names from /etc/services (or NIS if turned on) note.. this would be dangerous if your ipfw was blocking NIS access :)
Submitted by: archie@whistle.com (Archie Cobbs)
|
26595 |
13-Jun-1997 |
charnier |
Remove __progname. Cosmetic in usage string.
|
26359 |
02-Jun-1997 |
julian |
Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code. they include a change to the API because the old method was broken, but the user view is kept the same.
The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections especially TCP related, and many many more ...
see the man page for a complete description.
|
25832 |
15-May-1997 |
max |
Typo. PR: 3600 Submitted by: Josh Gilliam <soil@quick.net>
|
25824 |
15-May-1997 |
alex |
Minor rewording of the examples section.
|
24359 |
29-Mar-1997 |
imp |
compare return value from getopt against -1 rather than EOF, per the final posix standard on the topic.
|
23399 |
05-Mar-1997 |
bde |
Force null termination after 2 errant strncpy()s.
|
22990 |
22-Feb-1997 |
peter |
Revert $FreeBSD$ to $Id$
|
22535 |
10-Feb-1997 |
danny |
Add '-q' quiet flag for flush/add/zero commands; add 'show' command as synonym for '-a list'; stop SEGV when specifying 'via' with no interface; change 2 instances of strcpy() to strncpy().
This is a candidate for 2.2
|
21789 |
17-Jan-1997 |
jkh |
Adjust spelling of `fw_flg' so this thing compiles again.
|
21785 |
16-Jan-1997 |
adam |
implement "not" keyword for inverting the address logic
|
21673 |
14-Jan-1997 |
jkh |
Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
|
20837 |
23-Dec-1996 |
mpp |
Minor mdoc/style fixes.
|
20287 |
10-Dec-1996 |
wollman |
Fix up programs which expect <net/if.h> to include <sys/time.h> to instead do it themselves. (Some of these programs actually depended on this beyond compiling the definition of struct ifinfo!) Also fix up some other #include messes while we're at it.
|
19436 |
05-Nov-1996 |
jdp |
Fix a spelling error. 2.2 Candidate.
|
18972 |
17-Oct-1996 |
alex |
Issue a warning if the user specifies an invalid interface in a rule. The rule is still added to the chain since the interface may get created later on after loading an LKM.
|
18303 |
15-Sep-1996 |
alex |
Note that -N is only effective when ipfw is displaying chain entries.
|
17976 |
31-Aug-1996 |
nate |
Because 'ipfw flush' is such a dangerous command (given that most firewalls are remote, and this command will kill the network connection to them), prompt the user for confirmation of this command.
Also, add the '-f' flag which ignores the need for confirmation the command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0) assume '-f'.
If anyone is using ipfw flush in scripts it shouldn't affect them, but you may want to change the script to use a 'ipfw -f flush'.
Reviewed by: alex
|
17786 |
23-Aug-1996 |
mpp |
Use the .Fx macro where appropriate.
|
17586 |
13-Aug-1996 |
pst |
Completely rewrite handling of protocol field for firewalls, things are now completely consistent across all IP protocols and should be quite a bit faster.
Use getprotoname() extensively, performed minor cleanups of admin utility. The admin utility could use a good kick in the pants.
Basicly, these were the minimal changes I could make to the code to get it up to tollerable shape. There will be some future commits to clean up the basic architecture of the firewall code, and if I'm feeling ambitious, I may pull in changes like NAT from Linux and make the firewall hooks comletely generic so that a user can either load the ipfw module or the ipfilter module (cf Darren Reed).
Discussed with: fenner & alex
|
17564 |
13-Aug-1996 |
pst |
Fix tcp/udp port ranges
|
17441 |
05-Aug-1996 |
alex |
Filter by IP protocol.
Submitted by: fenner (with modifications by me)
Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
|
17072 |
10-Jul-1996 |
julian |
Adding changes to ipfw and the kernel to support ip packet diversion.. This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
|
16886 |
02-Jul-1996 |
alex |
Correct definition of 'established' keyword.
|
16820 |
29-Jun-1996 |
alex |
Formatting fixes for 'in' and 'out' while listing.
Prevent ALL protocol from being used with port specifications.
Allow 'via' keyword at any point in the options list. Disallow multiple 'via' specifications.
|
16819 |
29-Jun-1996 |
alex |
Fix port specification syntax.
Submitted by: nate
|
16643 |
23-Jun-1996 |
alex |
Fix address mask calculation when using ':' syntax. Allow a mask of /0 to have the desired effect. Normalize IP addresses that won't match a given mask (i.e. 1.2.3.4/24 becomes 1.2.3.0/24). Submitted by R. Bezuidenhout <rbezuide@mikom.csir.co.za>
Code formatting and "frag" display fixes.
|
16472 |
18-Jun-1996 |
alex |
Set the program name before trying to use it.
Found by: Aage Robekk <aagero@aage.priv.no>
|
16399 |
15-Jun-1996 |
alex |
Fix a typo in the view accounting records example.
|
16380 |
15-Jun-1996 |
alex |
Bring the man page more into line with reality.
|
16267 |
09-Jun-1996 |
alex |
Big sweep over ipfw, picking up where Poul left off:
- Filter based on ICMP types. - Accept interface wildcards (e.g. ppp*). - Resolve service names with the -N option. - Accept host names in 'from' and 'to' specifications - Display chain entry time stamps with the -t option. - Added URG to tcpflags. - Print usage if an unknown tcpflag is used. - Ability to zero individual accounting entries. - Clarify usage of port ranges. - Misc code cleanup.
Closes PRs: 1193, 1220, and 1266.
|
15735 |
11-May-1996 |
phk |
Some cosmetics and some better error-checking. Reviewed by: phk Submitted by: "Daniel O'Callaghan" <danny@panda.hilink.com.au> Submitted by: Archie Cobbs <archie@whistle.com>
|
15025 |
03-Apr-1996 |
phk |
recognize "allow", "accept" and "pass" add new feature for "established"
|
14996 |
02-Apr-1996 |
phk |
A couple of bug-fixes.
Reviewed by: phk Submitted by: "Frank ten Wolde" <franky@pinewood.nl>
|
14233 |
24-Feb-1996 |
phk |
Update to match kernel code.
|
14231 |
24-Feb-1996 |
phk |
A new ipfw program that can set and control the new features. An almost correct usage is printed.
|
14211 |
23-Feb-1996 |
phk |
Update -current ipfw program as well. I hope it all compiles...
|
14089 |
13-Feb-1996 |
phk |
Document that the firewall will no longer reorder the rules.
|
13720 |
29-Jan-1996 |
mpp |
Fix a bunch of spelling errors.
|
13123 |
30-Dec-1995 |
peter |
This commit was generated by cvs2svn to compensate for changes in r13122, which included commits to RCS files with non-trunk default branches.
|
13122 |
30-Dec-1995 |
peter |
recording cvs-1.6 file death
|
11796 |
26-Oct-1995 |
nate |
Convert manpage to -mandoc macros.
Submitted by: Gary Palmer <gary@palmer.demon.co.uk>
Minor cleanup by me in the English.
|
11706 |
23-Oct-1995 |
ugen |
Support all the tcpflag options in firewall. Add reading options from file, now ipfw <filename> will read commands string after string from file , form of strings same as command line interface.
|
11120 |
01-Oct-1995 |
ugen |
Support IP Option smatching in grammar and listing. TcpSyn option removed and will be shortly repoaced by support of all TCP Flags including syn and ack...
|
10502 |
31-Aug-1995 |
gpalmer |
Correct minor nit - to filter out SYN packets, the keyword is `syn' not `tcpsyn' (which matches `tcp' which blocks all tcp packets)
|
10158 |
22-Aug-1995 |
gpalmer |
Add $Id$
|
8871 |
30-May-1995 |
rgrimes |
Remove trailing whitespace.
|
7492 |
30-Mar-1995 |
ugen |
make pass work also as the first keyword (while addf skipped) Reviewed by: Submitted by: Obtained from:
|
6854 |
03-Mar-1995 |
ugen |
Update manpage..BTW,if somebody wit good English would go through it and fix it would be a really good idea.
|
6853 |
03-Mar-1995 |
ugen |
Oops..remove some debugging leftover..
|
6852 |
03-Mar-1995 |
ugen |
Ok..so everybody picking on me that ipfw syntacs is a pain in ...wel.. trying to fix this * from/to/via position indepenndant syntax * "any" for 0/0 host address * addf/addb default keyword in case you skip it.. * pass = accept new action, seems to be somewhat better in particular cases * on = via (as on ed0 instead of via ed0,loook at reject tcp on ed0 from hacker )
|
6763 |
27-Feb-1995 |
ugen |
Fixed manpage..ldeny,lreject and log options are there and others not.. Submitted by: torstenb@FreeBSD.ORG
|
6688 |
24-Feb-1995 |
ugen |
Change utility to accept interface name along with IP as "via" argument
|
6545 |
18-Feb-1995 |
jkh |
ipfirewall.4 is obviously not here anymore! Adjust the Makefile.
|
6522 |
17-Feb-1995 |
ugen |
Finally document "via" feature..
|
6372 |
14-Feb-1995 |
ugen |
Ppl asked to make ipfw smarter..ok.. here it is..
|
6371 |
14-Feb-1995 |
ugen |
Fix for rather stupid bug by which you couldn't set ports for the destination IP addr/port. Nobody reported this btw , while a lot of other things reported- probably ppl does not use destination ports at all????
|
6275 |
09-Feb-1995 |
ugen |
Ok..at least this man page is up to date now To be continued..
|
5539 |
12-Jan-1995 |
ugen |
Utility changes following the facility. We have only one firewall chain and one accounting chain now. No blocking/forwarding so commands changed. Man pages are somewhat out of date and will be updated ASAP.
|
5088 |
13-Dec-1994 |
ugen |
Add interface to clear accounting entry option. Reflect ip_fw structure changes.
|
5084 |
12-Dec-1994 |
ugen |
Add via option,minor changes to interface to reflect internal firewall changes.Check option disabled temporary.
|
5053 |
11-Dec-1994 |
ats |
Changed a reboot(1) to a reboot(8).
|
4848 |
28-Nov-1994 |
ugen |
Interface changes to support additions to firewall.
|
4696 |
20-Nov-1994 |
ugen |
G-d help me to do it right first time.... Minor patch to man page,test.
|
4541 |
17-Nov-1994 |
jkh |
New man pages from Ugen. Delete my old, first attempt. I only hope that the english in Ugen's two replacement pages is not too impenetrable! :-) [Note: Poul - please pull these into the BETA branch along with the other firewall changes]
Submitted by: ugen
|
4524 |
16-Nov-1994 |
jkh |
Latest from Ugen J.S.Antsilevich" <ugen@NetVision.net.il>. Poul, please take this into BETA. Submitted by: ugen
|
4278 |
08-Nov-1994 |
jkh |
More 12th hour fixes from Ugen. Submitted by: ugen
|
4036 |
31-Oct-1994 |
jkh |
Latest changes from Uben. Submitted by: uben
|
3970 |
28-Oct-1994 |
jkh |
Fix up the man page a little more, delete the README that crept in (but I'm actually just as happy to have in the attic, for reference).
|
3966 |
28-Oct-1994 |
jkh |
This commit was generated by cvs2svn to compensate for changes in r3965, which included commits to RCS files with non-trunk default branches.
|