#
346212 |
|
14-Apr-2019 |
ae |
MFC r345264: Add NAT64 CLAT implementation as defined in RFC6877.
CLAT is customer-side translator that algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa. It is implemented as part of ipfw_nat64 kernel module. When module is loaded or compiled into the kernel, it registers "nat64clat" external action. External action named instance can be created using `create` command and then used in ipfw rules. The create command accepts two IPv6 prefixes `plat_prefix` and `clat_prefix`. If plat_prefix is ommitted, IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.
# ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in
Obtained from: Yandex LLC Submitted by: Boris N. Lytochkin Relnotes: yes Sponsored by: Yandex LLC
|
#
336040 |
|
06-Jul-2018 |
jamie |
MFC r335921:
Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8) These are the last of the jail-aware userland utilities that didn't work with names.
PR: 229266 Differential Revision: D16047
|
#
316446 |
|
03-Apr-2017 |
ae |
MFC r304041: Move logging via BPF support into separate file.
* make interface cloner VNET-aware; * simplify cloner code and use if_clone_simple(); * migrate LOGIF_LOCK() to rmlock; * add ipfw_bpf_mtap2() function to pass mbuf to BPF; * introduce new additional ipfwlog0 pseudo interface. It differs from ipfw0 by DLT type used in bpfattach. This interface is intended to used by ipfw modules to dump packets with additional info attached. Currently pflog format is used. ipfw_bpf_mtap2() function uses second argument to determine which interface use for dumping. If dlen is equal to ETHER_HDR_LEN it uses old ipfw0 interface, if dlen is equal to PFLOG_HDRLEN - ipfwlog0 will be used.
Obtained from: Yandex LLC Sponsored by: Yandex LLC
MFC r304043: Add three helper function to manage tables from external modules.
ipfw_objhash_lookup_table_kidx does lookup kernel index of table; ipfw_ref_table/ipfw_unref_table takes and releases reference to table.
Obtained from: Yandex LLC Sponsored by: Yandex LLC
MFC r304046, 304108: Add ipfw_nat64 module that implements stateless and stateful NAT64.
The module works together with ipfw(4) and implemented as its external action module.
Stateless NAT64 registers external action with name nat64stl. This keyword should be used to create NAT64 instance and to address this instance in rules. Stateless NAT64 uses two lookup tables with mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.
A configuration of instance should looks like this: 1. Create lookup tables: # ipfw table T46 create type addr valtype ipv6 # ipfw table T64 create type addr valtype ipv4 2. Fill T46 and T64 tables. 3. Add rule to allow neighbor solicitation and advertisement: # ipfw add allow icmp6 from any to any icmp6types 135,136 4. Create NAT64 instance: # ipfw nat64stl NAT create table4 T46 table6 T64 5. Add rules that matches the traffic: # ipfw add nat64stl NAT ip from any to table(T46) # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96 6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.
Stateful NAT64 registers external action with name nat64lsn. The only one option required to create nat64lsn instance - prefix4. It defines the pool of IPv4 addresses used for translation.
A configuration of instance should looks like this: 1. Add rule to allow neighbor solicitation and advertisement: # ipfw add allow icmp6 from any to any icmp6types 135,136 2. Create NAT64 instance: # ipfw nat64lsn NAT create prefix4 A.B.C.D/28 3. Add rules that matches the traffic: # ipfw add nat64lsn NAT ip from any to A.B.C.D/28 # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96 4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.
Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D6434
MFC r304048: Replace __noinline with special debug macro NAT64NOINLINE.
MFC r304061: Use %ju to print unsigned 64-bit value.
MFC r304076: Make statistics nat64lsn, nat64stl an nptv6 output netstat-like: "@value @description" and fix build due to -Wformat errors.
MFC r304378 (by bz): Try to fix gcc compilation errors (which are right). nat64_getlasthdr() returns an int, which can be -1 in case of error, storing the result in an uint8_t and then comparing to < 0 is not helpful. Do what is done in the rest of the code and make proto an int here as well.
MFC r309187: Fix ICMPv6 Time Exceeded error message translation.
MFC r314718: Use new ipfw_lookup_table() in the nat64 too.
MFC r315204,315233: Use memset with structure size.
|
#
316444 |
|
03-Apr-2017 |
ae |
MFC r303012: Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6 as defined in RFC 6296. The module works together with ipfw(4) and implemented as its external action module. When it is loaded, it registers as eaction and can be used in rules. The usage pattern is similar to ipfw_nat(4). All matched by rule traffic goes to the NPT module.
Reviewed by: hrs Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D6420
MFC r304049: Add `stats reset` command implementation to NPTv6 module to be able reset statistics counters.
Obtained from: Yandex LLC Sponsored by: Yandex LLC
MFC r304076: Make statistics nat64lsn, nat64stl an nptv6 output netstat-like: "@value @description" and fix build due to -Wformat errors.
MFC r314507: Fix NPTv6 rule counters when one_pass is not enabled.
Consider the rule matching when both @done and @retval values returned from ipfw_run_eaction() are zero. And modify ipfw_nptv6() to return IP_FW_DENY and @done=0 when addresses do not match.
Obtained from: Yandex LLC Sponsored by: Yandex LLC
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
298107 |
|
16-Apr-2016 |
gjb |
Merge the projects/release-pkg branch to head.
This allows packaging the base system with pkg(8), including but not limited to providing the ability to provide upstream binary update possibilities for non-tier-1 architectures.
This merge is a requirement of the 11.0-RELEASE, and as such, thank you to everyone that has tested the project branch.
Documentation in build(7) etc. is still somewhat sparse, but updates to those parts will follow.
Sponsored by: The FreeBSD Foundation
|
#
275030 |
|
25-Nov-2014 |
bapt |
Convert sbin/ to LIBADD Reduce overlinking
|
#
272840 |
|
09-Oct-2014 |
melifaro |
Merge projects/ipfw to HEAD.
Main user-visible changes are related to tables:
* Tables are now identified by names, not numbers. There can be up to 65k tables with up to 63-byte long names. * Tables are now set-aware (default off), so you can switch/move them atomically with rules. * More functionality is supported (swap, lock, limits, user-level lookup, batched add/del) by generic table code. * New table types are added (flow) so you can match multiple packet fields at once. * Ability to add different type of lookup algorithms for particular table type has been added. * New table algorithms are added (cidr:hash, iface:array, number:array and flow:hash) to make certain types of lookup more effective. * Table value are now capable of holding multiple data fields for different tablearg users
Performance changes: * Main ipfw lock was converted to rmlock * Rule counters were separated from rule itself and made per-cpu. * Radix table entries fits into 128 bytes * struct ip_fw is now more compact so more rules will fit into 64 bytes * interface tables uses array of existing ifindexes for faster match
ABI changes: All functionality supported by old ipfw(8) remains functional. Old & new binaries can work together with the following restrictions: * Tables named other than ^\d+$ are shown as table(65535) in ruleset in old binaries
Internal changes:. Changing table ids to numbers resulted in format modification for most sockopt codes. Old sopt format was compact, but very hard to extend (no versioning, inability to add more opcodes), so * All relevant opcodes were converted to TLV-based versioned IP_FW3-based codes. * The remaining opcodes were also converted to be able to eliminate all older opcodes at once * All IP_FW3 handlers uses special API instead of calling sooptcopy* directly to ease adding another communication methods * struct ip_fw is now different for kernel and userland * tablearg value has been changed to 0 to ease future extensions * table "values" are now indexes in special value array which holds extended data for given index * Batched add/delete has been added to tables code * Most changes has been done to permit batched rule addition. * interface tracking API has been added (started on demand) to permit effective interface tables operations * O(1) skipto cache, currently turned off by default at compile-time (eats 512K).
* Several steps has been made towards making libipfw: * most of new functions were separated into "parse/prepare/show and actuall-do-stuff" pieces (already merged). * there are separate functions for parsing text string into "struct ip_fw" and printing "struct ip_fw" to supplied buffer (already merged). * Probably some more less significant/forgotten features
MFC after: 1 month Sponsored by: Yandex LLC
|
#
265420 |
|
06-May-2014 |
imp |
Use src.opts.mk in preference to bsd.own.mk except where we need stuff from the latter.
|
#
261797 |
|
12-Feb-2014 |
glebius |
Fix world build WITHOUT_PF.
Sponsored by: Nginx, Inc.
|
#
204869 |
|
08-Mar-2010 |
luigi |
add back DPADD (removed by mistake in a previous commit)
|
#
204591 |
|
02-Mar-2010 |
luigi |
Bring in the most recent version of ipfw and dummynet, developed and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet.
The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions.
In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ.
Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland.
Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time.
Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits.
CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.
|
#
204329 |
|
25-Feb-2010 |
ru |
Fixed dependencies (make checkdpadd).
|
#
194930 |
|
24-Jun-2009 |
oleg |
- fix dummynet 'fast' mode for WF2Q case. - fix printing of pipe profile data. - introduce new pipe parameter: 'burst' - how much data can be sent through pipe bypassing bandwidth limit.
|
#
187983 |
|
01-Feb-2009 |
luigi |
put the altq-related functions into a separate file. Minor cleanup of the includes used by the various source files, including annotations of why certain headers are used.
|
#
187787 |
|
27-Jan-2009 |
luigi |
fix printing of uint64_t values, so we can use WARNS=2
|
#
187770 |
|
27-Jan-2009 |
luigi |
Put nat and ipv6 support in their own files.
Usual moving of code with no changes from ipfw2.c to the newly created files, and addition of prototypes to ipfw2.h
I have added forward declarations for ipfw_insn_* in ipfw2.h to avoid a global dependency on ip_fw.h
|
#
187768 |
|
27-Jan-2009 |
luigi |
never mind, for the time being let's stick with WARNS=0 until we sort out all proper printf formats.
|
#
187767 |
|
27-Jan-2009 |
luigi |
Start splitting the monster file in smaller blocks.
In this episode: - introduce a common header with a minimal set of common definitions; - bring the main() function and options parser in main.c - rename the main functions with an ipfw_ prefix
No code changes except for the introduction of a global variable, resvd_set_number, which stores the RESVD_SET value from ip_fw.h and is used to remove the dependency of main.c from ip_fw.h (and the subtree of dependencies) for just a single constant.
|
#
187763 |
|
27-Jan-2009 |
luigi |
I believe this is safe to build with WARNS=2 now
|
#
136079 |
|
03-Oct-2004 |
green |
Remove blindly-copied extra include path.
|
#
136071 |
|
02-Oct-2004 |
green |
Add to IPFW the ability to do ALTQ classification/tagging.
|
#
99788 |
|
11-Jul-2002 |
bde |
Uncommented WARNS=0. ipfw2.c is full of printf format errors that are fatal on alphas.
Fixed setting of WARNS. WARNS should never be set unconditionally, since this breaks testing of different WARNS values by setting it at a higher level (e.g., on the command line).
|
#
98943 |
|
27-Jun-2002 |
luigi |
The new ipfw code.
This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules).
The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time.
I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like
ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:
10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
|
#
87325 |
|
04-Dec-2001 |
obrien |
Default to WARNS=2. Binary builds that cannot handle this must explicitly set WARNS=0.
Reviewed by: mike
|
#
74815 |
|
26-Mar-2001 |
ru |
- Backout botched attempt to introduce MANSECT feature. - MAN[1-9] -> MAN.
|
#
74531 |
|
20-Mar-2001 |
ru |
Set the default manual section for sbin/ to 8.
|
#
66733 |
|
06-Oct-2000 |
ru |
Convert this Makefile to the usual style.
|
#
26359 |
|
02-Jun-1997 |
julian |
Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code. they include a change to the API because the old method was broken, but the user view is kept the same.
The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections especially TCP related, and many many more ...
see the man page for a complete description.
|
#
14233 |
|
24-Feb-1996 |
phk |
Update to match kernel code.
|
#
14231 |
|
23-Feb-1996 |
phk |
A new ipfw program that can set and control the new features. An almost correct usage is printed.
|
#
6545 |
|
18-Feb-1995 |
jkh |
ipfirewall.4 is obviously not here anymore! Adjust the Makefile.
|
#
4541 |
|
17-Nov-1994 |
jkh |
New man pages from Ugen. Delete my old, first attempt. I only hope that the english in Ugen's two replacement pages is not too impenetrable! :-) [Note: Poul - please pull these into the BETA branch along with the other firewall changes]
Submitted by: ugen
|
#
3966 |
|
28-Oct-1994 |
jkh |
This commit was generated by cvs2svn to compensate for changes in r3965, which included commits to RCS files with non-trunk default branches.
|
#
3965 |
|
28-Oct-1994 |
jkh |
Add the ipfw command, for IP firewall construction. Submitted by: danny ugen
|