c3c81617 | 07-Nov-2023 | Elyes Haouas <ehaouas@noos.fr>
ipfw: Use nitems(foo) instead of sizeof(foo)/sizeof(foo[0])

Pull Request: https://github.com/freebsd/freebsd-src/pull/888
Signed-off-by: Elyes Haouas <ehaouas@noos.fr>

d600ad81 | 11-Apr-2024 | Elyes Haouas <ehaouas@noos.fr>
ipfw: Remove repeated words

Remove repeated words in error message.

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/887

b3e76948 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

2b5dd8b8 | 15-Jun-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
ipfw: use function return value to fetch insn argument.

This is a prerequisite for splitting compile_rule() into smaller chunks.

MFC after: 2 weeks

6a9cfeba | 07-Jun-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
ipfw: simplify action case parser

Remove "goto charg" from the action parser. This is a prerequisite for the further split of the gigantic compile_rule().

Differential Revision: https://reviews.freebsd.org/D40490
MFC after: 2 weeks

9f44a47f | 11-Jun-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
ipfw(8): add ioctl/instruction generation tests

Differential Revision: https://reviews.freebsd.org/D40488
MFC after: 2 weeks

e4861dc8 | 01-Jun-2023 | Elyes Haouas <ehaouas@noos.fr>
ipfw/ipfw2: Fix typos

Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/653

fc727ad6 | 24-Apr-2023 | Boris Lytochkin <lytboris@gmail.com>
ipfw: add [fw]mark implementation for ipfw

Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf while regular tags require a single-linked list traversal. Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number with optional mask applied before comparison.

Having generic nature, Mark can be used in a variety of needs. For example, it could be used as a security group: mark will hold a security group id and represent a group of packet flows that share the same access control policy.

Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month

bdd60b22 | 13-Jan-2023 | Jose Luis Duran <jlduran@gmail.com>
ipfw: Add missing 'va' code point name

Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.

Reviewed By: melifaro, pauamma
Differential Revision: https://reviews.freebsd.org/D37508
MFC after: 2 weeks

05b9737f | 17-Aug-2022 | Gleb Smirnoff <glebius@FreeBSD.org>
ipfw: make it possible to specify MTU for "unreach needfrag" action

Reviewed by: ae, pauamma
Differential revision: https://reviews.freebsd.org/D36140

81cac390 | 04-Jun-2022 | Arseny Smalyuk <smalukav@gmail.com>
ipfw: add support for radix tables and table lookup for MAC addresses

By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using a new ipfw table with mac:radix type. Also there are src-mac and dst-mac lookup commands added.

Usage example:
    ipfw table 1 create type mac
    ipfw table 1 add 11:22:33:44:55:66/48
    ipfw add skipto tablearg src-mac 'table(1)'
    ipfw add deny src-mac 'table(1, 100)'
    ipfw add deny lookup dst-mac 1

Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.

Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103

0b95680e | 25-May-2021 | Kristof Provost <kp@FreeBSD.org>
ipfw: Introduce dnctl

Introduce a link to the ipfw command, dnctl, for dummynet configuration. dnctl only handles dummynet configuration, and is part of the effort to support dummynet in pf. /sbin/ipfw continues to accept pipe, queue and sched commands, but these can now also be issued via the new dnctl command.

Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465

809ad817 | 11-Aug-2021 | Gordon Bergling <gbe@FreeBSD.org>
ipfw(8): Fix a typo in an error message

- s/suport/support/

MFC after: 5 days

f6f29787 | 11-May-2021 | Lutz Donnerhacke <donner@FreeBSD.org>
sbin/ipfw: Allow tablearg as hostname

Hostnames starting with "tablearg" are considered as a functional argument instead of a literal.

Reported by: ae
Reviewers: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30208

6cb13813 | 07-May-2021 | Lutz Donnerhacke <donner@FreeBSD.org>
sbin/ipfw: Fix parsing error in table based forward

The argument parser does not recognise the optional port for a "tablearg" argument. The fix simplifies the code by making the internal representation explicit for the parser.

PR: 252744
MFC: 1 week
Reported by: <bugs.freebsd.org@mx.zzux.com>
Approved by: nc
Tested by: <bugs.freebsd.org@mx.zzux.com>
Differential Revision: https://reviews.freebsd.org/D30164

bf7cc0f9 | 30-Apr-2021 | Lutz Donnerhacke <donner@FreeBSD.org>
sbin/ipfw: Fix null pointer dereference when printing counters

ipfw -[tT] prints statistics of the last access. If the rule was never used, the counter might not exist. This happens unconditionally on inserting a new rule. Avoid printing statistics in this case.

PR: 255491
Reported by: Haisheng Zhouz
Reviewed by: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30046

682c31db | 01-Feb-2021 | Evgeniy Khramtsov <2khramtsov@gmail.com>
ipfw(8) crashes when ext6hdr option is omitted

Verify that the option is passed, error out if it's not. The problem can be trivially triggered with `ipfw add allow ext6hdr`.

PR: 253169
Reviewed by: kp@
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D28447

b876085f | 11-Sep-2020 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix compatibility regression after r364117.

Properly handle the case when some opcode keywords follow after the `frag` opcode without additional options.

Reported by: Evgeniy Khramtsov <evgeniy at khramtsov org>

0fa427fe | 01-Sep-2020 | Stefan Eßer <se@FreeBSD.org>
Change printf format string to include the extra blank

This is a follow-up change to r364321 after a discussion about the style. All nearby places use extra blanks in format strings, and while use of the format string to provide the extra blank may need more cycles than adding 1 to twidth, it generates shorter code and is clearer in the opinion of some reviewers of the previous change.

Not objected to by: emaste
MFC after: 3 days

c1b355d3 | 17-Aug-2020 | Ed Maste <emaste@FreeBSD.org>
ipfw: line up `ipfw -t list` with and without timestamp

From the PR:

When I run `ipfw -t list` on release/12 or current, I get misaligned output between lines that do and do not have a last match timestamp, like so:

    00100 Tue Aug 11 03:03:26 2020 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8

(specifically, the "allow" and "deny" strings do not line up)

PR: 248608
Submitted by: Taylor Stearns
MFC after: 3 days

825398f9 | 11-Aug-2020 | Gleb Smirnoff <glebius@FreeBSD.org>
ipfw: make the "frag" keyword accept additional options "mf", "df", "rf" and "offset". This allows matching on specific bits of the ip_off field. For compatibility reasons lack of keyword means "offset".

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D26021

268a20a0 | 13-Jul-2020 | Adrian Chadd <adrian@FreeBSD.org>
[ipfw] quieten maybe-uninitialized errors in ipfw when compiled under mips-gcc-6.3.0.

This is mostly an exercise to set variables to NULL/0 when declared, but one was ensuring a string variable was set before printing it. We should never see "<unknown>" in a printed rule; if we do then this code definitely has some bugs that need addressing.

165236a1 | 13-Jul-2020 | Mark Johnston <markj@FreeBSD.org>
ipfw(8): Handle unaligned pointers in pr_u64.

struct _ipfw_dyn_rule is defined as packed, and as a result, its uint64_t fields are misaligned on some 32-bit platforms. Since pr_u64() is explicitly supposed to handle this case, avoid using a uint64_t * for the input pointer to make sure that the compiler won't (correctly) warn about the misalignment.

Reported by: jenkins
MFC with: r363164

56707bee | 13-Jul-2020 | Mark Johnston <markj@FreeBSD.org>
ipfw(8): Fix most warnings with the default WARNS level.

- Add missing const and static qualifiers.
- Avoid shadowing the global "co" by renaming it to "g_co".
- Avoid mixing signedness in loop bound checks.
- Leave -Wcast-align warnings disabled for now.

Reviewed by: ae, melifaro
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D25456

a3349dd9 | 25-Jun-2020 | Mark Johnston <markj@FreeBSD.org>
ipfw: Support the literal IPv6 address syntax in the fwd command.

Discussed with: rgrimes, Lutz Donnerhacke
Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D24011

db1102f2 | 23-Mar-2020 | Andrey V. Elsukov <ae@FreeBSD.org>
Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy NAT instance.

The NAT44 group of opcodes for IP_FW3 socket option is the modern way to control NAT instances, and this method can be used in future to switch from numeric to named NAT instances, like was done for ipfw tables. The IP_FW_NAT_DEL opcode is the last remnant of the old ipfw_ctl control plane that doesn't support versioned operations. This interface will be retired soon.

Reviewed by: melifaro
MFC after: 10 days
Sponsored by: Yandex LLC

e3bf606c | 11-Mar-2020 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Revert r358858 as it breaks some ipfw(8) setups.

Reported by: O. Hartmann <o.hartmann@walstatt.org>

8149b12d | 10-Mar-2020 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().

Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D21812

c144616b | 04-Aug-2019 | Kyle Evans <kevans@FreeBSD.org>
ipfw: fix jail option after r348215

r348215 changed jail_getid(3) to validate passed-in jids as active jails (as the function is documented to return -1 if the jail does not exist). This broke the jail option (in some cases?) as the jail historically hasn't needed to exist at the time of rule parsing; jids will get stored and later applied.

Fix this caller to attempt to parse *av as a number first and just use it as-is to match historical behavior. jail_getid(3) must still be used in order for name arguments to work, but it's strictly a fallback in case we weren't given a number.

Reported and tested by: Ari Suutari <ari stonepile fi>
Reviewed by: ae
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D21128

55507128 | 25-Jun-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Restore ipfw(8)'s compact output support broken after r331668.

Also modify it a bit. Now the -c option omits only the 'from any to any' part and works for different protocols (not just for ip).

Reported by: Dmitry Selivanov <dseliv at gmail>
MFC after: 1 week

978f2d17 | 21-Jun-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add "tcpmss" opcode to match the TCP MSS value.

With this opcode it is possible to match TCP packets with specified MSS option, whose value corresponds to the value configured in the opcode. It is allowed to specify a single value, a range of values, or an array of specific values or ranges. E.g.

    # ipfw add deny log tcp from any to any tcpmss 0-500

Reviewed by: melifaro,bcr
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC

761618de | 29-Apr-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Handle HAVE_PROTO flag and print "proto" keyword for O_IP4 and O_IP6 opcodes when it is needed.

This should fix the problem when a rule printed by `ipfw show` could not be added due to the missing "proto" keyword.

MFC after: 2 weeks

5c04f73e | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add NAT64 CLAT implementation as defined in RFC6877.

CLAT is customer-side translator that algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa. It is implemented as part of ipfw_nat64 kernel module. When module is loaded or compiled into the kernel, it registers "nat64clat" external action. External action named instance can be created using `create` command and then used in ipfw rules. The create command accepts two IPv6 prefixes `plat_prefix` and `clat_prefix`. If plat_prefix is omitted, IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.

    # ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
    # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
    # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in

Obtained from: Yandex LLC
Submitted by: Boris N. Lytochkin
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC

a5178bca | 21-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Allow use of underscores and dots in service names without escaping.

PR: 234237
MFC after: 1 week

a895c1c2 | 10-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Rework how protocol number is tracked in rule. Save it when O_PROTO opcode will be printed. This should solve the problem when the protocol name is not printed in `ipfw -N show`.

Reported by: Claudio Eichenberger <cei at yourshop.com>
MFC after: 1 week

5f9c94c5 | 10-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Use correct size for IPv4 address in gethostbyaddr().

When u_long is 8 bytes, it returns EINVAL and 'ipfw -N show' doesn't work.

Reported by: Claudio Eichenberger <cei at yourshop.com>
MFC after: 1 week

d66f9c86 | 04-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ability to request listing and deleting only for dynamic states.

This can be useful when net.inet.ip.fw.dyn_keep_states is enabled, but after rules reloading some state must be deleted. Added new flag '-D' for such purpose. Retire '-e' flag, since there can not be expired states in the meaning that this flag historically had.

Also add "verbose" mode for listing of dynamic states; it can be enabled with '-v' flag and adds additional information to states list. This can be useful for debugging.

Obtained from: Yandex LLC
MFC after: 2 months
Sponsored by: Yandex LLC

427dc1f7 | 25-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Use correct format specifier to print setdscp action.

PR: 232642
MFC after: 3 days

094d6f8d | 21-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add IPFW_RULE_JUSTOPTS flag, that is used by ipfw(8) to mark a rule that was added using "new rule format". And then, when the kernel returns a rule with this flag, ipfw(8) can correctly show it.

Reported by: lev
MFC after: 3 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17373

c5bf4b1b | 26-Sep-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add "src-ip" or "dst-ip" keyword to the output, when we are printing the rest of rule options.

Reported by: lev
Approved by: re (gjb)
MFC after: 1 week

f4d5e7d8 | 10-Aug-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Restore the behaviour changed in r337536, when bad `ipfw delete` command returns error. Now -q option only makes it quiet. And when -f flag is specified, the command will ignore errors and continue executing with next batched command.

MFC after: 2 weeks

e327ad33 | 08-Aug-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
If -q flag is specified, do not complain when we are trying to delete nonexistent NAT instance or nonexistent rule. This allows executing batched `delete` commands without failing when a nonexistent rule is found.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC

f7c4fdee | 09-Jul-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add "record-state", "set-limit" and "defer-action" rule options to ipfw.

"record-state" is similar to "keep-state", but it doesn't produce an implicit O_PROBE_STATE opcode in a rule.

"set-limit" is like "limit", but it has the same feature as "record-state": it is a single opcode without an implicit O_PROBE_STATE opcode.

"defer-action" is targeted to be used with dynamic states. When a rule with this opcode is matched, the rule's action will not be executed; instead a dynamic state will be created. And when this state is matched by "check-state", then the rule action will be executed. This allows creating more complicated rulesets.

Submitted by: lev
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D1776

de68a320 | 03-Jul-2018 | Jamie Gritton <jamie@FreeBSD.org>
Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8)

These are the last of the jail-aware userland utilities that didn't work with names.

PR: 229266
MFC after: 3 days
Differential Revision: D16047

51d5442f | 09-May-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix the printing of rule comments.

Change uint8_t type of opcode argument to int in the print_opcode() function. Use negative value to print the rest of opcodes, because zero value is O_NOP, and it can't be used for this purpose.

Reported by: lev
MFC after: 1 week

bd32e335 | 12-Apr-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove printing of "not" keyword from print_ip6() function.

After r331668 handling of F_NOT flag is done in one place by the print_instruction() function. Also remove unused argument from print_ip[6]() functions.

MFC after: 1 week

09a6be91 | 12-Apr-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove printing of "not" keyword from print_ip() function.

After r331668 handling of F_NOT flag is done in one place by the print_instruction() function.

MFC after: 1 week

aed02679 | 27-Mar-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Rework ipfw rules parsing and printing code.

Introduce show_state structure to keep information about printed opcodes. Split show_static_rule() function into several smaller functions. Make parsing and printing opcodes into several passes. Each printed opcode is marked in show_state structure and will be skipped in next passes. Now show_static_rule() function is simple, it just prints each part of rule separately: action, modifiers, proto, src and dst addresses, options.

The main goal of this change is avoiding occurrence of wrong result of `ipfw show` command, that can not be parsed by ipfw(8). Also now it is possible to make some simple static optimizations by reordering of opcodes in the rule.

PR: 222705
Discussed with: melifaro
MFC after: 2 weeks
Sponsored by: Yandex LLC

c690824a | 23-Dec-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix rule number truncation, use uint16_t type to specify rulenum.

PR: 224555
MFC after: 1 week

33d72c30 | 20-Dec-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
Revert r327005 - SPDX tags for license similar to BSD-2-Clause.

After consultation with SPDX experts and their matching guidelines[1], the licensing doesn't exactly match the BSD-2-Clause. It yet remains to be determined if they are equivalent or if there is a recognized license that matches but it is safer to just revert the tags.

Let this also be a reminder that on FreeBSD, SPDX tags are only advisory and have no legal value (but IANAL).

Pointyhat to: pfg
Thanks to: Rodney Grimes, Gary O'Neall

[1] https://spdx.org/spdx-license-list/matching-guidelines

d17aef79 | 19-Dec-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
SPDX: These are fundamentally BSD-2-Clause.

They just omit the introductory line and numbering.

665c8a2e | 26-Nov-2017 | Michael Tuexen <tuexen@FreeBSD.org>
Add to ipfw support for sending an SCTP packet containing an ABORT chunk.

This is similar to the TCP case, where a TCP RST segment can be sent. There is one limitation: When sending an ABORT in response to an incoming packet, it should be tested if there is no ABORT chunk in the received packet. Currently, it is only checked if the first chunk is an ABORT chunk to avoid parsing the whole packet, which could result in a DOS attack.

Thanks to Timo Voelker for helping me to test this patch.

Reviewed by: bcr@ (man page part), ae@ (generic, non-SCTP part)
Differential Revision: https://reviews.freebsd.org/D13239

df5be97c | 01-May-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Properly initialize ipfw_range_tlv variable to fix possible EINVAL in case when ipfw delete/zero/resetlog command issued for several rules in the loop. Also reorder some variables by size.

PR: 218993
MFC after: 1 week

aac74aea | 02-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_pmod kernel module.

The module is designed for modification of packets of any protocol. For now it implements only TCP MSS modification. It adds the external action handler for "tcp-setmss" action. A rule with tcp-setmss action does additional check for protocol and TCP flags. If SYN flag is present, it parses TCP options and modifies MSS option if its value is greater than configured value in the rule. Then it adjusts TCP checksum if needed. After handling the search continues with the next rule.

Obtained from: Yandex LLC
MFC after: 2 weeks
Relnotes: yes
Sponsored by: Yandex LLC
No objection from: #network
Differential Revision: https://reviews.freebsd.org/D10150

11c56650 | 02-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add O_EXTERNAL_DATA opcode support.

This opcode can be used to attach some data to external action opcode. And unlike the O_EXTERNAL_INSTANCE opcode, this opcode does not require creating a named instance to pass configuration arguments to external action handler. The data comes just next to O_EXTERNAL_ACTION opcode. The userlevel part currently supports formatting for opcode with ipfw_insn size; by default it expects u16 numeric value in the arg1.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC

6ed14738 | 15-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Change the syntax of ipfw's named states.

Since the state name is an optional argument, it often can conflict with other options. To avoid ambiguity now the state name must be prefixed with a colon.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC

6d3c367d | 28-Dec-2016 | Marius Strobl <marius@FreeBSD.org>
Fix a bug in r272840; given that the optlen parameter of setsockopt(2) is a 32-bit socklen_t, do_get3() passes the kernel to access the wrong 32-bit half on big-endian LP64 machines when simply casting the 64-bit size_t optlen to a socklen_t pointer. While at it and given that the intention of do_get3() apparently is to hide/wrap the fact that socket options are used for communication with ipfw(4), change the optlen parameter of do_set3() to be of type size_t and as such more appropriate than uintptr_t, too.

MFC after: 3 days

c99ebe6c | 29-Nov-2016 | Oleg Bulyzhin <oleg@FreeBSD.org>
Fix 'ipfw delete set N': do not emit meaningless 'rule 0 not found' warning if set was already empty.

MFC after: 1 week

757b5d87 | 15-Nov-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add missing support of named lookup tables to the IPv6 code.

PR: 214419
MFC after: 1 week
Sponsored by: Yandex LLC

4a2ea55b | 14-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add an ability to attach comment to check-state rules.

MFC after: 1 week

58d358e5 | 14-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Do not warn about ambiguous state name when we inspect a comment token.

Reported by: lev

d8caf56e | 13-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_nat64 module that implements stateless and stateful NAT64.

The module works together with ipfw(4) and is implemented as its external action module.

Stateless NAT64 registers external action with name nat64stl. This keyword should be used to create NAT64 instance and to address this instance in rules. Stateless NAT64 uses two lookup tables with mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation. A configuration of instance should look like this:

1. Create lookup tables:
    # ipfw table T46 create type addr valtype ipv6
    # ipfw table T64 create type addr valtype ipv4
2. Fill T46 and T64 tables.
3. Add rule to allow neighbor solicitation and advertisement:
    # ipfw add allow icmp6 from any to any icmp6types 135,136
4. Create NAT64 instance:
    # ipfw nat64stl NAT create table4 T46 table6 T64
5. Add rules that match the traffic:
    # ipfw add nat64stl NAT ip from any to table(T46)
    # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.

Stateful NAT64 registers external action with name nat64lsn. The only option required to create nat64lsn instance is prefix4. It defines the pool of IPv4 addresses used for translation. A configuration of instance should look like this:

1. Add rule to allow neighbor solicitation and advertisement:
    # ipfw add allow icmp6 from any to any icmp6types 135,136
2. Create NAT64 instance:
    # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
3. Add rules that match the traffic:
    # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
    # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.

Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6434

d6eb9b02 | 11-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Restore "nat global" support.

Now zero value of arg1 is used to specify "tablearg"; use the old "tablearg" value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace hardcoded magic number to specify "nat global". Also replace 65535 magic number with corresponding macro. Fix typo in comments.

PR: 211256
Tested by: Victor Chernov
MFC after: 3 days

b055e3be | 08-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix formatting of setfib opcode.

Zero fib is a correct value and it conflicts with IP_FW_TARG. Use bprint_uint_arg() only when opcode contains IP_FW_TARG, otherwise just print numeric value with cleared high-order bit.

MFC after: 3 days

78724b52 | 08-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix constructing of setdscp opcode with tablearg keyword.

setdscp's argument can have zero value that conflicts with IP_FW_TARG value. Always set high-order bit if parser doesn't find tablearg keyword.

MFC after: 3 days

ed22e564 | 18-Jul-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add named dynamic states support to ipfw(4).

The keep-state, limit and check-state now will have an additional argument flowname. This flowname will be assigned to a dynamic rule by the keep-state or limit opcode. And then it can be matched by the check-state opcode or O_PROBE_STATE internal opcode.

To reduce possible breakage and to maximize compatibility with old rulesets a default flowname is introduced. It will be assigned to the rules when the user has omitted the state name in keep-state and check-state opcodes. Also if the name is ambiguous (can be evaluated as a rule opcode) it will be replaced with the default.

Reviewed by: julian
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6674

b867e84e | 18-Jul-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6 as defined in RFC 6296.

The module works together with ipfw(4) and is implemented as its external action module. When it is loaded, it registers as eaction and can be used in rules. The usage pattern is similar to ipfw_nat(4). All traffic matched by the rule goes to the NPT module.

Reviewed by: hrs
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6420

825f02a9 | 17-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Make `ipfw internal olist` output more user friendly.

Print object type as string for known types.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

2685841b | 17-May-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Make named objects set-aware.

Now it is possible to create named objects with the same name in different sets. Add optional manage_sets() callback to objects rewriting framework. It is intended to implement handler for moving and swapping named object's sets. Add ipfw_obj_manage_sets() function that implements generic sets handler. Use new callback to implement sets support for lookup tables. External actions objects are global and they don't support sets. Modify eaction_findbyname() to reflect this.

ipfw(8) now may fail to move rules or sets, because some named objects in target set may have conflicting names.

Note that ipfw_obj_ntlv type was changed, but since lookup tables actually didn't support sets, this change is harmless.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

b68ac800 | 30-Apr-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
sbin: minor spelling fixes.

No functional change.

2acdf79f | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add External Actions KPI to ipfw(9).

It allows implementing loadable kernel modules with new actions and without needing to modify kernel headers and ipfw(8). The module registers its action handler and keyword string, that will be used as action name. Using generic syntax user can add rules with this action. Also ipfw(8) can be easily modified to extend basic syntax for external actions, that become a part of the base system. Sample modules will be coming soon.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

7b34dbe4 | 14-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix output formatting of O_UNREACH6 opcode.

Obtained from: Yandex LLC

7aee4940 | 09-Mar-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Set buffer to empty string to prevent duplicated output in some cases.

PR: 193888

23a6c733 | 24-Feb-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix bug in filling and handling ipfw's O_DSCP opcode.

Due to integer overflow CS4 token was handled as BE.

PR: 207459
MFC after: 1 week

5dc5a0e0 | 03-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Implement `ipfw internal olist` command to list named objects.

Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC

56afe65c | 02-Oct-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix possible segmentation fault.

PR: 203494
MFC after: 1 week

b7684f4b | 25-Aug-2015 | Marcelo Araujo <araujo@FreeBSD.org>
Code cleanup unused-but-set-variable spotted by gcc.

Reviewed by: melifaro
Approved by: bapt (mentor)
Differential Revision: D3473

dbe90f04 | 12-Aug-2015 | Dimitry Andric <dim@FreeBSD.org>
In ipfw2, avoid left-shifting negative integers, which is undefined.

While here, make some other arguments to htonl(3) unsigned too.

MFC after: 3 days

0b501d96 | 03-Aug-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix ipfw range deletion.

Spotted by: ian,julian

8963c505 | 26-Apr-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Generalize object reference handling in ipfw rules.

No ABI changes.

dc9fa19b | 13-Mar-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Properly initialize scope zone id when next hop address is stored directly in the O_FORWARD_IP6 opcode. Use getnameinfo(3) to format the IPv6 addresses of such opcodes.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

5d439467 | 05-Feb-2015 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Retrieve counters from kernel if rule timestamping is requested.

PR: kern/197271
Submitted by: lev
Sponsored by: Yandex LLC

382a5cbf | 24-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fix displaying non-contiguous netmasks.

Found by: ae
Sponsored by: Yandex LLC

6ff33bb6 | 18-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Zero rule buffer.
* Rename 'read' variable.

Pointed by: luigi

d3de6c1d | 17-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Fix table sets handling.
* Simplify formatting.

Suggested by: luigi

#
6ca0dd05 |
|
12-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Show error when deleting non-existing rule number. Found by: Oleg Ginzburg
|
#
60f485ca |
|
13-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Fix zeroing individual entries via ipfw(8).
* Report error and return non-zero exit code if zeroing non-matched entries.
Found by: Oleg Ginzburg
|
#
6d19a76d |
|
13-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Report error and return non-zero exit code if zeroing non-matched entries. Found by: Oleg Ginzburg
|
#
a552387e |
|
13-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix zeroing individual entries via ipfw(8). Found by: Oleg Ginzburg
|
#
9fe15d06 |
|
10-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Partially fix build on !amd64 Pointed by: bz
|
#
9bb47e70 |
|
06-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Improve "reserved keywords" hack: we can't easily predict (in the current parsing model) if a keyword is an ipfw(8) reserved keyword or a port name. Checking the proto database via getprotobyname() consumes a lot of CPU and leads to tens of seconds for parsing a large ruleset. Use a list of reserved keywords and check them as a prerequisite before doing getprotobyname(). Obtained from: Yandex LLC
|
#
4deb9c92 |
|
05-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix tracked interface list retrieval.
|
#
d91c61c3 |
|
04-Oct-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix GCC warnings.
|
#
77798796 |
|
05-Sep-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Return setsockopt() directly. Suggested by: Steven Hartland at killing@multiplay.co.uk.
|
#
b6462881 |
|
05-Sep-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Use per-function errno handling instead of global one. Requested by: luigi
|
#
0cba2b28 |
|
31-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add support for multi-field values inside ipfw tables. This is the last major change in given branch.

Kernel changes:
* Use 64-bytes structures to hold multi-value variables.
* Use shared array to hold values from all tables (assume each table algo is capable of holding 32-byte variables).
* Add some placeholders to support per-table value arrays in future.
* Use simple eventhandler-style API to ease the process of adding new table items. Currently table addition may require multiple UH drops/acquires which is quite tricky due to atomic table modification/swap support, shared array resize, etc. Deal with it by calling special notifier capable of rolling back state before actually performing swap/resize operations. Original operation then restarts itself after acquiring UH lock.
* Bump all objhash users default values to at least 64
* Fix custom hashing inside objhash.

Userland changes:
* Add support for dumping shared value array via "vlist" internal cmd.
* Some small print/fill_flags fixes to support u32 values.
* valtype is now bitmask of <skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>. New values can hold distinct values for each of these types.
* Provide special "legacy" type which assumes all values are the same.
* More helpers/docs following..

Some examples:

3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
3:41 [1] zfscurr0# ipfw table mimimi info
+++ table(mimimi), set(0) +++
kindex: 2, type: addr
references: 0, valtype: skipto,limit,ipv4,ipv6
algorithm: addr:radix
items: 0, size: 296
3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1
added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1
3:42 [1] zfscurr0# ipfw table mimimi list
+++ table(mimimi), set(0) +++
10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1
|
#
e86bb35d |
|
23-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Whitespace/style changes merged from projects/ipfw.
|
#
912430f6 |
|
23-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Merge buffer-printing changes from projects/ipfw as preparation for branch merge. Requested by: luigi
|
#
40e5f498 |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Pass proper table set numbers from userland side.
* Ignore them, but honor V_fw_tables_sets value on kernel side.
|
#
f18a707e |
|
13-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Update op3 cmds.
|
#
4df4dada |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move one step further towards libipfw: convert show_static_rule() to bpprint-output style, so one can now output human-readable rule representation to preallocated buffer.
|
#
be695df9 |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Update table_handler cmd list
* Implement partial cmd matching inside table handler.
|
#
1940fa77 |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Change tablearg value to be 0 (try #2). Most of the tablearg-supported opcodes do not accept 0 as a valid value: O_TAG, O_TAGGED, O_PIPE, O_QUEUE, O_DIVERT, O_TEE, O_SKIPTO, O_CALLRET, O_NETGRAPH, O_NGTEE, O_NAT treat 0 as invalid input. The rest are O_SETDSCP and O_SETFIB. 'Fix' them by adding high-order bit (0x8000) set for non-tablearg values. Do translation in kernel for old clients (import_rule0 / export_rule0), teach current ipfw(8) binary to add/remove given bit. This change does not affect handling SETDSCP values, but limits O_SETFIB values to 32767 instead of 65k. Since currently we have either old (16) or new (2^32) max fibs, this should not be a big deal: we're definitely OK for the former and have to add another opcode to deal with the latter, regardless of tablearg value.
|
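The arg1 encoding this commit describes (tablearg is 0 in the new ABI and 65535 for old clients, and literal SETFIB/SETDSCP values carry the 0x8000 bit so that a literal 0 can never be mistaken for tablearg), as an added example in C that is not ipfw's own code. The constant names, the op enum and the helper names are this example's assumptions; the import/export functions only mirror what the commit text says the kernel does for old clients.

```c
/*
 * Added example, not ipfw code: the arg1 encoding for the two opcodes whose
 * literal values include 0 (O_SETFIB, O_SETDSCP).  Constants and function
 * names are this example's own; the scheme is the one in the commit text:
 * tablearg is 0 in the new ABI and 65535 in the old one, and non-tablearg
 * SETFIB/SETDSCP values carry 0x8000, which caps SETFIB literals at 32767.
 */
#include <stdbool.h>
#include <stdint.h>

#define TARG_NEW     0u        /* tablearg marker, new ABI */
#define TARG_OLD     65535u    /* tablearg marker, old ABI */
#define ARG_FLAG     0x8000u   /* "this is a literal value" bit for SETFIB/SETDSCP */
#define ARG_MAX      0x7FFFu   /* largest literal that fits beside the flag */
#define ARG1_INVALID 0xFFFFFFFFu

enum op { OP_SKIPTO, OP_SETFIB, OP_SETDSCP };

/* Opcodes that treat 0 as a legitimate literal need the flag. */
static bool op_needs_flag(enum op o)
{
    return o == OP_SETFIB || o == OP_SETDSCP;
}

/* Encode a literal supplied on the command line into arg1 (new ABI).
 * Returns ARG1_INVALID when the value cannot be represented. */
uint32_t arg1_encode(enum op o, uint32_t value)
{
    if (op_needs_flag(o)) {
        if (value > ARG_MAX)                 /* SETFIB is limited to 32767 here */
            return ARG1_INVALID;
        return value | ARG_FLAG;
    }
    /* skipto, pipe, tag, ...: 0 is tablearg and 65535 is the old marker */
    if (value == TARG_NEW || value == TARG_OLD)
        return ARG1_INVALID;
    return value;
}

uint16_t arg1_tablearg(void)          { return TARG_NEW; }
bool     arg1_is_tablearg(uint16_t a) { return a == TARG_NEW; }

/* Literal carried by a non-tablearg arg1. */
uint32_t arg1_value(enum op o, uint16_t a)
{
    return op_needs_flag(o) ? (uint32_t)(a & ~ARG_FLAG) : a;
}

/* What an import_rule0()-style translation has to do for a rule written by
 * an old client: map the old marker, and add the flag where it is needed. */
uint16_t arg1_import_old(enum op o, uint16_t old)
{
    if (old == TARG_OLD)
        return TARG_NEW;
    return op_needs_flag(o) ? (uint16_t)(old | ARG_FLAG) : old;
}

/* The inverse, export_rule0()-style, when an old client reads rules back. */
uint16_t arg1_export_old(enum op o, uint16_t cur)
{
    if (cur == TARG_NEW)
        return TARG_OLD;
    return op_needs_flag(o) ? (uint16_t)(cur & ~ARG_FLAG) : cur;
}
```

The point to keep in mind when reading rules produced by mixed client versions: for O_SETFIB and O_SETDSCP the raw arg1 is never the literal; it is the literal with bit 15 set, and a raw 0 means tablearg, never "fib 0".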
#
720ee730 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Kernel changes:
* Fix buffer calculation for table dumps
* Fix IPv6 radix entries addition broken in r269371.

Userland changes:
* Fix bug in retrieving static ruleset
* Fix several bugs in retrieving table list
|
#
8bd19212 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Partially revert previous commit: "0" value is perfectly valid for O_SETFIB and O_SETDSCP, so tablearg remains to be 65535 for now.
|
#
2c452b20 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Switch tablearg value from 65535 to 0.
* Use u16 table kidx instead of integer for the iface opcode.
* Provide compatibility layer for old clients.
|
#
a73d728d |
|
07-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Kernel changes:
* Implement proper checks for switching between global and set-aware tables
* Split IP_FW_DEL mess into the following opcodes:
  * IP_FW_XDEL (del rules matching pattern)
  * IP_FW_XMOVE (move rules matching pattern to another set)
  * IP_FW_SET_SWAP (swap between 2 sets)
  * IP_FW_SET_MOVE (move one set to another one)
  * IP_FW_SET_ENABLE (enable/disable sets)
* Add IP_FW_XZERO / IP_FW_XRESETLOG to finish IP_FW3 migration.
* Use unified ipfw_range_tlv as range description for all of the above.
* Check dynamic states IFF there was non-zero number of deleted dyn rules,
* Del relevant dynamic states with single traversal instead of per-rule one.

Userland changes:
* Switch ipfw(8) to use new opcodes.
|
#
358b9d09 |
|
03-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Move "talist" and "iflist" cmds into newly-created "internal" ipfw(8) cmd.
* Add "table X detail" cmd and show detailed algo info there instead of "info".
|
#
4c0c07a5 |
|
01-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Permit limiting number of items in table.

Kernel changes:
* Add TEI_FLAGS_DONTADD entry flag to indicate that insert is not possible
* Support given flag in all algorithms
* Add "limit" field to ipfw_xtable_info
* Add actual limiting code into add_table_entry()

Userland changes:
* Add "limit" option as "create" table sub-option. Limit modification is currently impossible.
* Print human-readable errors in table entry addition/deletion code.
|
#
914bffb6 |
|
31-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new "flow" table type to support N=1..5-tuple lookups
* Add "flow:hash" algorithm

Kernel changes:
* Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
* Add IPFW_TABLE_FLOW table type
* Add "struct tflow_entry" as storage for 6-tuple flows
* Add "flow:hash" algorithm. Basically it is auto-growing chained hash table. Additionally, we store mask of fields we need to compare in each instance.
* Increase ipfw_obj_tentry size by adding struct tflow_entry
* Add per-algorithm stat (ipfw_ta_tinfo) to ipfw_xtable_info
* Increase algoname length: 32 -> 64 (algo options passed there as string)
* Assume every table type can be customized by flags, use u8 to store "tflags" field.
* Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
* Fix bug in cidr:chash resize procedure.

Userland changes:
* add "flow table(NAME)" syntax to support n-tuple checking tables.
* make fill_flags() separate function to ease working with _s_x arrays
* change "table info" output to reflect longer "type" fields

Syntax:
ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]

Examples:
0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
0:02 [2] zfscurr0# ipfw table fl2 info
+++ table(fl2), set(0) +++
kindex: 0, type: flow:src-ip,proto,dst-port
valtype: number, references: 0
algorithm: flow:hash
items: 0, size: 280
0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000
0:02 [2] zfscurr0# ipfw table fl2 list
+++ table(fl2), set(0) +++
2a02:6b8::333,6,443 45000
10.0.0.92,6,80 22000
0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'
00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
0:03 [2] zfscurr0# ipfw show
00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
65535 617 59416 allow ip from any to any
0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80
Trying 78.46.89.105...
..
0:04 [2] zfscurr0# ipfw show
00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2)
65535 682 66733 allow ip from any to any
|
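The two mechanisms this commit describes for flow tables, a per-table mask of the tuple fields that take part in the match and an auto-growing chained hash table, as an added example in C that is not ipfw's flow:hash implementation. It is IPv4 only; the type names, the FL_* field mask, the FNV-1a hash and the sample addresses are this example's own choices, and the demo table reproduces the commit's 10.0.0.92,tcp,80 -> 22000 entry as constructed data.

```c
/* Added example, not ipfw's flow:hash code: a minimal flow table keyed on a
 * configurable subset of the 5-tuple, showing a per-table mask of fields to
 * compare and an auto-growing chained hash table.  IPv4 only; the names, FL_*
 * mask, hash function and sample data are this example's own choices. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { FL_SRC_IP = 1, FL_PROTO = 2, FL_SRC_PORT = 4, FL_DST_IP = 8, FL_DST_PORT = 16 };

struct flow_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
struct flow_ent { struct flow_key key; uint32_t value; struct flow_ent *next; };
struct flow_table { unsigned fields; size_t nbuckets, items; struct flow_ent **buckets; };

/* Zero the fields the table does not compare, so packets of one flow hash and compare
 * equal; memset() also clears struct padding, which makes memcmp() on keys safe. */
static void flow_canon(const struct flow_table *t, const struct flow_key *k, struct flow_key *c)
{
    memset(c, 0, sizeof(*c));
    if (t->fields & FL_SRC_IP)   c->src_ip   = k->src_ip;
    if (t->fields & FL_DST_IP)   c->dst_ip   = k->dst_ip;
    if (t->fields & FL_SRC_PORT) c->src_port = k->src_port;
    if (t->fields & FL_DST_PORT) c->dst_port = k->dst_port;
    if (t->fields & FL_PROTO)    c->proto    = k->proto;
}

static uint32_t flow_hash(const struct flow_key *c)   /* FNV-1a over the canonical key */
{
    const unsigned char *p = (const unsigned char *)c;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof(*c); i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Double the bucket array and re-chain every entry; on allocation failure the old
 * array is kept and chains simply get longer. */
static void flow_grow(struct flow_table *t)
{
    size_t nb = t->nbuckets * 2;
    struct flow_ent **nbk = calloc(nb, sizeof(*nbk));
    if (nbk == NULL) return;
    for (size_t i = 0; i < t->nbuckets; i++)
        for (struct flow_ent *e = t->buckets[i], *nx; e != NULL; e = nx) {
            size_t b = flow_hash(&e->key) % nb;
            nx = e->next; e->next = nbk[b]; nbk[b] = e;
        }
    free(t->buckets); t->buckets = nbk; t->nbuckets = nb;
}

static struct flow_ent *flow_find(const struct flow_table *t, const struct flow_key *c)
{
    for (struct flow_ent *e = t->buckets[flow_hash(c) % t->nbuckets]; e != NULL; e = e->next)
        if (memcmp(&e->key, c, sizeof(*c)) == 0) return e;
    return NULL;
}

/* Insert, or update the value when the masked key is already present. */
bool flow_add(struct flow_table *t, const struct flow_key *k, uint32_t value)
{
    struct flow_key c; flow_canon(t, k, &c);
    struct flow_ent *e = flow_find(t, &c);
    if (e == NULL) {
        if ((e = malloc(sizeof(*e))) == NULL) return false;
        memcpy(&e->key, &c, sizeof(c));
        size_t b = flow_hash(&c) % t->nbuckets;
        e->next = t->buckets[b]; t->buckets[b] = e;
        if (++t->items > t->nbuckets) flow_grow(t);   /* keep the load factor <= 1 */
    }
    e->value = value;
    return true;
}

/* Look a packet's full tuple up; only the table's masked fields take part. */
bool flow_lookup(const struct flow_table *t, const struct flow_key *k, uint32_t *value)
{
    struct flow_key c; flow_canon(t, k, &c);
    struct flow_ent *e = flow_find(t, &c);
    if (e != NULL) *value = e->value;
    return e != NULL;
}

/* Demo mirroring the commit's example: a table on src-ip,proto,dst-port holding
 * 10.0.0.92,tcp,80 -> 22000 (constructed data) plus filler entries that force it to
 * grow from 2 buckets.  Returns the value matched for the tuple, or 0 on a miss. */
uint32_t flow_demo(uint32_t src_ip, uint8_t proto, uint16_t src_port, uint32_t dst_ip, uint16_t dst_port)
{
    static struct flow_table t = { .fields = FL_SRC_IP | FL_PROTO | FL_DST_PORT, .nbuckets = 2 };
    if (t.buckets == NULL) {
        struct flow_key k = { .src_ip = 0x0a00005c, .proto = 6, .dst_port = 80 };
        if ((t.buckets = calloc(t.nbuckets, sizeof(*t.buckets))) == NULL) return 0;
        flow_add(&t, &k, 22000);
        for (uint16_t p = 1000; p < 1010; p++) {
            struct flow_key f = { .src_ip = 0x0a000001, .proto = 17, .dst_port = p };
            flow_add(&t, &f, p);
        }
    }
    struct flow_key q = { .src_ip = src_ip, .dst_ip = dst_ip, .src_port = src_port, .dst_port = dst_port, .proto = proto };
    uint32_t v = 0;
    return flow_lookup(&t, &q, &v) ? v : 0;
}
```

The canonicalisation step is the part worth copying: if unmasked fields are left in the key, two packets of the same flow with different destination addresses or source ports hash into different buckets and the table silently stops matching.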
#
b23d5de9 |
|
30-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add number:array algorithm lookup method.

Kernel changes:
* s/IPFW_TABLE_U32/IPFW_TABLE_NUMBER/
* Force "lookup <port|uid|gid|jid>" to be IPFW_TABLE_NUMBER
* Support "lookup" method for number tables
* Add number:array algorithm (i32 as key, auto-growing).

Userland changes:
* Support named tables in "lookup <tag> Table"
* Fix handling of "table(NAME,val)" case
* Support printing "number" table data.
|
#
68394ec8 |
|
28-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add generic ipfw interface tracking API
* Rewrite interface tables to use interface indexes

Kernel changes:
* Add generic interface tracking API:
  - ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates state & bumps ref)
  - ipfw_iface_add_ntfy (UH_WLOCK+WLOCK, links consumer & runs its callback to update ifindex)
  - ipfw_iface_del_ntfy (UH_WLOCK+WLOCK, unlinks consumer)
  - ipfw_iface_unref (unlocked, drops reference)
  Additionally, consumer callbacks are called in interface withdrawal/departure.
* Rewrite interface tables to use iface tracking API. Currently tables are implemented the following way: runtime data is stored as sorted array of {ifidx, val} for existing interfaces; full data is stored inside namedobj instance (chained hashed table).
* Add IP_FW_XIFLIST opcode to dump status of tracked interfaces
* Pass @chain ptr to most non-locked algorithm callbacks (prepare_add, prepare_del, flush_entry ..). This may be needed for better interaction of given algorithm and other ipfw subsystems
* Add optional "change_ti" algorithm handler to permit updating of cached table_info pointer (happens in case of table_max resize)
* Fix small bug in ipfw_list_tables()
* Add badd (insert into sorted array) and bdel (remove from sorted array) funcs

Userland changes:
* Add "iflist" cmd to print status of currently tracked interfaces
* Add stringnum_cmp for better interface/table names sorting
|
#
7e767c79 |
|
08-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Use different rule structures in kernel/userland.
* Switch kernel to use per-cpu counters for rules.
* Keep ABI/API.

Kernel changes:
* Each rule is now exported as TLV with optional extendable counter block (ip_fw_bcounter for base one) and ip_fw_rule for rule&cmd data.
* Counters need to be explicitly requested by IPFW_CFG_GET_COUNTERS flag.
* Separate counters from rules in kernel and clean up ip_fw a bit.
* Pack each rule in IPFW_TLV_RULE_ENT tlv to ease parsing.
* Introduce versioning in container TLV (may be needed in future).
* Fix ipfw_cfg_lheader broken u64 alignment.

Userland changes:
* Use set_mask from cfg header when requesting config
* Fix incorrect read accounting in ipfw_show_config()
* Use IPFW_RULE_NOOPT flag instead of playing with _pad
* Fix "ipfw -d list": do not print counters for dynamic states
* Some small fixes
|
#
6447bae6 |
|
06-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Prepare to pass other dynamic states via ipfw_dump_config()

Kernel changes:
* Change dump format for dynamic states: each state is now stored inside ipfw_obj_dyntlv; last dynamic state is indicated by IPFW_DF_LAST flag
* Do not perform sooptcopyout() for !SOPT_GET requests.

Userland changes:
* Introduce foreach_state() function handler to ease work with different states passed by ipfw_dump_config().
|
#
ac35ff17 |
|
03-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fully switch to named tables:

Kernel changes:
* Introduce ipfw_obj_tentry table entry structure to force u64 alignment.
* Support "update-on-existing-key" "add" behavior (TEI_FLAGS_UPDATED).
* Use "subtype" field to distinguish between IPv4 and IPv6 table records instead of previous hack.
* Add value type (vtype) field for kernel tables. Current types are number, ip and dscp
* Fix sets mask retrieval for old binaries
* Fix crash while using interface tables

Userland changes:
* Switch ipfw_table_handler() to use named-only tables.
* Add "table NAME create [type {cidr|iface|u32} [valtype {number|ip|dscp}] ..."
* Switch ipfw_table_handler to match_token()-based parser.
* Switch ipfw_sets_handler to use new ipfw_get_config() for mask retrieval.
* Allow ipfw set X table ... syntax to permit using per-set table namespaces.
|
#
6c2997ff |
|
29-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new IP_FW_XADD opcode which permits to a) specify table ids as names b) add multiple rules at once. Partially convert current code for atomic addition of multiple rules.
|
#
2aa75134 |
|
29-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Enable kernel-side rule filtering based on user request. Make do_get3() function return real error.
|
#
563b5ab1 |
|
28-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Support showing named tables in ipfw(8) rule listing.

Kernel changes:
* change base TLV header to be u64 (so size can be u32).
* Introduce ipfw_obj_ctlv generic container TLV.
* Add IP_FW_XGET opcode which is now used for atomic configuration retrieval. One can specify needed configuration pieces to retrieve via flags field. Currently supported are IPFW_CFG_GET_STATIC (static rules) and IPFW_CFG_GET_STATES (dynamic states). Other configuration pieces (tables, pipes, etc..) support is planned.

Userland changes:
* Switch ipfw(8) to use new IP_FW_XGET for rule listing.
* Split rule listing code into get and show pieces.
* Make several steps forward towards libipfw: permit printing states and rules (partially) to supplied buffer. Do not die on malloc/kernel failure inside given printing functions. Stop assuming cmdline_opts is global symbol.
|
#
f1220db8 |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move further to eliminate next pieces of number-assuming code inside tables.

Kernel changes:
* Add IP_FW_OBJ_FLUSH opcode (flush table based on its name/set)
* Add IP_FW_OBJ_DUMP opcode (dumps table data based on its names/set)
* Add IP_FW_OBJ_LISTSIZE / IP_FW_OBJ_LIST opcodes (get list of kernel tables)

Userland changes:
* move tables code to separate tables.c file
* get rid of tables_max
* switch "all"/list handling to new opcodes
|
#
9f7d47b0 |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add API to ease adding new algorithms/new tabletypes to ipfw.

Kernel-side changelog:
* Split general tables code and algorithm-specific table data. Current algorithms (IPv4/IPv6 radix and interface tables radix) moved to new ip_fw_table_algo.c file. Tables code now supports any algorithm implementing the following callbacks:

  +struct table_algo {
  +        char             name[64];
  +        int              idx;
  +        ta_init          *init;
  +        ta_destroy       *destroy;
  +        table_lookup_t   *lookup;
  +        ta_prepare_add   *prepare_add;
  +        ta_prepare_del   *prepare_del;
  +        ta_add           *add;
  +        ta_del           *del;
  +        ta_flush_entry   *flush_entry;
  +        ta_foreach       *foreach;
  +        ta_dump_entry    *dump_entry;
  +        ta_dump_xentry   *dump_xentry;
  +};

* Change ->state, ->xstate, ->tabletype fields of ip_fw_chain to ->tablestate pointer (array of 32 bytes structures necessary for runtime lookups (can be probably shrunk to 16 bytes later):

  +struct table_info {
  +        table_lookup_t   *lookup;    /* Lookup function */
  +        void             *state;     /* Lookup radix/other structure */
  +        void             *xstate;    /* eXtended state */
  +        u_long           data;       /* Hints for given func */
  +};

* Add count method for namedobj instance to ease size calculations
* Bump ip_fw3 buffer in ipfw_clt 128->256 bytes.
* Improve bitmask resizing on tables_max change.
* Remove table numbers checking from most places.
* Fix wrong nesting in ipfw_rewrite_table_uidx().
* Add IP_FW_OBJ_LIST opcode (list all objects of given type, currently implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_LISTSIZE (get buffer size to hold IP_FW_OBJ_LIST data, currently implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_INFO (requests info for one object of given type).

Some name changes:
s/ipfw_xtable_tlv/ipfw_obj_tlv/ (no table specifics)
s/ipfw_xtable_ntlv/ipfw_obj_ntlv/ (no table specifics)

Userland changes:
* Add do_set3() cmd to ipfw2 to ease dealing with op3-embedded opcodes.
* Add/improve support for destroy/info cmds.
|
#
b074b7bb |
|
12-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Make ipfw tables use names as user-level identifier internally:
* Add namedobject set-aware api capable of searching/allocation objects by their name/idx.
* Switch tables code to use string ids for configuration tasks.
* Change locking model: most configuration changes are protected with UH lock, runtime-visible are protected with both locks.
* Reduce number of arguments passed to ipfw_table_add/del by using separate structure.
* Add internal V_fw_tables_sets tunable (set to 0) to prepare for set-aware tables (requires opcodes/client support)
* Implement typed table referencing (and tables are implicitly allocated with all state like radix ptrs on reference)
* Add "destroy" ipfw(8) using new IP_FW_DELOBJ opcode

Namedobj more detailed:
* Blackbox api providing methods to add/del/search/enumerate objects
* Statically-sized hashes for names/indexes
* Per-set bitmask to indicate free indexes
* Separate methods for index alloc/delete/resize

Basically, there should not be any user-visible changes except the following:
* reducing table_max is not supported
* flush & add change table type won't work if table is referenced

Sponsored by: Yandex LLC
|
#
c3015737 |
|
17-May-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix wrong formatting of 0.0.0.0/X table records in ipfw(8). Add `flags` u16 field to the hole in ipfw_table_xentry structure. Kernel has been guessing address family for supplied record based on xent length size. Userland, however, has been getting fixed-size ipfw_table_xentry structures guessing address family by checking address by IN6_IS_ADDR_V4COMPAT(). Fix this behavior by providing specific IPFW_TCF_INET flag for IPv4 records. PR: bin/189471 Submitted by: Dennis Yusupoff <dyr@smartspb.net> MFC after: 2 weeks
|
#
1058f177 |
|
28-Nov-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Check ipfw table numbers in both user and kernel space before rule addition. Found by: Saychik Pavel <umka@localka.net> MFC after: 2 weeks Sponsored by: Yandex LLC
|
#
4d47b0d6 |
|
27-Nov-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix key lookup in ipfw(8) broken since r232865. Print warning for IPv4 address strings which are valid in inet_aton() but not valid in inet_pton(). (1) Found by: Özkan KIRIK <ozkan.kirik@gmail.com> Submitted by: Ian Smith <smithi@nimnet.asn.au> (1) MFC after: 2 weeks Sponsored by: Yandex LLC
|
#
21278efe |
|
17-May-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix ipfw(8) sets of ipv6 addresses handling. Conditionally use stack buffer instead of calling strdup(). PR: bin/104921 MFC after: 2 weeks
|
#
2d6fcc39 |
|
20-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Remove unused variable.
|
#
ae01d73c |
|
20-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add ipfw support for setting/matching DiffServ codepoints (DSCP). Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. DSCP can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg. Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order):
Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin

PR: kern/102471, kern/121122 MFC after: 2 weeks
|
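The two-word O_DSCP class bitmask this commit introduces, together with the CS4-handled-as-BE boundary bug fixed in the 2016 commit near the top of this section (PR 207459), as an added example in C that is not ipfw(8)'s source. The dscp_* names are this example's own; the codepoint numbers are the standard ones. The faulty variant models the class of bug (an off-by-one at the 32-bit word boundary, where the shift count wraps) rather than reproducing the original expression, which the commit message does not show.

```c
/* Added example, not ipfw(8) code: filling and matching O_DSCP's two-word class
 * bitmask, and the CS4 boundary that PR 207459 fixed.  Function and type names are
 * this example's own; the codepoint numbers are the standard ones (RFC 2474 class
 * selectors, RFC 2597 AF classes, RFC 3246 EF). */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DSCP_PARSE_ERR (~(uint64_t)0)

struct dscp_name { const char *name; uint8_t code; };

static const struct dscp_name dscp_names[] = {
    { "be", 0 },    { "cs0", 0 },   { "cs1", 8 },   { "cs2", 16 },  { "cs3", 24 },
    { "cs4", 32 },  { "cs5", 40 },  { "cs6", 48 },  { "cs7", 56 },  { "ef", 46 },
    { "af11", 10 }, { "af12", 12 }, { "af13", 14 }, { "af21", 18 }, { "af22", 20 },
    { "af23", 22 }, { "af31", 26 }, { "af32", 28 }, { "af33", 30 }, { "af41", 34 },
    { "af42", 36 }, { "af43", 38 },
};

/* Case-insensitive class name -> 6-bit codepoint, or -1 when unknown. */
int dscp_code(const char *name)
{
    for (size_t i = 0; i < sizeof(dscp_names) / sizeof(dscp_names[0]); i++) {
        const char *a = name, *b = dscp_names[i].name;
        while (*a != '\0' && tolower((unsigned char)*a) == tolower((unsigned char)*b))
            a++, b++;
        if (*a == '\0' && *b == '\0')
            return dscp_names[i].code;
    }
    return -1;
}

/* Correct fill: codepoints 0..31 go in the low word, 32..63 in the high one.  The
 * boundary test must be ">= 32": shifting a 32-bit operand by 32 is undefined
 * behaviour in C, and on x86 the count wraps, so 1 << 32 silently becomes 1 << 0. */
bool dscp_set(uint32_t *low, uint32_t *high, int code)
{
    if (code < 0 || code > 63)
        return false;
    if (code >= 32)
        *high |= UINT32_C(1) << (code - 32);
    else
        *low |= UINT32_C(1) << code;
    return true;
}

/* Faulty fill with the boundary off by one (">" instead of ">=").  Code 32 takes
 * the low-word branch; "& 31" reproduces, deterministically, what the wrapped
 * shift count produced in practice: CS4 (32) lands in bit 0, which is BE.  This
 * models the class of bug the fix addressed, not the original expression verbatim. */
bool dscp_set_buggy(uint32_t *low, uint32_t *high, int code)
{
    if (code < 0 || code > 63)
        return false;
    if (code > 32)
        *high |= UINT32_C(1) << (code - 32);
    else
        *low |= UINT32_C(1) << (code & 31);
    return true;
}

typedef bool (*dscp_setter)(uint32_t *, uint32_t *, int);

/* Parse an "af11,af22,be" list through the given setter.  Returns the two words
 * as one 64-bit value (high word in the upper half) or DSCP_PARSE_ERR. */
static uint64_t dscp_fill(const char *list, dscp_setter set)
{
    char buf[128];
    uint32_t low = 0, high = 0;

    if (strlen(list) >= sizeof(buf))
        return DSCP_PARSE_ERR;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int code = dscp_code(tok);
        if (code < 0 || !set(&low, &high, code))
            return DSCP_PARSE_ERR;
    }
    return ((uint64_t)high << 32) | low;
}

uint64_t dscp_parse64(const char *list)       { return dscp_fill(list, dscp_set); }
uint64_t dscp_parse64_buggy(const char *list) { return dscp_fill(list, dscp_set_buggy); }

/* Match a packet against a parsed mask: the codepoint is the top 6 bits of the
 * IPv4 TOS byte (IPv6 traffic class), i.e. tos >> 2. */
bool dscp_match(uint64_t mask, uint8_t tos)
{
    return (mask >> (tos >> 2)) & 1;
}
```

The practical consequence of the faulty variant is a silent policy change rather than a crash: a rule written as "dscp cs4" matched best-effort traffic instead, so whatever that rule allowed or shaped applied to the wrong class. The check worth adding to any such table is exactly the one in the test below: set the boundary codepoint and confirm it never aliases to codepoint 0.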
#
f71133f6 |
|
04-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Do not suddenly fail on some rulesets if -n (syntax check only) is specified and ipfw(4) module is not loaded. MFC after: 2 weeks
|
#
579ed7bd |
|
03-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Implement buffer size checking in ipfw(8) add cmd. PR: bin/65961 Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru> MFC after: 2 weeks
|
#
136b1ada |
|
02-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fix ipfw table argument parsing/printing. Fix style. PR: kern/175909 Submitted by: Daniel Hagerty <hag@linnaean.org> MFC after: 2 weeks
|
#
a4a16855 |
|
30-Jul-2012 |
Luigi Rizzo <luigi@FreeBSD.org> |
remove the last __unused instance in sbin/ipfw. For this particular function (show_prerequisites()) we should actually remove the argument from the callers as well, but I'll do it at a later time.
|
#
6a7bb02d |
|
30-Jul-2012 |
Luigi Rizzo <luigi@FreeBSD.org> |
Fix some compile errors at high WARNS, including one for an uninitialized variable. unused parameters and variables are annotated with (void)foo; /* UNUSED */ instead of __unused, because this code needs to build also on linux and windows.
|
#
732d27b3 |
|
25-Mar-2012 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
- Permit number of ipfw tables to be changed at runtime. net.inet.ip.fw.tables_max is now read-write.
- Bump IPFW_TABLES_MAX to 65535. Default number of tables is still 128
- Remove IPFW_TABLES_MAX from ipfw(8) code.
Sponsored by Yandex LLC Approved by: kib (mentor) MFC after: 2 weeks
|
#
f8bee51a |
|
12-Mar-2012 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
- Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be loader tunable in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds

No ABI changes are introduced. Old userland will see valid tables for IPv4 tables and no entries otherwise. Flush works for any table.

IP_FW3 socket option is used to encapsulate all new opcodes:

/* IP_FW3 header/opcodes */
typedef struct _ip_fw3_opheader {
        uint16_t opcode;        /* Operation opcode */
        uint16_t reserved[3];   /* Align to 64-bit boundary */
} ip_fw3_opheader;

New opcodes added: IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

ipfw(8) table argument parsing behavior is changed: 'ipfw table 999 add host' now assumes 'host' to be interface name instead of hostname.

New tunable: net.inet.ip.fw.tables_max controls number of tables supported by ipfw in given VNET instance. 128 is still the default value.

New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out

This is a bit hackish, special interface name '\1' is used to signal interface table number is passed in p.glob field.

Sponsored by Yandex LLC Reviewed by: ae Approved by: ae (mentor) MFC after: 4 weeks
|
#
23ccd3d9 |
|
06-Feb-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Make the 'tcpwin' option of ipfw(8) accept ranges and lists. Submitted by: sem
|
#
4b85a12f |
|
07-Jan-2012 |
Ulrich Spörlein <uqs@FreeBSD.org> |
Spelling fixes for sbin/
|
#
8a006adb |
|
20-Aug-2011 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add support for IPv6 to ipfw fwd: Distinguish IPv4 and IPv6 addresses and optional port numbers in user space to set the option for the correct protocol family. Add support in the kernel for carrying the new IPv6 destination address and port. Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change the address in the IP header. Add support for IPv6 forwarding to a non-local destination. Add a regression test utilizing VIMAGE to check all 20 possible combinations I could think of. Obtained from: David Dolson at Sandvine Incorporated (original version for ipfw fwd IPv6 support) Sponsored by: Sandvine Incorporated PR: bin/117214 MFC after: 4 weeks Approved by: re (kib)
|
#
e89359c2 |
|
17-Aug-2011 |
John Baldwin <jhb@FreeBSD.org> |
Fix a regression where a rule containing a source port option after a destination IP would incorrectly display the source port as a destination port. Reviewed by: luigi Approved by: re (kib) MFC after: 1 week
|
#
9527ec6e |
|
29-Jun-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add new rule actions "call" and "return" to ipfw. They make it possible to organize subroutines with rules. The "call" action saves the current rule number in the internal stack and rule processing continues from the first rule with the specified number (similar to the skipto action). If later a rule with the "return" action is encountered, processing returns to the first rule with a number equal to the "call" rule number saved in the stack plus one or higher. Submitted by: Vadim Goncharov Discussed by: ipfw@, luigi@
|
#
5f301949 |
|
18-Jun-2011 |
Ben Laurie <benl@FreeBSD.org> |
Fix clang warnings. Approved by: philip (mentor)
|
#
1875bbfe |
|
14-Jun-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Implement "global" mode for ipfw nat. It is similar to the natd(8) "globalport" option for multiple NAT instances. If an ipfw rule contains the "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, the packet is aliased according to that entry, otherwise the packet is passed unchanged. The user can specify the "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode. PR: kern/157867 Submitted by: Alexander V. Chernikov (previous version) Tested by: Eugene Grosbein
|
#
41b60837 |
|
29-May-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add tablearg support for ipfw setfib. PR: kern/156410 MFC after: 2 weeks
|
#
ffbeadc4 |
|
18-Apr-2011 |
Gleb Smirnoff <glebius@FreeBSD.org> |
More whitespace fixes. Checked with: md5, diff -x -w
|
#
5221106c |
|
18-Apr-2011 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Whitespace fixes. Checked with: md5, diff -w
|
#
ae99fd0e |
|
12-Nov-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
The first customer of the SO_USER_COOKIE option: the "sockarg" ipfw option matches packets associated to a local socket and with a non-zero so_user_cookie value. The value is made available as tablearg, so it can be used as a skipto target or pipe number in ipfw/dummynet rules. Code by Paul Joe, manpage by me. Submitted by: Paul Joe MFC after: 1 week
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
d55ebfbd |
|
19-Apr-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
fix 64-bit build Reported by: Robert Noland
|
#
37133ba7 |
|
19-Apr-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
Slightly different handling of printf/snprintf for unaligned uint64_t, which should improve readability, and also to ease the port to platforms that do not support %llu MFC after: 3 days
|
#
e42bcb87 |
|
11-Apr-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
MFC r206266: Set net.inet6.ip6.fw.enable as well.
|
#
c323a5fa |
|
05-Apr-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Set net.inet6.ip6.fw.enable as well.
|
#
8c5156f3 |
|
24-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
fix handling of "ipfw set N ..." Submitted by: Marcin Wisnicki
|
#
c72c2330 |
|
24-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
fix another bug in "ipfw set N ..." Submitted by: Marcin Wisnicki
|
#
8018e843 |
|
23-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
MFC of a large number of ipfw and dummynet fixes and enhancements done in CURRENT over the last 4 months. HEAD and RELENG_8 are almost in sync now for ipfw, dummynet, the pfil hooks and related components.

Among the most noticeable changes:
- r200855 more efficient lookup of skipto rules, and remove O(N) blocks from critical sections in the kernel;
- r204591 large restructuring of the dummynet module, with support for multiple scheduling algorithms (4 available so far)

See the original commit logs for details. Changes in the kernel/userland ABI should be harmless because the kernel is able to understand previous requests from RELENG_8 and RELENG_7. For this reason, this changeset would be applicable to RELENG_7 as well, but I am not sure if it is worthwhile.
|
#
f2f7c144 |
|
22-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
mfc r205179: print correctly addresses with an OR block
|
#
948165be |
|
22-Mar-2010 |
Gleb Smirnoff <glebius@FreeBSD.org> |
MFC r200183 by luigi: restore setting of sin_len (was removed in 1.146 last february) as it seems that now it is necessary for 'forward' to work outside lo0. Approved by: luigi
|
#
f68f58e5 |
|
15-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
print correctly commands of the form
    ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 }
(note that the above example could be better written as
    ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8
Submitted by: Riccardo Panicucci
|
#
72662a75 |
|
15-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits of ip->ip_tos) in a table. This can be useful to direct traffic to different pipes/queues according to the DSCP of the packet, as follows:
    ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue
This change is a no-op (but harmless) until the two-line kernel side is committed, which will happen shortly.
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
c751221a |
|
04-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
fix handling of sets
|
#
cc4d3c30 |
|
02-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
Bring in the most recent version of ipfw and dummynet, developed and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet.

The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ. Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits.

CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.
|
#
472099c4 |
|
15-Dec-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
implement a new match option, lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N which searches the specified field in table N and sets tablearg accordingly. With dst-ip or src-ip the option replicates two existing options. When used with other arguments, the option can be useful to quickly dispatch traffic based on other fields. Work supported by the Onelab project. MFC after: 1 week
|
#
6e47ca1b |
|
06-Dec-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
restore setting of sin_len (was removed in 1.146 last february) as it seems that now it is necessary for 'forward' to work outside lo0. The bug (and fix) was reported on 8.0. This patch probably applies to RELENG_7 as well. It seems that 'pf' has a similar bug. Submitted by: Lytochkin Boris MFC after: 3 days
|
#
91dbeea7 |
|
08-Jun-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
add a missing format in a printf Detected building with gcc 4.3.3 MFC after: 3 days
|
#
b87ce554 |
|
05-Jun-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Several ipfw options and actions use a 16-bit argument to indicate pipes, queues, tags, rule numbers and so on. These are all different namespaces, and the only thing they have in common is the fact they use a 16-bit slot to represent the argument. There is some confusion in the code, mostly for historical reasons, on how the values 0 and 65535 should be used. At the moment, 0 is forbidden almost everywhere, while 65535 is used to represent a 'tablearg' argument, i.e. the result of the most recent table() lookup. For now, try to use explicit constants for the min and max allowed values, and do not overload the default rule number for that. Also, make the MTAG_IPFW declaration only visible to the kernel. NOTE: I think the issue needs to be revisited before 8.0 is out: the 2^16 namespace limit for rule numbers and pipe/queue is annoying, and we can easily bump the limit to 2^32 which gives a lot more flexibility in partitioning the namespace. MFC after: 5 days
|
#
eb2e4119 |
|
01-Apr-2009 |
Paolo Pisati <piso@FreeBSD.org> |
Implement an ipfw action to reassemble ip packets: reass.
|
#
a52e28c7 |
|
02-Feb-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Explain that we assume AF_INET and only use the addr and port field from a struct sockaddr_in, so there is no need to initialize sin_len
|
#
23c608c8 |
|
01-Feb-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
put the altq-related functions into a separate file. Minor cleanup of the includes used by the various source files, including annotations of why certain headers are used.
|
#
50a99912 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
fix printing of uint64_t values, so we can use WARNS=2
|
#
ead75a59 |
|
26-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Put nat and ipv6 support in their own files. Usual moving of code with no changes from ipfw2.c to the newly created files, and addition of prototypes to ipfw2.h I have added forward declarations for ipfw_insn_* in ipfw2.h to avoid a global dependency on ip_fw.h
|
#
4e9c8ae7 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Put dummynet-related code in a separate file. To this purpose, add prototypes for global functions in ipfw2.h and move there also the list of tokens used in various places in the code.
|
#
3c0c8717 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Start splitting the monster file in smaller blocks. In this episode: - introduce a common header with a minimal set of common definitions; - bring the main() function and options parser in main.c - rename the main functions with an ipfw_ prefix No code changes except for the introduction of a global variable, resvd_set_number, which stores the RESVD_SET value from ip_fw.h and is used to remove the dependency of main.c from ip_fw.h (and the subtree of dependencies) for just a single constant.
|
#
0e22daad |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
put the usage() function inline, it was only 1 line and used once; slightly reformat the help() text; slightly correct the text for the 'extraneous filename' error message;
|
#
db7c5224 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
put all options in a single struct, and document them. This will allow us to easily restore the original values when processing commands from a file (where each individual line can have its own options).
|
#
be39e0b2 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
remove a couple of rarely used #define; change PRINT_UINT from a macro to a function (renaming is postponed to reduce clutter)
|
#
5f356082 |
|
26-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
wrap all malloc/calloc/realloc calls so they exit on failure without having to check in each place. Remove a wrong strdup from previous commit.
|
#
c5620639 |
|
26-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Some implementations of getopt() expect that argv[0] is always the program name, and ignore that entry. ipfw2.c code instead skips this entry and starts with options at offset 0, relying on a more tolerant implementation of the library. This change fixes the issue by always passing a program name in the first entry to getopt. The motivation for this change is to remove a potential compatibility issue should we use a different getopt() implementation in the future. No functional changes. Submitted by: Marta Carbone (parts) MFC after: 4 weeks
|
#
e5dbf736 |
|
22-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
remove some useless #include, document why timeconv.h is needed MFC after: 3 days
|
#
daa9733a |
|
20-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Fix a number of (innocuous) warnings, and remove a useless test. There are still several signed/unsigned warnings left, which require a bit more study for a proper fix. This file has grown beyond reasonable limits. We really need to split it into separate components (ipv4, ipv6, dummynet, nat, table, userland-kernel communication ...) so we can make maintenance easier. MFC after: 1 week
|
#
3fc7bd58 |
|
18-Dec-2008 |
Paolo Pisati <piso@FreeBSD.org> |
Honor the quiet (-q) option while adding a nat rule. Submitted by: Andrey V. Elsukov <bu7cher@yandex.ru> MFC after: 3 days
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
20e58023 |
|
14-Oct-2008 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Remove debug code and restore accidentally deleted code from a previous commit.
|
#
92531c02 |
|
14-Oct-2008 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Do nothing in show_nat() for a test mode (-n). This prevents show_nat() from an endless loop and makes ipfw -n nat <...> work. PR: bin/128064 Submitted by: sem MFC after: 1 month
|
#
e7ef3e94 |
|
27-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Fix the build. Noted by: ganbold@
|
#
c15c2490 |
|
27-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Add keyword all in addition to the table number for the 'list' and the 'flush' actions on tables. Part of PR: 127058. PR: 127058 (based on) MFC after: 1 month
|
#
7bf717b7 |
|
21-Sep-2008 |
Giorgos Keramidas <keramida@FreeBSD.org> |
Unbreak the build.
|
#
eba1dd21 |
|
21-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Add the check of the table number.
|
#
5ec36cd6 |
|
20-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Move table list to a separate function.
|
#
b0000a98 |
|
20-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Free allocated memory.
|
#
015002df |
|
20-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Remove some unused variables.
|
#
b88a2fe1 |
|
20-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Style(9) the show_nat() function.
|
#
03d4b38d |
|
20-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Do not do the useless job for an empty table. MFC after: 1 month
|
#
759dd6f7 |
|
06-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
Use IPFW_DEFAULT_RULE instead of hardcoded value since now it is available. MFC after: 5 days.
|
#
05b0fdac |
|
10-May-2008 |
Julian Elischer <julian@FreeBSD.org> |
Change two variables to size_t to improve portability. Submitted by: Xin Li
|
#
8b07e49a |
|
09-May-2008 |
Julian Elischer <julian@FreeBSD.org> |
Add code to allow the system to handle multiple routing tables. This particular implementation is designed to be fully backwards compatible and to be MFC-able to 7.x (and 6.x). Currently the only protocol that can make use of the multiple tables is IPv4. Similar functionality exists in OpenBSD and Linux. From my notes: ----- One thing where FreeBSD has been falling behind, and which by chance I have some time to work on is "policy based routing", which allows different packet streams to be routed by more than just the destination address. Constraints: ------------ I want to make some form of this available in the 6.x tree (and by extension 7.x), but FreeBSD in general needs it so I might as well do it in -current and back port the portions I need. One of the ways that this can be done is to have the ability to instantiate multiple kernel routing tables (which I will now refer to as "Forwarding Information Bases" or "FIBs" for political correctness reasons). Which FIB a particular packet uses to make the next hop decision can be decided by a number of mechanisms. The policies these mechanisms implement are the "Policies" referred to in "Policy based routing". One of the constraints I have if I try to back port this work to 6.x is that it must be implemented as an EXTENSION to the existing ABIs in 6.x so that third party applications do not need to be recompiled in the timespan of the branch. This first version will not have some of the bells and whistles that will come with later versions. It will, for example, be limited to 16 tables in the first commit. Implementation method, Compatible version. (part 1) ------------------------------- For this reason I have implemented a "sufficient subset" of a multiple routing table solution in Perforce, and back-ported it to 6.x. (also in Perforce though not always caught up with what I have done in -current/P4). 
The subset allows a number of FIBs to be defined at compile time (8 is sufficient for my purposes in 6.x) and implements the changes needed to allow IPV4 to use them. I have not done the changes for ipv6 simply because I do not need it, and I do not have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it. Other protocol families are left untouched and should there be users with proprietary protocol families, they should continue to work and be oblivious to the existence of the extra FIBs. To understand how this is done, one must know that the current FIB code starts everything off with a single dimensional array of pointers to FIB head structures (One per protocol family), each of which in turn points to the trie of routes available to that family. The basic change in the ABI compatible version of the change is to extend that array to be a 2 dimensional array, so that instead of protocol family X looking at rt_tables[X] for the table it needs, it looks at rt_tables[Y][X], where for all protocol families except ipv4 Y is always 0. Code that is unaware of the change always just sees the first row of the table, which of course looks just like the one dimensional array that existed before. The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign() are all maintained, but refer only to the first row of the array, so that existing callers in proprietary protocols can continue to do the "right thing". Some new entry points are added, for the exclusive use of ipv4 code called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(), which have an extra argument which refers the code to the correct row. In addition, there are some new entry points (currently called rtalloc_fib() and friends) that check the Address family being looked up and call either rtalloc() (and friends) if the protocol is not IPv4 forcing the action to row 0 or to the appropriate row if it IS IPv4 (and that info is available). 
These are for calling from code that is not specific to any particular protocol. The way these are implemented would change in the non ABI preserving code to be added later. One feature of the first version of the code is that for ipv4, the interface routes show up automatically on all the FIBs, so that no matter what FIB you select you always have the basic direct attached hosts available to you. (rtinit() does this automatically). You CAN delete an interface route from one FIB should you want to but by default it's there. ARP information is also available in each FIB. It's assumed that the same machine would have the same MAC address, regardless of which FIB you are using to get to it. This brings us as to how the correct FIB is selected for an outgoing IPV4 packet. Firstly, all packets have a FIB associated with them. If nothing has been done to change it, it will be FIB 0. The FIB is changed in the following ways. Packets fall into one of a number of classes. 1/ locally generated packets, coming from a socket/PCB. Such packets select a FIB from a number associated with the socket/PCB. This in turn is inherited from the process, but can be changed by a socket option. The process in turn inherits it on fork. I have written a utility called setfib that acts a bit like nice.. setfib -3 ping target.example.com # will use fib 3 for ping. It is an obvious extension to make it a property of a jail but I have not done so. It can be achieved by combining the setfib and jail commands. 2/ packets received on an interface for forwarding. By default these packets would use table 0, (or possibly a number settable in a sysctl(not yet)). but prior to routing the firewall can inspect them (see below). (possibly in the future you may be able to associate a FIB with packets received on an interface.. An ifconfig arg, but not yet.) 3/ packets inspected by a packet classifier, which can arbitrarily associate a fib with it on a packet by packet basis. 
A fib assigned to a packet by a packet classifier (such as ipfw) would override a fib associated by a more default source. (such as cases 1 or 2). 4/ a tcp listen socket associated with a fib will generate accept sockets that are associated with that same fib. 5/ Packets generated in response to some other packet (e.g. reset or icmp packets). These should use the FIB associated with the packet being responded to. 6/ Packets generated during encapsulation. gif, tun and other tunnel interfaces will encapsulate using the FIB that was in effect with the process that set up the tunnel. thus setfib 1 ifconfig gif0 [tunnel instructions] will set the fib for the tunnel to use to be fib 1. Routing messages would be associated with their process, and thus select one FIB or another. messages from the kernel would be associated with the fib they refer to and would only be received by a routing socket associated with that fib. (not yet implemented) In addition Netstat has been edited to be able to cope with the fact that the array is now 2 dimensional. (It looks in system memory using libkvm (!)). Old versions of netstat see only the first FIB. In addition two sysctls are added to give: a) the number of FIBs compiled in (active) b) the default FIB of the calling process. Early testing experience: ------------------------- Basically our (IronPort's) appliance does this functionality already using ipfw fwd but that method has some drawbacks. For example, it can't fully simulate a routing table because it can't influence the socket's choice of local address when a connect() is done. Testing during the generating of these changes has been remarkably smooth so far. Multiple tables have co-existed with no notable side effects, and packets have been routed accordingly. ipfw has grown 2 new keywords: setfib N ip from any to any count ip from any to any fib N In pf there seems to be a requirement to be able to give symbolic names to the fibs but I do not have that capacity. 
I am not sure if it is required. SCTP has interestingly enough built in support for this, called VRFs in Cisco parlance. it will be interesting to see how that handles it when it suddenly actually does something. Where to next: -------------------- After committing the ABI compatible version and MFCing it, I'd like to proceed in a forward direction in -current. this will result in some roto-tilling in the routing code. Firstly: the current code's idea of having a separate tree per protocol family, all of the same format, and pointed to by the 1 dimensional array is a bit silly. Especially when one considers that there is code that makes assumptions about every protocol having the same internal structures there. Some protocols don't WANT that sort of structure. (for example the whole idea of a netmask is foreign to appletalk). This needs to be made opaque to the external code. My suggested first change is to add routing method pointers to the 'domain' structure, along with information pointing the data. instead of having an array of pointers to uniform structures, there would be an array pointing to the 'domain' structures for each protocol address domain (protocol family), and the methods this reached would be called. The methods would have an argument that gives FIB number, but the protocol would be free to ignore it. When the ABI can be changed it raises the possibility of the addition of a fib entry into the "struct route". Currently, the structure contains the sockaddr of the destination, and the resulting fib entry. To make this work fully, one could add a fib number so that given an address and a fib, one can find the third element, the fib entry. Interaction with the ARP layer/ LL layer would need to be revisited as well. Qing Li has been working on this already. This work was sponsored by Ironport Systems/Cisco Reviewed by: several including rwatson, bz and mlair (parts each) Obtained from: Ironport systems/Cisco
|
#
2b2c3b23 |
|
27-Feb-2008 |
David Malone <dwmalone@FreeBSD.org> |
Dummynet has a limit of 100 slots queue size (or 1MB, if you give the limit in bytes) hard coded into both the kernel and userland. Make both these limits a sysctl, so it is easy to change the limit. If the userland part of ipfw finds that the sysctls don't exist, it will just fall back to the traditional limits. (100 packets is quite a small limit these days. If you want to test TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.) Note these sysctls in the man page and warn against increasing them without thinking first. MFC after: 3 weeks
|
#
f94a7fc0 |
|
24-Feb-2008 |
Paolo Pisati <piso@FreeBSD.org> |
Add table/tablearg support to ipfw's nat. MFC After: 1 week
|
#
d956bdf3 |
|
21-Feb-2008 |
Paolo Pisati <piso@FreeBSD.org> |
-Fix display of nat range. -Whitespace elimination. Bug spotted by: Luiz Otavio O Souza MFC After: 3 days
|
#
c879f6ec |
|
18-Feb-2008 |
Paolo Pisati <piso@FreeBSD.org> |
Fix display of multiple nat rules. Bug spotted by: Luiz Otavio O Souza PR: 120734 MFC After: 3 days
|
#
0943a3b7 |
|
18-Feb-2008 |
Julian Elischer <julian@FreeBSD.org> |
Instead of using a heuristic to decide whether to display table 'values' as IP addresses, use an explicit argument (-i). This is a 'POLA' issue. This is a low risk change and should be MFC'd to RELENG_6 and RELENG 7. it might be put as an errata item for 6.3. (not sure about 6.2). Fix suggested by: Eugene Grosbein PR: 120720 MFC After: 3 days
|
#
bb5081a7 |
|
25-Jan-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Hide ipfw internal data structures behind IPFW_INTERNAL rather than exposing them to all consumers of ip_fw.h. These structures are used in both ipfw(8) and ipfw(4), but not part of the user<->kernel interface for other applications to use, rather, shared implementation. MFC after: 3 days Reported by: Paul Vixie <paul at vix dot com>
|
#
8c03c6c0 |
|
20-Jan-2008 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix ipfw(8) command line parser bug: "ipfw nat 1 config if" requires an argument. PR: bin/119815 Submitted by: Dierk Sacher MFC after: 1 week
|
#
d60810f2 |
|
17-Dec-2007 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
Calculate p.fs.lookup_step correctly. This should prevent zeroing of w_q_lookup table (used in RED algorithm for (1 - w_q)^t computation). MFC after: 1 month
|
#
f5800732 |
|
27-Oct-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix indentation. No functional changes.
|
#
06d703ef |
|
18-Oct-2007 |
Rui Paulo <rpaulo@FreeBSD.org> |
Comply with the removal of IPTOS_CE and IPTOS_ECT. Discussed on freebsd-net with no objections. Approved by: njl (mentor), rwatson
|
#
087aa087 |
|
23-Sep-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Cosmetic: fix the issue when "ipfw(8) show" produces "not" twice: $ ipfw -n add 1 allow layer2 not mac-type ip 00001 allow ip from any to any layer2 not not mac-type 0x0800 PR: bin/115372 Submitted by: Andrey V. Elsukov Approved by: re (hrs) MFC after: 3 weeks
|
#
4a296ec7 |
|
26-Aug-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix bug I introduced in the previous commit (ipfw set extension): pack a set number correctly. Submitted by: oleg o Plug a memory leak. Submitted by: oleg and Andrey V. Elsukov Approved by: re (kensmith) MFC after: 1 week
|
#
d069a5d4 |
|
18-Jun-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Make ipfw set more robust -- now it is possible: - to show a specific set: ipfw set 3 show - to delete rules from the set: ipfw set 9 delete 100 200 300 - to flush the set: ipfw set 4 flush - to reset rules counters in the set: ipfw set 1 zero PR: kern/113388 Submitted by: Andrey V. Elsukov Approved by: re (kensmith) MFC after: 6 weeks
|
#
bd1d3456 |
|
09-May-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Teach get_mac_addr_mask() to not silently accept incorrect MAC addresses. o Swap a couple of magic 6s by ETHER_ADDR_LEN. PR: bin/80913 Submitted by: Andrey V. Elsukov MFC after: 1 month
|
#
7a92401a |
|
04-May-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add support for filtering on Routing Header Type 0 and Mobile IPv6 Routing Header Type 2 in addition to filter on the non-differentiated presence of any Routing Header. MFC after: 3 weeks
|
#
5b41efdd |
|
30-Apr-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Make ipfw(8) show rules with mac/mac-type options correctly. Before: $ ipfw -n add 100 count icmp from any to any mac-type 0x01 00100 count icmp 0x0001 $ ipfw -n add 100 count icmp from any to any mac any any 00100 count icmp MAC any any any After: $ ipfw -n add 100 count icmp from any to any mac-type 0x01 00100 count icmp from any to any mac-type 0x0001 $ ipfw -n add 100 count icmp from any to any mac any any 00100 count icmp from any to any MAC any any PR: bin/112244 Submitted by: Andrey V. Elsukov MFC after: 1 month
|
#
1d9f903a |
|
17-Apr-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Add missed w/space in the error message. Spotted by: Ivan Voras MFC after: 1 week
|
#
c2221c35 |
|
06-Jan-2007 |
Max Laier <mlaier@FreeBSD.org> |
Fix a parsing bug when specifying more than one address with dotted decimal netmask. Reported by: Igor Anishchuk PR: kern/107565 MFC after: 3 days
|
#
ff2f6fe8 |
|
29-Dec-2006 |
Paolo Pisati <piso@FreeBSD.org> |
Summer of Code 2005: improve libalias - part 2 of 2 With the second (and last) part of my previous Summer of Code work, we get: -ipfw's in kernel nat -redirect_* and LSNAT support General information about nat syntax and some examples are available in the ipfw (8) man page. The redirect and LSNAT syntax are identical to natd, so please refer to natd (8) man page. To enable in kernel nat in rc.conf, two options were added: o firewall_nat_enable: equivalent to natd_enable o firewall_nat_interface: equivalent to natd_interface Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to continue being checked by the firewall ruleset after being (de)aliased. NOTA BENE: due to some problems with libalias architecture, in kernel nat won't work with TSO enabled nic, thus you have to disable TSO via ifconfig (ifconfig foo0 -tso). Approved by: glebius (mentor)
|
#
c2438409 |
|
29-Sep-2006 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Check for a required "pathname" argument presence. PR: bin/95146 Submitted by: candy-sendpr@kgc.co.jp MFC after: 3 weeks
|
#
268f526c |
|
16-Sep-2006 |
John Hay <jhay@FreeBSD.org> |
Check the length of the ipv4 and ipv6 address lists. It must be less than F_LEN_MASK. MFC after: 5 days
|
#
e7f2ec53 |
|
16-Sep-2006 |
John Hay <jhay@FreeBSD.org> |
Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(), otherwise this command ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129 turns into icmp6types 1,2,32,33,34,...94,95,128,129 PR: 102422 (part 1) Submitted by: Andrey V. Elsukov <bu7cher at yandex.ru> MFC after: 5 days
|
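The bitmap bug described in the e7f2ec53 entry above (types 1,2,128,129 turning into 1,2,32,33,...,128,129) is easy to reproduce in isolation. The following is an added example written for this page, not code from ipfw2.c: the struct layout, the 256-bit size and every function name are assumptions made for the example. It keeps a "first word only" variant next to the fixed one so the effect of a stale buffer can be measured.

```c
/*
 * Added example (not ipfw2.c code): building a bitmap of ICMPv6 types the
 * way an "icmp6types 1,2,128,129" option needs it. The struct, its size and
 * the helper names are assumptions for this example. The point is that the
 * whole bitmap must be zeroed before bits are OR-ed in; otherwise whatever
 * the words beyond the first one held shows up as extra matched types.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ICMP6_TYPE_MAX 255		/* one bit per possible 8-bit type */
#define ICMP6_WORDS ((ICMP6_TYPE_MAX + 1) / 32)

struct icmp6_types {
	uint32_t d[ICMP6_WORDS];	/* bit t%32 of d[t/32] == type t */
};

static void
icmp6_types_set(struct icmp6_types *m, unsigned type)
{
	m->d[type / 32] |= 1u << (type % 32);
}

int
icmp6_types_has(const struct icmp6_types *m, unsigned type)
{
	if (type > ICMP6_TYPE_MAX)
		return 0;
	return (m->d[type / 32] >> (type % 32)) & 1u;
}

/* Number of types present; lets a caller verify there are no stray bits. */
int
icmp6_types_count(const struct icmp6_types *m)
{
	int n = 0;
	unsigned t;

	for (t = 0; t <= ICMP6_TYPE_MAX; t++)
		n += icmp6_types_has(m, t);
	return n;
}

/* Parse "t1,t2,..." and OR each type into m. 0 on success, -1 on bad input. */
static int
parse_types(const char *av, struct icmp6_types *m)
{
	const char *s = av;
	char *end;
	unsigned long t;

	for (;;) {
		if (*s < '0' || *s > '9')	/* empty item, sign, space */
			return -1;
		t = strtoul(s, &end, 10);
		if (t > ICMP6_TYPE_MAX)
			return -1;
		icmp6_types_set(m, (unsigned)t);
		s = end;
		if (*s == '\0')
			return 0;
		if (*s != ',')
			return -1;
		s++;
	}
}

/*
 * Fixed behaviour: the caller's struct may be a reused buffer with old
 * contents, so every word is cleared first, not just d[0].
 */
int
fill_icmp6types(const char *av, struct icmp6_types *m)
{
	memset(m, 0, sizeof(*m));
	return parse_types(av, m);
}

/*
 * Pre-fix behaviour kept for comparison: only the first word is cleared,
 * so stale bits in d[1..] survive and widen the match far beyond the
 * types the rule names.
 */
int
fill_icmp6types_buggy(const char *av, struct icmp6_types *m)
{
	m->d[0] = 0;
	return parse_types(av, m);
}
```

With a buffer pre-filled with 0xff bytes, the fixed parser yields exactly four types, while the first-word-only variant reports types 1 and 2 plus all 224 stale bits of the remaining seven words; that is the silent over-match a firewall rule author would never see in `ipfw show` unless the printer decodes every word.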
#
cb0bfd9b |
|
23-Aug-2006 |
David Malone <dwmalone@FreeBSD.org> |
A pipe bandwidth of 10MBits/s should probably be understood as 10Mbits/s not 10MBytes/s. Submitted by: Gavin McCullagh <gavin.mccullagh@nuim.ie> MFC after: 1 week
|
#
e28cb025 |
|
20-Aug-2006 |
David Malone <dwmalone@FreeBSD.org> |
Rejiggle parens to try and get the intended effect. This should fix people having trouble with the "me6" keyword. Also, we were using inet_pton on the wrong variable in one place. Reviewed by: mlaier (previous version of patch) Obtained from: Sascha Blank (inet_pton change) MFC after: 1 week
|
#
afad78e2 |
|
18-Aug-2006 |
Julian Elischer <julian@FreeBSD.org> |
comply with style police Submitted by: ru MFC after: 1 month
|
#
c487be96 |
|
17-Aug-2006 |
Julian Elischer <julian@FreeBSD.org> |
Allow ipfw to forward to a destination that is specified by a table. for example: fwd tablearg ip from any to table(1) where table 1 has entries of the form: 1.1.1.0/24 10.2.3.4 208.23.2.0/24 router2 This allows trivial implementation of a secondary routing table implemented in the firewall layer. I expect more work (under discussion with Glebius) to follow this to clean up some of the messy parts of ipfw related to tables. Reviewed by: Glebius MFC after: 1 month
|
#
299652af |
|
05-Aug-2006 |
Stefan Farfeleder <stefanf@FreeBSD.org> |
Use the SLIST_NEXT macro instead of sle_next. Checked with: cmp(1)
|
#
254c4725 |
|
15-Jun-2006 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
Add support of 'tablearg' feature for: - 'tag' & 'untag' action parameters. - 'tagged' & 'limit' rule options. Rule examples: pipe 1 tag tablearg ip from table(1) to any allow ip from any to table(2) tagged tablearg allow tcp from table(3) to any 25 setup limit src-addr tablearg sbin/ipfw/ipfw2.c: 1) new macros GET_UINT_ARG - support of 'tablearg' keyword, argument range checking. PRINT_UINT_ARG - support of 'tablearg' keyword. 2) strtoport(): do not silently truncate/accept invalid port list expressions like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup. Approved by: glebius (mentor) MFC after: 1 month
|
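Two entries on this page describe the same input-validation concern from different sides: b87ce554 (the 16-bit argument namespace where 0 is forbidden and 65535 is the 'tablearg' sentinel) and 254c4725 above (GET_UINT_ARG range checking, and strtoport() no longer silently accepting '1,2-abc', '1,2-3-4' or '1,2-3x4'). The block below is an added example written for this page, not code from ipfw2.c: the function names, the ARG_MIN/ARG_MAX/ARG_TABLEARG constants and the 1..65535 port range are assumptions for the example. It shows one strict number scanner shared by both parsers, so a rule cannot be accepted with an argument that was only partially parsed.

```c
/*
 * Added example (not ipfw2.c code): strict parsing of a 16-bit action
 * argument and of a port list, in the spirit of the GET_UINT_ARG and
 * strtoport() changes described in the history above. Names, limits and
 * the TABLEARG sentinel value are assumptions for this example.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ARG_MIN		1	/* 0 is forbidden almost everywhere */
#define ARG_MAX		65534	/* highest explicit value */
#define ARG_TABLEARG	65535	/* "use the value of the last table lookup" */

/*
 * Scan exactly one unsigned decimal number in [lo, hi] from *sp and
 * advance *sp past it. Returns 0 on success, -1 on error. Unlike a bare
 * atoi()/strtoul() it rejects empty input, signs, overflow and values
 * outside the range, and leaves the caller to decide what may follow.
 */
static int
parse_u16_range(const char **sp, unsigned lo, unsigned hi, uint16_t *out)
{
	const char *s = *sp;
	char *end;
	unsigned long v;

	if (*s < '0' || *s > '9')	/* no sign, no space, no empty string */
		return -1;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno != 0 || v < lo || v > hi)
		return -1;
	*out = (uint16_t)v;
	*sp = end;
	return 0;
}

/*
 * Action argument: the keyword "tablearg" or a number in [ARG_MIN, ARG_MAX].
 * Both 0 and the numeric form of the sentinel are rejected, so the two
 * namespaces cannot be confused by a typo in a ruleset.
 */
int
parse_action_arg(const char *s, uint16_t *out)
{
	if (strcmp(s, "tablearg") == 0) {
		*out = ARG_TABLEARG;
		return 0;
	}
	if (parse_u16_range(&s, ARG_MIN, ARG_MAX, out) != 0)
		return -1;
	return *s == '\0' ? 0 : -1;	/* trailing junk such as "100x" */
}

/*
 * Port list: comma separated items, each "N" or "N-M" with N <= M and
 * ports in 1..65535 (range assumed for this example). Fills lo[]/hi[]
 * pairs and returns the item count, or -1. "1,2-abc", "1,2-3-4" and
 * "1,2-3x4" are all rejected instead of being truncated to the prefix
 * that happened to parse.
 */
int
parse_port_list(const char *s, uint16_t *lo, uint16_t *hi, int max)
{
	int n = 0;

	for (;;) {
		if (n == max)
			return -1;
		if (parse_u16_range(&s, 1, 65535, &lo[n]) != 0)
			return -1;
		hi[n] = lo[n];
		if (*s == '-') {
			s++;
			if (parse_u16_range(&s, 1, 65535, &hi[n]) != 0)
				return -1;
			if (hi[n] < lo[n])
				return -1;	/* "5-2" */
		}
		n++;
		if (*s == '\0')
			return n;
		if (*s != ',')
			return -1;	/* "2-3-4", "2-3x4", "80 443" ... */
		s++;
	}
}
```

The design choice worth copying is that every scanner returns where it stopped and the caller decides which terminator is legal at that point; a parser that checks only "did strtoul produce a number" accepts '2-3x4' as '2-3' and installs a rule narrower than the one the administrator typed.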
#
81bd0dc0 |
|
01-Jun-2006 |
Max Laier <mlaier@FreeBSD.org> |
Print dynamic rules for IPv6 as well. PR: bin/98349 Submitted by: Mark Andrews MFC after: 2 weeks
|
#
6a7d5cb6 |
|
24-May-2006 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9). Since tags are kept while packet resides in kernelspace, it's possible to use other kernel facilities (like netgraph nodes) for altering those tags. Submitted by: Andrey Elsukov <bu7cher at yandex dot ru> Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru> Approved by: glebius (mentor) Idea from: OpenBSD PF MFC after: 1 month
|
#
926bbf90 |
|
13-May-2006 |
Max Laier <mlaier@FreeBSD.org> |
For src/dest parsing take off the netmask before checking for AF with inet_pton. This fixes cases like "fe02::/16". PR: bin/91245 Reported by: Fredrik Lindberge
|
#
905c41b5 |
|
30-Mar-2006 |
Julian Elischer <julian@FreeBSD.org> |
Amazing.. two screwups in one commit. I'm piling on these pointy hats on top of each other. At least they nest..
|
#
dbadd6b0 |
|
30-Mar-2006 |
Julian Elischer <julian@FreeBSD.org> |
I can't believe that no-one noticed that I broke ipfw table del for over a month! put {} around if clause with multiple statements
|
#
c6ec0226 |
|
05-Mar-2006 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Revert `proto ip' back to the previous behavior. The kernel side of ipfw2 doesn't allow zero as protocol number. MFC after: 3 days
|
#
4f6ac146 |
|
13-Feb-2006 |
Julian Elischer <julian@FreeBSD.org> |
oops, mismerge from working sources.. not only add new code, but remove old code!
|
#
21899082 |
|
13-Feb-2006 |
Julian Elischer <julian@FreeBSD.org> |
Stop ipfw from aborting when asked to delete a table entry that doesn't exist or add one that is already present, if the -q flag is set. Useful for "ipfw -q /dev/stdin" when the command above is invoked from something like python or TCL to feed commands down the throat of ipfw. MFC in: 1 week
|
#
40b1ae9e |
|
12-Dec-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Add a new feature for optimizing ipfw rulesets - substitution of the action argument with the value obtained from table lookup. The feature is now applicable only to "pipe", "queue", "divert", "tee", "netgraph" and "ngtee" rules. An example usage: ipfw pipe 1000 config bw 1000Kbyte/s ipfw pipe 4000 config bw 4000Kbyte/s ipfw table 1 add x.x.x.x 1000 ipfw table 1 add x.x.x.y 4000 ipfw pipe tablearg ip from table(1) to any In the example above the rule will throw different packets to different pipes. TODO: - Support "skipto" action, but without searching all rules. - Improve parser, so that it warns about bad rules. These are: - "tablearg" argument to action, but no "table" in the rule. All traffic will be blocked. - "tablearg" argument to action, but "table" searches for entry with a specific value. All traffic will be blocked. - "tablearg" argument to action, and two "table" looks - for src and for dst. The last lookup will match.
|
#
02d48226 |
|
09-Dec-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Cleanup _FreeBSD_version.
|
#
36c263cc |
|
29-Nov-2005 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
We couldn't specify the rule for filtering tunnel traffic since IPv6 support was committed: - Stop treating `ip' and `ipv6' as special in `proto' option as they conflict with /etc/protocols. - Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'. - When protocol is specified as numeric, treat it as it is even if it is 41 (ipv6). - Allow zero for protocol as it is a valid number of `ip'. Still, we cannot specify an IPv6 over an IPv4 tunnel like before such as: pass ipv6 from any to any But, now, you can specify it like: pass ip4 from any to any proto ipv6 PR: kern/89472 Reported by: Gaël Roualland <gael.roualland__at__dial.oleane.com> MFC after: 1 week
|
#
e36ffd3b |
|
28-Nov-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Catch up with ip_dummynet.h rev. 1.38 and fix build.
|
#
b090e4ce |
|
29-Nov-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(), thus removing a few XXXes. Document the ABI breakage in UPDATING.
|
#
9066356b |
|
13-Aug-2005 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
* Add dynamic sysctl for net.inet6.ip6.fw. * Correct handling of IPv6 Extension Headers. * Add unreach6 code. * Add logging for IPv6. Submitted by: sysctl handling derived from patch from ume needed for ip6fw Obtained from: is_icmp6_query and send_reject6 derived from similar functions of netinet6,ip6fw Reviewed by: ume, gnn; silence on ipfw@ Test setup provided by: CK Software GmbH MFC after: 6 days
|
#
b730879f |
|
07-Jun-2005 |
Max Laier <mlaier@FreeBSD.org> |
add_proto() now fills proto for us so stop to 'guess' the protocol from the command and rather trust the value add_proto filled in. While here, fix an oversight in the pretty printing of ip6/4 options.
|
#
57cd6d26 |
|
02-Jun-2005 |
Max Laier <mlaier@FreeBSD.org> |
Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well. This is the last requirement before we can retire ip6fw. Reviewed by: dwhite, brooks(earlier version) Submitted by: dwhite (manpage) Silence from: -ipfw
|
#
ffa4a586 |
|
20-May-2005 |
Max Laier <mlaier@FreeBSD.org> |
Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults and not every protocol is IPv6.
|
#
d360073b |
|
26-Apr-2005 |
Brooks Davis <brooks@FreeBSD.org> |
Fix the previous commit. I wanted to remove the if and always run the body, not remove both. Reported by: ceri Pointy hat: brooks
|
#
38aede1c |
|
26-Apr-2005 |
Brooks Davis <brooks@FreeBSD.org> |
Don't force IPv6 proto to be printed numerically. Noticed by: ceri
|
#
8195404b |
|
18-Apr-2005 |
Brooks Davis <brooks@FreeBSD.org> |
Add IPv6 support to IPFW and Dummynet. Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
|
#
776c1005 |
|
05-Apr-2005 |
Brooks Davis <brooks@FreeBSD.org> |
Be more specific when complaining about bit masks.
|
#
670742a1 |
|
04-Feb-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Add a ng_ipfw node, implementing a quick and simple interface between ipfw(4) and netgraph(4) facilities. Reviewed by: andre, brooks, julian
|
#
bd528823 |
|
18-Jan-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Don't print extra " via ", if we have already printed one. While here, slightly style brackets. PR: misc/75297 MFC after: 1 week
|
#
01750186 |
|
14-Jan-2005 |
Brooks Davis <brooks@FreeBSD.org> |
Deprecate unmaintainable uses of strncmp to implement abbreviations. This commit replaces those with two new functions that simplify the code and produce warnings that the syntax is deprecated. A small number of sensible abbreviations may be explicitly added based on user feedback.
There were previously three types of strncmp use in ipfw:
- Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av to match string or any shortened form of it. I have replaced this with a new function _substrcmp(av, "string") which returns 0 if av is a substring of "string", but emits a warning if av is not exactly "string".
- The next type was two instances of strncmp(av, "by", 2) which allowed the abbreviation of bytes to "by", "byt", etc. Unfortunately, it also supported "bykHUygh&*g&*7*ui". I added a second new function _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but complains if the user doesn't spell out the word "bytes".
- There is also one correct use of strncmp to match "table(" which might have another token after it without a space.
Since I changed all the lines anyway, I also fixed the treatment of strncmp's return as a boolean in many cases. I also modified a few strcmp cases as well to be fully consistent.
|
#
610055c9 |
|
06-Jan-2005 |
Brooks Davis <brooks@FreeBSD.org> |
Write some bit mask limits in hex rather than decimal so they look less magic.
|
#
448d1e83 |
|
24-Nov-2004 |
Brooks Davis <brooks@FreeBSD.org> |
Remove a duplicate line from an apparent merge error in rev 1.63.
|
#
17db1a04 |
|
07-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Commit forgotten documentation for "diverted" rules.
|
#
c99ee9e0 |
|
02-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Add support to IPFW for matching by TCP data length.
|
#
6daf7ebd |
|
02-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket).
|
#
5599f1b5 |
|
02-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Remove accidentally-added O_DIVERTED section.
|
#
974dfe30 |
|
02-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Add to IPFW the ability to do ALTQ classification/tagging.
|
#
d413c2e4 |
|
21-Sep-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Since "d" is an array of 32 bit values, it is more correct to change the cast from unsigned int to uint32_t. Pointed out by: luigi
|
#
3a27af0d |
|
11-Sep-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered, making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints.
The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information: the size of the instruction (in 32-bit words) in the low 6 bits of "len", with the 2 remaining bits to implement OR and NOT. The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes.
This may be a MFC candidate for RELENG_5. Reviewed by: andre Approved by: luigi PR: kern/63961 (partially)
|
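The clobbering described in the commit above, as an added example that is not ipfw's own code: a minimal model of the ipfw_insn "len" byte in which the low 6 bits carry the size in 32-bit words and the two high bits carry the OR and NOT modifiers. The parser sets F_NOT before the opcode-specific filler runs; a plain assignment of the size wipes it, an OR keeps it. The constant values 0x3f/0x40/0x80 follow sys/netinet/ip_fw.h but are stated here as an assumption, and the struct layouts are simplified for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not ipfw's own code.  Assumed encoding of "len", per the
 * commit text: low 6 bits = size in 32-bit words, two high bits = OR/NOT.
 * The concrete values are an assumption taken from ip_fw.h.
 */
#define F_LEN_MASK 0x3f
#define F_OR       0x40
#define F_NOT      0x80

typedef struct {
	uint8_t  opcode;
	uint8_t  len;		/* size in 32-bit words, plus F_OR / F_NOT */
	uint16_t arg1;
} ipfw_insn;

/* Shape of an O_UID / O_GID / O_JAIL instruction: one 32-bit payload word. */
typedef struct {
	ipfw_insn o;
	uint32_t  d[1];
} ipfw_insn_u32;

/* Pre-fix filler: plain assignment discards whatever the parser already set. */
static void
fill_uid_clobber(ipfw_insn_u32 *cmd, uint32_t uid)
{
	cmd->o.len = sizeof(*cmd) / sizeof(uint32_t);	/* BUG: '=' wipes F_NOT/F_OR */
	cmd->d[0] = uid;
}

/* Post-fix filler: OR in the size so the modifier bits survive. */
static void
fill_uid_fixed(ipfw_insn_u32 *cmd, uint32_t uid)
{
	cmd->o.len |= sizeof(*cmd) / sizeof(uint32_t);
	cmd->d[0] = uid;
}

/*
 * Emulate the parser on "not uid N": the 'not' keyword sets F_NOT on the
 * instruction before the opcode-specific filler runs.  Returns the final
 * len byte so the two behaviours can be compared.
 */
static uint8_t
build_not_uid(int fixed, uint32_t uid)
{
	ipfw_insn_u32 cmd;

	memset(&cmd, 0, sizeof(cmd));
	cmd.o.len |= F_NOT;
	if (fixed)
		fill_uid_fixed(&cmd, uid);
	else
		fill_uid_clobber(&cmd, uid);
	return (cmd.o.len);
}

/* Kernel side: compare, then invert the result if F_NOT is set. */
static int
match_uid(uint8_t len, uint32_t rule_uid, uint32_t pkt_uid)
{
	int match = (rule_uid == pkt_uid);

	return ((len & F_NOT) ? !match : match);
}

int
main(void)
{
	uint8_t clob = build_not_uid(0, 1000);
	uint8_t good = build_not_uid(1, 1000);

	printf("clobbered: len=0x%02x size=%d F_NOT=%d 'not uid 1000' vs uid 2000 -> %d\n",
	    clob, clob & F_LEN_MASK, !!(clob & F_NOT), match_uid(clob, 1000, 2000));
	printf("fixed:     len=0x%02x size=%d F_NOT=%d 'not uid 1000' vs uid 2000 -> %d\n",
	    good, good & F_LEN_MASK, !!(good & F_NOT), match_uid(good, 1000, 2000));
	return (0);
}
```

With the clobbered encoding the rule silently degrades to a plain "uid 1000" match, which is the kind of negation loss that turns a deny-everyone-but rule into a deny-only rule.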
#
00ed6609 |
|
10-Sep-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Initialize a local variable and make gcc happy. PR: bin/71485 Submitted by: Jukka A. Ukkonen
|
#
9ec4f2e1 |
|
29-Aug-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Restore a historical ipfw1 logamount behaviour: rules with 'log' keyword but without 'logamount' limit the amount of their log messages by net.inet.ip.fw.verbose_limit sysctl value. RELENG_5 candidate. PR: kern/46080 Submitted by: Dan Pelleg MFC after: 1 week
|
#
c3d6fe74 |
|
23-Aug-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Fix 'show' command for pipes and queues. PR: bin/70311 Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl> MFC after: 3 days
|
#
31c88a30 |
|
12-Aug-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Add the ability to associate ipfw rules with a specific prison ID. Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes:
- Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.
This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be: ipfw add count ip from any to any jail 2 It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations. Conceptual head nod by: pjd Reviewed by: rwatson Approved by: bmilekic (mentor)
|
#
5f9541ec |
|
09-Aug-2004 |
Andre Oppermann <andre@FreeBSD.org> |
New ipfw option "antispoof": For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came in on is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match. Usage example: ipfw add deny ip from any to any not antispoof in Manpage education by: ru
|
#
1a41a8e4 |
|
10-Jun-2004 |
Ruslan Ermilov <ru@FreeBSD.org> |
Fixed a bug spotted by compiling with -Wall.
|
#
cd8b5ae0 |
|
09-Jun-2004 |
Ruslan Ermilov <ru@FreeBSD.org> |
Introduce a new feature to IPFW2: lookup tables. These are useful for handling large sparse address sets. Initial implementation by Vsevolod Lobko <seva@ip.net.ua>, refined by me. MFC after: 1 week
|
#
04f70834 |
|
02-Jun-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
o Move NEED1 macro to the top of the source file. o Add sanity checking to the firewall delete operation which tells the user that a firewall rule specification is required. The previous behaviour was to exit without reporting any errors to the user. Approved by: bmilekic (mentor)
|
#
c85c1d27 |
|
18-May-2004 |
Stefan Farfeleder <stefanf@FreeBSD.org> |
Remove spurious semicolons. Approved by: das (mentor) Reviewed by: ipfw@
|
#
19d4bece |
|
08-May-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Remove redundant sanity check before add_mac() when adding mac ipfw rules. The exact same sanity check is performed as the first operation of add_mac(), so there is no sense in doing it twice. Approved by: bmilekic (mentor) PR: bin/55981
|
#
22b5770b |
|
23-Apr-2004 |
Andre Oppermann <andre@FreeBSD.org> |
Add the option versrcreach to verify that a valid route to the source address of a packet exists in the routing table. The default route is ignored because it would match everything and render the check pointless. This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses. Example: ipfw add 1000 deny ip from any to any not versrcreach also known in Cisco-speak as: ip verify unicast source reachable-via any Reviewed by: luigi
|
#
14533a98 |
|
09-Apr-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix an incorrect parsing of 0.0.0.0/0 expression. PR: kern/64778 MFC after: 6 weeks
|
#
66d217f8 |
|
24-Jan-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Pass a correct argument to errx(3). PR: bin/61846 Submitted by: Eugene Grosbein MFC after: 1 week
|
#
cec4ab6a |
|
24-Dec-2003 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Legitimize the -f (force) flag for the -p (preprocessor) case. PR: bin/60433 Submitted by: Bjoern A. Zeeb MFC after: 3 weeks
|
#
ac6cec51 |
|
12-Dec-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add a -b flag to /sbin/ipfw to print only action and comment for each rule, thus omitting the entire body. This makes the output a lot more readable for complex rulesets (provided, of course, you have annotated your ruleset appropriately!) MFC after: 3 days
|
#
9bf40ede |
|
31-Oct-2003 |
Brooks Davis <brooks@FreeBSD.org> |
Replace the if_name and if_unit members of struct ifnet with new members if_xname, if_dname, and if_dunit. if_xname is the name of the interface and if_dname/unit are the driver name and instance. This change paves the way for interface renaming and enhanced pseudo device creation and configuration semantics. Approved By: re (in principle) Reviewed By: njl, imp Tested On: i386, amd64, sparc64 Obtained From: NetBSD (if_xname)
|
#
2091a3fb |
|
03-Oct-2003 |
Sam Leffler <sam@FreeBSD.org> |
remove include of route.h now that ip_dummynet.h no longer exposes data structures that have an embedded struct route Sponsored by: FreeBSD Foundation
|
#
884be75c |
|
04-Sep-2003 |
Thomas Moestl <tmm@FreeBSD.org> |
Apply a bandaid to get this working on sparc64 again; the introduction of do_cmd() broke things, because this function assumes that a socklen_t is large enough to hold a pointer. A real solution to this problem would be a rewrite of do_cmd() to treat the optlen parameter consistently and not use it to carry a pointer or integer dependent on the context.
|
#
1c56ad9b |
|
02-Sep-2003 |
Maxim Konovalov <maxim@FreeBSD.org> |
Check the argument count before proceeding in sysctl_handler(). PR: bin/56298 Submitted by: Kang Liu <liukang@bjpu.edu.cn> MFC after: 2 weeks # We need a regression test suite for ipfw(2)/ipfw(8) badly.
|
#
6fa74f7d |
|
21-Jul-2003 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Initialize do_pipe before command parsing. PR: bin/54649 Submitted by: Andy Gilligan <andy@evo6.org> MFC after: 3 days
|
#
3004afca |
|
15-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Userland side of: Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers. This implement a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush". Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change. Suggested by: Paul Richards
|
#
bbc39c83 |
|
15-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Make sure that comments are printed at the end of a rule. Reported by: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
|
#
f3a126d3 |
|
14-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Fix one typo in help() string, remove whitespace at end of line and other minor whitespace changes. Replace u_char with uint8_t in a few places.
|
#
26bf4d78 |
|
14-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Accept empty lines when reading from a file (this fixes a bug introduced in the latest commits). Also:
* update the 'ipfw -h' output;
* allow rules of the form "100 add allow ..." i.e. with the index first (requested by Paul Richards). This was an undocumented ipfw1 behaviour, and it is left undocumented;
* minor code cleanups.
|
#
1b43a426 |
|
12-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add a '-T' flag to print the timestamp as numeric value instead of converting it with ctime(). This is a lot more convenient for postprocessing. Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
|
#
62ff38ae |
|
12-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
In random order:
* make the code compile with WARNS=5 (at least on i386), mostly by adding 'const' specifier and replacing "void *" with "char *" in places where pointer arithmetic was used. This also spotted a few places where invalid tests (e.g. uint < 0) were used.
* support ranges in "list" and "show" commands. Now you can say ipfw show 100-1000 4000-8000 which is very convenient when you have large rulesets.
* implement comments in ipfw commands. These are implemented in the kernel as O_NOP commands (which always match) whose body contains the comment string. In userland, a comment is a C++-style comment: ipfw add allow ip from me to any // i can talk to everybody The choice of '//' versus '#' is somewhat arbitrary, but because the preprocessor/readfile part of ipfw used to strip away '#', I did not want to change this behaviour. If a rule only contains a comment ipfw add 1000 // this rule is just a comment then it is stored as a 'count' rule (this is also to remind the user that scanning through a rule is expensive).
* improve handling of flags (still to be completed). ipfw_main() was written thinking of 'one rule per ipfw invocation', and so flags are set and never cleared. With readfile/preprocessor support, this changes and certain flags should be reset on each line. For the time being, only fix handling of '-a' which differentiates the "list" and "show" commands.
* rework the preprocessor support -- ipfw_main() already had most of the parsing code, so i have moved in there the only missing bit (stripping away '#' and comments) and removed the parsing from ipfw_readfile(). Also, add some more options (such as -c, -N, -S) to the readfile section.
MFC after: 3 days
|
#
571f8c1b |
|
08-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
A bunch of changes (mostly syntactic sugar, all backward compatible):
* Make the addr-set size optional (defaults to /24) You can now write 1.2.3.0/24{56-80} or 1.2.3.0{56-80} Also make the parser more strict.
* Support a new format for the list of addresses: 1.2.3.4,5.6.7.8/30,9.10.11.12/22,12.12.12.13, ... which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK
* Allow spaces after commas to make lists of addresses more readable. 1.2.3.4, 5.6.7.8/30, 9.10.11.12/22, 12.12.12.13, ...
* ipfw will now accept full commands as a single argument and strip extra leading/trailing whitespace as below: ipfw "-q add allow ip from 1.2.3.4 to 5.6.7.8, 9.10.11.23 " This should help in moving the body of ipfw into a library that user programs can invoke.
* Cleanup some comments and data structures.
* Do not print rule counters for dynamic rules with ipfw -d list (PR 51182)
* Improve 'ipfw -h' output (PR 46785)
* Add a '-n' flag to test the syntax of commands without actually calling [gs]etsockopt() (PR 44238)
* Support the '-n' flag also with the preprocessors;
Manpage commit to follow. MFC after: 3 days
|
#
c3e5b9f1 |
|
04-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Implement the 'ipsec' option to match packets coming out of an ipsec tunnel. Should work with both regular and fast ipsec (mutually exclusive). See manpage for more details. Submitted by: Ari Suutari (ari.suutari@syncrontech.com) Revised by: sam MFC after: 1 week
|
#
2bb3712f |
|
27-Jun-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
remove extra whitespace and blank lines
|
#
29c1402a |
|
23-Jun-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Split some long lines to fit 80 columns (the code in RELENG_4 was already correct).
|
#
9ef3f16d |
|
23-Jun-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
syntactic sugar: support range notation such as 1.2.3.4/24{5,6,7,10-20,60-90} for set of ip addresses. Previously you needed to specify every address in the range, which was inconvenient and led to very long lines. Internally the set is still stored in the same way, just the input and output routines are modified. Manpage update still missing. Perhaps a similar preprocessing step would be useful for port ranges. MFC after: 3 days
|
#
44c884e1 |
|
22-Jun-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add support for multiple values and ranges for the "iplen", "ipttl", "ipid" options. This feature has been requested by several users. On passing, fix some minor bugs in the parser. This change is fully backward compatible so if you have an old /sbin/ipfw and a new kernel you are not in trouble (but you need to update /sbin/ipfw if you want to use the new features). Document the changes in the manpage. Now you can write things like ipfw add skipto 1000 iplen 0-500 which some people were asking to give preferential treatment to short packets. The 'MFC after' is just set as a reminder, because I still need to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately change the size of certain kernel structures; not that it matters a lot since ipfw2 is entirely optional and not the default...) PR: bin/48015 MFC after: 1 week
|
#
c82b8dce |
|
16-Jun-2003 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Pass a correct argument to printf(3). PR: bin/51750 Submitted by: Vasil Dimov <vd@datamax.bg> MFC after: 2 weeks
|
#
330462a3 |
|
03-Jun-2003 |
Bernd Walter <ticso@FreeBSD.org> |
Change handling to support strong alignment architectures such as alpha and sparc64. PR: alpha/50658 Submitted by: rizzo Tested on: alpha
|
#
010dabb0 |
|
14-Mar-2003 |
Crist J. Clark <cjc@FreeBSD.org> |
Add a 'verrevpath' option that verifies the interface that a packet comes in on is the same interface that we would route out of to get to the packet's source address. Essentially automates an anti-spoofing check using the information in the routing table. Experimental. The usage and rule format for the feature may still be subject to change.
|
#
45f61351 |
|
13-Mar-2003 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Partially revert rev. 1.103, fix 'ipfw show': dynamically adjust a width of fields for packets and bytes counters. PR: bin/47196 Reviewed by: -audit Not objected by: luigi, des o Use %llu instead of deprecated %qu convert specification for ipfw packets and bytes counters. Noted by: des MFC after: 1 month
|
#
6690be9e |
|
11-Jan-2003 |
Matthew Dillon <dillon@FreeBSD.org> |
It turns out that we do not need to add a new ioctl to unbreak a default-to-deny firewall. Simply turning off IPFW via a preexisting sysctl does the job. To make it more apparent (since nobody picked up on this in a week's worth of flames), the boolean sysctl's have been integrated into the /sbin/ipfw command set in an obvious and straightforward manner. For example, you can now do 'ipfw disable firewall' or 'ipfw enable firewall'. This is far easier to remember than the net.inet.ip.fw.enable sysctl. Reviewed by: imp MFC after: 3 days
|
#
9d5abbdd |
|
01-Jan-2003 |
Jens Schweikhardt <schweikh@FreeBSD.org> |
Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, especially in troff files.
|
#
ca6e3cb0 |
|
23-Dec-2002 |
Kelly Yancey <kbyanc@FreeBSD.org> |
Make preprocessor support more generic by passing all command-line options after -p except for the last (the ruleset file to process) to the preprocessor for interpretation. This allows command-line options besides -U and -D to be passed to cpp(1) and m4(1) as well as making it easier to use other preprocessors. Sponsored By: NTT Multimedia Communications Labs MFC after: 1 week
|
#
3d2209ae |
|
26-Nov-2002 |
Giorgos Keramidas <keramida@FreeBSD.org> |
Align timestamps when -t is used in ipfw and ipfw2. PR: kern/44843 Approved by: re (jhb)
|
#
12b5dc6a |
|
26-Nov-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Fix a kernel panic with rules of the type prob 0.5 pipe NN .... due to the generation of an invalid ipfw instruction sequence. No ABI change, but you need to upgrade /sbin/ipfw to generate the correct code. Approved by: re
|
#
a54587ad |
|
06-Nov-2002 |
Maxim Konovalov <maxim@FreeBSD.org> |
Kill EOL whitespaces, style(9) fix.
|
#
d6abaeeb |
|
06-Nov-2002 |
Maxim Konovalov <maxim@FreeBSD.org> |
Fix UID/GID options parsing. PR: bin/42579 Submitted by: Belousov Oleg <oleg@belousov.com> Approved by: luigi MFC after: 2 weeks
|
#
7c697970 |
|
24-Oct-2002 |
Maxime Henrion <mux@FreeBSD.org> |
Fix ipfw2 panics on 64-bit platforms. Quoting luigi: In order to make the userland code fully 64-bit clean it may be necessary to commit other changes that may or may not cause a minor change in the ABI. Reviewed by: luigi
|
#
4f531a53 |
|
11-Sep-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Store the port number in "fwd" rules in host format, same as ipfw1 has always done. Technically, this is the wrong format, but it reduces the diffs in -stable. Someday, when we get rid of ipfw1, I will put the port number in the proper format both in kernel and userland. MFC after: 3 days (with re@ permission)
|
#
5a155b40 |
|
18-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
One more (hopefully the last one) step in cleaning up the syntax, following Julian's good suggestion: since you can specify any match pattern as an option, rules now have the following format: [<proto> from <src> to <dst>] [options] i.e. the first part is now entirely optional (and left there just for compatibility with ipfw1 rulesets).
Add a "-c" flag to show/list rules in the compact form (i.e. without the "ip from any to any" part) when possible. The default is to include it so that scripts processing ipfw's canonical output will still work.
Note that as part of this cleanup (and to remove ambiguity), MAC fields now can only be specified in the options part. Update the manpage to reflect the syntax.
Clarify the behaviour when a match is attempted on fields which are not present in the packet, e.g. port numbers on non TCP/UDP packets, and the "not" operator is specified. E.g. ipfw add allow not src-port 80 will match also ICMP packets because they do not have port numbers, so "src-port 80" will fail and "not src-port 80" will succeed. For such cases it is advised to insert further options to prevent undesired results (e.g. in the case above, "ipfw add allow proto tcp not src-port 80").
We definitely need to rewrite the parser using lex and yacc!
|
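The "not src-port 80" pitfall spelled out in the commit above, as an added example that is not ipfw's own code: a small model of option evaluation in which a check on a field the packet does not carry fails, and "not" turns that failure into a match. The opcode names, struct layouts and sample packets are constructed for the illustration and do not reproduce the kernel's representation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not ipfw's own code.  Models the documented semantics:
 * an option that refers to an absent field (ports on ICMP) fails, and
 * 'not' inverts that failure into a match.  Names/layouts are assumptions.
 */
enum opcode { O_PROTO, O_IP_SRCPORT };

struct insn {
	enum opcode op;
	int         negate;	/* the 'not' modifier */
	uint32_t    arg;
};

struct pkt {
	uint8_t  proto;		/* 1 = ICMP, 6 = TCP */
	int      has_ports;	/* only TCP/UDP carry port numbers */
	uint16_t sport;
};

/* Constructed sample packets (not captures). */
static struct pkt
mk_icmp(void)
{
	struct pkt p = { 1, 0, 0 };
	return (p);
}

static struct pkt
mk_tcp(uint16_t sport)
{
	struct pkt p = { 6, 1, sport };
	return (p);
}

/*
 * Evaluate one option.  A field absent from the packet makes the plain
 * test fail; 'not' then turns that failure into success.
 */
static int
eval_insn(const struct insn *i, const struct pkt *p)
{
	int match = 0;

	switch (i->op) {
	case O_PROTO:
		match = (p->proto == i->arg);
		break;
	case O_IP_SRCPORT:
		match = p->has_ports && p->sport == i->arg;
		break;
	}
	return (i->negate ? !match : match);
}

/* A rule body matches only if every option matches. */
static int
rule_matches(const struct insn *body, size_t n, const struct pkt *p)
{
	for (size_t k = 0; k < n; k++)
		if (!eval_insn(&body[k], p))
			return (0);
	return (1);
}

/* ipfw add allow not src-port 80 */
static int
match_not_srcport80(struct pkt p)
{
	static const struct insn body[] = {
		{ O_IP_SRCPORT, 1, 80 },
	};
	return (rule_matches(body, sizeof(body) / sizeof(body[0]), &p));
}

/* ipfw add allow proto tcp not src-port 80 */
static int
match_tcp_not_srcport80(struct pkt p)
{
	static const struct insn body[] = {
		{ O_PROTO,      0, 6 },
		{ O_IP_SRCPORT, 1, 80 },
	};
	return (rule_matches(body, sizeof(body) / sizeof(body[0]), &p));
}

int
main(void)
{
	printf("not src-port 80:           icmp=%d tcp/80=%d tcp/22=%d\n",
	    match_not_srcport80(mk_icmp()), match_not_srcport80(mk_tcp(80)),
	    match_not_srcport80(mk_tcp(22)));
	printf("proto tcp not src-port 80: icmp=%d tcp/80=%d tcp/22=%d\n",
	    match_tcp_not_srcport80(mk_icmp()), match_tcp_not_srcport80(mk_tcp(80)),
	    match_tcp_not_srcport80(mk_tcp(22)));
	return (0);
}
```

The first rule lets every ICMP packet through; pinning the protocol first makes the negated port test apply only to packets that actually have a source port.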
#
e706181b |
|
18-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Major cleanup of the parser and printing routines in an attempt to render the syntax less ambiguous. Now rules can be in one of these two forms
<action> <protocol> from <src> to <dst> [options]
<action> MAC dst-mac src-mac mac-type [options]
however you can now specify MAC and IP header fields as options e.g.
ipfw add allow all from any to any mac-type arp
ipfw add allow all from any to any { dst-ip me or src-ip me }
which makes complex expressions a lot easier to write and parse. The "all from any to any" part is there just for backward compatibility. Manpage updated accordingly.
|
#
99e5e645 |
|
16-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
sys/netinet/ip_fw2.c: Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops for firewall-generated packets (the constant has to go in sys/mbuf.h). Better comments on keepalive generation, and enforce dyn_rst_lifetime and dyn_fin_lifetime to be less than dyn_keepalive_period. Enforce limits (up to 64k) on the number of dynamic buckets, and retry allocation with smaller sizes. Raise default number of dynamic rules to 4096. Improved handling of set of rules -- now you can atomically enable/disable multiple sets, move rules from one set to another, and swap sets. sbin/ipfw/ipfw2.c: userland support for "noerror" pipe attribute. userland support for sets of rules. minor improvements on rule parsing and printing. sbin/ipfw/ipfw.8: more documentation on ipfw2 extensions, differences from ipfw1 (so we can use the same manpage for both), stateful rules, and some additional examples. Feedback and more examples needed here.
|
#
8ed2d749 |
|
10-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Fix one parsing bug introduced by last commit, and correct parsing and printing of or-blocks in address, ports and options lists.
|
#
43405724 |
|
09-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
One bugfix and one new feature. The bugfix (ipfw2.c) makes the handling of port numbers with a dash in the name, e.g. ftp-data, consistent with old ipfw: use \\ before the - to consider it as part of the name and not a range separator.
The new feature (all this description will go in the manpage): each rule now belongs to one of 32 different sets, which can be optionally specified in the following form: ipfw add 100 set 23 allow ip from any to any If "set N" is not specified, the rule belongs to set 0. Individual sets can be disabled, enabled, and deleted with the commands:
ipfw disable set N
ipfw enable set N
ipfw delete set N
Enabling/disabling of a set is atomic. Rules belonging to a disabled set are skipped during packet matching, and they are not listed unless you use the '-S' flag in the show/list commands. Note that dynamic rules, once created, are always active until they expire or their parent rule is deleted. Set 31 is reserved for the default rule and cannot be disabled. All sets are enabled by default. The enable/disable status of the sets can be shown with the command ipfw show sets
Hopefully, this feature will make life easier for those who want to have atomic ruleset addition/deletion/tests. Examples:
To add a set of rules atomically:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18
To delete a set of rules atomically:
ipfw disable set 18
ipfw delete set 18
ipfw enable set 18
To test a ruleset and disable it and regain control if something goes wrong:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18
here if everything goes well, you press control-C before the "sleep" terminates, and your ruleset will be left active. Otherwise, e.g. if you cannot access your box, the ruleset will be disabled after the sleep terminates.
I think there is only one more thing that one might want, namely a command to assign all rules in set X to set Y, so one can test a ruleset using the above mechanisms, and once it is considered acceptable, make it part of an existing ruleset.
|
#
b985a624 |
|
03-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Fix generation of check-state rules, which i broke in last commit.
|
#
61360012 |
|
31-Jul-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Forgot this one: properly initialize an address set when the set size is less than 32 bits (/28 mask or more). Also remove a debugging fprintf().
|
#
52bc23ab |
|
31-Jul-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Two bugfixes: + the header file contains two different opcodes (O_IPOPTS and O_IPOPT) for what is the same thing, and sure enough I used one in the kernel and the other one in userland. Be consistent! + "keep-state" and "limit" must be the last match pattern in a rule, so no matter how you enter them move them to the end of the rule.
|
#
0a7197a8 |
|
13-Jul-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
A bunch of minor fixes:
* accept "icmptype" as an alias for "icmptypes";
* remove an extra whitespace after "log" rules;
* print correctly the "limit" masks;
* correct a typo in parsing dummynet arguments (this caused a coredump);
* do not allow specifying both "check-state" and "limit", they are (and have always been) mutually exclusive;
* remove an extra print of the rule before installing it;
* make stdout buffered -- otherwise, if you log its output with syslog, you will see one entry for each printf(). Rather unpleasant.
|
#
006559a2 |
|
08-Jul-2002 |
Bruce Evans <bde@FreeBSD.org> |
Fixed some world breakage caused by not updating clients when <timeconv.h> was split off from <time.h>. This became fatal here when -Werror was reenabled.
|
#
5e43aef8 |
|
05-Jul-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Implement the last 2-3 missing instructions for ipfw, now it should support all the instructions of the old ipfw. Fix some bugs in the user interface, /sbin/ipfw. Please check this code against your rulesets, so I can fix the remaining bugs (if any, I think they will be mostly in /sbin/ipfw). Once we have done a bit of testing, this code is ready to be MFC'ed, together with a bunch of other changes (glue to ipfw, and also the removal of some global variables) which have been in -current for a couple of weeks now. MFC after: 7 days
|
#
9758b77f |
|
27-Jun-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accept the old syntax for ipfw rules (and produce the same output with "ipfw show"). Only a couple of the old options (out of some 30 of them) have not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memory -- for a full /24 subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
|
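The address-set match introduced in the commit above, together with the range notation and optional /24 default added by the later 23-Jun-2003 and 08-Jul-2003 commits, as an added example that is not ipfw's own code: a parser for base[/len]{hosts} with single values and lo-hi ranges (spaces allowed after commas), a bitmap of 2^(32-len) bits, and a constant-time one-bit lookup. The struct layout, the /24 ceiling, the strict rejection of hosts outside the subnet and the helper names are assumptions of this illustration; the kernel's representation differs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not ipfw's own code.  Models the "address set" match:
 * base[/len]{hosts}, host offsets listed as values or lo-hi ranges, match
 * by a single bit test.  Layout and limits are assumptions.
 */
#define MAX_SET_BITS	256			/* sets no larger than a /24 */

struct addr_set {
	uint32_t base;				/* network address, host byte order */
	int      masklen;			/* 24..32, default 24 */
	uint32_t bitmap[MAX_SET_BITS / 32];	/* 32 bytes for a full /24 */
};

/* Parse a dotted quad; *end is left at the first unconsumed character. */
static int
parse_ipv4(const char *s, uint32_t *out, const char **end)
{
	uint32_t v = 0;

	for (int i = 0; i < 4; i++) {
		char *e;
		long o = strtol(s, &e, 10);

		if (e == s || o < 0 || o > 255)
			return (-1);
		v = (v << 8) | (uint32_t)o;
		s = e;
		if (i < 3) {
			if (*s != '.')
				return (-1);
			s++;
		}
	}
	*out = v;
	*end = s;
	return (0);
}

/* Parse "10.20.30.0/26{18,44,33,22,9}" or "1.2.3.0{56-80}"; offsets outside the subnet are an error. */
static int
parse_addr_set(const char *spec, struct addr_set *set)
{
	const char *p;
	uint32_t a, nhosts;
	int closed = 0;

	memset(set, 0, sizeof(*set));
	if (parse_ipv4(spec, &a, &p) < 0)
		return (-1);
	set->masklen = 24;
	if (*p == '/') {
		char *e;
		long m = strtol(p + 1, &e, 10);

		if (e == p + 1 || m < 24 || m > 32)
			return (-1);
		set->masklen = (int)m;
		p = e;
	}
	nhosts = 1u << (32 - set->masklen);
	set->base = a & ~(nhosts - 1);		/* host bits of the base are ignored */
	if (*p++ != '{')
		return (-1);
	while (!closed) {
		char *e;
		long lo, hi;

		lo = strtol(p, &e, 10);
		if (e == p)
			return (-1);
		p = e;
		hi = lo;
		if (*p == '-') {			/* lo-hi range */
			hi = strtol(p + 1, &e, 10);
			if (e == p + 1)
				return (-1);
			p = e;
		}
		if (lo < 0 || hi >= (long)nhosts || lo > hi)
			return (-1);
		for (long h = lo; h <= hi; h++)
			set->bitmap[h / 32] |= 1u << (h % 32);
		if (*p == '}') {
			closed = 1;
			p++;
		} else if (*p == ',') {
			p++;
			while (*p == ' ')		/* spaces after commas allowed */
				p++;
		} else
			return (-1);
	}
	return (*p == '\0' ? 0 : -1);
}

/* Match: check the prefix, then test one bit.  Cost does not depend on set size. */
static int
addr_set_match(const struct addr_set *set, uint32_t addr)
{
	uint32_t nhosts = 1u << (32 - set->masklen);
	uint32_t h = addr & (nhosts - 1);

	if ((addr & ~(nhosts - 1)) != set->base)
		return (0);
	return ((set->bitmap[h / 32] >> (h % 32)) & 1);
}

/* Convenience wrapper: 1 = match, 0 = no match, -1 = bad spec or address. */
static int
set_contains(const char *spec, const char *addr)
{
	struct addr_set set;
	uint32_t a;
	const char *e;

	if (parse_addr_set(spec, &set) < 0)
		return (-1);
	if (parse_ipv4(addr, &a, &e) < 0 || *e != '\0')
		return (-1);
	return (addr_set_match(&set, a));
}

int
main(void)
{
	const char *set = "10.20.30.0/26{18,44,33,22,9}";
	const char *probe[] = { "10.20.30.44", "10.20.30.45", "10.20.30.64", "10.20.31.44" };

	for (size_t i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
		printf("%s in %s -> %d\n", probe[i], set, set_contains(set, probe[i]));
	printf("1.2.3.70 in 1.2.3.0{56-80} -> %d\n", set_contains("1.2.3.0{56-80}", "1.2.3.70"));
	return (0);
}
```

The parser is deliberately strict about offsets that fall outside the chosen prefix, since an out-of-range offset would otherwise either silently wrap or index past the bitmap.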