b3e76948 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

9f44a47f | 11-Jun-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
ipfw(8): add ioctl/instruction generation tests
Differential Revision: https://reviews.freebsd.org/D40488
MFC after: 2 weeks

3599da15 | 22-Nov-2022 | Goran Mekic <meka@tilda.center>
ipfw: Fix ipfw/dnctl detection
Running "dnctl" vs "/sbin/dnctl" gave different results, because we looked at the entire argv[0] string, rather than the basename.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D37431

9d406e08 | 23-Dec-2021 | Kristof Provost <kp@FreeBSD.org>
dnctl: Support reading config from file like ipfw(8)
Extend the dnctl (dummynet config) tool to be able to read commands from a file, just like ipfw already does.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33627

0b95680e | 25-May-2021 | Kristof Provost <kp@FreeBSD.org>
ipfw: Introduce dnctl
Introduce a link to the ipfw command, dnctl, for dummynet configuration. dnctl only handles dummynet configuration, and is part of the effort to support dummynet in pf.
/sbin/ipfw continues to accept pipe, queue and sched commands, but these can now also be issued via the new dnctl command.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465

a08cdb6c | 02-Feb-2021 | Neel Chauhan <nc@FreeBSD.org>
Allow setting alias port ranges in libalias and ipfw.
This will allow a system to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user, subnet) can have their own dedicated port aliasing ranges.
Reviewed by: donner, kp
Approved by: 0mp (mentor), donner, kp
Differential Revision: https://reviews.freebsd.org/D23450

56707bee | 13-Jul-2020 | Mark Johnston <markj@FreeBSD.org>
ipfw(8): Fix most warnings with the default WARNS level.
- Add missing const and static qualifiers.
- Avoid shadowing the global "co" by renaming it to "g_co".
- Avoid mixing signedness in loop bound checks.
- Leave -Wcast-align warnings disabled for now.
Reviewed by: ae, melifaro
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D25456

75b89337 | 24-Jan-2020 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Add support for RFC 6598/Carrier Grade NAT subnets to libalias and ipfw.
In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware.
Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but also is RFC 6598-aware.
The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address.
Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D22877

5c04f73e | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add NAT64 CLAT implementation as defined in RFC6877.
CLAT is a customer-side translator that algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa. It is implemented as part of the ipfw_nat64 kernel module. When the module is loaded or compiled into the kernel, it registers the "nat64clat" external action. An external action named instance can be created using the `create` command and then used in ipfw rules. The create command accepts two IPv6 prefixes, `plat_prefix` and `clat_prefix`. If plat_prefix is omitted, the IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.
  # ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
  # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
  # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in
Obtained from: Yandex LLC
Submitted by: Boris N. Lytochkin
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC

d66f9c86 | 04-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ability to request listing and deleting only for dynamic states.
This can be useful when net.inet.ip.fw.dyn_keep_states is enabled, but after rules reloading some state must be deleted. Added new flag '-D' for such purpose. Retire '-e' flag, since there can not be expired states in the meaning that this flag historically had.
Also add "verbose" mode for listing of dynamic states; it can be enabled with '-v' flag and adds additional information to the states list. This can be useful for debugging.
Obtained from: Yandex LLC
MFC after: 2 months
Sponsored by: Yandex LLC

aed02679 | 27-Mar-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Rework ipfw rules parsing and printing code.
Introduce show_state structure to keep information about printed opcodes. Split show_static_rule() function into several smaller functions. Make parsing and printing opcodes into several passes. Each printed opcode is marked in show_state structure and will be skipped in next passes. Now show_static_rule() function is simple; it just prints each part of rule separately: action, modifiers, proto, src and dst addresses, options.
The main goal of this change is avoiding occurrence of wrong result of `ipfw show` command, that can not be parsed by ipfw(8). Also now it is possible to make some simple static optimizations by reordering of opcodes in the rule.
PR: 222705
Discussed with: melifaro
MFC after: 2 weeks
Sponsored by: Yandex LLC

33d72c30 | 20-Dec-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
Revert r327005 - SPDX tags for license similar to BSD-2-Clause.
After consultation with SPDX experts and their matching guidelines[1], the licensing doesn't exactly match the BSD-2-Clause. It yet remains to be determined if they are equivalent or if there is a recognized license that matches, but it is safer to just revert the tags.
Let this also be a reminder that on FreeBSD, SPDX tags are only advisory and have no legal value (but IANAL).
Pointyhat to: pfg
Thanks to: Rodney Grimes, Gary O'Neall
[1] https://spdx.org/spdx-license-list/matching-guidelines

d17aef79 | 19-Dec-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
SPDX: These are fundamentally BSD-2-Clause.
They just omit the introductory line and numbering.

d8caf56e | 13-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_nat64 module that implements stateless and stateful NAT64.
The module works together with ipfw(4) and is implemented as its external action module.
Stateless NAT64 registers external action with name nat64stl. This keyword should be used to create NAT64 instance and to address this instance in rules. Stateless NAT64 uses two lookup tables with mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.
A configuration of instance should look like this:
 1. Create lookup tables:
    # ipfw table T46 create type addr valtype ipv6
    # ipfw table T64 create type addr valtype ipv4
 2. Fill T46 and T64 tables.
 3. Add rule to allow neighbor solicitation and advertisement:
    # ipfw add allow icmp6 from any to any icmp6types 135,136
 4. Create NAT64 instance:
    # ipfw nat64stl NAT create table4 T46 table6 T64
 5. Add rules that match the traffic:
    # ipfw add nat64stl NAT ip from any to table(T46)
    # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
 6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.
Stateful NAT64 registers external action with name nat64lsn. The only option required to create nat64lsn instance is prefix4. It defines the pool of IPv4 addresses used for translation.
A configuration of instance should look like this:
 1. Add rule to allow neighbor solicitation and advertisement:
    # ipfw add allow icmp6 from any to any icmp6types 135,136
 2. Create NAT64 instance:
    # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
 3. Add rules that match the traffic:
    # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
    # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
 4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host.
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6434

b867e84e | 18-Jul-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6 as defined in RFC 6296.
The module works together with ipfw(4) and is implemented as its external action module. When it is loaded, it registers as eaction and can be used in rules. The usage pattern is similar to ipfw_nat(4). All traffic matched by a rule goes to the NPT module.
Reviewed by: hrs
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6420

358b9d09 | 03-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Move "talist" and "iflist" cmds into newly-created "internal" ipfw(8) cmd.
* Add "table X detail" cmd and show detailed algo info there instead of "info".

9d099b4f | 29-Jul-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Dump available table algorithms via "ipfw talist" cmd.
Kernel changes:
* Add type/refcount fields to table algo instances.
* Add IP_FW_TABLES_ALIST opcode to export available algorithms to userland.
Userland changes:
* Fix cores on empty input inside "ipfw table" handler.
* Add "ipfw talist" cmd to print available kernel algorithms.
* Change "table info" output to reflect long algorithm config lines.

68394ec8 | 28-Jul-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
* Add generic ipfw interface tracking API
* Rewrite interface tables to use interface indexes
Kernel changes:
* Add generic interface tracking API:
  - ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates state & bumps ref)
  - ipfw_iface_add_ntfy (UH_WLOCK+WLOCK, links consumer & runs its callback to update ifindex)
  - ipfw_iface_del_ntfy (UH_WLOCK+WLOCK, unlinks consumer)
  - ipfw_iface_unref (unlocked, drops reference)
  Additionally, consumer callbacks are called in interface withdrawal/departure.
* Rewrite interface tables to use iface tracking API. Currently tables are implemented the following way: runtime data is stored as a sorted array of {ifidx, val} for existing interfaces; full data is stored inside a namedobj instance (chained hashed table).
* Add IP_FW_XIFLIST opcode to dump status of tracked interfaces
* Pass @chain ptr to most non-locked algorithm callbacks (prepare_add, prepare_del, flush_entry ..). This may be needed for better interaction of a given algorithm with other ipfw subsystems
* Add optional "change_ti" algorithm handler to permit updating of cached table_info pointer (happens in case of table_max resize)
* Fix small bug in ipfw_list_tables()
* Add badd (insert into sorted array) and bdel (remove from sorted array) funcs
Userland changes:
* Add "iflist" cmd to print status of currently tracked interfaces
* Add stringnum_cmp for better interface/table names sorting

ac35ff17 | 03-Jul-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Fully switch to named tables:
Kernel changes:
* Introduce ipfw_obj_tentry table entry structure to force u64 alignment.
* Support "update-on-existing-key" "add" behavior (TEI_FLAGS_UPDATED).
* Use "subtype" field to distinguish between IPv4 and IPv6 table records instead of previous hack.
* Add value type (vtype) field for kernel tables. Current types are number, ip and dscp.
* Fix sets mask retrieval for old binaries
* Fix crash while using interface tables
Userland changes:
* Switch ipfw_table_handler() to use named-only tables.
* Add "table NAME create [type {cidr|iface|u32} [valtype {number|ip|dscp}] ..."
* Switch ipfw_table_handler to match_token()-based parser.
* Switch ipfw_sets_handler to use new ipfw_get_config() for mask retrieval.
* Allow ipfw set X table ... syntax to permit using per-set table namespaces.

4b85a12f | 07-Jan-2012 | Ulrich Spörlein <uqs@FreeBSD.org>
Spelling fixes for sbin/

b3608ae1 | 03-Jan-2012 | Ed Schouten <ed@FreeBSD.org>
Replace index() and rindex() calls with strchr() and strrchr().
The index() and rindex() functions were marked LEGACY in the 2001 revision of POSIX and were subsequently removed from the 2008 revision. The strchr() and strrchr() functions are part of the C standard.
This makes the source code a lot more consistent, as most of these C files also call into other str*() routines. In fact, about a dozen already perform strchr() calls.

9dad7387 | 24-Dec-2011 | Eitan Adler <eadler@FreeBSD.org>
- Add fallthrough comment
Approved by: pluknet
Found with: Coverity Prevent(tm)
CID: 10125

3b6dc18e | 13-Nov-2011 | Eitan Adler <eadler@FreeBSD.org>
- fix duplicate "a a" in some comments
Submitted by: eadler
Approved by: simon
MFC after: 3 days

0dba401d | 29-Jun-2011 | Andrey V. Elsukov <ae@FreeBSD.org>
Improve error reporting.
Use corresponding error message when file to be preprocessed is missing. Also suggest to use absolute pathname if -p option is specified.
PR: bin/156653
MFC after: 2 weeks

71f3650a | 06-Jun-2011 | Andrey V. Elsukov <ae@FreeBSD.org>
Initialize co.use_set variable before parsing each new rule.
PR: bin/134975
MFC after: 2 weeks

796051d6 | 06-Jun-2011 | Andrey V. Elsukov <ae@FreeBSD.org>
Increase buffer size for the command line.
PR: bin/125370
Submitted by: sem
MFC after: 2 weeks

5221106c | 18-Apr-2011 | Gleb Smirnoff <glebius@FreeBSD.org>
Whitespace fixes.
Checked with: md5, diff -w

a7d5f7eb | 19-Oct-2010 | Jamie Gritton <jamie@FreeBSD.org>
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.

c0831342 | 12-Apr-2010 | Luigi Rizzo <luigi@FreeBSD.org>
fix a buffer overflow with large (100k+) number of input lines.
MFC after: 3 days

8018e843 | 23-Mar-2010 | Luigi Rizzo <luigi@FreeBSD.org>
MFC of a large number of ipfw and dummynet fixes and enhancements done in CURRENT over the last 4 months.
HEAD and RELENG_8 are almost in sync now for ipfw, dummynet, the pfil hooks and related components.
Among the most noticeable changes:
- r200855 more efficient lookup of skipto rules, and remove O(N) blocks from critical sections in the kernel;
- r204591 large restructuring of the dummynet module, with support for multiple scheduling algorithms (4 available so far)
See the original commit logs for details.
Changes in the kernel/userland ABI should be harmless because the kernel is able to understand previous requests from RELENG_8 and RELENG_7. For this reason, this changeset would be applicable to RELENG_7 as well, but I am not sure if it is worthwhile.

fe0506d7 | 09-Mar-2010 | Marcel Moolenaar <marcel@FreeBSD.org>
Create the altix project branch.
The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.

64290678 | 04-Mar-2010 | Luigi Rizzo <luigi@FreeBSD.org>
reduce diffs with the cross-platform version (windows needs some extra initialization)

cc4d3c30 | 02-Mar-2010 | Luigi Rizzo <luigi@FreeBSD.org>
Bring in the most recent version of ipfw and dummynet, developed and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet.
The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions.
In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ.
Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland.
Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time.
Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits.
CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.

eb2e4119 | 01-Apr-2009 | Paolo Pisati <piso@FreeBSD.org>
Implement an ipfw action to reassemble ip packets: reass.

1fd3fc69 | 05-Mar-2009 | Luigi Rizzo <luigi@FreeBSD.org>
move a variable declaration to the beginning of the block (unfortunately, it is far away; we need to pack this code in a better way).

3c0c8717 | 27-Jan-2009 | Luigi Rizzo <luigi@FreeBSD.org>
Start splitting the monster file in smaller blocks.
In this episode:
- introduce a common header with a minimal set of common definitions;
- bring the main() function and options parser in main.c
- rename the main functions with an ipfw_ prefix
No code changes except for the introduction of a global variable, resvd_set_number, which stores the RESVD_SET value from ip_fw.h and is used to remove the dependency of main.c from ip_fw.h (and the subtree of dependencies) for just a single constant.