path: root/sbin/ipfw
author: Gordon Bergling <gbe@FreeBSD.org> 2020-10-03 18:30:01 +0000
committer: Gordon Bergling <gbe@FreeBSD.org> 2020-10-03 18:30:01 +0000
commit: 8636dd5703dbacff4e8f88385f98c9251526b751 (patch)
tree: e39eb1358800c3f600e6750b8f9cca50c561a912 /sbin/ipfw
parent: 9c584fa4bcc29e8741963fd259aa3a63d115d00d (diff)
ipfw(8): Bugfixes for some issues reported by mandoc
- whitespace at end of input line
- new sentence, new line
- skipping paragraph macro: Pp before Pp

MFC after: 1 week
Notes: svn path=/head/; revision=366402
Diffstat (limited to 'sbin/ipfw')
-rw-r--r-- sbin/ipfw/ipfw.8 | 109
1 files changed, 61 insertions, 48 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 4a0853274af3..c99a9252c693 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -527,9 +527,9 @@ ipfw add 10 skipto 4000 all from any to any layer2 out
ether_demux and bdg_forward).
.Pp
Also note that only actions
-.Cm allow,
-.Cm deny,
-.Cm netgraph,
+.Cm allow ,
+.Cm deny ,
+.Cm netgraph ,
.Cm ngtee
and related to
.Cm dummynet
@@ -682,7 +682,7 @@ to simulate the effect of multiple paths leading to out-of-order
packet delivery.
.Pp
Note: this condition is checked before any other condition, including
-ones such as
+ones such as
.Cm keep-state
or
.Cm check-state
@@ -991,7 +991,8 @@ It is possible to use the
.Cm tablearg
keyword with a skipto for a
.Em computed
-skipto. Skipto may work either in O(log(N)) or in O(1) depending
+skipto.
+Skipto may work either in O(log(N)) or in O(1) depending
on amount of memory and/or sysctl variables.
See the
.Sx SYSCTL VARIABLES
@@ -1454,7 +1455,7 @@ or a hostname)
and the mask of
.Ar mask ,
specified as allowed by
-.Xr inet_pton.
+.Xr inet_pton .
As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match
fe:*:*:*:0:640:*:*.
This form is advised only for non-contiguous
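Review bot: `.Xr inet_pton .` now separates the trailing period correctly, but the cross-reference still has no manual section, so mandoc will keep warning about an Xr without a section argument; suggest `.Xr inet_pton 3 .` so it renders as inet_pton(3) like the other cross-references in this page.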
@@ -1528,7 +1529,8 @@ Alias for
.Cm layer2 .
.It Cm defer-immediate-action | defer-action
A rule with this option will not perform normal action
-upon a match. This option is intended to be used with
+upon a match.
+This option is intended to be used with
.Cm record-state
or
.Cm keep-state
@@ -1539,8 +1541,9 @@ Rules with both
and
.Cm defer-immediate-action
create a dynamic rule and continue with the next rule without actually
-performing the action part of this rule. When the rule is later activated
-via the state table, the action is performed as usual.
+performing the action part of this rule.
+When the rule is later activated via the state table, the action is
+performed as usual.
.It Cm diverted
Matches only packets generated by a divert socket.
.It Cm diverted-loopback
@@ -1604,7 +1607,7 @@ Matches IPv6 packets containing any of the flow labels given in
is a comma separated list of numeric flow labels.
.It Cm frag Ar spec
Matches IPv4 packets whose
-.Cm ip_off
+.Cm ip_off
field contains the comma separated list of IPv4 fragmentation
options specified in
.Ar spec .
@@ -1793,7 +1796,8 @@ packet is found.
The
.Ar :flowname
is used to assign additional to addresses, ports and protocol parameter
-to dynamic rule. It can be used for more accurate matching by
+to dynamic rule.
+It can be used for more accurate matching by
.Cm check-state
rule.
The
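Review bot: the sentence split here keeps wording that is ungrammatical, "is used to assign additional to addresses, ports and protocol parameter to dynamic rule"; since these lines are already being touched, reword to something like "is used to assign an additional parameter, besides addresses, ports and protocol, to the dynamic rule." and "It can be used for more accurate matching by the" ahead of `.Cm check-state`.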
@@ -2212,8 +2216,8 @@ One or more entries can be added to a table at once using
command.
Addition of all items are performed atomically.
By default, error in addition of one entry does not influence
-addition of other entries. However, non-zero error code is returned
-in that case.
+addition of other entries.
+However, non-zero error code is returned in that case.
Special
.Cm atomic
keyword may be specified before
@@ -2224,8 +2228,8 @@ One or more entries can be removed from a table at once using
.Cm delete
command.
By default, error in removal of one entry does not influence
-removing of other entries. However, non-zero error code is returned
-in that case.
+removing of other entries.
+However, non-zero error code is returned in that case.
.Pp
It may be possible to check what entry will be found on particular
.Ar table-key
@@ -2983,10 +2987,12 @@ and
are integer numbers specifying thresholds for queue management
(thresholds are computed in bytes if the queue has been defined
in bytes, in slots otherwise).
-The two parameters can also be of the same value if needed. The
+The two parameters can also be of the same value if needed.
+The
.Nm dummynet
also supports the gentle RED variant (gred) and ECN (Explicit Congestion
-Notification) as optional. Three
+Notification) as optional.
+Three
.Xr sysctl 8
variables can be used to control the RED behaviour:
.Bl -tag -width indent
@@ -3266,7 +3272,7 @@ Skip instance in case of global state lookup (see below).
.El
.Pp
Some specials value can be supplied instead of
-.Va nat_number:
+.Va nat_number :
.Bl -tag -width indent
.It Cm global
Looks up translation state in all configured nat instances.
@@ -3370,7 +3376,7 @@ Thus translator host should be configured as IPv4 and IPv6 router.
Also this means, that a packet is handled by firewall twice.
First time an original packet is handled and consumed by translator,
and then it is handled again as translated packet.
-This behavior can be changed by sysctl variable
+This behavior can be changed by sysctl variable
.Va net.inet.ip.fw.nat64_direct_output .
Also translated packet can be tagged using
.Cm tag
@@ -3400,7 +3406,8 @@ in the states table will be dropped by translator.
Make sure that translation rules handle packets, destined to configured prefix.
.It Cm prefix6 Ar ipv6_prefix/length
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
-to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64.
+to represent IPv4 addresses.
+This IPv6 prefix should be configured in DNS64.
The translator implementation follows RFC6052, that restricts the length of
prefixes to one of following: 32, 40, 48, 56, 64, or 96.
The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
@@ -3475,9 +3482,9 @@ you are able to see each handled packet before and after translation.
.It Cm -log
Turn off logging of all handled packets via BPF.
.It Cm allow_private
-Turn on processing private IPv4 addresses. By default IPv6 packets with
-destinations mapped to private address ranges defined by RFC1918 are not
-processed.
+Turn on processing private IPv4 addresses.
+By default IPv6 packets with destinations mapped to private address ranges
+defined by RFC1918 are not processed.
.It Cm -allow_private
Turn off private address handling in
.Nm nat64
@@ -3493,7 +3500,6 @@ To inspect a states table of stateful NAT64 the following command can be used:
.Ek
.Ed
.Pp
-.Pp
Stateless NAT64 translator doesn't use a states table for translation
and converts IPv4 addresses to IPv6 and vice versa solely based on the
mappings taken from configured lookup tables.
@@ -3514,7 +3520,8 @@ The following parameters can be configured:
.Bl -tag -width indent
.It Cm prefix6 Ar ipv6_prefix/length
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
-to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64.
+to represent IPv4 addresses.
+This IPv6 prefix should be configured in DNS64.
.It Cm table4 Ar table46
The lookup table
.Ar table46
@@ -3530,9 +3537,9 @@ interface.
.It Cm -log
Turn off logging of all handled packets via BPF.
.It Cm allow_private
-Turn on processing private IPv4 addresses. By default IPv6 packets with
-destinations mapped to private address ranges defined by RFC1918 are not
-processed.
+Turn on processing private IPv4 addresses.
+By default IPv6 packets with destinations mapped to private address ranges
+defined by RFC1918 are not processed.
.It Cm -allow_private
Turn off private address handling in
.Nm nat64
@@ -3544,12 +3551,12 @@ packets differs from stateful translator.
If corresponding addresses was not found in the lookup tables, the packet
will not be dropped and the search continues.
.Pp
-.Pp
.Ss XLAT464 CLAT translation
XLAT464 CLAT NAT64 translator implements client-side stateless translation as
defined in RFC6877 and is very similar to statless NAT64 translator
-explained above. Instead of lookup tables it uses one-to-one mapping
-between IPv4 and IPv6 addresses using configured prefixes.
+explained above.
+Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
+addresses using configured prefixes.
This mode can be used as a replacement of DNS64 service for applications
that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
over IPv6-only networks with help of remote NAT64 translator.
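Review bot: the context line "defined in RFC6877 and is very similar to statless NAT64 translator" carries a typo ("statless" for "stateless"); as this paragraph is being reflowed anyway, fix it in the same commit rather than leaving it for a follow-up.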
@@ -3571,8 +3578,8 @@ The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
to represent source IPv4 addresses.
.It Cm plat_prefix Ar ipv6_prefix/length
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
-to represent destination IPv4 addresses. This IPv6 prefix should be configured
-on a remote NAT64 translator.
+to represent destination IPv4 addresses.
+This IPv6 prefix should be configured on a remote NAT64 translator.
.It Cm log
Turn on logging of all handled packets via BPF through
.Ar ipfwlog0
@@ -3580,7 +3587,8 @@ interface.
.It Cm -log
Turn off logging of all handled packets via BPF.
.It Cm allow_private
-Turn on processing private IPv4 addresses. By default
+Turn on processing private IPv4 addresses.
+By default
.Nm nat64clat
instance will not process IPv4 packets with destination address from private
ranges as defined in RFC1918.
@@ -3632,7 +3640,8 @@ and
.Cm ext_if
options are mutually exclusive.
.It Cm prefixlen Ar length
-The length of specified IPv6 prefixes. It must be in range from 8 to 64.
+The length of specified IPv6 prefixes.
+It must be in range from 8 to 64.
.El
.Pp
Note that the prefix translation rules are silently ignored when IPv6 packet
@@ -4086,7 +4095,7 @@ Controls the output method used by
module:
.Bl -tag -width indent
.It Cm 0
-A packet is handled by
+A packet is handled by
.Nm ipfw
twice.
First time an original packet is handled by
@@ -4277,11 +4286,11 @@ ruleset to minimize the amount of work scanning the ruleset.
Your mileage may vary.
.Pp
For more complex scenarios with dynamic rules
-.Cm record-state
+.Cm record-state
and
.Cm defer-action
can be used to precisely control creation and checking of dynamic rules.
-Example of usage of these options are provided in
+Example of usage of these options are provided in
.Sx NETWORK ADDRESS TRANSLATION (NAT)
Section.
.Pp
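Review bot: the rewritten line "Example of usage of these options are provided in" still has a number disagreement between subject and verb; suggest "Examples of usage of these options are provided in" (or "An example ... is provided in") while the line is being edited for trailing whitespace.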
@@ -4552,21 +4561,24 @@ or it could be split in:
.Dl "ipfw nat 5 config redirect_port tcp"
.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500"
.Pp
-Sometimes you may want to mix NAT and dynamic rules. It could be achieved with
+Sometimes you may want to mix NAT and dynamic rules.
+It could be achieved with
.Cm record-state
and
.Cm defer-action
-options. Problem is, you need to create dynamic rule before NAT and check it
+options.
+Problem is, you need to create dynamic rule before NAT and check it
after NAT actions (or vice versa) to have consistent addresses and ports.
Rule with
.Cm keep-state
option will trigger activation of existing dynamic state, and action of such
-rule will be performed as soon as rule is matched. In case of NAT and
+rule will be performed as soon as rule is matched.
+In case of NAT and
.Cm allow
rule packet need to be passed to NAT, not allowed as soon is possible.
.Pp
-There is example of set of rules to achieve this. Bear in mind that this
-is example only and it is not very useful by itself.
+There is example of set of rules to achieve this.
+Bear in mind that this is example only and it is not very useful by itself.
.Pp
On way out, after all checks place this rules:
.Pp
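Review bot: the sentence splits in this hunk preserve two grammar problems worth fixing in the same pass: "rule packet need to be passed to NAT, not allowed as soon is possible" reads better as "rule the packet needs to be passed to NAT rather than allowed as soon as possible", and "place this rules:" should be "place these rules:".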
@@ -4579,10 +4591,11 @@ And on way in there should be something like this:
.Dl "ipfw add check-state"
.Pp
Please note, that first rule on way out doesn't allow packet and doesn't
-execute existing dynamic rules. All it does, create new dynamic rule with
+execute existing dynamic rules.
+All it does, create new dynamic rule with
.Cm allow
-action, if it is not created yet. Later, this dynamic rule is used on way
-in by
+action, if it is not created yet.
+Later, this dynamic rule is used on way in by
.Cm check-state
rule.
.Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
@@ -4593,7 +4606,7 @@ AQM can be configured for
.Nm dummynet
.Cm pipe
or
-.Cm queue.
+.Cm queue .
.Pp
To configure a
.Cm pipe
@@ -4665,7 +4678,7 @@ to 10ms, we do:
.Dl "ipfw sched 1 config pipe 1 type fq_codel target 10ms noecn"
.Pp
Similar to
-.Cm fq_codel,
+.Cm fq_codel ,
to configure
.Cm fq_pie
scheduler using different configurations parameters for traffic from