path: root/sbin/ipf
Commit message (Author, Age, Files, Lines)
* ipfilter: replace defunct home page link with FAQ URL (Ed Maste, 2022-11-15, 1 file, -2/+1)
| ipfilter.org disappeared in mid 2004. There is still a FAQ at https://www.phildev.net/ipf so point to that.
* ipfilter: Removed unused ioctl typedef (Cy Schubert, 2022-10-09, 1 file, -6/+1)
| Defunct operating systems no longer pollute the ipfilter sources. Remove their typedefs.
| MFC after: 1 week
* ipfilter/libipf: printpool_live() consumer ignores return code (Cy Schubert, 2022-09-22, 2 files, -4/+4)
| The single consumer of printpool_live() ignores the return code. Avoid wasting resources on this.
| MFC after: 2 weeks
* ipfilter/ippool: Return error code when listing a pool fails (Cy Schubert, 2022-09-22, 1 file, -26/+37)
| When an internal or other error occurs during the listing of a pool, return an error code when exiting ippool(8). Printing an error to stderr without returning an error code is useless in shell scripts.
| MFC after: 2 weeks
* ipfilter/ippool: Dump a copy of ippool in ippool.conf format (Cy Schubert, 2022-09-22, 4 files, -6/+27)
| Add an ippool(8) option to dump a copy of the in-memory ippool tables in an ippool(5) format so that it can be reloaded using ippool -f.
| MFC after: 2 weeks
* ipf.4: Correct a typo in the manual page (Gordon Bergling, 2022-09-04, 1 file, -1/+1)
| - s/occured/occurred/
| MFC after: 3 days
* ipfilter: Support only jails in VNET (Cy Schubert, 2022-07-07, 1 file, -1/+3)
| Jails without VNET have complete access to the ipfilter rules, NAT, pools and logs. This is insecure. Only allow jails to manipulate ipfilter rules, NAT tables and ippools if the jail has its own VNET. Otherwise a jail can affect the global system. This patch brings ipfilter in line with ipfw's support of VNET jails and non-support of non-VNET jails.
| MFC after: 1 week
* ipnat(5): Fix a double word in the manual page (Gordon Bergling, 2022-04-09, 1 file, -1/+1)
| - s/be be/be/
| MFC after: 3 days
* ipf(5): Fix a typo in the manual page (Gordon Bergling, 2022-04-02, 1 file, -1/+1)
| - s/accomodate/accommodate/
| MFC after: 3 days
* ipfilter: Reliably print the interface name (Cy Schubert, 2022-03-03, 1 file, -9/+5)
| When printing the interface name from the ipstate_t struct the interface name in is_ifp may not always be available when reading it from kmem (tested on FreeBSD and NetBSD). However the is_ifname (the interface name character string) is almost always available -- it is not available when the source of the packet is a process running on the firewall itself. Rather than print both interface name strings, print only the one.
| MFC after: 1 week
* ipfilter: Obtain the interface name more efficiently (Cy Schubert, 2022-03-03, 1 file, -2/+2)
| Rather than use a kmem read to determine the interface name used by a nat_t structure through a pointer, nat_ipfs->netif->if_xname, obtain it directly from nat_ifnames in the nat_t structure itself using the new FORMAT_IF macro.
| MFC after: 1 week
* ipfilter: Introduce the new FORMAT_IF macro (Cy Schubert, 2022-03-03, 1 file, -0/+1)
| Interface names stored in the ipstate_t and ipnat_t structures can be NULL. This occurs when an application, such as named, is running on the firewall machine itself. For example an application, i.e. named, running on the firewall itself will cause a state table display and NAT mapping display to show a null ingress interface and its egress interface. This is perfectly valid but confusing to human eyes. Rather than print nothing, print "(null)".
| MFC after: 1 week
* ipfilter: Print protocol when listing NAT table mappings (Cy Schubert, 2022-02-28, 1 file, -0/+17)
| NAT table mappings list only the source and destination IP, the source and destination port numbers, and their mappings. But the protocol is not listed. Now that Facebook and Google use QUIC, seeing port 443 in a list of active NAT sessions could mean 443/tcp or 443/udp. This patch adds the protocol to the listing to aid in determining whether HTTPS is TCP or QUIC in a NAT mapping listing. This also helps differentiating between other protocols such as ICMP, ESP, and AH in ipnat list of active sessions.
| MFC after: 1 week
* ipfilter: Restore ipfsync (Cy Schubert, 2022-01-08, 3 files, -0/+1201)
| ipfsync is a WIP sync daemon designed to be used in a failover scenario. It was removed by 5ee61c7daa511927aae8652d6a3ea78866a50ef8. This commit restores its three files. ipfsync is in my work queue.
| MFC after: 10 days
| X-MFC with: 5ee61c7daa511927aae8652d6a3ea78866a50ef8
* ipfilter: Fix manpage typos (Cy Schubert, 2022-01-04, 5 files, -6/+6)
| Reported by: jrtc27
| Fixes: 2582ae5740181e0d2bab10003d66ae91c9b56329
| MFC after: 1 month
* ipfilter userland: Fix typos (Cy Schubert, 2022-01-04, 1 file, -4/+4)
| Reported by: netchild
| Fixes: 2582ae5740181e0d2bab10003d66ae91c9b56329
| MFC after: 1 month
* ipfilter userland: Fix branch mismerge (Cy Schubert, 2022-01-04, 1 file, -44/+27)
| The work to ANSIfy and adjust returns to style(9) resulted in a mismerge of a stash when ipfilter was moved from contrib to sbin. An older file replaced WIP at the time, resulting in a regression. The majority of this work was done in 2018 saved as git stashes within a git-svn tree and migrated to the git tree. The regression occurred when the various stashes were sequentially merged to create individual commits, following the ipfilter move to netpfil and sbin.
| Reported by: jrtc27
| Fixes: 2582ae5740181e0d2bab10003d66ae91c9b56329
| Pointy hat to: cy
| MFC after: 1 month
* ipfilter userland: Style(9) requires a space after return (Cy Schubert, 2022-01-04, 105 files, -778/+778)
| Reported by: jrtc27
| Fixes: 2582ae5740181e0d2bab10003d66ae91c9b56329
| MFC after: 1 month
* ipfilter: Fix typos (Cy Schubert, 2022-01-04, 1 file, -4/+4)
| Reported by: jrtc27
| Fixes: 2582ae5740181e0d2bab10003d66ae91c9b56329
| MFC after: 1 month
* ipfilter userland: Fix whitespace errors (Cy Schubert, 2022-01-04, 6 files, -20/+20)
| Replace leading spaces with tabs on affected lines.
| MFC after: 1 month
* ipfilter userland: Remove trailing whitespace (Cy Schubert, 2022-01-04, 7 files, -14/+14)
| MFC after: 1 month
* ipfilter: Adjust userland returns to conform to style(9) (Cy Schubert, 2022-01-04, 117 files, -948/+965)
| Adjust ipfilter's userland return statements to conform to style(9).
| MFC after: 1 month
* ipfilter: INLINE --> inline (Cy Schubert, 2022-01-04, 1 file, -3/+3)
| Replace the INLINE macro with inline. Some ancient compilers supported __inline__ instead of inline. The INLINE hack compensated for it. Ancient compilers are history.
| Reported by: glebius
| MFC after: 1 month
* ipfilter: ANSIfy userland function declarations (Cy Schubert, 2022-01-04, 154 files, -1594/+837)
| Convert ipfilter userland function declarations from K&R to ANSI. This syncs our function declarations with NetBSD hg commit 75edcd7552a0 (apply our changes). Though not copied from NetBSD, this change was partially inspired by NetBSD's work and inspired by style(9).
| Reviewed by: glebius (for #network)
| MFC after: 1 month
| Differential Revision: https://reviews.freebsd.org/D33595
* ipfilter userland: Revert the ipmon part of a6fb9bbea731 (Cy Schubert, 2021-12-27, 2 files, -65/+61)
| a6fb9bbea731 caused incorrect formatting of ipmon log output.
| Fixes: a6fb9bbea7318e993dfe0f8a7f00821f79850b26
| MFC after: immediately
* ipfilter userland: Path fixup no longer required (Cy Schubert, 2021-12-27, 5 files, -7/+0)
| Since the move of ipfilter from contrib to sbin adjusting the source path is no longer required.
| Fixes: 41edb306f05651fcaf6c74f9e3557f59f80292e1
| MFC after: 1 month
* ipfilter: Move userland bits to sbin (Cy Schubert, 2021-12-20, 222 files, -9/+46167)
| Through fixes and improvements our ipfilter sources have diverged enough to warrant a move from contrib into sbin/ipf. Now that I'm planning on implementing MSS clamping as in iptables it makes more sense to move ipfilter to sbin. This is the second of three commits of the ipfilter move. Suggested by glebius on two occasions.
| Suggested by and discussed with: glebius
| Reviewed by: glebius, kp (for #network)
| MFC after: 1 month
| Differential Revision: https://reviews.freebsd.org/D33510
* ipfilter: Move kernel bits to netpfil (Cy Schubert, 2021-12-20, 2 files, -2/+2)
| Through fixes and improvements our ipfilter sources have diverged enough to warrant a move from contrib into sys/netpfil. Now that I'm planning on implementing MSS clamping as in iptables it makes more sense to move ipfilter to netpfil. This is the first of three commits of the ipfilter move. Suggested by glebius on two occasions.
| Suggested by and discussed with: glebius
| Reviewed by: glebius, kp (for #network)
| MFC after: 1 month
| Differential Revision: https://reviews.freebsd.org/D33510
* ncurses: chase dependency changes in the source tree (Baptiste Daroussin, 2021-10-04, 1 file, -1/+1)
| Differential Revision: https://reviews.freebsd.org/D32098
* Create a link to the ipmon.conf.5 man page as documented in ipmon.5. (Cy Schubert, 2019-06-27, 1 file, -0/+1)
| Add its corresponding optional removal entry.
| PR: 238816
| MFC after: 1 week
| Notes: svn path=/head/; revision=349452
* Add the ipmon.5 man page. (Cy Schubert, 2019-06-27, 1 file, -1/+1)
| PR/238816 initially addressed updates to usage() however the PR has morphed into a shopping list of updates to usage() and man pages.
| PR: 238816 (I added to the list during discussion)
| MFC after: 1 week
| Notes: svn path=/head/; revision=349449
* rescue ipf: Remove hacks and link in libipf directly. (Bryan Drewery, 2017-11-10, 1 file, -4/+1)
| Sponsored by: Dell EMC Isilon
| Notes: svn path=/head/; revision=325632
* DIRDEPS_BUILD: Update dependencies. (Bryan Drewery, 2017-10-31, 8 files, -8/+0)
| Sponsored by: Dell EMC Isilon
| Notes: svn path=/head/; revision=325188
* Disconnect ipftest and ipresend from the build until it can be verified (Cy Schubert, 2017-03-14, 1 file, -1/+3)
| that they still work. These utilities have become out of sync with the code in the kernel and need work to bring them back into shape. Most people test on real systems or VMs on real networks.
| Suggested by: glebius
| Notes: svn path=/head/; revision=315223
* Revert r315218 so that it may be committed together with r315219. (Cy Schubert, 2017-03-14, 1 file, -3/+1)
| Notes: svn path=/head/; revision=315222
* Disconnect ipftest and ipresend from the build until it can be verified (Cy Schubert, 2017-03-14, 1 file, -1/+3)
| that they still work. These utilities have become out of sync with the code in the kernel and need work to bring them back into shape. Most people test on real systems or VMs on real networks.
| Suggested by: glebius
| Notes: svn path=/head/; revision=315218
* sbin: normalize paths using SRCTOP-relative paths or :H when possible (Enji Cooper, 2017-03-04, 4 files, -12/+12)
| This simplifies make logic/output
| MFC after: 1 month
| Sponsored by: Dell EMC Isilon
| Notes: svn path=/head/; revision=314656
* MFH (Glen Barber, 2016-03-02, 5 files, -76/+0)
|\
| | Sponsored by: The FreeBSD Foundation
| | Notes: svn path=/projects/release-pkg/; revision=296318
| * DIRDEPS_BUILD: Regenerate without local dependencies. (Bryan Drewery, 2016-02-24, 5 files, -76/+0)
| | These are no longer needed after the recent 'beforebuild: depend' changes and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports skipping 'make depend'.
| | Sponsored by: EMC / Isilon Storage Division
| | Notes: svn path=/head/; revision=295989
* | Create packages for atm, ccdconfig, devd, ipf, ipfw, (Glen Barber, 2016-02-09, 9 files, -0/+9)
|/
| iscsi, natd, nandfs, pf, quotacheck, and routed. Add ping6 and rtsol to the runtime package.
| Sponsored by: The FreeBSD Foundation
| Notes: svn path=/projects/release-pkg/; revision=295448
* For INTERNALLIB always add in the corresponding _DP_ and use LIBADD in (Bryan Drewery, 2015-12-04, 1 file, -0/+2)
| the real build file. This lessens the need to define DPADD_<lib> and LDADD_<lib> to just very special cases.
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=291735
* Don't add LIBADD=ipf to libipf itself. (Bryan Drewery, 2015-12-01, 1 file, -0/+2)
| This had no real impact since libipf is a static INTERNALLIB. It does conflict with an assertion I am adding for LIBADD though.
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=291621
* Update dependencies after r291406 added libelf to libkvm. (Bryan Drewery, 2015-12-01, 8 files, -0/+8)
| Unfortunately filemon/meta mode tracks all indirect dependencies here since ld(1) is reading libelf when linking in libkvm. Churn would be reduced if this was able to be limited to direct dependencies.
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=291558
* Remove redundant DPSRCS which were already in SRCS. (Bryan Drewery, 2015-11-25, 5 files, -9/+0)
| DPSRCS already contains all of SRCS.
| MFC after: 1 week
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=291329
* META_MODE: For some reason meta mode cannot generate the intermediate tab.c (Bryan Drewery, 2015-10-02, 1 file, -6/+18)
| files. Split up all of the targets to be more clear on how they are generated to fix the problem.
| MFC after: 2 weeks
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=288477
* Add SUBDIR_PARALLEL. (Bryan Drewery, 2015-09-26, 1 file, -1/+2)
| MFC after: 2 weeks
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=288249
* Remove disconnected directories. (Bryan Drewery, 2015-09-26, 4 files, -68/+0)
| These were added disconnected in 2005 in r145524.
| Sponsored by: EMC / Isilon Storage Division
| Notes: svn path=/head/; revision=288248
* Update META_MODE dependencies. (Bryan Drewery, 2015-09-17, 1 file, -0/+6)
| Notes: svn path=/head/; revision=287905
* Add META_MODE support. (Simon J. Gerraty, 2015-06-13, 9 files, -0/+261)
|\
| | Off by default, build behaves normally. WITH_META_MODE we get auto objdir creation, the ability to start build from anywhere in the tree. Still need to add real targets under targets/ to build packages.
| | Differential Revision: D2796
| | Reviewed by: brooks imp
| | Notes: svn path=/head/; revision=284345
| * dirdeps.mk now sets DEP_RELDIR (Simon J. Gerraty, 2015-06-08, 9 files, -18/+0)
| | Notes: svn path=/projects/bmake/; revision=284172