path: root/sbin/ipfw
Commit log (each entry: commit message, author, date, files changed, lines removed/added, trailers)
* Minor grammar fix
  Author: Chris Rees, Date: 2013-12-21, Files: 1, Lines: -2/+1

  PR: docs/185057
  Submitted by: Yuri (yuri@rawbw.com)
  Approved by: gjb (mentor)
  Notes: svn path=/head/; revision=259697
* Add net.inet.ip.fw.dyn_keep_states sysctl which re-links dynamic states to
  default rule instead of flushing on rule deletion.
  Author: Alexander V. Chernikov, Date: 2013-12-18, Files: 1, Lines: -0/+5

  This can be useful while performing ruleset reload (think about `atomic`
  reload via changing sets).
  Currently it is turned off by default.

  MFC after: 2 weeks
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=259568
* Check ipfw table numbers in both user and kernel space before rule addition.
  Author: Alexander V. Chernikov, Date: 2013-11-28, Files: 2, Lines: -10/+37

  Found by: Saychik Pavel <umka@localka.net>
  MFC after: 2 weeks
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=258708
* Fix key lookup in ipfw(8) broken since r232865.
  Author: Alexander V. Chernikov, Date: 2013-11-27, Files: 1, Lines: -2/+13

  Print warning for IPv4 address strings which are valid in inet_aton() but not
  valid in inet_pton(). (1)

  Found by: Özkan KIRIK <ozkan.kirik@gmail.com>
  Submitted by: Ian Smith <smithi@nimnet.asn.au> (1)
  MFC after: 2 weeks
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=258677
* Remove duplicated paragraph.
  Author: Stefan Eßer, Date: 2013-07-24, Files: 1, Lines: -10/+0

  MFC after: 3 days
  Notes: svn path=/head/; revision=253597
* Fix ipfw(8) sets of ipv6 addresses handling.
  Author: Alexander V. Chernikov, Date: 2013-05-18, Files: 1, Lines: -14/+24

  Conditionally use stack buffer instead of calling strdup().

  PR: bin/104921
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=250759
* Minor spelling and grammar fixes.
  Author: Joel Dahl, Date: 2013-04-11, Files: 1, Lines: -1/+1

  Notes: svn path=/head/; revision=249375
* Remove EOL whitespace.
  Author: Joel Dahl, Date: 2013-03-21, Files: 1, Lines: -1/+1

  Notes: svn path=/head/; revision=248578
* Remove unused variable.
  Author: Alexander V. Chernikov, Date: 2013-03-20, Files: 1, Lines: -2/+1

  Notes: svn path=/head/; revision=248553
* Add ipfw support for setting/matching DiffServ codepoints (DSCP).
  Author: Alexander V. Chernikov, Date: 2013-03-20, Files: 3, Lines: -0/+221

  Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6
  packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
  Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via
  tablearg.

  Matching DSCP is done via another opcode (O_DSCP) which accepts several
  classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

  Many people made their variants of this patch, the ones I'm aware of are (in
  alphabetic order):
  Dmitrii Tejblum
  Marcelo Araujo
  Roman Bogorodskiy (novel)
  Sergey Matveichuk (sem)
  Sergey Ryabin

  PR: kern/102471, kern/121122
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=248552
* Do not suddenly fail on some rulesets if -n (syntax check only) is specified
  and ipfw(4) module is not loaded.
  Author: Alexander V. Chernikov, Date: 2013-03-04, Files: 1, Lines: -4/+13

  MFC after: 2 weeks
  Notes: svn path=/head/; revision=247811
* Implement buffer size checking in ipfw(8) add cmd.
  Author: Alexander V. Chernikov, Date: 2013-03-03, Files: 3, Lines: -62/+125

  PR: bin/65961
  Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru>
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=247712
* Fix ipfw table argument parsing/printing.
  Author: Alexander V. Chernikov, Date: 2013-03-02, Files: 1, Lines: -54/+92

  Fix style.

  PR: kern/175909
  Submitted by: Daniel Hagerty <hag@linnaean.org>
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=247666
* Remove the recently added sysctl variable net.pfil.forward.
  Author: Andrey V. Elsukov, Date: 2012-11-02, Files: 1, Lines: -8/+0

  Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP.
  Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD
  tag. And do a tag lookup only when this flag is set.

  Suggested by: andre
  Notes: svn path=/head/; revision=242463
* Remove the IPFIREWALL_FORWARD kernel option and make possible to turn on the
  related functionality in the runtime via the sysctl variable net.pfil.forward.
  It is turned off by default.
  Author: Andrey V. Elsukov, Date: 2012-10-25, Files: 1, Lines: -3/+6

  Sponsored by: Yandex LLC
  Discussed with: net@
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=242079
* Whitespace fixes
  Author: Alexander V. Chernikov, Date: 2012-09-24, Files: 1, Lines: -13/+13

  MFC after: 2 weeks
  Notes: svn path=/head/; revision=240893
* Permit table to be used as IPv6 address.
  Author: Alexander V. Chernikov, Date: 2012-09-24, Files: 1, Lines: -2/+26

  Reported by: Serhiy Popov <sergiuspso@ukr.net>
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=240892
* Fix grammar in the portion about FIBs. Also, cross-reference setfib(2)
  instead of setfib(1) for the 16-FIB limit.
  Author: Benjamin Kaduk, Date: 2012-09-18, Files: 1, Lines: -9/+11

  PR: docs/157452
  Approved by: hrs (mentor)
  Notes: svn path=/head/; revision=240656
* Whitespace cleanup for ipfw.8 -- start each sentence on a new line, and put a
  comma after e.g. and i.e.. While here, wrap long lines.
  Author: Benjamin Kaduk, Date: 2012-09-18, Files: 1, Lines: -33/+58

  PR: docs/157452
  Approved by: hrs (mentor)
  Notes: svn path=/head/; revision=240628
* Remove unused values
  Author: Kevin Lo, Date: 2012-09-11, Files: 1, Lines: -3/+3

  Notes: svn path=/head/; revision=240351
* remove the last __unused instance in sbin/ipfw.
  Author: Luigi Rizzo, Date: 2012-07-30, Files: 1, Lines: -1/+2

  This particular function (show_prerequisites() ) we should actually remove
  the argument from the callers as well, but i'll do it at a later time.

  Notes: svn path=/head/; revision=238903
* Fix some compile errors at high WARNS, including one for an uninitialized
  variable.
  Author: Luigi Rizzo, Date: 2012-07-30, Files: 3, Lines: -8/+13

  unused parameters and variables are annotated with

      (void)foo; /* UNUSED */

  instead of __unused, because this code needs to build also on linux and
  windows.

  Notes: svn path=/head/; revision=238900
* In ipfw(8), make the text about dynamic rules consistent.
  Author: Isabell Long, Date: 2012-07-16, Files: 1, Lines: -3/+5

  PR: docs/120539
  Approved by: gabor (mentor)
  MFC after: 5 days
  Notes: svn path=/head/; revision=238540
* Make ipfw0 logging pseudo-interface clonable. It can be created automatically
  by $firewall_logif rc.conf(5) variable at boot time or manually by
  ifconfig(8) after a boot.
  Author: Hiroki Sato, Date: 2012-07-09, Files: 1, Lines: -2/+17

  Discussed on: freebsd-ipfw@
  Notes: svn path=/head/; revision=238277
* - Make ipfw's sched rules case insensitive, for user-friendliness.
  Author: Isabell Long, Date: 2012-07-03, Files: 1, Lines: -5/+6

  - Add a note to the ipfw(8) man page about the rules no longer being case
    sensitive.
  - Fix some typos in the man page.

  PR: docs/164772
  Reviewed by: bz
  Approved by: gabor (doc mentor, src committer)
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=238063
* Update maximum number of tables available in ipfw to reflect changes done in
  r233478.
  Author: Alexander V. Chernikov, Date: 2012-06-09, Files: 1, Lines: -2/+2

  Approved by: kib (mentor)
  MFC after: 3 days
  Notes: svn path=/head/; revision=236824
* mdoc: use Po and Pc macros instead of parens. Also avoid starting a line
  with Ns.
  Author: Joel Dahl, Date: 2012-05-12, Files: 1, Lines: -2/+2

  Notes: svn path=/head/; revision=235344
* Remove trailing whitespace per mdoc lint warning
  Author: Eitan Adler, Date: 2012-03-29, Files: 1, Lines: -51/+51

  Discussed with: gavin
  No objection from: doc
  Approved by: joel
  MFC after: 3 days
  Notes: svn path=/head/; revision=233648
* - Permit number of ipfw tables to be changed in runtime.
  Author: Alexander V. Chernikov, Date: 2012-03-25, Files: 2, Lines: -10/+4

    net.inet.ip.fw.tables_max is now read-write.
  - Bump IPFW_TABLES_MAX to 65535
    Default number of tables is still 128
  - Remove IPFW_TABLES_MAX from ipfw(8) code.

  Sponsored by: Yandex LLC
  Approved by: kib (mentor)
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=233478
* Remove superfluous paragraph macro.
  Author: Joel Dahl, Date: 2012-03-25, Files: 1, Lines: -11/+0

  Notes: svn path=/head/; revision=233458
* - Add ipfw eXtended tables permitting radix to be used for any kind of keys.
  Author: Alexander V. Chernikov, Date: 2012-03-12, Files: 2, Lines: -80/+232

  - Add support for IPv6 and interface extended tables
  - Make number of tables to be loader tunable in range 0..65534.
  - Use IP_FW3 opcode for all new extended table cmds

  No ABI changes are introduced. Old userland will see valid tables for IPv4
  tables and no entries otherwise. Flush works for any table.

  IP_FW3 socket option is used to encapsulate all new opcodes:

      /* IP_FW3 header/opcodes */
      typedef struct _ip_fw3_opheader {
          uint16_t opcode;      /* Operation opcode */
          uint16_t reserved[3]; /* Align to 64-bit boundary */
      } ip_fw3_opheader;

  New opcodes added:
  IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

  ipfw(8) table argument parsing behavior is changed:
  'ipfw table 999 add host' now assumes 'host' to be interface name instead of
  hostname.

  New tunable:
  net.inet.ip.fw.tables_max controls number of table supported by ipfw in given
  VNET instance. 128 is still the default value.

  New syntax:
  ipfw add skipto tablearg ip from any to any via table(42) in
  ipfw add skipto tablearg ip from any to any via table(4242) out

  This is a bit hackish, special interface name '\1' is used to signal
  interface table number is passed in p.glob field.

  Sponsored by: Yandex LLC
  Reviewed by: ae
  Approved by: ae (mentor)
  MFC after: 4 weeks
  Notes: svn path=/head/; revision=232865
* remove some write-only variables.
  Author: Luigi Rizzo, Date: 2012-03-01, Files: 1, Lines: -7/+2

  There is another block of code that is now useless as the computation is
  done in the kernel.

  Notes: svn path=/head/; revision=232347
* Correct capitalization of "Hz" in user-visible text (manpages, printf(),
  etc).
  Author: Gavin Atkinson, Date: 2012-02-28, Files: 1, Lines: -1/+1

  MFC after: 3 days
  Notes: svn path=/head/; revision=232250
* Bump .Dd for r231076.
  Author: Gleb Smirnoff, Date: 2012-02-06, Files: 1, Lines: -1/+1

  Submitted by: bz
  Notes: svn path=/head/; revision=231078
* Make the 'tcpwin' option of ipfw(8) accept ranges and lists.
  Author: Gleb Smirnoff, Date: 2012-02-06, Files: 2, Lines: -7/+18

  Submitted by: sem
  Notes: svn path=/head/; revision=231076
* Spelling fixes for sbin/
  Author: Ulrich Spörlein, Date: 2012-01-07, Files: 2, Lines: -5/+5

  Notes: svn path=/head/; revision=229778
* Replace index() and rindex() calls with strchr() and strrchr().
  Author: Ed Schouten, Date: 2012-01-03, Files: 1, Lines: -5/+5

  The index() and rindex() functions were marked LEGACY in the 2001 revision
  of POSIX and were subsequently removed from the 2008 revision. The strchr()
  and strrchr() functions are part of the C standard.

  This makes the source code a lot more consistent, as most of these C files
  also call into other str*() routines. In fact, about a dozen already perform
  strchr() calls.

  Notes: svn path=/head/; revision=229403
* - Add fallthrough comment
  Author: Eitan Adler, Date: 2011-12-24, Files: 1, Lines: -0/+1

  Approved by: pluknet
  Found with: Coverity Prevent(tm)
  CID: 10125
  Notes: svn path=/head/; revision=228871
* Fix parsing of redirect_addr argument.
  Author: Gleb Smirnoff, Date: 2011-11-23, Files: 1, Lines: -1/+2

  PR: kern/162739
  MFC after: 3 days
  Notes: svn path=/head/; revision=227901
* - fix duplicate "a a" in some comments
  Author: Eitan Adler, Date: 2011-11-13, Files: 1, Lines: -1/+1

  Submitted by: eadler
  Approved by: simon
  MFC after: 3 days
  Notes: svn path=/head/; revision=227489
* Note that NAT instance argument can be tablearg.
  Author: Gleb Smirnoff, Date: 2011-11-10, Files: 1, Lines: -2/+2

  PR: misc/162265
  Submitted by: Paul Procacci <pprocacci gmail.com>
  Notes: svn path=/head/; revision=227419
* Add support for IPv6 to ipfw fwd:
  Author: Bjoern A. Zeeb, Date: 2011-08-20, Files: 2, Lines: -22/+90

  Distinguish IPv4 and IPv6 addresses and optional port numbers in user space
  to set the option for the correct protocol family.
  Add support in the kernel for carrying the new IPv6 destination address and
  port.
  Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change the
  address in the IP header.
  Add support for IPv6 forwarding to a non-local destination.
  Add a regression test utilizing VIMAGE to check all 20 possible combinations
  I could think of.

  Obtained from: David Dolson at Sandvine Incorporated (original version for
                 ipfw fwd IPv6 support)
  Sponsored by: Sandvine Incorporated
  PR: bin/117214
  MFC after: 4 weeks
  Approved by: re (kib)
  Notes: svn path=/head/; revision=225044
* Fix a regression where a rule containing a source port option after a
  destination IP would incorrectly display the source port as a destination
  port.
  Author: John Baldwin, Date: 2011-08-17, Files: 1, Lines: -0/+2

  Reviewed by: luigi
  Approved by: re (kib)
  MFC after: 1 week
  Notes: svn path=/head/; revision=224942
* Add new rule actions "call" and "return" to ipfw. They make possible to
  organize subroutines with rules.
  Author: Andrey V. Elsukov, Date: 2011-06-29, Files: 3, Lines: -1/+106

  The "call" action saves the current rule number in the internal stack and
  rules processing continues from the first rule with specified number
  (similar to skipto action). If later a rule with "return" action is
  encountered, the processing returns to the first rule with number of "call"
  rule saved in the stack plus one or higher.

  Submitted by: Vadim Goncharov
  Discussed by: ipfw@, luigi@
  Notes: svn path=/head/; revision=223666
* Improve error reporting. Use corresponding error message when file to be
  preprocessed is missing. Also suggest to use absolute pathname if -p option
  is specified.
  Author: Andrey V. Elsukov, Date: 2011-06-29, Files: 1, Lines: -4/+11

  PR: bin/156653
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=223661
* Actually, if code had followed style(9), there would be less stupid errors
  like the one fixed in r223416.
  Author: Gleb Smirnoff, Date: 2011-06-24, Files: 1, Lines: -15/+30

  Noticed by: julian
  Notes: svn path=/head/; revision=223499
* One more braino from me.
  Author: Gleb Smirnoff, Date: 2011-06-22, Files: 1, Lines: -3/+6

  Pointy hat to: glebius
  Submitted by: Alexander V. Chernikov <melifaro ipfw.ru>
  Notes: svn path=/head/; revision=223416
* Fix clang warnings.
  Author: Ben Laurie, Date: 2011-06-18, Files: 1, Lines: -1/+2

  Approved by: philip (mentor)
  Notes: svn path=/head/; revision=223262
* - Fix my braino in the 220835, when I used strtok(). It isn't applicable
    here, since it modifies the string. Switch to strchr().
  Author: Gleb Smirnoff, Date: 2011-06-17, Files: 1, Lines: -14/+32

  - Restore support for undocumented optional parameters of redir_port and
    redir_proto, that were disabled in 220835.
  - While here, change !isalpha() checks on optional parameters for isdigit().

  Submitted by: Alexander V. Chernikov <melifaro ipfw.ru>
  PR: kern/143653
  Notes: svn path=/head/; revision=223185
* Implement "global" mode for ipfw nat. It is similar to natd(8) "globalport"
  option for multiple NAT instances.
  Author: Andrey V. Elsukov, Date: 2011-06-14, Files: 4, Lines: -7/+45

  If ipfw rule contains "global" keyword instead of nat_number, then for each
  outgoing packet ipfw_nat looks up translation state in all configured nat
  instances. If an entry is found, packet aliased according to that entry,
  otherwise packet is passed unchanged. User can specify "skip_global" option
  in NAT configuration to exclude an instance from the lookup in global mode.

  PR: kern/157867
  Submitted by: Alexander V. Chernikov (previous version)
  Tested by: Eugene Grosbein
  Notes: svn path=/head/; revision=223080