path: root/sbin/ipfw
Commit message / Author / Age / Files / Lines
* Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.
  Author: Max Laier  Age: 2005-09-28  Files: 1  Lines: -4/+4
  Reminded by: ru
  Notes: svn path=/head/; revision=150675

* Add dynamic sysctl for net.inet6.ip6.fw.
  Author: Bjoern A. Zeeb  Age: 2005-08-13  Files: 2  Lines: -3/+89
  * Correct handling of IPv6 Extension Headers.
  * Add unreach6 code.
  * Add logging for IPv6.
  Submitted by: sysctl handling derived from patch from ume needed for ip6fw
  Obtained from: is_icmp6_query and send_reject6 derived from similar functions of netinet6,ip6fw
  Reviewed by: ume, gnn; silence on ipfw@
  Test setup provided by: CK Software GmbH
  MFC after: 6 days
  Notes: svn path=/head/; revision=149020

* Bump document date. Remove EOL whitespace introduced in previous commit. Start new line at sentence break in previous commit.
  Author: Colin Percival  Age: 2005-07-01  Files: 1  Lines: -3/+4
  Approved by: re (implicit, fixing a commit made 5 minutes ago)
  Notes: svn path=/head/; revision=147720

* Document some limitations of uid/gid rules.
  Author: Colin Percival  Age: 2005-07-01  Files: 1  Lines: -0/+11
  Approved by: re (rwatson)
  MFC after: 3 days
  Notes: svn path=/head/; revision=147719

* Markup fixes.
  Author: Ruslan Ermilov  Age: 2005-06-14  Files: 1  Lines: -4/+4
  Approved by: re (blanket)
  Notes: svn path=/head/; revision=147369

* add_proto() now fills proto for us, so stop 'guessing' the protocol from the command and rather trust the value add_proto filled in. While here, fix an oversight in the pretty printing of ip6/4 options.
  Author: Max Laier  Age: 2005-06-07  Files: 1  Lines: -5/+2
  Notes: svn path=/head/; revision=147105

* Better explain, then actually implement the IPFW ALTQ-rule first-match policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification.
  Author: Brian Feldman  Age: 2005-06-04  Files: 1  Lines: -2/+13
  MFC after: 1 week
  Notes: svn path=/head/; revision=146962

* Add support for IPv4-only rules to IPFW2 now that it supports IPv6 as well. This is the last requirement before we can retire ip6fw.
  Author: Max Laier  Age: 2005-06-03  Files: 2  Lines: -26/+71
  Reviewed by: dwhite, brooks (earlier version)
  Submitted by: dwhite (manpage)
  Silence from: -ipfw
  Notes: svn path=/head/; revision=146894

* Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults, and not every protocol is IPv6.
  Author: Max Laier  Age: 2005-05-21  Files: 1  Lines: -2/+1
  Notes: svn path=/head/; revision=146464

* 'ngtee' also depends on net.inet.ip.fw.one_pass.
  Author: Gleb Smirnoff  Age: 2005-05-11  Files: 1  Lines: -1/+3
  Notes: svn path=/head/; revision=146097

* IPFW version 2 is the only option now in HEAD. Do not confuse users of future releases with instructions about building IPFW2 on RELENG_4.
  Author: Gleb Smirnoff  Age: 2005-05-04  Files: 1  Lines: -45/+0
  Notes: svn path=/head/; revision=145865
* Fix the previous commit. I wanted to remove the if and always run the body, not remove both.
  Author: Brooks Davis  Age: 2005-04-26  Files: 1  Lines: -0/+1
  Reported by: ceri
  Pointy hat: brooks
  Notes: svn path=/head/; revision=145567

* Don't force IPv6 proto to be printed numerically.
  Author: Brooks Davis  Age: 2005-04-26  Files: 1  Lines: -2/+0
  Noticed by: ceri
  Notes: svn path=/head/; revision=145566

* Add IPv6 support to IPFW and Dummynet.
  Author: Brooks Davis  Age: 2005-04-18  Files: 2  Lines: -65/+820
  Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
  Notes: svn path=/head/; revision=145246

* Be more specific when complaining about bit masks.
  Author: Brooks Davis  Age: 2005-04-05  Files: 1  Lines: -2/+2
  Notes: svn path=/head/; revision=144687

* Bring back the full packet destination manipulation for 'ipfw fwd' with the kernel compile time option:
    options IPFIREWALL_FORWARD_EXTENDED
  This option has to be specified in addition to IPFIREWALL_FORWARD. With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break.
  Document the two kernel options.
  Author: Andre Oppermann  Age: 2005-02-22  Files: 1  Lines: -1/+14
  PR: kern/71910
  PR: kern/73129
  MFC after: 1 week
  Notes: svn path=/head/; revision=142248

* Expand *n't contractions.
  Author: Ruslan Ermilov  Age: 2005-02-13  Files: 1  Lines: -4/+4
  Notes: svn path=/head/; revision=141846

* Sort SEE ALSO.
  Author: Gleb Smirnoff  Age: 2005-02-07  Files: 1  Lines: -1/+1
  Submitted by: ru
  Notes: svn path=/head/; revision=141444

* Document how interaction with ng_ipfw node is configured.
  Author: Gleb Smirnoff  Age: 2005-02-05  Files: 1  Lines: -2/+23
  Notes: svn path=/head/; revision=141366

* Add an ng_ipfw node, implementing a quick and simple interface between ipfw(4) and netgraph(4) facilities.
  Author: Gleb Smirnoff  Age: 2005-02-05  Files: 1  Lines: -0/+22
  Reviewed by: andre, brooks, julian
  Notes: svn path=/head/; revision=141351

* Don't print extra " via " if we have already printed one. While here, slightly style brackets.
  Author: Gleb Smirnoff  Age: 2005-01-18  Files: 1  Lines: -4/+6
  PR: misc/75297
  MFC after: 1 week
  Notes: svn path=/head/; revision=140423

* Sort sections.
  Author: Ruslan Ermilov  Age: 2005-01-18  Files: 1  Lines: -27/+27
  Notes: svn path=/head/; revision=140415

* Markup nits.
  Author: Ruslan Ermilov  Age: 2005-01-15  Files: 1  Lines: -16/+14
  Notes: svn path=/head/; revision=140285

* Deprecate unmaintainable uses of strncmp to implement abbreviations.
  Author: Brooks Davis  Age: 2005-01-15  Files: 1  Lines: -60/+112
  This commit replaces those with two new functions that simplify the code and produce warnings that the syntax is deprecated. A small number of sensible abbreviations may be explicitly added based on user feedback.
  There were previously three types of strncmp use in ipfw:
  - Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av to match string or any shortened form of it. I have replaced this with a new function _substrcmp(av, "string") which returns 0 if av is a substring of "string", but emits a warning if av is not exactly "string".
  - The next type was two instances of strncmp(av, "by", 2) which allowed the abbreviation of bytes to "by", "byt", etc. Unfortunately, it also supported "bykHUygh&*g&*7*ui". I added a second new function _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but complains if the user doesn't spell out the word "bytes".
  - There is also one correct use of strncmp to match "table(" which might have another token after it without a space.
  Since I changed all the lines anyway, I also fixed the treatment of strncmp's return as a boolean in many cases. I also modified a few strcmp cases as well to be fully consistent.
  Notes: svn path=/head/; revision=140271
* Scheduled mdoc(7) sweep.
  Author: Ruslan Ermilov  Age: 2005-01-10  Files: 1  Lines: -1/+2
  Notes: svn path=/head/; revision=139987

* Write some bit mask limits in hex rather than decimal so they look less magic.
  Author: Brooks Davis  Age: 2005-01-07  Files: 1  Lines: -2/+2
  Notes: svn path=/head/; revision=139821

* Update the IPFW man page to reflect reality. mpsafenet=0 is no longer required when using ucred based rules.
  Author: Christian S.J. Peron  Age: 2004-12-10  Files: 1  Lines: -10/+0
  Pointed out by: seanc (thanks!)
  MFC after: 1 month
  Notes: svn path=/head/; revision=138643

* Remove a duplicate line from an apparent merge error in rev 1.63.
  Author: Brooks Davis  Age: 2004-11-25  Files: 1  Lines: -1/+0
  Notes: svn path=/head/; revision=138072

* Be more clear that "bridged" is a synonym for "layer2".
  Author: Ceri Davies  Age: 2004-11-03  Files: 1  Lines: -1/+2
  PR: docs/44400
  Submitted by: Constantin Stefanov <cstef at mail dot ru>
  Notes: svn path=/head/; revision=137173

* Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload. Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8) man pages.
  Author: Andre Oppermann  Age: 2004-10-22  Files: 1  Lines: -4/+4
  Notes: svn path=/head/; revision=136788

* Add a note to the man page warning users about possible lock order reversals and system lock ups if they are using ucred based rules while running with debug.mpsafenet=1. I am working on merging a shared locking mechanism into ipfw which should take care of this problem, but it still requires a bit more testing and review.
  Author: Christian S.J. Peron  Age: 2004-10-09  Files: 1  Lines: -0/+10
  Notes: svn path=/head/; revision=136335

* Reference altq(4) instead of pf.conf(5).
  Author: Brian Feldman  Age: 2004-10-08  Files: 1  Lines: -2/+2
  Tip of the hat to: mlaier
  Notes: svn path=/head/; revision=136248

* Commit forgotten documentation for "diverted" rules.
  Author: Brian Feldman  Age: 2004-10-08  Files: 1  Lines: -1/+2
  Notes: svn path=/head/; revision=136247

* Remove blindly-copied extra include path.
  Author: Brian Feldman  Age: 2004-10-03  Files: 1  Lines: -1/+0
  Notes: svn path=/head/; revision=136079

* Add support to IPFW for matching by TCP data length.
  Author: Brian Feldman  Age: 2004-10-03  Files: 2  Lines: -0/+29
  Notes: svn path=/head/; revision=136075

* Add the documentation for IPFW's diverted(-loopback|-output) matches.
  Author: Brian Feldman  Age: 2004-10-03  Files: 1  Lines: -0/+8
  Notes: svn path=/head/; revision=136074

* Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket).
  Author: Brian Feldman  Age: 2004-10-03  Files: 1  Lines: -0/+35
  Notes: svn path=/head/; revision=136073

* Remove accidentally-added O_DIVERTED section.
  Author: Brian Feldman  Age: 2004-10-03  Files: 1  Lines: -17/+0
  Notes: svn path=/head/; revision=136072
* Add to IPFW the ability to do ALTQ classification/tagging.
  Author: Brian Feldman  Age: 2004-10-03  Files: 3  Lines: -33/+258
  Notes: svn path=/head/; revision=136071

* Since "d" is an array of 32 bit values, it is more correct to change the cast from unsigned int to uint32_t.
  Author: Christian S.J. Peron  Age: 2004-09-21  Files: 1  Lines: -1/+1
  Pointed out by: luigi
  Notes: svn path=/head/; revision=135554

* Prepare for 5.x soon becoming -STABLE.
  Author: Ruslan Ermilov  Age: 2004-09-19  Files: 1  Lines: -8/+8
  Pointed out by: -current users
  Notes: svn path=/head/; revision=135465

* Make 'ipfw tee' behave as intended and designed. A tee'd packet is copied and sent to the DIVERT socket while the original packet continues with the next rule. Unlike a normally diverted packet, no IP reassembly attempts are made on tee'd packets and they are passed upwards totally unmodified.
  Note: This will not be MFC'd to 4.x because of major infrastructure changes.
  Author: Andre Oppermann  Age: 2004-09-13  Files: 1  Lines: -13/+2
  PR: kern/64240 (and many others collapsed into that one)
  Notes: svn path=/head/; revision=135154

* Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered, making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints.
  The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information: the size of the instruction (in 32-bit words) in the low 6 bits of "len", with the 2 remaining bits to implement OR and NOT. The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes.
  This may be an MFC candidate for RELENG_5.
  Author: Christian S.J. Peron  Age: 2004-09-11  Files: 1  Lines: -3/+3
  Reviewed by: andre
  Approved by: luigi
  PR: kern/63961 (partially)
  Notes: svn path=/head/; revision=135089

* o Initialize a local variable and make gcc happy.
  Author: Maxim Konovalov  Age: 2004-09-10  Files: 1  Lines: -0/+2
  PR: bin/71485
  Submitted by: Jukka A. Ukkonen
  Notes: svn path=/head/; revision=135036

* o Restore a historical ipfw1 logamount behaviour: rules with 'log' keyword but without 'logamount' limit the amount of their log messages by net.inet.ip.fw.verbose_limit sysctl value.
  RELENG_5 candidate.
  Author: Maxim Konovalov  Age: 2004-08-29  Files: 1  Lines: -0/+7
  PR: kern/46080
  Submitted by: Dan Pelleg
  MFC after: 1 week
  Notes: svn path=/head/; revision=134475

* Fix 'show' command for pipes and queues.
  Author: Pawel Jakub Dawidek  Age: 2004-08-23  Files: 1  Lines: -1/+7
  PR: bin/70311
  Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
  MFC after: 3 days
  Notes: svn path=/head/; revision=134225

* Remove trailing whitespace and change "prisoniD" to "prisonID".
  Author: Christian S.J. Peron  Age: 2004-08-13  Files: 1  Lines: -2/+2
  Pointed out by: simon
  Approved by: bmilekic (mentor)
  Notes: svn path=/head/; revision=133607

* Add the ability to associate ipfw rules with a specific prison ID.
  Author: Christian S.J. Peron  Age: 2004-08-12  Files: 2  Lines: -0/+26
  Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes:
  - Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility.
  - Append the ipfw opcode list with O_JAIL.
  - While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage.
  - Add ``fw_prid'' to the ipfw ucred cache structure.
  - When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1.
  - Update man page to reflect these changes.
  This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be:
    ipfw add count ip from any to any jail 2
  It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations.
  Conceptual head nod by: pjd
  Reviewed by: rwatson
  Approved by: bmilekic (mentor)
  Notes: svn path=/head/; revision=133600

* New ipfw option "antispoof":
  Author: Andre Oppermann  Age: 2004-08-09  Files: 2  Lines: -3/+49
  For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came in on is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match.
  Usage example:
    ipfw add deny ip from any to any not antispoof in
  Manpage education by: ru
  Notes: svn path=/head/; revision=133387

* Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well. To quote the submitter:
  Author: Andre Oppermann  Age: 2004-07-21  Files: 1  Lines: -2/+2
  The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail.
  This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute.
  Submitted by: James Jun <james@towardex.com>
  Notes: svn path=/head/; revision=132510