path: root/sbin/ipfw
Commit log (each entry: commit message, then [author, date, files changed, -lines removed/+lines added]):
* Allow setting alias port ranges in libalias and ipfw. This will allow a system
  to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user,
  subnet) can have their own dedicated port aliasing ranges.
  Reviewed by: donner, kp
  Approved by: 0mp (mentor), donner, kp
  Differential Revision: https://reviews.freebsd.org/D23450
  [Neel Chauhan, 2021-02-02, 4 files, -1/+47]

* ipfw(8) crashes when ext6hdr option is omitted
  Verify that the option is passed, error out if it's not. The problem can be
  trivially triggered with `ipfw add allow ext6hdr`.
  PR: 253169
  Reviewed by: kp@
  MFC after: 3 days
  Differential Revision: https://reviews.freebsd.org/D28447
  [Evgeniy Khramtsov, 2021-02-01, 1 file, -0/+1]
* ipfw(8): Fix a few mandoc-related issues
  - no blank before trailing delimiter
  - missing section argument: Xr inet_pton
  - skipping paragraph macro: Pp before Ss
  - unusual Xr order: syslogd after sysrc
  - tab in filled text
  There were a few multiline NAT examples which used the .Dl macro with tabs.
  I converted them to .Bd, which is a more suitable macro for that case.
  MFC after: 1 week
  Notes: svn path=/head/; revision=368804
  [Gordon Bergling, 2020-12-19, 1 file, -48/+50]

* ipfw(8): Bugfixes for some issues reported by mandoc
  - whitespace at end of input line
  - new sentence, new line
  - skipping paragraph macro: Pp before Pp
  MFC after: 1 week
  Notes: svn path=/head/; revision=366402
  [Gordon Bergling, 2020-10-03, 1 file, -48/+61]
* Fix compatibility regression after r364117.
  Properly handle the case when some opcode keywords follow the `frag` opcode
  without additional options.
  Reported by: Evgeniy Khramtsov <evgeniy at khramtsov org>
  Notes: svn path=/head/; revision=365628
  [Andrey V. Elsukov, 2020-09-11, 1 file, -9/+16]

* Change printf format string to include the extra blank
  This is a follow-up change to r364321 after a discussion about the style.
  All nearby places use extra blanks in format strings, and while use of the
  format string to provide the extra blank may need more cycles than adding 1
  to twidth, it generates shorter code and is clearer in the opinion of some
  reviewers of the previous change.
  Not objected to by: emaste
  MFC after: 3 days
  Notes: svn path=/head/; revision=365030
  [Stefan Eßer, 2020-09-01, 1 file, -1/+1]

* ipfw(8): Fix typo in man page
  s/exmaple/example
  Approved by: manpages (gbe@)
  Differential Revision: https://reviews.freebsd.org/D26147
  Notes: svn path=/head/; revision=364459
  [Fernando Apesteguía, 2020-08-21, 1 file, -2/+2]

* ipfw: line up `ipfw -t list` with and without timestamp
  From the PR:
  When I run `ipfw -t list` on release/12 or current, I get misaligned output
  between lines that do and do not have a last match timestamp, like so:
  00100 Tue Aug 11 03:03:26 2020 allow ip from any to any via lo0
  00200 deny ip from any to 127.0.0.0/8
  (specifically, the "allow" and "deny" strings do not line up)
  PR: 248608
  Submitted by: Taylor Stearns
  MFC after: 3 days
  Notes: svn path=/head/; revision=364321
  [Ed Maste, 2020-08-17, 1 file, -1/+1]
* ipfw: make the "frag" keyword accept additional options "mf", "df", "rf"
  and "offset". This allows matching on specific bits of the ip_off field.
  For compatibility reasons, lack of a keyword means "offset".
  Reviewed by: ae
  Differential Revision: https://reviews.freebsd.org/D26021
  Notes: svn path=/head/; revision=364117
  [Gleb Smirnoff, 2020-08-11, 2 files, -10/+43]
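As an added example (not ipfw's or FreeBSD's code), the C below models what the extended frag keyword inspects: the RF/DF/MF bits and the 13-bit fragment offset of the IPv4 ip_off field. The bit masks are the header layout from <netinet/ip.h>; the frag_opt names, the two-mask interface, the negated ("!opt") form handled through want_clear, and the sample ip_off values are this example's own assumptions.

```c
/*
 * Added example, not ipfw's own code: what the extended "frag" keyword
 * inspects in the IPv4 header. The masks are the ip_off bit layout from
 * <netinet/ip.h>; the frag_opt names and the two-mask interface are
 * this example's own.
 */
#include <stdint.h>
#include <stdio.h>

#define IPOFF_RF      0x8000   /* reserved flag ("rf") */
#define IPOFF_DF      0x4000   /* don't fragment ("df") */
#define IPOFF_MF      0x2000   /* more fragments ("mf") */
#define IPOFF_OFFMASK 0x1fff   /* fragment offset, in 8-byte units */

/* The conditions a frag clause can name. */
enum frag_opt {
	FRAG_OFFSET = 1u << 0,   /* non-zero offset: not the first fragment */
	FRAG_MF     = 1u << 1,
	FRAG_DF     = 1u << 2,
	FRAG_RF     = 1u << 3,
};

/* Translate an ip_off value (host byte order) into the conditions it satisfies. */
unsigned
frag_flags(uint16_t ip_off)
{
	unsigned f = 0;

	if (ip_off & IPOFF_OFFMASK)
		f |= FRAG_OFFSET;
	if (ip_off & IPOFF_MF)
		f |= FRAG_MF;
	if (ip_off & IPOFF_DF)
		f |= FRAG_DF;
	if (ip_off & IPOFF_RF)
		f |= FRAG_RF;
	return f;
}

/*
 * Match a frag clause: every option in want_set must be present and every
 * option in want_clear (the "!opt" form) must be absent. A bare "frag"
 * (both masks zero) keeps the historical meaning, offset != 0, so it does
 * NOT match the first fragment, which has MF set but offset 0.
 */
int
frag_match(uint16_t ip_off, unsigned want_set, unsigned want_clear)
{
	unsigned have = frag_flags(ip_off);

	if (want_set == 0 && want_clear == 0)
		want_set = FRAG_OFFSET;
	return (have & want_set) == want_set && (have & want_clear) == 0;
}

int
main(void)
{
	/* Constructed ip_off values, not captured traffic. */
	const uint16_t first_frag = IPOFF_MF;        /* MF set, offset 0 */
	const uint16_t mid_frag   = IPOFF_MF | 3;    /* MF set, offset 24 bytes */
	const uint16_t last_frag  = 7;               /* MF clear, offset 56 bytes */
	const uint16_t df_pkt     = IPOFF_DF;

	printf("bare frag:   first=%d mid=%d last=%d\n",
	    frag_match(first_frag, 0, 0), frag_match(mid_frag, 0, 0),
	    frag_match(last_frag, 0, 0));
	printf("frag mf:     first=%d\n", frag_match(first_frag, FRAG_MF, 0));
	printf("frag df,!mf: df=%d mid=%d\n",
	    frag_match(df_pkt, FRAG_DF, FRAG_MF),
	    frag_match(mid_frag, FRAG_DF, FRAG_MF));
	return 0;
}
```

The practical point for a filtering policy: a bare `frag` rule never sees the first fragment (MF set, offset 0), which is the one carrying the transport header, so a policy that must act on every fragment of a datagram needs both `frag` and `frag mf`.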
* Fix SIGSEGV in ipfw(8) when NAT64 prefix length is omitted.
  Submitted by: Evgeniy Khramtsov <evgeniy at khramtsov org>
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D25734
  Notes: svn path=/head/; revision=363904
  [Andrey V. Elsukov, 2020-08-05, 2 files, -0/+6]

* [ipfw] quieten maybe-uninitialized errors in ipfw when compiled under
  mips-gcc-6.3.0.
  This is mostly an exercise in setting variables to NULL/0 when declared, but
  one was ensuring a string variable was set before printing it. We should
  never see "<unknown>" in a printed rule; if we do then this code definitely
  has some bugs that need addressing.
  Notes: svn path=/head/; revision=363173
  [Adrian Chadd, 2020-07-14, 4 files, -11/+10]

* ipfw(8): Handle unaligned pointers in pr_u64.
  struct _ipfw_dyn_rule is defined as packed, and as a result, its uint64_t
  fields are misaligned on some 32-bit platforms. Since pr_u64() is explicitly
  supposed to handle this case, avoid using a uint64_t * for the input pointer
  to make sure that the compiler won't (correctly) warn about the misalignment.
  Reported by: jenkins
  MFC with: r363164
  Notes: svn path=/head/; revision=363166
  [Mark Johnston, 2020-07-13, 2 files, -2/+2]
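The following is an added example, not ipfw's pr_u64() or FreeBSD's struct _ipfw_dyn_rule: it shows the safe way to read a 64-bit counter from a packed structure through a void pointer. The struct layout, the MEMBER_PTR macro and the sample counter values are invented here only to put a uint64_t at an odd offset.

```c
/*
 * Added example, not ipfw's own code: reading 64-bit counters out of a
 * packed structure through a void pointer, as the fixed pr_u64() does.
 * The struct is a stand-in for _ipfw_dyn_rule; its layout is invented
 * only to put a uint64_t at an odd offset.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct packed_state {
	uint8_t  kind;    /* one byte, so pcnt lands at offset 1 */
	uint64_t pcnt;    /* packet counter, misaligned by design */
	uint64_t bcnt;    /* byte counter, offset 9 */
} __attribute__((packed));

/* Byte address of a member: never forms a uint64_t * to packed data. */
#define MEMBER_PTR(sp, m) ((const uint8_t *)(sp) + offsetof(struct packed_state, m))

/* 1 if p satisfies the natural alignment of uint64_t on this target. */
int
is_u64_aligned(const void *p)
{
	return ((uintptr_t)p % _Alignof(uint64_t)) == 0;
}

/*
 * Fetch a uint64_t from an arbitrary address. memcpy() never assumes
 * alignment, so this is correct on strict-alignment targets (where
 * *(uint64_t *)p on a misaligned pointer faults) and compiles to a plain
 * load where unaligned access is allowed.
 */
uint64_t
read_u64_unaligned(const void *p)
{
	uint64_t v;

	memcpy(&v, p, sizeof(v));
	return v;
}

/* Print a counter right-aligned in a column, like ipfw's listing; returns chars written. */
int
pr_u64(const void *pd, int width)
{
	return printf("%*" PRIu64 " ", width, read_u64_unaligned(pd));
}

int
main(void)
{
	/* Constructed sample state, not real ipfw data; _Alignas makes the misalignment deterministic. */
	_Alignas(8) struct packed_state st = {
		.kind = 1, .pcnt = 123456789012ULL, .bcnt = 9876543210ULL
	};

	printf("sizeof=%zu pcnt aligned=%d\n", sizeof(st),
	    is_u64_aligned(MEMBER_PTR(&st, pcnt)));
	pr_u64(MEMBER_PTR(&st, pcnt), 14);
	pr_u64(MEMBER_PTR(&st, bcnt), 14);
	printf("\n");
	return 0;
}
```

Taking `const void *` instead of `const uint64_t *` is what keeps -Wcast-align honest: a uint64_t * promises alignment the packed layout cannot provide, and the compiler is entitled to emit an aligned load for it.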
* ipfw(8): Fix most warnings with the default WARNS level.
  - Add missing const and static qualifiers.
  - Avoid shadowing the global "co" by renaming it to "g_co".
  - Avoid mixing signedness in loop bound checks.
  - Leave -Wcast-align warnings disabled for now.
  Reviewed by: ae, melifaro
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D25456
  Notes: svn path=/head/; revision=363164
  [Mark Johnston, 2020-07-13, 13 files, -282/+308]

* ipfw: Support the literal IPv6 address syntax in the fwd command.
  Discussed with: rgrimes, Lutz Donnerhacke
  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D24011
  Notes: svn path=/head/; revision=362619
  [Mark Johnston, 2020-06-25, 1 file, -24/+35]

* ipfw(8): In fill_ip6(), use a single statement for both "me" and "me6".
  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  Reviewed by: rgrimes, Lutz Donnerhacke
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D24403
  Notes: svn path=/head/; revision=362582
  [Mark Johnston, 2020-06-24, 1 file, -7/+2]

* Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy NAT
  instance.
  The NAT44 group of opcodes for the IP_FW3 socket option is the modern way to
  control NAT instances, and this method can be used in future to switch from
  numeric to named NAT instances, like was done for ipfw tables. The
  IP_FW_NAT_DEL opcode is the last remnant of the old ipfw_ctl control plane
  that doesn't support versioned operations. This interface will be retired
  soon.
  Reviewed by: melifaro
  MFC after: 10 days
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=359271
  [Andrey V. Elsukov, 2020-03-24, 3 files, -7/+30]

* Revert r358858 as it breaks some ipfw(8) setups.
  Reported by: O. Hartmann <o.hartmann@walstatt.org>
  Notes: svn path=/head/; revision=358871
  [Alexander V. Chernikov, 2020-03-11, 1 file, -6/+8]

* Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D21812
  Notes: svn path=/head/; revision=358858
  [Alexander V. Chernikov, 2020-03-10, 1 file, -8/+6]

* ipfw nat: add missing bits after r357092 (RFC 6598/Carrier Grade NAT)
  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  Reviewed by: Lutz Donnerhacke
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D23448
  Notes: svn path=/head/; revision=357787
  [Eugene Grosbein, 2020-02-12, 1 file, -0/+4]

* Add support for RFC 6598/Carrier Grade NAT subnets to libalias and ipfw.
  In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like
  PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware.
  Also, we add a new NAT option to ipfw called unreg_cgn, which is like
  unreg_only, but also is RFC 6598-aware.
  The reason for the new flags/options is to avoid breaking existing networks,
  especially those which rely on RFC 6598 as an external address.
  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D22877
  Notes: svn path=/head/; revision=357092
  [Alexander V. Chernikov, 2020-01-24, 4 files, -3/+11]
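As an added example (not libalias or ipfw code), the C below makes the difference between unreg_only and unreg_cgn concrete: which source addresses each mode selects for translation. The address ranges are the RFC 1918 private blocks and the RFC 6598 shared block 100.64.0.0/10; the alias_mode names, should_alias() and the sample addresses are this example's own assumptions about how the flags are applied.

```c
/*
 * Added example, not libalias or ipfw code: which source addresses the
 * unreg_only and unreg_cgn NAT options select for aliasing. Ranges are
 * RFC 1918 (10/8, 172.16/12, 192.168/16) and RFC 6598 (100.64/10); the
 * mode names and function interface are this example's own.
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum alias_mode {
	ALIAS_ALL,          /* default: translate every source */
	ALIAS_UNREG_ONLY,   /* unreg_only: RFC 1918 sources only */
	ALIAS_UNREG_CGN,    /* unreg_cgn: RFC 1918 plus RFC 6598 shared space */
};

struct cidr { uint32_t net; unsigned plen; };   /* host byte order */

static const struct cidr rfc1918[] = {
	{ 0x0a000000, 8 },    /* 10.0.0.0/8 */
	{ 0xac100000, 12 },   /* 172.16.0.0/12 */
	{ 0xc0a80000, 16 },   /* 192.168.0.0/16 */
};
static const struct cidr rfc6598 = { 0x64400000, 10 };   /* 100.64.0.0/10 */

static int
in_cidr(uint32_t a, const struct cidr *c)
{
	uint32_t mask = c->plen == 0 ? 0 : 0xffffffffu << (32 - c->plen);

	return (a & mask) == (c->net & mask);
}

int
is_rfc1918(uint32_t a)
{
	for (size_t i = 0; i < sizeof(rfc1918) / sizeof(rfc1918[0]); i++)
		if (in_cidr(a, &rfc1918[i]))
			return 1;
	return 0;
}

int
is_rfc6598(uint32_t a)
{
	return in_cidr(a, &rfc6598);
}

/* 1 if a packet with this (host-order) source address is translated in the given mode. */
int
should_alias(uint32_t src, enum alias_mode mode)
{
	switch (mode) {
	case ALIAS_ALL:        return 1;
	case ALIAS_UNREG_ONLY: return is_rfc1918(src);
	case ALIAS_UNREG_CGN:  return is_rfc1918(src) || is_rfc6598(src);
	}
	return 0;
}

/* Dotted quad to host order; 0 on malformed input. */
int
parse_v4(const char *s, uint32_t *out)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return 0;
	*out = ntohl(a.s_addr);
	return 1;
}

int
main(void)
{
	/* Constructed sample sources, not captured traffic. */
	const char *samples[] = { "10.1.2.3", "100.64.5.6", "100.128.0.1", "198.51.100.7" };

	for (size_t i = 0; i < 4; i++) {
		uint32_t a;
		if (!parse_v4(samples[i], &a))
			continue;
		printf("%-14s unreg_only=%d unreg_cgn=%d\n", samples[i],
		    should_alias(a, ALIAS_UNREG_ONLY), should_alias(a, ALIAS_UNREG_CGN));
	}
	return 0;
}
```

The operational consequence the commit message alludes to: with unreg_only, a subscriber whose upstream address sits in 100.64.0.0/10 is passed through untranslated, whereas unreg_cgn treats that block like private space and aliases it.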
* Use strlcat().
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=355222
  [Xin LI, 2019-11-30, 1 file, -1/+1]

* Explicitly initialize the memory buffer to store O_ICMP6TYPE opcode.
  By default next_cmd() initializes only the first u32 of an opcode. The
  O_ICMP6TYPE opcode has an array of bit masks to store corresponding ICMPv6
  types. An opcode that precedes O_ICMP6TYPE, e.g. O_IP6_DST, can have variable
  length and during opcode filling it can modify memory that will be used by the
  O_ICMP6TYPE opcode. Without explicit initialization this leads to creation of
  a wrong opcode.
  Reported by: Boris N. Lytochkin
  Obtained from: Yandex LLC
  MFC after: 3 days
  Notes: svn path=/head/; revision=353545
  [Andrey V. Elsukov, 2019-10-15, 1 file, -0/+1]
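The following added example (not ipfw's code) is a miniature model of the failure the commit describes, so the effect is visible: a next_cmd() that clears only the opcode header word, a preceding variable-length opcode that writes scratch data past the length it finally commits, and an O_ICMP6TYPE builder with and without the explicit memset. The structure names echo ipfw's, but the sizes, the scratch-write behaviour and the constructed data are this example's assumptions.

```c
/*
 * Added example, not ipfw's own code: a miniature model of the opcode
 * buffer handling the commit describes. next_cmd() zeroes only the first
 * u32 of the next opcode; a preceding variable-length opcode may have
 * scribbled past the length it finally commits, so the O_ICMP6TYPE bitmask
 * must be zeroed explicitly. Sizes and the scratch writes are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define O_IP6_DST    1
#define O_ICMP6TYPE  2
#define ICMP6_WORDS  8   /* 256 ICMPv6 types / 32 bits per word */

struct ipfw_insn { uint8_t opcode; uint8_t len; uint16_t arg1; };   /* one u32 */
struct ipfw_insn_icmp6 { struct ipfw_insn o; uint32_t d[ICMP6_WORDS]; };

struct rule_buf { uint32_t w[32]; size_t used; };   /* used: u32 words committed */

/* As described: only the opcode header word is cleared. */
static struct ipfw_insn *
next_cmd(struct rule_buf *b)
{
	struct ipfw_insn *cmd = (struct ipfw_insn *)&b->w[b->used];

	memset(cmd, 0, sizeof(*cmd));
	return cmd;
}

/*
 * Stand-in for a variable-length opcode such as O_IP6_DST: it writes a
 * full 128-bit address into its body while parsing, then settles on a
 * one-word encoding and commits only that. The scratch words stay behind.
 */
void
fill_variable_opcode(struct rule_buf *b)
{
	struct ipfw_insn *cmd = next_cmd(b);
	uint32_t *body = (uint32_t *)(cmd + 1);

	for (uint32_t i = 0; i < 4; i++)
		body[i] = 0xdeadbeefu ^ i;   /* constructed scratch data */
	cmd->opcode = O_IP6_DST;
	cmd->len = 1;
	b->used += cmd->len;
}

/* Build O_ICMP6TYPE matching one type; zero_first selects the fixed behaviour. */
struct ipfw_insn_icmp6 *
fill_icmp6type(struct rule_buf *b, uint8_t type, int zero_first)
{
	struct ipfw_insn_icmp6 *cmd = (struct ipfw_insn_icmp6 *)next_cmd(b);

	if (zero_first)
		memset(cmd, 0, sizeof(*cmd));   /* the fix: clear the whole opcode */
	cmd->o.opcode = O_ICMP6TYPE;
	cmd->o.len = 1 + ICMP6_WORDS;
	cmd->d[type / 32] |= 1u << (type % 32);
	b->used += cmd->o.len;
	return cmd;
}

/* Number of ICMPv6 types the opcode would actually match. */
int
icmp6type_count(const struct ipfw_insn_icmp6 *cmd)
{
	int n = 0;

	for (int i = 0; i < ICMP6_WORDS; i++)
		for (uint32_t x = cmd->d[i]; x != 0; x &= x - 1)
			n++;
	return n;
}

/* Run the scenario; returns how many types the resulting rule matches. */
int
build_rule(int zero_first)
{
	struct rule_buf b = { { 0 }, 0 };

	fill_variable_opcode(&b);
	return icmp6type_count(fill_icmp6type(&b, 128 /* echo request */, zero_first));
}

int
main(void)
{
	printf("without memset: %d types match; with memset: %d type matches\n",
	    build_rule(0), build_rule(1));
	return 0;
}
```

The security angle is that nothing fails loudly: the rule installs, `ipfw show` may even print it plausibly, but it matches a superset of the ICMPv6 types the administrator asked for, which is exactly the kind of silent policy widening that explicit initialization of variable-size opcodes prevents.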
* ipfw: fix jail option after r348215
  r348215 changed jail_getid(3) to validate passed-in jids as active jails (as
  the function is documented to return -1 if the jail does not exist). This
  broke the jail option (in some cases?) as the jail historically hasn't needed
  to exist at the time of rule parsing; jids will get stored and later applied.
  Fix this caller to attempt to parse *av as a number first and just use it
  as-is to match historical behavior. jail_getid(3) must still be used in order
  for name arguments to work, but it's strictly a fallback in case we weren't
  given a number.
  Reported and tested by: Ari Suutari <ari stonepile fi>
  Reviewed by: ae
  MFC after: 3 days
  Differential Revision: https://reviews.freebsd.org/D21128
  Notes: svn path=/head/; revision=350576
  [Kyle Evans, 2019-08-05, 1 file, -3/+18]

* Restore ipfw(8)'s compact output support broken after r331668.
  Also modify it a bit. Now the -c option omits only the 'from any to any' part
  and works for different protocols (not just for ip).
  Reported by: Dmitry Selivanov <dseliv at gmail>
  MFC after: 1 week
  Notes: svn path=/head/; revision=349364
  [Andrey V. Elsukov, 2019-06-25, 1 file, -0/+6]

* Add "tcpmss" opcode to match the TCP MSS value.
  With this opcode it is possible to match TCP packets with the specified MSS
  option, whose value corresponds to the value configured in the opcode. It is
  allowed to specify a single value, a range of values, or an array of specific
  values or ranges. E.g.
  # ipfw add deny log tcp from any to any tcpmss 0-500
  Reviewed by: melifaro, bcr
  Obtained from: Yandex LLC
  MFC after: 1 week
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=349267
  [Andrey V. Elsukov, 2019-06-21, 3 files, -6/+23]
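As an added example (not ipfw's kernel or userland code), the C below does what a tcpmss match has to do: walk the TCP option list with bounds checks, pull out the MSS, and compare it against a spec made of single values and ranges, including the `0-500` case from the commit message. The option kinds and lengths are the standard TCP ones; the mss_range format, function names and the two constructed SYN segments are this example's own.

```c
/*
 * Added example, not ipfw's own code: finding the MSS option in a TCP
 * header and matching it against a tcpmss spec of values and ranges.
 * Option kinds/lengths are the TCP standard ones; the range format and
 * the sample segments are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL      0
#define TCPOPT_NOP      1
#define TCPOPT_MAXSEG   2
#define TCPOLEN_MAXSEG  4
#define TCP_HDR_MIN     20

/*
 * Walk the option area (optlen bytes after the fixed header). Returns the
 * MSS value, or -1 when absent or malformed; the bounds checks matter
 * because option lengths come straight from the wire.
 */
int
tcp_find_mss(const uint8_t *opts, size_t optlen)
{
	size_t i = 0;

	while (i < optlen) {
		uint8_t kind = opts[i];

		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) {
			i++;
			continue;
		}
		if (i + 1 >= optlen)
			return -1;                       /* no room for a length byte */
		uint8_t len = opts[i + 1];
		if (len < 2 || i + len > optlen)
			return -1;                       /* bogus length */
		if (kind == TCPOPT_MAXSEG) {
			if (len != TCPOLEN_MAXSEG)
				return -1;
			return (opts[i + 2] << 8) | opts[i + 3];
		}
		i += len;
	}
	return -1;
}

/* Locate the option area from the data offset, then delegate. */
int
tcp_segment_mss(const uint8_t *seg, size_t seglen)
{
	if (seglen < TCP_HDR_MIN)
		return -1;
	size_t hlen = (size_t)(seg[12] >> 4) * 4;
	if (hlen < TCP_HDR_MIN || hlen > seglen)
		return -1;
	return tcp_find_mss(seg + TCP_HDR_MIN, hlen - TCP_HDR_MIN);
}

/* One element of a tcpmss spec; a single value is lo == hi. */
struct mss_range { uint16_t lo, hi; };

/* 1 if mss falls in any range; a segment without an MSS option never matches. */
int
tcpmss_match(int mss, const struct mss_range *spec, size_t n)
{
	if (mss < 0)
		return 0;
	for (size_t i = 0; i < n; i++)
		if (mss >= spec[i].lo && mss <= spec[i].hi)
			return 1;
	return 0;
}

/* Constructed SYN segments (not captures): data offset 6, one MSS option. */
const uint8_t syn_mss_1460[24] = {
	0xc3, 0x50, 0x00, 0x50,   /* ports 50000 -> 80 */
	0x00, 0x00, 0x00, 0x01,   /* seq */
	0x00, 0x00, 0x00, 0x00,   /* ack */
	0x60, 0x02, 0xff, 0xff,   /* doff=6, SYN, window */
	0x00, 0x00, 0x00, 0x00,   /* checksum, urgent */
	0x02, 0x04, 0x05, 0xb4,   /* MSS 1460 */
};
const uint8_t syn_mss_300[24] = {
	0xc3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x60, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
	0x02, 0x04, 0x01, 0x2c,   /* MSS 300 */
};

int
main(void)
{
	const struct mss_range small[] = { { 0, 500 } };   /* tcpmss 0-500 */
	int m1 = tcp_segment_mss(syn_mss_1460, sizeof(syn_mss_1460));
	int m2 = tcp_segment_mss(syn_mss_300, sizeof(syn_mss_300));

	printf("mss=%d match=%d\n", m1, tcpmss_match(m1, small, 1));
	printf("mss=%d match=%d\n", m2, tcpmss_match(m2, small, 1));
	return 0;
}
```

Note the deliberate choice that a segment with no MSS option (or a malformed option list) yields -1 and therefore never matches: a `deny ... tcpmss 0-500` rule is meant to catch tiny-MSS abuse, and treating "unparseable" as "matched" would let a corrupt option block trip an unrelated deny.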
* Remove unused token that was added in r348235.
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=348301
  [Andrey V. Elsukov, 2019-05-27, 1 file, -1/+0]

* Add `missing` and `or-flush` options to "ipfw table <NAME> create" command to
  simplify firewall reloading.
  The `missing` option suppresses the EEXIST error code, but does check that the
  existing table has the same parameters as the new one. The `or-flush` option
  implies the `missing` option and additionally flushes the table if it already
  exists.
  Submitted by: lev
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D18339
  Notes: svn path=/head/; revision=348235
  [Andrey V. Elsukov, 2019-05-24, 3 files, -7/+45]

* Handle HAVE_PROTO flag and print "proto" keyword for O_IP4 and O_IP6 opcodes
  when it is needed.
  This should fix the problem when a rule printed by `ipfw show` could not be
  added due to the missing "proto" keyword.
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=346885
  [Andrey V. Elsukov, 2019-04-29, 1 file, -0/+4]

* Typo fix in ipfw.8: amd -> and
  There is an (obvious) typo in the following sentence:
  "Please note, that keep-state amd limit imply implicit check-state for ..."
  Replace the "amd" with "and", bump .Dd.
  PR: 237438
  Submitted by: michael@galassi.us
  MFC after: 3 days
  Notes: svn path=/head/; revision=346490
  [Benedict Reuschling, 2019-04-21, 1 file, -2/+2]

* Remove extra spaces.
  MFC after: 1 month
  Notes: svn path=/head/; revision=345294
  [Andrey V. Elsukov, 2019-03-19, 1 file, -2/+2]

* Reapply r345274 with build fixes for 32-bit architectures.
  Update NAT64LSN implementation:
  o most of the data structures and relations were modified to be able to
    support a large number of translation states. Now each supported protocol
    can use the full ports range. Port groups now belong to IPv4 alias
    addresses, not hosts. Each port group can keep several states chunks. This
    is controlled with the new `states_chunks` config option. States chunks
    allow having several translation states for a single alias address and
    port, but for different destination addresses.
  o by default all hash tables now use jenkins hash.
  o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on the fast
    path.
  o one NAT64LSN instance can now be used to handle several IPv6 prefixes; the
    special prefix "::" value should be used for this purpose when the instance
    is created.
  o due to modified internal data structures relations, the socket opcode that
    does states listing was changed.
  Obtained from: Yandex LLC
  MFC after: 1 month
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345293
  [Andrey V. Elsukov, 2019-03-19, 3 files, -82/+73]

* Revert r345274. It appears that not all 32-bit architectures have the
  necessary CK primitives.
  Notes: svn path=/head/; revision=345275
  [Andrey V. Elsukov, 2019-03-18, 3 files, -72/+81]

* Update NAT64LSN implementation:
  o most of the data structures and relations were modified to be able to
    support a large number of translation states. Now each supported protocol
    can use the full ports range. Port groups now belong to IPv4 alias
    addresses, not hosts. Each port group can keep several states chunks. This
    is controlled with the new `states_chunks` config option. States chunks
    allow having several translation states for a single alias address and
    port, but for different destination addresses.
  o by default all hash tables now use jenkins hash.
  o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on the fast
    path.
  o one NAT64LSN instance can now be used to handle several IPv6 prefixes; the
    special prefix "::" value should be used for this purpose when the instance
    is created.
  o due to modified internal data structures relations, the socket opcode that
    does states listing was changed.
  Obtained from: Yandex LLC
  MFC after: 1 month
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345274
  [Andrey V. Elsukov, 2019-03-18, 3 files, -81/+72]

* Add NAT64 CLAT implementation as defined in RFC6877.
  CLAT is a customer-side translator that algorithmically translates 1:1
  private IPv4 addresses to global IPv6 addresses, and vice versa.
  It is implemented as part of the ipfw_nat64 kernel module. When the module is
  loaded or compiled into the kernel, it registers the "nat64clat" external
  action. An external action named instance can be created using the `create`
  command and then used in ipfw rules. The create command accepts two IPv6
  prefixes, `plat_prefix` and `clat_prefix`. If plat_prefix is omitted, the
  IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.
  # ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
  # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
  # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in
  Obtained from: Yandex LLC
  Submitted by: Boris N. Lytochkin
  MFC after: 1 month
  Relnotes: yes
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345264
  [Andrey V. Elsukov, 2019-03-18, 6 files, -1/+616]

* Add SPDX-License-Identifier and update year in copyright.
  MFC after: 1 month
  Notes: svn path=/head/; revision=345263
  [Andrey V. Elsukov, 2019-03-18, 2 files, -6/+8]

* Modify struct nat64_config.
  Add a second IPv6 prefix to the generic config structure and rename other
  fields to conform to RFC6877. Now it contains two prefixes and lengths:
  PLAT is the provider-side translator that translates N:1 global IPv6
  addresses to global IPv4 addresses.
  CLAT is the customer-side translator (XLAT) that algorithmically translates
  1:1 IPv4 addresses to global IPv6 addresses.
  Use the PLAT prefix in the stateless (nat64stl) and stateful (nat64lsn)
  translators. Modify the nat64_extract_ip4() and nat64_embed_ip4() functions
  to accept a prefix length and use plat_plen to specify the prefix length.
  Retire the net.inet.ip.fw.nat64_allow_private sysctl variable. Add the
  NAT64_ALLOW_PRIVATE flag and use the "allow_private" config option to
  configure this ability separately for each NAT64 instance.
  Obtained from: Yandex LLC
  MFC after: 1 month
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345262
  [Andrey V. Elsukov, 2019-03-18, 4 files, -11/+51]
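The CLAT commit above defaults plat_prefix to the Well-Known Prefix 64:ff9b::/96, and the nat64_config change makes nat64_embed_ip4()/nat64_extract_ip4() take a prefix length. As an added example (not ipfw_nat64 code), the C below performs that algorithmic embedding and extraction for every prefix length RFC 6052 allows, including the "u" octet rule that the /96 case never exercises. The function names, the 16-byte array interface and the sample prefixes are this example's own.

```c
/*
 * Added example, not ipfw_nat64 code: embedding an IPv4 address into a
 * NAT64 prefix and extracting it back, following the RFC 6052 section 2.2
 * layout for each allowed prefix length. Function names and the sample
 * prefixes are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int
valid_plen(unsigned plen)
{
	return plen == 32 || plen == 40 || plen == 48 || plen == 56 ||
	    plen == 64 || plen == 96;
}

/*
 * RFC 6052: the four IPv4 octets follow the prefix, except that octet 8
 * (bits 64..71, "u") is skipped and must stay zero; the rest is suffix.
 */
int
nat64_embed(const uint8_t pfx[16], unsigned plen, const uint8_t v4[4], uint8_t out[16])
{
	if (!valid_plen(plen))
		return -1;
	memcpy(out, pfx, 16);
	memset(out + plen / 8, 0, 16 - plen / 8);   /* drop bits beyond the prefix */
	for (size_t i = 0, pos = plen / 8; i < 4; i++) {
		if (pos == 8)
			pos++;
		out[pos++] = v4[i];
	}
	return 0;
}

/* Inverse of nat64_embed; rejects a non-zero u octet, as the RFC requires. */
int
nat64_extract(const uint8_t addr[16], unsigned plen, uint8_t v4[4])
{
	if (!valid_plen(plen))
		return -1;
	if (plen <= 64 && addr[8] != 0)
		return -1;
	for (size_t i = 0, pos = plen / 8; i < 4; i++) {
		if (pos == 8)
			pos++;
		v4[i] = addr[pos++];
	}
	return 0;
}

/* Render 16 bytes as eight hex groups (no :: compression) for display. */
void
fmt_ip6(const uint8_t a[16], char buf[40])
{
	snprintf(buf, 40, "%x:%x:%x:%x:%x:%x:%x:%x",
	    a[0] << 8 | a[1], a[2] << 8 | a[3], a[4] << 8 | a[5], a[6] << 8 | a[7],
	    a[8] << 8 | a[9], a[10] << 8 | a[11], a[12] << 8 | a[13], a[14] << 8 | a[15]);
}

int
main(void)
{
	/* Constructed inputs: the Well-Known Prefix and the /32 documentation prefix. */
	const uint8_t wkp[16] = { 0x00, 0x64, 0xff, 0x9b };
	const uint8_t doc32[16] = { 0x20, 0x01, 0x0d, 0xb8 };
	const uint8_t host[4] = { 192, 0, 2, 33 };
	uint8_t out[16], back[4];
	char s[40];

	nat64_embed(wkp, 96, host, out);
	fmt_ip6(out, s);
	printf("/96: %s\n", s);
	nat64_embed(doc32, 32, host, out);
	fmt_ip6(out, s);
	nat64_extract(out, 32, back);
	printf("/32: %s -> %u.%u.%u.%u\n", s, back[0], back[1], back[2], back[3]);
	return 0;
}
```

The extraction side is where a translator's input validation lives: an IPv6 packet whose destination carries the PLAT prefix but a non-zero u octet, or that does not fit one of the six layouts, is not a well-formed NAT64 address and should be dropped rather than mapped to whatever IPv4 address the bytes happen to spell.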
* Fix typos and caps for ipfw(8) man page.
  MFC after: 3 days
  PR: 236030
  Submitted by: olgeni
  Notes: svn path=/head/; revision=344709
  [Guangyuan Yang, 2019-03-01, 1 file, -16/+16]

* Grammar tweaks in ipfw manual page.
  Notes: svn path=/head/; revision=344665
  [Tom Rhodes, 2019-02-28, 1 file, -4/+4]

* Fix build of r343877
  MFC after: 2 weeks
  X-MFC-with: r343877
  Pointyhat to: bdrewery
  Notes: svn path=/head/; revision=343880
  [Bryan Drewery, 2019-02-07, 1 file, -2/+4]

* ipfw table list: Fix showing header outside of 'all'.
  Properly pass down is_all to table_show_list(). This restores the behavior
  before r272840 so that only 'ipfw table all list' shows the headers.
  MFC after: 2 weeks
  Relnotes: yes
  Notes: svn path=/head/; revision=343877
  [Bryan Drewery, 2019-02-07, 1 file, -3/+5]

* Allow use of underscores and dots in service names without escaping.
  PR: 234237
  MFC after: 1 week
  Notes: svn path=/head/; revision=342298
  [Andrey V. Elsukov, 2018-12-21, 1 file, -1/+2]

* Rework how protocol number is tracked in rule. Save it when O_PROTO opcode
  will be printed.
  This should solve the problem when the protocol name is not printed in
  `ipfw -N show`.
  Reported by: Claudio Eichenberger <cei at yourshop.com>
  MFC after: 1 week
  Notes: svn path=/head/; revision=341799
  [Andrey V. Elsukov, 2018-12-10, 1 file, -10/+6]

* Use correct size for IPv4 address in gethostbyaddr().
  When u_long is 8 bytes, it returns EINVAL and 'ipfw -N show' doesn't work.
  Reported by: Claudio Eichenberger <cei at yourshop.com>
  MFC after: 1 week
  Notes: svn path=/head/; revision=341798
  [Andrey V. Elsukov, 2018-12-10, 1 file, -1/+2]

* Add ability to request listing and deleting only for dynamic states.
  This can be useful when net.inet.ip.fw.dyn_keep_states is enabled, but after
  rules reloading some state must be deleted. Added new flag '-D' for such
  purpose. Retire the '-e' flag, since there can not be expired states in the
  meaning that this flag historically had.
  Also add "verbose" mode for listing of dynamic states; it can be enabled with
  the '-v' flag and adds additional information to the states list. This can be
  useful for debugging.
  Obtained from: Yandex LLC
  MFC after: 2 months
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=341472
  [Andrey V. Elsukov, 2018-12-04, 4 files, -25/+61]

* Small language fix after r340978.
  MFC after: 3 days
  Notes: svn path=/head/; revision=340979
  [Eugene Grosbein, 2018-11-26, 1 file, -1/+1]

* ipfw.8: add new section to EXAMPLES:
  SELECTIVE MIRRORING
  If your network has a network traffic analyzer connected to your host
  directly via a dedicated interface or remotely via an RSPAN vlan, you can
  selectively mirror some ethernet layer2 frames to the analyzer.
  ...
  Notes: svn path=/head/; revision=340978
  [Eugene Grosbein, 2018-11-26, 1 file, -0/+51]

* Fix a minor typo in ipfw(8) manual page.
  PR: 230747
  Submitted by: f.toscan@hotmail.it
  MFC after: 1 week
  Notes: svn path=/head/; revision=340792
  [Guangyuan Yang, 2018-11-23, 1 file, -1/+1]

* Fix incorrect DSCP value range from 0..64 to 0..63.
  PR: 232786
  Submitted by: Sergey Akhmatov <sergey@akhmatov.ru>
  Reviewed by: AllanJude
  MFC after: 1 week
  Notes: svn path=/head/; revision=340717
  [Guangyuan Yang, 2018-11-21, 1 file, -2/+2]

* Make multiline APPLY_MASK() macro function-like.
  Reported by: cem
  MFC after: 1 week
  Notes: svn path=/head/; revision=340689
  [Andrey V. Elsukov, 2018-11-20, 1 file, -1/+1]

* Fix part of the SYNOPSIS documenting LIST OF RULES AND PREPROCESSING that is
  still referred to as the last section of the SYNOPSIS later but was
  erroneously situated in the section IN-KERNEL NAT.
  MFC after: 1 month
  Notes: svn path=/head/; revision=340394
  [Eugene Grosbein, 2018-11-13, 1 file, -11/+11]