path: root/sbin/ipfw

Commit log (columns: Commit message / Author / Age / Files / Lines)
* ipfw: Add SPDX-License-Identifier tag
  Author: Tuukka Pasanen   Age: 4 days   Files: 1   Lines: -0/+2

      Reviewed by: emaste
      Sponsored by: The FreeBSD Foundation
      Differential Revision: https://reviews.freebsd.org/D55273
* ipfw.8: document how to delete nat configuration instance
  Author: Eugene Grosbein   Age: 2025-12-28   Files: 1   Lines: -1/+15

      MFC after: 3 days
* ipfw.8: fix misprint after previous change
  Author: Eugene Grosbein   Age: 2025-12-28   Files: 1   Lines: -1/+1

      rulese -> ruleset

      MFC after: 3 days
      X-MFC-with: a7b8a5d37bcb0009297962137bfb6c6570e5af12
* ipfw.8: fix documentation bug for setmark
  Author: Eugene Grosbein   Age: 2025-12-28   Files: 1   Lines: -2/+6

      A mark set with the "setmark" keyword is intended to be "sticky" and is
      documented as such, but in fact it is not yet: the current implementation
      lacks the "sticky" feature, and its implementation will most probably not
      be MFC'd. Correct the manual page until the implementation is improved.

      MFC after: 3 days
      Discussed with: Boris Lytochkin <lytboris@gmail.com> (author)
* ipfw: create a bpf tap point for every log rule
  Author: Gleb Smirnoff   Age: 2025-12-15   Files: 2   Lines: -12/+26

      Dynamically allocate bpf tap points for every rule that has "log". The
      name is "ipfw%u", where %u is substituted with the rule number. The
      default catch-all "ipfw0" tap still exists for compatibility, and it will
      catch packets in case there are no bpf listeners on a per-rule tap.

      Reviewed by: ae
      Differential Revision: https://reviews.freebsd.org/D53877
* ipfw: create "ipfw0" and "ipfwlog0" bpf tapping points without ifnet(9)
  Author: Gleb Smirnoff   Age: 2025-12-15   Files: 1   Lines: -29/+9

      As a free bonus the tapping points are now able to match packet direction.

      Reviewed by: ae
      Differential Revision: https://reviews.freebsd.org/D53875
* ipsec: Fix typos in references to IPsec's ESP
  Author: Mateusz Piotrowski   Age: 2025-12-04   Files: 2   Lines: -3/+3

      ESP is "Encapsulating Security Payload", not "Encapsulated Security
      Payload". This patch fixes all the places in the tree I could find with
      `grep -i encapsulated security`.

      MFC after: 3 days
      Reviewed by: ae
      Differential Revision: https://reviews.freebsd.org/D53769
* ipfw: Remove more unused IP_FW_* cases
  Author: Ed Maste   Age: 2025-10-27   Files: 1   Lines: -5/+1

      All of the do_cmd() calls are in dummynet.c and specify the socket option
      at compile time; none of these removed cases are used in ipfw after the
      v3 work.

      Reviewed by: markj
      Sponsored by: The FreeBSD Foundation
      Differential Revision: https://reviews.freebsd.org/D53378
* ipfw: Correct error message
  Author: Ed Maste   Age: 2025-10-27   Files: 1   Lines: -1/+1

      The failed allocation in the error pertains to IP_FW_XADD, not IP_FW_ADD.

      Reviewed by: ae
      Sponsored by: The FreeBSD Foundation
      Differential Revision: https://reviews.freebsd.org/D53359
* ipfw: Remove IP_DUMMYNET_GET case
  Author: Ed Maste   Age: 2025-10-25   Files: 1   Lines: -1/+1

      IP_DUMMYNET_GET is no longer used in ipfw(1).

      Reviewed by: markj
      Sponsored by: The FreeBSD Foundation
      Differential Revision: https://reviews.freebsd.org/D53348
* ipfw: Update warning/error setsockopt references
  Author: Ed Maste   Age: 2025-10-24   Files: 1   Lines: -2/+2

      Dummynet v3 switched to IP_DUMMYNET3 but did not update these
      warnings/errors.

      Fixes: cc4d3c30ea28 ("Bring in the most recent version of ipfw and dummynet, developed")
      Sponsored by: The FreeBSD Foundation
      Differential Revision: sbin/ipfw/ipfw2.c
* ipfw: do not use errno value for error reporting
  Author: Boris Lytochkin   Age: 2025-10-14   Files: 1   Lines: -3/+0

      table_do_modify_record() already uses the errno value on error. Also this
      fixes a problem where `ipfw table add` returns ENOTTY that is unrelated
      to the operation.

      Tested by: dhw
      Fixes: 09025a714708
      MFC after: 3 days
      Differential Revision: https://reviews.freebsd.org/D53050
* tests/ipfw: Update regression tests to match new 32-bit size rule numbers
  Author: Olivier Cochard   Age: 2025-10-03   Files: 1   Lines: -12/+13

      Commit 4a77657cbc01 increased the size of several opcodes to
      ipfw_insn_u32.

      Approved by: ae
      Sponsored by: Netflix
      Differential Revision: https://reviews.freebsd.org/D52876
* ipfw: Add tests for the NPTv6 rule parser
  Author: Dag-Erling Smørgrav   Age: 2025-08-25   Files: 3   Lines: -0/+111
* ipfw: Fix segfault in NPTv6 rule parser
  Author: Seyed Pouria Mousavizadeh Tehrani   Age: 2025-08-25   Files: 1   Lines: -23/+26

      If the user specified a prefix length with either the internal or external
      prefix, we'd jump to check_prefix where we'd dereference p which was most
      likely uninitialized. Instead, store the various prefix lengths separately
      and check them all after the loop.

      MFC after: 1 week
      Differential Revision: https://reviews.freebsd.org/D50597
* ipfw: Fix broken length checks on routing messages
  Author: John Baldwin   Age: 2025-04-22   Files: 1   Lines: -8/+10

      Subtracting unsigned and signed types of the same rank yields an unsigned
      value that is never less than 0. Rewrite the checks to use the pattern of
      'if (msglen < <desired size>)' instead of 'if (msglen - <desired_size> < 0)'
      to avoid the subtraction. To avoid adding lots of casts to appease
      -Wsign-compare, use a separate ssize_t variable for the return value of
      read(2) and convert msglen to size_t.

      While here, fix the first check against the size of the route message
      header which was inverted and would have rejected all valid messages if
      not for the unsigned vs signed bug causing all of the checks to be broken.

      sbin/ipfw/ipfw2.c: In function 'ipfw_rtsock_monitor':
      sbin/ipfw/ipfw2.c:6088:43: error: comparison of unsigned expression in '< 0' is always false [-Werror=type-limits]
       6088 |                 if (sizeof(*hdr) - msglen < 0)
            |                                           ^

      Reported by: GCC -Wtype-limits
      Fixes: 3c76623ad553 ("ipfw: add 'internal monitor' subcommand to capture rtsock messages.")
* ipfw: fix build
  Author: Andrey V. Elsukov   Age: 2025-04-18   Files: 1   Lines: -2/+2

      Cast to unsigned type to fix a warning.

      Fixes: 3c76623ad553
* ipfw: add 'internal monitor' subcommand to capture rtsock messages.
  Author: Andrey V. Elsukov   Age: 2025-04-18   Files: 3   Lines: -3/+148

      This command is similar to the route(8) monitor subcommand. It can be
      used for debugging rules at run-time.

      Also add __printflike() to the bprintf function and fix some related bugs.

      Obtained from: Yandex LLC
      Sponsored by: Yandex LLC
* ipfw: document logdst opcode
  Author: Andrey V. Elsukov   Age: 2025-04-18   Files: 1   Lines: -27/+71

      Also fix some problems reported by mandoc -T lint.
      Add a comment describing the format of rtsock messages.

      Submitted by: Boris Lytochkin <lytboris at gmail com>
      Obtained from: Yandex LLC
      Sponsored by: Yandex LLC
* ipfw: migrate ipfw to 32-bit size rule numbers
  Author: Andrey V. Elsukov   Age: 2025-03-03   Files: 5   Lines: -190/+443

      This changes the ABI due to the changed opcodes and includes the following:

      * rule numbers and named object indexes converted to 32-bits
      * all hardcoded maximum rule numbers were replaced with the
        IPFW_DEFAULT_RULE macro
      * now it is possible to grow the maximum number of rules at build time
      * several opcodes converted to ipfw_insn_u32 to keep rulenum: O_CALL,
        O_SKIPTO
      * call stack modified to keep u32 rulenum. The behaviour of the O_CALL
        opcode was changed to avoid possible packet looping. Now when the call
        stack is overflowed or mbuf tag allocation failed, a packet will be
        dropped instead of skipping to the next rule.
      * 'return' action now has two modes to specify the return point:
        'next-rulenum' and 'next-rule'
      * new lookup key added for O_IP_DST_LOOKUP opcode 'lookup rulenum'
      * several opcodes converted to keep u32 named object indexes in the
        special structure ipfw_insn_kidx
      * table related opcodes modified to use two structures: ipfw_insn_kidx
        and ipfw_insn_table
      * added ability for table value matching for a specific value type in
        the 'table(name,valtype=value)' opcode
      * dynamic states and eaction code converted to use u32 rulenum and named
        object indexes
      * added insntod() and insntoc() macros to cast to a specific ipfw
        instruction type
      * default sockopt version was changed to IP_FW3_OPVER=1
      * FreeBSD 7-11 rule format support was removed
      * added ability to generate special rtsock messages via the log opcode
      * added IP_FW_SKIPTO_CACHE sockopt to enable/disable the skipto cache.
        It helps to reduce overhead when many rules are modified in batch.
      * added ability to keep NAT64LSN states during sets swapping

      Obtained from: Yandex LLC
      Relnotes: yes
      Sponsored by: Yandex LLC
      Differential Revision: https://reviews.freebsd.org/D46183
* ipfw: make 'ipfw show' output compatible with 'ipfw add' command
  Author: Andrey V. Elsukov   Age: 2025-02-11   Files: 1   Lines: -0/+7

      If a rule was added in compact form and the rule body is empty, print the
      'proto ip' opcode to be compatible with the ipfw(8) syntax parser.

      Before:
        $ ipfw add allow proto ip
        000700 allow

      After:
        $ ipfw add allow proto ip
        000700 allow proto ip

      MFC after: 1 week
* ipfw : Enable support for EIM NAT
  Author: Damjan Jovanovic   Age: 2024-12-06   Files: 4   Lines: -2/+31

      Enable support for endpoint-independent mapping ("full cone NAT") via
      Libalias's UDP NAT.

      Reviewed by: igoro, thj
      Differential Revision: https://reviews.freebsd.org/D46689D
* Remove residual blank line at start of Makefile
  Author: Warner Losh   Age: 2024-07-15   Files: 1   Lines: -1/+0

      This is a residual of the $FreeBSD$ removal.

      MFC After: 3 days (though I'll just run the command on the branches)
      Sponsored by: Netflix
* ipfw: correctly report table manipulation errors
  Author: Ben Wilber   Age: 2024-05-10   Files: 1   Lines: -2/+3

      Let ipfw(8) report the actual error instead of the error that may have
      come from calling printf().

      Reviewed by: imp
      Pull Request: https://github.com/freebsd/freebsd-src/pull/1221
* ipfw: Use nitems(foo) instead of sizeof(foo)/sizeof(foo[0])
  Author: Elyes Haouas   Age: 2024-04-29   Files: 2   Lines: -4/+4

      Pull Request: https://github.com/freebsd/freebsd-src/pull/888
      Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
* ipfw: Remove repeated words
  Author: Elyes Haouas   Age: 2024-04-11   Files: 1   Lines: -1/+1

      Remove repeated words in error message.

      Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
      Reviewed by: imp
      Pull Request: https://github.com/freebsd/freebsd-src/pull/887
* dummynet: add simple gilbert-elliott channel model
  Author: Richard Scheffenegger   Age: 2023-12-17   Files: 2   Lines: -13/+70

      Have a simple Gilbert-Elliott channel model in dummynet to mimic
      correlated loss behavior of realistic environments. This allows simpler
      testing of burst-loss environments.

      Reviewed By: tuexen, kp, pauamma_gundo.com, #manpages
      Sponsored by: NetApp, Inc.
      Differential Revision: https://reviews.freebsd.org/D42980
* sbin: Automated cleanup of cdefs and other formatting
  Author: Warner Losh   Age: 2023-11-27   Files: 4   Lines: -4/+0

      Apply the following automated changes to try to eliminate
      no-longer-needed sys/cdefs.h includes as well as now-empty blank lines
      in a row.

      Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
      Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
      Remove /\n+#if.*\n#endif.*\n+/
      Remove /^#if.*\n#endif.*\n/
      Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
      Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
      Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

      Sponsored by: Netflix
* ipfw.8: Adjust section for loader tunables
  Author: Zhenlei Huang   Age: 2023-09-28   Files: 1   Lines: -11/+11

      Move the descriptions of loader tunables from section 'SYSCTL VARIABLES'
      to section 'LOADER TUNABLES'.

      See also 49197c391b3d (ipfw: Add sysctl flag CTLFLAG_TUN to loader tunables).

      MFC after: 2 days
      Differential Revision: https://reviews.freebsd.org/D41981
* Remove $FreeBSD$: two-line nroff pattern
  Author: Warner Losh   Age: 2023-08-16   Files: 1   Lines: -2/+0

      Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
* Remove $FreeBSD$: one-line sh pattern
  Author: Warner Losh   Age: 2023-08-16   Files: 2   Lines: -2/+0

      Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
* Remove $FreeBSD$: one-line .c pattern
  Author: Warner Losh   Age: 2023-08-16   Files: 4   Lines: -8/+0

      Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
* Remove $FreeBSD$: two-line .h pattern
  Author: Warner Losh   Age: 2023-08-16   Files: 8   Lines: -16/+0

      Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
* ipfw: Remove set but unused variables.
  Author: John Baldwin   Age: 2023-06-27   Files: 6   Lines: -14/+7

      Reported by: GCC
      Differential Revision: https://reviews.freebsd.org/D40654
* ipfw: add state/comment tests
  Author: Alexander V. Chernikov   Age: 2023-06-16   Files: 1   Lines: -2/+61
* ipfw: use function return value to fetch insn argument.
  Author: Alexander V. Chernikov   Age: 2023-06-15   Files: 3   Lines: -22/+17

      This is a prerequisite for splitting compile_rule() into smaller chunks.

      MFC after: 2 weeks
* ipfw: add eaction tests
  Author: Alexander V. Chernikov   Age: 2023-06-15   Files: 1   Lines: -0/+33

      MFC after: 2 weeks
* ipfw: simplify action case parser
  Author: Alexander V. Chernikov   Age: 2023-06-13   Files: 1   Lines: -32/+74

      Remove "goto charg" from the action parser. This is a prerequisite for
      the further split of the gigantic compile_rule().

      Differential Revision: https://reviews.freebsd.org/D40490
      MFC after: 2 weeks
* ipfw(8): add ioctl/instruction generation tests
  Author: Alexander V. Chernikov   Age: 2023-06-13   Files: 5   Lines: -5/+454

      Differential Revision: https://reviews.freebsd.org/D40488
      MFC after: 2 weeks
* ipfw/ipfw2: Fix typos
  Author: Elyes Haouas   Age: 2023-06-02   Files: 1   Lines: -1/+1

      Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
      Reviewed by: imp
      Pull Request: https://github.com/freebsd/freebsd-src/pull/653
* spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
  Author: Warner Losh   Age: 2023-05-12   Files: 3   Lines: -3/+3

      The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
      up to that fact and revert to their recommended match of BSD-2-Clause.

      Discussed with: pfg
      MFC After: 3 days
      Sponsored by: Netflix
* ipfw: add [fw]mark implementation for ipfw
  Author: Boris Lytochkin   Age: 2023-04-25   Files: 4   Lines: -37/+156

      Packet Mark is an analogue to ipfw tags with O(1) lookup from the mbuf,
      while regular tags require a single-linked list traversal.

      Mark is a 32-bit number that can be looked up in a table [with the
      'number' table-type], matched or compared with a number with an optional
      mask applied before comparison.

      Having a generic nature, Mark can be used in a variety of needs. For
      example, it could be used as a security group: the mark will hold a
      security group id and represent a group of packet flows that share the
      same access control policy.

      Reviewed By: pauamma_gundo.com
      Differential Revision: https://reviews.freebsd.org/D39555
      MFC after: 1 month
* ipfw.8: improve description for interface matching
  Author: Eugene Grosbein   Age: 2023-04-25   Files: 1   Lines: -4/+22

      The manual describes the "if*" form only, while the kernel uses
      fnmatch(3) and allows the use of more versatile shell-like patterns.
      Note that explicitly and provide an example.

      MFC after: 3 days
* Update/fix Makefile.depend for userland
  Author: Simon J. Gerraty   Age: 2023-04-19   Files: 1   Lines: -1/+1
* ipfw.8: there never was a "skip-action" action
  Author: Ceri Davies   Age: 2023-01-25   Files: 1   Lines: -2/+2

      It was renamed during review of D1776 but this entry slipped through.

      PR: 243284
      Reported by: pprocacci@gmail.com
      Obtained from: Chad Jacob Milios <milios@ccsys.com>
* ipfw: Add missing 'va' code point name
  Author: Jose Luis Duran   Age: 2023-01-13   Files: 2   Lines: -1/+4

      Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.

      Reviewed By: melifaro, pauamma
      Differential Revision: https://reviews.freebsd.org/D37508
      MFC after: 2 weeks
* ipfw: Fix ipfw/dnctl detection
  Author: Goran Mekic   Age: 2022-11-22   Files: 1   Lines: -1/+2

      Running "dnctl" vs "/sbin/dnctl" gave different results, because we
      looked at the entire argv[0] string, rather than the basename.

      Reviewed by: kp
      Differential Revision: https://reviews.freebsd.org/D37431
* ipfw: make it possible to specify MTU for "unreach needfrag" action
  Author: Gleb Smirnoff   Age: 2022-08-17   Files: 2   Lines: -2/+23

      Reviewed by: ae, pauamma
      Differential revision: https://reviews.freebsd.org/D36140
* ipfw: add support radix tables and table lookup for MAC addresses
  Author: Arseny Smalyuk   Age: 2022-06-04   Files: 4   Lines: -39/+162

      By analogy with IP address matching, add a way to use ipfw radix tables
      for MAC matching. This is implemented using a new ipfw table with the
      mac:radix type. Also there are src-mac and dst-mac lookup commands added.

      Usage example:
        ipfw table 1 create type mac
        ipfw table 1 add 11:22:33:44:55:66/48
        ipfw add skipto tablearg src-mac 'table(1)'
        ipfw add deny src-mac 'table(1, 100)'
        ipfw add deny lookup dst-mac 1

      Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw
      filtering on L2.

      Reviewed by: melifaro
      Obtained from: Yandex LLC
      MFC after: 1 month
      Relnotes: yes
      Sponsored by: Yandex LLC
      Differential Revision: https://reviews.freebsd.org/D35103
* ipfw.8: spell "layer2" consistently throughout the manual page
  Author: Eugene Grosbein   Age: 2022-05-13   Files: 1   Lines: -3/+3

      MFC after: 1 week