path: root/sbin/ipfw/ipfw.8
author:    melifaro <melifaro@FreeBSD.org>  2012-03-12 14:07:57 +0000
committer: melifaro <melifaro@FreeBSD.org>  2012-03-12 14:07:57 +0000
commit:    c614ff641f951a75a93d083b1980b4bd3480b949 (patch)
tree:      bc4e5f2db723245d6f66a54bec8c2de91cede71d /sbin/ipfw/ipfw.8
parent:    4861f7911395459349e837d48f6d239d6c1e80d7 (diff)
download:  FreeBSD-src-c614ff641f951a75a93d083b1980b4bd3480b949.zip
           FreeBSD-src-c614ff641f951a75a93d083b1980b4bd3480b949.tar.gz
- Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be loader tunable in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds

No ABI changes are introduced. Old userland will see valid tables for
IPv4 tables and no entries otherwise. Flush works for any table.

IP_FW3 socket option is used to encapsulate all new opcodes:

/* IP_FW3 header/opcodes */
typedef struct _ip_fw3_opheader {
        uint16_t opcode;        /* Operation opcode */
        uint16_t reserved[3];   /* Align to 64-bit boundary */
} ip_fw3_opheader;

New opcodes added:
IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

ipfw(8) table argument parsing behavior is changed:
'ipfw table 999 add host' now assumes 'host' to be interface name instead
of hostname.

New tunable:
net.inet.ip.fw.tables_max controls number of table supported by ipfw in
given VNET instance. 128 is still the default value.

New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out

This is a bit hackish, special interface name '\1' is used to signal
interface table number is passed in p.glob field.

Sponsored by Yandex LLC
Reviewed by:    ae
Approved by:    ae (mentor)
MFC after:      4 weeks
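As an added illustration of the lookup-table semantics this commit message describes (example code written for this page, not code from FreeBSD or from this commit), the following Python model implements one extended lookup table with the behaviour the change introduces: IPv4/IPv6 network keys with a default prefix length of 32 or 128 and most-specific-match lookup, interface-name keys matched exactly with no wildcards, a bare name taken as an interface name rather than resolved as a hostname, and a 32-bit unsigned value per entry that plays the role of tablearg. The table numbers, the `ipaddress`-based longest-prefix scan standing in for the kernel's radix tree, and the interface names and addresses fed in are all constructed for the example.

```python
import ipaddress

MAX_VALUE = 0xFFFFFFFF  # entry values are 32-bit unsigned (the tablearg)


class LookupTable:
    """Model of one ipfw extended lookup table (added example, not ipfw code).

    Network keys are scanned for the longest matching prefix; the kernel
    keeps them in a radix tree, which yields the same most-specific match.
    Interface names are matched exactly, with no wildcard support.
    """

    def __init__(self):
        self.nets = {}    # ipaddress network -> value
        self.ifaces = {}  # interface name -> value

    def add(self, key, value=0):
        if not 0 <= value <= MAX_VALUE:
            raise ValueError("value must fit in 32 bits")
        try:
            # A bare address gets /32 (IPv4) or /128 (IPv6) by default.
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            # Not an address: per this change a name is an interface name,
            # not a hostname to resolve. Wildcards are rejected.
            if any(c in key for c in "*?["):
                raise ValueError("wildcards not supported for interface names")
            self.ifaces[key] = value
            return
        self.nets[net] = value

    def lookup_addr(self, addr):
        """Most-specific (longest prefix) match; None if nothing matches."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, val in self.nets.items():
            if a.version == net.version and a in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, val)
        return None if best is None else best[1]

    def lookup_iface(self, name):
        """Exact match on interface name; None if absent."""
        return self.ifaces.get(name)


def skipto_target(tables, table_num, iface, required_value=None):
    """Model of 'skipto tablearg ... via table(num[,value])'.

    Returns the rule number to skip to (the stored value), or None when
    the rule does not match: unknown table, interface not listed, or the
    optional value does not equal the stored one.
    """
    table = tables.get(table_num)
    if table is None:
        return None
    val = table.lookup_iface(iface)
    if val is None:
        return None
    if required_value is not None and val != required_value:
        return None
    return val


def per_interface_example():
    """Per-interface dispatch built from constructed tables 10 and 20.

    Rule 100 consults table 10 for inbound packets, rule 200 consults
    table 20 for outbound packets (table numbers are an assumption).
    """
    tables = {10: LookupTable(), 20: LookupTable()}
    tables[10].add("vlan20", 12000)
    tables[10].add("vlan30", 13000)
    tables[20].add("vlan20", 22000)
    tables[20].add("vlan30", 23000)
    return {
        "in_vlan20": skipto_target(tables, 10, "vlan20"),
        "in_vlan30": skipto_target(tables, 10, "vlan30"),
        "out_vlan30": skipto_target(tables, 20, "vlan30"),
        "in_em0": skipto_target(tables, 10, "em0"),  # not in table: no match
    }
```

The interesting defensive point is in `add`: once names are no longer resolved, a typo in a table entry silently becomes an interface name that never matches, so a practitioner loading tables from a script should verify that each added name actually exists as an interface.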
Diffstat (limited to 'sbin/ipfw/ipfw.8')
-rw-r--r--  sbin/ipfw/ipfw.8 | 44
1 files changed, 35 insertions, 9 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 6293d73..dba23f4 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 6, 2012
+.Dd March 9, 2012
.Dt IPFW 8
.Os
.Sh NAME
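Review bot: the new `+.Dd March 9, 2012` predates the commit date shown in the header (2012-03-12); mdoc's `.Dd` is meant to record when the page content was last changed, so it should be set to the actual commit date rather than the date the patch was drafted.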
@@ -1539,7 +1539,7 @@ and they are always printed as hexadecimal (unless the
option is used, in which case symbolic resolution will be attempted).
.It Cm proto Ar protocol
Matches packets with the corresponding IP protocol.
-.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any
+.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar table Ns Pq Ar number Ns Op , Ns Ar value | Ar ipno | Ar any
Matches packets received, transmitted or going through,
respectively, the interface specified by exact name
.Ns No ( Ar ifX Ns No ),
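Review bot: the `table(number[,value])` alternative added to the `.It Cm recv | xmit | via` synopsis line is not described in the text that follows it, which still only explains the `ifX`, `if*`, `ipno` and `any` forms (`Matches packets received, transmitted or going through, respectively, the interface specified by exact name (ifX),` ...). Add a sentence stating that with `table(number)` the interface name is looked up in table `number` and the option matches when the name is present (and, when `,value` is given, only when the stored value equals `value`), and that the stored value is then available as `tablearg`; that is exactly what the `skipto tablearg ... via table(42) in` rules in the commit message rely on, and without it a reader cannot tell what the optional `value` does.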
@@ -1738,22 +1738,21 @@ connected networks instead of all source addresses.
.El
.Sh LOOKUP TABLES
Lookup tables are useful to handle large sparse sets of
-addresses or other search keys (e.g. ports, jail IDs).
-In the rest of this section we will use the term ``address''
-to mean any unsigned value of up to 32-bit.
-There may be up to 128 different lookup tables, numbered 0 to 127.
+addresses or other search keys (e.g. ports, jail IDs, interface names).
+In the rest of this section we will use the term ``address''.
+There may be up to 4096 different lookup tables, numbered 0 to 4095.
.Pp
Each entry is represented by an
.Ar addr Ns Op / Ns Ar masklen
and will match all addresses with base
.Ar addr
-(specified as an IP address, a hostname or an unsigned integer)
+(specified as an IPv4/IPv6 address, a hostname or an unsigned integer)
and mask width of
.Ar masklen
bits.
If
.Ar masklen
-is not specified, it defaults to 32.
+is not specified, it defaults to 32 for IPv4 and 128 for IPv6.
When looking up an IP address in a table, the most specific
entry will match.
Associated with each entry is a 32-bit unsigned
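Review bot: `+There may be up to 4096 different lookup tables, numbered 0 to 4095.` contradicts the rest of this change, since the LOADER TUNABLES hunk documents `net.inet.ip.fw.tables_max` with a default of 128 and a ceiling of 65534 and the commit message says the count is a per-VNET loader tunable; replace the fixed number with a statement that the number of tables is set by `net.inet.ip.fw.tables_max` (default 128, maximum 65534) and that tables are numbered from 0 to one less than that value. Also, `+In the rest of this section we will use the term ``address''.` lost its object when the `to mean any unsigned value of up to 32-bit` clause was dropped and no longer says what the term stands for; either restore a definition that covers the new key types (IPv6 addresses, interface names) or remove the sentence. Finally, `+(specified as an IPv4/IPv6 address, a hostname or an unsigned integer)` should say that a bare name is now taken as an interface name rather than resolved as a hostname, as the commit message notes for `ipfw table 999 add host`, since that is a user-visible change in argument parsing.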
@@ -1776,7 +1775,8 @@ Internally, each table is stored in a Radix tree, the same way as
the routing table (see
.Xr route 4 ) .
.Pp
-Lookup tables currently support only ports, jail IDs and IPv4 addresses.
+Lookup tables currently support only ports, jail IDs, IPv4/IPv6 addresses
+and interface names. Wildcards is not supported for interface names.
.Pp
The
.Cm tablearg
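Review bot: grammar in `+and interface names. Wildcards is not supported for interface names.` should be `Wildcards are not supported for interface names.`, and the second sentence belongs on its own source line, following the one-sentence-per-line convention used elsewhere in this page so that the mdoc formatter handles inter-sentence spacing.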
@@ -2579,6 +2579,22 @@ instances.
See
.Sx SYSCTL VARIABLES
for more info.
+.Sh LOADER TUNABLES
+Tunables can be set in
+.Xr loader 8
+prompt,
+.Xr loader.conf 5
+or
+.Xr kenv 1
+before ipfw module gets loaded.
+.Bl -tag -width indent
+.It Va net.inet.ip.fw.default_to_accept: No 0
+Defines ipfw last rule behavior. This value overrides
+.Cd "options IPFW_DEFAULT_TO_(ACCEPT|DENY)"
+from kernel configuration file.
+.It Va net.inet.ip.fw.tables_max: No 128
+Defines number of tables available in ipfw. Number cannot exceed 65534.
+.El
.Sh SYSCTL VARIABLES
A set of
.Xr sysctl 8
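Review bot: `+Defines number of tables available in ipfw. Number cannot exceed 65534.` under `+.It Va net.inet.ip.fw.tables_max: No 128` omits two facts the commit message states: the limit applies per VNET instance, and the accepted range is 0..65534; suggest `Defines the number of lookup tables available to ipfw in the given VNET instance (0 to 65534).` The section intro also needs its articles and prepositions: `Tunables can be set at the loader(8) prompt, in loader.conf(5), or with kenv(1) before the ipfw module is loaded.`, and `+Defines ipfw last rule behavior.` reads better as `Defines the behavior of the implicit last rule.`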
@@ -3112,6 +3128,16 @@ action, the table entries may include hostnames and IP addresses.
.Dl "ipfw table 1 add 192.168.0.0/27 router1.dmz"
.Dl "..."
.Dl "ipfw add 100 fwd tablearg ip from any to table(1)"
+.Pp
+In the following example per-interface firewall is created:
+.Pp
+.Dl "ipfw table 10 add vlan20 12000"
+.Dl "ipfw table 10 add vlan30 13000"
+.Dl "ipfw table 20 add vlan20 22000"
+.Dl "ipfw table 20 add vlan30 23000"
+.Dl ".."
+.Dl "ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in"
+.Dl "ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out"
.Ss SETS OF RULES
To add a set of rules atomically, e.g.\& set 18:
.Pp
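Review bot: both example rules, `+.Dl "ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in"` and the matching `add 200` line, contain a stray second `ipfw` token after the rule number, which is not valid rule syntax (compare the form in the commit message, `ipfw add skipto tablearg ip from any to any via table(42) in`); drop it. Table 20 is populated by four `+.Dl "ipfw table 20 add ..."` lines but never referenced, while both rules consult `table(10)`; the `xmit ... out` rule presumably should look up `table(20)` so that the two directions get distinct skipto targets, otherwise the table 20 lines are dead text. Minor: `+In the following example per-interface firewall is created:` needs an article (`a per-interface firewall`), and the placeholder `+.Dl ".."` should be `"..."` to match the earlier example in this section.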