diff options
Diffstat (limited to 'sbin/ipfw')
| -rw-r--r-- | sbin/ipfw/ipfw.8 | 30 | ||||
| -rw-r--r-- | sbin/ipfw/ipfw2.c | 42 | ||||
| -rw-r--r-- | sbin/ipfw/ipfw2.h | 1 | ||||
| -rw-r--r-- | sbin/ipfw/main.c | 5 | ||||
| -rw-r--r-- | sbin/ipfw/nat.c | 69 |
5 files changed, 107 insertions, 40 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 710996b..4a22320 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 27, 2010 +.Dd June 14, 2011 .Dt IPFW 8 .Os .Sh NAME @@ -871,13 +871,16 @@ for more information on and .Cm ngtee actions. -.It Cm setfib Ar fibnum +.It Cm setfib Ar fibnum | tablearg The packet is tagged so as to use the FIB (routing table) .Ar fibnum in any subsequent forwarding decisions. Initially this is limited to the values 0 through 15, see .Xr setfib 1 . Processing continues at the next rule. +It is possible to use the +.Cm tablearg +keyword with a setfib. If tablearg value is not within compiled FIB range packet fib is set to 0. .It Cm reass Queue and reassemble ip fragments. If the packet is not fragmented, counters are updated and processing continues with the next rule. @@ -1711,7 +1714,7 @@ is used. The .Cm tablearg argument can be used with the following actions: -.Cm nat, pipe , queue, divert, tee, netgraph, ngtee, fwd, skipto +.Cm nat, pipe , queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, action parameters: .Cm tag, untag, rule options: @@ -2432,6 +2435,27 @@ Reset table of the packet aliasing engine on address change. Reverse the way libalias handles aliasing. .It Cm proxy_only Obey transparent proxy rules only, packet aliasing is not performed. +.It Cm skip_global +Skip instance in case of global state lookup (see below). +.El +.Pp +Some specials value can be supplied instead of +.Va nat_number: +.Bl -tag -width indent +.It Cm global +Looks up translation state in all configured nat instances. +If an entry is found, packet is aliased according to that entry. +If no entry was found in any of the instances, packet is passed unchanged, +and no new entry will be created. +See section +.Sx MULTIPLE INSTANCES +in +.Xr natd 8 +for more information. +.It Cm tablearg +Uses argument supplied in lookup table. See +.Sx LOOKUP TABLES +section below for more information on lookup tables. .El .Pp To let the packet continue after being (de)aliased, set the sysctl variable diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index ad871fe..64e5eb1 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -21,6 +21,7 @@ */ #include <sys/types.h> +#include <sys/param.h> #include <sys/socket.h> #include <sys/sockio.h> #include <sys/sysctl.h> @@ -1121,8 +1122,11 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth) break; case O_NAT: - PRINT_UINT_ARG("nat ", cmd->arg1); - break; + if (cmd->arg1 != 0) + PRINT_UINT_ARG("nat ", cmd->arg1); + else + printf("nat global"); + break; case O_SETFIB: PRINT_UINT_ARG("setfib ", cmd->arg1); @@ -2738,9 +2742,14 @@ ipfw_add(char *av[]) break; case TOK_NAT: - action->opcode = O_NAT; - action->len = F_INSN_SIZE(ipfw_insn_nat); - goto chkarg; + action->opcode = O_NAT; + action->len = F_INSN_SIZE(ipfw_insn_nat); + if (_substrcmp(*av, "global") == 0) { + action->arg1 = 0; + av++; + break; + } else + goto chkarg; case TOK_QUEUE: action->opcode = O_QUEUE; @@ -2835,14 +2844,19 @@ chkarg: size_t intsize = sizeof(int); action->opcode = O_SETFIB; - NEED1("missing fib number"); - action->arg1 = strtoul(*av, NULL, 10); - if (sysctlbyname("net.fibs", &numfibs, &intsize, NULL, 0) == -1) - errx(EX_DATAERR, "fibs not suported.\n"); - if (action->arg1 >= numfibs) /* Temporary */ - errx(EX_DATAERR, "fib too large.\n"); - av++; - break; + NEED1("missing fib number"); + if (_substrcmp(*av, "tablearg") == 0) { + action->arg1 = IP_FW_TABLEARG; + } else { + action->arg1 = strtoul(*av, NULL, 10); + if (sysctlbyname("net.fibs", &numfibs, &intsize, + NULL, 0) == -1) + errx(EX_DATAERR, "fibs not suported.\n"); + if (action->arg1 >= numfibs) /* Temporary */ + errx(EX_DATAERR, "fib too large.\n"); + } + av++; + break; } case TOK_REASS: @@ -3554,7 +3568,7 @@ read_options: } if (lookup_key[j] <= 0) errx(EX_USAGE, "format: cannot lookup on %s", *av); - c->d[1] = j; // i converted to option + __PAST_END(c->d, 1) = j; // i converted to option av++; cmd->arg1 = strtoul(*av, &p, 0); if (p && *p) diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h index c9f8687..9562f32 100644 --- a/sbin/ipfw/ipfw2.h +++ b/sbin/ipfw/ipfw2.h @@ -178,6 +178,7 @@ enum tokens { TOK_DENY_INC, TOK_SAME_PORTS, TOK_UNREG_ONLY, + TOK_SKIP_GLOBAL, TOK_RESET_ADDR, TOK_ALIAS_REV, TOK_PROXY_ONLY, diff --git a/sbin/ipfw/main.c b/sbin/ipfw/main.c index fb3f3fb..109b62b 100644 --- a/sbin/ipfw/main.c +++ b/sbin/ipfw/main.c @@ -356,6 +356,7 @@ ipfw_main(int oldac, char **oldav) */ co.do_nat = 0; co.do_pipe = 0; + co.use_set = 0; if (!strncmp(*av, "nat", strlen(*av))) co.do_nat = 1; else if (!strncmp(*av, "pipe", strlen(*av))) @@ -444,7 +445,7 @@ static void ipfw_readfile(int ac, char *av[]) { #define MAX_ARGS 32 - char buf[BUFSIZ]; + char buf[4096]; char *progname = av[0]; /* original program name */ const char *cmd = NULL; /* preprocessor name, if any */ const char *filename = av[ac-1]; /* file to read */ @@ -552,7 +553,7 @@ ipfw_readfile(int ac, char *av[]) } } - while (fgets(buf, BUFSIZ, f)) { /* read commands */ + while (fgets(buf, sizeof(buf), f)) { /* read commands */ char linename[20]; char *args[2]; diff --git a/sbin/ipfw/nat.c b/sbin/ipfw/nat.c index 0331d383..ecb5d8a 100644 --- a/sbin/ipfw/nat.c +++ b/sbin/ipfw/nat.c @@ -53,6 +53,7 @@ static struct _s_x nat_params[] = { { "deny_in", TOK_DENY_INC }, { "same_ports", TOK_SAME_PORTS }, { "unreg_only", TOK_UNREG_ONLY }, + { "skip_global", TOK_SKIP_GLOBAL }, { "reset", TOK_RESET_ADDR }, { "reverse", TOK_ALIAS_REV }, { "proxy_only", TOK_PROXY_ONLY }, @@ -314,14 +315,19 @@ static int estimate_redir_addr(int *ac, char ***av) { size_t space = sizeof(struct cfg_redir); - char *sep; + char *sep = **av; + u_int c = 0; - if ((sep = strtok(**av, ",")) != NULL) { - space += sizeof(struct cfg_spool); - while ((sep = strtok(NULL, ",")) != NULL) - space += sizeof(struct cfg_spool); + while ((sep = strchr(sep, ',')) != NULL) { + c++; + sep++; } + if (c > 0) + c++; + + space += c * sizeof(struct cfg_spool); + return (space); } @@ -369,14 +375,19 @@ static int estimate_redir_port(int *ac, char ***av) { size_t space = sizeof(struct cfg_redir); - char *sep; + char *sep = **av; + u_int c = 0; - if ((sep = strtok(**av, ",")) != NULL) { - space += sizeof(struct cfg_spool); - while ((sep = strtok(NULL, ",")) != NULL) - space += sizeof(struct cfg_spool); + while ((sep = strchr(sep, ',')) != NULL) { + c++; + sep++; } + if (c > 0) + c++; + + space += c * sizeof(struct cfg_spool); + return (space); } @@ -464,10 +475,10 @@ setup_redir_port(char *buf, int *ac, char ***av) * Extract remote address and optionally port. */ /* - * NB: isalpha(**av) => we've to check that next parameter is really an + * NB: isdigit(**av) => we've to check that next parameter is really an * option for this redirect entry, else stop here processing arg[cv]. */ - if (*ac != 0 && !isalpha(***av)) { + if (*ac != 0 && isdigit(***av)) { if ((sep = strchr(**av, ':')) != NULL) { if (StrToAddrAndPortRange(**av, &r->raddr, protoName, &portRange) != 0) @@ -583,7 +594,7 @@ setup_redir_proto(char *buf, int *ac, char ***av) r->raddr.s_addr = INADDR_ANY; } else { /* see above in setup_redir_port() */ - if (!isalpha(***av)) { + if (isdigit(***av)) { StrToAddr(**av, &r->paddr); (*av)++; (*ac)--; @@ -591,7 +602,7 @@ setup_redir_proto(char *buf, int *ac, char ***av) * Extract optional remote address. */ /* see above in setup_redir_port() */ - if (*ac != 0 && !isalpha(***av)) { + if (*ac != 0 && isdigit(***av)) { StrToAddr(**av, &r->raddr); (*av)++; (*ac)--; } @@ -628,6 +639,9 @@ print_nat_config(unsigned char *buf) } else if (n->mode & PKT_ALIAS_SAME_PORTS) { printf(" same_ports"); n->mode &= ~PKT_ALIAS_SAME_PORTS; + } else if (n->mode & PKT_ALIAS_SKIP_GLOBAL) { + printf(" skip_global"); + n->mode &= ~PKT_ALIAS_SKIP_GLOBAL; } else if (n->mode & PKT_ALIAS_UNREGISTERED_ONLY) { printf(" unreg_only"); n->mode &= ~PKT_ALIAS_UNREGISTERED_ONLY; @@ -721,16 +735,18 @@ ipfw_config_nat(int ac, char **av) { struct cfg_nat *n; /* Nat instance configuration. */ int i, off, tok, ac1; - char *id, *buf, **av1; + char *id, *buf, **av1, *end; size_t len; av++; ac--; /* Nat id. */ - if (ac && isdigit(**av)) { - id = *av; - ac--; av++; - } else + if (ac == 0) errx(EX_DATAERR, "missing nat id"); + id = *av; + i = (int)strtol(id, &end, 0); + if (i <= 0 || *end != '\0') + errx(EX_DATAERR, "illegal nat id: %s", id); + av++; ac--; if (ac == 0) errx(EX_DATAERR, "missing option"); @@ -744,10 +760,11 @@ ipfw_config_nat(int ac, char **av) case TOK_IP: case TOK_IF: ac1--; av1++; - break; + break; case TOK_ALOG: case TOK_DENY_INC: case TOK_SAME_PORTS: + case TOK_SKIP_GLOBAL: case TOK_UNREG_ONLY: case TOK_RESET_ADDR: case TOK_ALIAS_REV: @@ -767,6 +784,9 @@ ipfw_config_nat(int ac, char **av) av1++; ac1--; len += estimate_redir_port(&ac1, &av1); av1 += 2; ac1 -= 2; + /* Skip optional remoteIP/port */ + if (ac1 != 0 && isdigit(**av1)) + av1++; ac1--; break; case TOK_REDIR_PROTO: if (ac1 < 2) @@ -774,6 +794,11 @@ ipfw_config_nat(int ac, char **av) "not enough arguments"); len += sizeof(struct cfg_redir); av1 += 2; ac1 -= 2; + /* Skip optional remoteIP/port */ + if (ac1 != 0 && isdigit(**av1)) + av1++; ac1--; + if (ac1 != 0 && isdigit(**av1)) + av1++; ac1--; break; default: errx(EX_DATAERR, "unrecognised option ``%s''", av1[-1]); @@ -787,7 +812,6 @@ ipfw_config_nat(int ac, char **av) off = sizeof(*n); memset(buf, 0, len); n = (struct cfg_nat *)buf; - i = atoi(id); n->id = i; while (ac > 0) { @@ -820,6 +844,9 @@ ipfw_config_nat(int ac, char **av) case TOK_UNREG_ONLY: n->mode |= PKT_ALIAS_UNREGISTERED_ONLY; break; + case TOK_SKIP_GLOBAL: + n->mode |= PKT_ALIAS_SKIP_GLOBAL; + break; case TOK_RESET_ADDR: n->mode |= PKT_ALIAS_RESET_ON_ADDR_CHANGE; break; |
