path: root/sbin/ipfw/ipfw.c

Commit log (newest first). Each entry gives the author, date, files changed and
lines removed/added, followed by the commit message.
* dillon, 2002-01-19 (1 file, -1/+1)

  I've been meaning to do this for a while. Add an underscore to the
  time_to_xxx() and xxx_to_time() functions, e.g. _time_to_xxx() instead of
  time_to_xxx(), to make it more obvious that these are stopgap functions and
  placemarkers and not meant to create a de facto standard. They will
  eventually be replaced when a real standard comes out of committee.

* yar, 2001-12-21 (1 file, -0/+21)

  Implement matching IP precedence in ipfw(4).

  Submitted by: Igor Timkin <ivt@gamma.ru>

* luigi, 2001-11-04 (1 file, -26/+27)

  sync the code with the one in stable (mostly formatting changes).

* luigi, 2001-11-01 (1 file, -6/+5)

  Fix a typo in a format string, and fix error checking for missing masks in
  "limit" rules.

* joe, 2001-10-29 (1 file, -3/+3)

  More white space changes.

* joe, 2001-10-29 (1 file, -20/+21)

  More stylistic tidying.

* joe, 2001-10-29 (1 file, -90/+90)

  Remove trailing white spaces, and some other style violations.

* dillon, 2001-10-28 (1 file, -1/+2)

  Properly convert long to time_t

* joe, 2001-10-28 (1 file, -1/+1)

  Remove some extraneous spaces from the usage message.

* luigi, 2001-09-27 (1 file, -19/+61)

  Two main changes here:

  + implement "limit" rules, which make it possible to limit the number of
    sessions between certain host pairs (according to masks). These are a
    special type of stateful rules, which might be of interest in some cases.
    See the ipfw manpage for details.

  + merge the list pointers and ipfw rule descriptors in the kernel, so the
    code is smaller, faster and more readable. This patch basically consists
    of replacing "foo->rule->bar" with "rule->bar" all over the place.
    I have been wanting to do this for ages!

  MFC after: 1 week
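The "limit" semantics described in the commit above, as an added model written
for this page (it is not ipfw or FreeBSD code). The mask keywords follow the
ipfw(8) syntax `limit {src-addr|src-port|dst-addr|dst-port} N`; everything else
is an assumption made here: a session is keyed on the (src-addr, src-port,
dst-addr, dst-port) tuple and matched in both directions, a packet that would
open a session beyond N is dropped, and an idle session expires after a fixed
lifetime (300 s by default) and frees its slot.

```python
# Added model of ipfw "limit" dynamic rules (not FreeBSD code). The
# deny-on-exceed action, bidirectional matching and the idle lifetime are
# assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, Tuple

# A flow is (src_addr, src_port, dst_addr, dst_port), the four values a
# dynamic rule is keyed on.
Flow = Tuple[str, int, str, int]
FIELDS = ("src-addr", "src-port", "dst-addr", "dst-port")


@dataclass(frozen=True)
class LimitRule:
    """limit {src-addr|src-port|dst-addr|dst-port} N: at most N sessions
    that agree on the masked fields."""
    mask: Tuple[str, ...]
    limit: int
    lifetime: float = 300.0   # idle seconds before a session expires (assumed)

    def __post_init__(self) -> None:
        if not self.mask or set(self.mask) - set(FIELDS):
            raise ValueError("mask must be a non-empty subset of %r" % (FIELDS,))
        if self.limit < 1:
            raise ValueError("limit must be >= 1")

    def key(self, flow: Flow) -> Tuple:
        """Project a flow onto the masked fields; unmasked fields become None,
        so flows that differ only there share one budget."""
        return tuple(v if f in self.mask else None for f, v in zip(FIELDS, flow))


def reverse(flow: Flow) -> Flow:
    """The same session seen from the other side."""
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


class LimitTable:
    """Dynamic-rule table for one limit rule."""

    def __init__(self, rule: LimitRule) -> None:
        self.rule = rule
        self.sessions: Dict[Flow, float] = {}   # forward flow -> last seen

    def _expire(self, now: float) -> None:
        dead = [f for f, seen in self.sessions.items()
                if now - seen > self.rule.lifetime]
        for f in dead:
            del self.sessions[f]

    def _in_use(self, key: Tuple) -> int:
        return sum(1 for f in self.sessions if self.rule.key(f) == key)

    def process(self, flow: Flow, now: float) -> str:
        """Return "allow" or "deny" for one packet of `flow` seen at `now`."""
        self._expire(now)
        for known in (flow, reverse(flow)):
            if known in self.sessions:        # existing session, either direction
                self.sessions[known] = now
                return "allow"
        if self._in_use(self.rule.key(flow)) >= self.rule.limit:
            return "deny"                     # budget for this key exhausted
        self.sessions[flow] = now             # new session takes a slot
        return "allow"


if __name__ == "__main__":
    # Constructed sample traffic: one client opening three sessions against
    # "limit src-addr 2".
    table = LimitTable(LimitRule(("src-addr",), 2, lifetime=60.0))
    for port, t in ((40001, 0.0), (40002, 1.0), (40003, 2.0)):
        print(port, table.process(("10.0.0.1", port, "192.0.2.10", 80), t))
```

The mask decides what "the same host pair" means: with `("src-addr",)` every
connection from one client counts against that client's budget whatever it
talks to, while `("src-addr", "dst-port")` gives each client a separate budget
per destination service. Reply packets match the existing session and never
consume a slot, and an idle session that passes its lifetime is dropped from
the table on the next lookup.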
* luigi, 2001-09-20 (1 file, -8/+19)

  A bunch of minor changes to the code (see below) for readability, code size
  and speed. No new functionality added (yet) apart from a bugfix. MFC will
  occur in due time and probably in stages.

  BUGFIX:

    fix a problem in old code which prevented reallocation of the hash table
    for dynamic rules (there is a PR on this).

  OTHER CHANGES:

    minor changes to the internal struct for static and dynamic rules.
    Requires rebuild of ipfw binary.

    Add comments to show how data structures are linked together. (It
    probably makes no sense to keep the chain pointers separate from actual
    rule descriptors. They will be hopefully merged soon.)

    keep a (sysctl-readable) counter for the number of static rules, to speed
    up IP_FW_GET operations

    initial support for a "grace time" for expired connections, so we can set
    timeouts for closing connections to much shorter times.

    merge zero_entry() and resetlog_entry(), they use basically the same code.

    clean up and reduce replication of code for removing rules, both for
    readability and code size.

    introduce a separate lifetime for dynamic UDP rules.

    fix a problem in old code which prevented reallocation of the hash table
    for dynamic rules (PR ...)

    restructure dynamic rule descriptors

    introduce some local variables to avoid multiple dereferencing of pointer
    chains (reduces code size and hopefully increases speed).

* ru, 2001-09-19 (1 file, -1/+1)

  Non-decimal ``skipto'' rule numbers are meaningless.

  Noticed by: "Marc G. Fournier" <scrappy@hub.org>
  MFC after: 3 days

* ru, 2001-08-06 (1 file, -1/+2)

  Fixed one more breakage introduced in 1.103 cleanup.
  ICMP types were reported incorrectly:

    # ipfw add allow icmp from any to any icmptypes 0,8

  PR: bin/29185
  Submitted by: Mike Durian <durian@boogie.com>

* obrien, 2001-08-01 (1 file, -1/+1)

  style(9)

* cjc, 2001-07-22 (1 file, -109/+114)

  Error messaging in ipfw(8) was out of hand: almost 50 lines of usage
  information for any command line error, the actual error message almost
  always (and sometimes irretrievably) lost scrolling off the top of the
  screen. Now just print the error. Give ipfw(8) no arguments for the old
  usage summary.

  Thanks to Lyndon Nerenberg <lyndon@orthanc.ab.ca> for the patch and PR, but
  I had already done this when ru pointed out the PR.

  PR: bin/28729
  Approved by: ru
  MFC after: 1 week

* cjc, 2001-07-10 (1 file, -5/+8)

  Fix rule parsing breakage introduced in 1.103 cleanup. 'tcp' and 'icmp'
  rules could drop into infinite loops when given bad arguments.

  Reviewed by: ru, des
  Approved by: ru

* kris, 2001-07-01 (1 file, -11/+11)

  Silence format string warnings.

  MFC after: 2 weeks

* des, 2001-06-04 (1 file, -1115/+1152)

  Invert the meaning of the -d option (i.e. default to *not* list dynamic
  rules, but list them if -d was specified). Avoid listing expired dynamic
  rules unless the (new) -e option was specified. If specific rule numbers
  were listed on the command line, and the -d flag was specified, only list
  dynamic rules that match the specified rule numbers.

  Try to partly clean up the bleeding mess this file has become. If there is
  any justice in this world, the responsible parties (you know who you are!)
  should expect to wake up one morning with a horse's head in their bed. The
  code still looks like spaghetti, but at least now it's *properly indented*
  spaghetti (hmm? did somebody say "tagliatelle"?).

* dwmalone, 2001-05-20 (1 file, -2/+7)

  Add a flag to "ipfw show" which suppresses the display of dynamic rules.
  Also, don't show dynamic rules if you only asked to see a certain rule
  number.

  PR: 18550
  Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
  Approved by: luigi
  MFC after: 2 weeks

* ru, 2001-04-13 (1 file, -3/+2)

  Update comment to match ipfw/ipfw.c,v 1.95.

* bde, 2001-04-05 (1 file, -2/+2)

  Fixed some printf format errors (don't assume that ntohl() returns u_long).

* phk, 2001-02-13 (1 file, -40/+59)

  Introduce a new feature in IPFW: check whether the source or destination
  address is configured on an interface.

  This is useful for routers with dynamic interfaces. It is now possible to
  say:

    0100 allow tcp from any to any established
    0200 skipto 1000 tcp from any to any
    0300 allow ip from any to any
    1000 allow tcp from 1.2.3.4 to me 22
    1010 deny tcp from any to me 22
    1020 allow tcp from any to any

  and not have to worry about the behaviour if dynamic interfaces configure
  new IP numbers later on.

  The check is semi-expensive (traverses the interface address list) so it
  should be protected as in the above example if high performance is a
  requirement.
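The guarding pattern in the ruleset above, modelled as an added example (this
is not FreeBSD code): a small rule walker with forward `skipto` jumps and a
counted "me" lookup, so you can see that established traffic is decided at
rule 0100 and never pays for the interface-address scan, while only new
connections fall through the `skipto` into the "me" rules. Assumptions made
here: `LOCAL_ADDRS` is a constructed stand-in for the interface address list,
"established" is taken as TCP with RST or ACK set as in ipfw(8), and running
off the end of the list is treated as deny.

```python
# Added model of ipfw rule walking with skipto and the "me" keyword (not
# FreeBSD code). LOCAL_ADDRS, the "established" interpretation and the
# fall-off-the-end action are assumptions made for this example.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the addresses "configured on an interface" on this box.
LOCAL_ADDRS: Set[str] = {"192.0.2.10", "198.51.100.7"}


@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    established: bool = False   # TCP with RST or ACK set


@dataclass
class Rule:
    number: int
    action: str                   # "allow", "deny" or "skipto"
    proto: str                    # "ip" matches everything, else exact
    src: str                      # "any", "me" or a literal address
    dst: str
    dport: Optional[int] = None
    established: bool = False
    target: Optional[int] = None  # skipto destination


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the commit message."""
    tok = text.split()
    number, action, i, target = int(tok[0]), tok[1], 2, None
    if action == "skipto":
        target, i = int(tok[2]), 3
        if target <= number:
            raise ValueError("skipto target must be after rule %d" % number)
    proto = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError("expected 'from <src> to <dst>'")
    src, dst, i = tok[i + 2], tok[i + 4], i + 5
    dport, established = None, False
    for word in tok[i:]:
        if word == "established":
            established = True
        else:
            dport = int(word)
    return Rule(number, action, proto, src, dst, dport, established, target)


class Walker:
    """Walk numbered rules in order; skipto resumes at the first rule whose
    number is >= the target, "me" consults the interface address list."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        self.me_checks = 0

    def _is_me(self, addr: str) -> bool:
        self.me_checks += 1            # count the expensive lookups
        return addr in LOCAL_ADDRS

    def _addr_ok(self, want: str, have: str) -> bool:
        if want == "any":
            return True
        if want == "me":
            return self._is_me(have)
        return want == have

    def _matches(self, r: Rule, p: Packet) -> bool:
        if r.proto != "ip" and r.proto != p.proto:
            return False
        if not (self._addr_ok(r.src, p.src) and self._addr_ok(r.dst, p.dst)):
            return False
        if r.dport is not None and r.dport != p.dport:
            return False
        return not r.established or p.established

    def evaluate(self, p: Packet) -> Tuple[int, str, int]:
        """Return (matching rule number, action, number of "me" lookups)."""
        self.me_checks = 0
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if not self._matches(r, p):
                i += 1
                continue
            if r.action == "skipto":
                # target > r.number, so this always moves forward.
                i = next((j for j, rr in enumerate(self.rules)
                          if rr.number >= r.target), len(self.rules))
                continue
            return r.number, r.action, self.me_checks
        return 65535, "deny", self.me_checks   # end of list: deny (assumed)


RULESET = [parse_rule(line) for line in """
0100 allow tcp from any to any established
0200 skipto 1000 tcp from any to any
0300 allow ip from any to any
1000 allow tcp from 1.2.3.4 to me 22
1010 deny tcp from any to me 22
1020 allow tcp from any to any
""".splitlines() if line.strip()]

if __name__ == "__main__":
    w = Walker(RULESET)
    print(w.evaluate(Packet("tcp", "203.0.113.5", "192.0.2.10", 22, True)))
    print(w.evaluate(Packet("tcp", "203.0.113.5", "192.0.2.10", 22)))
```

The third element of each result is the number of interface-address scans the
packet cost: zero for established TCP (decided at 0100) and for non-TCP
traffic (decided at 0300), one for a new connection that reaches the "me"
rules. The parser rejects a `skipto` whose target is not after the rule
itself, which is what keeps the walk from looping.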
* rwatson, 2001-01-09 (1 file, -3/+2)

  o IPFW incorrectly handled filtering in the presence of previously reserved
    and now allocated TCP flags in incoming packets. This patch stops
    overloading those bits in the IP firewall rules, and moves colliding
    flags to a separate field, ipflg. The IPFW userland management tool,
    ipfw(8), is updated to reflect this change. New TCP flags related to ECN
    are now included in tcp.h for reference, although we don't currently
    implement TCP+ECN.

  o To use this fix without completely rebuilding, it is sufficient to copy
    ip_fw.h and tcp.h into your appropriate include directory, then rebuild
    the ipfw kernel module, and ipfw tool, and install both. Note that a
    mismatch between module and userland tool will result in incorrect
    installation of firewall rules that may have unexpected effects.

  This is an MFC candidate, following shakedown. This bug does not appear to
  affect ipfilter.

  Reviewed by: security-officer, billf
  Reported by: Aragon Gouveia <aragon@phat.za.net>

* ru, 2000-10-12 (1 file, -3/+3)

  Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as well, in
  which case return the rule number back into userland.

  PR: bin/18351
  Reviewed by: archie, luigi

* ru, 2000-10-11 (1 file, -12/+14)

  Reset globals for every new command read from preprocessed file.

* ru, 2000-10-11 (1 file, -1/+1)

  Only interpret the last command line argument as a file to be preprocessed
  if it is specified as an absolute pathname.

  PR: bin/16179

* ru, 2000-10-06 (1 file, -1/+1)

  Document the latest firewall knobs.

* ru, 2000-10-04 (1 file, -15/+22)

  Respect the protocol when looking the port up by service name.

  PR: 21742

* ru, 2000-10-03 (1 file, -9/+11)

  Do not force the argument to the ``ipid'' modifier to be in hex, and accept
  a value of zero as valid for the IP Identification field.

* ru, 2000-10-03 (1 file, -1/+1)

  Fixed the printing of TCP flags.

* billf, 2000-10-02 (1 file, -6/+169)

  Add new fields for more granularity:

    IP:  version, tos, ttl, len, id
    TCP: seq#, ack#, window size

  Reviewed by: silence on freebsd-{net,ipfw}

* imp, 2000-08-16 (1 file, -1/+0)

  optreset is declared in unistd.h now.

* billf, 2000-07-17 (1 file, -1/+1)

  Fix a paste-o in the tcpoptions check (not a security problem, just an
  error in the usage printf()).

  Reviewed by: rwatson

* kris, 2000-07-10 (1 file, -1/+1)

  Don't call sprintf() with no format string.

* billf, 2000-06-18 (1 file, -5/+6)

  Reorder the "prob" section in the output of list/show so it can be
  copy/pasted into add without problems. The previous commit had the other
  half of this original patch which handled tcpflags/tcpflgs confusion in
  output/input.

* luigi, 2000-06-14 (1 file, -6/+6)

  Fix behaviour of "ipfw pipe show" -- previous code gave ambiguous data to
  the userland program (kernel operation was safe, anyways).

* dan, 2000-06-08 (1 file, -5/+69)

  Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
  It also squashes 99% of packet kiddie synflood orgies.

  For example, to rate syn packets without MSS,

    ipfw pipe 10 config 56Kbit/s queue 10Packets
    ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

  Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>

* luigi, 2000-06-08 (1 file, -102/+315)

  userland side of WF2Q+ support in dummynet.
  Manpage coming later...

* asmodai, 2000-05-01 (1 file, -3/+2)

  Remove unused include, and place sys includes at top, which enabled us to
  remove this include.

* green, 2000-04-30 (1 file, -4/+6)

  Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a rule
  that logs without a log limit, use "logamount 0" in addition to "log".

* luigi, 2000-02-13 (1 file, -1/+1)

  Use correct field for dst_port when displaying masks on dynamic pipes.

* luigi, 2000-02-10 (1 file, -13/+131)

  Support and document new stateful ipfw features.

  Approved-by: jordan

* luigi, 2000-01-08 (1 file, -10/+146)

  Support per-flow queueing in dummynet.
  Implement masks on UDP/TCP ports.
  Large rewrite of the manpage.

  Work supported by Akamba Corp.

* archie, 1999-12-06 (1 file, -3/+0)

  Turn on 'ipfw tee'. Update man page. Please note (from the man page):

    Packets that match a tee rule should not be immediately accepted, but
    should continue going through the rule list. This may be fixed in a
    later version.

  I hope to fix this soon in a separate commit.

* green, 1999-09-03 (1 file, -4/+20)

  Make the "uid" and "gid" code better. Now it can detect invalid user
  names/numbers.

  Reviewed by: chris

* peter, 1999-08-28 (1 file, -1/+1)

  $Id$ -> $FreeBSD$

* luigi, 1999-08-12 (1 file, -1/+2)

  Whoops, forgot one line in previous patch.

* luigi, 1999-08-11 (1 file, -3/+19)

  Userland and manual page changes for probabilistic rule match. Because the
  kernel change was done in a backward-compatible way, you don't need to
  recompile ipfw if you don't want to use the new feature.

* green, 1999-08-01 (1 file, -3/+72)

  Make ipfw's logging more dynamic. Now, log will use the default limit _or_
  you may specify "log logamount number" to set logging specifically for the
  rule. In addition, "ipfw resetlog" has been added, which will reset the
  logging counters on any/all rule(s). ipfw resetlog does not affect the
  packet/byte counters (as ipfw reset does), and is the only "set" command
  that can be run at securelevel >= 3.

  This should address complaints about not being able to set logging amounts,
  not being able to restart logging at a high securelevel, and not being able
  to just reset logging without resetting all of the counters in a rule.

* green, 1999-06-19 (1 file, -1/+49)

  This is the much-awaited cleaned up version of IPFW [ug]id support.
  All relevant changes have been made (including ipfw.8).