path: root/sbin/ipfw/ipfw.c
Commit log for this file, newest first. Each entry gives the commit message, then a trailer with author, date, files touched and lines removed/added.
* $Id$ -> $FreeBSD$
  -- peter, 1999-08-28 (1 file, -1/+1)
* Whoops, forgot one line in previous patch.
  -- luigi, 1999-08-12 (1 file, -1/+2)
* Userland and manual page changes for probabilistic rule match.
  Because the kernel change was done in a backward-compatible way, you don't need to recompile ipfw if you don't want to use the new feature.
  -- luigi, 1999-08-11 (1 file, -3/+19)
* Make ipfw's logging more dynamic. Now, log will use the default limit _or_ you may specify "log logamount number" to set logging specifically for the rule. In addition, "ipfw resetlog" has been added, which will reset the logging counters on any/all rule(s). ipfw resetlog does not affect the packet/byte counters (as ipfw reset does), and is the only "set" command that can be run at securelevel >= 3.
  This should address complaints about not being able to set logging amounts, not being able to restart logging at a high securelevel, and not being able to just reset logging without resetting all of the counters in a rule.
  -- green, 1999-08-01 (1 file, -3/+72)
* This is the much-awaited cleaned up version of IPFW [ug]id support.
  All relevant changes have been made (including ipfw.8).
  -- green, 1999-06-19 (1 file, -1/+49)
* Workaround the problem that the first (and only first) port name can't have a dash character (it is treated as a ``range'' operator). One could now use such a name by escaping the ``-'' characters. For example:
      # ipfw add 1 count tcp from any to any "ms\-sql\-s"
      # ipfw add 2 count tcp from any ftp\\-data-ftp to any
  PR: 7101
  -- ru, 1999-06-11 (1 file, -9/+26)
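As an added example (not ipfw's own code), the C program below parses one port argument with the escaping rule this commit describes: an unescaped `-` is the range operator, a backslash-escaped one is a literal character of the service name. The services table is a constructed stand-in for /etc/services (the real tool uses the resolver), the inputs are the strings as they reach the program after the shell has stripped its own quoting, and the names `parse_port_spec` and `port_spec_pack` are chosen here.

```c
/*
 * Added example, not ipfw's own code: parse one ipfw port argument, treating
 * a backslash-escaped '-' as part of a service name and an unescaped '-' as
 * the range operator.  The services table is a constructed stand-in for
 * /etc/services (a real tool would call getservbyname()).
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const struct { const char *name; uint16_t port; } services[] = {
    { "ftp-data", 20 }, { "ftp", 21 }, { "ssh", 22 }, { "http", 80 },
    { "ms-sql-s", 1433 },
};

/* Resolve one token (digits or a service name); 0 on success, -1 if unknown. */
static int lookup_port(const char *tok, uint16_t *out)
{
    size_t i;

    if (*tok == '\0')
        return -1;
    if (isdigit((unsigned char)*tok)) {
        char *end;
        unsigned long v = strtoul(tok, &end, 10);
        if (*end != '\0' || v > 65535)
            return -1;
        *out = (uint16_t)v;
        return 0;
    }
    for (i = 0; i < sizeof(services) / sizeof(services[0]); i++) {
        if (strcmp(services[i].name, tok) == 0) {
            *out = services[i].port;
            return 0;
        }
    }
    return -1;
}

/*
 * Split spec at the first unescaped '-'.  "\x" always yields a literal x, so
 * "ms\-sql\-s" stays one name and "ftp\-data-ftp" is the range 20-21.
 * Returns 0 and fills lo/hi (lo == hi for a single port), -1 on any error.
 */
int parse_port_spec(const char *spec, uint16_t *lo, uint16_t *hi)
{
    char tok[2][64];
    size_t len[2] = { 0, 0 };
    int cur = 0;
    const char *p;

    for (p = spec; *p != '\0'; p++) {
        char c = *p;
        if (c == '\\') {                /* escaped character: keep it literally */
            if (p[1] == '\0')
                return -1;              /* dangling backslash */
            c = *++p;
        } else if (c == '-') {          /* unescaped dash: the range operator */
            if (cur == 1)
                return -1;              /* a second range operator */
            cur = 1;
            continue;
        }
        if (len[cur] >= sizeof(tok[cur]) - 1)
            return -1;                  /* token too long */
        tok[cur][len[cur]++] = c;
    }
    tok[0][len[0]] = '\0';
    tok[1][len[1]] = '\0';

    if (lookup_port(tok[0], lo) != 0)
        return -1;
    if (cur == 0) {
        *hi = *lo;
        return 0;
    }
    if (lookup_port(tok[1], hi) != 0 || *hi < *lo)
        return -1;                      /* unknown upper bound or inverted range */
    return 0;
}

/* Convenience wrapper for callers and tests: (lo << 16) | hi, or -1 on error. */
long port_spec_pack(const char *spec)
{
    uint16_t lo, hi;

    if (parse_port_spec(spec, &lo, &hi) != 0)
        return -1;
    return ((long)lo << 16) | hi;
}

int main(void)
{
    /* The two strings below are the commit's examples after shell quoting. */
    const char *specs[] = { "ms\\-sql\\-s", "ftp\\-data-ftp", "ms-sql-s" };
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        long r = port_spec_pack(specs[i]);
        if (r < 0)
            printf("%-14s -> rejected\n", specs[i]);
        else
            printf("%-14s -> %ld-%ld\n", specs[i], r >> 16, r & 0xffff);
    }
    return 0;
}
```

Without the escape, `ms-sql-s` splits at the first dash into the unknown name `ms` and a second range operator, so it is rejected rather than silently matching a different port.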
* Fix the parsing of ip addresses on a command line.
  PR: 5047
  Reviewed by: des
  Test case: ipfw add allow ip from 127.1 to any
  -- ru, 1999-06-04 (1 file, -7/+7)
* Spelling corrections for dummynet.
  Reviewed by: des, luigi
  -- ru, 1999-06-02 (1 file, -4/+5)
* Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes, grammatical fixes.
  Submitted by: Philippe Charnier
  -- kris, 1999-05-29 (1 file, -9/+10)
* close pr 10889:
  + add a missing call to dn_rule_delete() when flushing firewall rules, thus preventing possible panics due to dangling pointers (this was already done for single rule deletes).
  + improve "usage" output in ipfw(8)
  + add a few checks to ipfw pipe parameters and make it a bit more tolerant of common mistakes (such as specifying kbit instead of Kbit)
  PR: kern/10889
  Submitted by: Ruslan Ermilov
  -- luigi, 1999-05-24 (1 file, -13/+27)
* Fix bug where 'ipfw list' would choke if there were a large number of rules.
  -- archie, 1999-01-22 (1 file, -79/+95)
* Remove coredump when running "ipfw pipe" without more arguments.
  PR: 8937
  -- luigi, 1998-12-27 (1 file, -1/+4)
* ipfw changes for dummynet. Manpages still missing.
  -- luigi, 1998-12-14 (1 file, -2/+155)
* Disallow ipfw "tee" rules until it is actually implemented.
  PR: bin/8471
  -- archie, 1998-12-07 (1 file, -5/+8)
* Preprocessor support for `ipfw [-q] ... file'.
  This allows for more flexible ipfw configuration files using `variables' to describe frequently used items in the file, like the local IP address(es), interface names etc. Both m4 and cpp are useful and supported; with m4 being a little more unusual to the common C programmer, things like automatic rule numbering can be achieved fairly easily.
  While I was at it, I've also untangled some of the ugly style inside main(), and fixed a bug or two (like not being able to use blank lines when running with -q).
  A typical call with preprocessor invocation looks like
      ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules
  Someone should probably add support for this feature to /etc/rc.firewall.
  -- joerg, 1998-11-23 (1 file, -14/+113)
* The flags type was recently changed from u_short to u_int, breaking icmptypes.
  PR: 8067
  Submitted by: Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>
  While I'm here, staticize functions.
  -- alex, 1998-09-28 (1 file, -10/+10)
* PR: 7475
  Added support for -q (suppress output) when firewall rules are taken from a file. Solves PR 7475.
  -- thepish, 1998-08-04 (1 file, -6/+9)
* Support for IPFW based transparent forwarding.
  Any packet that can be matched by an ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified.
  /sbin/ipfw must be recompiled!!!
  Reviewed by: Peter Wemm <peter@freebsd.org>
  Submitted by: Chrisy Luke <chrisy@flix.net>
  -- julian, 1998-07-06 (1 file, -2/+31)
* PR: 6641
  Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
  Make -q work for zeroing a specific rule.
  -- danny, 1998-05-15 (1 file, -2/+2)
* When ipfw reads its rules from an input file, the optind variable is not reinitialized to 1 after calling getopt. This results in parsing errors on all but the first rule. An added patch also allows '#' comments at the end of a line.
  PR: 6379
  Reviewed by: phk
  Submitted by: Neal Fachan <kneel@ishiboo.com>
  -- phk, 1998-04-22 (1 file, -1/+5)
* Get the arguments to show_usage right (like the MFC'ed code in -stable).
  Submitted by: bde
  -- alex, 1998-03-13 (1 file, -3/+3)
* Alter ipfw's behavior with respect to fragmented packets when the packet offset is non-zero:
  - Do not match fragmented packets if the rule specifies a port or TCP flags
  - Match fragmented packets if the rule does not specify a port and TCP flags
  Since ipfw cannot examine port numbers or TCP flags for such packets, it is now illegal to specify the 'frag' option with either ports or tcpflags. Both kernel and ipfw userland utility will reject rules containing a combination of these options.
  BEWARE: packets that were previously passed may now be rejected, and vice versa.
  Reviewed by: Archie Cobbs <archie@whistle.com>
  -- alex, 1998-02-12 (1 file, -2/+11)
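As an added example (not ipfw's own code), the C below models the two matching rules and the validity check stated in this commit, so the effect on non-first fragments can be probed directly. `struct rule` and `struct pkt` are constructed stand-ins for the kernel's rule and packet structures with only the fields needed here, and `eval_rule` is a probe helper invented for the example.

```c
/*
 * Added example, not ipfw's own code: a model of the fragment handling this
 * commit describes.  struct rule and struct pkt are constructed stand-ins for
 * the kernel's rule and packet structures; only the fields used here exist.
 */
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02   /* TCP SYN flag bit, as in <netinet/tcp.h> */

struct rule {
    uint8_t  proto;         /* IP protocol number; 0 = any */
    int      frag_only;     /* ipfw 'frag' option: match only non-first fragments */
    int      n_ports;       /* destination ports listed; 0 = none specified */
    uint16_t ports[4];
    uint8_t  tcpflags_set;  /* TCP flags the rule requires set; 0 = none */
};

struct pkt {
    uint8_t  proto;
    uint16_t frag_off;      /* IP fragment offset; non-zero = not the first fragment */
    uint16_t dport;         /* transport fields: only present when frag_off == 0 */
    uint8_t  tcpflags;
};

/* The combination the commit makes illegal: 'frag' with ports or tcpflags. */
int rule_is_valid(const struct rule *r)
{
    return !(r->frag_only && (r->n_ports > 0 || r->tcpflags_set != 0));
}

/* 1 if the packet matches the rule, 0 otherwise. */
int rule_matches(const struct rule *r, const struct pkt *p)
{
    int i;

    if (r->proto != 0 && r->proto != p->proto)
        return 0;
    if (p->frag_off != 0) {
        /* No transport header to inspect: a rule naming ports or flags cannot
         * match a non-first fragment; a rule naming neither does. */
        return r->n_ports == 0 && r->tcpflags_set == 0;
    }
    if (r->frag_only)
        return 0;               /* 'frag' rules never match the first fragment */
    if (r->n_ports > 0) {
        for (i = 0; i < r->n_ports && r->ports[i] != p->dport; i++)
            ;
        if (i == r->n_ports)
            return 0;
    }
    if ((p->tcpflags & r->tcpflags_set) != r->tcpflags_set)
        return 0;
    return 1;
}

/*
 * Probe helper: build a rule (proto, frag_only, one dst port or 0 for none,
 * required flags) and a packet of the same proto (frag_off, dport, flags).
 * Returns 1 on match, 0 on no match, -1 if the rule should be rejected.
 */
int eval_rule(uint8_t proto, int frag_only, uint16_t port, uint8_t flags_set,
              uint16_t frag_off, uint16_t dport, uint8_t flags)
{
    struct rule r = { proto, frag_only, port != 0, { port }, flags_set };
    struct pkt  p = { proto, frag_off, dport, flags };

    if (!rule_is_valid(&r))
        return -1;
    return rule_matches(&r, &p);
}

int main(void)
{
    /* A "tcp ... 80" rule sees the first fragment but not the later ones. */
    printf("port rule, first fragment:   %d\n", eval_rule(6, 0, 80, 0, 0, 80, 0));
    printf("port rule, later fragment:   %d\n", eval_rule(6, 0, 80, 0, 1, 0, 0));
    printf("bare proto rule, later frag: %d\n", eval_rule(6, 0, 0, 0, 1, 0, 0));
    printf("frag + port (rejected):      %d\n", eval_rule(6, 1, 80, 0, 1, 0, 0));
    return 0;
}
```

The practical consequence for a ruleset is the one the commit warns about: a port-specific `deny` no longer catches the later fragments of a matching datagram, so a ruleset that relies on port rules alone needs a separate rule for non-first fragments if those are to be dropped too.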
* Bump up packet and byte counters to 64-bit unsigned ints. As a consequence, ipfw's list command now adjusts its output at runtime based on the largest packet/byte counter values.
  NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel and userland ipfw utility.
  o This probably should not be brought into 2.2.
  PR: 3738
  -- alex, 1998-01-08 (1 file, -14/+32)
* Format mismatch in error message.
  Submitted by: bde
  -- alex, 1998-01-08 (1 file, -2/+2)
* Support listing/showing specific rules supplied on the command line.
  Use error codes from <sysexits.h>.
  -- alex, 1998-01-07 (1 file, -29/+72)
* Display a better error message and use a non-zero exit code when zero/delete operations fail.
  PR: 4231
  Reviewed by: Archie Cobbs <archie@whistle.com>
  -- alex, 1998-01-06 (1 file, -5/+16)
* Put the return value of getopt into an int, not a char.
  -- alex, 1997-12-26 (1 file, -5/+4)
* Allow ipfw to accept comments and blank lines.
  This makes ipfw config files a LOT more readable.
  -- julian, 1997-12-05 (1 file, -1/+5)
* Support interface names up to 15 characters in length. In order to accommodate the expanded name, the ICMP types bitmap has been reduced from 256 bits to 32.
  A recompile of kernel and user level ipfw is required.
  To be merged into 2.2 after a brief period in -current.
  PR: bin/4209
  Reviewed by: Archie Cobbs <archie@whistle.com>
  -- alex, 1997-08-08 (1 file, -4/+4)
* Allow service names as the divert/tee arg.
  -- brian, 1997-07-25 (1 file, -5/+19)
* Allow ipfw to look up service names from /etc/services (or NIS if turned on).
  Note: this would be dangerous if your ipfw was blocking NIS access :)
  Submitted by: archie@whistle.com (Archie Cobbs)
  -- julian, 1997-06-23 (1 file, -8/+39)
* Remove __progname. Cosmetic in usage string.
  -- charnier, 1997-06-13 (1 file, -11/+6)
* Submitted by: Whistle Communications (Archie Cobbs)
  These are quite extensive additions to the ipfw code. They include a change to the API because the old method was broken, but the user view is kept the same. The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections, especially TCP related, and many many more ... see the man page for a complete description.
  -- julian, 1997-06-02 (1 file, -217/+405)
* Compare return value from getopt against -1 rather than EOF, per the final POSIX standard on the topic.
  -- imp, 1997-03-29 (1 file, -2/+2)
* Force null termination after 2 errant strncpy()s.
  -- bde, 1997-03-05 (1 file, -1/+3)
* Revert $FreeBSD$ to $Id$
  -- peter, 1997-02-22 (1 file, -1/+1)
* Add '-q' quiet flag for flush/add/zero commands; add 'show' command as synonym for '-a list'; stop SEGV when specifying 'via' with no interface; change 2 instances of strcpy() to strncpy().
  This is a candidate for 2.2.
  -- danny, 1997-02-10 (1 file, -7/+21)
* Adjust spelling of `fw_flg' so this thing compiles again.
  -- jkh, 1997-01-17 (1 file, -2/+2)
* Implement "not" keyword for inverting the address logic.
  -- adam, 1997-01-16 (1 file, -2/+12)
* Make the long-awaited change from $Id$ to $FreeBSD$
  This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long.
  Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
  -- jkh, 1997-01-14 (1 file, -1/+1)
* Fix up programs which expect <net/if.h> to include <sys/time.h> to instead do it themselves. (Some of these programs actually depended on this beyond compiling the definition of struct ifinfo!)
  Also fix up some other #include messes while we're at it.
  -- wollman, 1996-12-10 (1 file, -9/+13)
* Issue a warning if the user specifies an invalid interface in a rule.
  The rule is still added to the chain since the interface may get created later on after loading an LKM.
  -- alex, 1996-10-17 (1 file, -1/+25)
* Because 'ipfw flush' is such a dangerous command (given that most firewalls are remote, and this command will kill the network connection to them), prompt the user for confirmation of this command.
  Also, add the '-f' flag which ignores the need for confirmation of the command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0) assume '-f'.
  If anyone is using ipfw flush in scripts it shouldn't affect them, but you may want to change the script to use 'ipfw -f flush'.
  Reviewed by: alex
  -- nate, 1996-08-31 (1 file, -7/+36)
* Completely rewrite handling of protocol field for firewalls, things are now completely consistent across all IP protocols and should be quite a bit faster. Use getprotoname() extensively, performed minor cleanups of admin utility.
  The admin utility could use a good kick in the pants. Basically, these were the minimal changes I could make to the code to get it up to tolerable shape. There will be some future commits to clean up the basic architecture of the firewall code, and if I'm feeling ambitious, I may pull in changes like NAT from Linux and make the firewall hooks completely generic so that a user can either load the ipfw module or the ipfilter module (cf Darren Reed).
  Discussed with: fenner & alex
  -- pst, 1996-08-13 (1 file, -105/+55)
* Fix tcp/udp port ranges
  -- pst, 1996-08-13 (1 file, -3/+3)
* Filter by IP protocol.
  Submitted by: fenner (with modifications by me)
  Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
  -- alex, 1996-08-05 (1 file, -20/+59)
* Adding changes to ipfw and the kernel to support ip packet diversion..
  This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
  -- julian, 1996-07-10 (1 file, -20/+38)
* Formatting fixes for 'in' and 'out' while listing.
  Prevent ALL protocol from being used with port specifications.
  Allow 'via' keyword at any point in the options list.
  Disallow multiple 'via' specifications.
  -- alex, 1996-06-29 (1 file, -22/+32)
* Fix address mask calculation when using ':' syntax. Allow a mask of /0 to have the desired effect. Normalize IP addresses that won't match a given mask (i.e. 1.2.3.4/24 becomes 1.2.3.0/24).
  Submitted by R. Bezuidenhout <rbezuide@mikom.csir.co.za>
  Code formatting and "frag" display fixes.
  -- alex, 1996-06-23 (1 file, -13/+23)
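As an added example (not ipfw's own code), the C program below parses an address argument in the `addr`, `addr/bits` and `addr:mask` forms and normalizes it the way this commit describes: host bits are cleared (1.2.3.4/24 becomes 1.2.3.0/24) and /0 yields a mask that matches everything. The function names are chosen for the example, and printing a non-contiguous mask in the `addr:mask` form is an assumption made here, since such a mask has no prefix length.

```c
/*
 * Added example, not ipfw's own code: parse "addr", "addr/bits" or
 * "addr:mask" and normalize as the commit describes (host bits cleared,
 * /0 meaning match-anything).  Plain C, no network library assumed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OCT(x, n) ((unsigned)(((x) >> (n)) & 255))   /* one octet of a host-order address */

/* Dotted quad -> host-order value; 0 on success, -1 on error. */
static int parse_quad(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;                              /* too few octets, or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Prefix length of a contiguous mask, or -1 if the mask has holes. */
static int mask_bits(uint32_t m)
{
    int bits = 0;

    while (bits < 32 && (m & 0x80000000u)) {
        m <<= 1;
        bits++;
    }
    return m == 0 ? bits : -1;
}

/* Parse spec into network and mask with the mask applied to the address,
 * so 1.2.3.4/24 yields net 1.2.3.0.  Returns 0 on success, -1 on error. */
int parse_addr_mask(const char *spec, uint32_t *net, uint32_t *mask)
{
    char buf[64], *sep;
    uint32_t addr, m;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    if ((sep = strchr(buf, '/')) != NULL) {
        char *end;
        unsigned long bits;

        *sep++ = '\0';
        bits = strtoul(sep, &end, 10);
        if (*sep == '\0' || *end != '\0' || bits > 32)
            return -1;
        /* Shifting by 32 is undefined in C, so /0 needs its own case. */
        m = (bits == 0) ? 0 : 0xffffffffu << (32 - bits);
    } else if ((sep = strchr(buf, ':')) != NULL) {
        *sep++ = '\0';
        if (parse_quad(sep, &m) != 0)
            return -1;
    } else {
        m = 0xffffffffu;                        /* a bare address is a /32 */
    }
    if (parse_quad(buf, &addr) != 0)
        return -1;
    *net = addr & m;                            /* clear host bits: the normalization */
    *mask = m;
    return 0;
}

/* Render the normalized form: "a.b.c.d/bits" for a contiguous mask, else
 * "a.b.c.d:mask".  Returns a static buffer (inet_ntoa style) or NULL. */
const char *normalize_addr(const char *spec)
{
    static char out[48];
    uint32_t net, mask;
    int bits;

    if (parse_addr_mask(spec, &net, &mask) != 0)
        return NULL;
    bits = mask_bits(mask);
    if (bits >= 0)
        snprintf(out, sizeof out, "%u.%u.%u.%u/%d",
                 OCT(net, 24), OCT(net, 16), OCT(net, 8), OCT(net, 0), bits);
    else
        snprintf(out, sizeof out, "%u.%u.%u.%u:%u.%u.%u.%u",
                 OCT(net, 24), OCT(net, 16), OCT(net, 8), OCT(net, 0),
                 OCT(mask, 24), OCT(mask, 16), OCT(mask, 8), OCT(mask, 0));
    return out;
}

int main(void)
{
    const char *n = normalize_addr("1.2.3.4/24");
    printf("1.2.3.4/24 -> %s\n", n ? n : "rejected");
    return 0;
}
```

The point of normalizing at parse time is that a rule written as `1.2.3.4/24` and one written as `1.2.3.0/24` are the same rule; storing and listing the cleared form keeps what the user sees in `ipfw list` equal to what the kernel compares against.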
* Set the program name before trying to use it.
  Found by: Aage Robekk <aagero@aage.priv.no>
  -- alex, 1996-06-18 (1 file, -3/+3)