summaryrefslogtreecommitdiffstats
path: root/sbin/ipfw/ipfw2.c
Commit message (Collapse)AuthorAgeFilesLines
* Merge r258708, r258711, r260247, r261117.melifaro2014-05-081-10/+35
| | | | | | | | | | | | | | | | | | | | r258708: Check ipfw table numbers in both user and kernel space before rule addition. Found by: Saychik Pavel <umka@localka.net> r258711: Simplify O_NAT opcode handling. r260247: Use rnh_matchaddr instead of rnh_lookup for longest-prefix match. rnh_lookup is effectively the same as rnh_matchaddr if called with empy network mask. r261117: Reorder struct ip_fw_chain: * move rarely-used fields down * move uh_lock to different cacheline * remove some usused fields
* Merge r258677.melifaro2014-05-081-2/+13
| | | | | | | | | Fix key lookup in ipfw(8) broken since r232865. Print warning for IPv4 address strings which are valid in inet_aton() but not valid in inet_pton(). (1) Found by: Özkan KIRIK <ozkan.kirik@gmail.com> Submitted by: Ian Smith <smithi@nimnet.asn.au> (1)
* Fix ipfw(8) sets of ipv6 addresses handling.melifaro2013-05-181-14/+24
| | | | | | | Conditionally use stack buffer instead of calling strdup(). PR: bin/104921 MFC after: 2 weeks
* Remove unused variable.melifaro2013-03-201-2/+1
|
* Add ipfw support for setting/matching DiffServ codepoints (DSCP).melifaro2013-03-201-0/+137
| | | | | | | | | | | | | | | | | | | | | | Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg. Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order): Dmitrii Tejblum Marcelo Araujo Roman Bogorodskiy (novel) Sergey Matveichuk (sem) Sergey Ryabin PR: kern/102471, kern/121122 MFC after: 2 weeks
* Do not suddenly fail on some rulesets if -n (syntax check only) is specifiedmelifaro2013-03-041-4/+13
| | | | | | and ipfw(4) module is not loaded. MFC after: 2 weeks
* Implement buffer size checking in ipfw(8) add cmd.melifaro2013-03-031-51/+103
| | | | | | PR: bin/65961 Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru> MFC after: 2 weeks
* Fix ipfw table argument parsing/printing.melifaro2013-03-021-54/+92
| | | | | | | | Fix style. PR: kern/175909 Submitted by: Daniel Hagerty <hag@linnaean.org> MFC after: 2 weeks
* remove the last __unused instance in sbin/ipfw.luigi2012-07-301-1/+2
| | | | | | This particular function (show_prerequisites() ) we should actually remove the argument from the callers as well, but i'll do it at a later time.
* Fix some compile errors at high WARNS, including oneluigi2012-07-301-2/+3
| | | | | | | | | for an uninitialized variable. unused parameters and variables are annotated with (void)foo; /* UNUSED */ instead of __unused, because this code needs to build also on linux and windows.
* - Permit number of ipfw tables to be changed in runtime.melifaro2012-03-251-9/+3
| | | | | | | | | | | | | | | net.inet.ip.fw.tables_max is now read-write. - Bump IPFW_TABLES_MAX to 65535 Default number of tables is still 128 - Remove IPFW_TABLES_MAX from ipfw(8) code. Sponsored by Yandex LLC Approved by: kib(mentor) MFC after: 2 weeks
* - Add ipfw eXtended tables permitting radix to be used for any kind of keys.melifaro2012-03-121-71/+197
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Add support for IPv6 and interface extended tables - Make number of tables to be loader tunable in range 0..65534. - Use IP_FW3 opcode for all new extended table cmds No ABI changes are introduced. Old userland will see valid tables for IPv4 tables and no entries otherwise. Flush works for any table. IP_FW3 socket option is used to encapsulate all new opcodes: /* IP_FW3 header/opcodes */ typedef struct _ip_fw3_opheader { uint16_t opcode; /* Operation opcode */ uint16_t reserved[3]; /* Align to 64-bit boundary */ } ip_fw3_opheader; New opcodes added: IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST ipfw(8) table argument parsing behavior is changed: 'ipfw table 999 add host' now assumes 'host' to be interface name instead of hostname. New tunable: net.inet.ip.fw.tables_max controls number of table supported by ipfw in given VNET instance. 128 is still the default value. New syntax: ipfw add skipto tablearg ip from any to any via table(42) in ipfw add skipto tablearg ip from any to any via table(4242) out This is a bit hackish, special interface name '\1' is used to signal interface table number is passed in p.glob field. Sponsored by Yandex LLC Reviewed by: ae Approved by: ae (mentor) MFC after: 4 weeks
* Make the 'tcpwin' option of ipfw(8) accept ranges and lists.glebius2012-02-061-3/+12
| | | | Submitted by: sem
* Spelling fixes for sbin/uqs2012-01-071-4/+4
|
* Add support for IPv6 to ipfw fwd:bz2011-08-201-20/+88
| | | | | | | | | | | | | | | | | | | Distinguish IPv4 and IPv6 addresses and optional port numbers in user space to set the option for the correct protocol family. Add support in the kernel for carrying the new IPv6 destination address and port. Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change the address in the IP header. Add support for IPv6 forwarding to a non-local destination. Add a regession test uitilizing VIMAGE to check all 20 possible combinations I could think of. Obtained from: David Dolson at Sandvine Incorporated (original version for ipfw fwd IPv6 support) Sponsored by: Sandvine Incorporated PR: bin/117214 MFC after: 4 weeks Approved by: re (kib)
* Fix a regression where a rule containing a source port option after ajhb2011-08-171-0/+2
| | | | | | | | | destination IP would incorrectly display the source port as a destination port. Reviewed by: luigi Approved by: re (kib) MFC after: 1 week
* Add new rule actions "call" and "return" to ipfw. They makeae2011-06-291-0/+16
| | | | | | | | | | | | | possible to organize subroutines with rules. The "call" action saves the current rule number in the internal stack and rules processing continues from the first rule with specified number (similar to skipto action). If later a rule with "return" action is encountered, the processing returns to the first rule with number of "call" rule saved in the stack plus one or higher. Submitted by: Vadim Goncharov Discussed by: ipfw@, luigi@
* Fix clang warnings.benl2011-06-181-1/+2
| | | | Approved by: philip (mentor)
* Implement "global" mode for ipfw nat. It is similar to natd(8)ae2011-06-141-5/+13
| | | | | | | | | | | | | | | | "globalport" option for multiple NAT instances. If ipfw rule contains "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, packet aliased according to that entry, otherwise packet is passed unchanged. User can specify "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode. PR: kern/157867 Submitted by: Alexander V. Chernikov (previous version) Tested by: Eugene Grosbein
* Add tablearg support for ipfw setfib.ae2011-05-301-8/+13
| | | | | PR: kern/156410 MFC after: 2 weeks
* More whitespace fixes.glebius2011-04-181-10/+10
| | | | Checked with: md5, diff -x -w
* Whitespace fixes.glebius2011-04-181-18/+17
| | | | Checked with: md5, diff -w
* The first customer of the SO_USER_COOKIE option:luigi2010-11-121-0/+7
| | | | | | | | | | | | the "sockarg" ipfw option matches packets associated to a local socket and with a non-zero so_user_cookie value. The value is made available as tablearg, so it can be used as a skipto target or pipe number in ipfw/dummynet rules. Code by Paul Joe, manpage by me. Submitted by: Paul Joe MFC after: 1 week
* fix 64-bit buildluigi2010-04-191-2/+4
| | | | Reported by: Robert Noland
* Slightly different handling of printf/snprintf for unaligned uint64_t,luigi2010-04-191-31/+35
| | | | | | | which should improve readability, and also to ease the port to platforms that do not support %llu MFC after: 3 days
* Set net.inet6.ip6.fw.enable as well.ume2010-04-061-0/+2
|
* fix another bug in "ipfw set N ..."luigi2010-03-241-1/+1
| | | | Submitted by: Marcin Wisnicki
* print correctly commands of the formluigi2010-03-151-8/+17
| | | | | | | | | | ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 } (note that the above example could be better written as ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8 Submitted by: Riccardo Panicucci
* Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bitsluigi2010-03-151-2/+3
| | | | | | | | | | of ip->ip_tos) in a table. This can be useful to direct traffic to different pipes/queues according to the DSCP of the packet, as follows: ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue This change is a no-op (but harmless) until the two-line kernel side is committed, which will happen shortly.
* fix handling of setsluigi2010-03-041-5/+13
|
* Bring in the most recent version of ipfw and dummynet, developedluigi2010-03-021-150/+161
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet. The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions. In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ. Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland. Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time. Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits. CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.
* implement a new match option,luigi2009-12-151-0/+45
| | | | | | | | | | | | | | lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N which searches the specified field in table N and sets tablearg accordingly. With dst-ip or src-ip the option replicates two existing options. When used with other arguments, the option can be useful to quickly dispatch traffic based on other fields. Work supported by the Onelab project. MFC after: 1 week
* restore setting of sin_len (was removed in 1.146 last february) asluigi2009-12-061-1/+3
| | | | | | | | | | it seems that now it is necessary for 'forward' to work outside lo0. The bug (and fix) was reported on 8.0. This patch probably applies to RELENG_7 as well. It seems that 'pf' has a similar bug. Submitted by: Lytochkin Boris MFC after: 3 days
* add a missing format in a printfluigi2009-06-081-1/+1
| | | | | | Detected building with gcc 4.3.3 MFC after: 3 days
* Several ipfw options and actions use a 16-bit argument to indicateluigi2009-06-051-3/+3
| | | | | | | | | | | | | | | | | | | | | | | pipes, queues, tags, rule numbers and so on. These are all different namespaces, and the only thing they have in common is the fact they use a 16-bit slot to represent the argument. There is some confusion in the code, mostly for historical reasons, on how the values 0 and 65535 should be used. At the moment, 0 is forbidden almost everywhere, while 65535 is used to represent a 'tablearg' argument, i.e. the result of the most recent table() lookup. For now, try to use explicit constants for the min and max allowed values, and do not overload the default rule number for that. Also, make the MTAG_IPFW declaration only visible to the kernel. NOTE: I think the issue needs to be revisited before 8.0 is out: the 2^16 namespace limit for rule numbers and pipe/queue is annoying, and we can easily bump the limit to 2^32 which gives a lot more flexibility in partitioning the namespace. MFC after: 5 days
* Implement an ipfw action to reassemble ip packets: reass.piso2009-04-011-0/+9
|
* Explain that we assume AF_INET and only use the addr and port fieldluigi2009-02-021-1/+4
| | | | from a struct sockaddr_in, so there is no need to initialize sin_len
* put the altq-related functions into a separate file.luigi2009-02-011-115/+5
| | | | | Minor cleanup of the includes used by the various source files, including annotations of why certain headers are used.
* fix printing of uint64_t values, so we can use WARNS=2luigi2009-01-271-2/+12
|
* Put nat and ipv6 support in their own files.luigi2009-01-271-1317/+2
| | | | | | | | Usual moving of code with no changes from ipfw2.c to the newly created files, and addition of prototypes to ipfw2.h I have added forward declarations for ipfw_insn_* in ipfw2.h to avoid a global dependency on ip_fw.h
* Put dummynet-related code in a separate file.luigi2009-01-271-785/+11
| | | | | To this purpose, add prototypes for global functions in ipfw2.h and move there also the list of tokens used in various places in the code.
* Start splitting the monster file in smaller blocks.luigi2009-01-271-588/+36
| | | | | | | | | | | | In this episode: - introduce a common header with a minimal set of common definitions; - bring the main() function and options parser in main.c - rename the main functions with an ipfw_ prefix No code changes except for the introduction of a global variable, resvd_set_number, which stores the RESVD_SET value from ip_fw.h and is used to remove the dependency of main.c from ip_fw.h (and the subtree of dependencies) for just a single constant.
* put the usage() function inline, it was only 1 line and used once;luigi2009-01-271-19/+10
| | | | | slightly reformat the help() text; slightly correct the text for the 'extraneous filename' error message;
* put all options in a single struct, and document them.luigi2009-01-271-126/+146
| | | | | This will allow us to easily restore the original values when processing commands from a file (where each individual line can have its own options).
* remove a couple of rarely used #define;luigi2009-01-271-13/+12
| | | | | change PRINT_UINT from a macro to a function (renaming is postponed to reduce clutter)
* wrap all malloc/calloc/realloc calls so they exit on failureluigi2009-01-261-23/+33
| | | | | | without having to check in each place. Remove an wrong strdup from previous commit.
* Some implementations of getopt() expect that argv[0] is always theluigi2009-01-261-27/+42
| | | | | | | | | | | | | | | | program name, and ignore that entry. ipfw2.c code instead skips this entry and starts with options at offset 0, relying on a more tolerant implementation of the library. This change fixes the issue by always passing a program name in the first entry to getopt. The motivation for this change is to remove a potential compatibility issue should we use a different getopt() implementation in the future. No functional changes. Submitted by: Marta Carbone (parts) MFC after: 4 weeks
* remove some useless #include,luigi2009-01-221-8/+2
| | | | | | document why timeconv.h is needed MFC after: 3 days
* Fix a number of (innocuous) warnings, and remove a useless test.luigi2009-01-201-18/+18
| | | | | | | | | | | | | There are still several signed/unsigned warnings left, which require a bit more study for a proper fix. This file has grown beyond reasonable limits. We really need to split it into separate components (ipv4, ipv6, dummynet, nat, table, userland-kernel communication ...) so we can make mainteinance easier. MFC after: 1 weeks
* Honor the quiet (-q) option while adding a nat rule.piso2008-12-181-4/+6
| | | | | Submitted by: Andrey V. Elsukov<bu7cher@yandex.ru> MFC after: 3 days
OpenPOWER on IntegriCloud