| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
enough.
Requested by: ru
|
| |
|
|
|
|
| |
PR: docs/64534
Submitted by: Dmitry Cherkasov
MFC after: 1 week
|
| |
|
|
|
|
| |
PR: docs/50391
Submitted by: root@edcsm.jussieu.fr
MFC after: 1 week
|
| |
|
|
|
|
| |
PR: bin/61846
Submitted by: Eugene Grosbein
MFC after: 1 week
|
| | |
|
| |
|
|
|
| |
PR: bin/56328
MFC after: 3 days
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
|
| |
PR: bin/60433
Submitted: Bjoern A. Zeeb
MFC after: 3 weeks
|
| |
|
|
|
|
|
|
| |
rule, thus omitting the entire body.
This makes the output a lot more readable for complex rulesets
(provided, of course, you have annotated your ruleset appropriately!)
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
| |
code is compiled in to support the O_IPSEC operator. Previously no
support was included and ipsec rules were always matching. Note that
we do not return an error when an ipsec rule is added and the kernel
does not have IPsec support compiled in; this is done intentionally
but we may want to revisit this (document this in the man page).
PR: 58899
Submitted by: Bjoern A. Zeeb
Approved by: re (rwatson)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.
This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.
Approved By: re (in principle)
Reviewed By: njl, imp
Tested On: i386, amd64, sparc64
Obtained From: NetBSD (if_xname)
|
| |
|
|
|
|
| |
data structures that have an embedded struct route
Sponsored by: FreeBSD Foundation
|
| | |
|
| |
|
|
|
|
| |
PR: 56021
Submitted by: Glen Gibb <grg@ridley.unimelb.edu.au>
MFC after: 1 month
|
| |
|
|
|
|
|
|
| |
of do_cmd() broke things, because this function assumes that a socklen_t
is large enough to hold a pointer.
A real solution to this problem would be a rewrite of do_cmd() to
treat the optlen parameter consistently and not use it to carry
a pointer or integer dependent on the context.
|
| |
|
|
|
|
|
|
| |
PR: bin/56298
Submitted by: Kang Liu <liukang@bjpu.edu.cn>
MFC after: 2 weeks
# We need a regression test suit for ipfw(2)/ipfw(8) badly.
|
| | |
|
| |
|
|
|
|
| |
PR: bin/54649
Submitted by: Andy Gilligan <andy@evo6.org>
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.
This implement a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.
Suggested by: Paul Richards
|
| |
|
|
| |
Reported by: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
|
| |
|
|
|
|
| |
other minor whitespace changes.
Replace u_char with uint8_t in a few places.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
introduced in the latest commits).
Also:
* update the 'ipfw -h' output;
* allow rules of the form "100 add allow ..." i.e. with the index first.
(requested by Paul Richards). This was an undocumented ipfw1 behaviour,
and it is left undocumented.
and minor code cleanups.
|
| |
|
|
|
|
|
| |
of converting it with ctime(). This is a lot more convenient for
postprocessing.
Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
|
| |
|
|
|
|
|
| |
the new flags handled when reading from a file,
and clarify that only numeric values are allowed for icmptypes.
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* make the code compile with WARNS=5 (at least on i386), mostly
by adding 'const' specifier and replacing "void *" with "char *"
in places where pointer arithmetic was used.
This also spotted a few places where invalid tests (e.g. uint < 0)
were used.
* support ranges in "list" and "show" commands. Now you can say
ipfw show 100-1000 4000-8000
which is very convenient when you have large rulesets.
* implement comments in ipfw commands. These are implemented in the
kernel as O_NOP commands (which always match) whose body contains
the comment string. In userland, a comment is a C++-style comment:
ipfw add allow ip from me to any // i can talk to everybody
The choice of '//' versus '#' is somewhat arbitrary, but because
the preprocessor/readfile part of ipfw used to strip away '#',
I did not want to change this behaviour.
If a rule only contains a comment
ipfw add 1000 // this rule is just a comment
then it is stored as a 'count' rule (this is also to remind
the user that scanning through a rule is expensive).
* improve handling of flags (still to be completed).
ipfw_main() was written thinking of 'one rule per ipfw invocation',
and so flags are set and never cleared. With readfile/preprocessor
support, this changes and certain flags should be reset on each
line. For the time being, only fix handling of '-a' which
differentiates the "list" and "show" commands.
* rework the preprocessor support -- ipfw_main() already had most
of the parsing code, so i have moved in there the only missing
bit (stripping away '#' and comments) and removed the parsing
from ipfw_readfile().
Also, add some more options (such as -c, -N, -S) to the readfile
section.
MFC after: 3 days
|
| |
|
|
|
|
|
| |
PR: 51006
Submitted by: "Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua>
mdoc clue by: "Simon L. Nielsen" <simon@nitro.dk>
MFC after: 10 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
spaces and comma-separated lists of arguments;
* reword the description of address specifications, to include
previous and current changes for address sets and lists;
* document the new '-n' flag.
* update the section on differences between ipfw1 and ipfw2
(this is becoming boring!)
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Make the addr-set size optional (defaults to /24)
You can now write 1.2.3.0/24{56-80} or 1.2.3.0{56-80}
Also make the parser more strict.
* Support a new format for the list of addresses:
1.2.3.4,5.6.7.8/30,9.10.11.12/22,12.12.12.13, ...
which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK
* Allow spaces after commas to make lists of addresses more readable.
1.2.3.4, 5.6.7.8/30, 9.10.11.12/22, 12.12.12.13, ...
* ipfw will now accept full commands as a single argument and strip
extra leading/trailing whitespace as below:
ipfw "-q add allow ip from 1.2.3.4 to 5.6.7.8, 9.10.11.23 "
This should help in moving the body of ipfw into a library
that user programs can invoke.
* Cleanup some comments and data structures.
* Do not print rule counters for dynamic rules with ipfw -d list
(PR 51182)
* Improve 'ipfw -h' output (PR 46785)
* Add a '-n' flag to test the syntax of commands without actually
calling [gs]etsockopt() (PR 44238)
* Support the '-n' flag also with the preprocessors;
Manpage commit to follow.
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
| |
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.
Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week
|
| | |
|
| |
|
|
| |
has been unused and unmaintained for a long time).
|
| |
|
|
| |
was already correct).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1.2.3.4/24{5,6,7,10-20,60-90}
for set of ip addresses.
Previously you needed to specify every address in the range, which
was unconvenient and lead to very long lines.
Internally the set is still stored in the same way, just the
input and output routines are modified.
Manpage update still missing.
Perhaps a similar preprocessing step would be useful for port ranges.
MFC after: 3 days
|
| |
|
|
|
|
| |
PR: docs/53625
Submitted by: Kostyuk Oleg <cub@cub.org.ua>
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"ipid" options. This feature has been requested by several users.
On passing, fix some minor bugs in the parser. This change is fully
backward compatible so if you have an old /sbin/ipfw and a new
kernel you are not in trouble (but you need to update /sbin/ipfw
if you want to use the new features).
Document the changes in the manpage.
Now you can write things like
ipfw add skipto 1000 iplen 0-500
which some people were asking to give preferential treatment to
short packets.
The 'MFC after' is just set as a reminder, because I still need
to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately
change the size of certain kernel structures; not that it matters
a lot since ipfw2 is entirely optional and not the default...)
PR: bin/48015
MFC after: 1 week
|
| |
|
|
|
|
| |
PR: bin/51750
Submitted by: Vasil Dimov <vd@datamax.bg>
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
| |
sparc64.
PR: alpha/50658
Submitted by: rizzo
Tested on: alpha
|
| |
|
|
|
|
|
|
|
| |
comes in on is the same interface that we would route out of to get to
the packet's source address. Essentially automates an anti-spoofing
check using the information in the routing table.
Experimental. The usage and rule format for the feature may still be
subject to change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
width of fields for packets and bytes counters.
PR: bin/47196
Reviewed by: -audit
Not objected by: luigi, des
o Use %llu instead of deprecated %qu convert specification for ipfw
packets and bytes counters.
Noted by: des
MFC after: 1 month
|
| | |
|
| |
|
|
|
|
| |
PR: 47817
Submitted by: Simon L.Nielsen <simon@nitro.dk>
Reviewed by: ceri, luigi
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
default-to-deny firewall. Simply turning off IPFW via a preexisting
sysctl does the job. To make it more apparent (since nobody picked up
on this in a week's worth of flames), the boolean sysctl's have been
integrated into the /sbin/ipfw command set in an obvious and straightforward
manner. For example, you can now do 'ipfw disable firewall' or
'ipfw enable firewall'. This is far easier to remember then the
net.inet.ip.fw.enable sysctl.
Reviewed by: imp
MFC after: 3 days
|
| |
|
|
|
|
| |
Submitted by: Olivier Cherrier <Olivier.Cherrier@cediti.be>
on freebsd-net
MFC after: 3 days
|
| |
|
|
| |
especially in troff files.
|
| |
|
|
|
|
|
|
|
|
| |
after -p except for the last (the ruleset file to process) to the
preprocessor for interpretation. This allows command-line options besides
-U and -D to be passed to cpp(1) and m4(1) as well as making it easier to
use other preprocessors.
Sponsored By: NTT Multimedia Communications Labs
MFC after: 1 week
|
| |
|
|
|
| |
PR: kern/44843
Approved by: re (jhb)
|
| |
|
|
|
|
|
|
|
|
| |
prob 0.5 pipe NN ....
due to the generation of an invalid ipfw instruction sequence.
No ABI change, but you need to upgrade /sbin/ipfw to generate the
correct code.
Approved by: re
|
| |
|
|
|
|
|
|
| |
to net.inet.ip.fw.one_pass.
Add to notes to explain the exact behaviour of "prob xxx" and "log"
options.
Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c)
|
| | |
|
| |
|
|
|
|
|
| |
PR: bin/42579
Submitted by: Belousov Oleg <oleg@belousov.com>
Approved by: luigi
MFC after: 2 weeks
|
