| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
PR: 31262
Submitted by: <swear@blarg.net>
|
| |
|
|
|
|
|
|
|
|
| |
addresses (and the macros that ipfw(4) use to lookup data for the 'me'
keyword have been converted) remove a comment about using 'me' being a
"computationally expensive" operation.
while I'm here, change two instances of "IP number" to "IP address"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
+ implement "limit" rules, which permit to limit the number of sessions
between certain host pairs (according to masks). These are a special
type of stateful rules, which might be of interest in some cases.
See the ipfw manpage for details.
+ merge the list pointers and ipfw rule descriptors in the kernel, so
the code is smaller, faster and more readable. This patch basically
consists in replacing "foo->rule->bar" with "rule->bar" all over
the place.
I have been willing to do this for ages!
MFC after: 1 week
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and speed. No new functionality added (yet) apart from a bugfix.
MFC will occur in due time and probably in stages.
BUGFIX: fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (there is a PR on this).
OTHER CHANGES: minor changes to the internal struct for static and dynamic rules.
Requires rebuild of ipfw binary.
Add comments to show how data structures are linked together.
(It probably makes no sense to keep the chain pointers separate
from actual rule descriptors. They will be hopefully merged soon.
keep a (sysctl-readable) counter for the number of static rules,
to speed up IP_FW_GET operations
initial support for a "grace time" for expired connections, so we
can set timeouts for closing connections to much shorter times.
merge zero_entry() and resetlog_entry(), they use basically the
same code.
clean up and reduce replication of code for removing rules,
both for readability and code size.
introduce a separate lifetime for dynamic UDP rules.
fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (PR ...)
restructure dynamic rule descriptors
introduce some local variables to avoid multiple dereferencing of
pointer chains (reduces code size and hopefully increases speed).
|
|
|
|
|
| |
Noticed by: "Marc G. Fournier" <scrappy@hub.org>
MFC after: 3 days
|
|
|
|
|
|
|
| |
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only this slows down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
|
|
|
|
|
|
|
|
|
| |
ICMP types were reported incorrectly:
# ipfw add allow icmp from any to any icmptypes 0,8
PR: bin/29185
Submitted by: Mike Durian <durian@boogie.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
information for any command line error, the actual error message
almost always (and sometimes irretrievably) lost scrolling off the top
of the screen. Now just print the error. Give ipfw(8) no arguments for
the old usage summary.
Thanks to Lyndon Nerenberg <lyndon@orthanc.ab.ca> for the patch and
PR, but I had already done this when ru pointed out the PR.
PR: bin/28729
Approved by: ru
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
'icmp' rules could drop into infinite loops when given bad arguments.
Reviewed by: ru, des
Approved by: ru
|
| |
|
|
|
|
| |
MFC after: 2 weeks
|
|
|
|
|
|
| |
checklist.
MFC after: 1 week
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
but list them if -d was specified).
Avoid listing expired dynamic rules unless the (new) -e option was specified.
If specific rule numbers were listed on the command line, and the -d flag was
specified, only list dynamic rules that match the specified rule numbers.
Try to partly clean up the bleeding mess this file has become. If there is
any justice in this world, the responsible parties (you know who you are!)
should expect to wake up one morning with a horse's head in their bed. The
code still looks like spaghetti, but at least now it's *properly intented*
spaghetti (hmm? did somebody say "tagliatelle"?).
|
|
|
|
|
|
|
|
|
|
| |
rules. Also, don't show dynamic rules if you only asked to see a
certain rule number.
PR: 18550
Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Approved by: luigi
MFC after: 2 weeks
|
| |
|
| |
|
|
|
|
| |
- MAN[1-9] -> MAN.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
dropped by rule -1 if logging is enabled.
PR: 25796
Submitted by: Crist J. Clark <cjclark@alum.mit.edu>
Approved by: nik
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
address is configured on a interface. This is useful for routers with
dynamic interfaces. It is now possible to say:
0100 allow tcp from any to any established
0200 skipto 1000 tcp from any to any
0300 allow ip from any to any
1000 allow tcp from 1.2.3.4 to me 22
1010 deny tcp from any to me 22
1020 allow tcp from any to any
and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.
The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
reserved and now allocated TCP flags in incoming packets. This patch
stops overloading those bits in the IP firewall rules, and moves
colliding flags to a seperate field, ipflg. The IPFW userland
management tool, ipfw(8), is updated to reflect this change. New TCP
flags related to ECN are now included in tcp.h for reference, although
we don't currently implement TCP+ECN.
o To use this fix without completely rebuilding, it is sufficient to copy
ip_fw.h and tcp.h into your appropriate include directory, then rebuild
the ipfw kernel module, and ipfw tool, and install both. Note that a
mismatch between module and userland tool will result in incorrect
installation of firewall rules that may have unexpected effects. This
is an MFC candidate, following shakedown. This bug does not appear
to affect ipfilter.
Reviewed by: security-officer, billf
Reported by: Aragon Gouveia <aragon@phat.za.net>
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
well, in which case return the rule number back into userland.
PR: bin/18351
Reviewed by: archie, luigi
|
| |
|
|
|
|
|
|
| |
be preprocessed if it is specified as an absolute pathname.
PR: bin/16179
|
| |
|
| |
|
|
|
|
| |
PR: 21742
|
|
|
|
| |
accept value of zero as valid for IP Identification field.
|
| |
|
|
|
|
|
|
|
| |
IP: version, tos, ttl, len, id
TCP: seq#, ack#, window size
Reviewed by: silence on freebsd-{net,ipfw}
|
|
|
|
| |
Noticed by: Peter Jeremy<peter.jeremy@alcatel.com.au>
|
| |
|
|
|
|
|
|
| |
error in the usage printf())
Reviewed by: rwatson
|
| |
|
|
|
|
|
|
|
| |
into add without problems.
The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
|
|
|
|
|
| |
ambiguous data to the userland program (kernel operation was
safe, anyways).
|
| |
|