path: root/sbin/ipfw
Commit log for sbin/ipfw, newest first (author, date, files changed, lines -/+):
* dd, 2001-10-14 (1 file, -1/+1):
  Repair typo.

  PR: 31262
  Submitted by: <swear@blarg.net>

* ru, 2001-10-01 (1 file, -56/+27):
  mdoc(7) police: fix markup.

* billf, 2001-09-29 (1 file, -3/+2):
  Now that jlemon has added a hash table to lookup locally configured IP
  addresses (and the macros that ipfw(4) use to lookup data for the 'me'
  keyword have been converted) remove a comment about using 'me' being a
  "computationally expensive" operation.

  While I'm here, change two instances of "IP number" to "IP address".
* luigi, 2001-09-27 (2 files, -36/+102):
  Two main changes here:

  + implement "limit" rules, which make it possible to limit the number of
    sessions between certain host pairs (according to masks). These are a
    special type of stateful rules, which might be of interest in some
    cases. See the ipfw manpage for details.

  + merge the list pointers and ipfw rule descriptors in the kernel, so the
    code is smaller, faster and more readable. This patch basically
    consists of replacing "foo->rule->bar" with "rule->bar" all over the
    place. I have wanted to do this for ages!

  MFC after: 1 week
* luigi, 2001-09-20 (1 file, -8/+19):
  A bunch of minor changes to the code (see below) for readability, code size
  and speed. No new functionality added (yet) apart from a bugfix.
  MFC will occur in due time and probably in stages.

  BUGFIX: fix a problem in old code which prevented reallocation of the
  hash table for dynamic rules (there is a PR on this).

  OTHER CHANGES:

  minor changes to the internal struct for static and dynamic rules.
  Requires rebuild of ipfw binary.

  Add comments to show how data structures are linked together.
  (It probably makes no sense to keep the chain pointers separate from
  actual rule descriptors. They will be hopefully merged soon.)

  keep a (sysctl-readable) counter for the number of static rules,
  to speed up IP_FW_GET operations

  initial support for a "grace time" for expired connections, so we can
  set timeouts for closing connections to much shorter times.

  merge zero_entry() and resetlog_entry(), they use basically the same code.

  clean up and reduce replication of code for removing rules, both for
  readability and code size.

  introduce a separate lifetime for dynamic UDP rules.

  fix a problem in old code which prevented reallocation of the hash table
  for dynamic rules (PR ...)

  restructure dynamic rule descriptors

  introduce some local variables to avoid multiple dereferencing of
  pointer chains (reduces code size and hopefully increases speed).
* ru, 2001-09-19 (1 file, -1/+1):
  Non-decimal "skipto" rule numbers are meaningless.

  Noticed by: "Marc G. Fournier" <scrappy@hub.org>
  MFC after: 3 days

* ru, 2001-08-07 (1 file, -22/+12):
  mdoc(7) police:

  Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain
  text. Not only does this slow down the mdoc(7) processing significantly,
  but it also has an undesired (in this case) effect of disabling
  hyphenation within the entire enclosed block.

* ru, 2001-08-06 (1 file, -1/+2):
  Fixed one more breakage introduced in 1.103 cleanup.

  ICMP types were reported incorrectly:

    # ipfw add allow icmp from any to any icmptypes 0,8

  PR: bin/29185
  Submitted by: Mike Durian <durian@boogie.com>
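The "icmptypes 0,8" rule in the entry above is stored as a set of ICMP types and has to be printed back exactly as configured, which is what the listing bug broke. The following is an added example, not ipfw's own code: a parser for the comma-separated type list into a 256-bit bitmap, a matcher for a packet's ICMP type, and a formatter that reproduces the list for display. The function names (icmp_types_parse and friends) are illustrative, and the parser rejects malformed lists (empty fields, trailing commas, types above 255), which is a choice made here rather than something the commit describes.

```c
/*
 * Added example, not ipfw's code: "icmptypes 0,8" as a bitmap, with the
 * parse -> match -> print round trip that "ipfw list" depends on.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ICMP_TYPE_MAX 256
typedef struct { uint32_t bits[ICMP_TYPE_MAX / 32]; } icmp_types_t;

/* Parse "0,8,3" into a bitmap. Returns 0 on success, -1 on a malformed
 * list: empty element, non-numeric text, or a type outside 0..255. */
int icmp_types_parse(const char *s, icmp_types_t *set)
{
    memset(set, 0, sizeof(*set));
    if (s == NULL || *s == '\0')
        return -1;
    while (*s != '\0') {
        char *end;
        errno = 0;
        long v = strtol(s, &end, 10);
        if (end == s || errno != 0 || v < 0 || v >= ICMP_TYPE_MAX)
            return -1;
        set->bits[v / 32] |= 1u << (v % 32);
        if (*end == '\0')
            break;
        if (*end != ',')
            return -1;          /* junk after a number */
        s = end + 1;
        if (*s == '\0')
            return -1;          /* trailing comma */
    }
    return 0;
}

/* 1 if the packet's ICMP type is in the rule's set, else 0. */
int icmp_types_match(const icmp_types_t *set, unsigned type)
{
    if (type >= ICMP_TYPE_MAX)
        return 0;
    return (set->bits[type / 32] >> (type % 32)) & 1u;
}

/* Render the bitmap as the comma-separated list a listing should show.
 * Returns 0, or -1 if the buffer is too small. */
int icmp_types_format(const icmp_types_t *set, char *out, size_t outlen)
{
    size_t used = 0;
    int first = 1;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (unsigned t = 0; t < ICMP_TYPE_MAX; t++) {
        if (!icmp_types_match(set, t))
            continue;
        int n = snprintf(out + used, outlen - used, "%s%u", first ? "" : ",", t);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
        first = 0;
    }
    return 0;
}

/* Parse then print: 1 iff the listed form equals `expect`. */
int icmp_types_roundtrip(const char *input, const char *expect)
{
    icmp_types_t set;
    char buf[1024];                 /* 256 entries with commas fit easily */
    if (icmp_types_parse(input, &set) != 0)
        return 0;
    if (icmp_types_format(&set, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

/* Parse `list` and test one type against it: 1 match, 0 no match,
 * -1 if the list itself is malformed. */
int icmp_types_list_matches(const char *list, unsigned type)
{
    icmp_types_t set;
    if (icmp_types_parse(list, &set) != 0)
        return -1;
    return icmp_types_match(&set, type);
}

int main(void)
{
    const char *cfg = "0,8";        /* constructed: echo reply, echo request */
    icmp_types_t set;
    char shown[1024];
    if (icmp_types_parse(cfg, &set) != 0) {
        fprintf(stderr, "bad icmptypes list: %s\n", cfg);
        return 1;
    }
    icmp_types_format(&set, shown, sizeof shown);
    printf("configured: %s  listed: %s\n", cfg, shown);
    printf("type 8 matches: %d, type 3 matches: %d\n",
           icmp_types_match(&set, 8), icmp_types_match(&set, 3));
    return 0;
}
```

The round-trip helper is the check worth keeping around: whatever the rule parser accepts, the listing code must print in a form the parser accepts again, otherwise saved rule sets silently drift.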
* obrien, 2001-08-01 (1 file, -1/+1):
  style(9)

* cjc, 2001-07-22 (1 file, -109/+114):
  Error messaging in ipfw(8) was out of hand, almost 50 lines of usage
  information for any command line error, the actual error message almost
  always (and sometimes irretrievably) lost scrolling off the top of the
  screen. Now just print the error. Give ipfw(8) no arguments for the old
  usage summary.

  Thanks to Lyndon Nerenberg <lyndon@orthanc.ab.ca> for the patch and PR,
  but I had already done this when ru pointed out the PR.

  PR: bin/28729
  Approved by: ru
  MFC after: 1 week

* ru, 2001-07-10 (1 file, -1/+1):
  mdoc(7) police: removed HISTORY info from the .Os call.

* cjc, 2001-07-10 (1 file, -5/+8):
  Fix rule parsing breakage introduced in 1.103 cleanup. 'tcp' and
  'icmp' rules could drop into infinite loops when given bad arguments.

  Reviewed by: ru, des
  Approved by: ru

* dd, 2001-07-09 (1 file, -1/+0):
  mdoc(7) police: remove extraneous .Pp before and/or after .Sh.

* kris, 2001-07-01 (1 file, -11/+11):
  Silence format string warnings.

  MFC after: 2 weeks

* chris, 2001-06-06 (1 file, -0/+3):
  Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the
  checklist.

  MFC after: 1 week
* des, 2001-06-04 (2 files, -1119/+1160):
  Invert the meaning of the -d option (i.e. default to *not* list dynamic
  rules, but list them if -d was specified).

  Avoid listing expired dynamic rules unless the (new) -e option was
  specified.

  If specific rule numbers were listed on the command line, and the -d flag
  was specified, only list dynamic rules that match the specified rule
  numbers.

  Try to partly clean up the bleeding mess this file has become. If there is
  any justice in this world, the responsible parties (you know who you are!)
  should expect to wake up one morning with a horse's head in their bed. The
  code still looks like spaghetti, but at least now it's *properly indented*
  spaghetti (hmm? did somebody say "tagliatelle"?).
* dwmalone, 2001-05-20 (2 files, -3/+10):
  Add a flag to "ipfw show" which suppresses the display of dynamic
  rules. Also, don't show dynamic rules if you only asked to see a
  certain rule number.

  PR: 18550
  Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
  Approved by: luigi
  MFC after: 2 weeks

* ru, 2001-04-13 (1 file, -3/+2):
  Update comment to match ipfw/ipfw.c,v 1.95.

* bde, 2001-04-05 (1 file, -2/+2):
  Fixed some printf format errors (don't assume that ntohl() returns u_long).

* ru, 2001-03-26 (1 file, -0/+1):
  - Backout botched attempt to introduce MANSECT feature.
  - MAN[1-9] -> MAN.

* ru, 2001-03-20 (1 file, -1/+0):
  Set the default manual section for sbin/ to 8.

* ru, 2001-03-16 (1 file, -1/+2):
  mdoc(7) police: removed hard sentence break introduced in rev 1.82.
* dd, 2001-03-16 (1 file, -1/+2):
  Explain that TCP fragments with an offset of 1 are reported as being
  dropped by rule -1 if logging is enabled.

  PR: 25796
  Submitted by: Crist J. Clark <cjclark@alum.mit.edu>
  Approved by: nik
* ru, 2001-02-22 (1 file, -1/+11):
  Document that the IPFW messages are logged via syslogd(8).

* ru, 2001-02-15 (1 file, -5/+1):
  mdoc(7) police: normalize the construct.

* sheldonh, 2001-02-14 (1 file, -1/+1):
  Fix grammar nit in previous commit.
* phk, 2001-02-13 (2 files, -40/+73):
  Introduce a new feature in IPFW: check whether the source or destination
  address is configured on an interface.

  This is useful for routers with dynamic interfaces.

  It is now possible to say:

    0100 allow tcp from any to any established
    0200 skipto 1000 tcp from any to any
    0300 allow ip from any to any
    1000 allow tcp from 1.2.3.4 to me 22
    1010 deny tcp from any to me 22
    1020 allow tcp from any to any

  and not have to worry about the behaviour if dynamic interfaces
  configure new IP numbers later on.

  The check is semi expensive (traverses the interface address list)
  so it should be protected as in the above example if high performance
  is a requirement.
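What the 'me' keyword costs, as an added example that is not ipfw's kernel code: the same test done from userland with getifaddrs(3), walking every configured IPv4 address and comparing it with the packet's source or destination address. The names addr_is_me, collect_local_ipv4 and me_check_strings are illustrative. The kernel walks its own interface address lists rather than calling getifaddrs, but the linear scan over all configured addresses is the same, which is why the entry above puts the 'me' rules behind a cheap skipto so that only the traffic that needs them pays for the walk. The matcher is kept separate from the system walk so it can be exercised on a constructed address list.

```c
/*
 * Added example, not ipfw's code: an address-is-local check of the kind
 * the 'me' keyword performs, done from userland via getifaddrs(3).
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pure matcher: is `addr` (network byte order) one of the `n` configured
 * addresses in `local`? Linear in n, like the kernel's address-list walk. */
int addr_is_me(uint32_t addr, const uint32_t *local, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (local[i] == addr)
            return 1;
    return 0;
}

/* Collect the IPv4 addresses configured on this host. Stores at most `max`
 * addresses; returns the number stored, or -1 if getifaddrs(3) fails. */
int collect_local_ipv4(uint32_t *out, size_t max)
{
    struct ifaddrs *ifap, *ifa;
    size_t n = 0;

    if (getifaddrs(&ifap) != 0)
        return -1;
    for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;
        if (n < max) {
            const struct sockaddr_in *sin =
                (const struct sockaddr_in *)ifa->ifa_addr;
            out[n++] = sin->sin_addr.s_addr;
        }
    }
    freeifaddrs(ifap);
    return (int)n;
}

/* Offline form for checks: match dotted-quad `pkt_addr` against a
 * constructed list of dotted-quad local addresses. Returns -1 on an
 * unparsable address, otherwise 0 or 1. */
int me_check_strings(const char *pkt_addr, const char *const *locals, size_t n)
{
    uint32_t local[16];
    struct in_addr a;

    if (n > sizeof local / sizeof local[0])
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (inet_pton(AF_INET, locals[i], &a) != 1)
            return -1;
        local[i] = a.s_addr;
    }
    if (inet_pton(AF_INET, pkt_addr, &a) != 1)
        return -1;
    return addr_is_me(a.s_addr, local, n);
}

int main(void)
{
    uint32_t local[64];
    int n = collect_local_ipv4(local, sizeof local / sizeof local[0]);
    if (n < 0) {
        perror("getifaddrs");
        return 1;
    }
    /* Probe the loopback address and one from TEST-NET-1 (RFC 5737),
     * which should never be configured on a real interface. */
    const char *probe[] = { "127.0.0.1", "192.0.2.1" };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, probe[i], &a) != 1)
            continue;
        printf("%-12s -> %s\n", probe[i],
               addr_is_me(a.s_addr, local, (size_t)n) ? "me" : "not me");
    }
    return 0;
}
```

The example only handles IPv4, which is what the original 'me' keyword covered; the point it makes is the scan cost, not address family support.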
* rwatson, 2001-01-09 (1 file, -3/+2):
  o IPFW incorrectly handled filtering in the presence of previously
    reserved and now allocated TCP flags in incoming packets. This patch
    stops overloading those bits in the IP firewall rules, and moves
    colliding flags to a separate field, ipflg. The IPFW userland
    management tool, ipfw(8), is updated to reflect this change. New TCP
    flags related to ECN are now included in tcp.h for reference, although
    we don't currently implement TCP+ECN.

  o To use this fix without completely rebuilding, it is sufficient to
    copy ip_fw.h and tcp.h into your appropriate include directory, then
    rebuild the ipfw kernel module, and ipfw tool, and install both. Note
    that a mismatch between module and userland tool will result in
    incorrect installation of firewall rules that may have unexpected
    effects.

  This is an MFC candidate, following shakedown.

  This bug does not appear to affect ipfilter.

  Reviewed by: security-officer, billf
  Reported by: Aragon Gouveia <aragon@phat.za.net>
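The overloading problem from the entry above in miniature, as an added example that is not ipfw's code: one flag byte that mirrors the TCP header and also carries a firewall-private "established" marker in a bit that was reserved when the code was written, beside the corrected layout that keeps the marker in a separate ipflg field. The marker's bit value (0x40, the bit RFC 3168 later assigned to ECE) and the struct shapes are assumptions made for the demonstration, not ipfw's actual layout; the TCP flag values are the standard ones, and "established" is used in ipfw's documented sense of a segment with RST or ACK set.

```c
/*
 * Added example, not ipfw's code: the hazard of keeping firewall-private
 * markers in the same byte as the TCP flags copied from the wire. The
 * marker bit (0x40) and the struct layouts are assumptions for the demo.
 */
#include <stdint.h>
#include <stdio.h>

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo (RFC 3168); reserved before ECN */
#define TH_CWR  0x80   /* Congestion Window Reduced (RFC 3168); reserved before ECN */

/* ipfw's "established" keyword: TCP segments with RST or ACK set. */
static int segment_is_established(uint8_t th_flags)
{
    return (th_flags & (TH_RST | TH_ACK)) != 0;
}

/* Old shape (hypothetical): a single byte holds the wire flags and, in the
 * then-reserved 0x40 bit, the private "established" marker. */
#define OLD_FW_ESTAB 0x40
struct old_state { uint8_t flags; };

void old_build(struct old_state *s, uint8_t th_flags)
{
    s->flags = th_flags;
    if (segment_is_established(th_flags))
        s->flags |= OLD_FW_ESTAB;
}

/* The marker test cannot tell its own bit from an ECE bit set on the wire. */
int old_established(const struct old_state *s)
{
    return (s->flags & OLD_FW_ESTAB) != 0;
}

/* Fixed shape: wire flags stay pure; private markers live in ipflg. */
#define NEW_FW_ESTAB 0x01
struct new_state { uint8_t th_flags; uint8_t ipflg; };

void new_build(struct new_state *s, uint8_t th_flags)
{
    s->th_flags = th_flags;
    s->ipflg = segment_is_established(th_flags) ? NEW_FW_ESTAB : 0;
}

int new_established(const struct new_state *s)
{
    return (s->ipflg & NEW_FW_ESTAB) != 0;
}

/* Verdict of an "allow tcp from any to any established" rule for a segment
 * with the given flags under each scheme: 1 = the rule matches. */
int old_rule_established_matches(uint8_t th_flags)
{
    struct old_state s;
    old_build(&s, th_flags);
    return old_established(&s);
}

int new_rule_established_matches(uint8_t th_flags)
{
    struct new_state s;
    new_build(&s, th_flags);
    return new_established(&s);
}

int main(void)
{
    /* Constructed segments: a plain SYN, an ECN-setup SYN (SYN+ECE+CWR,
     * the first packet of a connection), and an ACK of an open session. */
    struct { const char *name; uint8_t flags; } seg[] = {
        { "SYN",         TH_SYN },
        { "SYN+ECE+CWR", TH_SYN | TH_ECE | TH_CWR },
        { "ACK",         TH_ACK },
    };
    for (size_t i = 0; i < sizeof seg / sizeof seg[0]; i++)
        printf("%-12s old scheme: %d   new scheme: %d\n", seg[i].name,
               old_rule_established_matches(seg[i].flags),
               new_rule_established_matches(seg[i].flags));
    return 0;
}
```

Under the old scheme the ECN-setup SYN, which opens a connection, is accepted by an "established" rule; under the fixed scheme the wire byte is only ever compared with wire values. The same reasoning applies to the note in the entry about module and userland having to agree: once the field layout changes, a tool built against the old header writes markers into bits the kernel now reads as TCP flags.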
* ru, 2000-12-27 (1 file, -4/+1):
  Prepare for mdoc(7)NG.

* ru, 2000-12-18 (1 file, -4/+4):
  Prepare for mdoc(7)NG.

* ru, 2000-11-22 (1 file, -1/+2):
  mdoc(7) police: do not split author names in the AUTHORS section.

* ru, 2000-11-20 (1 file, -11/+11):
  mdoc(7) police: use the new features of the Nm macro.

* ben, 2000-11-15 (1 file, -1/+1):
  more removal of trailing periods from SEE ALSO.

* ru, 2000-10-30 (1 file, -3/+6):
  IPFW does not discard *any* IP fragments with OFF=1, only TCP ones.
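The entry just above and the dd entry of 2001-03-16 (TCP fragments with an offset of 1 are logged as dropped by rule -1) describe the same check. As an added example that is not ipfw's code, the following decodes the fragment offset and protocol from a raw IPv4 header and returns that verdict. A TCP fragment at offset 1 starts 8 bytes into the segment, so on reassembly it would overwrite the TCP header from byte 8 onward, including the flags byte, which is the RFC 1858 tiny-fragment attack; that is why such fragments are dropped regardless of the rule set, while a UDP fragment at the same offset is left to the ordinary rules. The header builder, the documentation-range addresses and the function names are constructed for the demonstration.

```c
/*
 * Added example, not ipfw's code: recognise the TCP fragment at offset 1
 * that the firewall drops unconditionally and logs as rule -1.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_TCP_NUM 6
#define IPPROTO_UDP_NUM 17
#define IP_OFFMASK_BITS 0x1fff      /* fragment offset, in 8-byte units */
#define IP_MF_BIT       0x2000      /* more fragments follow */

enum frag_verdict {
    FRAG_HDR_INVALID       = -1,    /* not a usable IPv4 header */
    FRAG_PASS_TO_RULES     = 0,     /* let the configured rules decide */
    FRAG_DROP_RULE_MINUS_1 = 1      /* dropped before any rule is consulted */
};

/* Decode protocol, fragment offset and MF flag from a raw IPv4 header.
 * Returns 0, or -1 if the buffer is too short or not IPv4. */
int ipv4_frag_info(const uint8_t *pkt, size_t len,
                   uint8_t *proto, unsigned *off, int *more_frags)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    uint16_t fo = (uint16_t)((pkt[6] << 8) | pkt[7]);
    *off = fo & IP_OFFMASK_BITS;
    *more_frags = (fo & IP_MF_BIT) != 0;
    *proto = pkt[9];
    return 0;
}

/* The check itself: only TCP, only offset 1. Offset 0 is the first
 * fragment (full header present); offsets >= 2 cannot reach the flags. */
int tiny_tcp_fragment_verdict(const uint8_t *pkt, size_t len)
{
    uint8_t proto;
    unsigned off;
    int mf;
    if (ipv4_frag_info(pkt, len, &proto, &off, &mf) != 0)
        return FRAG_HDR_INVALID;
    if (proto == IPPROTO_TCP_NUM && off == 1)
        return FRAG_DROP_RULE_MINUS_1;
    return FRAG_PASS_TO_RULES;
}

/* Constructed 20-byte IPv4 header for the checks below. Addresses are from
 * the RFC 5737 documentation ranges; checksum is left zero. */
size_t build_ipv4_header(uint8_t *buf, size_t buflen,
                         uint8_t proto, unsigned off, int more_frags)
{
    if (buflen < 20)
        return 0;
    memset(buf, 0, 20);
    buf[0] = 0x45;                              /* version 4, IHL 5 */
    buf[3] = 20 + 8;                            /* total length: header + 8 bytes */
    uint16_t fo = (uint16_t)((off & IP_OFFMASK_BITS) | (more_frags ? IP_MF_BIT : 0));
    buf[6] = (uint8_t)(fo >> 8);
    buf[7] = (uint8_t)(fo & 0xff);
    buf[8] = 64;                                /* TTL */
    buf[9] = proto;
    buf[12] = 192; buf[13] = 0;  buf[14] = 2;   buf[15] = 1;   /* 192.0.2.1 */
    buf[16] = 198; buf[17] = 51; buf[18] = 100; buf[19] = 2;   /* 198.51.100.2 */
    return 20;
}

/* Build and judge in one step. */
int verdict_for(uint8_t proto, unsigned off, int more_frags)
{
    uint8_t hdr[20];
    size_t n = build_ipv4_header(hdr, sizeof hdr, proto, off, more_frags);
    return tiny_tcp_fragment_verdict(hdr, n);
}

int main(void)
{
    struct { const char *what; uint8_t proto; unsigned off; int mf; } c[] = {
        { "TCP, unfragmented",        IPPROTO_TCP_NUM, 0, 0 },
        { "TCP, first fragment",      IPPROTO_TCP_NUM, 0, 1 },
        { "TCP, fragment offset 1",   IPPROTO_TCP_NUM, 1, 1 },
        { "TCP, fragment offset 2",   IPPROTO_TCP_NUM, 2, 1 },
        { "UDP, fragment offset 1",   IPPROTO_UDP_NUM, 1, 1 },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-26s -> %s\n", c[i].what,
               verdict_for(c[i].proto, c[i].off, c[i].mf) == FRAG_DROP_RULE_MINUS_1
                   ? "drop (logged as rule -1)" : "continue to rules");
    return 0;
}
```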
* ru, 2000-10-12 (1 file, -3/+3):
  Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
  well, in which case return the rule number back into userland.

  PR: bin/18351
  Reviewed by: archie, luigi

* ru, 2000-10-11 (1 file, -12/+14):
  Reset globals for every new command read from preprocessed file.

* ru, 2000-10-11 (2 files, -5/+7):
  Only interpret the last command line argument as a file to
  be preprocessed if it is specified as an absolute pathname.

  PR: bin/16179

* ru, 2000-10-06 (1 file, -3/+3):
  Convert this Makefile to the usual style.

* ru, 2000-10-06 (2 files, -32/+91):
  Document the latest firewall knobs.

* ru, 2000-10-04 (1 file, -15/+22):
  Respect the protocol when looking the port up by service name.

  PR: 21742

* ru, 2000-10-03 (1 file, -9/+11):
  Do not force the argument to the "ipid" modifier to be in hex, and
  accept a value of zero as valid for the IP Identification field.
* ru, 2000-10-03 (1 file, -1/+1):
  Fixed the printing of TCP flags.

* billf, 2000-10-02 (1 file, -6/+169):
  Add new fields for more granularity:

  IP: version, tos, ttl, len, id
  TCP: seq#, ack#, window size

  Reviewed by: silence on freebsd-{net,ipfw}

* ru, 2000-09-29 (1 file, -3/+5):
  Document that net.inet.ip.fw.one_pass only affects dummynet(4).

  Noticed by: Peter Jeremy <peter.jeremy@alcatel.com.au>

* imp, 2000-08-16 (1 file, -1/+0):
  optreset is declared in unistd.h now.

* billf, 2000-07-17 (1 file, -1/+1):
  Fix a paste-o in the tcpoptions check (not a security problem, just an
  error in the usage printf()).

  Reviewed by: rwatson

* kris, 2000-07-10 (1 file, -1/+1):
  Don't call sprintf() with no format string.

* billf, 2000-06-18 (1 file, -5/+6):
  Reorder the "prob" section in the output of list/show so it can be
  copy/pasted into add without problems. The previous commit had the other
  half of this original patch which handled tcpflags/tcpflgs confusion in
  output/input.

* luigi, 2000-06-14 (1 file, -6/+6):
  Fix behaviour of "ipfw pipe show" -- previous code gave
  ambiguous data to the userland program (kernel operation was safe,
  anyways).

* ru, 2000-06-12 (1 file, -35/+81):
  Fixed style bugs of rev 1.66.