path: root/sbin/ipfw
Commit message | Author | Age | Files | Lines (-/+)
* Remove trailing whitespace per mdoc lint warning
  Author: eadler | Age: 2012-03-29 | Files: 1 | Lines: -51/+51

  Discussed with: gavin
  No objection from: doc
  Approved by: joel
  MFC after: 3 days

* - Permit number of ipfw tables to be changed in runtime.
  Author: melifaro | Age: 2012-03-25 | Files: 2 | Lines: -10/+4

  net.inet.ip.fw.tables_max is now read-write.
  - Bump IPFW_TABLES_MAX to 65535
    Default number of tables is still 128
  - Remove IPFW_TABLES_MAX from ipfw(8) code.

  Sponsored by Yandex LLC
  Approved by: kib(mentor)
  MFC after: 2 weeks

* Remove superfluous paragraph macro.
  Author: joel | Age: 2012-03-25 | Files: 1 | Lines: -11/+0
* - Add ipfw eXtended tables permitting radix to be used for any kind of keys.
  Author: melifaro | Age: 2012-03-12 | Files: 2 | Lines: -80/+232

  - Add support for IPv6 and interface extended tables
  - Make number of tables to be loader tunable in range 0..65534.
  - Use IP_FW3 opcode for all new extended table cmds

  No ABI changes are introduced. Old userland will see valid tables for
  IPv4 tables and no entries otherwise. Flush works for any table.

  IP_FW3 socket option is used to encapsulate all new opcodes:

      /* IP_FW3 header/opcodes */
      typedef struct _ip_fw3_opheader {
              uint16_t opcode;        /* Operation opcode */
              uint16_t reserved[3];   /* Align to 64-bit boundary */
      } ip_fw3_opheader;

  New opcodes added:
  IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

  ipfw(8) table argument parsing behavior is changed:
  'ipfw table 999 add host' now assumes 'host' to be interface name
  instead of hostname.

  New tunable:
  net.inet.ip.fw.tables_max controls number of tables supported by ipfw
  in given VNET instance. 128 is still the default value.

  New syntax:
  ipfw add skipto tablearg ip from any to any via table(42) in
  ipfw add skipto tablearg ip from any to any via table(4242) out

  This is a bit hackish, special interface name '\1' is used to
  signal interface table number is passed in p.glob field.

  Sponsored by Yandex LLC
  Reviewed by: ae
  Approved by: ae (mentor)
  MFC after: 4 weeks

* remove some write-only variables.
  Author: luigi | Age: 2012-03-01 | Files: 1 | Lines: -7/+2

  There is another block of code that is now useless as the computation
  is done in the kernel.
* Correct capitalization of "Hz" in user-visible text (manpages, printf(), etc).
  Author: gavin | Age: 2012-02-28 | Files: 1 | Lines: -1/+1

  MFC after: 3 days

* Bump .Dd for r231076.
  Author: glebius | Age: 2012-02-06 | Files: 1 | Lines: -1/+1

  Submitted by: bz

* Make the 'tcpwin' option of ipfw(8) accept ranges and lists.
  Author: glebius | Age: 2012-02-06 | Files: 2 | Lines: -7/+18

  Submitted by: sem

* Spelling fixes for sbin/
  Author: uqs | Age: 2012-01-07 | Files: 2 | Lines: -5/+5
* Replace index() and rindex() calls with strchr() and strrchr().
  Author: ed | Age: 2012-01-03 | Files: 1 | Lines: -5/+5

  The index() and rindex() functions were marked LEGACY in the 2001
  revision of POSIX and were subsequently removed from the 2008 revision.

  The strchr() and strrchr() functions are part of the C standard.

  This makes the source code a lot more consistent, as most of these C
  files also call into other str*() routines. In fact, about a dozen
  already perform strchr() calls.

* - Add fallthrough comment
  Author: eadler | Age: 2011-12-24 | Files: 1 | Lines: -0/+1

  Approved by: pluknet
  Found with: Coverity Prevent(tm)
  CID: 10125

* Fix parsing of redirect_addr argument.
  Author: glebius | Age: 2011-11-23 | Files: 1 | Lines: -1/+2

  PR: kern/162739
  MFC after: 3 days

* - fix duplicate "a a" in some comments
  Author: eadler | Age: 2011-11-13 | Files: 1 | Lines: -1/+1

  Submitted by: eadler
  Approved by: simon
  MFC after: 3 days

* Note that NAT instance argument can be tablearg.
  Author: glebius | Age: 2011-11-10 | Files: 1 | Lines: -2/+2

  PR: misc/162265
  Submitted by: Paul Procacci <pprocacci gmail.com>
* Add support for IPv6 to ipfw fwd:
  Author: bz | Age: 2011-08-20 | Files: 2 | Lines: -22/+90

  Distinguish IPv4 and IPv6 addresses and optional port numbers in user
  space to set the option for the correct protocol family.
  Add support in the kernel for carrying the new IPv6 destination address
  and port.
  Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change the
  address in the IP header.
  Add support for IPv6 forwarding to a non-local destination.
  Add a regression test utilizing VIMAGE to check all 20 possible
  combinations I could think of.

  Obtained from: David Dolson at Sandvine Incorporated
                 (original version for ipfw fwd IPv6 support)
  Sponsored by: Sandvine Incorporated
  PR: bin/117214
  MFC after: 4 weeks
  Approved by: re (kib)

* Fix a regression where a rule containing a source port option after a
  destination IP would incorrectly display the source port as a destination port.
  Author: jhb | Age: 2011-08-17 | Files: 1 | Lines: -0/+2

  Reviewed by: luigi
  Approved by: re (kib)
  MFC after: 1 week
* Add new rule actions "call" and "return" to ipfw. They make it
  possible to organize subroutines with rules.
  Author: ae | Age: 2011-06-29 | Files: 3 | Lines: -1/+106

  The "call" action saves the current rule number in the internal stack
  and rules processing continues from the first rule with specified
  number (similar to skipto action). If later a rule with "return" action
  is encountered, the processing returns to the first rule with number of
  "call" rule saved in the stack plus one or higher.

  Submitted by: Vadim Goncharov
  Discussed by: ipfw@, luigi@

* Improve error reporting. Use corresponding error message when file to be
  preprocessed is missing. Also suggest to use absolute pathname if -p
  option is specified.
  Author: ae | Age: 2011-06-29 | Files: 1 | Lines: -4/+11

  PR: bin/156653
  MFC after: 2 weeks

* Actually, if code had followed style(9), there would be less stupid errors
  like the one fixed in r223416.
  Author: glebius | Age: 2011-06-24 | Files: 1 | Lines: -15/+30

  Noticed by: julian

* One more braino from me.
  Author: glebius | Age: 2011-06-22 | Files: 1 | Lines: -3/+6

  Pointy hat to: glebius
  Submitted by: Alexander V. Chernikov <melifaro ipfw.ru>

* Fix clang warnings.
  Author: benl | Age: 2011-06-18 | Files: 1 | Lines: -1/+2

  Approved by: philip (mentor)
* - Fix my braino in the 220835, when I used strtok(). It isn't
    applicable here, since it modifies the string. Switch to strchr().
  Author: glebius | Age: 2011-06-17 | Files: 1 | Lines: -14/+32

  - Restore support for undocumented optional parameters of redir_port
    and redir_proto, that were disabled in 220835.
  - While here, change !isalpha() checks on optional parameters for isdigit().

  Submitted by: Alexander V. Chernikov <melifaro ipfw.ru>
  PR: kern/143653

* Implement "global" mode for ipfw nat. It is similar to natd(8)
  "globalport" option for multiple NAT instances.
  Author: ae | Age: 2011-06-14 | Files: 4 | Lines: -7/+45

  If ipfw rule contains "global" keyword instead of nat_number, then for
  each outgoing packet ipfw_nat looks up translation state in all
  configured nat instances. If an entry is found, packet is aliased
  according to that entry, otherwise packet is passed unchanged.

  User can specify "skip_global" option in NAT configuration to exclude
  an instance from the lookup in global mode.

  PR: kern/157867
  Submitted by: Alexander V. Chernikov (previous version)
  Tested by: Eugene Grosbein

* Check nat id a bit more strictly.
  Author: ae | Age: 2011-06-14 | Files: 1 | Lines: -6/+7

* Initialize co.use_set variable before parsing each new rule.
  Author: ae | Age: 2011-06-06 | Files: 1 | Lines: -0/+1

  PR: bin/134975
  MFC after: 2 weeks

* Increase buffer size for the command line.
  Author: ae | Age: 2011-06-06 | Files: 1 | Lines: -2/+2

  PR: bin/125370
  Submitted by: sem
  MFC after: 2 weeks

* Add tablearg support for ipfw setfib.
  Author: ae | Age: 2011-05-30 | Files: 2 | Lines: -11/+19

  PR: kern/156410
  MFC after: 2 weeks
* mdoc:
  Author: pluknet | Age: 2011-05-17 | Files: 1 | Lines: -2/+2

  - use a proper macro for interface name ipfw0.
  - add missing section number for bpf cross reference.

* Rewrite NAT configuration parser, so that memory allocation size is
  calculated dynamically.
  Author: glebius | Age: 2011-04-19 | Files: 1 | Lines: -186/+189

  PR: kern/143653

* More whitespace fixes.
  Author: glebius | Age: 2011-04-18 | Files: 4 | Lines: -41/+41

  Checked with: md5, diff -x -w

* Whitespace fixes.
  Author: glebius | Age: 2011-04-18 | Files: 6 | Lines: -268/+266

  Checked with: md5, diff -w
* The first customer of the SO_USER_COOKIE option:
  Author: luigi | Age: 2010-11-12 | Files: 3 | Lines: -0/+19

  the "sockarg" ipfw option matches packets associated to a local socket
  and with a non-zero so_user_cookie value. The value is made available
  as tablearg, so it can be used as a skipto target or pipe number in
  ipfw/dummynet rules.

  Code by Paul Joe, manpage by me.

  Submitted by: Paul Joe
  MFC after: 1 week

* mdoc: make pages render with mandoc
  Author: uqs | Age: 2010-10-21 | Files: 1 | Lines: -2/+1

  It's a bit more pedantic regarding .Bl list elements. This has an added
  benefit of unbreaking the ipfw(8) manpage, where groff was silently
  skipping one list element.

* document logging through bpf
  Author: luigi | Age: 2010-10-13 | Files: 1 | Lines: -13/+18

* mdoc: drop redundant .Pp and .LP calls
  Author: uqs | Age: 2010-10-08 | Files: 1 | Lines: -2/+0

  They have no effect when coming in pairs, or before .Bl/.Bd

* Fix incorrect usage of 'assure' and 'insure'.
  Author: brucec | Age: 2010-08-28 | Files: 1 | Lines: -1/+1

  Approved by: rrs (mentor)

* expand_number(3) takes a uint64_t * now.
  Author: des | Age: 2010-08-19 | Files: 1 | Lines: -1/+1

  MFC after: 3 weeks

* Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while
  translating these manual pages. Minor corrections by me.
  Author: joel | Age: 2010-08-16 | Files: 1 | Lines: -2/+2

  Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>
* Document that the "ngtee" action no longer accepts packet, and
  thus doesn't depend on one_pass flag anymore.
  Author: glebius | Age: 2010-07-27 | Files: 1 | Lines: -4/+2

  This is a POLA violation, but it is quite difficult to restore the old
  behavior with new code. Also, the new behavior matches behavior of the
  older "tee" action, and this is more intuitive.

* better printing of headers when listing flows
  Author: luigi | Age: 2010-07-15 | Files: 1 | Lines: -8/+18

* fix 64-bit build
  Author: luigi | Age: 2010-04-19 | Files: 1 | Lines: -2/+4

  Reported by: Robert Noland

* Slightly different handling of printf/snprintf for unaligned uint64_t,
  which should improve readability, and also to ease the port to
  platforms that do not support %llu
  Author: luigi | Age: 2010-04-19 | Files: 3 | Lines: -36/+40

  MFC after: 3 days

* fix a buffer overflow with large (100k+) number of input lines.
  Author: luigi | Age: 2010-04-12 | Files: 1 | Lines: -2/+2

  MFC after: 3 days

* Set net.inet6.ip6.fw.enable as well.
  Author: ume | Age: 2010-04-06 | Files: 1 | Lines: -0/+2

* fix another bug in "ipfw set N ..."
  Author: luigi | Age: 2010-03-24 | Files: 1 | Lines: -1/+1

  Submitted by: Marcin Wisnicki
* Tweak language to make one point potentially clearer for non-native speakers
  Author: gavin | Age: 2010-03-20 | Files: 1 | Lines: -2/+2

  PR: bin/121424
  Submitted by: "Julian H. Stacey" <jhs berklix.org>

* accept lower case m as a synonym for Mega (bit/s or bytes/s).
  Author: luigi | Age: 2010-03-15 | Files: 1 | Lines: -1/+1

* print correctly commands of the form
  Author: luigi | Age: 2010-03-15 | Files: 1 | Lines: -8/+17

      ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 }

  (note that the above example could be better written as

      ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8
  )

  Submitted by: Riccardo Panicucci
* + implement (two lines) the kernel side of 'lookup dscp N' to use the
    dscp as a search key in table lookups;
  Author: luigi | Age: 2010-03-15 | Files: 1 | Lines: -4/+13

  + (re)implement a sysctl variable to control the expire frequency of
    pipes and queues when they become empty;
  + add 'queue number' as optional part of the flow_id. This can be
    enabled with the command

        queue X config mask queue ...

    and makes it possible to support priority-based schedulers, where
    packets should be grouped according to the priority and not some
    fields in the 5-tuple.

    This is implemented as follows:
    - redefine a field in the ipfw_flow_id (in sys/netinet/ip_fw.h)
      but without changing the size or shape of the structure, so
      there are no ABI changes. On passing, also document how other
      fields are used, and remove some useless assignments in ip_fw2.c
    - implement small changes in the userland code to set/read the field;
    - revise the functions in ip_dummynet.c to manipulate masks so
      they also handle the additional field;

  There are no ABI changes in this commit.

* Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits
  of ip->ip_tos) in a table.
  Author: luigi | Age: 2010-03-15 | Files: 2 | Lines: -2/+4

  This can be useful to direct traffic to different pipes/queues
  according to the DSCP of the packet, as follows:

      ipfw add 100 queue tablearg lookup dscp 3   // table 3 maps dscp->queue

  This change is a no-op (but harmless) until the two-line kernel side
  is committed, which will happen shortly.