path: root/sbin/ipfw
Commit log (each entry ends with [author, date, files changed, lines -removed/+added])
* Bump document date. Remove EOL whitespace introduced in previous commit. Start new line at sentence break in previous commit.
  Approved by: re (implicit, fixing a commit made 5 minutes ago)
  [cperciva, 2005-07-01, 1 file, -3/+4]

* Document some limitations of uid/gid rules.
  Approved by: re (rwatson)
  MFC after: 3 days
  [cperciva, 2005-07-01, 1 file, -0/+11]

* Markup fixes.
  Approved by: re (blanket)
  [ru, 2005-06-14, 1 file, -4/+4]

* add_proto() now fills proto for us, so stop 'guessing' the protocol from the command and rather trust the value add_proto filled in. While here, fix an oversight in the pretty printing of ip6/4 options.
  [mlaier, 2005-06-07, 1 file, -5/+2]

* Better explain, then actually implement the IPFW ALTQ-rule first-match policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification.
  MFC after: 1 week
  [green, 2005-06-04, 1 file, -2/+13]

* Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well. This is the last requirement before we can retire ip6fw.
  Reviewed by: dwhite, brooks (earlier version)
  Submitted by: dwhite (manpage)
  Silence from: -ipfw
  [mlaier, 2005-06-03, 2 files, -26/+71]

* Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults, and not every protocol is IPv6.
  [mlaier, 2005-05-21, 1 file, -2/+1]

* 'ngtee' also depends on net.inet.ip.fw.one_pass.
  [glebius, 2005-05-11, 1 file, -1/+3]

* IPFW version 2 is the only option now in HEAD. Do not confuse users of future releases with instructions about building IPFW2 on RELENG_4.
  [glebius, 2005-05-04, 1 file, -45/+0]

* Fix the previous commit. I wanted to remove the if and always run the body, not remove both.
  Reported by: ceri
  Pointy hat: brooks
  [brooks, 2005-04-26, 1 file, -0/+1]

* Don't force IPv6 proto to be printed numerically.
  Noticed by: ceri
  [brooks, 2005-04-26, 1 file, -2/+0]

* Add IPv6 support to IPFW and Dummynet.
  Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
  [brooks, 2005-04-18, 2 files, -65/+820]

* Be more specific when complaining about bit masks.
  [brooks, 2005-04-05, 1 file, -2/+2]

* Bring back the full packet destination manipulation for 'ipfw fwd' with the kernel compile time option:
      options IPFIREWALL_FORWARD_EXTENDED
  This option has to be specified in addition to IPFIREWALL_FORWARD. With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break. Document the two kernel options.
  PR: kern/71910
  PR: kern/73129
  MFC after: 1 week
  [andre, 2005-02-22, 1 file, -1/+14]

* Expand *n't contractions.
  [ru, 2005-02-13, 1 file, -4/+4]

* Sort SEE ALSO.
  Submitted by: ru
  [glebius, 2005-02-07, 1 file, -1/+1]

* Document how interaction with ng_ipfw node is configured.
  [glebius, 2005-02-05, 1 file, -2/+23]

* Add a ng_ipfw node, implementing a quick and simple interface between ipfw(4) and netgraph(4) facilities.
  Reviewed by: andre, brooks, julian
  [glebius, 2005-02-05, 1 file, -0/+22]

* Don't print extra " via " if we have already printed one. While here, slightly style brackets.
  PR: misc/75297
  MFC after: 1 week
  [glebius, 2005-01-18, 1 file, -4/+6]

* Sort sections.
  [ru, 2005-01-18, 1 file, -27/+27]

* Markup nits.
  [ru, 2005-01-15, 1 file, -16/+14]

* Deprecate unmaintainable uses of strncmp to implement abbreviations. This commit replaces those with two new functions that simplify the code and produce warnings that the syntax is deprecated. A small number of sensible abbreviations may be explicitly added based on user feedback.
  There were previously three types of strncmp use in ipfw:
  - Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av to match string or any shortened form of it. I have replaced this with a new function _substrcmp(av, "string") which returns 0 if av is a substring of "string", but emits a warning if av is not exactly "string".
  - The next type was two instances of strncmp(av, "by", 2) which allowed the abbreviation of bytes to "by", "byt", etc. Unfortunately, it also supported "bykHUygh&*g&*7*ui". I added a second new function _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but complains if the user doesn't spell out the word "bytes".
  - There is also one correct use of strncmp to match "table(" which might have another token after it without a space.
  Since I changed all the lines anyway, I also fixed the treatment of strncmp's return as a boolean in many cases. I also modified a few strcmp cases as well to be fully consistent.
  [brooks, 2005-01-15, 1 file, -60/+112]

* Scheduled mdoc(7) sweep.
  [ru, 2005-01-10, 1 file, -1/+2]

* Write some bit mask limits in hex rather than decimal so they look less magic.
  [brooks, 2005-01-07, 1 file, -2/+2]

* Update the IPFW man page to reflect reality. mpsafenet=0 is no longer required when using ucred based rules.
  Pointed out by: seanc (thanks!)
  MFC after: 1 month
  [csjp, 2004-12-10, 1 file, -10/+0]

* Remove a duplicate line from an apparent merge error in rev 1.63.
  [brooks, 2004-11-25, 1 file, -1/+0]

* Be more clear that "bridged" is a synonym for "layer2".
  PR: docs/44400
  Submitted by: Constantin Stefanov <cstef at mail dot ru>
  [ceri, 2004-11-03, 1 file, -1/+2]

* Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload. Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8) man pages.
  [andre, 2004-10-22, 1 file, -4/+4]

* Add a note to the man page warning users about possible lock order reversals and system lock ups if they are using ucred based rules while running with debug.mpsafenet=1. I am working on merging a shared locking mechanism into ipfw which should take care of this problem, but it still requires a bit more testing and review.
  [csjp, 2004-10-09, 1 file, -0/+10]

* Reference altq(4) instead of pf.conf(5).
  Tip of the hat to: mlaier
  [green, 2004-10-08, 1 file, -2/+2]

* Commit forgotten documentation for "diverted" rules.
  [green, 2004-10-08, 1 file, -1/+2]

* Remove blindly-copied extra include path.
  [green, 2004-10-03, 1 file, -1/+0]

* Add support to IPFW for matching by TCP data length.
  [green, 2004-10-03, 2 files, -0/+29]

* Add the documentation for IPFW's diverted(-loopback|-output) matches.
  [green, 2004-10-03, 1 file, -0/+8]

* Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket).
  [green, 2004-10-03, 1 file, -0/+35]

* Remove accidentally-added O_DIVERTED section.
  [green, 2004-10-03, 1 file, -17/+0]

* Add to IPFW the ability to do ALTQ classification/tagging.
  [green, 2004-10-03, 3 files, -33/+258]

* Since "d" is an array of 32 bit values, it is more correct to change the cast from unsigned int to uint32_t.
  Pointed out by: luigi
  [csjp, 2004-09-21, 1 file, -1/+1]

* Prepare for 5.x soon becoming -STABLE.
  Pointed out by: -current users
  [ru, 2004-09-19, 1 file, -8/+8]

* Make 'ipfw tee' behave as intended and designed. A tee'd packet is copied and sent to the DIVERT socket while the original packet continues with the next rule. Unlike a normally diverted packet, no IP reassembly attempts are made on tee'd packets and they are passed upwards totally unmodified.
  Note: This will not be MFC'd to 4.x because of major infrastructure changes.
  PR: kern/64240 (and many others collapsed into that one)
  [andre, 2004-09-13, 1 file, -13/+2]

* Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered, making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints. The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information: the size of the instruction (in 32-bit words) in the low 6 bits of "len", with the 2 remaining bits to implement OR and NOT. The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes. This may be a MFC candidate for RELENG_5.
  Reviewed by: andre
  Approved by: luigi
  PR: kern/63961 (partially)
  [csjp, 2004-09-11, 1 file, -3/+3]

* o Initialize a local variable and make gcc happy.
  PR: bin/71485
  Submitted by: Jukka A. Ukkonen
  [maxim, 2004-09-10, 1 file, -0/+2]

* o Restore a historical ipfw1 logamount behaviour: rules with 'log' keyword but without 'logamount' limit the amount of their log messages by net.inet.ip.fw.verbose_limit sysctl value. RELENG_5 candidate.
  PR: kern/46080
  Submitted by: Dan Pelleg
  MFC after: 1 week
  [maxim, 2004-08-29, 1 file, -0/+7]

* Fix 'show' command for pipes and queues.
  PR: bin/70311
  Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
  MFC after: 3 days
  [pjd, 2004-08-23, 1 file, -1/+7]

* Remove trailing whitespace and change "prisoniD" to "prisonID".
  Pointed out by: simon
  Approved by: bmilekic (mentor)
  [csjp, 2004-08-13, 1 file, -2/+2]

* Add the ability to associate ipfw rules with a specific prison ID. Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes:
  - Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility.
  - Append the ipfw opcode list with O_JAIL.
  - While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage.
  - Add ``fw_prid'' to the ipfw ucred cache structure.
  - When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1.
  - Update man page to reflect these changes.
  This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be:
      ipfw add count ip from any to any jail 2
  It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations.
  Conceptual head nod by: pjd
  Reviewed by: rwatson
  Approved by: bmilekic (mentor)
  [csjp, 2004-08-12, 2 files, -0/+26]

* New ipfw option "antispoof": For incoming packets, the packet's source address is checked to see if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came in on is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match.
  Usage example:
      ipfw add deny ip from any to any not antispoof in
  Manpage education by: ru
  [andre, 2004-08-09, 2 files, -3/+49]

* Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well. To quote the submitter:
  The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute.
  Submitted by: James Jun <james@towardex.com>
  [andre, 2004-07-21, 1 file, -2/+2]

* Mechanically kill hard sentence breaks.
  [ru, 2004-07-02, 1 file, -38/+56]

* Fixed a bug spotted by compiling with -Wall.
  [ru, 2004-06-10, 1 file, -1/+1]