path: root/sbin/ipfw

Commit log (most recent first). Each entry: date, author (files changed, lines -removed/+added), then the commit message.
* 2006-02-03 ru (1 file, -1/+1): Fix a markup glitch.

* 2006-01-13 glebius (1 file, -139/+6): Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore.

* 2006-01-13 glebius (1 file, -1/+31): Document 'tablearg' keyword.
  Wording by: emaste

* 2005-12-13 ru (1 file, -1/+1): [mdoc] add missing space before a punctuation type argument.
* 2005-12-13 glebius (1 file, -46/+44): Add a new feature for optimizing ipfw rulesets - substitution of the action argument with the value obtained from table lookup. The feature is now applicable only to "pipe", "queue", "divert", "tee", "netgraph" and "ngtee" rules.

  An example usage:

    ipfw pipe 1000 config bw 1000Kbyte/s
    ipfw pipe 4000 config bw 4000Kbyte/s
    ipfw table 1 add x.x.x.x 1000
    ipfw table 1 add x.x.x.y 4000
    ipfw pipe tablearg ip from table(1) to any

  In the example above the rule will throw different packets to different pipes.

  TODO:
  - Support "skipto" action, but without searching all rules.
  - Improve parser, so that it warns about bad rules. These are:
    - "tablearg" argument to action, but no "table" in the rule. All traffic will be blocked.
    - "tablearg" argument to action, but "table" searches for entry with a specific value. All traffic will be blocked.
    - "tablearg" argument to action, and two "table" lookups - for src and for dst. The last lookup will match.
* 2005-12-09 glebius (1 file, -3/+0): Cleanup _FreeBSD_version.
* 2005-11-29 ume (2 files, -16/+62): We couldn't specify the rule for filtering tunnel traffic since IPv6 support was committed:
  - Stop treating `ip' and `ipv6' as special in `proto' option as they conflict with /etc/protocols.
  - Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.
  - When protocol is specified as numeric, treat it as it is even if it is 41 (ipv6).
  - Allow zero for protocol as it is the valid number of `ip'.

  Still, we cannot specify an IPv6 over an IPv4 tunnel like before such as:

    pass ipv6 from any to any

  But, now, you can specify it like:

    pass ip4 from any to any proto ipv6

  PR: kern/89472
  Reported by: Gaël Roualland <gael.roualland__at__dial.oleane.com>
  MFC after: 1 week
* 2005-11-29 glebius (1 file, -2/+2): Catch up with ip_dummynet.h rev. 1.38 and fix build.

* 2005-11-29 glebius (1 file, -1/+1): Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(), thus removing a few XXXes. Document the ABI breakage in UPDATING.

* 2005-11-18 ru (1 file, -3/+4): -mdoc sweep.
* 2005-10-23 csjp (1 file, -0/+10): Restore the documentation about uid, gid or prison based rules requiring that debug.mpsafenet be set to 0. It is still possible for deadlocks to occur while these filtering options are used due to the layering violation inherent in their implementation.
  Discussed: -current, rwatson, glebius
* 2005-09-28 mlaier (1 file, -4/+4): Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.
  Reminded by: ru

* 2005-08-13 bz (2 files, -3/+89):
  * Add dynamic sysctl for net.inet6.ip6.fw.
  * Correct handling of IPv6 Extension Headers.
  * Add unreach6 code.
  * Add logging for IPv6.
  Submitted by: sysctl handling derived from patch from ume needed for ip6fw
  Obtained from: is_icmp6_query and send_reject6 derived from similar functions of netinet6,ip6fw
  Reviewed by: ume, gnn; silence on ipfw@
  Test setup provided by: CK Software GmbH
  MFC after: 6 days

* 2005-07-01 cperciva (1 file, -3/+4): Bump document date. Remove EOL whitespace introduced in previous commit. Start new line at sentence break in previous commit.
  Approved by: re (implicit, fixing a commit made 5 minutes ago)

* 2005-07-01 cperciva (1 file, -0/+11): Document some limitations of uid/gid rules.
  Approved by: re (rwatson)
  MFC after: 3 days

* 2005-06-14 ru (1 file, -4/+4): Markup fixes.
  Approved by: re (blanket)
* 2005-06-07 mlaier (1 file, -5/+2): add_proto() now fills proto for us, so stop 'guessing' the protocol from the command and rather trust the value add_proto filled in. While here, fix an oversight in the pretty printing of ip6/4 options.
* 2005-06-04 green (1 file, -2/+13): Better explain, then actually implement the IPFW ALTQ-rule first-match policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification.
  MFC after: 1 week

* 2005-06-03 mlaier (2 files, -26/+71): Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well. This is the last requirement before we can retire ip6fw.
  Reviewed by: dwhite, brooks (earlier version)
  Submitted by: dwhite (manpage)
  Silence from: -ipfw

* 2005-05-21 mlaier (1 file, -2/+1): Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults and not every protocol is IPv6.

* 2005-05-11 glebius (1 file, -1/+3): 'ngtee' also depends on net.inet.ip.fw.one_pass.

* 2005-05-04 glebius (1 file, -45/+0): IPFW version 2 is the only option now in HEAD. Do not confuse users of future releases with instructions about building IPFW2 on RELENG_4.
* 2005-04-26 brooks (1 file, -0/+1): Fix the previous commit. I wanted to remove the if and always run the body, not remove both.
  Reported by: ceri
  Pointy hat: brooks

* 2005-04-26 brooks (1 file, -2/+0): Don't force IPv6 proto to be printed numerically.
  Noticed by: ceri
* 2005-04-18 brooks (2 files, -65/+820): Add IPv6 support to IPFW and Dummynet.
  Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)

* 2005-04-05 brooks (1 file, -2/+2): Be more specific when complaining about bit masks.
* 2005-02-22 andre (1 file, -1/+14): Bring back the full packet destination manipulation for 'ipfw fwd' with the kernel compile time option:

    options IPFIREWALL_FORWARD_EXTENDED

  This option has to be specified in addition to IPFIREWALL_FORWARD. With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break.

  Document the two kernel options.

  PR: kern/71910
  PR: kern/73129
  MFC after: 1 week
* 2005-02-13 ru (1 file, -4/+4): Expand *n't contractions.

* 2005-02-07 glebius (1 file, -1/+1): Sort SEE ALSO.
  Submitted by: ru

* 2005-02-05 glebius (1 file, -2/+23): Document how interaction with ng_ipfw node is configured.

* 2005-02-05 glebius (1 file, -0/+22): Add a ng_ipfw node, implementing a quick and simple interface between ipfw(4) and netgraph(4) facilities.
  Reviewed by: andre, brooks, julian

* 2005-01-18 glebius (1 file, -4/+6): Don't print extra " via ", if we have already printed one. While here, slightly style brackets.
  PR: misc/75297
  MFC after: 1 week

* 2005-01-18 ru (1 file, -27/+27): Sort sections.

* 2005-01-15 ru (1 file, -16/+14): Markup nits.

* 2005-01-15 brooks (1 file, -60/+112): Deprecate unmaintainable uses of strncmp to implement abbreviations. This commit replaces those with two new functions that simplify the code and produce warnings that the syntax is deprecated. A small number of sensible abbreviations may be explicitly added based on user feedback.

  There were previously three types of strncmp use in ipfw:
  - Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av to match string or any shortened form of it. I have replaced this with a new function _substrcmp(av, "string") which returns 0 if av is a substring of "string", but emits a warning if av is not exactly "string".
  - The next type was two instances of strncmp(av, "by", 2) which allowed the abbreviation of bytes to "by", "byt", etc. Unfortunately, it also supported "bykHUygh&*g&*7*ui". I added a second new function _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but complains if the user doesn't spell out the word "bytes".
  - There is also one correct use of strncmp to match "table(" which might have another token after it without a space.

  Since I changed all the lines anyway, I also fixed the treatment of strncmp's return as a boolean in many cases. I also modified a few strcmp cases as well to be fully consistent.

* 2005-01-10 ru (1 file, -1/+2): Scheduled mdoc(7) sweep.

* 2005-01-07 brooks (1 file, -2/+2): Write some bit mask limits in hex rather than decimal so they look less magic.

* 2004-12-10 csjp (1 file, -10/+0): Update the IPFW man page to reflect reality. mpsafenet=0 is no longer required when using ucred based rules.
  Pointed out by: seanc (thanks!)
  MFC after: 1 month

* 2004-11-25 brooks (1 file, -1/+0): Remove a duplicate line from an apparent merge error in rev 1.63.

* 2004-11-03 ceri (1 file, -1/+2): Be more clear that "bridged" is a synonym for "layer2".
  PR: docs/44400
  Submitted by: Constantin Stefanov <cstef at mail dot ru>

* 2004-10-22 andre (1 file, -4/+4): Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload. Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8) man pages.
* 2004-10-09 csjp (1 file, -0/+10): Add a note to the man page warning users about possible lock order reversals and system lockups if they are using ucred based rules while running with debug.mpsafenet=1. I am working on merging a shared locking mechanism into ipfw which should take care of this problem, but it still requires a bit more testing and review.
* 2004-10-08 green (1 file, -2/+2): Reference altq(4) instead of pf.conf(5).
  Tip of the hat to: mlaier

* 2004-10-08 green (1 file, -1/+2): Commit forgotten documentation for "diverted" rules.

* 2004-10-03 green (1 file, -1/+0): Remove blindly-copied extra include path.

* 2004-10-03 green (2 files, -0/+29): Add support to IPFW for matching by TCP data length.

* 2004-10-03 green (1 file, -0/+8): Add the documentation for IPFW's diverted(-loopback|-output) matches.

* 2004-10-03 green (1 file, -0/+35): Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket).

* 2004-10-03 green (1 file, -17/+0): Remove accidentally-added O_DIVERTED section.

* 2004-10-03 green (3 files, -33/+258): Add to IPFW the ability to do ALTQ classification/tagging.