summaryrefslogtreecommitdiffstats
path: root/sbin/ipfw
Commit message (Collapse)AuthorAgeFilesLines
* MFC r288528:ae2015-10-121-1/+1
| | | | | | Fix possible segmentation fault. PR: 203494
* MFC r286702:dim2015-09-221-4/+4
| | | | | In ipfw2, avoid left-shifting negative integers, which is undefined. While here, make some other arguments to htonl(3) unsigned too.
* MFC r266310melifaro2015-09-181-1/+1
| | | | | | | | | | | | | | Fix wrong formatting of 0.0.0.0/X table records in ipfw(8). Add `flags` u16 field to the hole in ipfw_table_xentry structure. Kernel has been guessing address family for supplied record based on xent length size. Userland, however, has been getting fixed-size ipfw_table_xentry structures guessing address family by checking address by IN6_IS_ADDR_V4COMPAT(). Fix this behavior by providing specific IPFW_TCF_INET flag for IPv4 records. PR: bin/189471,kern/200169
* MFC 277714:jhb2015-02-061-3/+3
| | | | | | | natd(8) will work with an unconfigured interface and effectively not do anything until the interface is assigned an address. This fixes ipfw_nat to do the same by using an IP of INADDR_ANY instead of aborting the nat setup if the requested interface is not yet configured.
* Merge r258708, r258711, r260247, r261117.melifaro2014-05-082-10/+37
| | | | | | | | | | | | | | | | | | | | r258708: Check ipfw table numbers in both user and kernel space before rule addition. Found by: Saychik Pavel <umka@localka.net> r258711: Simplify O_NAT opcode handling. r260247: Use rnh_matchaddr instead of rnh_lookup for longest-prefix match. rnh_lookup is effectively the same as rnh_matchaddr if called with empy network mask. r261117: Reorder struct ip_fw_chain: * move rarely-used fields down * move uh_lock to different cacheline * remove some usused fields
* Merge r258677.melifaro2014-05-081-2/+13
| | | | | | | | | Fix key lookup in ipfw(8) broken since r232865. Print warning for IPv4 address strings which are valid in inet_aton() but not valid in inet_pton(). (1) Found by: Özkan KIRIK <ozkan.kirik@gmail.com> Submitted by: Ian Smith <smithi@nimnet.asn.au> (1)
* Bulk sync of pf changes from head, in attempt to fixup broken build Iglebius2014-03-122-2/+13
| | | | | | | | | made in r263029. Merge r257186,257215,257349,259736,261797. These changesets split pfvar.h into several smaller headers and make userland utilities to include only some of them.
* Remove duplicated parapgraph.se2013-07-241-10/+0
| | | | MFC after: 3 days
* Fix ipfw(8) sets of ipv6 addresses handling.melifaro2013-05-181-14/+24
| | | | | | | Conditionally use stack buffer instead of calling strdup(). PR: bin/104921 MFC after: 2 weeks
* Minor spelling and grammar fixes.joel2013-04-111-1/+1
|
* Remove EOL whitespace.joel2013-03-211-1/+1
|
* Remove unused variable.melifaro2013-03-201-2/+1
|
* Add ipfw support for setting/matching DiffServ codepoints (DSCP).melifaro2013-03-203-0/+221
| | | | | | | | | | | | | | | | | | | | | | Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg. Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order): Dmitrii Tejblum Marcelo Araujo Roman Bogorodskiy (novel) Sergey Matveichuk (sem) Sergey Ryabin PR: kern/102471, kern/121122 MFC after: 2 weeks
* Do not suddenly fail on some rulesets if -n (syntax check only) is specifiedmelifaro2013-03-041-4/+13
| | | | | | and ipfw(4) module is not loaded. MFC after: 2 weeks
* Implement buffer size checking in ipfw(8) add cmd.melifaro2013-03-033-62/+125
| | | | | | PR: bin/65961 Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru> MFC after: 2 weeks
* Fix ipfw table argument parsing/printing.melifaro2013-03-021-54/+92
| | | | | | | | Fix style. PR: kern/175909 Submitted by: Daniel Hagerty <hag@linnaean.org> MFC after: 2 weeks
* Remove the recently added sysctl variable net.pfil.forward.ae2012-11-021-8/+0
| | | | | | | | | Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set. Suggested by: andre
* Remove the IPFIREWALL_FORWARD kernel option and make possible to turnae2012-10-251-3/+6
| | | | | | | | | on the related functionality in the runtime via the sysctl variable net.pfil.forward. It is turned off by default. Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks
* Whitespace fixesmelifaro2012-09-241-13/+13
| | | | MFC after: 2 weeks
* Permit table to be used as IPv6 address.melifaro2012-09-241-2/+26
| | | | | Reported by: Serhiy Popov <sergiuspso@ukr.net> MFC after: 2 weeks
* Fix grammar in the portion about FIBs. Also, cross-referencebjk2012-09-181-9/+11
| | | | | | | setfib(2) instead of setfib(1) for the 16-FIB limit. PR: docs/157452 Approved by: hrs (mentor)
* Whitespace cleanup for ipfw.8 -- start each sentence on a new line,bjk2012-09-181-33/+58
| | | | | | | and put a comma after e.g. and i.e.. While here, wrap long lines. PR: docs/157452 Approved by: hrs (mentor)
* Remove unused valueskevlo2012-09-111-3/+3
|
* remove the last __unused instance in sbin/ipfw.luigi2012-07-301-1/+2
| | | | | | This particular function (show_prerequisites() ) we should actually remove the argument from the callers as well, but i'll do it at a later time.
* Fix some compile errors at high WARNS, including oneluigi2012-07-303-8/+13
| | | | | | | | | for an uninitialized variable. unused parameters and variables are annotated with (void)foo; /* UNUSED */ instead of __unused, because this code needs to build also on linux and windows.
* In ipfw(8), make the text about dynamic rules consistent.issyl02012-07-161-3/+5
| | | | | | PR: docs/120539 Approved by: gabor (mentor) MFC after: 5 days
* Make ipfw0 logging pseudo-interface clonable. It can be created automaticallyhrs2012-07-091-2/+17
| | | | | | | by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8) after a boot. Discussed on: freebsd-ipfw@
* - Make ipfw's sched rules case insensitive, for user-friendliness.issyl02012-07-031-5/+6
| | | | | | | | | | | - Add a note to the ipfw(8) man page about the rules no longer being case sensitive. - Fix some typos in the man page. PR: docs/164772 Reviewed by: bz Approved by: gabor (doc mentor, src committer) MFC after: 2 weeks
* Update maximum number of tables available in ipfw to reflectmelifaro2012-06-091-2/+2
| | | | | | | changes done in r233478. Approved by: kib(mentor) MFC after: 3 days
* mdoc: use Po and Pc macros instead of parens. Also avoid starting a linejoel2012-05-121-2/+2
| | | | with Ns.
* Remove trailing whitespace per mdoc lint warningeadler2012-03-291-51/+51
| | | | | | | Disussed with: gavin No objection from: doc Approved by: joel MFC after: 3 days
* - Permit number of ipfw tables to be changed in runtime.melifaro2012-03-252-10/+4
| | | | | | | | | | | | | | | net.inet.ip.fw.tables_max is now read-write. - Bump IPFW_TABLES_MAX to 65535 Default number of tables is still 128 - Remove IPFW_TABLES_MAX from ipfw(8) code. Sponsored by Yandex LLC Approved by: kib(mentor) MFC after: 2 weeks
* Remove superfluous paragraph macro.joel2012-03-251-11/+0
|
* - Add ipfw eXtended tables permitting radix to be used for any kind of keys.melifaro2012-03-122-80/+232
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Add support for IPv6 and interface extended tables - Make number of tables to be loader tunable in range 0..65534. - Use IP_FW3 opcode for all new extended table cmds No ABI changes are introduced. Old userland will see valid tables for IPv4 tables and no entries otherwise. Flush works for any table. IP_FW3 socket option is used to encapsulate all new opcodes: /* IP_FW3 header/opcodes */ typedef struct _ip_fw3_opheader { uint16_t opcode; /* Operation opcode */ uint16_t reserved[3]; /* Align to 64-bit boundary */ } ip_fw3_opheader; New opcodes added: IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST ipfw(8) table argument parsing behavior is changed: 'ipfw table 999 add host' now assumes 'host' to be interface name instead of hostname. New tunable: net.inet.ip.fw.tables_max controls number of table supported by ipfw in given VNET instance. 128 is still the default value. New syntax: ipfw add skipto tablearg ip from any to any via table(42) in ipfw add skipto tablearg ip from any to any via table(4242) out This is a bit hackish, special interface name '\1' is used to signal interface table number is passed in p.glob field. Sponsored by Yandex LLC Reviewed by: ae Approved by: ae (mentor) MFC after: 4 weeks
* remove some write-only variables.luigi2012-03-011-7/+2
| | | | | There is another block of code that is now useless as the computation is done in the kernel.
* Correct capitalization of "Hz" in user-visible text (manpages, printf(),gavin2012-02-281-1/+1
| | | | | | etc). MFC after: 3 days
* Bump .Dd for r231076.glebius2012-02-061-1/+1
| | | | Submitted by: bz
* Make the 'tcpwin' option of ipfw(8) accept ranges and lists.glebius2012-02-062-7/+18
| | | | Submitted by: sem
* Spelling fixes for sbin/uqs2012-01-072-5/+5
|
* Replace index() and rindex() calls with strchr() and strrchr().ed2012-01-031-5/+5
| | | | | | | | | | The index() and rindex() functions were marked LEGACY in the 2001 revision of POSIX and were subsequently removed from the 2008 revision. The strchr() and strrchr() functions are part of the C standard. This makes the source code a lot more consistent, as most of these C files also call into other str*() routines. In fact, about a dozen already perform strchr() calls.
* - Add fallthrough commenteadler2011-12-241-0/+1
| | | | | | Approved by: pluknet Found with: Coverity Prevent(tm) CID: 10125
* Fix parsing of redirect_addr argument.glebius2011-11-231-1/+2
| | | | | PR: kern/162739 MFC after: 3 days
* - fix duplicate "a a" in some commentseadler2011-11-131-1/+1
| | | | | | Submitted by: eadler Approved by: simon MFC after: 3 days
* Note that NAT instance argument can be tablearg.glebius2011-11-101-2/+2
| | | | | PR: misc/162265 Submitted by: Paul Procacci <pprocacci gmail.com>
* Add support for IPv6 to ipfw fwd:bz2011-08-202-22/+90
| | | | | | | | | | | | | | | | | | | Distinguish IPv4 and IPv6 addresses and optional port numbers in user space to set the option for the correct protocol family. Add support in the kernel for carrying the new IPv6 destination address and port. Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change the address in the IP header. Add support for IPv6 forwarding to a non-local destination. Add a regession test uitilizing VIMAGE to check all 20 possible combinations I could think of. Obtained from: David Dolson at Sandvine Incorporated (original version for ipfw fwd IPv6 support) Sponsored by: Sandvine Incorporated PR: bin/117214 MFC after: 4 weeks Approved by: re (kib)
* Fix a regression where a rule containing a source port option after ajhb2011-08-171-0/+2
| | | | | | | | | destination IP would incorrectly display the source port as a destination port. Reviewed by: luigi Approved by: re (kib) MFC after: 1 week
* Add new rule actions "call" and "return" to ipfw. They makeae2011-06-293-1/+106
| | | | | | | | | | | | | possible to organize subroutines with rules. The "call" action saves the current rule number in the internal stack and rules processing continues from the first rule with specified number (similar to skipto action). If later a rule with "return" action is encountered, the processing returns to the first rule with number of "call" rule saved in the stack plus one or higher. Submitted by: Vadim Goncharov Discussed by: ipfw@, luigi@
* Improve error reporting. Use corresponding error message when file to beae2011-06-291-4/+11
| | | | | | | | preprocessed is missing. Also suggest to use absolute pathname if -p option is specified. PR: bin/156653 MFC after: 2 weeks
* Actually, if code had followed style(9), there would be less stupid errorsglebius2011-06-241-15/+30
| | | | | | like the one fixed in r223416. Noticed by: julian
* One more braino from me.glebius2011-06-221-3/+6
| | | | | Pointy hat to: glebius Submitted by: Alexander V. Chernikov <melifaro ipfw.ru>
OpenPOWER on IntegriCloud