| Commit message | Author | Age | Files | Lines |

Fix possible segmentation fault.
PR: 203494

In ipfw2, avoid left-shifting negative integers, which is undefined.
While here, make some other arguments to htonl(3) unsigned too.

Fix wrong formatting of 0.0.0.0/X table records in ipfw(8).
Add `flags` u16 field to the hole in ipfw_table_xentry structure.
Kernel has been guessing address family for supplied record based
on xent length size.
Userland, however, has been getting fixed-size ipfw_table_xentry structures
guessing address family by checking address by IN6_IS_ADDR_V4COMPAT().
Fix this behavior by providing specific IPFW_TCF_INET flag for IPv4 records.
PR: bin/189471,kern/200169

natd(8) will work with an unconfigured interface and effectively not do
anything until the interface is assigned an address. This fixes
ipfw_nat to do the same by using an IP of INADDR_ANY instead of
aborting the nat setup if the requested interface is not yet configured.

r258708:
Check ipfw table numbers in both user and kernel space before rule addition.
Found by: Saychik Pavel <umka@localka.net>
r258711:
Simplify O_NAT opcode handling.
r260247:
Use rnh_matchaddr instead of rnh_lookup for longest-prefix match.
rnh_lookup is effectively the same as rnh_matchaddr if called with
empty network mask.
r261117:
Reorder struct ip_fw_chain:
* move rarely-used fields down
* move uh_lock to different cacheline
* remove some unused fields

Fix key lookup in ipfw(8) broken since r232865.
Print warning for IPv4 address strings which are valid in
inet_aton() but not valid in inet_pton(). (1)
Found by: Özkan KIRIK <ozkan.kirik@gmail.com>
Submitted by: Ian Smith <smithi@nimnet.asn.au> (1)

made in r263029.
Merge r257186,257215,257349,259736,261797.
These changesets split pfvar.h into several smaller headers and make
userland utilities include only some of them.

MFC after: 3 days

Conditionally use stack buffer instead of calling strdup().
PR: bin/104921
MFC after: 2 weeks

Setting DSCP support is done via O_SETDSCP which works for both
IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
DSCP can be specified by name (AFXY, CSX, BE, EF), by value
(0..63) or via tablearg.
Matching DSCP is done via another opcode (O_DSCP) which accepts several
classes at once (af11,af22,be). Classes are stored in a bitmask (2 u32 words).
Many people made their variants of this patch; the ones I'm aware of are
(in alphabetic order):
Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin
PR: kern/102471, kern/121122
MFC after: 2 weeks

and ipfw(4) module is not loaded.
MFC after: 2 weeks

PR: bin/65961
Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru>
MFC after: 2 weeks

Fix style.
PR: kern/175909
Submitted by: Daniel Hagerty <hag@linnaean.org>
MFC after: 2 weeks

Instead, add protocol specific mbuf flags M_IP_NEXTHOP and
M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain
contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup
only when this flag is set.
Suggested by: andre

on the related functionality in the runtime via the sysctl variable
net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks

MFC after: 2 weeks

Reported by: Serhiy Popov <sergiuspso@ukr.net>
MFC after: 2 weeks

setfib(2) instead of setfib(1) for the 16-FIB limit.
PR: docs/157452
Approved by: hrs (mentor)

and put a comma after e.g. and i.e.. While here, wrap long lines.
PR: docs/157452
Approved by: hrs (mentor)

For this particular function (show_prerequisites()) we should actually
remove the argument from the callers as well, but I'll do it at a
later time.

for an uninitialized variable.
Unused parameters and variables are annotated with
(void)foo; /* UNUSED */
instead of __unused, because this code needs to build
also on Linux and Windows.

PR: docs/120539
Approved by: gabor (mentor)
MFC after: 5 days

by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.
Discussed on: freebsd-ipfw@

- Add a note to the ipfw(8) man page about the rules no longer being
case sensitive.
- Fix some typos in the man page.
PR: docs/164772
Reviewed by: bz
Approved by: gabor (doc mentor, src committer)
MFC after: 2 weeks

changes done in r233478.
Approved by: kib(mentor)
MFC after: 3 days

with Ns.

Discussed with: gavin
No objection from: doc
Approved by: joel
MFC after: 3 days

net.inet.ip.fw.tables_max is now read-write.
- Bump IPFW_TABLES_MAX to 65535
Default number of tables is still 128
- Remove IPFW_TABLES_MAX from ipfw(8) code.
Sponsored by: Yandex LLC
Approved by: kib(mentor)
MFC after: 2 weeks

- Add support for IPv6 and interface extended tables
- Make the number of tables a loader tunable in the range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds
No ABI changes are introduced. Old userland will see valid tables for
IPv4 tables and no entries otherwise. Flush works for any table.
IP_FW3 socket option is used to encapsulate all new opcodes:
/* IP_FW3 header/opcodes */
typedef struct _ip_fw3_opheader {
	uint16_t opcode; /* Operation opcode */
	uint16_t reserved[3]; /* Align to 64-bit boundary */
} ip_fw3_opheader;
New opcodes added:
IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST
ipfw(8) table argument parsing behavior is changed:
'ipfw table 999 add host' now assumes 'host' to be interface name instead of
hostname.
New tunable:
net.inet.ip.fw.tables_max controls the number of tables supported by ipfw in a given
VNET instance. 128 is still the default value.
New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out
This is a bit hackish: the special interface name '\1' is used to signal that the interface
table number is passed in the p.glob field.
Sponsored by: Yandex LLC
Reviewed by: ae
Approved by: ae (mentor)
MFC after: 4 weeks

There is another block of code that is now useless as the computation
is done in the kernel.

etc).
MFC after: 3 days

Submitted by: bz

Submitted by: sem

The index() and rindex() functions were marked LEGACY in the 2001
revision of POSIX and were subsequently removed from the 2008 revision.
The strchr() and strrchr() functions are part of the C standard.
This makes the source code a lot more consistent, as most of these C
files also call into other str*() routines. In fact, about a dozen
already perform strchr() calls.

Approved by: pluknet
Found with: Coverity Prevent(tm)
CID: 10125

PR: kern/162739
MFC after: 3 days

Submitted by: eadler
Approved by: simon
MFC after: 3 days

PR: misc/162265
Submitted by: Paul Procacci <pprocacci gmail.com>

Distinguish IPv4 and IPv6 addresses and optional port numbers in
user space to set the option for the correct protocol family.
Add support in the kernel for carrying the new IPv6 destination
address and port.
Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change
the address in the IP header.
Add support for IPv6 forwarding to a non-local destination.
Add a regression test utilizing VIMAGE to check all 20 possible
combinations I could think of.
Obtained from: David Dolson at Sandvine Incorporated
(original version for ipfw fwd IPv6 support)
Sponsored by: Sandvine Incorporated
PR: bin/117214
MFC after: 4 weeks
Approved by: re (kib)

destination IP would incorrectly display the source port as a destination
port.
Reviewed by: luigi
Approved by: re (kib)
MFC after: 1 week

possible to organize subroutines with rules.
The "call" action saves the current rule number in the internal
stack and rules processing continues from the first rule with
specified number (similar to skipto action). If later a rule with
"return" action is encountered, the processing returns to the first
rule with number of "call" rule saved in the stack plus one or higher.
Submitted by: Vadim Goncharov
Discussed by: ipfw@, luigi@

preprocessed is missing. Also suggest using an absolute pathname if the -p option
is specified.
PR: bin/156653
MFC after: 2 weeks

like the one fixed in r223416.
Noticed by: julian

Pointy hat to: glebius
Submitted by: Alexander V. Chernikov <melifaro ipfw.ru>