path: root/sbin/ipfw
Commit log (newest first). Each entry: commit message [author, date, files changed, lines removed/added]
* Remove trailing whitespace and change "prisoniD" to "prisonID". [csjp, 2004-08-13, 1 file, -2/+2]
  Pointed out by: simon
  Approved by: bmilekic (mentor)
* Add the ability to associate ipfw rules with a specific prison ID. [csjp, 2004-08-12, 2 files, -0/+26]
  Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes:
  - Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility.
  - Append the ipfw opcode list with O_JAIL.
  - While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage.
  - Add ``fw_prid'' to the ipfw ucred cache structure.
  - When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1.
  - Update man page to reflect these changes.
  This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be:
      ipfw add count ip from any to any jail 2
  It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations.
  Conceptual head nod by: pjd
  Reviewed by: rwatson
  Approved by: bmilekic (mentor)
* New ipfw option "antispoof": [andre, 2004-08-09, 2 files, -3/+49]
  For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came in on is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match.
  Usage example:
      ipfw add deny ip from any to any not antispoof in
  Manpage education by: ru
* Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well. [andre, 2004-07-21, 1 file, -2/+2]
  To quote the submitter:
  The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute.
  Submitted by: James Jun <james@towardex.com>
* Mechanically kill hard sentence breaks. [ru, 2004-07-02, 1 file, -38/+56]
* Fixed a bug spotted by compiling with -Wall. [ru, 2004-06-10, 1 file, -1/+1]
* Introduce a new feature to IPFW2: lookup tables. These are useful for handling large sparse address sets. [ru, 2004-06-09, 2 files, -4/+169]
  Initial implementation by Vsevolod Lobko <seva@ip.net.ua>, refined by me.
  MFC after: 1 week
* o Move NEED1 macro to the top of the source file. [csjp, 2004-06-02, 1 file, -6/+6]
  o Add sanity checking to the firewall delete operation which tells the user that a firewall rule specification is required. The previous behaviour was to exit without reporting any errors to the user.
  Approved by: bmilekic (mentor)
* o Fix usage example. [maxim, 2004-05-23, 1 file, -1/+1]
  PR: docs/67065
  Submitted by: David Syphers
* Remove spurious semicolons. [stefanf, 2004-05-18, 1 file, -2/+2]
  Approved by: das (mentor)
  Reviewed by: ipfw@
* Remove redundant sanity check before add_mac() when adding mac ipfw rules. [csjp, 2004-05-09, 1 file, -2/+0]
  The exact same sanity check is performed as the first operation of add_mac(), so there is no sense in doing it twice.
  Approved by: bmilekic (mentor)
  PR: bin/55981
* Add the option versrcreach to verify that a valid route to the source address of a packet exists in the routing table. [andre, 2004-04-23, 2 files, -2/+28]
  The default route is ignored because it would match everything and render the check pointless. This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses.
  Example:
      ipfw add 1000 deny ip from any to any not versrcreach
  also known in Cisco-speak as:
      ip verify unicast source reachable-via any
  Reviewed by: luigi
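The three source-address checks described in the antispoof, RTF_REJECT/RTF_BLACKHOLE and versrcreach commits above, modelled in Python as an added example (not FreeBSD code). The routing table, interface names and the longest-prefix lookup standing in for the kernel's route lookup are constructed for illustration; only the flag semantics follow the commit messages.

```python
# Added example, not FreeBSD code: a model of ipfw's "versrcreach" and
# "antispoof" source-address checks. Routes, interfaces and the lookup
# are constructed stand-ins; the decision rules follow the commit log.
import ipaddress

RTF_REJECT = 0x8        # values as assumed for this example
RTF_BLACKHOLE = 0x1000

# Constructed routing table: (prefix, outgoing interface, rt_flags)
ROUTES = [
    ("0.0.0.0/0", "em0", 0),                    # default route: ignored by versrcreach
    ("192.0.2.0/24", "em1", 0),                 # directly connected LAN
    ("198.51.100.0/24", "em0", 0),              # prefix learned via BGP
    ("203.0.113.0/24", "lo0", RTF_BLACKHOLE),   # null-routed prefix
]
DIRECTLY_CONNECTED = {"192.0.2.0/24": "em1"}

def lookup(src):
    """Longest-prefix match; returns (network, ifname, flags) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifn, flags in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifn, flags)
    return best

def versrcreach(src):
    """Match only if a non-default route to src exists and it is not a
    reject/blackhole route (the uRPF loose-check rule from the commit)."""
    hit = lookup(src)
    if hit is None or hit[0].prefixlen == 0:
        return False
    return not (hit[2] & (RTF_REJECT | RTF_BLACKHOLE))

def antispoof(src, in_ifname):
    """Fail only when src lies in a directly connected network but the
    packet arrived on a different interface; everything else matches."""
    addr = ipaddress.ip_address(src)
    for prefix, ifn in DIRECTLY_CONNECTED.items():
        if addr in ipaddress.ip_network(prefix):
            return ifn == in_ifname
    return True
```

A rule of the form "deny ip from any to any not versrcreach" corresponds to dropping packets for which versrcreach() returns False.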
* o Fix an incorrect parsing of 0.0.0.0/0 expression. [maxim, 2004-04-09, 1 file, -1/+1]
  PR: kern/64778
  MFC after: 6 weeks
* Backout revision 1.140; it seems that the previous version is clear enough. [ceri, 2004-03-27, 1 file, -2/+1]
  Requested by: ru
* o The length of the port list is limited to 30 entries in ipfw2 not to 15. [maxim, 2004-03-26, 1 file, -1/+1]
  PR: docs/64534
  Submitted by: Dmitry Cherkasov
  MFC after: 1 week
* Clarify the description of the "established" option. [ceri, 2004-03-22, 1 file, -1/+2]
  PR: docs/50391
  Submitted by: root@edcsm.jussieu.fr
  MFC after: 1 week
* o Pass a correct argument to errx(3). [maxim, 2004-01-24, 1 file, -1/+1]
  PR: bin/61846
  Submitted by: Eugene Grosbein
  MFC after: 1 week
* grammar [mtm, 2004-01-23, 1 file, -6/+6]
* o -c (compact) flag is an ipfw2 feature. [maxim, 2004-01-15, 1 file, -0/+2]
  PR: bin/56328
  MFC after: 3 days
* o -f (force) in conjunction with -p (preprocessor) is an ipfw2 feature. [maxim, 2004-01-15, 1 file, -0/+3]
  MFC after: 3 days
* o Legitimate -f (force) flags for -p (preprocessor) case. [maxim, 2003-12-24, 2 files, -4/+9]
  PR: bin/60433
  Submitted: Bjoern A. Zeeb
  MFC after: 3 weeks
* Add a -b flag to /sbin/ipfw to print only action and comment for each rule, thus omitting the entire body. [luigi, 2003-12-12, 2 files, -2/+24]
  This makes the output a lot more readable for complex rulesets (provided, of course, you have annotated your ruleset appropriately!)
  MFC after: 3 days
* Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate code is compiled in to support the O_IPSEC operator. [sam, 2003-12-02, 1 file, -1/+8]
  Previously no support was included and ipsec rules were always matching. Note that we do not return an error when an ipsec rule is added and the kernel does not have IPsec support compiled in; this is done intentionally but we may want to revisit this (document this in the man page).
  PR: 58899
  Submitted by: Bjoern A. Zeeb
  Approved by: re (rwatson)
* Replace the if_name and if_unit members of struct ifnet with new members if_xname, if_dname, and if_dunit. [brooks, 2003-10-31, 1 file, -15/+5]
  if_xname is the name of the interface and if_dname/unit are the driver name and instance. This change paves the way for interface renaming and enhanced pseudo device creation and configuration semantics.
  Approved By: re (in principle)
  Reviewed By: njl, imp
  Tested On: i386, amd64, sparc64
  Obtained From: NetBSD (if_xname)
* remove include of route.h now that ip_dummynet.h no longer exposes data structures that have an embedded struct route [sam, 2003-10-03, 1 file, -1/+0]
  Sponsored by: FreeBSD Foundation
* fix typo: s/sytem/system/ [rse, 2003-09-26, 1 file, -1/+1]
* Document the alternate way of matching MAC addresses: by a bitmask. [roam, 2003-09-10, 1 file, -2/+22]
  PR: 56021
  Submitted by: Glen Gibb <grg@ridley.unimelb.edu.au>
  MFC after: 1 month
* Apply a bandaid to get this working on sparc64 again; the introduction of do_cmd() broke things, because this function assumes that a socklen_t is large enough to hold a pointer. [tmm, 2003-09-04, 1 file, -4/+4]
  A real solution to this problem would be a rewrite of do_cmd() to treat the optlen parameter consistently and not use it to carry a pointer or integer dependent on the context.
* Check the argument count before proceeding in sysctl_handler(). [maxim, 2003-09-02, 1 file, -1/+1]
  PR: bin/56298
  Submitted by: Kang Liu <liukang@bjpu.edu.cn>
  MFC after: 2 weeks
  # We need a regression test suite for ipfw(2)/ipfw(8) badly.
* Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific [luigi, 2003-07-22, 1 file, -0/+4]
* o Initialize do_pipe before command parsing. [maxim, 2003-07-21, 1 file, -0/+1]
  PR: bin/54649
  Submitted by: Andy Gilligan <andy@evo6.org>
  MFC after: 3 days
* Userland side of: [luigi, 2003-07-15, 2 files, -14/+22]
  Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers. This implements a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush".
  Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change.
  Suggested by: Paul Richards
* Make sure that comments are printed at the end of a rule. [luigi, 2003-07-15, 1 file, -2/+4]
  Reported by: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
* Fix one typo in help() string, remove whitespace at end of line and other minor whitespace changes. [luigi, 2003-07-14, 1 file, -24/+23]
  Replace u_char with uint8_t in a few places.
* Accept empty lines when reading from a file (this fixes a bug introduced in the latest commits). [luigi, 2003-07-14, 1 file, -25/+52]
  Also:
  * update the 'ipfw -h' output;
  * allow rules of the form "100 add allow ..." i.e. with the index first (requested by Paul Richards). This was an undocumented ipfw1 behaviour, and it is left undocumented.
  and minor code cleanups.
* Add a '-T' flag to print the timestamp as numeric value instead of converting it with ctime(). [luigi, 2003-07-12, 2 files, -5/+14]
  This is a lot more convenient for postprocessing.
  Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
* Document the existence of comments in ipfw rules, the new flags handled when reading from a file, and clarify that only numeric values are allowed for icmptypes. [luigi, 2003-07-12, 1 file, -4/+11]
  MFC after: 3 days
* In random order: [luigi, 2003-07-12, 1 file, -218/+277]
  * make the code compile with WARNS=5 (at least on i386), mostly by adding 'const' specifier and replacing "void *" with "char *" in places where pointer arithmetic was used. This also spotted a few places where invalid tests (e.g. uint < 0) were used.
  * support ranges in "list" and "show" commands. Now you can say
        ipfw show 100-1000 4000-8000
    which is very convenient when you have large rulesets.
  * implement comments in ipfw commands. These are implemented in the kernel as O_NOP commands (which always match) whose body contains the comment string. In userland, a comment is a C++-style comment:
        ipfw add allow ip from me to any // i can talk to everybody
    The choice of '//' versus '#' is somewhat arbitrary, but because the preprocessor/readfile part of ipfw used to strip away '#', I did not want to change this behaviour. If a rule only contains a comment
        ipfw add 1000 // this rule is just a comment
    then it is stored as a 'count' rule (this is also to remind the user that scanning through a rule is expensive).
  * improve handling of flags (still to be completed). ipfw_main() was written thinking of 'one rule per ipfw invocation', and so flags are set and never cleared. With readfile/preprocessor support, this changes and certain flags should be reset on each line. For the time being, only fix handling of '-a' which differentiates the "list" and "show" commands.
  * rework the preprocessor support -- ipfw_main() already had most of the parsing code, so I have moved in there the only missing bit (stripping away '#' and comments) and removed the parsing from ipfw_readfile(). Also, add some more options (such as -c, -N, -S) to the readfile section.
  MFC after: 3 days
* Correct to match reality regarding interface names. [dannyboy, 2003-07-08, 1 file, -3/+7]
  PR: 51006
  Submitted by: "Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua>
  mdoc clue by: "Simon L. Nielsen" <simon@nitro.dk>
  MFC after: 10 days
* * introduce a section on SYNTAX to document the handling of spaces and comma-separated lists of arguments; [luigi, 2003-07-08, 1 file, -44/+77]
  * reword the description of address specifications, to include previous and current changes for address sets and lists;
  * document the new '-n' flag.
  * update the section on differences between ipfw1 and ipfw2 (this is becoming boring!)
  MFC after: 3 days
* A bunch of changes (mostly syntactic sugar, all backward compatible): [luigi, 2003-07-08, 1 file, -251/+383]
  * Make the addr-set size optional (defaults to /24). You can now write
        1.2.3.0/24{56-80}
    or
        1.2.3.0{56-80}
    Also make the parser more strict.
  * Support a new format for the list of addresses:
        1.2.3.4,5.6.7.8/30,9.10.11.12/22,12.12.12.13, ...
    which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK
  * Allow spaces after commas to make lists of addresses more readable.
        1.2.3.4, 5.6.7.8/30, 9.10.11.12/22, 12.12.12.13, ...
  * ipfw will now accept full commands as a single argument and strip extra leading/trailing whitespace as below:
        ipfw "-q add allow ip from 1.2.3.4 to 5.6.7.8, 9.10.11.23 "
    This should help in moving the body of ipfw into a library that user programs can invoke.
  * Cleanup some comments and data structures.
  * Do not print rule counters for dynamic rules with ipfw -d list (PR 51182)
  * Improve 'ipfw -h' output (PR 46785)
  * Add a '-n' flag to test the syntax of commands without actually calling [gs]etsockopt() (PR 44238)
  * Support the '-n' flag also with the preprocessors;
  Manpage commit to follow.
  MFC after: 3 days
* Implement the 'ipsec' option to match packets coming out of an ipsec tunnel. [luigi, 2003-07-04, 2 files, -0/+22]
  Should work with both regular and fast ipsec (mutually exclusive). See manpage for more details.
  Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
  Revised by: sam
  MFC after: 1 week
* remove extra whitespace and blank lines [luigi, 2003-06-27, 1 file, -5/+2]
* remove unused file (RELENG_5 and above use ipfw2, the old ipfw1 has been unused and unmaintained for a long time). [luigi, 2003-06-24, 1 file, -2667/+0]
* Split some long lines to fit 80 columns (the code in RELENG_4 was already correct). [luigi, 2003-06-23, 1 file, -5/+10]
* syntactic sugar: support range notation such as 1.2.3.4/24{5,6,7,10-20,60-90} for set of ip addresses. [luigi, 2003-06-23, 1 file, -5/+32]
  Previously you needed to specify every address in the range, which was inconvenient and led to very long lines. Internally the set is still stored in the same way, just the input and output routines are modified.
  Manpage update still missing.
  Perhaps a similar preprocessing step would be useful for port ranges.
  MFC after: 3 days
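An added Python expander (not ipfw's own parser) for the two address syntaxes described in the commit above and in the "bunch of changes" commit further up the page: the address-set form a.b.c.d/len{n,m-k,...} with the optional /len defaulting to /24, and the comma-separated list with optional spaces after commas. It goes slightly beyond the notation in the log by accepting any prefix length for the set form; the sample inputs are constructed.

```python
# Added example, not ipfw code: expand ipfw2's address-set and address-list
# syntax into ipaddress objects.
#   a.b.c.d/len{n,m-k,...} -> hosts whose host part is in the list
#                             (/len optional, defaults to /24 as the log says)
#   a.b.c.d, e.f.g.h/30,... -> list of networks, spaces after commas allowed
import ipaddress
import re

SET_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\{([^}]*)\}$")

def expand_set(spec):
    """'1.2.3.0/24{5,10-12}' -> ['1.2.3.5', '1.2.3.10', '1.2.3.11', '1.2.3.12']."""
    m = SET_RE.match(spec.strip())
    if not m:
        raise ValueError("not an address set: %r" % spec)
    # strict=False drops host bits of the base address, as 1.2.3.4/24 -> 1.2.3.0/24
    base = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2) or "24"), strict=False)
    limit = 1 << (32 - base.prefixlen)        # number of host values that fit
    hosts = set()
    for item in m.group(3).split(","):
        item = item.strip()
        lo_s, _, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        # A host number that does not fit in the host part is a parse error,
        # the kind of input the stricter parser in the log is meant to reject.
        if not (0 <= lo <= hi < limit):
            raise ValueError("host %s out of range for /%d" % (item, base.prefixlen))
        hosts.update(range(lo, hi + 1))
    return [str(base.network_address + h) for h in sorted(hosts)]

def parse_list(spec):
    """'1.2.3.4, 5.6.7.8/30' -> [IPv4Network('1.2.3.4/32'), IPv4Network('5.6.7.8/30')]."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]
```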
* o Fix sets of rules usage example. [maxim, 2003-06-23, 1 file, -4/+4]
  PR: docs/53625
  Submitted by: Kostyuk Oleg <cub@cub.org.ua>
  MFC after: 1 week
* Add support for multiple values and ranges for the "iplen", "ipttl", "ipid" options. [luigi, 2003-06-22, 2 files, -29/+91]
  This feature has been requested by several users. On passing, fix some minor bugs in the parser. This change is fully backward compatible so if you have an old /sbin/ipfw and a new kernel you are not in trouble (but you need to update /sbin/ipfw if you want to use the new features). Document the changes in the manpage.
  Now you can write things like
      ipfw add skipto 1000 iplen 0-500
  which some people were asking to give preferential treatment to short packets.
  The 'MFC after' is just set as a reminder, because I still need to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately change the size of certain kernel structures; not that it matters a lot since ipfw2 is entirely optional and not the default...)
  PR: bin/48015
  MFC after: 1 week
* o Pass a correct argument to printf(3). [maxim, 2003-06-16, 1 file, -3/+4]
  PR: bin/51750
  Submitted by: Vasil Dimov <vd@datamax.bg>
  MFC after: 2 weeks
* Change handling to support strong alignment architectures such as alpha and sparc64. [ticso, 2003-06-04, 1 file, -12/+34]
  PR: alpha/50658
  Submitted by: rizzo
  Tested on: alpha