path: root/sbin/ipfw
Commit message  Author  Age  Files  Lines
* o Teach get_mac_addr_mask() to not silently accept incorrect MAC
    addresses.
  o Swap a couple of magic 6s by ETHER_ADDR_LEN.

  PR:           bin/80913
  Submitted by: Andrey V. Elsukov
  MFC after:    1 month

  maxim  2007-05-09  1  -22/+38
* Add support for filtering on Routing Header Type 0 and
  Mobile IPv6 Routing Header Type 2 in addition to filtering on the
  non-differentiated presence of any Routing Header.

  MFC after:    3 weeks

  bz  2007-05-04  2  -3/+25
* o Make ipfw(8) show rules with mac/mac-type options correctly.

  Before:

  $ ipfw -n add 100 count icmp from any to any mac-type 0x01
  00100 count icmp 0x0001
  $ ipfw -n add 100 count icmp from any to any mac any any
  00100 count icmp MAC any any any

  After:

  $ ipfw -n add 100 count icmp from any to any mac-type 0x01
  00100 count icmp from any to any mac-type 0x0001
  $ ipfw -n add 100 count icmp from any to any mac any any
  00100 count icmp from any to any MAC any any

  PR:           bin/112244
  Submitted by: Andrey V. Elsukov
  MFC after:    1 month

  maxim  2007-04-30  1  -36/+17
* o Add missed w/space in the error message.

  Spotted by:   Ivan Voras
  MFC after:    1 week

  maxim  2007-04-17  1  -1/+1
* Mention the nat command in the synopsis and in the action section.

  Approved by:  glebius (mentor)

  piso  2007-02-15  1  -0/+13
* Fix a parsing bug when specifying more than one address with dotted decimal
  netmask.

  Reported by:  Igor Anishchuk
  PR:           kern/107565
  MFC after:    3 days

  mlaier  2007-01-07  1  -2/+8
* Summer of Code 2005: improve libalias - part 2 of 2

  With the second (and last) part of my previous Summer of Code work, we get:

  - ipfw's in kernel nat
  - redirect_* and LSNAT support

  General information about nat syntax and some examples are available in
  the ipfw (8) man page. The redirect and LSNAT syntax are identical to
  natd, so please refer to natd (8) man page.

  To enable in kernel nat in rc.conf, two options were added:

  o firewall_nat_enable: equivalent to natd_enable
  o firewall_nat_interface: equivalent to natd_interface

  Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to
  continue being checked by the firewall ruleset after being (de)aliased.

  NOTA BENE: due to some problems with libalias architecture, in kernel nat
  won't work with TSO enabled nic, thus you have to disable TSO via ifconfig
  (ifconfig foo0 -tso).

  Approved by:  glebius (mentor)

  piso  2006-12-29  2  -9/+1022
* Add a note about rule syntax compared to the shell used so users do not get
  frustrated when:

  ipfw add 201 deny ip from any to table(2) in via xl1

  returns "Badly placed ( )'s"

  PR:           73638

  trhodes  2006-10-09  1  -0/+4
* When addr/mask examples are given, show both a host and network
  address, to avoid confusing the users that a full address is always
  required.

  Submitted by: Josh Paetzel <josh@tcbug.org> (through freebsd-doc)
  MFC after:    3 days

  keramida  2006-10-04  1  -5/+6
* o Check for a required "pathname" argument presence.

  PR:           bin/95146
  Submitted by: candy-sendpr@kgc.co.jp
  MFC after:    3 weeks

  maxim  2006-09-29  1  -0/+2
* Markup fixes.

  ru  2006-09-18  1  -2/+4
* Check the length of the ipv4 and ipv6 address lists. It must be less
  than F_LEN_MASK.

  MFC after:    5 days

  jhay  2006-09-16  1  -0/+4
* Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
  otherwise this command

  ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

  turns into

  icmp6types 1,2,32,33,34,...94,95,128,129

  PR:           102422 (part 1)
  Submitted by: Andrey V. Elsukov <bu7cher at yandex.ru>
  MFC after:    5 days

  jhay  2006-09-16  1  -1/+1
* A pipe bandwidth of 10MBits/s should probably
  be understood as 10Mbits/s not 10MBytes/s.

  Submitted by: Gavin McCullagh <gavin.mccullagh@nuim.ie>
  MFC after:    1 week

  dwmalone  2006-08-23  1  -1/+2
* Rejiggle parens to try and get the intended effect. This should fix people
  having trouble with the "me6" keyword. Also, we were using inet_pton on
  the wrong variable in one place.

  Reviewed by:  mlaier (previous version of patch)
  Obtained from: Sascha Blank (inet_pton change)
  MFC after:    1 week

  dwmalone  2006-08-20  1  -6/+6
* Fix typo.

  julian  2006-08-20  1  -1/+1
* comply with style police

  Submitted by: ru
  MFC after:    1 month

  julian  2006-08-18  2  -18/+19
* Allow ipfw to forward to a destination that is specified by a table.

  for example:

  fwd tablearg ip from any to table(1)

  where table 1 has entries of the form:

  1.1.1.0/24    10.2.3.4
  208.23.2.0/24 router2

  This allows trivial implementation of a secondary routing table
  implemented in the firewall layer.

  I expect more work (under discussion with Glebius) to follow this to
  clean up some of the messy parts of ipfw related to tables.

  Reviewed by:  Glebius
  MFC after:    1 month

  julian  2006-08-17  2  -11/+60
* Take IP_FIREWALL_EXTENDED out of the man page too.

  MFC after:    1 week

  julian  2006-08-17  1  -8/+0
* Use the SLIST_NEXT macro instead of sle_next.

  Checked with: cmp(1)

  stefanf  2006-08-05  1  -2/+2
* Specify correct argument range for tag/untag keywords.

  Approved by:  glebius (mentor)

  oleg  2006-07-25  1  -2/+2
* Add support of 'tablearg' feature for:
  - 'tag' & 'untag' action parameters.
  - 'tagged' & 'limit' rule options.

  Rule examples:

  pipe 1 tag tablearg ip from table(1) to any
  allow ip from any to table(2) tagged tablearg
  allow tcp from table(3) to any 25 setup limit src-addr tablearg

  sbin/ipfw/ipfw2.c:
  1) new macros
     GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
     PRINT_UINT_ARG - support of 'tablearg' keyword.
  2) strtoport(): do not silently truncate/accept invalid port list
     expressions like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'.

  style(9) cleanup.

  Approved by:  glebius (mentor)
  MFC after:    1 month

  oleg  2006-06-15  2  -80/+128
* Print dynamic rules for IPv6 as well.

  PR:           bin/98349
  Submitted by: Mark Andrews
  MFC after:    2 weeks

  mlaier  2006-06-02  1  -5/+15
* Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
  Since tags are kept while packet resides in kernelspace, it's possible to
  use other kernel facilities (like netgraph nodes) for altering those tags.

  Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
  Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
  Approved by:  glebius (mentor)
  Idea from:    OpenBSD PF
  MFC after:    1 month

  oleg  2006-05-24  2  -9/+133
* For src/dest parsing take off the netmask before checking for AF with
  inet_pton. This fixes cases like "fe02::/16".

  PR:           bin/91245
  Reported by:  Fredrik Lindberge

  mlaier  2006-05-14  1  -15/+31
* Update manpage for net.inet6.ip6.fw.enable sysctl.

  Requested by: bz

  mlaier  2006-05-12  1  -2/+4
* Amazing.. two screwups in one commit.
  I'm piling on these pointy hats on top of each other. At least they nest..

  julian  2006-03-31  1  -1/+2
* I can't believe that no-one noticed that I broke ipfw table del
  for over a month!
  put {} around if clause with multiple statements

  julian  2006-03-31  1  -1/+2
* Revert `proto ip' back to the previous behavior. The kernel side of
  ipfw2 doesn't allow zero as protocol number.

  MFC after:    3 days

  ume  2006-03-05  2  -5/+3
* oops, mismerge from working sources.. not only add new code,
  but remove old code!

  julian  2006-02-14  1  -2/+0
* Stop ipfw from aborting when asked to delete a table entry that
  doesn't exist or add one that is already present, if the -q flag is set.
  Useful for "ipfw -q /dev/stdin" when the command above is invoked from
  something like python or TCL to feed commands down the throat of ipfw.

  MFC in:       1 week

  julian  2006-02-14  2  -1/+13
* Fix a markup glitch.

  ru  2006-02-03  1  -1/+1
* Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore.

  glebius  2006-01-13  1  -139/+6
* Document 'tablearg' keyword.

  Wording by:   emaste

  glebius  2006-01-13  1  -1/+31
* [mdoc] add missing space before a punctuation type argument.

  ru  2005-12-13  1  -1/+1
* Add a new feature for optimizing ipfw rulesets - substitution of the
  action argument with the value obtained from table lookup. The feature
  is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
  and "ngtee" rules.

  An example usage:

  ipfw pipe 1000 config bw 1000Kbyte/s
  ipfw pipe 4000 config bw 4000Kbyte/s
  ipfw table 1 add x.x.x.x 1000
  ipfw table 1 add x.x.x.y 4000
  ipfw pipe tablearg ip from table(1) to any

  In the example above the rule will throw different packets to different
  pipes.

  TODO:
  - Support "skipto" action, but without searching all rules.
  - Improve parser, so that it warns about bad rules. These are:
    - "tablearg" argument to action, but no "table" in the rule.
      All traffic will be blocked.
    - "tablearg" argument to action, but "table" searches for entry
      with a specific value. All traffic will be blocked.
    - "tablearg" argument to action, and two "table" looks - for src
      and for dst. The last lookup will match.

  glebius  2005-12-13  1  -46/+44
* Cleanup _FreeBSD_version.

  glebius  2005-12-09  1  -3/+0
* We couldn't specify the rule for filtering tunnel traffic since an
  IPv6 support was committed:

  - Stop treating `ip' and `ipv6' as special in `proto' option as they
    conflict with /etc/protocols.
  - Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.
  - When protocol is specified as numeric, treat it as it is even if it
    is 41 (ipv6).
  - Allow zero for protocol as it is valid number of `ip'.

  Still, we cannot specify an IPv6 over an IPv4 tunnel like before such as:

  pass ipv6 from any to any

  But, now, you can specify it like:

  pass ip4 from any to any proto ipv6

  PR:           kern/89472
  Reported by:  Gaël Roualland <gael.roualland__at__dial.oleane.com>
  MFC after:    1 week

  ume  2005-11-29  2  -16/+62
* Catch up with ip_dummynet.h rev. 1.38 and fix build.

  glebius  2005-11-29  1  -2/+2
* Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(),
  thus removing a few XXXes. Document the ABI breakage in UPDATING.

  glebius  2005-11-29  1  -1/+1
* -mdoc sweep.

  ru  2005-11-18  1  -3/+4
* Restore the documentation about uid, gid or prison based rules requiring
  that debug.mpsafenet be set to 0. It is still possible for dead locks to
  occur while these filtering options are used due to the layering violation
  inherent in their implementation.

  Discussed:    -current, rwatson, glebius

  csjp  2005-10-23  1  -0/+10
* Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.

  Reminded by:  ru

  mlaier  2005-09-28  1  -4/+4
* * Add dynamic sysctl for net.inet6.ip6.fw.
  * Correct handling of IPv6 Extension Headers.
  * Add unreach6 code.
  * Add logging for IPv6.

  Submitted by: sysctl handling derived from patch from ume needed for ip6fw
  Obtained from: is_icmp6_query and send_reject6 derived from similar
                 functions of netinet6,ip6fw
  Reviewed by:  ume, gnn; silence on ipfw@
  Test setup provided by: CK Software GmbH
  MFC after:    6 days

  bz  2005-08-13  2  -3/+89
* Bump document date. Remove EOL whitespace introduced in previous
  commit. Start new line at sentence break in previous commit.

  Approved by:  re (implicit, fixing a commit made 5 minutes ago)

  cperciva  2005-07-01  1  -3/+4
* Document some limitations of uid/gid rules.

  Approved by:  re (rwatson)
  MFC after:    3 days

  cperciva  2005-07-01  1  -0/+11
* Markup fixes.

  Approved by:  re (blanket)

  ru  2005-06-14  1  -4/+4
* add_proto() now fills proto for us so stop to 'guess' the protocol from the
  command and rather trust the value add_proto filled in. While here, fix an
  oversight in the pretty printing of ip6/4 options.

  mlaier  2005-06-07  1  -5/+2
* Better explain, then actually implement the IPFW ALTQ-rule first-match
  policy. It may be used to provide more detailed classification of
  traffic without actually having to decide its fate at the time of
  classification.

  MFC after:    1 week

  green  2005-06-04  1  -2/+13
* Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well.
  This is the last requirement before we can retire ip6fw.

  Reviewed by:  dwhite, brooks(earlier version)
  Submitted by: dwhite (manpage)
  Silence from: -ipfw

  mlaier  2005-06-03  2  -26/+71