path: root/sbin/ipfw
Commit message  [Author, Age, Files, Lines]
* Enlighten those who read the FINE POINTS of the documentation a bit  [cjc, 2002-05-01, 1 file, -3/+14]
  more on how ipfw(8) deals with tiny fragments. While we're at it, add a quick log message to even let people know we dropped a packet. (Note that the second FINE POINT is somewhat redundant given the first, but since the code is there, leave the docs for it.)
  MFC after: 1 day
* I've been meaning to do this for a while. Add an underscore to the  [dillon, 2002-01-19, 1 file, -1/+1]
  time_to_xxx() and xxx_to_time() functions, e.g. _time_to_xxx() instead of time_to_xxx(), to make it more obvious that these are stopgap functions & placemarkers and not meant to create a de facto standard. They will eventually be replaced when a real standard comes out of committee.
* mdoc(7) police: tidy up the markup in revision 1.96.  [ru, 2002-01-10, 1 file, -5/+12]
* o Note that packets diverted using a 'divert' socket, and then  [rwatson, 2002-01-03, 1 file, -0/+9]
  reinserted by a userland process, will lose a number of packet attributes, including their source interface. This may affect the behavior of later rules, and while not strictly a BUG, may cause unexpected behavior if not clearly documented. A similar note for natd(8) might be desirable.
* Move the discussion of how many times a packet will pass through  [yar, 2002-01-02, 1 file, -20/+18]
  ipfirewall(4) to the IMPLEMENTATION NOTES section because it considers kernel internals and may confuse newbies if placed at the very beginning of the manpage (where it used to be previously).
  Not objected by: luigi
* Clarify the "show" ipfw(8) command.  [yar, 2002-01-02, 1 file, -2/+6]
  PR: docs/31263
  Permitted by: luigi
* Fix a typo: wierd -> weird  [yar, 2002-01-02, 1 file, -1/+1]
* Fix documentation to match reality  [julian, 2001-12-28, 1 file, -7/+15]
* Implement matching IP precedence in ipfw(4).  [yar, 2001-12-21, 2 files, -0/+24]
  Submitted by: Igor Timkin <ivt@gamma.ru>
* At least once mention the long names of WF2Q+ (Worst-case Fair Weighted  [rse, 2001-12-14, 1 file, -2/+2]
  Fair Queueing) and RED (Random Early Detection) to both give the reader a hint what they are and to make it easier to find out more information about them.
* Default to WARNS=2.  [obrien, 2001-12-04, 1 file, -1/+1]
  Binary builds that cannot handle this must explicitly set WARNS=0.
  Reviewed by: mike
* sync the code with the one in stable (mostly formatting changes).  [luigi, 2001-11-04, 1 file, -26/+27]
* Fix a typo in a format string, and fix error checking for missing  [luigi, 2001-11-01, 1 file, -6/+5]
  masks in "limit" rules.
* More white space changes.  [joe, 2001-10-29, 1 file, -3/+3]
* More stylistic tidying.  [joe, 2001-10-29, 1 file, -20/+21]
* Remove trailing white spaces, and some other style violations.  [joe, 2001-10-29, 1 file, -90/+90]
* Properly convert long to time_t  [dillon, 2001-10-28, 1 file, -1/+2]
* Remove some extraneous spaces from the usage message.  [joe, 2001-10-28, 1 file, -1/+1]
* Repair typo.  [dd, 2001-10-14, 1 file, -1/+1]
  PR: 31262
  Submitted by: <swear@blarg.net>
* mdoc(7) police: fix markup.  [ru, 2001-10-01, 1 file, -56/+27]
* now that jlemon has added a hash table to lookup locally configured ip  [billf, 2001-09-29, 1 file, -3/+2]
  addresses (and the macros that ipfw(4) use to lookup data for the 'me' keyword have been converted) remove a comment about using 'me' being a "computationally expensive" operation. while I'm here, change two instances of "IP number" to "IP address"
* Two main changes here:  [luigi, 2001-09-27, 2 files, -36/+102]
  + implement "limit" rules, which permit limiting the number of sessions between certain host pairs (according to masks). These are a special type of stateful rules, which might be of interest in some cases. See the ipfw manpage for details.
  + merge the list pointers and ipfw rule descriptors in the kernel, so the code is smaller, faster and more readable. This patch basically consists of replacing "foo->rule->bar" with "rule->bar" all over the place. I have been willing to do this for ages!
  MFC after: 1 week
* A bunch of minor changes to the code (see below) for readability, code size  [luigi, 2001-09-20, 1 file, -8/+19]
  and speed. No new functionality added (yet) apart from a bugfix. MFC will occur in due time and probably in stages.
  BUGFIX: fix a problem in old code which prevented reallocation of the hash table for dynamic rules (there is a PR on this).
  OTHER CHANGES:
  - minor changes to the internal struct for static and dynamic rules. Requires rebuild of ipfw binary.
  - Add comments to show how data structures are linked together. (It probably makes no sense to keep the chain pointers separate from actual rule descriptors. They will be hopefully merged soon.)
  - keep a (sysctl-readable) counter for the number of static rules, to speed up IP_FW_GET operations
  - initial support for a "grace time" for expired connections, so we can set timeouts for closing connections to much shorter times.
  - merge zero_entry() and resetlog_entry(), they use basically the same code.
  - clean up and reduce replication of code for removing rules, both for readability and code size.
  - introduce a separate lifetime for dynamic UDP rules.
  - fix a problem in old code which prevented reallocation of the hash table for dynamic rules (PR ...)
  - restructure dynamic rule descriptors
  - introduce some local variables to avoid multiple dereferencing of pointer chains (reduces code size and hopefully increases speed).
* Non-decimal ``skipto'' rule numbers are meaningless.  [ru, 2001-09-19, 1 file, -1/+1]
  Noticed by: "Marc G. Fournier" <scrappy@hub.org>
  MFC after: 3 days
* mdoc(7) police:  [ru, 2001-08-07, 1 file, -22/+12]
  Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text. Not only does this slow down the mdoc(7) processing significantly, but it also has an undesired (in this case) effect of disabling hyphenation within the entire enclosed block.
* Fixed one more breakage introduced in 1.103 cleanup.  [ru, 2001-08-06, 1 file, -1/+2]
  ICMP types were reported incorrectly:
    # ipfw add allow icmp from any to any icmptypes 0,8
  PR: bin/29185
  Submitted by: Mike Durian <durian@boogie.com>
* style(9)  [obrien, 2001-08-01, 1 file, -1/+1]
* Error messaging in ipfw(8) was out of hand: almost 50 lines of usage  [cjc, 2001-07-22, 1 file, -109/+114]
  information for any command line error, with the actual error message almost always (and sometimes irretrievably) lost scrolling off the top of the screen. Now just print the error. Give ipfw(8) no arguments for the old usage summary. Thanks to Lyndon Nerenberg <lyndon@orthanc.ab.ca> for the patch and PR, but I had already done this when ru pointed out the PR.
  PR: bin/28729
  Approved by: ru
  MFC after: 1 week
* mdoc(7) police: removed HISTORY info from the .Os call.  [ru, 2001-07-10, 1 file, -1/+1]
* Fix rule parsing breakage introduced in 1.103 cleanup. 'tcp' and  [cjc, 2001-07-10, 1 file, -5/+8]
  'icmp' rules could drop into infinite loops when given bad arguments.
  Reviewed by: ru, des
  Approved by: ru
* mdoc(7) police: remove extraneous .Pp before and/or after .Sh.  [dd, 2001-07-09, 1 file, -1/+0]
* Silence format string warnings.  [kris, 2001-07-01, 1 file, -11/+11]
  MFC after: 2 weeks
* Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the  [chris, 2001-06-06, 1 file, -0/+3]
  checklist.
  MFC after: 1 week
* Invert the meaning of the -d option (i.e. default to *not* list dynamic rules,  [des, 2001-06-04, 2 files, -1119/+1160]
  but list them if -d was specified). Avoid listing expired dynamic rules unless the (new) -e option was specified. If specific rule numbers were listed on the command line, and the -d flag was specified, only list dynamic rules that match the specified rule numbers.
  Try to partly clean up the bleeding mess this file has become. If there is any justice in this world, the responsible parties (you know who you are!) should expect to wake up one morning with a horse's head in their bed. The code still looks like spaghetti, but at least now it's *properly indented* spaghetti (hmm? did somebody say "tagliatelle"?).
* Add a flag to "ipfw show" which suppresses the display of dynamic  [dwmalone, 2001-05-20, 2 files, -3/+10]
  rules. Also, don't show dynamic rules if you only asked to see a certain rule number.
  PR: 18550
  Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
  Approved by: luigi
  MFC after: 2 weeks
* Update comment to match ipfw/ipfw.c,v 1.95.  [ru, 2001-04-13, 1 file, -3/+2]
* Fixed some printf format errors (don't assume that ntohl() returns u_long).  [bde, 2001-04-05, 1 file, -2/+2]
* - Backout botched attempt to introduce MANSECT feature.  [ru, 2001-03-26, 1 file, -0/+1]
  - MAN[1-9] -> MAN.
* Set the default manual section for sbin/ to 8.  [ru, 2001-03-20, 1 file, -1/+0]
* mdoc(7) police: removed hard sentence break introduced in rev 1.82.  [ru, 2001-03-16, 1 file, -1/+2]
* Explain that TCP fragments with an offset of 1 are reported as being  [dd, 2001-03-16, 1 file, -1/+2]
  dropped by rule -1 if logging is enabled.
  PR: 25796
  Submitted by: Crist J. Clark <cjclark@alum.mit.edu>
  Approved by: nik
* Document that the IPFW messages are logged via syslogd(8).  [ru, 2001-02-22, 1 file, -1/+11]
* mdoc(7) police: normalize the construct.  [ru, 2001-02-15, 1 file, -5/+1]
* Fix grammar nit in previous commit.  [sheldonh, 2001-02-14, 1 file, -1/+1]
* Introduce a new feature in IPFW: Check of the source or destination  [phk, 2001-02-13, 2 files, -40/+73]
  address is configured on an interface. This is useful for routers with dynamic interfaces. It is now possible to say:
    0100 allow tcp from any to any established
    0200 skipto 1000 tcp from any to any
    0300 allow ip from any to any
    1000 allow tcp from 1.2.3.4 to me 22
    1010 deny tcp from any to me 22
    1020 allow tcp from any to any
  and not have to worry about the behaviour if dynamic interfaces configure new IP numbers later on. The check is semi expensive (traverses the interface address list) so it should be protected as in the above example if high performance is a requirement.
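The ruleset in the commit above is easiest to reason about by running it. The following is an added example, not code from ipfw or from any of the commits on this page: a small Python model of ipfw's first-match walk with skipto, established and the 'me' keyword, fed the six rules above. It counts how often the 'me' check (the "semi expensive" interface walk) is actually reached, which is the point of putting "established" and "skipto" in front of it. It also models the FINE POINT mentioned in the dd (2001-03-16) and cjc (2002-05-01) commits: a TCP fragment with IP offset 1 is refused before any rule is consulted and reported against rule -1. Assumptions, none of which are on the page: LOCAL_ADDRS stands in for the addresses configured on interfaces, the default rule denies, the log text is constructed, and cheap fields (protocol, flags, port) are compared before addresses so they can short-circuit the 'me' lookup.

```python
"""Model of ipfw(4) first-match evaluation for the ruleset in the phk commit.

Added example, not ipfw's code. LOCAL_ADDRS stands in for the interface
address list walked by 'me'; the default rule is assumed to deny.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_ADDRS = {"192.0.2.10", "198.51.100.1"}   # constructed 'me' addresses
ME_LOOKUPS: list = []                          # one entry per 'me' evaluation
TH_RST, TH_ACK, TH_SYN = 0x04, 0x10, 0x02

@dataclass
class Rule:
    num: int
    action: str                   # 'allow', 'deny' or 'skipto'
    proto: str                    # 'ip', 'tcp' or 'udp'
    src: str                      # 'any', 'me' or a literal address
    dst: str
    dport: Optional[int] = None
    established: bool = False     # TCP packet with RST or ACK set
    target: Optional[int] = None  # skipto destination

def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw(8) syntax used in the ruleset above."""
    t = line.split()
    num, action, i, target = int(t[0], 10), t[1], 2, None
    if action == "skipto":
        target, i = int(t[i], 10), i + 1     # rule numbers are decimal
    proto, src, dst, i = t[i], t[i + 2], t[i + 4], i + 5
    if t[i - 4] != "from" or t[i - 2] != "to":
        raise ValueError("cannot parse: " + line)
    dport = int(t[i]) if i < len(t) and t[i].isdigit() else None
    return Rule(num, action, proto, src, dst, dport,
                "established" in t[i:], target)

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        ME_LOOKUPS.append(addr)              # the "semi expensive" check
        return addr in LOCAL_ADDRS
    return spec == addr

def rule_match(r: Rule, pkt: dict) -> bool:
    # Cheap fields first so that flags and ports can short-circuit 'me'.
    if r.proto != "ip" and r.proto != pkt["proto"]:
        return False
    if r.established and not (pkt.get("flags", 0) & (TH_RST | TH_ACK)):
        return False
    if r.dport is not None and r.dport != pkt.get("dport"):
        return False
    return addr_match(r.src, pkt["src"]) and addr_match(r.dst, pkt["dst"])

def evaluate(rules: list, pkt: dict, log: Optional[list] = None):
    """Walk rules (sorted by number) first-match; return (rule, action)."""
    # FINE POINT: a TCP fragment with IP offset 1 cannot carry a complete
    # TCP header, so it is refused before any rule and logged as rule -1
    # (the log text is constructed for this example).
    if pkt["proto"] == "tcp" and pkt.get("frag_off", 0) == 1:
        if log is not None:
            log.append(f"ipfw: -1 Refuse TCP fragment from {pkt['src']}")
        return (-1, "deny")
    i = 0
    while i < len(rules):
        r = rules[i]
        if not rule_match(r, pkt):
            i += 1
            continue
        if r.action == "skipto":
            if r.target <= r.num:
                raise ValueError("skipto must jump forward")
            # skip every rule numbered below the target
            i = next((j for j, x in enumerate(rules) if x.num >= r.target),
                     len(rules))
            continue
        return (r.num, r.action)
    return (65535, "deny")                   # assumed default-deny rule

RULESET = [parse_rule(l) for l in """
0100 allow tcp from any to any established
0200 skipto 1000 tcp from any to any
0300 allow ip from any to any
1000 allow tcp from 1.2.3.4 to me 22
1010 deny tcp from any to me 22
1020 allow tcp from any to any
""".splitlines() if l.strip()]

# Constructed sample packets (addresses from documentation ranges).
PACKETS = {
    "ssh_syn_stranger": dict(proto="tcp", src="203.0.113.5", dst="192.0.2.10", dport=22, flags=TH_SYN),
    "ssh_syn_trusted": dict(proto="tcp", src="1.2.3.4", dst="192.0.2.10", dport=22, flags=TH_SYN),
    "ssh_ack": dict(proto="tcp", src="203.0.113.5", dst="192.0.2.10", dport=22, flags=TH_ACK),
    "http_syn": dict(proto="tcp", src="203.0.113.5", dst="192.0.2.10", dport=80, flags=TH_SYN),
    "dns_udp": dict(proto="udp", src="203.0.113.5", dst="192.0.2.10", dport=53),
    "tiny_tcp_frag": dict(proto="tcp", src="203.0.113.5", dst="192.0.2.10", frag_off=1),
}

def run_samples():
    """Return ({name: (rule, action)}, number of 'me' lookups, log lines)."""
    ME_LOOKUPS.clear()
    log: list = []
    verdicts = {n: evaluate(RULESET, p, log) for n, p in PACKETS.items()}
    return verdicts, len(ME_LOOKUPS), log
```

Running run_samples() shows the protection the commit describes: of six packets, only the two unestablished SYNs to port 22 ever reach a 'me' comparison; the ACK packet is accepted by rule 0100, the HTTP SYN is skipped past both 'me' rules by port mismatch, UDP never enters the TCP block, and the tiny fragment is dropped as rule -1 before the ruleset runs at all.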
* o IPFW incorrectly handled filtering in the presence of previously  [rwatson, 2001-01-09, 1 file, -3/+2]
  reserved and now allocated TCP flags in incoming packets. This patch stops overloading those bits in the IP firewall rules, and moves colliding flags to a separate field, ipflg. The IPFW userland management tool, ipfw(8), is updated to reflect this change. New TCP flags related to ECN are now included in tcp.h for reference, although we don't currently implement TCP+ECN.
  o To use this fix without completely rebuilding, it is sufficient to copy ip_fw.h and tcp.h into your appropriate include directory, then rebuild the ipfw kernel module, and ipfw tool, and install both. Note that a mismatch between module and userland tool will result in incorrect installation of firewall rules that may have unexpected effects.
  This is an MFC candidate, following shakedown. This bug does not appear to affect ipfilter.
  Reviewed by: security-officer, billf
  Reported by: Aragon Gouveia <aragon@phat.za.net>
* Prepare for mdoc(7)NG.  [ru, 2000-12-27, 1 file, -4/+1]
* Prepare for mdoc(7)NG.  [ru, 2000-12-18, 1 file, -4/+4]
* mdoc(7) police: do not split author names in the AUTHORS section.  [ru, 2000-11-22, 1 file, -1/+2]
* mdoc(7) police: use the new features of the Nm macro.  [ru, 2000-11-20, 1 file, -11/+11]