path: root/sbin/ipfw
Commit log (each entry: subject, author, date, files changed, lines removed/added, then the commit message body)
* Bring back support for checking tables via "ipfw -n".
  Author: melifaro  Date: 2015-05-19  Files: 1  Lines: -18/+80

    Currently we have different table key types which can easily interfere
    with each other (numbers and IPv4 address, interface names and hostnames,
    flows and hostnames/addresses). These conflicts are solved by
    [auto-]creating _typed_ tables, so after a table is created, only keys of
    the given type can be inserted to that table. ipfw(8) consults with the
    kernel about the key/value type for a particular table so it knows the
    key/value interpretation. However, we have 2 cases (adding entries to a
    non-existing table and parsing a configuration file via `ipfw -n`) when
    the kernel is unable to provide us the table info we need. Fix the latter
    case by partially importing the old `table_fill_xentry()` parse function
    responsible for guessing the key type.

    Sponsored by: Yandex LLC
* Correctly print valtype for empty bitmask.
  Author: melifaro  Date: 2015-05-06  Files: 1  Lines: -0/+1

* Generalize object reference handling in ipfw rules.
  Author: melifaro  Date: 2015-04-26  Files: 3  Lines: -76/+118

    No ABI changes.

* Fix use-after-free.
  Author: melifaro  Date: 2015-04-19  Files: 1  Lines: -3/+2

    Reported by: Coverity Scan, pfg
    CID: 1245747
* Properly initialize scope zone id when next hop address stored directly in the O_FORWARD_IP6 opcode.
  Author: ae  Date: 2015-03-13  Files: 1  Lines: -5/+8

    Use getnameinfo(3) for formatting the IPv6 addresses of such opcodes.

    Obtained from: Yandex LLC
    Sponsored by: Yandex LLC
* Fix `ipfw fwd tablearg'. Use dedicated field nh4 in struct table_value to obtain IPv4 next hop address in tablearg case.
  Author: ae  Date: 2015-03-13  Files: 2  Lines: -9/+32

    Add `fwd tablearg' support for IPv6. ipfw(8) uses INADDR_ANY as next hop
    address in O_FORWARD_IP opcode for specifying tablearg case. For IPv6 we
    still use this opcode, but when packet identified as IPv6 packet, we
    obtain next hop address from dedicated field nh6 in struct table_value.

    Replace hopstore field in struct ip_fw_args with anonymous union and add
    hopstore6 field. Use this field to copy tablearg value for IPv6.

    Replace spare1 field in struct table_value with zoneid. Use it to keep
    scope zone id for link-local IPv6 addresses. Since spare1 was used
    internally, replace spare0 array with two variables spare0 and spare1.

    Use getaddrinfo(3)/getnameinfo(3) functions for parsing and formatting
    IPv6 addresses in table_value. Use zoneid field in struct table_value to
    store sin6_scope_id value.

    Since the kernel still uses embedded scope zone id to represent
    link-local addresses, convert next_hop6 address into this form before
    return from pfil processing. This also fixes in6_localip() check for
    link-local addresses.

    Differential Revision: https://reviews.freebsd.org/D2015
    Obtained from: Yandex LLC
    Sponsored by: Yandex LLC
* Retrieve counters from kernel if rule timestamping is requested.
  Author: melifaro  Date: 2015-02-05  Files: 1  Lines: -2/+4

    PR: kern/197271
    Submitted by: lev
    Sponsored by: Yandex LLC
* natd(8) will work with an unconfigured interface and effectively not do anything until the interface is assigned an address.
  Author: jhb  Date: 2015-01-25  Files: 1  Lines: -3/+3

    This fixes ipfw_nat to do the same by using an IP of INADDR_ANY instead
    of aborting the nat setup if the requested interface is not yet
    configured.

    Differential Revision: https://reviews.freebsd.org/D1539
    Reviewed by: melifaro, glebius, gnn
    MFC after: 1 week

* mdoc: remove EOL whitespace.
  Author: joel  Date: 2014-12-29  Files: 1  Lines: -4/+4

* Convert sbin/ to LIBADD
  Author: bapt  Date: 2014-11-25  Files: 1  Lines: -2/+1

    Reduce overlinking

* Misc mdoc fixes:
  Author: joel  Date: 2014-11-23  Files: 1  Lines: -2/+1

    - Remove superfluous paragraph macros.
    - Remove/fix empty or incorrect macros.
    - Sort sections into conventional order.
    - Terminate quoted strings properly.
    - Remove EOL whitespace.

* Fix documentation issue.
  Author: melifaro  Date: 2014-10-24  Files: 1  Lines: -2/+2

    PR: 194581
    Submitted by: madpilot

* Fix displaying non-contiguous netmasks.
  Author: melifaro  Date: 2014-10-24  Files: 1  Lines: -3/+4

    Found by: ae
    Sponsored by: Yandex LLC
* Zero rule buffer.
  Author: melifaro  Date: 2014-10-18  Files: 1  Lines: -6/+7

    * Zero rule buffer.
    * Rename 'read' variable.

    Pointed by: luigi

* Fix table sets handling.
  Author: melifaro  Date: 2014-10-17  Files: 2  Lines: -3/+4

    * Fix table sets handling.
    * Simplify formatting.

    Suggested by: luigi

* Show error when deleting non-existing rule number.
  Author: melifaro  Date: 2014-10-13  Files: 1  Lines: -2/+9

    Found by: Oleg Ginzburg

* Fix zeroing individual entries via ipfw(8).
  Author: melifaro  Date: 2014-10-13  Files: 1  Lines: -1/+11

    * Fix zeroing individual entries via ipfw(8).
    * Report error and return non-zero exit code if zeroing non-matched
      entries.

    Found by: Oleg Ginzburg

* Partially fix build on !amd64
  Author: melifaro  Date: 2014-10-10  Files: 2  Lines: -3/+3

    Pointed by: bz

* Fix use-after-free in table printing code.
  Author: melifaro  Date: 2014-10-09  Files: 1  Lines: -5/+6

    * Fix use-after-free in table printing code.
    * Fix showing human-readable error in table cmds code.
* Sync to HEAD@r272609. (merge commit)
  Author: melifaro  Date: 2014-10-06  Files: 1  Lines: -4/+25

* Improve "reserved keywords" hack: (merged via Sync to HEAD@r272609)
  Author: melifaro  Date: 2014-10-06  Files: 1  Lines: -4/+25

    We can't easily predict (in the current parsing model) if the keyword is
    an ipfw(8) reserved keyword or a port name. Checking the proto database
    via getprotobyname() consumes a lot of CPU and leads to tens of seconds
    for parsing a large ruleset. Use a list of reserved keywords and check
    them as a pre-requisite before doing getprotobyname().

    Obtained from: Yandex LLC
* Whitespace/style changes merged from projects/ipfw. (merged via Sync to HEAD@r272609)
  Author: melifaro  Date: 2014-08-23  Files: 1  Lines: -1/+1

* Merge buffer-printing changes from projects/ipfw as preparation for branch merge. (merged via Sync to HEAD@r272609)
  Author: melifaro  Date: 2014-08-23  Files: 5  Lines: -365/+532

    Requested by: luigi
* Fix tracked interface list retrieval.
  Author: melifaro  Date: 2014-10-05  Files: 1  Lines: -1/+1

* Fix GCC warnings.
  Author: melifaro  Date: 2014-10-04  Files: 2  Lines: -4/+5

* Document new table values.
  Author: melifaro  Date: 2014-10-03  Files: 1  Lines: -45/+47

    Sponsored by: Yandex LLC
* Make ipfw_nat module use IP_FW3 codes.
  Author: melifaro  Date: 2014-09-07  Files: 1  Lines: -116/+241

    Kernel changes:
    * Split kernel/userland nat structures eliminating IPFW_INTERNAL hack.
    * Add IP_FW_NAT44_* codes resembling old ones.
    * Assume that instances can be named (no kernel support currently).
    * Use both UH+WLOCK locks for all configuration changes.
    * Provide full ABI support for old sockopts.

    Userland changes:
    * Use IP_FW_NAT44_* codes for nat operations.
    * Remove undocumented ability to show ranges of nat "log" entries.
* Change copyrights to the proper one.
  Author: melifaro  Date: 2014-09-05  Files: 1  Lines: -7/+3

* Return setsockopt() directly.
  Author: melifaro  Date: 2014-09-05  Files: 1  Lines: -4/+1

    Suggested by: Steven Hartland at killing@multiplay.co.uk.

* Use per-function errno handling instead of global one.
  Author: melifaro  Date: 2014-09-05  Files: 2  Lines: -50/+36

    Requested by: luigi
* Add support for multi-field values inside ipfw tables.
  Author: melifaro  Date: 2014-08-31  Files: 3  Lines: -137/+390

    This is the last major change in given branch.

    Kernel changes:
    * Use 64-byte structures to hold multi-value variables.
    * Use shared array to hold values from all tables (assume each table
      algo is capable of holding 32-byte variables).
    * Add some placeholders to support per-table value arrays in future.
    * Use simple eventhandler-style API to ease the process of adding new
      table items. Currently table addition may require multiple UH
      drops/acquires which is quite tricky due to atomic table
      modification/swap support, shared array resize, etc. Deal with it by
      calling a special notifier capable of rolling back state before
      actually performing swap/resize operations. The original operation
      then restarts itself after acquiring the UH lock.
    * Bump all objhash users default values to at least 64.
    * Fix custom hashing inside objhash.

    Userland changes:
    * Add support for dumping shared value array via "vlist" internal cmd.
    * Some small print/fill_flags fixes to support u32 values.
    * valtype is now a bitmask of
      <skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>.
      New values can hold distinct values for each of these types.
    * Provide special "legacy" type which assumes all values are the same.
    * More helpers/docs following..

    Some examples:

      3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
      3:41 [1] zfscurr0# ipfw table mimimi info
      +++ table(mimimi), set(0) +++
      kindex: 2, type: addr
      references: 0, valtype: skipto,limit,ipv4,ipv6
      algorithm: addr:radix
      items: 0, size: 296
      3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1
      added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1
      3:42 [1] zfscurr0# ipfw table mimimi list
      +++ table(mimimi), set(0) +++
      10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1
* Make room for multi-type values in struct tentry.
  Author: melifaro  Date: 2014-08-15  Files: 1  Lines: -4/+4

* Replace "cidr" table type with "addr" type.
  Author: melifaro  Date: 2014-08-14  Files: 2  Lines: -18/+17

    Suggested by: luigi

* Document internal commands.
  Author: melifaro  Date: 2014-08-14  Files: 2  Lines: -4/+27

    * Document internal commands.
    * Do not require/set default table type if algo name is specified.
    * Add TA_FLAG_READONLY option for algorithms.

* Sync to HEAD@r269943. (merge commit)
  Author: melifaro  Date: 2014-08-13  Files: 1  Lines: -2/+1
* mdoc: remove superfluous paragraph macros. (merged via Sync to HEAD@r269943)
  Author: joel  Date: 2014-06-23  Files: 1  Lines: -1/+0

* use .Mt to mark up email addresses consistently (part1) (merged via Sync to HEAD@r269943)
  Author: bapt  Date: 2014-06-20  Files: 1  Lines: -1/+1

    PR: 191174
    Submitted by: Franco Fichtner <franco@lastsummer.de>
* Document table set-awareness in ipfw(8).
  Author: melifaro  Date: 2014-08-13  Files: 1  Lines: -18/+38

* Pass proper table set numbers from userland side.
  Author: melifaro  Date: 2014-08-13  Files: 1  Lines: -6/+8

    * Pass proper table set numbers from userland side.
    * Ignore them, but honor V_fw_tables_sets value on kernel side.

* Update op3 cmds.
  Author: melifaro  Date: 2014-08-13  Files: 1  Lines: -34/+10

* Do not crash on incorrect "flow" type inputs.
  Author: melifaro  Date: 2014-08-13  Files: 1  Lines: -5/+16

    * Do not crash on incorrect "flow" type inputs.
    * Do not auto-create tables for operations other than add.

* Document most of the changes that have happened.
  Author: melifaro  Date: 2014-08-13  Files: 1  Lines: -55/+260

* Move one step further towards libipfw: convert show_static_rule() to bpprint-output style, so one can now output human-readable rule representation to preallocated buffer.
  Author: melifaro  Date: 2014-08-12  Files: 3  Lines: -202/+192

* Update table_handler cmd list
  Author: melifaro  Date: 2014-08-12  Files: 3  Lines: -16/+57

    * Update table_handler cmd list
    * Implement partial cmd matching inside table handler.
* Change tablearg value to be 0 (try #2).
  Author: melifaro  Date: 2014-08-12  Files: 2  Lines: -11/+23

    Most of the tablearg-supported opcodes do not accept 0 as a valid value:
    O_TAG, O_TAGGED, O_PIPE, O_QUEUE, O_DIVERT, O_TEE, O_SKIPTO, O_CALLRET,
    O_NETGRAPH, O_NGTEE, O_NAT treat 0 as invalid input. The rest are
    O_SETDSCP and O_SETFIB. 'Fix' them by adding high-order bit (0x8000) set
    for non-tablearg values. Do translation in kernel for old clients
    (import_rule0 / export_rule0), teach current ipfw(8) binary to add/remove
    given bit.

    This change does not affect handling SETDSCP values, but limits O_SETFIB
    values to 32767 instead of 65k. Since currently we have either old (16)
    or new (2^32) max fibs, this should not be a big deal: we're definitely
    OK for the former and have to add another opcode to deal with the latter,
    regardless of tablearg value.
* Add the ability to lock/unlock given table from changes.
  Author: melifaro  Date: 2014-08-11  Files: 2  Lines: -5/+39

    Example:

      # ipfw table si lock
      # ipfw table si info
      +++ table(si), set(0) +++
      kindex: 0, type: cidr, locked
      valtype: number, references: 0
      algorithm: cidr:radix
      items: 0, size: 288
      # ipfw table si add 4.5.6.7
      ignored: 4.5.6.7/32 0
      ipfw: Adding record failed: table is locked
      # ipfw table si unlock
      # ipfw table si add 4.5.6.7
      added: 4.5.6.7/32 0
      # ipfw table si lock
      # ipfw table si delete 4.5.6.7
      ignored: 4.5.6.7/32 0
      ipfw: Deleting record failed: table is locked
      # ipfw table si unlock
      # ipfw table si delete 4.5.6.7
      deleted: 4.5.6.7/32 0
* Add support for batched add/delete for ipfw tables
  Author: melifaro  Date: 2014-08-11  Files: 2  Lines: -43/+184

    * Add support for batched add/delete for ipfw tables
    * Add support for atomic batches add (all or none).
    * Fix panic on deleting non-existing entry in radix algo.

    Examples:

      # si is empty
      # ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222
      added: 1.1.1.1/32 1111
      added: 2.2.2.2/32 2222
      # ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444
      exists: 2.2.2.2/32 2200
      added: 4.4.4.4/32 4444
      ipfw: Adding record failed: record already exists
      ^^^^^ Returns error but keeps inserted items
      # ipfw table si list
      +++ table(si), set(0) +++
      1.1.1.1/32 1111
      2.2.2.2/32 2222
      4.4.4.4/32 4444
      # ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555
      added(reverted): 3.3.3.3/32 3333
      exists: 4.4.4.4/32 4400
      ignored: 5.5.5.5/32 5555
      ipfw: Adding record failed: record already exists
      ^^^^^ Returns error and reverts added records
      # ipfw table si list
      +++ table(si), set(0) +++
      1.1.1.1/32 1111
      2.2.2.2/32 2222
      4.4.4.4/32 4444
* Kernel changes:
  Author: melifaro  Date: 2014-08-08  Files: 2  Lines: -17/+27

    Kernel changes:
    * Fix buffer calculation for table dumps
    * Fix IPv6 radix entries addition broken in r269371.

    Userland changes:
    * Fix bug in retrieving static ruleset
    * Fix several bugs in retrieving table list

* Partially revert previous commit:
  Author: melifaro  Date: 2014-08-08  Files: 1  Lines: -8/+8

    "0" value is perfectly valid for O_SETFIB and O_SETDSCP, so tablearg
    remains to be 655535 for now.

* Switch tablearg value from 65535 to 0.
  Author: melifaro  Date: 2014-08-08  Files: 1  Lines: -10/+10

    * Switch tablearg value from 65535 to 0.
    * Use u16 table kidx instead of integer on for iface opcode.
    * Provide compatibility layer for old clients.