path: root/sbin/ipfw
* Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload. Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8) man pages.
  [andre, 2004-10-22, 1 file, -4/+4]
* Add a note to the man page warning users about possible lock order reversals + system lock ups if they are using ucred based rules while running with debug.mpsafenet=1. I am working on merging a shared locking mechanism into ipfw which should take care of this problem, but it still requires a bit more testing and review.
  [csjp, 2004-10-09, 1 file, -0/+10]
* Reference altq(4) instead of pf.conf(5).
  Tip of the hat to: mlaier
  [green, 2004-10-08, 1 file, -2/+2]
* Commit forgotten documentation for "diverted" rules.
  [green, 2004-10-08, 1 file, -1/+2]
* Remove blindly-copied extra include path.
  [green, 2004-10-03, 1 file, -1/+0]
* Add support to IPFW for matching by TCP data length.
  [green, 2004-10-03, 2 files, -0/+29]
* Add the documentation for IPFW's diverted(-loopback|-output) matches.
  [green, 2004-10-03, 1 file, -0/+8]
* Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket).
  [green, 2004-10-03, 1 file, -0/+35]
* Remove accidentally-added O_DIVERTED section.
  [green, 2004-10-03, 1 file, -17/+0]
* Add to IPFW the ability to do ALTQ classification/tagging.
  [green, 2004-10-03, 3 files, -33/+258]
* Since "d" is an array of 32 bit values, it is more correct to change the cast from unsigned int to uint32_t.
  Pointed out by: luigi
  [csjp, 2004-09-21, 1 file, -1/+1]
* Prepare for 5.x soon becoming -STABLE.
  Pointed out by: -current users
  [ru, 2004-09-19, 1 file, -8/+8]
* Make 'ipfw tee' behave as intended and designed. A tee'd packet is copied and sent to the DIVERT socket while the original packet continues with the next rule. Unlike a normally diverted packet no IP reassembly attempts are made on tee'd packets and they are passed upwards totally unmodified. Note: This will not be MFC'd to 4.x because of major infrastructure changes.
  PR: kern/64240 (and many others collapsed into that one)
  [andre, 2004-09-13, 1 file, -13/+2]
* Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered, making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints. The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information, the size of the instruction (in 32-bit words) in the low 6 bits of "len" with the 2 remaining bits to implement OR and NOT. The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes. This may be a MFC candidate for RELENG_5.
  Reviewed by: andre
  Approved by: luigi
  PR: kern/63961 (partially)
  [csjp, 2004-09-11, 1 file, -3/+3]
* o Initialize a local variable and make gcc happy.
  PR: bin/71485
  Submitted by: Jukka A. Ukkonen
  [maxim, 2004-09-10, 1 file, -0/+2]
* o Restore a historical ipfw1 logamount behaviour: rules with 'log' keyword but without 'logamount' limit the amount of their log messages by net.inet.ip.fw.verbose_limit sysctl value. RELENG_5 candidate.
  PR: kern/46080
  Submitted by: Dan Pelleg
  MFC after: 1 week
  [maxim, 2004-08-29, 1 file, -0/+7]
* Fix 'show' command for pipes and queues.
  PR: bin/70311
  Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
  MFC after: 3 days
  [pjd, 2004-08-23, 1 file, -1/+7]
* Remove trailing whitespace and change "prisoniD" to "prisonID".
  Pointed out by: simon
  Approved by: bmilekic (mentor)
  [csjp, 2004-08-13, 1 file, -2/+2]
* Add the ability to associate ipfw rules with a specific prison ID. Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes:
  - Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility.
  - Append the ipfw opcode list with O_JAIL.
  - While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage.
  - Add ``fw_prid'' to the ipfw ucred cache structure.
  - When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1.
  - Update man page to reflect these changes.
  This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be: ipfw add count ip from any to any jail 2
  It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations.
  Conceptual head nod by: pjd
  Reviewed by: rwatson
  Approved by: bmilekic (mentor)
  [csjp, 2004-08-12, 2 files, -0/+26]
* New ipfw option "antispoof": For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came in on is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match.
  Usage example: ipfw add deny ip from any to any not antispoof in
  Manpage education by: ru
  [andre, 2004-08-09, 2 files, -3/+49]
* Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well. To quote the submitter: The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute.
  Submitted by: James Jun <james@towardex.com>
  [andre, 2004-07-21, 1 file, -2/+2]
* Mechanically kill hard sentence breaks.
  [ru, 2004-07-02, 1 file, -38/+56]
* Fixed a bug spotted by compiling with -Wall.
  [ru, 2004-06-10, 1 file, -1/+1]
* Introduce a new feature to IPFW2: lookup tables. These are useful for handling large sparse address sets. Initial implementation by Vsevolod Lobko <seva@ip.net.ua>, refined by me.
  MFC after: 1 week
  [ru, 2004-06-09, 2 files, -4/+169]
* o Move NEED1 macro to the top of the source file.
  o Add sanity checking to the firewall delete operation which tells the user that a firewall rule specification is required. The previous behaviour was to exit without reporting any errors to the user.
  Approved by: bmilekic (mentor)
  [csjp, 2004-06-02, 1 file, -6/+6]
* o Fix usage example.
  PR: docs/67065
  Submitted by: David Syphers
  [maxim, 2004-05-23, 1 file, -1/+1]
* Remove spurious semicolons.
  Approved by: das (mentor)
  Reviewed by: ipfw@
  [stefanf, 2004-05-18, 1 file, -2/+2]
* Remove redundant sanity check before add_mac() when adding mac ipfw rules. The exact same sanity check is performed as the first operation of add_mac(), so there is no sense in doing it twice.
  Approved by: bmilekic (mentor)
  PR: bin/55981
  [csjp, 2004-05-09, 1 file, -2/+0]
* Add the option versrcreach to verify that a valid route to the source address of a packet exists in the routing table. The default route is ignored because it would match everything and render the check pointless. This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses.
  Example: ipfw add 1000 deny ip from any to any not versrcreach
  also known in Cisco-speak as: ip verify unicast source reachable-via any
  Reviewed by: luigi
  [andre, 2004-04-23, 2 files, -2/+28]
* o Fix an incorrect parsing of 0.0.0.0/0 expression.
  PR: kern/64778
  MFC after: 6 weeks
  [maxim, 2004-04-09, 1 file, -1/+1]
* Backout revision 1.140; it seems that the previous version is clear enough.
  Requested by: ru
  [ceri, 2004-03-27, 1 file, -2/+1]
* o The length of the port list is limited to 30 entries in ipfw2 not to 15.
  PR: docs/64534
  Submitted by: Dmitry Cherkasov
  MFC after: 1 week
  [maxim, 2004-03-26, 1 file, -1/+1]
* Clarify the description of the "established" option.
  PR: docs/50391
  Submitted by: root@edcsm.jussieu.fr
  MFC after: 1 week
  [ceri, 2004-03-22, 1 file, -1/+2]
* o Pass a correct argument to errx(3).
  PR: bin/61846
  Submitted by: Eugene Grosbein
  MFC after: 1 week
  [maxim, 2004-01-24, 1 file, -1/+1]
* grammar
  [mtm, 2004-01-23, 1 file, -6/+6]
* o -c (compact) flag is an ipfw2 feature.
  PR: bin/56328
  MFC after: 3 days
  [maxim, 2004-01-15, 1 file, -0/+2]
* o -f (force) in conjunction with -p (preprocessor) is an ipfw2 feature.
  MFC after: 3 days
  [maxim, 2004-01-15, 1 file, -0/+3]
* o Legitimate -f (force) flags for -p (preprocessor) case.
  PR: bin/60433
  Submitted: Bjoern A. Zeeb
  MFC after: 3 weeks
  [maxim, 2003-12-24, 2 files, -4/+9]
* Add a -b flag to /sbin/ipfw to print only action and comment for each rule, thus omitting the entire body. This makes the output a lot more readable for complex rulesets (provided, of course, you have annotated your ruleset appropriately!)
  MFC after: 3 days
  [luigi, 2003-12-12, 2 files, -2/+24]
* Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate code is compiled in to support the O_IPSEC operator. Previously no support was included and ipsec rules were always matching. Note that we do not return an error when an ipsec rule is added and the kernel does not have IPsec support compiled in; this is done intentionally but we may want to revisit this (document this in the man page).
  PR: 58899
  Submitted by: Bjoern A. Zeeb
  Approved by: re (rwatson)
  [sam, 2003-12-02, 1 file, -1/+8]
* Replace the if_name and if_unit members of struct ifnet with new members if_xname, if_dname, and if_dunit. if_xname is the name of the interface and if_dname/unit are the driver name and instance. This change paves the way for interface renaming and enhanced pseudo device creation and configuration semantics.
  Approved By: re (in principle)
  Reviewed By: njl, imp
  Tested On: i386, amd64, sparc64
  Obtained From: NetBSD (if_xname)
  [brooks, 2003-10-31, 1 file, -15/+5]
* remove include of route.h now that ip_dummynet.h no longer exposes data structures that have an embedded struct route
  Sponsored by: FreeBSD Foundation
  [sam, 2003-10-03, 1 file, -1/+0]
* fix typo: s/sytem/system/
  [rse, 2003-09-26, 1 file, -1/+1]
* Document the alternate way of matching MAC addresses: by a bitmask.
  PR: 56021
  Submitted by: Glen Gibb <grg@ridley.unimelb.edu.au>
  MFC after: 1 month
  [roam, 2003-09-10, 1 file, -2/+22]
* Apply a bandaid to get this working on sparc64 again; the introduction of do_cmd() broke things, because this function assumes that a socklen_t is large enough to hold a pointer. A real solution to this problem would be a rewrite of do_cmd() to treat the optlen parameter consistently and not use it to carry a pointer or integer dependent on the context.
  [tmm, 2003-09-04, 1 file, -4/+4]
* Check an arguments count before proceeding in sysctl_handler().
  PR: bin/56298
  Submitted by: Kang Liu <liukang@bjpu.edu.cn>
  MFC after: 2 weeks
  # We need a regression test suite for ipfw(2)/ipfw(8) badly.
  [maxim, 2003-09-02, 1 file, -1/+1]
* Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific
  [luigi, 2003-07-22, 1 file, -0/+4]
* o Initialize do_pipe before command parsing.
  PR: bin/54649
  Submitted by: Andy Gilligan <andy@evo6.org>
  MFC after: 3 days
  [maxim, 2003-07-21, 1 file, -0/+1]
* Userland side of: Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers. This implements a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush". Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change.
  Suggested by: Paul Richards
  [luigi, 2003-07-15, 2 files, -14/+22]
* Make sure that comments are printed at the end of a rule.
  Reported by: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
  [luigi, 2003-07-15, 1 file, -2/+4]