path: root/sbin/ipfw
Commit message (author, date, files changed, lines -/+)
* Be more specific when complaining about bit masks. (brooks, 2005-04-05, 1 file, -2/+2)
* Bring back the full packet destination manipulation for 'ipfw fwd' with the kernel compile time option: (andre, 2005-02-22, 1 file, -1/+14)

    options IPFIREWALL_FORWARD_EXTENDED

  This option has to be specified in addition to IPFIREWALL_FORWARD. With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break.

  Document the two kernel options.

  PR: kern/71910
  PR: kern/73129
  MFC after: 1 week
* Expand *n't contractions. (ru, 2005-02-13, 1 file, -4/+4)
* Sort SEE ALSO. (glebius, 2005-02-07, 1 file, -1/+1)
  Submitted by: ru
* Document how interaction with ng_ipfw node is configured. (glebius, 2005-02-05, 1 file, -2/+23)
* Add a ng_ipfw node, implementing a quick and simple interface between ipfw(4) and netgraph(4) facilities. (glebius, 2005-02-05, 1 file, -0/+22)
  Reviewed by: andre, brooks, julian
* Don't print extra " via ", if we have already printed one. While here, slightly style brackets. (glebius, 2005-01-18, 1 file, -4/+6)
  PR: misc/75297
  MFC after: 1 week
* Sort sections. (ru, 2005-01-18, 1 file, -27/+27)
* Markup nits. (ru, 2005-01-15, 1 file, -16/+14)
* Deprecate unmaintainable uses of strncmp to implement abbreviations. (brooks, 2005-01-15, 1 file, -60/+112)
  This commit replaces those with two new functions that simplify the code and produce warnings that the syntax is deprecated. A small number of sensible abbreviations may be explicitly added based on user feedback.

  There were previously three types of strncmp use in ipfw:
  - Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av to match string or any shortened form of it. I have replaced this with a new function _substrcmp(av, "string") which returns 0 if av is a substring of "string", but emits a warning if av is not exactly "string".
  - The next type was two instances of strncmp(av, "by", 2) which allowed the abbreviation of bytes to "by", "byt", etc. Unfortunately, it also supported "bykHUygh&*g&*7*ui". I added a second new function _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but complains if the user doesn't spell out the word "bytes".
  - There is also one correct use of strncmp to match "table(" which might have another token after it without a space.

  Since I changed all the lines anyway, I also fixed the treatment of strncmp's return as a boolean in many cases. I also modified a few strcmp cases as well to be fully consistent.
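As an added example, not part of the commit above or of the ipfw sources, the old fixed-length strncmp check is shown beside a reconstruction of the _substrcmp()/_substrcmp2() behaviour the message describes. The function bodies, the deprecation_warnings counter and the rejection of an empty argument are this example's own assumptions; the real ipfw(8) helpers are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Number of deprecation warnings emitted so far; lets a caller observe that
 * an abbreviation was accepted but flagged (assumed, not from ipfw). */
static int deprecation_warnings = 0;

/* Old style: strncmp(av, "by", 2) compares only the first two characters of
 * av, so any string starting with "by" passes, including garbage such as
 * "bykHUygh&*g&*7*ui". */
static int old_match_bytes(const char *av)
{
    return strncmp(av, "by", 2) == 0;
}

/* Reconstruction of _substrcmp(): returns 0 when av is a leading substring
 * of full, warning when av is not exactly full. An empty av is rejected,
 * because strncmp with a zero length would otherwise match every keyword. */
static int substrcmp(const char *av, const char *full)
{
    size_t n = strlen(av);

    if (n == 0 || n > strlen(full) || strncmp(av, full, n) != 0)
        return 1;
    if (n != strlen(full)) {
        deprecation_warnings++;
        fprintf(stderr, "DEPRECATED: '%s' matched '%s' as a sub-string\n",
                av, full);
    }
    return 0;
}

/* Reconstruction of _substrcmp2(): av must begin with the minimum
 * abbreviation abbr and be a leading substring of full; only the full
 * spelling escapes the warning. */
static int substrcmp2(const char *av, const char *abbr, const char *full)
{
    if (strncmp(av, abbr, strlen(abbr)) != 0)
        return 1;
    return substrcmp(av, full);
}

int main(void)
{
    /* Constructed inputs, including the garbage string from the commit. */
    const char *inputs[] = { "bytes", "byt", "by", "b", "bykHUygh&*g&*7*ui" };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-20s old:%d new:%d\n", inputs[i],
               old_match_bytes(inputs[i]),
               substrcmp2(inputs[i], "by", "bytes") == 0);
    return 0;
}
```

The security-relevant difference is that the old comparison bound was the length of the keyword, not of the user's token, so the check never looked at the rest of the argument; the replacement bounds the comparison by the argument's own length and still fails closed on an empty token.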
* Scheduled mdoc(7) sweep. (ru, 2005-01-10, 1 file, -1/+2)
* Write some bit mask limits in hex rather than decimal so they look less magic. (brooks, 2005-01-07, 1 file, -2/+2)
* Update the IPFW man page to reflect reality. mpsafenet=0 is no longer required when using ucred based rules. (csjp, 2004-12-10, 1 file, -10/+0)
  Pointed out by: seanc (thanks!)
  MFC after: 1 month
* Remove a duplicate line from an apparent merge error in rev 1.63. (brooks, 2004-11-25, 1 file, -1/+0)
* Be more clear that "bridged" is a synonym for "layer2". (ceri, 2004-11-03, 1 file, -1/+2)
  PR: docs/44400
  Submitted by: Constantin Stefanov <cstef at mail dot ru>
* Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload. (andre, 2004-10-22, 1 file, -4/+4)
  Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8) man pages.
* Add a note to the man page warning users about possible lock order reversals and system lock ups if they are using ucred based rules while running with debug.mpsafenet=1. (csjp, 2004-10-09, 1 file, -0/+10)
  I am working on merging a shared locking mechanism into ipfw which should take care of this problem, but it still requires a bit more testing and review.
* Reference altq(4) instead of pf.conf(5). (green, 2004-10-08, 1 file, -2/+2)
  Tip of the hat to: mlaier
* Commit forgotten documentation for "diverted" rules. (green, 2004-10-08, 1 file, -1/+2)
* Remove blindly-copied extra include path. (green, 2004-10-03, 1 file, -1/+0)
* Add support to IPFW for matching by TCP data length. (green, 2004-10-03, 2 files, -0/+29)
* Add the documentation for IPFW's diverted(-loopback|-output) matches. (green, 2004-10-03, 1 file, -0/+8)
* Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket). (green, 2004-10-03, 1 file, -0/+35)
* Remove accidentally-added O_DIVERTED section. (green, 2004-10-03, 1 file, -17/+0)
* Add to IPFW the ability to do ALTQ classification/tagging. (green, 2004-10-03, 3 files, -33/+258)
* Since "d" is an array of 32 bit values, it is more correct to change the cast from unsigned int to uint32_t. (csjp, 2004-09-21, 1 file, -1/+1)
  Pointed out by: luigi
* Prepare for 5.x soon becoming -STABLE. (ru, 2004-09-19, 1 file, -8/+8)
  Pointed out by: -current users
* Make 'ipfw tee' behave as intended and designed. A tee'd packet is copied and sent to the DIVERT socket while the original packet continues with the next rule. (andre, 2004-09-13, 1 file, -13/+2)
  Unlike a normally diverted packet no IP reassembly attempts are made on tee'd packets and they are passed upwards totally unmodified.

  Note: This will not be MFC'd to 4.x because of major infrastructure changes.

  PR: kern/64240 (and many others collapsed into that one)
* Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered, making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints. (csjp, 2004-09-11, 1 file, -3/+3)
  The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information, the size of the instruction (in 32-bit words) in the low 6 bits of "len" with the 2 remaining bits to implement OR and NOT. The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits.

  This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes.

  This may be a MFC candidate for RELENG_5.

  Reviewed by: andre
  Approved by: luigi
  PR: kern/63961 (partially)
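An added example, not from the commit above or from the ipfw sources, that reproduces the len-byte clobbering in a stand-alone C program. The ipfw_insn layout and the F_NOT/F_OR/F_LEN_MASK values are re-declared locally as assumptions so the file builds without netinet/ip_fw.h, the opcode numbers are placeholders, and fill_uid_buggy()/fill_uid_fixed() stand in for the before and after of the change. The point worth seeing is that the clobbered instruction is still well-formed, so the rule walker steps over it without complaint and a rule written as "not uid 0" silently enforces "uid 0".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local re-declaration of the ipfw_insn header and its len-byte layout
 * (assumed for this example; the real definitions live in netinet/ip_fw.h). */
#define F_NOT       0x80    /* negate the match */
#define F_OR        0x40    /* OR this match with the next instruction */
#define F_LEN_MASK  0x3f    /* low 6 bits: instruction size in 32-bit words */
#define F_LEN(cmd)  ((cmd)->len & F_LEN_MASK)

enum { O_NOP = 0, O_UID = 1 };   /* placeholder opcode numbers */

typedef struct {
    uint8_t  opcode;
    uint8_t  len;           /* size | F_NOT | F_OR packed into one byte */
    uint16_t arg1;
} ipfw_insn;

typedef struct { ipfw_insn o; uint32_t d[1]; } ipfw_insn_u32;

#define F_INSN_SIZE(t)  (sizeof(t) / sizeof(uint32_t))

/* Before the fix: plain assignment discards whatever F_NOT/F_OR bits the
 * parser had already stored in len. */
static void fill_uid_buggy(ipfw_insn_u32 *cmd, uint32_t uid)
{
    cmd->o.opcode = O_UID;
    cmd->o.len = F_INSN_SIZE(ipfw_insn_u32);
    cmd->d[0] = uid;
}

/* After the fix: OR the size into the low bits and keep the flag bits. */
static void fill_uid_fixed(ipfw_insn_u32 *cmd, uint32_t uid)
{
    cmd->o.opcode = O_UID;
    cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
    cmd->d[0] = uid;
}

/* Encode "not uid <uid>": the parser records F_NOT first, then the opcode
 * handler fills in the rest. Returns the resulting len byte. */
static uint8_t encode_not_uid(int fixed, uint32_t uid, ipfw_insn_u32 *out)
{
    memset(out, 0, sizeof(*out));
    out->o.len = F_NOT;
    if (fixed)
        fill_uid_fixed(out, uid);
    else
        fill_uid_buggy(out, uid);
    return out->o.len;
}

/* Evaluate one O_UID instruction as a rule walker would: compute the raw
 * match, then honour F_NOT. Returns 1 when the packet matches. */
static int match_uid(const ipfw_insn_u32 *cmd, uint32_t pkt_uid)
{
    int m = (cmd->d[0] == pkt_uid);
    return (cmd->o.len & F_NOT) ? !m : m;
}

int main(void)
{
    ipfw_insn_u32 buggy, fixed;

    encode_not_uid(0, 0, &buggy);
    encode_not_uid(1, 0, &fixed);
    printf("buggy: len=0x%02x size=%u not=%d  'not uid 0' matches uid 0: %d\n",
           buggy.o.len, (unsigned)F_LEN(&buggy.o), !!(buggy.o.len & F_NOT),
           match_uid(&buggy, 0));
    printf("fixed: len=0x%02x size=%u not=%d  'not uid 0' matches uid 0: %d\n",
           fixed.o.len, (unsigned)F_LEN(&fixed.o), !!(fixed.o.len & F_NOT),
           match_uid(&fixed, 0));
    return 0;
}
```

Because F_LEN() masks the flag bits off, both encodings report the same size, which is why the bug did not show up as a malformed rule; only the semantics inverted.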
* o Initialize a local variable and make gcc happy. (maxim, 2004-09-10, 1 file, -0/+2)
  PR: bin/71485
  Submitted by: Jukka A. Ukkonen
* o Restore a historical ipfw1 logamount behaviour: rules with 'log' keyword but without 'logamount' limit the amount of their log messages by net.inet.ip.fw.verbose_limit sysctl value. (maxim, 2004-08-29, 1 file, -0/+7)
  RELENG_5 candidate.

  PR: kern/46080
  Submitted by: Dan Pelleg
  MFC after: 1 week
* Fix 'show' command for pipes and queues. (pjd, 2004-08-23, 1 file, -1/+7)
  PR: bin/70311
  Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
  MFC after: 3 days
* Remove trailing whitespace and change "prisoniD" to "prisonID". (csjp, 2004-08-13, 1 file, -2/+2)
  Pointed out by: simon
  Approved by: bmilekic (mentor)
* Add the ability to associate ipfw rules with a specific prison ID. (csjp, 2004-08-12, 2 files, -0/+26)
  Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes:
  - Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility.
  - Append the ipfw opcode list with O_JAIL.
  - While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage.
  - Add ``fw_prid'' to the ipfw ucred cache structure.
  - When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1.
  - Update man page to reflect these changes.

  This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

  It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations.

  Conceptual head nod by: pjd
  Reviewed by: rwatson
  Approved by: bmilekic (mentor)
* New ipfw option "antispoof": (andre, 2004-08-09, 2 files, -3/+49)
  For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came in on is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match.

  Usage example:

    ipfw add deny ip from any to any not antispoof in

  Manpage education by: ru
* Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well. (andre, 2004-07-21, 1 file, -2/+2)
  To quote the submitter:

  The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail.

  This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute.

  Submitted by: James Jun <james@towardex.com>
* Mechanically kill hard sentence breaks. (ru, 2004-07-02, 1 file, -38/+56)
* Fixed a bug spotted by compiling with -Wall. (ru, 2004-06-10, 1 file, -1/+1)
* Introduce a new feature to IPFW2: lookup tables. These are useful for handling large sparse address sets. (ru, 2004-06-09, 2 files, -4/+169)
  Initial implementation by Vsevolod Lobko <seva@ip.net.ua>, refined by me.

  MFC after: 1 week
* o Move NEED1 macro to the top of the source file. (csjp, 2004-06-02, 1 file, -6/+6)
  o Add sanity checking to the firewall delete operation which tells the user that a firewall rule specification is required. The previous behaviour was to exit without reporting any errors to the user.

  Approved by: bmilekic (mentor)
* o Fix usage example. (maxim, 2004-05-23, 1 file, -1/+1)
  PR: docs/67065
  Submitted by: David Syphers
* Remove spurious semicolons. (stefanf, 2004-05-18, 1 file, -2/+2)
  Approved by: das (mentor)
  Reviewed by: ipfw@
* Remove redundant sanity check before add_mac() when adding mac ipfw rules. (csjp, 2004-05-09, 1 file, -2/+0)
  The exact same sanity check is performed as the first operation of add_mac(), so there is no sense in doing it twice.

  Approved by: bmilekic (mentor)
  PR: bin/55981
* Add the option versrcreach to verify that a valid route to the source address of a packet exists in the routing table. (andre, 2004-04-23, 2 files, -2/+28)
  The default route is ignored because it would match everything and render the check pointless.

  This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses.

  Example:

    ipfw add 1000 deny ip from any to any not versrcreach

  also known in Cisco-speak as:

    ip verify unicast source reachable-via any

  Reviewed by: luigi
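An added example covering this versrcreach commit, the RTF_REJECT/RTF_BLACKHOLE extension to it, and the antispoof option, all described in the messages above: a stand-alone C model of both checks run over a constructed routing table. None of it is ipfw code. The struct route fields, rt_lookup(), the IP4() macro, the table entries and the sample packets are this example's assumptions, and the RTF_* values are copied from net/route.h only so the program builds without FreeBSD headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag values as in <net/route.h>; re-declared here as an assumption of
 * this example so it compiles anywhere. */
#define RTF_REJECT    0x0008
#define RTF_BLACKHOLE 0x1000

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct route {
    uint32_t    dst;        /* network prefix, host byte order */
    uint32_t    mask;       /* netmask; 0 marks the default route */
    const char *ifname;     /* interface the route points out of */
    int         flags;      /* RTF_* */
    int         connected;  /* 1 for an interface (directly connected) route */
};

/* Constructed toy routing table standing in for the kernel's. */
static const struct route rt[] = {
    { IP4(0, 0, 0, 0),      IP4(0, 0, 0, 0),       "em0", 0, 0 }, /* default */
    { IP4(192, 168, 1, 0),  IP4(255, 255, 255, 0), "em1", 0, 1 }, /* LAN, connected */
    { IP4(203, 0, 113, 0),  IP4(255, 255, 255, 0), "em0", 0, 1 }, /* uplink, connected */
    { IP4(198, 51, 100, 0), IP4(255, 255, 255, 0), "em0", 0, 0 }, /* learned via BGP */
    { IP4(192, 0, 2, 0),    IP4(255, 255, 255, 0), "lo0",
      RTF_REJECT | RTF_BLACKHOLE, 0 },                            /* null-routed */
};
#define NRT (sizeof(rt) / sizeof(rt[0]))

static int prefix_len(uint32_t mask)
{
    int n = 0;
    while (mask) { n += mask & 1; mask >>= 1; }
    return n;
}

/* Longest-prefix match; the default route only wins if nothing else does. */
static const struct route *rt_lookup(uint32_t addr)
{
    const struct route *best = NULL;
    int bestlen = -1;

    for (size_t i = 0; i < NRT; i++) {
        int len = prefix_len(rt[i].mask);
        if ((addr & rt[i].mask) == rt[i].dst && len > bestlen) {
            best = &rt[i];
            bestlen = len;
        }
    }
    return best;
}

/* versrcreach: 1 if a non-default route to src exists and it is neither a
 * reject nor a blackhole route (uRPF loose check). */
static int versrcreach(uint32_t src)
{
    const struct route *r = rt_lookup(src);

    if (r == NULL || r->mask == 0)
        return 0;                       /* only the default route: no match */
    if (r->flags & (RTF_REJECT | RTF_BLACKHOLE))
        return 0;                       /* null-routed prefix: no match */
    return 1;
}

/* antispoof, inbound: a source inside a directly connected network must
 * arrive on that network's interface; any other source matches. */
static int antispoof_in(uint32_t src, const char *rcvif)
{
    const struct route *r = rt_lookup(src);

    if (r == NULL || !r->connected)
        return 1;
    return strcmp(r->ifname, rcvif) == 0;
}

/* Combined effect of the two deny rules quoted in the commit messages:
 *   deny ip from any to any not versrcreach
 *   deny ip from any to any not antispoof in
 * Returns 1 when the packet would be dropped. */
static int denied(uint32_t src, const char *rcvif)
{
    return !versrcreach(src) || !antispoof_in(src, rcvif);
}

int main(void)
{
    /* Constructed sample packets: source address and receiving interface. */
    struct { uint32_t src; const char *rcvif; } pkts[] = {
        { IP4(198, 51, 100, 7), "em0" },   /* routable, arrives on uplink */
        { IP4(10, 0, 0, 1),     "em0" },   /* only the default route */
        { IP4(192, 0, 2, 5),    "em0" },   /* inside the null route */
        { IP4(192, 168, 1, 10), "em1" },   /* LAN host on the LAN interface */
        { IP4(192, 168, 1, 10), "em0" },   /* LAN address arriving from uplink */
    };

    for (size_t i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++) {
        uint32_t s = pkts[i].src;
        printf("%u.%u.%u.%u via %s: versrcreach=%d antispoof=%d -> %s\n",
               s >> 24, (s >> 16) & 255, (s >> 8) & 255, s & 255,
               pkts[i].rcvif, versrcreach(s), antispoof_in(s, pkts[i].rcvif),
               denied(s, pkts[i].rcvif) ? "deny" : "pass");
    }
    return 0;
}
```

The two checks are complementary: versrcreach only asks whether a usable route to the source exists at all, so a LAN address arriving on the uplink still passes it, while antispoof catches exactly that case but says nothing about addresses outside the directly connected networks.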
* o Fix an incorrect parsing of 0.0.0.0/0 expression. (maxim, 2004-04-09, 1 file, -1/+1)
  PR: kern/64778
  MFC after: 6 weeks
* Backout revision 1.140; it seems that the previous version is clear enough. (ceri, 2004-03-27, 1 file, -2/+1)
  Requested by: ru
* o The length of the port list is limited to 30 entries in ipfw2 not to 15. (maxim, 2004-03-26, 1 file, -1/+1)
  PR: docs/64534
  Submitted by: Dmitry Cherkasov
  MFC after: 1 week
* Clarify the description of the "established" option. (ceri, 2004-03-22, 1 file, -1/+2)
  PR: docs/50391
  Submitted by: root@edcsm.jussieu.fr
  MFC after: 1 week
* o Pass a correct argument to errx(3). (maxim, 2004-01-24, 1 file, -1/+1)
  PR: bin/61846
  Submitted by: Eugene Grosbein
  MFC after: 1 week
* grammar (mtm, 2004-01-23, 1 file, -6/+6)