| Commit message | Author | Age | Files | Lines |
| |
PR: kern/156410
MFC after: 2 weeks
| |
- use a proper macro for interface name ipfw0.
- add missing section number for bpf cross reference.
| |
calculated dynamically.
PR: kern/143653
| |
Checked with: md5, diff -x -w
| |
Checked with: md5, diff -w
| |
the "sockarg" ipfw option matches packets associated to
a local socket and with a non-zero so_user_cookie value.
The value is made available as tablearg, so it can be used
as a skipto target or pipe number in ipfw/dummynet rules.
Code by Paul Joe, manpage by me.
Submitted by: Paul Joe
MFC after: 1 week
| |
It's a bit more pedantic regarding .Bl list elements. This has an added
benefit of unbreaking the ipfw(8) manpage, where groff was silently
skipping one list element.
| |
They have no effect when coming in pairs, or before .Bl/.Bd
| |
Approved by: rrs (mentor)
| |
MFC after: 3 weeks
| |
translating these manual pages. Minor corrections by me.
Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>
| |
thus don't depend on one_pass flag anymore.
This is a POLA violation, but it is quite difficult to restore
the old behavior with new code. Also, the new behavior matches
behavior of the older "tee" action, and this is more intuitive.
| |
Reported by: Robert Noland
| |
which should improve readability, and also to ease the port to
platforms that do not support %llu
MFC after: 3 days
| |
MFC after: 3 days
| |
Submitted by: Marcin Wisnicki
| |
PR: bin/121424
Submitted by: "Julian H. Stacey" <jhs berklix.org>
| |
ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 }
(note that the above example could be better written as
ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8
Submitted by: Riccardo Panicucci
| |
dscp as a search key in table lookups;
+ (re)implement a sysctl variable to control the expire frequency of
pipes and queues when they become empty;
+ add 'queue number' as optional part of the flow_id. This can be
enabled with the command
queue X config mask queue ...
and makes it possible to support priority-based schedulers, where
packets should be grouped according to the priority and not some
fields in the 5-tuple.
This is implemented as follows:
- redefine a field in the ipfw_flow_id (in sys/netinet/ip_fw.h) but
without changing the size or shape of the structure, so there are
no ABI changes. In passing, also document how other fields are
used, and remove some useless assignments in ip_fw2.c
- implement small changes in the userland code to set/read the field;
- revise the functions in ip_dummynet.c to manipulate masks so they
also handle the additional field;
There are no ABI changes in this commit.
| |
of ip->ip_tos) in a table. This can be useful to direct traffic to
different pipes/queues according to the DSCP of the packet, as follows:
ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue
This change is a no-op (but harmless) until the two-line kernel
side is committed, which will happen shortly.
| |
The filtering of the output is done in the kernel instead of userland
to reduce the amount of data transferred.
| |
data size increasing while we fetch the info.
| |
some extra initialization)
| |
and tested over the past two months in the ipfw3-head branch. This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.

The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.

Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.

CREDITS:
This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.
| |
lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N
which searches the specified field in table N and sets tablearg
accordingly.
With dst-ip or src-ip the option replicates two existing options.
When used with other arguments, the option can be useful to
quickly dispatch traffic based on other fields.
Work supported by the Onelab project.
MFC after: 1 week
| |
MFC after: 3 days
| |
it seems that now it is necessary for 'forward' to work outside lo0.
The bug (and fix) was reported on 8.0. This patch probably applies
to RELENG_7 as well.
It seems that 'pf' has a similar bug.
Submitted by: Lytochkin Boris
MFC after: 3 days
| |
Submitted by: gcc 4.3
MFC after: 3 days
| |
staticize two functions.
MFC after: 3 days
| |
Reviewed by: luigi
MFC after: 1 week
| |
PR: 133765
Submitted by: Konstantin Zolotukhin <erebus@gorodok.net>
MFC after: 3 days
| |
Submitted by: Ben Kaduk
Approved by: re (kib)
| |
PR: docs/136061
Submitted by: Ben Kaduk
MFC after: 1 week
| |
- fix printing of pipe profile data.
- introduce new pipe parameter: 'burst' - how much data can be sent through
pipe bypassing bandwidth limit.
| |
"profile" files (bandwidth is mandatory when using a
profile, so it makes sense to have everything in one place).
Update the manpage accordingly.
Submitted by: Marta Carbone
| |
Detected building with gcc 4.3.3
MFC after: 3 days
| |
pipes, queues, tags, rule numbers and so on.
These are all different namespaces, and the only thing they have in
common is the fact they use a 16-bit slot to represent the argument.

There is some confusion in the code, mostly for historical reasons,
on how the values 0 and 65535 should be used. At the moment, 0 is
forbidden almost everywhere, while 65535 is used to represent a
'tablearg' argument, i.e. the result of the most recent table() lookup.

For now, try to use explicit constants for the min and max allowed
values, and do not overload the default rule number for that.

Also, make the MTAG_IPFW declaration only visible to the kernel.

NOTE: I think the issue needs to be revisited before 8.0 is out:
the 2^16 namespace limit for rule numbers and pipe/queue is
annoying, and we can easily bump the limit to 2^32 which gives
a lot more flexibility in partitioning the namespace.

MFC after: 5 days
| |
MFC after: 3 days
| |
types of MAC overheads such as preambles, link level retransmissions
and more.

Note- this commit changes the userland/kernel ABI for pipes
(but not for ordinary firewall rules) so you need to rebuild
kernel and /sbin/ipfw to use dummynet features.
Please check the manpage for details on the new feature.

The MFC would be trivial but it breaks the ABI, so it will
be postponed until after 7.2 is released.
Interested users are welcome to apply the patch manually
to their RELENG_7 tree.

Work supported by the European Commission, Projects Onelab and
Onelab2 (contract 224263).