| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
IP: version, tos, ttl, len, id
TCP: seq#, ack#, window size
Reviewed by: silence on freebsd-{net,ipfw}
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It also squashes 99% of packet kiddie synflood orgies. For example, to
rate syn packets without MSS,
ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
|
| |
|
|
|
|
|
|
| |
It was not discussed and should probably not happen.
Requested by: msmith and others
|
|
|
|
|
|
|
|
| |
the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk
Reviewed by: phk
Approved by: mdodd
|
|
|
|
|
|
|
|
| |
similar to ipfilter's keep-state.
Look at the updated ipfw(8) manpage for details.
Approved-by: jordan
|
|
|
|
|
|
|
| |
Support masks on TCP/UDP ports.
Minor cleanup of ip_fw_chk() to avoid repeated calls to PULLUP_TO
at each rule.
|
|
|
|
|
|
| |
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot). This is consistant with the other
BSD's who made this change quite some time ago. More commits to come.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
to ip_reass()
- style(9) fixes
Reviewed by: julian, green
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
with a match probability to achieve non-deterministic behaviour of
the firewall. This can be extremely useful for testing purposes
such as simulating random packet drop without having to use dummynet
(which already does the same thing), and simulating multipath effects
and the associated out-of-order delivery (this time in conjunction
with dummynet).
The overhead on normal rules is just one comparison with 0.
Since it would have been trivial to implement this by just adding
a field to the ip_fw structure, I decided to do it in a
backward-compatible way (i.e. struct ip_fw is unchanged, and as a
consequence you don't need to recompile ipfw if you don't want to
use this feature), since this was also useful for -STABLE.
When, at some point, someone decides to change struct ip_fw, please
add a length field and a version number at the beginning, so userland
apps can keep working even if they are out of sync with the kernel.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
_or_ you may specify "log logamount number" to set logging specifically
the rule.
In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
|
| |
|
|
|
|
| |
All relevant changes have been made (including ipfw.8).
|
|
|
|
|
|
|
|
| |
- unifdef -DCOMPAT_IPFW (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
compiled-in hooks in ip_init(). This means they initialize the same
way both in-kernel and as kld modules. (IPFW initializes now :-)
|
| |
|
|
|
|
|
|
| |
This will allow us to add dummynet to 3.0
Recompile /sbin/ipfw AND your kernel.
|
|
|
|
|
|
| |
another specialized mbuf type in the process. Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.
/sbin/ipfw must be recompiled!!!
Reviewed by: Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.
NOTE:
o The ipfw struct has changed requiring a recompile of both kernel
and userland ipfw utility.
o This probably should not be brought into 2.2.
PR: 3738
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
accommodate the expanded name, the ICMP types bitmap has been
reduced from 256 bits to 32.
A recompile of kernel and user level ipfw is required.
To be merged into 2.2 after a brief period in -current.
PR: bin/4209
Reviewed by: Archie Cobbs <archie@whistle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.
The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...
see the man page for a complete description.
|
|
|
|
| |
ready for it yet.
|
| |
|
|
|
|
|
|
|
|
| |
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
|
|
|
|
|
| |
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
|
|
|
|
|
|
|
| |
now completely consistent across all IP protocols and should be quite a
bit faster.
Discussed with: fenner & alex
|
|
|
|
|
|
| |
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Log ICMP type during verbose output.
- Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service
attacks via syslog flooding.
- Filter based on ICMP type.
- Timestamp chain entries when they are matched.
- Interfaces can now be matched with a wildcard specification (i.e.
will match any interface unit for a given name).
- Prevent the firewall chain from being manipulated when securelevel
is greater than 2.
- Fixed bug that allowed the default policy to be deleted.
- Ability to zero individual accounting entries.
- Remove definitions of old_chk_ptr and old_ctl_ptr when compiling
ipfw as a lkm.
- Remove some redundant code shared between ip_fw_init and ipfw_load.
Closes PRs: 1192, 1219, and 1267.
|
| |
|
|
|
|
|
| |
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
|
|
|
|
|
| |
Use this to read rules out of ipfw.
Add the lkm code to ipfw.c
|
|
|
|
|
| |
Filter on the direction (in/out).
Filter on fragment/not fragment.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.
Code in -current & -stable is now the same.
|
|
|
|
|
|
|
|
| |
matching IP options..Check and test this - i made only a couple
of rough tests and this could be buggy.. Ipaccounting can't use
IP Options (and i don't see any need to cound packets with specific
options either..)
More to come...
|
| |
|
|
|
|
|
|
|
| |
caused by dtom() being used on an mbuf cluster. The fix involves passing
around the mbuf pointer.
Submitted by: Bill Fenner
|
| |
|
|
|
|
| |
as interface name/unit...
|
|
|
|
|
|
|
| |
1) Firewall is not subdivided on forwarding / blocking chains
anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.
|
|
|
|
| |
Structure fields changed to seem more standart.
|
|
|
|
|
| |
Handle right fragmented packets. Remove checking option
from kernel..
|
| |
|
|
|
|
|
| |
Poul: Please take this into BETA. It's non-intrusive, and a rather
substantial improvement over what was there before.
|
|
|
|
|
| |
people are born lucky..
Submitted by: ugen
|