path: root/sys/netinet/ip_fw.h
Commit message [Author, Age, Files, Lines]
* Added #include of <sys/queue.h> so that this file is more "self"-sufficient.
  [bde, 1998-02-03, 1 file, -1/+3]
* Bump up packet and byte counters to 64-bit unsigned ints. As a consequence, ipfw's list command now adjusts its output at runtime based on the largest packet/byte counter values.
  NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel and userland ipfw utility.
  o This probably should not be brought into 2.2.
  PR: 3738
  [alex, 1998-01-08, 1 file, -5/+8]
* Removed unused #includes.
  [bde, 1997-10-28, 1 file, -3/+1]
* Fixed gratuitous ANSIisms.
  [bde, 1997-09-16, 1 file, -2/+2]
* Support interface names up to 15 characters in length. In order to accommodate the expanded name, the ICMP types bitmap has been reduced from 256 bits to 32. A recompile of kernel and user level ipfw is required. To be merged into 2.2 after a brief period in -current.
  PR: bin/4209
  Reviewed by: Archie Cobbs <archie@whistle.com>
  [alex, 1997-08-08, 1 file, -3/+5]
* Submitted by: Whistle Communications (Archie Cobbs)
  These are quite extensive additions to the ipfw code. They include a change to the API because the old method was broken, but the user view is kept the same. The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections especially TCP related, and many many more ... see the man page for a complete description.
  [julian, 1997-06-02, 1 file, -45/+96]
* Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not ready for it yet.
  [peter, 1997-02-22, 1 file, -1/+1]
* implement "not" keyword for inverting the address logic
  [adam, 1997-01-16, 1 file, -0/+2]
* Make the long-awaited change from $Id$ to $FreeBSD$
  This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
  [jkh, 1997-01-14, 1 file, -1/+1]
* Add hooks for an IP NAT module, much like the firewall stuff...
  Move the sockopt definitions for the firewall code from ip_fw.h to in.h where it belongs.
  [sos, 1996-08-21, 1 file, -12/+1]
* Completely rewrite handling of protocol field for firewalls, things are now completely consistent across all IP protocols and should be quite a bit faster.
  Discussed with: fenner & alex
  [pst, 1996-08-13, 1 file, -8/+2]
* Adding changes to ipfw and the kernel to support ip packet diversion.. This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
  [julian, 1996-07-10, 1 file, -5/+10]
* Big sweep over ipfw, picking up where Poul left off:
  - Log ICMP type during verbose output.
  - Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service attacks via syslog flooding.
  - Filter based on ICMP type.
  - Timestamp chain entries when they are matched.
  - Interfaces can now be matched with a wildcard specification (i.e. will match any interface unit for a given name).
  - Prevent the firewall chain from being manipulated when securelevel is greater than 2.
  - Fixed bug that allowed the default policy to be deleted.
  - Ability to zero individual accounting entries.
  - Remove definitions of old_chk_ptr and old_ctl_ptr when compiling ipfw as a lkm.
  - Remove some redundant code shared between ip_fw_init and ipfw_load.
  Closes PRs: 1192, 1219, and 1267.
  [alex, 1996-06-09, 1 file, -17/+24]
* Correct spelling error in comment
  [gpalmer, 1996-06-02, 1 file, -2/+2]
* Add feature for tcp "established".
  Change interface between netinet and ip_fw to be more general, and thus hopefully also support other ip filtering implementations.
  [phk, 1996-04-03, 1 file, -7/+2]
* Make getsockopt() capable of handling more than one mbuf worth of data.
  Use this to read rules out of ipfw. Add the lkm code to ipfw.c
  [phk, 1996-02-24, 1 file, -11/+3]
* The new firewall functionality:
  Filter on the direction (in/out).
  Filter on fragment/not fragment.
  [phk, 1996-02-24, 1 file, -9/+15]
* Big sweep over the IPFIREWALL and IPACCT code.
  Close the ip-fragment hole.
  Waste less memory.
  Rewrite to contemporary more readable style.
  Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
  Filter incoming >and< outgoing packets.
  Replace "policy" by sticky "deny all" rule.
  Rules have numbers used for ordering and deletion.
  Remove "rerorder" code entirely.
  Count packet & bytecount matches for rules.
  Code in -current & -stable is now the same.
  [phk, 1996-02-23, 1 file, -64/+36]
* Well..finally..this is the first part..it should take care of matching IP options..Check and test this - I made only a couple of rough tests and this could be buggy.. Ipaccounting can't use IP Options (and I don't see any need to count packets with specific options either..) More to come...
  [ugen, 1995-10-01, 1 file, -3/+23]
* Added $Id$.
  [dg, 1995-07-23, 1 file, -0/+2]
* Fixed panic that occurs on certain firewall rejected packets that was caused by dtom() being used on an mbuf cluster. The fix involves passing around the mbuf pointer.
  Submitted by: Bill Fenner
  [dg, 1995-07-09, 1 file, -2/+2]
* Remove trailing whitespace.
  [rgrimes, 1995-05-30, 1 file, -3/+3]
* Allow "via" to be specified either as IP address or as interface name/unit...
  [ugen, 1995-02-24, 1 file, -2/+24]
* Actual firewall change.
  1) Firewall is not subdivided on forwarding / blocking chains anymore. Actually only one chain left - it was the blocking one.
  2) LKM support. ip_fwdef.c is function pointers definition and goes into kernel along with all INET stuff.
  [ugen, 1995-01-12, 1 file, -11/+28]
* Add clear one accounting entry control.
  Structure fields changed to seem more standard.
  [ugen, 1994-12-13, 1 file, -10/+11]
* Add match by interface from which packet arrived (via)
  Handle right fragmented packets. Remove checking option from kernel..
  [ugen, 1994-12-12, 1 file, -2/+1]
* Added: ICMP reply, TCP SYN check, logging..
  [ugen, 1994-11-28, 1 file, -12/+21]
* Ugen J.S.Antsilevich's latest, happiest, IP firewall code.
  Poul: Please take this into BETA. It's non-intrusive, and a rather substantial improvement over what was there before.
  [jkh, 1994-11-16, 1 file, -16/+29]
* Ugen makes it in with 10 seconds to spare with a one-char diff. Some people are born lucky..
  Submitted by: ugen
  [jkh, 1994-11-08, 1 file, -1/+1]
* Almost 12th hour (the 11th hour was almost an hour ago :-) patches from Ugen.
  [jkh, 1994-11-08, 1 file, -25/+35]
* Latest changes from Uben.
  Submitted by: uben
  [jkh, 1994-10-31, 1 file, -6/+4]
* IP Firewall code from Daniel Boulet and J.S.Antsilevich
  Submitted by: danny ugen
  [jkh, 1994-10-28, 1 file, -0/+77]