| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.
NOTE:
o The ipfw struct has changed requiring a recompile of both kernel
and userland ipfw utility.
o This probably should not be brought into 2.2.
PR: 3738
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
accommodate the expanded name, the ICMP types bitmap has been
reduced from 256 bits to 32.
A recompile of kernel and user level ipfw is required.
To be merged into 2.2 after a brief period in -current.
PR: bin/4209
Reviewed by: Archie Cobbs <archie@whistle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.
The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...
see the man page for a complete description.
|
|
|
|
| |
ready for it yet.
|
| |
|
|
|
|
|
|
|
|
| |
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
|
|
|
|
|
| |
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
|
|
|
|
|
|
|
| |
now completely consistent across all IP protocols and should be quite a
bit faster.
Discussed with: fenner & alex
|
|
|
|
|
|
| |
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Log ICMP type during verbose output.
- Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service
attacks via syslog flooding.
- Filter based on ICMP type.
- Timestamp chain entries when they are matched.
- Interfaces can now be matched with a wildcard specification (i.e.
will match any interface unit for a given name).
- Prevent the firewall chain from being manipulated when securelevel
is greater than 2.
- Fixed bug that allowed the default policy to be deleted.
- Ability to zero individual accounting entries.
- Remove definitions of old_chk_ptr and old_ctl_ptr when compiling
ipfw as a lkm.
- Remove some redundant code shared between ip_fw_init and ipfw_load.
Closes PRs: 1192, 1219, and 1267.
|
| |
|
|
|
|
|
| |
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
|
|
|
|
|
| |
Use this to read rules out of ipfw.
Add the lkm code to ipfw.c
|
|
|
|
|
| |
Filter on the direction (in/out).
Filter on fragment/not fragment.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.
Code in -current & -stable is now the same.
|
|
|
|
|
|
|
|
| |
matching IP options..Check and test this - i made only a couple
of rough tests and this could be buggy.. Ipaccounting can't use
IP Options (and i don't see any need to cound packets with specific
options either..)
More to come...
|
| |
|
|
|
|
|
|
|
| |
caused by dtom() being used on an mbuf cluster. The fix involves passing
around the mbuf pointer.
Submitted by: Bill Fenner
|
| |
|
|
|
|
| |
as interface name/unit...
|
|
|
|
|
|
|
| |
1) Firewall is not subdivided on forwarding / blocking chains
anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.
|
|
|
|
| |
Structure fields changed to seem more standart.
|
|
|
|
|
| |
Handle right fragmented packets. Remove checking option
from kernel..
|
| |
|
|
|
|
|
| |
Poul: Please take this into BETA. It's non-intrusive, and a rather
substantial improvement over what was there before.
|
|
|
|
|
| |
people are born lucky..
Submitted by: ugen
|
|
|
|
| |
from Ugen.
|
|
|
|
| |
Submitted by: uben
|
|
Submitted by: danny ugen
|