From 9a711a67d4aa86f9a25f182702a0f82bc85a7859 Mon Sep 17 00:00:00 2001 From: hrs Date: Mon, 9 Jul 2012 07:16:19 +0000 Subject: Make ipfw0 logging pseudo-interface clonable. It can be created automatically by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8) after a boot. Discussed on: freebsd-ipfw@ --- sbin/ipfw/ipfw.8 | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 7974ed6..7f38157 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 3, 2012 +.Dd July 9, 2012 .Dt IPFW 8 .Os .Sh NAME @@ -560,7 +560,22 @@ is set to 0 (default), one can use .Xr bpf 4 attached to the .Li ipfw0 -pseudo interface. There is no overhead if no +pseudo interface. +This pseudo interface can be created after a boot +manually by using the following command: +.Bd -literal -offset indent +# ifconfig ipfw0 create +.Ed +.Pp +Or, automatically at boot time by adding the following +line to the +.Xr rc.conf 5 +file: +.Bd -literal -offset indent +firewall_logif="YES" +.Ed +.Pp +There is no overhead if no .Xr bpf 4 is attached to the pseudo interface. .Pp -- cgit v1.1 From c32d9276849a13a4b25143acf8787063c1435d2c Mon Sep 17 00:00:00 2001 From: issyl0 Date: Mon, 16 Jul 2012 22:15:30 +0000 Subject: In ipfw(8), make the text about dynamic rules consistent. PR: docs/120539 Approved by: gabor (mentor) MFC after: 5 days --- sbin/ipfw/ipfw.8 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 7f38157..ce4594e 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 9, 2012 +.Dd July 16, 2012 .Dt IPFW 8 .Os .Sh NAME 
@@ -2967,9 +2967,11 @@ This will let the firewall install dynamic rules only for those connection which start with a regular SYN packet coming from the inside of our network. Dynamic rules are checked when encountering the first -.Cm check-state -or +occurrence of a +.Cm check-state , .Cm keep-state +or +.Cm limit rule. A .Cm check-state -- cgit v1.1 From d8e2c218a2f038ccc70ed8fe056b40c23f743930 Mon Sep 17 00:00:00 2001 From: luigi Date: Mon, 30 Jul 2012 10:55:23 +0000 Subject: Fix some compile errors at high WARNS, including one for an uninitialized variable. unused parameters and variables are annotated with (void)foo; /* UNUSED */ instead of __unused, because this code needs to build also on linux and windows. --- sbin/ipfw/dummynet.c | 14 ++++++++------ sbin/ipfw/ipfw2.c | 5 +++-- sbin/ipfw/nat.c | 2 ++ 3 files changed, 13 insertions(+), 8 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/dummynet.c b/sbin/ipfw/dummynet.c index 3719e9b..28dc2c7 100644 --- a/sbin/ipfw/dummynet.c +++ b/sbin/ipfw/dummynet.c @@ -759,7 +759,8 @@ load_extra_delays(const char *filename, struct dn_profile *p, void ipfw_config_pipe(int ac, char **av) { - int i, j; + int i; + u_int j; char *end; struct dn_id *buf, *base; struct dn_sch *sch = NULL; @@ -1282,8 +1283,8 @@ parse_range(int ac, char *av[], uint32_t *v, int len) av--; } if (v[1] < v[0] || - v[1] < 0 || v[1] >= DN_MAX_ID-1 || - v[0] < 0 || v[1] >= DN_MAX_ID-1) { + v[1] >= DN_MAX_ID-1 || + v[1] >= DN_MAX_ID-1) { continue; /* invalid entry */ } n++; @@ -1310,11 +1311,12 @@ void dummynet_list(int ac, char *av[], int show_counters) { struct dn_id *oid, *x = NULL; - int ret, i, l; + int ret, i; int n; /* # of ranges */ - int buflen; - int max_size; /* largest obj passed up */ + u_int buflen, l; + u_int max_size; /* largest obj passed up */ + (void)show_counters; // XXX unused, but we should use it. ac--; av++; /* skip 'list' | 'show' word */ diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index dd22ad0..f714035 100644 
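Review bot: The rewritten condition in parse_range still tests `v[1] >= DN_MAX_ID-1` twice, so one of the two terms is dead, and the `v[0] < 0` it replaces suggests the second term was meant to bound `v[0]`. Because the first term already rejects `v[1] < v[0]`, any `v[0]` that passes is also below `DN_MAX_ID-1`, so the check is not wrong, but the duplicate should either be dropped or become the intended `v[0] >= DN_MAX_ID-1` so the next reader does not have to derive that. Removing the `< 0` tests is sound only because `v` is `uint32_t *`, which the hunk header shows; a one-line comment `/* v[] is unsigned, so only the upper bound needs checking */` would record that. parse_range begins outside the hunk.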
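Review bot: In dummynet_list, `l` and `buflen` become `u_int` while `ret`, `i` and `n` stay `int`, so any later comparison between `ret` (which, if it carries a syscall result, can be -1) and `l` or `buflen` is now a signed/unsigned comparison in which -1 compares greater; the rest of the body is outside the hunk, so this is worth confirming rather than assuming. The `(void)show_counters; // XXX unused, but we should use it.` line also uses a `//` comment where the same commit adopts `/* UNUSED */` in nat.c; the two nat.c hunks below and the show_prerequisites hunk in the next commit keep the block-comment form, so `(void)show_counters; /* UNUSED: XXX should drive counter output */` would match.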
--- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -412,7 +412,7 @@ do_cmd(int optname, void *optval, uintptr_t optlen) * and calls setsockopt(). * Function returns 0 on success or -1 otherwise. */ -int +static int do_setcmd3(int optname, void *optval, socklen_t optlen) { socklen_t len; @@ -3930,6 +3930,7 @@ ipfw_table_handler(int ac, char *av[]) uint32_t a, type, mask, addrlen; uint32_t tables_max; + mask = 0; // XXX uninitialized ? len = sizeof(tables_max); if (sysctlbyname("net.inet.ip.fw.tables_max", &tables_max, &len, NULL, 0) == -1) @@ -4135,7 +4136,7 @@ table_list(uint16_t num, int need_header) if (sz < xent->len) break; sz -= xent->len; - xent = (void *)xent + xent->len; + xent = (ipfw_table_xentry *)((char *)xent + xent->len); } free(tbl); diff --git a/sbin/ipfw/nat.c b/sbin/ipfw/nat.c index 6bec36c..9b4ac84 100644 --- a/sbin/ipfw/nat.c +++ b/sbin/ipfw/nat.c @@ -318,6 +318,7 @@ estimate_redir_addr(int *ac, char ***av) char *sep = **av; u_int c = 0; + (void)ac; /* UNUSED */ while ((sep = strchr(sep, ',')) != NULL) { c++; sep++; @@ -379,6 +380,7 @@ estimate_redir_port(int *ac, char ***av) char *sep = **av; u_int c = 0; + (void)ac; /* UNUSED */ while ((sep = strchr(sep, ',')) != NULL) { c++; sep++; -- cgit v1.1 From c90cd26f1610fbff118edf8a8a1a97b6d25f0f42 Mon Sep 17 00:00:00 2001 From: luigi Date: Mon, 30 Jul 2012 11:02:22 +0000 Subject: remove the last __unused instance in sbin/ipfw. This particular function (show_prerequisites() ) we should actually remove the argument from the callers as well, but i'll do it at a later time. --- sbin/ipfw/ipfw2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index f714035..530f319 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c 
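Review bot: `mask = 0; // XXX uninitialized ?` in ipfw_table_handler silences the warning but leaves the question in the source, so the next reader cannot tell whether a zero mask is a deliberate default or a guess. If a parse path can reach a use of `mask` without assigning it, a zero mask is a behavioural choice that the comment should state; if no such path exists, the comment should say that instead, e.g. `mask = 0; /* only to quiet the compiler; always assigned before use */`. The parsing that assigns `mask` lies outside the hunk, so which of the two applies cannot be confirmed from here. The `//` form is also inconsistent with the `/* UNUSED */` block comments this commit adds elsewhere.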
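Review bot: The advance `xent = (ipfw_table_xentry *)((char *)xent + xent->len);` in table_list does not move when `xent->len` is 0, and the preceding `if (sz < xent->len) break;` lets that value through, so a zero-length entry in the buffer would make the loop spin forever with `sz` unchanged. Guarding the length before it is used, `if (xent->len == 0 || sz < xent->len) break;`, costs one comparison and records that `len` is only trusted after the check. The loop head and the origin of `tbl` are outside the hunk, so whether a zero `len` can actually arrive cannot be confirmed here. The cast through `char *` is the right replacement for arithmetic on `void *`.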
@@ -976,8 +976,9 @@ print_icmptypes(ipfw_insn_u32 *cmd) #define HAVE_OPTIONS 0x8000 static void -show_prerequisites(int *flags, int want, int cmd __unused) +show_prerequisites(int *flags, int want, int cmd) { + (void)cmd; /* UNUSED */ if (co.comment_only) return; if ( (*flags & HAVE_IP) == HAVE_IP) -- cgit v1.1 From ce75cc6b07b16d62ee8d016684e049bfa2c87e98 Mon Sep 17 00:00:00 2001 From: kevlo Date: Tue, 11 Sep 2012 07:54:41 +0000 Subject: Remove unused values --- sbin/ipfw/nat.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/nat.c b/sbin/ipfw/nat.c index 9b4ac84..bff28e1 100644 --- a/sbin/ipfw/nat.c +++ b/sbin/ipfw/nat.c @@ -421,7 +421,7 @@ setup_redir_port(char *buf, int *ac, char ***av) /* * Extract local address. */ - if ((sep = strchr(**av, ',')) != NULL) { + if (strchr(**av, ',') != NULL) { r->laddr.s_addr = INADDR_NONE; r->lport = ~0; numLocalPorts = 1; @@ -454,7 +454,7 @@ setup_redir_port(char *buf, int *ac, char ***av) /* * Extract public port and optionally address. */ - if ((sep = strchr(**av, ':')) != NULL) { + if (strchr(**av, ':') != NULL) { if (StrToAddrAndPortRange(**av, &r->paddr, protoName, &portRange) != 0) errx(EX_DATAERR, "redirect_port: " @@ -482,7 +482,7 @@ setup_redir_port(char *buf, int *ac, char ***av) * option for this redirect entry, else stop here processing arg[cv]. */ if (*ac != 0 && isdigit(***av)) { - if ((sep = strchr(**av, ':')) != NULL) { + if (strchr(**av, ':') != NULL) { if (StrToAddrAndPortRange(**av, &r->raddr, protoName, &portRange) != 0) errx(EX_DATAERR, "redirect_port: " -- cgit v1.1 From 563984a874a9e7dd23e1f1819bd8c07c3910a639 Mon Sep 17 00:00:00 2001 
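Review bot: With the three `sep =` assignments removed from setup_redir_port (this hunk and the two at -454 and -482), `sep` may no longer be written anywhere in the function; if so, its declaration, which is outside the hunk, should go as well, otherwise the unused-value warning simply becomes an unused-variable warning at the same WARNS level. The replacement `if (strchr(**av, ',') != NULL) {` is fine as a presence test; since the result is now discarded, the existing `/* Extract local address. */` comment above it is the only hint of why the separator matters and could be extended to say that the comma selects the branch.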
From: bjk Date: Tue, 18 Sep 2012 02:33:23 +0000 Subject: Whitespace cleanup for ipfw.8 -- start each sentence on a new line, and put a comma after e.g. and i.e.. While here, wrap long lines. PR: docs/157452 Approved by: hrs (mentor) --- sbin/ipfw/ipfw.8 | 91 ++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 58 insertions(+), 33 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index ce4594e..a6f5a73 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -141,7 +141,7 @@ the firewall will have a .Em stateful behaviour, i.e., upon a match it will create .Em dynamic rules , -i.e. rules that match packets with the same 5-tuple +i.e., rules that match packets with the same 5-tuple (protocol, source and destination addresses and ports) as the packet which caused their creation. Dynamic rules, which have a limited lifetime, are checked @@ -223,14 +223,15 @@ When listing and is specified, also show expired dynamic rules. .It Fl f Do not ask for confirmation for commands that can cause problems -if misused, -.No i.e. Cm flush . +if misused, i.e., +.Cm flush . If there is no tty associated with the process, this is implied. .It Fl i When listing a table (see the .Sx LOOKUP TABLES section below for more information on lookup tables), format values -as IP addresses. By default, values are shown as integers. +as IP addresses. +By default, values are shown as integers. .It Fl n Only check syntax of the command strings, without actually passing them to the kernel. @@ -421,7 +422,7 @@ Keywords are case-sensitive, whereas arguments may or may not be case-sensitive depending on their nature (e.g.\& uid's are, hostnames are not). .Pp -Some arguments (e.g. port or address lists) are comma-separated +Some arguments (e.g., port or address lists) are comma-separated lists of values. In this case, spaces after commas ',' are allowed to make the line more readable. 
@@ -873,7 +874,8 @@ Takes rule number saved to internal stack by the last action and returns ruleset processing to the first rule with number greater than number of corresponding .Cm call -rule. See description of the +rule. +See description of the .Cm call action for more details. .Pp @@ -960,23 +962,29 @@ Initially this is limited to the values 0 through 15, see Processing continues at the next rule. It is possible to use the .Cm tablearg -keyword with a setfib. If tablearg value is not within compiled FIB range packet fib is set to 0. +keyword with a setfib. +If tablearg value is not within compiled FIB range packet fib is set to 0. .It Cm reass Queue and reassemble ip fragments. -If the packet is not fragmented, counters are updated and processing continues with the next rule. +If the packet is not fragmented, counters are updated and +processing continues with the next rule. If the packet is the last logical fragment, the packet is reassembled and, if .Va net.inet.ip.fw.one_pass -is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates. -If the packet is a fragment in the middle, it is consumed and processing stops immediately. +is set to 0, processing continues with the next rule, else packet is +allowed to pass and search terminates. +If the packet is a fragment in the middle, it is consumed and +processing stops immediately. .Pp Fragments handling can be tuned via .Va net.inet.ip.maxfragpackets and .Va net.inet.ip.maxfragsperpacket -which limit, respectively, the maximum number of processable fragments (default: 800) and +which limit, respectively, the maximum number of processable +fragments (default: 800) and the maximum number of fragments per packet (default: 16). .Pp -NOTA BENE: since fragments do not contain port numbers, they should be avoided with the +NOTA BENE: since fragments do not contain port numbers, +they should be avoided with the .Nm reass rule. Alternatively, direction-based (like 
@@ -1596,7 +1604,8 @@ This is the short form of .It Cm sockarg Matches packets that are associated to a local socket and for which the SO_USER_COOKIE socket option has been set -to a non-zero value. As a side effect, the value of the +to a non-zero value. +As a side effect, the value of the option is made available as .Cm tablearg value, which in turn can be used as @@ -1746,7 +1755,7 @@ connected networks instead of all source addresses. .El .Sh LOOKUP TABLES Lookup tables are useful to handle large sparse sets of -addresses or other search keys (e.g. ports, jail IDs, interface names). +addresses or other search keys (e.g., ports, jail IDs, interface names). In the rest of this section we will use the term ``address''. There may be up to 65535 different lookup tables, numbered 0 to 65534. .Pp @@ -1784,7 +1793,8 @@ the routing table (see .Xr route 4 ) . .Pp Lookup tables currently support only ports, jail IDs, IPv4/IPv6 addresses -and interface names. Wildcards is not supported for interface names. +and interface names. +Wildcards is not supported for interface names. .Pp The .Cm tablearg @@ -1813,7 +1823,8 @@ Section for example usage of tables and the tablearg keyword. When used with the .Cm skipto action, the user should be aware that the code will walk the ruleset -up to a rule equal to, or past, the given number, and should therefore try keep the +up to a rule equal to, or past, the given number, +and should therefore try keep the ruleset compact between the skipto and the target rules. .Sh SETS OF RULES Each rule belongs to one of 32 different 
@@ -2021,10 +2032,12 @@ As an example, using ``src-ip 0xffffff00'' creates one instance for each /24 destination subnet. .Pp The FLOW_MASK, together with the SCHED_MASK, is used to split -packets into flows. As an example, using +packets into flows. +As an example, using ``src-ip 0x000000ff'' together with the previous SCHED_MASK makes a flow for -each individual source address. In turn, flows for each /24 +each individual source address. +In turn, flows for each /24 subnet will be sent to the same scheduler instance. .Pp The above diagram holds even for the @@ -2143,12 +2156,13 @@ A file specifying the additional overhead incurred in the transmission of a packet on the link. .Pp Some link types introduce extra delays in the transmission -of a packet, e.g. because of MAC level framing, contention on +of a packet, e.g., because of MAC level framing, contention on the use of the channel, MAC level retransmissions and so on. From our point of view, the channel is effectively unavailable for this extra time, which is constant or variable depending -on the link type. Additionally, packets may be dropped after this -time (e.g. on a wireless link after too many retransmissions). +on the link type. +Additionally, packets may be dropped after this +time (e.g., on a wireless link after too many retransmissions). We can model the additional delay with an empirical curve that represents its distribution. .Bd -literal -offset indent @@ -2184,7 +2198,7 @@ If not specified here, it must be present explicitly as a configuration parameter for the pipe; .It Cm loss-level Ar L the probability above which packets are lost. -(0.0 <= L <= 1.0, default 1.0 i.e. no loss); +(0.0 <= L <= 1.0, default 1.0 i.e., no loss); .It Cm samples Ar N the number of samples used in the internal representation of the curve (2..1024; default 100); 
@@ -2249,7 +2263,8 @@ but gives no service guarantees. .It Cm wf2q+ implements the WF2Q+ algorithm, which is a Weighted Fair Queueing algorithm which permits flows to share bandwidth according to -their weights. Note that weights are not priorities; even a flow +their weights. +Note that weights are not priorities; even a flow with a minuscule weight will never starve. WF2Q+ has O(log N) per-packet processing cost, where N is the number of flows, and is the default algorithm used by previous versions @@ -2535,7 +2550,8 @@ in .Xr natd 8 for more information. .It Cm tablearg -Uses argument supplied in lookup table. See +Uses argument supplied in lookup table. +See .Sx LOOKUP TABLES section below for more information on lookup tables. .El @@ -2597,11 +2613,13 @@ or before ipfw module gets loaded. .Bl -tag -width indent .It Va net.inet.ip.fw.default_to_accept: No 0 -Defines ipfw last rule behavior. This value overrides +Defines ipfw last rule behavior. +This value overrides .Cd "options IPFW_DEFAULT_TO_(ACCEPT|DENY)" from kernel configuration file. .It Va net.inet.ip.fw.tables_max: No 128 -Defines number of tables available in ipfw. Number cannot exceed 65534. +Defines number of tables available in ipfw. +Number cannot exceed 65534. .El .Sh SYSCTL VARIABLES A set of 
@@ -2631,12 +2649,14 @@ Option 1 should never be selected as this forms a security risk. An attacker can establish multiple fake associations by sending AddIP messages. .It Va net.inet.ip.alias.sctp.chunk_proc_limit: No 5 -Defines the maximum number of chunks in an SCTP packet that will be parsed for a +Defines the maximum number of chunks in an SCTP packet that will be +parsed for a packet that matches an existing association. This value is enforced to be greater or equal than .Cm net.inet.ip.alias.sctp.initialising_chunk_proc_limit . A high value is -a DoS risk yet setting too low a value may result in important control chunks in +a DoS risk yet setting too low a value may result in +important control chunks in the packet not being located and parsed. .It Va net.inet.ip.alias.sctp.error_on_ootb: No 1 Defines when the @@ -2658,7 +2678,8 @@ This value is only useful if the .Nm nat is tracking global IP addresses. .It Cm 3 -ErrorM is sent in response to all OOTB packets on both the local and global side +ErrorM is sent in response to all OOTB packets on both +the local and global side (DoS risk). .El .Pp @@ -2709,12 +2730,14 @@ will only be an INIT or ASCONF-AddIP packet. A higher value may become a DoS risk as malformed packets can consume processing resources. .It Va net.inet.ip.alias.sctp.param_proc_limit: No 25 -Defines the maximum number of parameters within a chunk that will be parsed in a +Defines the maximum number of parameters within a chunk that will be +parsed in a packet. As for other similar sysctl variables, larger values pose a DoS risk. .It Va net.inet.ip.alias.sctp.log_level: No 0 Level of detail in the system log messages (0 \- minimal, 1 \- event, -2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). May be a good +2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). +May be a good option in high loss environments. .It Va net.inet.ip.alias.sctp.shutdown_time: No 15 Timeout value while waiting for SHUTDOWN-COMPLETE. 
@@ -2733,7 +2756,8 @@ association is limited to this value .El .Pp This variable is fully dynamic, the new value will be adopted for all newly -arriving associations, existing associations are treated as they were previously. +arriving associations, existing associations are treated +as they were previously. Global tracking will decrease the number of collisions within the .Nm nat at a cost @@ -3280,7 +3304,8 @@ Some early work (1999-2000) on the traffic shaper supported by Akamba Corp. .Pp The ipfw core (ipfw2) has been completely redesigned and -reimplemented by Luigi Rizzo in summer 2002. Further +reimplemented by Luigi Rizzo in summer 2002. +Further actions and options have been added by various developer over the years. .Pp -- cgit v1.1 From 8ae051cca31518c696bd2a3e2b4ec0aa28d0e8f6 Mon Sep 17 00:00:00 2001 From: bjk Date: Tue, 18 Sep 2012 16:00:44 +0000 Subject: Fix grammar in the portion about FIBs. Also, cross-reference setfib(2) instead of setfib(1) for the 16-FIB limit. PR: docs/157452 Approved by: hrs (mentor) --- sbin/ipfw/ipfw.8 | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index a6f5a73..af4a2c5 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 
@@ -957,25 +957,27 @@ actions. The packet is tagged so as to use the FIB (routing table) .Ar fibnum in any subsequent forwarding decisions. -Initially this is limited to the values 0 through 15, see -.Xr setfib 1 . +In the current implementation, this is limited to the values 0 through 15, see +.Xr setfib 2 . Processing continues at the next rule. It is possible to use the .Cm tablearg -keyword with a setfib. -If tablearg value is not within compiled FIB range packet fib is set to 0. +keyword with setfib. +If the tablearg value is not within the compiled range of fibs, +the packet's fib is set to 0. .It Cm reass -Queue and reassemble ip fragments. +Queue and reassemble IP fragments. If the packet is not fragmented, counters are updated and processing continues with the next rule. If the packet is the last logical fragment, the packet is reassembled and, if .Va net.inet.ip.fw.one_pass -is set to 0, processing continues with the next rule, else packet is -allowed to pass and search terminates. -If the packet is a fragment in the middle, it is consumed and +is set to 0, processing continues with the next rule. +Otherwise, the packet is allowed to pass and the search terminates. +If the packet is a fragment in the middle of a logical group of fragments, +it is consumed and processing stops immediately. .Pp -Fragments handling can be tuned via +Fragment handling can be tuned via .Va net.inet.ip.maxfragpackets and .Va net.inet.ip.maxfragsperpacket -- cgit v1.1 From 095dbb2067f73f3584321ab8ecfdb9692c3b7bab Mon Sep 17 00:00:00 2001 From: melifaro Date: Mon, 24 Sep 2012 17:31:08 +0000 Subject: Permit table to be used as IPv6 address. Reported by: Serhiy Popov MFC after: 2 weeks --- sbin/ipfw/ipv6.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipv6.c b/sbin/ipfw/ipv6.c index ee93d98..8271080 100644 --- a/sbin/ipfw/ipv6.c +++ b/sbin/ipfw/ipv6.c 
@@ -352,6 +352,22 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av) return (1); } + if (strncmp(av, "table(", 6) == 0) { + char *p = strchr(av + 6, ','); + uint32_t *dm = ((ipfw_insn_u32 *)cmd)->d; + + if (p) + *p++ = '\0'; + cmd->o.opcode = O_IP_DST_LOOKUP; + cmd->o.arg1 = strtoul(av + 6, NULL, 0); + if (p) { + cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32); + dm[0] = strtoul(p, NULL, 0); + } else + cmd->o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } + av = strdup(av); while (av) { /* @@ -469,7 +485,11 @@ add_srcip6(ipfw_insn *cmd, char *av) { fill_ip6((ipfw_insn_ip6 *)cmd, av); - if (F_LEN(cmd) == 0) { /* any */ + if (cmd->opcode == O_IP_DST_SET) /* set */ + cmd->opcode = O_IP_SRC_SET; + else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ + cmd->opcode = O_IP_SRC_LOOKUP; + else if (F_LEN(cmd) == 0) { /* any */ } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ cmd->opcode = O_IP6_SRC_ME; } else if (F_LEN(cmd) == @@ -487,7 +507,11 @@ add_dstip6(ipfw_insn *cmd, char *av) { fill_ip6((ipfw_insn_ip6 *)cmd, av); - if (F_LEN(cmd) == 0) { /* any */ + if (cmd->opcode == O_IP_DST_SET) /* set */ + ; + else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ + ; + else if (F_LEN(cmd) == 0) { /* any */ } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */ cmd->opcode = O_IP6_DST_ME; } else if (F_LEN(cmd) == -- cgit v1.1 From b2ee4f5a3f77e7c7823b6cc9daecac3be7b63d2d Mon Sep 17 00:00:00 2001 From: melifaro Date: Mon, 24 Sep 2012 17:34:30 +0000 Subject: Whitespace fixes MFC after: 2 weeks --- sbin/ipfw/ipv6.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipv6.c b/sbin/ipfw/ipv6.c index 8271080..6326590 100644 --- a/sbin/ipfw/ipv6.c +++ b/sbin/ipfw/ipv6.c 
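Review bot: The new `table(` branch in fill_ip6 parses both numbers with `strtoul(..., NULL, 0)`, so it accepts trailing garbage, never verifies that the closing `)` is present, and cannot detect an empty or out-of-range number; `table(abc)` silently becomes table 0. Passing an end pointer and requiring it to land on `','`/`'\0'` for the table number and on `')'` for the value closes that gap, and reporting the failure with the `errx(EX_DATAERR, ...)` idiom the other ipfw sources on this page use keeps the error handling consistent; the ERANGE test below assumes `errno.h` is already available in ipv6.c, which the hunk does not show. If `cmd->o.arg1` is narrower than `unsigned long`, a large table number is also truncated on assignment, which a range check against the field's width would catch. fill_ip6 continues outside the hunk.
```c
	if (strncmp(av, "table(", 6) == 0) {
		char *p = strchr(av + 6, ',');
		char *end;
		uint32_t *dm = ((ipfw_insn_u32 *)cmd)->d;

		/* … unchanged: terminate at ',' and set O_IP_DST_LOOKUP … */
		/* accept only a well-formed number, closed by ',' or ')' */
		errno = 0;
		cmd->o.arg1 = strtoul(av + 6, &end, 0);
		if (end == av + 6 || *end != (p ? '\0' : ')') || errno == ERANGE)
			errx(EX_DATAERR, "invalid table number in %s", av);
		if (p) {
			cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
			errno = 0;
			dm[0] = strtoul(p, &end, 0);
			if (end == p || *end != ')' || errno == ERANGE)
				errx(EX_DATAERR, "invalid table value in %s", p);
		} else
			cmd->o.len |= F_INSN_SIZE(ipfw_insn);
		return (1);
	}
```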
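Review bot: In add_dstip6 the two new branches are empty statements, `if (cmd->opcode == O_IP_DST_SET) /* set */ ; else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */ ;`, which read like stray semicolons to anyone who has not first seen add_srcip6. Folding them into one guarded no-op, `if (cmd->opcode == O_IP_DST_SET || cmd->opcode == O_IP_DST_LOOKUP) { /* set or table: opcode already chosen, nothing to rewrite */ } else if (F_LEN(cmd) == 0) { /* any */`, keeps the shape parallel with add_srcip6 and says why nothing happens. The opcode tests must stay ahead of the `F_LEN` tests, as they do here, because a table lookup with a value has the same length as the "me" case; where `O_IP_DST_SET` gets set is not visible in this hunk (presumably fill_ip6 or the caller), so that is worth confirming. Both functions continue outside the hunk.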
@@ -336,21 +336,21 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av) * Note d[1] points to struct in6_add r mask6 of cmd */ - cmd->o.len &= ~F_LEN_MASK; /* zero len */ + cmd->o.len &= ~F_LEN_MASK; /* zero len */ - if (strcmp(av, "any") == 0) - return (1); + if (strcmp(av, "any") == 0) + return (1); - if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/ - cmd->o.len |= F_INSN_SIZE(ipfw_insn); - return (1); - } + if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/ + cmd->o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } - if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/ - cmd->o.len |= F_INSN_SIZE(ipfw_insn); - return (1); - } + if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/ + cmd->o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } if (strncmp(av, "table(", 6) == 0) { char *p = strchr(av + 6, ','); @@ -368,8 +368,8 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av) return (1); } - av = strdup(av); - while (av) { + av = strdup(av); + while (av) { /* * After the address we can have '/' indicating a mask, * or ',' indicating another address follows. -- cgit v1.1 From 71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 Mon Sep 17 00:00:00 2001 From: ae Date: Thu, 25 Oct 2012 09:39:14 +0000 Subject: Remove the IPFIREWALL_FORWARD kernel option and make possible to turn on the related functionality in the runtime via the sysctl variable net.pfil.forward. It is turned off by default. Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks --- sbin/ipfw/ipfw.8 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index af4a2c5..5542ddc 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 16, 2012 +.Dd October 25, 2012 .Dt IPFW 8 .Os .Sh NAME 
@@ -777,8 +777,11 @@ use with transparent proxy servers. .Pp To enable .Cm fwd -a custom kernel needs to be compiled with the option -.Cd "options IPFIREWALL_FORWARD" . +the +.Xr sysctl 8 +variable +.Va net.pfil.forward +should be set to 1. .It Cm nat Ar nat_nr | tablearg Pass packet to a nat instance -- cgit v1.1 From 4354018055d167b2dd190c0ed81b74972a32fe2c Mon Sep 17 00:00:00 2001 From: ae Date: Fri, 2 Nov 2012 01:20:55 +0000 Subject: Remove the recently added sysctl variable net.pfil.forward. Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set. Suggested by: andre --- sbin/ipfw/ipfw.8 | 8 -------- 1 file changed, 8 deletions(-) (limited to 'sbin/ipfw') diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 5542ddc..db0dfc0 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -774,14 +774,6 @@ This makes the .Xr netstat 1 entry look rather weird but is intended for use with transparent proxy servers. -.Pp -To enable -.Cm fwd -the -.Xr sysctl 8 -variable -.Va net.pfil.forward -should be set to 1. .It Cm nat Ar nat_nr | tablearg Pass packet to a nat instance -- cgit v1.1