Document new table values.
Sponsored by: Yandex LLC
This commit is contained in:
Alexander V. Chernikov
parent
b1d105bc68
commit
5371ab1408
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/projects/ipfw/; revision=272477
@ -118,6 +118,8 @@ in-kernel NAT.
|
|||||||
.Cm internal iflist
|
.Cm internal iflist
|
||||||
.Nm
|
.Nm
|
||||||
.Cm internal talist
|
.Cm internal talist
|
||||||
|
.Nm
|
||||||
|
.Cm internal vlist
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
@ -1918,18 +1920,6 @@ Matches packet fields specified by
|
|||||||
type suboptions with table entries.
|
type suboptions with table entries.
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
The following value format types are supported:
|
|
||||||
.Bl -tag -width indent
|
|
||||||
.It Ar value-ftype : Ar number | ip
|
|
||||||
.It Cm number
|
|
||||||
Default for
|
|
||||||
.Ar number
|
|
||||||
value type.
|
|
||||||
Shows values as unsigned integer.
|
|
||||||
.It Cm ip
|
|
||||||
Show values as IPv4 addresses.
|
|
||||||
.El
|
|
||||||
.Pp
|
|
||||||
Tables require explicit creation via
|
Tables require explicit creation via
|
||||||
.Cm create
|
.Cm create
|
||||||
before use.
|
before use.
|
||||||
@ -1937,13 +1927,12 @@ before use.
|
|||||||
The following creation options are supported:
|
The following creation options are supported:
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
.It Ar create-options : Ar create-option | create-options
|
.It Ar create-options : Ar create-option | create-options
|
||||||
.It Ar create-option : Cm type Ar table-type | Cm ftype Ar value-ftype | Cm algo Ar algo-desc |
|
.It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
|
||||||
.Cm limit Ar number | Cm locked
|
.Cm limit Ar number | Cm locked
|
||||||
.It Cm type
|
.It Cm type
|
||||||
Table key type.
|
Table key type.
|
||||||
.It Cm ftype
|
.It Cm valtype
|
||||||
Table value format type.
|
Table value mask.
|
||||||
Affects userland formatting only.
|
|
||||||
.It Cm algo
|
.It Cm algo
|
||||||
Table algorithm to use (see below).
|
Table algorithm to use (see below).
|
||||||
.It Cm limit
|
.It Cm limit
|
||||||
@ -1958,10 +1947,7 @@ keyword.
|
|||||||
The following options can be changed:
|
The following options can be changed:
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
.It Ar modify-options : Ar modify-option | modify-options
|
.It Ar modify-options : Ar modify-option | modify-options
|
||||||
.It Ar modify-option : Cm ftype Ar value-ftype | Cm limit Ar number
|
.It Ar modify-option : Cm limit Ar number
|
||||||
.It Cm ftype
|
|
||||||
Set table value format type.
|
|
||||||
Affects userland formatting only.
|
|
||||||
.It Cm limit
|
.It Cm limit
|
||||||
Alter maximum number of items that may be inserted into table.
|
Alter maximum number of items that may be inserted into table.
|
||||||
.El
|
.El
|
||||||
@ -1974,8 +1960,6 @@ commands.
|
|||||||
.Pp
|
.Pp
|
||||||
Tables of the same
|
Tables of the same
|
||||||
.Ar type
|
.Ar type
|
||||||
and
|
|
||||||
.Ar valtype
|
|
||||||
can be swapped with each other using
|
can be swapped with each other using
|
||||||
.Cm swap Ar name
|
.Cm swap Ar name
|
||||||
command.
|
command.
|
||||||
@ -2035,8 +2019,7 @@ The following lookup algorithms are supported:
|
|||||||
Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see
|
Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see
|
||||||
.Xr route 4 ) .
|
.Xr route 4 ) .
|
||||||
Default choice for
|
Default choice for
|
||||||
.Ar
|
.Ar addr
|
||||||
addr
|
|
||||||
type.
|
type.
|
||||||
.It Cm addr:hash
|
.It Cm addr:hash
|
||||||
Separate auto-growing hashes for IPv4 and IPv6.
|
Separate auto-growing hashes for IPv4 and IPv6.
|
||||||
@ -2066,12 +2049,36 @@ This can significantly reduce number of rules in some configurations.
|
|||||||
If two tables are used in a rule, the result of the second (destination)
|
If two tables are used in a rule, the result of the second (destination)
|
||||||
is used.
|
is used.
|
||||||
.Pp
|
.Pp
|
||||||
|
Each record may hold one or more values according to
|
||||||
|
.Ar value-mask .
|
||||||
|
This mask is set on table creation via
|
||||||
|
.Cm valtype
|
||||||
|
option.
|
||||||
The following value types are supported:
|
The following value types are supported:
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
.It Ar value-type : Ar number
|
.It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
|
||||||
.It Cm number
|
.It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
|
||||||
Default value type.
|
.Ar netgraph | limit | ipv4
|
||||||
If value is not specified, defaults to 0.
|
.It Cm skipto
|
||||||
|
rule number to jump to.
|
||||||
|
.It Cm pipe
|
||||||
|
Pipe number to use.
|
||||||
|
.It Cm fib
|
||||||
|
fib number to match/set.
|
||||||
|
.It Cm nat
|
||||||
|
nat number to jump to.
|
||||||
|
.It Cm dscp
|
||||||
|
dscp value to match/set.
|
||||||
|
.It Cm tag
|
||||||
|
tag number to match/set.
|
||||||
|
.It Cm divert
|
||||||
|
port number to divert traffic to.
|
||||||
|
.It Cm netgraph
|
||||||
|
hook number to move packet to.
|
||||||
|
.It Cm limit
|
||||||
|
maximum number of connections.
|
||||||
|
.It Cm ipv4
|
||||||
|
IPv4 nexthop to fwd packets to.
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
@ -2083,20 +2090,14 @@ action parameters:
|
|||||||
rule options:
|
rule options:
|
||||||
.Cm limit, tagged.
|
.Cm limit, tagged.
|
||||||
.Pp
|
.Pp
|
||||||
When used with
|
|
||||||
.Cm fwd
|
|
||||||
it is possible to supply table entries with values
|
|
||||||
that are in the form of IP addresses or hostnames.
|
|
||||||
See the
|
|
||||||
.Sx EXAMPLES
|
|
||||||
Section for example usage of tables and the tablearg keyword.
|
|
||||||
.Pp
|
|
||||||
When used with the
|
When used with the
|
||||||
.Cm skipto
|
.Cm skipto
|
||||||
action, the user should be aware that the code will walk the ruleset
|
action, the user should be aware that the code will walk the ruleset
|
||||||
up to a rule equal to, or past, the given number,
|
up to a rule equal to, or past, the given number.
|
||||||
and should therefore try keep the
|
.Pp
|
||||||
ruleset compact between the skipto and the target rules.
|
See the
|
||||||
|
.Sx EXAMPLES
|
||||||
|
Section for example usage of tables and the tablearg keyword.
|
||||||
.Sh SETS OF RULES
|
.Sh SETS OF RULES
|
||||||
Each rule or table belongs to one of 32 different
|
Each rule or table belongs to one of 32 different
|
||||||
.Em sets
|
.Em sets
|
||||||
@ -3473,15 +3474,16 @@ action, the table entries may include hostnames and IP addresses.
|
|||||||
.Pp
|
.Pp
|
||||||
In the following example per-interface firewall is created:
|
In the following example per-interface firewall is created:
|
||||||
.Pp
|
.Pp
|
||||||
.Dl "ipfw table IN create type iface"
|
.Dl "ipfw table IN create type iface valtype skipto,fib"
|
||||||
.Dl "ipfw table IN add vlan20 12000"
|
.Dl "ipfw table IN add vlan20 12000,12"
|
||||||
.Dl "ipfw table IN add vlan30 13000"
|
.Dl "ipfw table IN add vlan30 13000,13"
|
||||||
.Dl "ipfw table OUT create type iface"
|
.Dl "ipfw table OUT create type iface valtype skipto"
|
||||||
.Dl "ipfw table OUT add vlan20 22000"
|
.Dl "ipfw table OUT add vlan20 22000"
|
||||||
.Dl "ipfw table OUT add vlan30 23000"
|
.Dl "ipfw table OUT add vlan30 23000"
|
||||||
.Dl ".."
|
.Dl ".."
|
||||||
.Dl "ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(IN)' in"
|
.Dl "ipfw add 100 ipfw setfib tablearg ip from any to any recv 'table(IN)' in"
|
||||||
.Dl "ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(OUT)' out"
|
.Dl "ipfw add 200 ipfw skipto tablearg ip from any to any recv 'table(IN)' in"
|
||||||
|
.Dl "ipfw add 300 ipfw skipto tablearg ip from any to any xmit 'table(OUT)' out"
|
||||||
.Pp
|
.Pp
|
||||||
The following example illustrate usage of flow tables:
|
The following example illustrate usage of flow tables:
|
||||||
.Pp
|
.Pp
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user