Commit Graph

3775 Commits

Author SHA1 Message Date
Luigi Rizzo
3004afca6e Userland side of:
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implement a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards
2003-07-15 23:08:44 +00:00
Luigi Rizzo
bbc39c8391 Make sure that comments are printed at the end of a rule.
Reported by:  Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
2003-07-15 10:23:43 +00:00
Luigi Rizzo
f3a126d3d8 Fix one typo in help() string, remove whitespace at end of line and
other minor whitespace changes.

Replace u_char with uint8_t in a few places.
2003-07-14 18:57:41 +00:00
Maxim Konovalov
007fe4e38a o Rename local variables, do not shadow global declarations. 2003-07-14 12:43:48 +00:00
Maxim Konovalov
0fe0c0cc20 o Kill MINICMPLEN, there is ICMP_MINLEN already. 2003-07-14 12:42:47 +00:00
Maxim Konovalov
e88178dd90 o Be ready to get a reply with length up to IP_MAXPACKET.
o Warn when recieved packet length is not equal to length of the
packet we sent out. Idea from NetBSD.
o Fit the dump of packet with wrong data to 80 columns (from NetBSD).

Comments from:	bde
2003-07-14 12:37:03 +00:00
Luigi Rizzo
26bf4d78c2 ccept of empty lines when reading from a file (this fixes a bug
introduced in the latest commits).

Also:

* update the 'ipfw -h' output;

* allow rules of the form "100 add allow ..." i.e. with the index first.
  (requested by Paul Richards). This was an undocumented ipfw1 behaviour,
  and it is left undocumented.

and minor code cleanups.
2003-07-14 08:39:49 +00:00
Greg Lehey
17fe3d1d42 Remove reference to max block size. dump no longer limits the block size. 2003-07-14 02:22:55 +00:00
Luigi Rizzo
1b43a426de Add a '-T' flag to print the timestamp as numeric value instead
of converting it with ctime(). This is a lot more convenient for
postprocessing.

Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
2003-07-12 08:35:25 +00:00
Luigi Rizzo
7d3f835703 Document the existence of comments in ipfw rules,
the new flags handled when reading from a file,
and clarify that only numeric values are allowed for icmptypes.

MFC after: 3 days
2003-07-12 07:01:48 +00:00
Luigi Rizzo
62ff38ae06 In random order:
* make the code compile with WARNS=5 (at least on i386), mostly
  by adding 'const' specifier and replacing "void *" with "char *"
  in places where pointer arithmetic was used.
  This also spotted a few places where invalid tests (e.g. uint < 0)
  were used.

* support ranges in "list" and "show" commands. Now you can say

        ipfw show 100-1000 4000-8000

  which is very convenient when you have large rulesets.

* implement comments in ipfw commands. These are implemented in the
  kernel as O_NOP commands (which always match) whose body contains
  the comment string. In userland, a comment is a C++-style comment:

        ipfw add allow ip from me to any // i can talk to everybody

  The choice of '//' versus '#' is somewhat arbitrary, but because
  the preprocessor/readfile part of ipfw used to strip away '#',
  I did not want to change this behaviour.

  If a rule only contains a comment

        ipfw add 1000 // this rule is just a comment

  then it is stored as a 'count' rule (this is also to remind
  the user that scanning through a rule is expensive).

* improve handling of flags (still to be completed).
  ipfw_main() was written thinking of 'one rule per ipfw invocation',
  and so flags are set and never cleared. With readfile/preprocessor
  support, this changes and certain flags should be reset on each
  line. For the time being, only fix handling of '-a' which
  differentiates the "list" and "show" commands.

* rework the preprocessor support -- ipfw_main() already had most
  of the parsing code, so i have moved in there the only missing
  bit (stripping away '#' and comments) and removed the parsing
  from ipfw_readfile().
  Also, add some more options (such as -c, -N, -S) to the readfile
  section.

MFC after: 3 days
2003-07-12 06:53:16 +00:00
Alexander Kabaev
8a50130bbb Do not compare unsigned int values with ULONG_MAX. The comparison is
always false on 64bit platforms and GCC 3.3.1 issues warning there.
2003-07-11 05:47:05 +00:00
Daniel Harris
a10c9747dc Correct to match reality regarding interface names.
PR:		51006
Submitted by:	"Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua>
mdoc clue by:	"Simon L. Nielsen" <simon@nitro.dk>
MFC after:	10 days
2003-07-08 13:24:42 +00:00
Luigi Rizzo
4d233f6b0d * introduce a section on SYNTAX to document the handling
spaces and comma-separated lists of arguments;

* reword the description of address specifications, to include
  previous and current changes for address sets and lists;

* document the new '-n' flag.

* update the section on differences between ipfw1 and ipfw2
  (this is becoming boring!)

MFC after: 3 days
2003-07-08 08:07:03 +00:00
Luigi Rizzo
571f8c1b7a A bunch of changes (mostly syntactic sugar, all backward compatible):
* Make the addr-set size optional (defaults to /24)
    You can now write 1.2.3.0/24{56-80} or  1.2.3.0{56-80}
    Also make the parser more strict.

  * Support a new format for the list of addresses:
        1.2.3.4,5.6.7.8/30,9.10.11.12/22,12.12.12.13, ...
    which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK

  * Allow spaces after commas to make lists of addresses more readable.
        1.2.3.4, 5.6.7.8/30, 9.10.11.12/22, 12.12.12.13, ...

  * ipfw will now accept full commands as a single argument and strip
    extra leading/trailing whitespace as below:
        ipfw "-q add allow ip from 1.2.3.4 to 5.6.7.8, 9.10.11.23 "
    This should help in moving the body of ipfw into a library
    that user programs can invoke.

  * Cleanup some comments and data structures.

  * Do not print rule counters for dynamic rules with ipfw -d list
    (PR 51182)

  * Improve 'ipfw -h' output (PR 46785)

  * Add a '-n' flag to test the syntax of commands without actually
    calling [gs]etsockopt() (PR 44238)

  * Support the '-n' flag also with the preprocessors;

Manpage commit to follow.

MFC after: 3 days
2003-07-08 07:52:47 +00:00
Warner Losh
fd6a8f23ef Drop the pid file after we call the final daemon call. w/o -n would
give the wrong pid.

Submitted by: ru and Lukas Ertl
PR: 54113
2003-07-05 00:43:50 +00:00
Luigi Rizzo
c3e5b9f154 Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.

Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week
2003-07-04 21:42:32 +00:00
Gordon Tetlow
7bbe9e619f Remove smbfs, portalfs, and nwfs from sbin. The sources live in usr.sbin
now.
2003-07-02 16:22:43 +00:00
Gordon Tetlow
d928e581a9 Move mount_portalfs, mount_smbfs, and mount_nwfs from sbin to usr.sbin.
They don't have alot of reason to be in sbin and contribute to library
bloat in the dynamic case. If you are using any of these filesystem
type to hold your /usr, please seek professional help.

The actual code was repo-copied by joe.
2003-07-02 16:16:49 +00:00
Ian Dowse
318f2fb4bf Add a new mount flag MNT_BYFSID that can be used to unmount a file
system by specifying the file system ID instead of a path. Use this
by default in umount(8). This avoids the need to perform any vnode
operations to look up the mount point, so it makes it possible to
unmount a file system whose root vnode cannot be looked up (e.g.
due to a dead NFS server, or a file system that has become detached
from the hierarchy because an underlying file system was unmounted).
It also provides an unambiguous way to specify which file system is
to be unmunted.

Since the ability to unmount using a path name is retained only for
compatibility, that case now just uses a simple string comparison
of the supplied path against f_mntonname of each mounted file system.

Discussed on:	freebsd-arch
mdoc help from:	ru
2003-07-01 17:40:23 +00:00
Gordon Tetlow
3bb374ebb1 Remove pathnames.h.
Pointed out by:	Mathieu Arnold <mat@mat.cc>
2003-06-29 19:03:52 +00:00
Gordon Tetlow
6d1b4a4730 Tweak a couple of utilities so they compile cleanly for /rescue. Mostly
path fixes.

Submitted by:	Tim Kientzle <kientzle@acm.org>
2003-06-29 18:46:18 +00:00
Gordon Tetlow
1386defade Move path definitions to include/paths.h. This makes it easier to override
these definitions in the /rescue case.

Submitted by:	Tim Kientzle <kientzle@acm.org>
2003-06-29 18:06:05 +00:00
Gordon Tetlow
a3ba4c65fd Convert fsck and mount to using execvP to find fsck_foo and mount_foo.
This simplifies the code path and makes the default path easy to override
in the /rescue case.

Submitted by:	Tim Kientzle <kientzle@acm.org>
2003-06-29 17:53:48 +00:00
Sam Leffler
cf260fe35a o update for new 802.11 support
o fix channel command so channel - does what the man page says
2003-06-28 06:23:40 +00:00
Luigi Rizzo
2bb3712f4e remove extra whitespace and blank lines 2003-06-27 17:18:14 +00:00
Sam Leffler
2559c28876 o correct mode request handling
o add 802.11 alias support
o suppress display of the default "mode autoselect" when showing the "phy mode"
2003-06-25 15:05:17 +00:00
Ruslan Ermilov
a70dc55680 The current recommended default time to live (TTL) for the Internet
Protocol (IP) is 64 [RFC791, RFC1122].

Prodded by:	Igor Kucherenko <kivvy@sunbay.com>
Obtained from:	http://www.iana.org/assignments/ip-parameters
2003-06-25 13:02:18 +00:00
Luigi Rizzo
9d2d07e07d remove unused file (RELENG_5 and above use ipfw2, the old ipfw1
has been unused and unmaintained for a long time).
2003-06-24 07:10:13 +00:00
Luigi Rizzo
29c1402aa2 Split some long lines to fit 80 columns (the code in RELENG_4
was already correct).
2003-06-23 22:32:14 +00:00
Luigi Rizzo
9ef3f16d08 syntactic sugar: support range notation such as
1.2.3.4/24{5,6,7,10-20,60-90}
for set of ip addresses.
Previously you needed to specify every address in the range, which
was unconvenient and lead to very long lines.
Internally the set is still stored in the same way, just the
input and output routines are modified.

Manpage update still missing.

Perhaps a similar preprocessing step would be useful for port ranges.

MFC after: 3 days
2003-06-23 08:20:28 +00:00
Maxim Konovalov
064d54a248 o Fix sets of rules usage example.
PR:		docs/53625
Submitted by:	Kostyuk Oleg <cub@cub.org.ua>
MFC after:	1 week
2003-06-23 07:48:32 +00:00
Luigi Rizzo
44c884e134 Add support for multiple values and ranges for the "iplen", "ipttl",
"ipid" options. This feature has been requested by several users.
On passing, fix some minor bugs in the parser.  This change is fully
backward compatible so if you have an old /sbin/ipfw and a new
kernel you are not in trouble (but you need to update /sbin/ipfw
if you want to use the new features).

Document the changes in the manpage.

Now you can write things like

	ipfw add skipto 1000 iplen 0-500

which some people were asking to give preferential treatment to
short packets.

The 'MFC after' is just set as a reminder, because I still need
to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately
change the size of certain kernel structures; not that it matters
a lot since ipfw2 is entirely optional and not the default...)

PR: bin/48015

MFC after: 1 week
2003-06-22 17:33:19 +00:00
Ian Dowse
4784a46912 Replace the code for reading and writing the kernel message buffer
with a new implementation that has a mostly reentrant "addchar"
routine, supports multiple message buffers in the kernel, and hides
the implementation details from callers.

The new code uses a kind of sequence number to represend the current
read and write positions in the buffer. This approach (suggested
mainly by bde) permits the read and write pointers to be maintained
separately, which reduces the number of atomic operations that are
required. The "mostly reentrant" above refers to the way that while
it is now always safe to have any number of concurrent writers,
readers could see the message buffer after a writer has advanced
the pointers but before it has witten the new character.

Discussed on:	freebsd-arch
2003-06-22 02:18:31 +00:00
Christian Brueffer
121095fdfc Remove another reference to ffsinfo.8 2003-06-17 22:47:11 +00:00
Christian Brueffer
6ff8ac45ad Remove references to ffsinfo(8) for now. It was disconnected from
the build almost a year ago.
2003-06-17 19:21:43 +00:00
Maxim Sobolev
b49349cfce Xref police: chmod(8) -> chmod(1). 2003-06-17 09:53:03 +00:00
Poul-Henning Kamp
e76c239428 Compile sunlabel on all archs. 2003-06-17 09:12:42 +00:00
Maxim Konovalov
c82b8dcedd o Pass a correct argument to printf(3).
PR:		bin/51750
Submitted by:	Vasil Dimov <vd@datamax.bg>
MFC after:	2 weeks
2003-06-16 09:44:53 +00:00
Robert Watson
a78d3eaffc Tighten up the string->integer conversion in sysctl(8):
(1) Reject zero-length strings for CTLTYPE_INT, _UINT, _LONG,
    _ULONG.  Do not silently convert to 0.

(2) When converting CTLTYPE_INT, _UINT, _LONG, and _ULONG, check the
    end pointer generated by strtol() and strtoul() rather than
    discarding it.  Reject the string if either none of the string
    was useful for conversion to an integer, or if there was
    trailing garbage.

I.e., we will not allow you to set a numeric sysctl to a value unless
we can completely convert the string argument to a numeric value.
I tripped over this when I put the following in /etc/sysctl.conf:

   kern.maxfiles="4000"

Ouch.
2003-06-15 06:26:08 +00:00
Kenneth D. Merry
50a7fdaed8 Remove MAINTAINER= lines in the makefiles for camcontrol, iostat, libcam
and libdevstat, since the new way of doing things is to just list
maintainership in src/MAINTAINERS.

Also, remove duplicate entries in src/MAINTAINERS for those utilities.  I
already had entries for them.
2003-06-14 05:28:01 +00:00
Ruslan Ermilov
3d23e8b897 If the -proxy_only option is used, the -alias_address/-interface
options are not required.

Suggested by:	Vaclav Petricek
MFC after:	2 weeks
2003-06-13 22:15:42 +00:00
Greg Lehey
dd3b91651f Remove label command. It has been deprecated since December 1998, and
recent changes broke it altogether.

Prompted by:  phk
2003-06-12 05:55:59 +00:00
Greg Lehey
df0267cb7f Remove "label" keyword. 2003-06-12 05:54:53 +00:00
David E. O'Brien
ebc82d5522 style clean. 2003-06-11 23:24:31 +00:00
Robert Watson
f79c46d3f4 Add "-n" argument, which causes mdconfig to simply print the unit
number X, rather than mdX, making it easier to script tests that
use md devices but don't want to make assumptions about any existing
md use (such as in diskless environments).
2003-06-11 06:38:24 +00:00
Poul-Henning Kamp
98e7d61119 Be consistent about module names. 2003-06-09 21:50:41 +00:00
Poul-Henning Kamp
df622d54f8 GEOMification of CCD.
You need your kernel and ccdconfig(8) to be in sync, particularly if your
source tree is on a ccd device.
2003-06-09 19:25:07 +00:00
Juli Mallett
feff4d8507 Marshal newfs -L (filesystem volume names), the names are not marshalled
with any quoting, but that should be OK for re-input, regardless.
2003-06-09 09:26:02 +00:00
Philippe Charnier
4f898f942d .Nm -> .Xr 2003-06-08 12:57:39 +00:00