Commit Graph

796 Commits

Author SHA1 Message Date
Ceri Davies
da52fc464a ipfw.8: there never was a "skip-action" action
It was renamed during review of D1776 but this entry slipped through.

PR:		243284
Reported by:	pprocacci@gmail.com
Obtained from:	Chad Jacob Milios <milios@ccsys.com>
2023-01-25 18:15:18 +00:00
Jose Luis Duran
bdd60b224f ipfw: Add missing 'va' code point name
Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.

Reviewed By: melifaro, pauamma
Differential Revision: https://reviews.freebsd.org/D37508
MFC after:	2 weeks
2023-01-13 20:21:27 +00:00
Goran Mekic
3599da158e ipfw: Fix ipfw/dnctl detection
Running "dnctl" vs "/sbin/dnctl" gave different results, because we
looked at the entire argv[0] string, rather than the basename.

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D37431
2022-11-22 09:53:20 +01:00
Gleb Smirnoff
05b9737f10 ipfw: make it possible to specify MTU for "unreach needfrag" action
Reviewed by:		ae, pauamma
Differential revision:	https://reviews.freebsd.org/D36140
2022-08-17 08:24:11 -07:00
Arseny Smalyuk
81cac3906e ipfw: add support radix tables and table lookup for MAC addresses
By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using new ipfw table
with mac:radix type. Also there are src-mac and dst-mac lookup
commands added.

Usage example:
  ipfw table 1 create type mac
  ipfw table 1 add 11:22:33:44:55:66/48
  ipfw add skipto tablearg src-mac 'table(1)'
  ipfw add deny src-mac 'table(1, 100)'
  ipfw add deny lookup dst-mac 1

Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw
filtering on L2.

Reviewed by:	melifaro
Obtained from:	Yandex LLC
MFC after:	1 month
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D35103
2022-06-04 19:12:29 +03:00
Eugene Grosbein
9d7cefc278 ipfw.8: spell "layer2" consistently throughout the manual page
MFC after:	1 week
2022-05-14 04:30:29 +07:00
Kristof Provost
9d406e088e dnctl: Support reading config from file like ipfw(8)
Extend the dnctl (dummynet config) tool to be able to read commands from
a file, just like ipfw already does.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33627
2022-01-03 09:50:18 +01:00
Kristof Provost
0b95680e07 ipfw: Introduce dnctl
Introduce a link to the ipfw command, dnctl, for dummynet configuration.
dnctl only handles dummynet configuration, and is part of the effort to
support dummynet in pf.

/sbin/ipfw continues to accept pipe, queue and sched commands, but these can
now also be issued via the new dnctl command.

Reviewed by:	donner
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30465
2021-09-08 17:17:50 +02:00
Luiz Otavio O Souza
20ffd88ed5 ipfw: use unsigned int for dummynet bandwidth
This allows the maximum value of 4294967295 (~4Gb/s) instead of previous
value of 2147483647 (~2Gb/s).

Reviewed by:	np, scottl
Obtained from:	pfSense
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D31582
2021-08-19 10:48:53 +02:00
Gordon Bergling
809ad8170a ipfw(8): Fix a typo in an error message
- s/suport/support/

MFC after:	5 days
2021-08-11 09:53:01 +02:00
Lutz Donnerhacke
c8250c5ada ipfw.8: synopsis misses nat show form
Document the existing behavior, which is currently only available by
reading third party documentation or the source code itself.

PR:		254617
Submitted by:	Oliver Kiddle
MFC after:	2 weeks
Differential Revision: https://reviews.freebsd.org/D30189
2021-06-04 12:55:59 +02:00
Lutz Donnerhacke
802637be06 ipfw.8: Fix table example
Fix some erronous lines in the example section.

PR:		248943
Submitted by:	Jose Luis Duran
MFC after:	2 weeks
Reviewers:	ae, manpages (gbe)
Differential Revision: https://reviews.freebsd.org/D30191
2021-05-11 17:38:26 +02:00
Lutz Donnerhacke
f6f297871d sbin/ipfw: Allow tablearg as hostname
Hostnames starting with "tablearg" are considered as a functional
argument instead of a literal.

Reported by:	ae
Reviewers:	ae
MFC after:	1 week
Differential Revision: https://reviews.freebsd.org/D30208
2021-05-11 10:44:33 +02:00
Lutz Donnerhacke
6cb13813ca sbin/ipfw: Fix parsing error in table based forward
The argument parser does not recognise the optional port for an
"tablearg" argument.  Fix simplifies the code by make the internal
representation expicit for the parser.

PR:		252744
MFC:		1 week
Reported by:	<bugs.freebsd.org@mx.zzux.com>
Approved by:	nc
Tested by:	<bugs.freebsd.org@mx.zzux.com>
Differential Revision: https://reviews.freebsd.org/D30164
2021-05-08 22:52:17 +02:00
Lutz Donnerhacke
bf7cc0f9cb sbin/ipfw: Fix null pointer deference when printing counters
ipfw -[tT] prints statistics of the last access. If the rule was never
used, the counter might be not exist.  This happens unconditionally on
inserting a new rule.  Avoid printing statistics in this case.

PR:	255491
Reported by:	Haisheng Zhouz
Reviewed by:	ae
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D30046
2021-05-02 21:28:46 +02:00
Roman Bogorodskiy
066a576c5f ipfw: update man page example for nat show log
In d6164b77f8 the ability to show
ranges of nat log entries was removed.

PR:	254192
Reviewed by:	allanjude
2021-04-07 15:37:46 +00:00
Andrey V. Elsukov
13ad237a19 ipfw: make algo name argument optional for some table types
Most of table types currently supported by ipfw have only one
algorithm implementation. When user creates such tables, allow
to omit algo name in arguments. E.g. now it is possible:
	ipfw table T1 create type number
	ipfw table T2 create type iface
	ipfw table T3 create type flow

PR:		233072
MFC after:	1 week
Sponsored by:	Yandex LLC
2021-02-25 16:57:47 +03:00
Neel Chauhan
a08cdb6cfb Allow setting alias port ranges in libalias and ipfw. This will allow a system
to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user,
subnet) can have their own dedicated port aliasing ranges.

Reviewed by:		donner, kp
Approved by:		0mp (mentor), donner, kp
Differential Revision:	https://reviews.freebsd.org/D23450
2021-02-02 13:24:17 -08:00
Evgeniy Khramtsov
682c31db4e ipfw(8) crashes when ext6hdr option is omitted
Verify that the option is passed, error out if it's not.
The problem can be trivially triggered with `ipfw add allow ext6hdr`.

PR:		253169
Reviewed by:	kp@
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D28447
2021-02-01 21:25:11 +01:00
Gordon Bergling
bae74ca922 ipfw(8): Fix a few mandoc related issues
- no blank before trailing delimiter
- missing section argument: Xr inet_pton
- skipping paragraph macro: Pp before Ss
- unusual Xr order: syslogd after sysrc
- tab in filled text

There were a few multiline NAT examples which used the .Dl macro with
tabs. I converted them to .Bd, which is a more suitable macro for that case.

MFC after:	1 week
2020-12-19 12:47:40 +00:00
Gordon Bergling
8636dd5703 ipfw(8): Bugfixes for some issues reported by mandoc
- whitespace at end of input line
- new sentence, new line
- skipping paragraph macro: Pp before Pp

MFC after:	1 week
2020-10-03 18:30:01 +00:00
Andrey V. Elsukov
b876085f55 Fix compatibility regression after r364117.
Properly handle the case, when some opcode keywords follow after
the `frag` opcode without additional options.

Reported by:	Evgeniy Khramtsov <evgeniy at khramtsov org>
2020-09-11 10:07:09 +00:00
Stefan Eßer
0fa427fe19 Change printf format string to include the extra blank
This is a follow up change to r364321 after a discussion about the style.
All near by places use extra blanks in format strings, and while use of the
format string to provide the extra blank may need more cycles than adding 1
to twidth, it generates shorter code and is clearer in the opinion of some
reviewers of the previous change.

Not objected to by:	emaste
MFC after:		3 days
2020-09-01 09:02:43 +00:00
Fernando Apesteguía
71230912a7 ipfw(8): Fix typo in man page
s/exmaple/example

Approved by:	manpages (gbe@)
Differential Revision:	https://reviews.freebsd.org/D26147
2020-08-21 17:45:17 +00:00
Ed Maste
c1b355d378 ipfw: line up ipfw -t list with and without timestamp
From the PR:
    When I run `ipfw -t list` on release/12 or current, I get misaligned
    output between lines that do and do not have a last match timestamp,
    like so:

    00100 Tue Aug 11 03:03:26 2020 allow ip from any to any via lo0
    00200                         deny ip from any to 127.0.0.0/8

    (specifically, the "allow" and "deny" strings do not line up)

PR:		248608
Submitted by:	Taylor Stearns
MFC after:	3 days
2020-08-17 18:53:23 +00:00
Gleb Smirnoff
825398f946 ipfw: make the "frag" keyword accept additional options "mf",
"df", "rf" and "offset".  This allows to match on specific
bits of ip_off field.

For compatibility reasons lack of keyword means "offset".

Reviewed by:	ae
Differential Revision:	https://reviews.freebsd.org/D26021
2020-08-11 15:46:22 +00:00
Andrey V. Elsukov
2403d47744 Fix SIGSEGV in ipfw(8) when NAT64 prefix length is omitted.
Submitted by:	Evgeniy Khramtsov <evgeniy at khramtsov org>
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D25734
2020-08-05 11:26:49 +00:00
Adrian Chadd
268a20a0e7 [ipfw] quieten maybe-uninitialized errors in ipfw when compiled under mips-gcc-6.3.0.
This is mostly an exercise to set variables to NULL/0 when declared, but
one was ensuring a string variable was set before printing it.
We should never see "<unknown>" in a printed rule; if we do then this code
definitely has some bugs that need addressing.
2020-07-14 05:07:16 +00:00
Mark Johnston
165236a101 ipfw(8): Handle unaligned pointers in pr_u64.
struct _ipfw_dyn_rule is defined as packed, and as a result, its
uint64_t fields are misaligned on some 32-bit platforms.  Since
pr_u64() is explicitly supposed to handle this case, avoid using a
uint64_t * for the input pointer to make sure that the compiler won't
(correctly) warn about the misalignment.

Reported by:	jenkins
MFC with:	r363164
2020-07-13 19:10:16 +00:00
Mark Johnston
56707bee4b ipfw(8): Fix most warnings with the default WARNS level.
- Add missing const and static qualifiers.
- Avoid shadowing the global "co" by renaming it to "g_co".
- Avoid mixing signedness in loop bound checks.
- Leave -Wcast-align warnings disabled for now.

Reviewed by:	ae, melifaro
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D25456
2020-07-13 17:51:04 +00:00
Mark Johnston
a3349dd906 ipfw: Support the literal IPv6 address syntax in the fwd command.
Discussed with:	rgrimes, Lutz Donnerhacke
Submitted by:	Neel Chauhan <neel AT neelc DOT org>
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D24011
2020-06-25 19:27:22 +00:00
Mark Johnston
27b3db9709 ipfw(8): In fill_ip6(), use a single statement for both "me" and "me6".
Submitted by:	Neel Chauhan <neel AT neelc DOT org>
Reviewed by:	rgrimes, Lutz Donnerhacke
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24403
2020-06-24 15:05:42 +00:00
Andrey V. Elsukov
db1102f213 Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy
NAT instance.

The NAT44 group of opcodes for IP_FW3 socket option is modern way
to control NAT instances and this method can be used in future to
switch from numeric to named NAT instances, like was done for ipfw
tables.
The IP_FW_NAT_DEL opcode is the last remnant of old ipfw_ctl control
plane that doesn't support versioned operations. This interface will
be retired soon.

Reviewed by:	melifaro
MFC after:	10 days
Sponsored by:	Yandex LLC
2020-03-24 12:27:02 +00:00
Alexander V. Chernikov
e3bf606c5d Revert r358858 as it breaks some ipfw(8) setups.
Reported by:	O. Hartmann <o.hartmann@walstatt.org>
2020-03-11 08:08:53 +00:00
Alexander V. Chernikov
8149b12da1 Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().
Submitted by:	Neel Chauhan <neel AT neelc DOT org>
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D21812
2020-03-10 20:30:21 +00:00
Eugene Grosbein
04777538e7 ipfw nat: add missing bits after r357092 (RFC 6598/Carrier Grade NAT)
Submitted by:	Neel Chauhan <neel AT neelc DOT org>
Reviewed by:	Lutz Donnerhacke
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D23448
2020-02-12 00:46:33 +00:00
Alexander V. Chernikov
75b893375f Add support for RFC 6598/Carrier Grade NAT subnets. to libalias and ipfw.
In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added.
 This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware.
Also, we add a new NAT option to ipfw called unreg_cgn, which is like
 unreg_only, but also is RFC 6598-aware.  The reason for the new
 flags/options is to avoid breaking existing networks, especially those
 which rely on RFC 6598 as an external address.

Submitted by:	Neel Chauhan <neel AT neelc DOT org>
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D22877
2020-01-24 20:35:41 +00:00
Xin LI
f00c55e25a Use strlcat().
MFC after:	2 weeks
2019-11-30 05:57:54 +00:00
Andrey V. Elsukov
51b1593065 Explicitly initialize the memory buffer to store O_ICMP6TYPE opcode.
By default next_cmd() initializes only first u32 of opcode. O_ICMP6TYPE
opcode has array of bit masks to store corresponding ICMPv6 types.
An opcode that precedes O_ICMP6TYPE, e.g. O_IP6_DST, can have variable
length and during opcode filling it can modify memory that will be used
by O_ICMP6TYPE opcode. Without explicit initialization this leads to
creation of wrong opcode.

Reported by:	Boris N. Lytochkin
Obtained from:	Yandex LLC
MFC after:	3 days
2019-10-15 09:50:02 +00:00
Kyle Evans
c144616b7d ipfw: fix jail option after r348215
r348215 changed jail_getid(3) to validate passed-in jids as active jails
(as the function is documented to return -1 if the jail does not exist).
This broke the jail option (in some cases?) as the jail historically hasn't
needed to exist at the time of rule parsing; jids will get stored and later
applied.

Fix this caller to attempt to parse *av as a number first and just use it
as-is to match historical behavior. jail_getid(3) must still be used in
order for name arguments to work, but it's strictly a fallback in case we
weren't given a number.

Reported and tested by:	Ari Suutari <ari stonepile fi>
Reviewed by:	ae
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D21128
2019-08-05 00:08:25 +00:00
Andrey V. Elsukov
55507128b9 Restore ipfw(8)'s compact output support broken after r331668.
Also modify it a bit. Now -c option omits only 'from any to any' part
and works for different protocols (not just for ip).

Reported by:	Dmitry Selivanov <dseliv at gmail>
MFC after:	1 week
2019-06-25 09:08:24 +00:00
Andrey V. Elsukov
978f2d1728 Add "tcpmss" opcode to match the TCP MSS value.
With this opcode it is possible to match TCP packets with specified
MSS option, whose value corresponds to configured in opcode value.
It is allowed to specify single value, range of values, or array of
specific values or ranges. E.g.

 # ipfw add deny log tcp from any to any tcpmss 0-500

Reviewed by:	melifaro,bcr
Obtained from:	Yandex LLC
MFC after:	1 week
Sponsored by:	Yandex LLC
2019-06-21 10:54:51 +00:00
Andrey V. Elsukov
09899450ed Remove unused token that was added in r348235.
MFC after:	2 weeks
2019-05-27 06:34:36 +00:00
Andrey V. Elsukov
05ab1ef64e Add missing and or-flush options to "ipfw table <NAME> create"
command to simplify firewall reloading.

The `missing` option suppresses EEXIST error code, but does check that
existing table has the same parameters as new one. The `or-flush` option
implies `missing` option and additionally does flush for table if it
is already exist.

Submitted by:	lev
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D18339
2019-05-24 11:06:24 +00:00
Andrey V. Elsukov
761618de05 Handle HAVE_PROTO flag and print "proto" keyword for O_IP4 and O_IP6
opcodes when it is needed.
This should fix the problem, when printed by `ipfw show` rule could not
be added due to missing "proto" keyword.

MFC after:	2 weeks
2019-04-29 09:52:53 +00:00
Benedict Reuschling
da343996fa Typo fix in ipfw.8: amd -> and
There is an (obvious) typo in the following sentence:

"Please note, that keep-state amd limit imply implicit check-state for ..."

Replace the "amd" with "and", bump .Dd.

PR:			237438
Submitted by:		michael@galassi.us
MFC after:		3 days
2019-04-21 18:27:13 +00:00
Andrey V. Elsukov
9883abca1f Remove extra spaces.
MFC after:	1 month
2019-03-19 11:16:42 +00:00
Andrey V. Elsukov
d18c1f26a4 Reapply r345274 with build fixes for 32-bit architectures.
Update NAT64LSN implementation:

  o most of data structures and relations were modified to be able support
    large number of translation states. Now each supported protocol can
    use full ports range. Ports groups now are belongs to IPv4 alias
    addresses, not hosts. Each ports group can keep several states chunks.
    This is controlled with new `states_chunks` config option. States
    chunks allow to have several translation states for single alias address
    and port, but for different destination addresses.
  o by default all hash tables now use jenkins hash.
  o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path.
  o one NAT64LSN instance now can be used to handle several IPv6 prefixes,
    special prefix "::" value should be used for this purpose when instance
    is created.
  o due to modified internal data structures relations, the socket opcode
    that does states listing was changed.

Obtained from:	Yandex LLC
MFC after:	1 month
Sponsored by:	Yandex LLC
2019-03-19 10:57:03 +00:00
Andrey V. Elsukov
d6369c2d18 Revert r345274. It appears that not all 32-bit architectures have
necessary CK primitives.
2019-03-18 14:00:19 +00:00
Andrey V. Elsukov
d7a1cf06f3 Update NAT64LSN implementation:
o most of data structures and relations were modified to be able support
  large number of translation states. Now each supported protocol can
  use full ports range. Ports groups now are belongs to IPv4 alias
  addresses, not hosts. Each ports group can keep several states chunks.
  This is controlled with new `states_chunks` config option. States
  chunks allow to have several translation states for single alias address
  and port, but for different destination addresses.
o by default all hash tables now use jenkins hash.
o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path.
o one NAT64LSN instance now can be used to handle several IPv6 prefixes,
  special prefix "::" value should be used for this purpose when instance
  is created.
o due to modified internal data structures relations, the socket opcode
  that does states listing was changed.

Obtained from:	Yandex LLC
MFC after:	1 month
Sponsored by:	Yandex LLC
2019-03-18 12:59:08 +00:00