freebsd-nq/sys/modules/ipfw/Makefile

# $FreeBSD$

.PATH: ${SRCTOP}/sys/netpfil/ipfw

KMOD=	ipfw
SRCS=	ip_fw2.c ip_fw_pfil.c ip_fw_bpf.c
SRCS+=	ip_fw_dynamic.c ip_fw_log.c ip_fw_eaction.c
SRCS+=	ip_fw_sockopt.c ip_fw_table.c ip_fw_table_algo.c ip_fw_iface.c
SRCS+=	ip_fw_table_value.c
SRCS+=	opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h

CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
#CFLAGS+= -DIPFIREWALL_VERBOSE
#CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
#
#If you want it to pass all packets by default
#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
#

.include <bsd.kmod.mk>
$Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00			`# $FreeBSD$`
Firewall can be used as lkm module.To use it firewall should NOT be compiled into kernel. Then it can be loaded.This is misc module but i'v got no problemms with it,so shouldn't you i suppose.. BTW this is very stupid to have one module in CVS for ALL lkm's... 1995-01-12 13:03:02 +00:00
sys/modules: normalize .CURDIR-relative paths to SRCTOP This simplifies make output/logic Tested with: `cd sys/modules; make ALL_MODULES=` on amd64 MFC after: 1 month Sponsored by: Dell EMC Isilon 2017-03-04 10:10:17 +00:00			`.PATH: ${SRCTOP}/sys/netpfil/ipfw`
Use a consistent style and one much closer to the rest of /usr/src 2001-01-06 14:00:42 +00:00
Sample initial set of kld-ified modules. Not all have been completely converted yet. These are more of a starting point. This is NOT connected to the parent Makefile. OK'ed by jkh (who is ever so patiently waiting) 1998-10-16 04:30:52 +00:00			`KMOD= ipfw`
Move logging via BPF support into separate file. * make interface cloner VNET-aware; * simplify cloner code and use if_clone_simple(); * migrate LOGIF_LOCK() to rmlock; * add ipfw_bpf_mtap2() function to pass mbuf to BPF; * introduce new additional ipfwlog0 pseudo interface. It differs from ipfw0 by DLT type used in bpfattach. This interface is intended to used by ipfw modules to dump packets with additional info attached. Currently pflog format is used. ipfw_bpf_mtap2() function uses second argument to determine which interface use for dumping. If dlen is equal to ETHER_HDR_LEN it uses old ipfw0 interface, if dlen is equal to PFLOG_HDRLEN - ipfwlog0 will be used. Obtained from: Yandex LLC Sponsored by: Yandex LLC 2016-08-13 15:41:04 +00:00			`SRCS= ip_fw2.c ip_fw_pfil.c ip_fw_bpf.c`
Add External Actions KPI to ipfw(9). It allows implementing loadable kernel modules with new actions and without needing to modify kernel headers and ipfw(8). The module registers its action handler and keyword string, that will be used as action name. Using generic syntax user can add rules with this action. Also ipfw(8) can be easily modified to extend basic syntax for external actions, that become a part base system. Sample modules will coming soon. Obtained from: Yandex LLC Sponsored by: Yandex LLC 2016-04-14 22:51:23 +00:00			`SRCS+= ip_fw_dynamic.c ip_fw_log.c ip_fw_eaction.c`
* Add generic ipfw interface tracking API * Rewrite interface tables to use interface indexes Kernel changes: * Add generic interface tracking API: - ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates state & bumps ref) - ipfw_iface_add_ntfy(UH_WLOCK+WLOCK, links comsumer & runs its callback to update ifindex) - ipfw_iface_del_ntfy(UH_WLOCK+WLOCK, unlinks consumer) - ipfw_iface_unref(unlocked, drops reference) Additionally, consumer callbacks are called in interface withdrawal/departure. * Rewrite interface tables to use iface tracking API. Currently tables are implemented the following way: runtime data is stored as sorted array of {ifidx, val} for existing interfaces full data is stored inside namedobj instance (chained hashed table). * Add IP_FW_XIFLIST opcode to dump status of tracked interfaces * Pass @chain ptr to most non-locked algorithm callbacks: (prepare_add, prepare_del, flush_entry ..). This may be needed for better interaction of given algorithm an other ipfw subsystems * Add optional "change_ti" algorithm handler to permit updating of cached table_info pointer (happens in case of table_max resize) * Fix small bug in ipfw_list_tables() * Add badd (insert into sorted array) and bdel (remove from sorted array) funcs Userland changes: * Add "iflist" cmd to print status of currently tracked interface * Add stringnum_cmp for better interface/table names sorting 2014-07-28 19:01:25 +00:00			`SRCS+= ip_fw_sockopt.c ip_fw_table.c ip_fw_table_algo.c ip_fw_iface.c`
Add support for multi-field values inside ipfw tables. This is the last major change in given branch. Kernel changes: * Use 64-bytes structures to hold multi-value variables. * Use shared array to hold values from all tables (assume each table algo is capable of holding 32-byte variables). * Add some placeholders to support per-table value arrays in future. * Use simple eventhandler-style API to ease the process of adding new table items. Currently table addition may required multiple UH drops/ acquires which is quite tricky due to atomic table modificatio/swap support, shared array resize, etc. Deal with it by calling special notifier capable of rolling back state before actually performing swap/resize operations. Original operation then restarts itself after acquiring UH lock. * Bump all objhash users default values to at least 64 * Fix custom hashing inside objhash. Userland changes: * Add support for dumping shared value array via "vlist" internal cmd. * Some small print/fill_flags dixes to support u32 values. * valtype is now bitmask of <skipto\|pipe\|fib\|nat\|dscp\|tag\|divert\|netgraph\|limit\|ipv4\|ipv6>. New values can hold distinct values for each of this types. * Provide special "legacy" type which assumes all values are the same. * More helpers/docs following.. Some examples: 3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6 3:41 [1] zfscurr0# ipfw table mimimi info +++ table(mimimi), set(0) +++ kindex: 2, type: addr references: 0, valtype: skipto,limit,ipv4,ipv6 algorithm: addr:radix items: 0, size: 296 3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1 added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1 3:42 [1] zfscurr0# ipfw table mimimi list +++ table(mimimi), set(0) +++ 10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1 2014-08-31 23:51:09 +00:00			`SRCS+= ip_fw_table_value.c`
Unconditionally enable support for O_IPSEC opcode. IPsec support can be loaded as kernel module, thus do not depend from kernel option IPSEC and always build O_IPSEC opcode implementation as enabled. Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC 2017-11-17 22:40:02 +00:00			`SRCS+= opt_inet.h opt_inet6.h opt_ipdivert.h opt_ipfw.h`
Use a consistent style and one much closer to the rest of /usr/src 2001-01-06 14:00:42 +00:00
No need to use a magic IPFIREWALL_MODULE - the build system supplies one already we can test for. 1999-04-20 14:31:23 +00:00			`CFLAGS+= -DIPFIREWALL`
Firewall can be used as lkm module.To use it firewall should NOT be compiled into kernel. Then it can be loaded.This is misc module but i'v got no problemms with it,so shouldn't you i suppose.. BTW this is very stupid to have one module in CVS for ALL lkm's... 1995-01-12 13:03:02 +00:00			`#`
Checking new lkm structure.. 1995-01-12 13:57:51 +00:00			`#If you want it verbose`
Firewall can be used as lkm module.To use it firewall should NOT be compiled into kernel. Then it can be loaded.This is misc module but i'v got no problemms with it,so shouldn't you i suppose.. BTW this is very stupid to have one module in CVS for ALL lkm's... 1995-01-12 13:03:02 +00:00			`#CFLAGS+= -DIPFIREWALL_VERBOSE`
Use IPFIREWALL_MODULE instead of ACTUALLY_LKM_NOT_KERNEL to indicate LKM'ness. ACTUALLY_LKM_NOT_KERNEL is supposed to be so ugly that it only gets used until <machine/conf.h> goes away. bsd.kmod.mk should define a better-named general macro for this. Some places use PSEUDO_LKM. This is another bad name. Makefile: Added IPFIREWALL_VERBOSE_LIMIT option (commented out). 1996-06-23 14:28:02 +00:00			`#CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100`
Firewall can be used as lkm module.To use it firewall should NOT be compiled into kernel. Then it can be loaded.This is misc module but i'v got no problemms with it,so shouldn't you i suppose.. BTW this is very stupid to have one module in CVS for ALL lkm's... 1995-01-12 13:03:02 +00:00			`#`
Add example for IPFIREWALL_DEFAULT_TO_ACCEPT 1997-09-10 04:19:07 +00:00			`#If you want it to pass all packets by default`
			`#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT`
			`#`
Firewall can be used as lkm module.To use it firewall should NOT be compiled into kernel. Then it can be loaded.This is misc module but i'v got no problemms with it,so shouldn't you i suppose.. BTW this is very stupid to have one module in CVS for ALL lkm's... 1995-01-12 13:03:02 +00:00
Use .include <bsd.kmod.mk> to get to ../../*/conf/kmod.mk instead of encoding the relative path. 2000-05-27 01:14:33 +00:00			`.include <bsd.kmod.mk>`