Commit Graph

149 Commits

Author SHA1 Message Date
Christian S.J. Peron
31c88a3043 Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is it's ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
  to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While Iam here, add a comment informing others that if they
  want to add additional opcodes, they should append them to the end
  of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
  set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by:	pjd
Reviewed by:	rwatson
Approved by:	bmilekic (mentor)
2004-08-12 22:06:55 +00:00
Andre Oppermann
5f9541ecbd New ipfw option "antispoof":
For incoming packets, the packet's source address is checked if it
 belongs to a directly connected network.  If the network is directly
 connected, then the interface the packet came on in is compared to
 the interface the network is connected to.  When incoming interface
 and directly connected interface are not the same, the packet does
 not match.

Usage example:

 ipfw add deny ip from any to any not antispoof in

Manpage education by:	ru
2004-08-09 16:12:10 +00:00
Andre Oppermann
55db762b76 Extend versrcreach by checking against the rt_flags for RTF_REJECT and
RTF_BLACKHOLE as well.

To quote the submitter:

 The uRPF loose-check implementation by the industry vendors, at least on Cisco
 and possibly Juniper, will fail the check if the route of the source address
 is pointed to Null0 (on Juniper, discard or reject route). What this means is,
 even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
 uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
 as a pseudo-packet-firewall without using any manual filtering configuration --
 one can simply inject a IGP or BGP prefix with next-hop set to a static route
 that directs to null/discard facility. This results in uRPF Loose-check failing
 on all packets with source addresses that are within the range of the nullroute.

Submitted by:	James Jun <james@towardex.com>
2004-07-21 19:55:14 +00:00
Ruslan Ermilov
9806e23132 Mechanically kill hard sentence breaks. 2004-07-02 21:45:06 +00:00
Ruslan Ermilov
cd8b5ae0ae Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets.  Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after:	1 week
2004-06-09 20:10:38 +00:00
Maxim Konovalov
5cbcfccb41 o Fix usage example.
PR:		docs/67065
Submitted by:	David Syphers
2004-05-23 19:05:59 +00:00
Andre Oppermann
22b5770b99 Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table.  The
default route is ignored because it would match everything and
render the check pointless.

This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.

Example:

 ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

  ip verify unicast source reachable-via any

Reviewed by:	luigi
2004-04-23 14:28:38 +00:00
Ceri Davies
a155540f4b Backout revision 1.140; it seems that the previous version is clear
enough.

Requested by:	ru
2004-03-27 14:13:53 +00:00
Maxim Konovalov
1621280872 o The lenght of the port list is limited to 30 entries in ipfw2 not to 15.
PR:		docs/64534
Submitted by:	Dmitry Cherkasov
MFC after:	1 week
2004-03-26 19:09:22 +00:00
Ceri Davies
cdfd991b87 Clarify the description of the "established" option.
PR:		docs/50391
Submitted by:	root@edcsm.jussieu.fr
MFC after:	1 week
2004-03-22 21:24:38 +00:00
Mike Makonnen
c6609fcd7c grammar 2004-01-23 06:37:19 +00:00
Maxim Konovalov
3abea06d63 o -c (compact) flag is ipfw2 feature.
PR:		bin/56328
MFC after:	3 days
2004-01-15 12:59:44 +00:00
Maxim Konovalov
d06b32b094 o -f (force) in conjunction with -p (preprocessor) is ipfw2 feature.
MFC after:	3 days
2004-01-15 12:57:04 +00:00
Maxim Konovalov
cec4ab6a04 o Legitimate -f (force) flags for -p (preprocessor) case.
PR:		bin/60433
Submitted:	Bjoern A. Zeeb
MFC after:	3 weeks
2003-12-24 13:04:04 +00:00
Luigi Rizzo
ac6cec512b Add a -b flag to /sbin/ipfw to print only action and comment for each
rule, thus omitting the entire body.
This makes the output a lot more readable for complex rulesets
(provided, of course, you have annotated your ruleset appropriately!)

MFC after: 3 days
2003-12-12 16:14:28 +00:00
Sam Leffler
d559f5c3d8 Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate
code is compiled in to support the O_IPSEC operator.  Previously no
support was included and ipsec rules were always matching.  Note that
we do not return an error when an ipsec rule is added and the kernel
does not have IPsec support compiled in; this is done intentionally
but we may want to revisit this (document this in the man page).

PR:		58899
Submitted by:	Bjoern A. Zeeb
Approved by:	re (rwatson)
2003-12-02 00:23:45 +00:00
Ralf S. Engelschall
d1f602f79e fix typo: s/sytem/system/ 2003-09-26 12:22:28 +00:00
Peter Pentchev
94679655fd Document the alternate way of matching MAC addresses: by a bitmask.
PR:		56021
Submitted by:	Glen Gibb <grg@ridley.unimelb.edu.au>
MFC after:	1 month
2003-09-10 06:41:16 +00:00
Luigi Rizzo
a0e26ba089 Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific 2003-07-22 07:41:24 +00:00
Luigi Rizzo
3004afca6e Userland side of:
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implement a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards
2003-07-15 23:08:44 +00:00
Luigi Rizzo
1b43a426de Add a '-T' flag to print the timestamp as numeric value instead
of converting it with ctime(). This is a lot more convenient for
postprocessing.

Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
2003-07-12 08:35:25 +00:00
Luigi Rizzo
7d3f835703 Document the existence of comments in ipfw rules,
the new flags handled when reading from a file,
and clarify that only numeric values are allowed for icmptypes.

MFC after: 3 days
2003-07-12 07:01:48 +00:00
Daniel Harris
a10c9747dc Correct to match reality regarding interface names.
PR:		51006
Submitted by:	"Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua>
mdoc clue by:	"Simon L. Nielsen" <simon@nitro.dk>
MFC after:	10 days
2003-07-08 13:24:42 +00:00
Luigi Rizzo
4d233f6b0d * introduce a section on SYNTAX to document the handling
spaces and comma-separated lists of arguments;

* reword the description of address specifications, to include
  previous and current changes for address sets and lists;

* document the new '-n' flag.

* update the section on differences between ipfw1 and ipfw2
  (this is becoming boring!)

MFC after: 3 days
2003-07-08 08:07:03 +00:00
Luigi Rizzo
c3e5b9f154 Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.

Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week
2003-07-04 21:42:32 +00:00
Maxim Konovalov
064d54a248 o Fix sets of rules usage example.
PR:		docs/53625
Submitted by:	Kostyuk Oleg <cub@cub.org.ua>
MFC after:	1 week
2003-06-23 07:48:32 +00:00
Luigi Rizzo
44c884e134 Add support for multiple values and ranges for the "iplen", "ipttl",
"ipid" options. This feature has been requested by several users.
On passing, fix some minor bugs in the parser.  This change is fully
backward compatible so if you have an old /sbin/ipfw and a new
kernel you are not in trouble (but you need to update /sbin/ipfw
if you want to use the new features).

Document the changes in the manpage.

Now you can write things like

	ipfw add skipto 1000 iplen 0-500

which some people were asking to give preferential treatment to
short packets.

The 'MFC after' is just set as a reminder, because I still need
to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately
change the size of certain kernel structures; not that it matters
a lot since ipfw2 is entirely optional and not the default...)

PR: bin/48015

MFC after: 1 week
2003-06-22 17:33:19 +00:00
Crist J. Clark
010dabb047 Add a 'verrevpath' option that verifies the interface that a packet
comes in on is the same interface that we would route out of to get to
the packet's source address. Essentially automates an anti-spoofing
check using the information in the routing table.

Experimental. The usage and rule format for the feature may still be
subject to change.
2003-03-15 01:13:00 +00:00
Ruslan Ermilov
8b5381e069 /modules is gone long ago, use the safe equivalents. 2003-03-03 22:46:36 +00:00
Christian Brueffer
16b3d3546d Correct examples for stateful inspection
PR:		47817
Submitted by:	Simon L.Nielsen <simon@nitro.dk>
Reviewed by:	ceri, luigi
2003-02-04 01:33:25 +00:00
Matthew Dillon
6690be9efa It turns out that we do not need to add a new ioctl to unbreak a
default-to-deny firewall.  Simply turning off IPFW via a preexisting
sysctl does the job.  To make it more apparent (since nobody picked up
on this in a week's worth of flames), the boolean sysctl's have been
integrated into the /sbin/ipfw command set in an obvious and straightforward
manner.  For example, you can now do 'ipfw disable firewall' or
'ipfw enable firewall'.  This is far easier to remember then the
net.inet.ip.fw.enable sysctl.

Reviewed by:	imp
MFC after:	3 days
2003-01-12 03:31:10 +00:00
Giorgos Keramidas
c41a3921ef Fix a reference to the order of SYNOPSIS lines.
Submitted by:	Olivier Cherrier <Olivier.Cherrier@cediti.be>
		on freebsd-net
MFC after:	3 days
2003-01-05 00:09:23 +00:00
Kelly Yancey
ca6e3cb0e4 Make preprocessor support more generic by passing all command-line options
after -p except for the last (the ruleset file to process) to the
preprocessor for interpretation.  This allows command-line options besides
-U and -D to be passed to cpp(1) and m4(1) as well as making it easier to
use other preprocessors.

Sponsored By:	NTT Multimedia Communications Labs
MFC after:	1 week
2002-12-23 20:08:21 +00:00
Luigi Rizzo
99652d0eb2 Update documentation to match the behaviour of ipfw with respect
to net.inet.ip.fw.one_pass.
Add to notes to explain the exact behaviour of "prob xxx" and "log"
options.

Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c)
2002-11-26 19:51:40 +00:00
Luigi Rizzo
4d5fe224c6 Misc fixes from Chris Pepper, plus additional explainations on
dummynet operation.

MFC after: 3 days
2002-10-28 07:03:56 +00:00
Sean Chittenden
927a76bb5e Increase the max dummynet hash size from 1024 to 65536. Default is still
1024.

Silence on:	-net, -ipfw 4weeks+
Reviewed by:	dd
Approved by:	knu (mentor)
MFC after:	3 weeks
2002-10-12 07:45:23 +00:00
Maxim Konovalov
8bca894718 o Fix a typo.
o Remove EOL spaces.

Submitted by:	Harold Gutch <logix@foobar.franken.de> (typo patch)
Approved by:	luigi
MFC after:	3 days
2002-09-22 11:30:51 +00:00
Marc Fonvieille
eea54e1396 Typo: s/o packet/on packet/
PR:		docs/42543
Submitted by:	Michael Lyngbøl <lyngbol@bifrost.lyngbol.dk>
2002-09-08 09:01:08 +00:00
Tom Rhodes
ce66ddb763 s/filesystem/file system/g as discussed on -developers 2002-08-21 18:11:48 +00:00
Luigi Rizzo
f0ac20f7d2 Whoops, the manpage lied... ipfw2 has always accepted addr:mask
specifications.
2002-08-21 05:57:41 +00:00
Luigi Rizzo
5a155b405e One more (hopefully the last one) step in cleaning up the syntax,
following Julian's good suggestion: since you can specify any match
pattern as an option, rules now have the following format:

	[<proto> from <src> to <dst>] [options]

i.e. the first part is now entirely optional (and left there just
for compatibility with ipfw1 rulesets).

Add a "-c" flag to show/list rules in the compact form
(i.e. without the "ip from any to any" part) when possible.
The default is to include it so that scripts processing ipfw's
canonical output will still work.
Note that as part of this cleanup (and to remove ambiguity), MAC
fields now can only be specified in the options part.

Update the manpage to reflect the syntax.

Clarify the behaviour when a match is attempted on fields which
are not present in the packet, e.g. port numbers on non TCP/UDP
packets, and the "not" operator is specified. E.g.

	ipfw add allow not src-port 80

will match also ICMP packets because they do not have port numbers, so
"src-port 80" will fail and "not src-port 80" will succeed. For such
cases it is advised to insert further options to prevent undesired results
(e.g. in the case above, "ipfw add allow proto tcp not src-port 80").

We definitely need to rewrite the parser using lex and yacc!
2002-08-19 12:36:54 +00:00
Luigi Rizzo
e706181ba6 Major cleanup of the parser and printing routines in an attempt to
render the syntax less ambiguous.

Now rules can be in one of these two forms

	<action> <protocol> from <src> to <dst> [options]
	<action> MAC dst-mac src-mac mac-type [options]

however you can now specify MAC and IP header fields as options e.g.

	ipfw add allow all from any to any mac-type arp
	ipfw add allow all from any to any { dst-ip me or src-ip me }

which makes complex expressions a lot easier to write and parse.
The "all from any to any" part is there just for backward compatibility.

Manpage updated accordingly.
2002-08-19 04:52:15 +00:00
Luigi Rizzo
654399a477 Complete list of differences between ipfw1 and ipfw2. 2002-08-16 14:27:22 +00:00
Luigi Rizzo
99e5e64504 sys/netinet/ip_fw2.c:
Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops
    for firewall-generated packets (the constant has to go in sys/mbuf.h).

    Better comments on keepalive generation, and enforce dyn_rst_lifetime
    and dyn_fin_lifetime to be less than dyn_keepalive_period.

    Enforce limits (up to 64k) on the number of dynamic buckets, and
    retry allocation with smaller sizes.

    Raise default number of dynamic rules to 4096.

    Improved handling of set of rules -- now you can atomically
    enable/disable multiple sets, move rules from one set to another,
    and swap sets.

sbin/ipfw/ipfw2.c:

    userland support for "noerror" pipe attribute.

    userland support for sets of rules.

    minor improvements on rule parsing and printing.

sbin/ipfw/ipfw.8:

    more documentation on ipfw2 extensions, differences from ipfw1
    (so we can use the same manpage for both), stateful rules,
    and some additional examples.
    Feedback and more examples needed here.
2002-08-16 10:31:47 +00:00
Luigi Rizzo
ac4ed01f56 Major revision of the ipfw manpage, trying to make it up-to-date
with ipfw2 extensions and give examples of use of the new features.

This is just a preliminary commit, where i simply added the basic
syntax for the extensions, and clean up the page (e.g. by listing
things in alphabetical rather than random order).
I would appreciate feedback and possible corrections/extensions
by interested parties.

Still missing are a more detailed description of stateful rules
(with keepalives), interaction with of stateful rules and natd (don't do
that!), examples of use with the recently introduced rule sets.

There is an issue related to the MFC: RELENG_4 still has ipfw as a
default, and ipfw2 is optional. We have two options here: MFC this
page as ipfw(8) adding a large number of "SORRY NOT IN IPFW" notes,
or create a new ipfw2(8) manpage just for -stable users.  I am all
for the first approach, but of course am listening to your comments.
2002-08-10 15:04:40 +00:00
Sheldon Hearn
b7563355f3 Add SEE ALSO references to papers handling RED. 2002-07-25 09:37:11 +00:00
Philippe Charnier
e1205e80e5 The .Nm utility 2002-07-06 19:34:18 +00:00
Crist J. Clark
0f56b10c4b Enlighten those who read the FINE POINTS of the documentation a bit
more on how ipfw(8) deals with tiny fragments. While we're at it, add
a quick log message to even let people know we dropped a packet. (Note
that the second FINE POINT is somewhat redundant given the first, but
since the code is there, leave the docs for it.)

MFC after:	1 day
2002-05-01 06:29:16 +00:00
Ruslan Ermilov
6bfa982817 mdoc(7) police: tidy up the markup in revision 1.96. 2002-01-10 15:41:06 +00:00
Robert Watson
e036a58dab o Note that packets diverted using a 'divert' socket, and then
reinserted by a userland process, will lose a number of packet
  attributes, including their source interface.  This may affect
  the behavior of later rules, and while not strictly a BUG, may
  cause unexpected behavior if not clearly documented.  A similar
  note for natd(8) might be desirable.
2002-01-03 01:00:23 +00:00