Commit Graph

45 Commits

Author SHA1 Message Date
Peter Wemm
664a31e496 Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL"
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot).  This is consistant with the other
BSD's who made this change quite some time ago.  More commits to come.
1999-12-29 04:46:21 +00:00
Archie Cobbs
8948e4ba8e Miscellaneous fixes/cleanups relating to ipfw and divert(4):
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
  of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
  to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
  to ip_reass()
- style(9) fixes

Reviewed by:	julian, green
1999-12-06 00:43:07 +00:00
Peter Wemm
c3aac50f28 $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
Brian Feldman
4d1bb12d6c Correction: uid -> gid (comment) 1999-08-27 23:46:02 +00:00
Luigi Rizzo
772759420f Implement probabilistic rule match in ipfw. Each rule can be associated
with a match probability to achieve non-deterministic behaviour of
the firewall. This can be extremely useful for testing purposes
such as simulating random packet drop without having to use dummynet
(which already does the same thing), and simulating multipath effects
and the associated out-of-order delivery (this time in conjunction
with dummynet).

The overhead on normal rules is just one comparison with 0.

Since it would have been trivial to implement this by just adding
a field to the ip_fw structure, I decided to do it in a
backward-compatible way (i.e. struct ip_fw is unchanged, and as a
consequence you don't need to recompile ipfw if you don't want to
use this feature), since this was also useful for -STABLE.

When, at some point, someone decides to change struct ip_fw, please
add a length field and a version number at the beginning, so userland
apps can keep working even if they are out of sync with the kernel.
1999-08-11 15:34:47 +00:00
Brian Feldman
0b6c1a832d Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
f8075bf9b3 Correct a really gross comment format. 1999-07-28 22:22:57 +00:00
Brian Feldman
7a2aab80b0 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
Peter Wemm
66e55756b5 Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW  (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
  compiled-in hooks in ip_init().  This means they initialize the same
  way both in-kernel and as kld modules.  (IPFW initializes now :-)
1999-04-20 13:32:06 +00:00
Luigi Rizzo
b715f178c6 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
Poul-Henning Kamp
67a895f650 Widen and change the layout of the IPFW structures flag element.
This will allow us to add dummynet to 3.0

Recompile /sbin/ipfw AND your kernel.
1998-09-02 19:14:01 +00:00
Garrett Wollman
cfe8b629f1 Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Bruce Evans
e7a5897899 Added #include of <sys/queue.h> so that this file is more "self"-sufficent. 1998-02-03 22:19:35 +00:00
Alexander Langer
1c910ddbf9 Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.

NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel
    and userland ipfw utility.

  o This probably should not be brought into 2.2.

PR:		3738
1998-01-08 03:03:54 +00:00
Bruce Evans
55b211e3af Removed unused #includes. 1997-10-28 15:59:26 +00:00
Bruce Evans
514ede0953 Fixed gratuitous ANSIisms. 1997-09-16 11:44:05 +00:00
Alexander Langer
750f6aad7b Support interface names up to 15 characters in length. In order to
accommodate the expanded name, the ICMP types bitmap has been
reduced from 256 bits to 32.

A recompile of kernel and user level ipfw is required.

To be merged into 2.2 after a brief period in -current.

PR:		bin/4209
Reviewed by:	Archie Cobbs <archie@whistle.com>
1997-08-08 14:36:29 +00:00
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
Adam David
839cc09e53 implement "not" keyword for inverting the address logic 1997-01-16 21:04:29 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Søren Schmidt
fed1c7e9e4 Add hooks for an IP NAT module, much like the firewall stuff...
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
1996-08-21 21:37:07 +00:00
Paul Traina
cc98643e68 Completely rewrite handling of protocol field for firewalls, things are
now completely consistent across all IP protocols and should be quite a
bit faster.

Discussed with: fenner & alex
1996-08-13 19:43:41 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Alexander Langer
7a99108603 Big sweep over ipfw, picking up where Poul left off:
- Log ICMP type during verbose output.
  - Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service
    attacks via syslog flooding.
  - Filter based on ICMP type.
  - Timestamp chain entries when they are matched.
  - Interfaces can now be matched with a wildcard specification (i.e.
    will match any interface unit for a given name).
  - Prevent the firewall chain from being manipulated when securelevel
    is greater than 2.
  - Fixed bug that allowed the default policy to be deleted.
  - Ability to zero individual accounting entries.
  - Remove definitions of old_chk_ptr and old_ctl_ptr when compiling
    ipfw as a lkm.
  - Remove some redundant code shared between ip_fw_init and ipfw_load.

Closes PRs: 1192, 1219, and 1267.
1996-06-09 23:46:21 +00:00
Gary Palmer
b750974745 Correct spelling error in comment 1996-06-02 00:15:19 +00:00
Poul-Henning Kamp
23bf99538c Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
1996-04-03 13:52:20 +00:00
Poul-Henning Kamp
09bb5f7589 Make getsockopt() capable of handling more than one mbuf worth of data.
Use this to read rules out of ipfw.
Add the lkm code to ipfw.c
1996-02-24 13:38:28 +00:00
Poul-Henning Kamp
b83e431483 The new firewall functionality:
Filter on the direction (in/out).
	Filter on fragment/not fragment.
1996-02-24 00:17:35 +00:00
Poul-Henning Kamp
e7319bab6b Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.
1996-02-23 15:47:58 +00:00
Ugen J.S. Antsilevich
37afa1e829 Well..finally..this is the first part..it should take care of
matching IP options..Check and test this - i made only a couple
of rough tests and this could be buggy.. Ipaccounting can't use
IP Options (and i don't see any need to cound packets with specific
options either..)
More to come...
1995-10-01 21:52:50 +00:00
David Greenman
f70b105004 Added $Id$. 1995-07-23 05:36:31 +00:00
David Greenman
c6e8c3576e Fixed panic that occurs on certain firewall rejected packets that was
caused by dtom() being used on an mbuf cluster. The fix involves passing
around the mbuf pointer.

Submitted by:	Bill Fenner
1995-07-09 14:29:46 +00:00
Rodney W. Grimes
9b2e535452 Remove trailing whitespace. 1995-05-30 08:16:23 +00:00
Ugen J.S. Antsilevich
29fe22b93f Allow "via" to be specified ever as IP adress or
as interface name/unit...
1995-02-24 14:33:54 +00:00
Ugen J.S. Antsilevich
4dd1662b4c Actual firewall change.
1) Firewall is not subdivided on forwarding / blocking chains
   anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.
1995-01-12 13:06:32 +00:00
Ugen J.S. Antsilevich
3107b31b8d Add clear one accounting entry control.
Structure fields changed to seem more standart.
1994-12-13 15:57:34 +00:00
Ugen J.S. Antsilevich
10a642bb05 Add match by interface from which packet arrived (via)
Handle right fragmented packets. Remove checking option
from kernel..
1994-12-12 17:20:55 +00:00
Ugen J.S. Antsilevich
c334f8666a Added: ICMP reply,TCP SYN check,logging.. 1994-11-28 12:35:14 +00:00
Jordan K. Hubbard
63f8d699ac Ugen J.S.Antsilevich's latest, happiest, IP firewall code.
Poul:  Please take this into BETA.  It's non-intrusive, and a rather
substantial improvement over what was there before.
1994-11-16 10:17:11 +00:00
Jordan K. Hubbard
dbdc296687 Ugen makes it in with 10 seconds to spare with a one-char diff. Some
people are born lucky..
Submitted by:	ugen
1994-11-08 14:25:17 +00:00
Jordan K. Hubbard
72e8fea57e Almost 12th hour (the 11th hour was almost an hour ago :-) patches
from Ugen.
1994-11-08 12:47:29 +00:00
Jordan K. Hubbard
0a87b23329 Latest changes from Uben.
Submitted by:	uben
1994-10-31 23:58:04 +00:00
Jordan K. Hubbard
100ba1a617 IP Firewall code from Daniel Boulet and J.S.Antsilevich
Submitted by:	danny ugen
1994-10-28 15:09:49 +00:00