Ruslan Ermilov
bc95ac80b2
Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.
PR: bin/18351
Reviewed by: archie, luigi
2000-10-12 07:59:14 +00:00
Ruslan Ermilov
3ab6704228
Reset globals for every new command read from preprocessed file.
2000-10-11 13:02:30 +00:00
Ruslan Ermilov
de2e7393d6
Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.
PR: bin/16179
2000-10-11 12:17:06 +00:00
Ruslan Ermilov
1e7492ffe1
Convert this Makefile to the usual style.
2000-10-06 11:18:11 +00:00
Ruslan Ermilov
79a74459fa
Document the latest firewall knobs.
2000-10-06 11:17:06 +00:00
Ruslan Ermilov
507c85be96
Respect the protocol when looking the port up by service name.
PR: 21742
2000-10-04 07:59:19 +00:00
Ruslan Ermilov
8ace7a5e69
Do not force argument to ``ipid'' modifier be in hex, and
accept value of zero as valid for IP Identification field.
2000-10-03 11:23:29 +00:00
Ruslan Ermilov
1b4ea5a1a3
Fixed the printing of TCP flags.
2000-10-03 10:37:03 +00:00
Bill Fumerola
98b829924f
Add new fields for more granularity:
IP: version, tos, ttl, len, id
TCP: seq#, ack#, window size
Reviewed by: silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
Ruslan Ermilov
3ea420e391
Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by: Peter Jeremy <peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
Warner Losh
595a9d6ebc
optreset is declared in unistd.h now.
2000-08-16 07:36:30 +00:00
Bill Fumerola
9a6eeac9f4
Fix a paste-o in the tcpoptions check (not a security problem, just an
error in the usage printf())
Reviewed by: rwatson
2000-07-17 03:02:15 +00:00
Kris Kennaway
ada79f6035
Don't call sprintf() with no format string.
2000-07-10 08:22:21 +00:00
Bill Fumerola
976a1c9106
Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.
The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
Luigi Rizzo
8a0b95d610
Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
Ruslan Ermilov
e439c30cf4
Fixed style bugs of rev 1.66.
2000-06-12 09:43:00 +00:00
Dan Moschuk
9714563d83
Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies. For example, to
rate syn packets without MSS,
ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
Luigi Rizzo
afb87ed2fd
Document new dummynet functionality, namely WF2Q+ and RED
2000-06-08 13:38:57 +00:00
Luigi Rizzo
6c28099089
userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
Sheldon Hearn
353fa3b66d
Remove extraneous Dv macro that slipped in, in rev 1.64.
2000-05-03 08:59:44 +00:00
Jeroen Ruigrok van der Werven
f1fb54a2f5
Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
Brian Feldman
0f95689794
Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
Ruslan Ermilov
ac13e0c5a0
A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by: luigi, sheldonh
2000-02-28 15:21:12 +00:00
Luigi Rizzo
20aed43d30
Use correct field for dst_port when displaying masks on dynamic pipes.
2000-02-13 11:46:59 +00:00
Luigi Rizzo
d69f84c0b4
Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
Luigi Rizzo
8c020cb775
Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.
Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
Archie Cobbs
56345b0f5c
Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
but should continue going through the rule list. This may be fixed
in a later version.
I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
Ruslan Ermilov
42c9b5b974
Remove one obsoleted entry from the BUGS section.
1999-10-20 12:59:35 +00:00
Brian Feldman
1efcedf596
Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.
Reviewed by: chris
1999-09-03 18:18:46 +00:00
Peter Wemm
7f3dea244c
$Id$ -> $FreeBSD$
1999-08-28 00:22:10 +00:00
Brian Feldman
32e7924603
To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
* macros expanding into _two_ comma-delimited arguments!
* snprintf!
* more snprintf!
* linting and criticism by more people than you can shake a stick at!
* a slightly more uniform message style than before!
and last but not least
* no less than 5 rewrites!
Reviewed by: committers
1999-08-21 18:35:55 +00:00
Luigi Rizzo
e2bd328224
Whoops, forgot one line in previous patch.
1999-08-12 05:32:11 +00:00
Luigi Rizzo
f0706ad422
Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
Brian Feldman
0b6c1a832d
Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
7a2aab80b0
This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
Ruslan Ermilov
689b0bd1d4
Document the usage of escape character in a service name.
PR: 7101
Reminded by: jhs
1999-06-15 12:56:38 +00:00
Ruslan Ermilov
0a81860b0b
Workaround the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:
# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any
PR: 7101
1999-06-11 09:43:53 +00:00
Ruslan Ermilov
43866c3e76
Fix the parsing of ip addresses on a command line.
PR: 5047
Reviewed by: des
Test case: ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
Ruslan Ermilov
06e70c77bb
Spelling corrections for dummynet.
Reviewed by: des,luigi
1999-06-02 05:59:48 +00:00
Kris Kennaway
39aa78dd44
Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.
Submitted by: Philippe Charnier
1999-05-29 08:12:38 +00:00
Luigi Rizzo
e142fadecb
close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
rules, thus preventing possible panics due to dangling pointers
(this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
tolerant of common mistakes (such as specifying kbit instead of Kbit)
PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
Guy Helmer
dc90479cca
Add ICMP types to list of information about each packet.
1999-04-29 19:14:17 +00:00
Guy Helmer
b67579bd36
Explain when packets are tested by the firewall rules and what attributes
of packets can be tested.
PR: docs/7437
1999-04-28 02:49:29 +00:00
Guy Helmer
e5a49961b1
Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by: Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
Archie Cobbs
14112159be
Fix bug where 'ipfw list' would choke if there were a large number of rules.
1999-01-22 01:46:32 +00:00
Archie Cobbs
6f206f2ef2
Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
Luigi Rizzo
d120b1c1fc
Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
Guy Helmer
b46dfa405c
Mention effect of securelevel 3 and higher on attempts to change filter lists.
Prompted by: PR docs/7785
1998-12-16 17:10:03 +00:00
Luigi Rizzo
b13ebaaa5c
ipfw changes for dummynet. manpages still missing
1998-12-14 18:43:03 +00:00
Archie Cobbs
b31a38612b
Disallow ipfw "tee" rules until it is actually implemented.
PR: bin/8471
1998-12-07 05:54:37 +00:00