Commit Graph

178 Commits

Author SHA1 Message Date
Christian S.J. Peron
cd5f2f95b6 Restore the documentation about uid, gid or prison based rules requiring
that debug.mpsafenet be set to 0. It is still possible for dead locks to
occur while these filtering options are used due to the layering violation
inherent in their implementation.

Discussed:	-current, rwatson, glebius
2005-10-23 16:15:02 +00:00
Max Laier
13f5260916 Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.
Reminded by:	ru
2005-09-28 08:18:55 +00:00
Bjoern A. Zeeb
9066356ba1 * Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.

Submitted by:	sysctl handling derived from patch from ume needed for ip6fw
Obtained from:	is_icmp6_query and send_reject6 derived from similar
		functions of netinet6,ip6fw
Reviewed by:	ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after:	6 days
2005-08-13 11:02:34 +00:00
Colin Percival
e5610d524c Bump document date. Remove EOL whitespace introduced in previous
commit.  Start new line at sentence break in previous commit.

Approved by:	re (implicit, fixing a commit made 5 minutes ago)
2005-07-01 10:04:33 +00:00
Colin Percival
4beacf6666 Document some limitations of uid/gid rules.
Approved by:	re (rwatson)
MFC after:	3 days
2005-07-01 09:51:10 +00:00
Ruslan Ermilov
55c82bf0d4 Markup fixes.
Approved by:	re (blanket)
2005-06-14 11:24:56 +00:00
Brian Feldman
5278d40bcc Better explain, then actually implement the IPFW ALTQ-rule first-match
policy.  It may be used to provide more detailed classification of
traffic without actually having to decide its fate at the time of
classification.

MFC after:	1 week
2005-06-04 19:04:31 +00:00
Max Laier
57cd6d263b Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well.
This is the last requirement before we can retire ip6fw.

Reviewed by:	dwhite, brooks(earlier version)
Submitted by:	dwhite (manpage)
Silence from:	-ipfw
2005-06-03 01:10:28 +00:00
Gleb Smirnoff
0c0e9713a6 'ngtee' also depends on net.inet.ip.fw.one_pass. 2005-05-11 12:58:15 +00:00
Gleb Smirnoff
0af8180f8c IPFW version 2 is the only option now in HEAD. Do not confuse
users of future releases with instructions about building IPFW2
on RELENG_4.
2005-05-04 13:14:57 +00:00
Brooks Davis
8195404bed Add IPv6 support to IPFW and Dummynet.
Submitted by:	Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
2005-04-18 18:35:05 +00:00
Andre Oppermann
099dd0430b Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option:

 options IPFIREWALL_FORWARD_EXTENDED

This option has to be specified in addition to IPFIRWALL_FORWARD.

With this option even packets targeted for an IP address local
to the host can be redirected.  All restrictions to ensure proper
behaviour for locally generated packets are turned off.  Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.

Document the two kernel options.

PR:		kern/71910
PR:		kern/73129
MFC after:	1 week
2005-02-22 17:40:40 +00:00
Ruslan Ermilov
0227791b40 Expand *n't contractions. 2005-02-13 22:25:33 +00:00
Gleb Smirnoff
dc490fa2e9 Sort SEE ALSO.
Submitted by:	ru
2005-02-07 08:51:34 +00:00
Gleb Smirnoff
1676543619 Document how interaction with ng_ipfw node is configured. 2005-02-05 18:29:03 +00:00
Ruslan Ermilov
6087df9e8b Sort sections. 2005-01-18 10:09:38 +00:00
Ruslan Ermilov
5b1eeb71f2 Markup nits. 2005-01-15 11:21:24 +00:00
Ruslan Ermilov
214144704b Scheduled mdoc(7) sweep. 2005-01-10 16:17:34 +00:00
Christian S.J. Peron
02a85ee096 Update the IPFW man page to reflect reality. mpsafenet=0 is no longer
required when using ucred based rules.

Pointed out by:	seanc (thanks!)
MFC after:	1 month
2004-12-10 02:38:21 +00:00
Ceri Davies
20f13585ef Be more clear that "bridged" is a synonym for "layer2".
PR:		docs/44400
Submitted by:	Constantin Stefanov <cstef at mail dot ru>
2004-11-03 21:51:34 +00:00
Andre Oppermann
24fc79b0a4 Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload.
Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8)
man pages.
2004-10-22 19:12:01 +00:00
Christian S.J. Peron
93962a3a50 Add a note to the man page warning users about possible lock order
reversals+system lock ups if they are using ucred based rules
while running with debug.mpsafenet=1.

I am working on merging a shared locking mechanism into ipfw which
should take care of this problem, but it still requires a bit more
testing and review.
2004-10-09 20:07:33 +00:00
Brian Feldman
26dc327082 Reference altq(4) instead of pf.conf(5).
Tip of the hat to:	mlaier
2004-10-08 03:31:09 +00:00
Brian Feldman
c99ee9e042 Add support to IPFW for matching by TCP data length. 2004-10-03 00:47:15 +00:00
Brian Feldman
391a0e3306 Add the documentation for IPFW's diverted(-loopback|-output) matches. 2004-10-03 00:35:52 +00:00
Brian Feldman
974dfe3084 Add to IPFW the ability to do ALTQ classification/tagging. 2004-10-03 00:17:46 +00:00
Ruslan Ermilov
bf899c64f3 Prepare for 5.x soon becoming -STABLE.
Pointed out by:	-current users
2004-09-19 14:30:59 +00:00
Andre Oppermann
7c0102f575 Make 'ipfw tee' behave as inteded and designed. A tee'd packet is copied
and sent to the DIVERT socket while the original packet continues with the
next rule.  Unlike a normally diverted packet no IP reassembly attemts are
made on tee'd packets and they are passed upwards totally unmodified.

Note: This will not be MFC'd to 4.x because of major infrastucture changes.

PR:		kern/64240 (and many others collapsed into that one)
2004-09-13 16:46:05 +00:00
Christian S.J. Peron
a8247db1de Remove trailing whitespace and change "prisoniD" to "prisonID".
Pointed out by:	simon
Approved by:	bmilekic (mentor)
2004-08-13 02:50:59 +00:00
Christian S.J. Peron
31c88a3043 Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is it's ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
  to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While Iam here, add a comment informing others that if they
  want to add additional opcodes, they should append them to the end
  of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
  set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by:	pjd
Reviewed by:	rwatson
Approved by:	bmilekic (mentor)
2004-08-12 22:06:55 +00:00
Andre Oppermann
5f9541ecbd New ipfw option "antispoof":
For incoming packets, the packet's source address is checked if it
 belongs to a directly connected network.  If the network is directly
 connected, then the interface the packet came on in is compared to
 the interface the network is connected to.  When incoming interface
 and directly connected interface are not the same, the packet does
 not match.

Usage example:

 ipfw add deny ip from any to any not antispoof in

Manpage education by:	ru
2004-08-09 16:12:10 +00:00
Andre Oppermann
55db762b76 Extend versrcreach by checking against the rt_flags for RTF_REJECT and
RTF_BLACKHOLE as well.

To quote the submitter:

 The uRPF loose-check implementation by the industry vendors, at least on Cisco
 and possibly Juniper, will fail the check if the route of the source address
 is pointed to Null0 (on Juniper, discard or reject route). What this means is,
 even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
 uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
 as a pseudo-packet-firewall without using any manual filtering configuration --
 one can simply inject a IGP or BGP prefix with next-hop set to a static route
 that directs to null/discard facility. This results in uRPF Loose-check failing
 on all packets with source addresses that are within the range of the nullroute.

Submitted by:	James Jun <james@towardex.com>
2004-07-21 19:55:14 +00:00
Ruslan Ermilov
9806e23132 Mechanically kill hard sentence breaks. 2004-07-02 21:45:06 +00:00
Ruslan Ermilov
cd8b5ae0ae Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets.  Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after:	1 week
2004-06-09 20:10:38 +00:00
Maxim Konovalov
5cbcfccb41 o Fix usage example.
PR:		docs/67065
Submitted by:	David Syphers
2004-05-23 19:05:59 +00:00
Andre Oppermann
22b5770b99 Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table.  The
default route is ignored because it would match everything and
render the check pointless.

This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.

Example:

 ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

  ip verify unicast source reachable-via any

Reviewed by:	luigi
2004-04-23 14:28:38 +00:00
Ceri Davies
a155540f4b Backout revision 1.140; it seems that the previous version is clear
enough.

Requested by:	ru
2004-03-27 14:13:53 +00:00
Maxim Konovalov
1621280872 o The lenght of the port list is limited to 30 entries in ipfw2 not to 15.
PR:		docs/64534
Submitted by:	Dmitry Cherkasov
MFC after:	1 week
2004-03-26 19:09:22 +00:00
Ceri Davies
cdfd991b87 Clarify the description of the "established" option.
PR:		docs/50391
Submitted by:	root@edcsm.jussieu.fr
MFC after:	1 week
2004-03-22 21:24:38 +00:00
Mike Makonnen
c6609fcd7c grammar 2004-01-23 06:37:19 +00:00
Maxim Konovalov
3abea06d63 o -c (compact) flag is ipfw2 feature.
PR:		bin/56328
MFC after:	3 days
2004-01-15 12:59:44 +00:00
Maxim Konovalov
d06b32b094 o -f (force) in conjunction with -p (preprocessor) is ipfw2 feature.
MFC after:	3 days
2004-01-15 12:57:04 +00:00
Maxim Konovalov
cec4ab6a04 o Legitimate -f (force) flags for -p (preprocessor) case.
PR:		bin/60433
Submitted:	Bjoern A. Zeeb
MFC after:	3 weeks
2003-12-24 13:04:04 +00:00
Luigi Rizzo
ac6cec512b Add a -b flag to /sbin/ipfw to print only action and comment for each
rule, thus omitting the entire body.
This makes the output a lot more readable for complex rulesets
(provided, of course, you have annotated your ruleset appropriately!)

MFC after: 3 days
2003-12-12 16:14:28 +00:00
Sam Leffler
d559f5c3d8 Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate
code is compiled in to support the O_IPSEC operator.  Previously no
support was included and ipsec rules were always matching.  Note that
we do not return an error when an ipsec rule is added and the kernel
does not have IPsec support compiled in; this is done intentionally
but we may want to revisit this (document this in the man page).

PR:		58899
Submitted by:	Bjoern A. Zeeb
Approved by:	re (rwatson)
2003-12-02 00:23:45 +00:00
Ralf S. Engelschall
d1f602f79e fix typo: s/sytem/system/ 2003-09-26 12:22:28 +00:00
Peter Pentchev
94679655fd Document the alternate way of matching MAC addresses: by a bitmask.
PR:		56021
Submitted by:	Glen Gibb <grg@ridley.unimelb.edu.au>
MFC after:	1 month
2003-09-10 06:41:16 +00:00
Luigi Rizzo
a0e26ba089 Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific 2003-07-22 07:41:24 +00:00
Luigi Rizzo
3004afca6e Userland side of:
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implement a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards
2003-07-15 23:08:44 +00:00
Luigi Rizzo
1b43a426de Add a '-T' flag to print the timestamp as numeric value instead
of converting it with ctime(). This is a lot more convenient for
postprocessing.

Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
2003-07-12 08:35:25 +00:00