Commit Graph

545 Commits

Author SHA1 Message Date
Alexander V. Chernikov
fb2b51fab1 Add net.inet.ip.fw.dyn_keep_states sysctl which
re-links dynamic states to default rule instead of
flushing on rule deletion.
This can be useful while performing ruleset reload
(think about `atomic` reload via changing sets).
Currently it is turned off by default.

MFC after:	2 weeks
Sponsored by:	Yandex LLC
2013-12-18 20:17:05 +00:00
Alexander V. Chernikov
1058f17749 Check ipfw table numbers in both user and kernel space before rule addition.
Found by:	Saychik Pavel <umka@localka.net>
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2013-11-28 10:28:28 +00:00
Alexander V. Chernikov
4d47b0d69c Fix key lookup in ipfw(8) broken since r232865.
Print warning for IPv4 address strings which are valid in
inet_aton() but not valid in inet_pton(). (1)

Found by:	Özkan KIRIK <ozkan.kirik@gmail.com>
Submitted by:	Ian Smith <smithi@nimnet.asn.au> (1)
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2013-11-27 10:10:25 +00:00
Stefan Eßer
8310a2b88c Remove duplicated parapgraph.
MFC after:	3 days
2013-07-24 08:36:29 +00:00
Alexander V. Chernikov
21278efe5b Fix ipfw(8) sets of ipv6 addresses handling.
Conditionally use stack buffer instead of calling strdup().

PR:		bin/104921
MFC after:	2 weeks
2013-05-18 04:49:00 +00:00
Joel Dahl
2063b2c09b Minor spelling and grammar fixes. 2013-04-11 19:05:24 +00:00
Joel Dahl
b22247c287 Remove EOL whitespace. 2013-03-21 11:22:13 +00:00
Alexander V. Chernikov
2d6fcc3912 Remove unused variable. 2013-03-20 10:36:38 +00:00
Alexander V. Chernikov
ae01d73c04 Add ipfw support for setting/matching DiffServ codepoints (DSCP).
Setting DSCP support is done via O_SETDSCP which works for both
IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
Dscp can be specified by name (AFXY, CSX, BE, EF), by value
(0..63) or via tablearg.

Matching DSCP is done via another opcode (O_DSCP) which accepts several
classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

Many people made their variants of this patch, the ones I'm aware of are
(in alphabetic order):

Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin

PR:		kern/102471, kern/121122
MFC after:	2 weeks
2013-03-20 10:35:33 +00:00
Alexander V. Chernikov
f71133f64f Do not suddenly fail on some rulesets if -n (syntax check only) is specified
and ipfw(4) module is not loaded.

MFC after:	2 weeks
2013-03-04 19:01:38 +00:00
Alexander V. Chernikov
579ed7bd05 Implement buffer size checking in ipfw(8) add cmd.
PR:		bin/65961
Submitted by:	Eugene Grosbein <eugen@grosbein.pp.ru>
MFC after:	2 weeks
2013-03-03 14:05:03 +00:00
Alexander V. Chernikov
136b1ada11 Fix ipfw table argument parsing/printing.
Fix style.

PR:		kern/175909
Submitted by:	Daniel Hagerty <hag@linnaean.org>
MFC after:	2 weeks
2013-03-02 18:51:26 +00:00
Andrey V. Elsukov
ffdbf9da3b Remove the recently added sysctl variable net.pfil.forward.
Instead, add protocol specific mbuf flags M_IP_NEXTHOP and
M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain
contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup
only when this flag is set.

Suggested by:	andre
2012-11-02 01:20:55 +00:00
Andrey V. Elsukov
c1de64a495 Remove the IPFIREWALL_FORWARD kernel option and make possible to turn
on the related functionality in the runtime via the sysctl variable
net.pfil.forward. It is turned off by default.

Sponsored by:	Yandex LLC
Discussed with:	net@
MFC after:	2 weeks
2012-10-25 09:39:14 +00:00
Alexander V. Chernikov
26dd50684e Whitespace fixes
MFC after:	2 weeks
2012-09-24 17:34:30 +00:00
Alexander V. Chernikov
7e00325dff Permit table to be used as IPv6 address.
Reported by:	Serhiy Popov <sergiuspso@ukr.net>
MFC after:	2 weeks
2012-09-24 17:31:08 +00:00
Benjamin Kaduk
2aecf1d196 Fix grammar in the portion about FIBs. Also, cross-reference
setfib(2) instead of setfib(1) for the 16-FIB limit.

PR:		docs/157452
Approved by:	hrs (mentor)
2012-09-18 16:00:44 +00:00
Benjamin Kaduk
3a99e819f3 Whitespace cleanup for ipfw.8 -- start each sentence on a new line,
and put a comma after e.g. and i.e..  While here, wrap long lines.

PR:		docs/157452
Approved by:	hrs (mentor)
2012-09-18 02:33:23 +00:00
Kevin Lo
3dedcef753 Remove unused values 2012-09-11 07:54:41 +00:00
Luigi Rizzo
a4a16855c3 remove the last __unused instance in sbin/ipfw.
This particular function (show_prerequisites() ) we should actually
remove the argument from the callers as well, but i'll do it at a
later time.
2012-07-30 11:02:22 +00:00
Luigi Rizzo
6a7bb02d77 Fix some compile errors at high WARNS, including one
for an uninitialized variable.

unused parameters and variables are annotated with
	(void)foo;	/* UNUSED */
instead of __unused, because this code needs to build
also on linux and windows.
2012-07-30 10:55:23 +00:00
Isabell Long
8e68324104 In ipfw(8), make the text about dynamic rules consistent.
PR:		docs/120539
Approved by:	gabor (mentor)
MFC after:	5 days
2012-07-16 22:15:30 +00:00
Hiroki Sato
8efbd296e0 Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on:	freebsd-ipfw@
2012-07-09 07:16:19 +00:00
Isabell Long
82cecbea69 - Make ipfw's sched rules case insensitive, for user-friendliness.
- Add a note to the ipfw(8) man page about the rules no longer being
case sensitive.
- Fix some typos in the man page.

PR:		docs/164772
Reviewed by:	bz
Approved by:	gabor (doc mentor, src committer)
MFC after:	2 weeks
2012-07-03 08:42:48 +00:00
Alexander V. Chernikov
2bd61de08c Update maximum number of tables available in ipfw to reflect
changes done in r233478.

Approved by:      kib(mentor)
MFC after:        3 days
2012-06-09 20:47:58 +00:00
Joel Dahl
5da4420931 mdoc: use Po and Pc macros instead of parens. Also avoid starting a line
with Ns.
2012-05-12 17:14:55 +00:00
Eitan Adler
50d675f7a9 Remove trailing whitespace per mdoc lint warning
Disussed with:	gavin
No objection from:	doc
Approved by:	joel
MFC after:	3 days
2012-03-29 05:02:12 +00:00
Alexander V. Chernikov
732d27b32d - Permit number of ipfw tables to be changed in runtime.
net.inet.ip.fw.tables_max is now read-write.

- Bump IPFW_TABLES_MAX to 65535
Default number of tables is still 128

- Remove IPFW_TABLES_MAX from ipfw(8) code.

Sponsored by Yandex LLC

Approved by:    kib(mentor)

MFC after:      2 weeks
2012-03-25 20:37:59 +00:00
Joel Dahl
091eeb4841 Remove superfluous paragraph macro. 2012-03-25 09:21:09 +00:00
Alexander V. Chernikov
f8bee51a69 - Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be loader tunable in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds

No ABI changes are introduced. Old userland will see valid tables for
IPv4 tables and no entries otherwise. Flush works for any table.

IP_FW3 socket option is used to encapsulate all new opcodes:
 /* IP_FW3 header/opcodes */
 typedef struct _ip_fw3_opheader {
        uint16_t opcode;        /* Operation opcode */
        uint16_t reserved[3];   /* Align to 64-bit boundary */
 } ip_fw3_opheader;

New opcodes added:
 IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

ipfw(8) table argument parsing behavior is changed:
 'ipfw table 999 add host' now assumes 'host' to be interface name instead of
 hostname.

New tunable:
 net.inet.ip.fw.tables_max controls number of table supported by ipfw in given
 VNET instance. 128 is still the default value.

New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out

This is a bit hackish, special interface name '\1' is used to signal interface
table number is passed in p.glob field.

Sponsored by Yandex LLC

Reviewed by:    ae
Approved by:    ae (mentor)

MFC after:      4 weeks
2012-03-12 14:07:57 +00:00
Luigi Rizzo
fa8d2a59bc remove some write-only variables.
There is another block of code that is now useless as the computation
is done in the kernel.
2012-03-01 17:35:16 +00:00
Gavin Atkinson
1748d1e513 Correct capitalization of "Hz" in user-visible text (manpages, printf(),
etc).

MFC after:	3 days
2012-02-28 13:19:34 +00:00
Gleb Smirnoff
600103fc0b Bump .Dd for r231076.
Submitted by:	bz
2012-02-06 11:51:04 +00:00
Gleb Smirnoff
23ccd3d976 Make the 'tcpwin' option of ipfw(8) accept ranges and lists.
Submitted by:	sem
2012-02-06 11:35:29 +00:00
Ulrich Spörlein
4b85a12f71 Spelling fixes for sbin/ 2012-01-07 16:09:33 +00:00
Ed Schouten
b3608ae18f Replace index() and rindex() calls with strchr() and strrchr().
The index() and rindex() functions were marked LEGACY in the 2001
revision of POSIX and were subsequently removed from the 2008 revision.
The strchr() and strrchr() functions are part of the C standard.

This makes the source code a lot more consistent, as most of these C
files also call into other str*() routines. In fact, about a dozen
already perform strchr() calls.
2012-01-03 18:51:58 +00:00
Eitan Adler
9dad738716 - Add fallthrough comment
Approved by:	pluknet
Found with:	Coverity Prevent(tm)
CID:		10125
2011-12-24 22:37:27 +00:00
Gleb Smirnoff
8d913bf8e8 Fix parsing of redirect_addr argument.
PR:		kern/162739
MFC after:	3 days
2011-11-23 18:38:08 +00:00
Eitan Adler
3b6dc18ef5 - fix duplicate "a a" in some comments
Submitted by:	eadler
Approved by:	simon
MFC after:	3 days
2011-11-13 17:06:33 +00:00
Gleb Smirnoff
0809c540f4 Note that NAT instance argument can be tablearg.
PR:		misc/162265
Submitted by:	Paul Procacci <pprocacci gmail.com>
2011-11-10 12:05:26 +00:00
Bjoern A. Zeeb
8a006adb24 Add support for IPv6 to ipfw fwd:
Distinguish IPv4 and IPv6 addresses and optional port numbers in
user space to set the option for the correct protocol family.
Add support in the kernel for carrying the new IPv6 destination
address and port.
Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change
the address in the IP header.
Add support for IPv6 forwarding to a non-local destination.
Add a regession test uitilizing VIMAGE to check all 20 possible
combinations I could think of.

Obtained from:	David Dolson at Sandvine Incorporated
		(original version for ipfw fwd IPv6 support)
Sponsored by:	Sandvine Incorporated
PR:		bin/117214
MFC after:	4 weeks
Approved by:	re (kib)
2011-08-20 17:05:11 +00:00
John Baldwin
e89359c21e Fix a regression where a rule containing a source port option after a
destination IP would incorrectly display the source port as a destination
port.

Reviewed by:	luigi
Approved by:	re (kib)
MFC after:	1 week
2011-08-17 14:39:45 +00:00
Andrey V. Elsukov
9527ec6e52 Add new rule actions "call" and "return" to ipfw. They make
possible to organize subroutines with rules.

The "call" action saves the current rule number in the internal
stack and rules processing continues from the first rule with
specified number (similar to skipto action). If later a rule with
"return" action is encountered, the processing returns to the first
rule with number of "call" rule saved in the stack plus one or higher.

Submitted by:	Vadim Goncharov
Discussed by:	ipfw@, luigi@
2011-06-29 10:06:58 +00:00
Andrey V. Elsukov
0dba401da6 Improve error reporting. Use corresponding error message when file to be
preprocessed is missing. Also suggest to use absolute pathname if -p option
is specified.

PR:             bin/156653
MFC after:      2 weeks
2011-06-29 06:45:44 +00:00
Gleb Smirnoff
6ca60beb25 Actually, if code had followed style(9), there would be less stupid errors
like the one fixed in r223416.

Noticed by:	julian
2011-06-24 12:55:16 +00:00
Gleb Smirnoff
0103912db8 One more braino from me.
Pointy hat to:	glebius
Submitted by:	Alexander V. Chernikov <melifaro ipfw.ru>
2011-06-22 08:20:01 +00:00
Ben Laurie
5f301949ef Fix clang warnings.
Approved by:	philip (mentor)
2011-06-18 13:56:33 +00:00
Gleb Smirnoff
ce97208218 - Fix my braino in the 220835, when I used strtok(). It isn't
applicable here, since modifies the string. Switch to strchr().
- Restore support for undocumented optional parameters of
  redir_port and redir_proto, that were disabled in 220835.
- While here, change !isalpha() checks on optinal parameters
  for isdigit().

Submitted by:	Alexander V. Chernikov <melifaro ipfw.ru>
PR:		kern/143653
2011-06-17 12:12:52 +00:00
Andrey V. Elsukov
1875bbfe54 Implement "global" mode for ipfw nat. It is similar to natd(8)
"globalport" option for multiple NAT instances.

If ipfw rule contains "global" keyword instead of nat_number, then
for each outgoing packet ipfw_nat looks up translation state in all
configured nat instances. If an entry is found, packet aliased
according to that entry, otherwise packet is passed unchanged.

User can specify "skip_global" option in NAT configuration to exclude
an instance from the lookup in global mode.

PR:		kern/157867
Submitted by:	Alexander V. Chernikov (previous version)
Tested by:	Eugene Grosbein
2011-06-14 13:35:24 +00:00
Andrey V. Elsukov
980ccceb94 Check nat id a bit more strictly. 2011-06-14 13:02:26 +00:00