Commit Graph

195 Commits

Author SHA1 Message Date
Crist J. Clark
0f56b10c4b Enlighten those who read the FINE POINTS of the documentation a bit
more on how ipfw(8) deals with tiny fragments. While we're at it, add
a quick log message to even let people know we dropped a packet. (Note
that the second FINE POINT is somewhat redundant given the first, but
since the code is there, leave the docs for it.)

MFC after:	1 day
2002-05-01 06:29:16 +00:00
Matthew Dillon
170ac683f2 I've been meaning to do this for a while. Add an underscore to the
time_to_xxx() and xxx_to_time() functions.  e.g. _time_to_xxx()
instead of time_to_xxx(), to make it more obvious that these are
stopgap functions & placemarkers and not meant to create a defacto
standard.  They will eventually be replaced when a real standard
comes out of committee.
2002-01-19 23:20:02 +00:00
Ruslan Ermilov
6bfa982817 mdoc(7) police: tidy up the markup in revision 1.96. 2002-01-10 15:41:06 +00:00
Robert Watson
e036a58dab o Note that packets diverted using a 'divert' socket, and then
reinserted by a userland process, will lose a number of packet
  attributes, including their source interface.  This may affect
  the behavior of later rules, and while not strictly a BUG, may
  cause unexpected behavior if not clearly documented.  A similar
  note for natd(8) might be desirable.
2002-01-03 01:00:23 +00:00
Yaroslav Tykhiy
c1201321e4 Move the discussion of how many times a packet will pass through
ipfirewall(4) to the IMPLEMENTATION NOTES section because it
considers kernel internals and may confuse newbies if placed
at the very beginning of the manpage (where it used to be previously.)

Not objected by:	luigi
2002-01-02 20:48:21 +00:00
Yaroslav Tykhiy
5b20d7fa96 Clarify the "show" ipfw(8) command.
PR:		docs/31263
Permitted by:	luigi
2002-01-02 20:16:15 +00:00
Yaroslav Tykhiy
a66dbdf331 Fix a typo: wierd -> weird 2002-01-02 19:46:14 +00:00
Julian Elischer
116f97b066 Fix documentation to match reality 2001-12-28 22:24:26 +00:00
Yaroslav Tykhiy
b6ee452478 Implement matching IP precedence in ipfw(4).
Submitted by:   Igor Timkin <ivt@gamma.ru>
2001-12-21 18:43:37 +00:00
Ralf S. Engelschall
43ce89e115 At least once mention the long names of WF2Q+ (Worst-case Fair Weighted
Fair Queueing) and RED (Random Early Detection) to both give the reader
a hint what they are and to make it easier to find out more information
about them.
2001-12-14 21:51:28 +00:00
David E. O'Brien
2d68bf45bf Default to WARNS=2.
Binary builds that cannot handle this must explicitly set WARNS=0.

Reviewed by:	mike
2001-12-04 02:19:58 +00:00
Luigi Rizzo
2022d11f02 sync the code with the one in stable (mostly formatting changes). 2001-11-04 23:19:46 +00:00
Luigi Rizzo
d32ab253ae Fix a typo in a format string, and fix error checking for missing
masks in "limit" rules.
2001-11-01 08:45:02 +00:00
Josef Karthauser
b404d15b59 More white space changes. 2001-10-29 03:46:28 +00:00
Josef Karthauser
285e176b66 More stylistic tidying. 2001-10-29 03:25:49 +00:00
Josef Karthauser
a87d240115 Remove training white spaces, and some other style violations. 2001-10-29 00:37:24 +00:00
Matthew Dillon
9ef76b94a7 Properly convert long to time_t 2001-10-28 20:19:14 +00:00
Josef Karthauser
6e97e2e10f Remove some extraneous spaces from the usage message. 2001-10-28 02:10:40 +00:00
Dima Dorfman
075908f115 Repair typo.
PR:		31262
Submitted by:	<swear@blarg.net>
2001-10-14 22:46:05 +00:00
Ruslan Ermilov
4ae29521b3 mdoc(7) police: fix markup. 2001-10-01 14:13:36 +00:00
Bill Fumerola
b53adbbf93 now that jlemon has added a hash table to lookup locally configured ip
addresses (and the macros that ipfw(4) use to lookup data for the 'me'
keyword have been converted) remove a comment about using 'me' being a
"computationally expensive" operation.

while I'm here, change two instances of "IP number" to "IP address"
2001-09-29 06:33:42 +00:00
Luigi Rizzo
830cc17841 Two main changes here:
+ implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week
2001-09-27 23:44:27 +00:00
Luigi Rizzo
32f967a3c0 A bunch of minor changes to the code (see below) for readability, code size
and speed. No new functionality added (yet) apart from a bugfix.
MFC will occur in due time and probably in stages.

BUGFIX: fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (there is a PR on this).

OTHER CHANGES: minor changes to the internal struct for static and dynamic rules.
Requires rebuild of ipfw binary.

Add comments to show how data structures are linked together.
(It probably makes no sense to keep the chain pointers separate
from actual rule descriptors. They will be hopefully merged soon.

keep a (sysctl-readable) counter for the number of static rules,
to speed up IP_FW_GET operations

initial support for a "grace time" for expired connections, so we
can set timeouts for closing connections to much shorter times.

merge zero_entry() and resetlog_entry(), they use basically the
same code.

clean up and reduce replication of code for removing rules,
both for readability and code size.

introduce a separate lifetime for dynamic UDP rules.

fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (PR ...)

restructure dynamic rule descriptors

introduce some local variables to avoid multiple dereferencing of
pointer chains (reduces code size and hopefully increases speed).
2001-09-20 13:52:49 +00:00
Ruslan Ermilov
4387c7c2af Non-decimal ``skipto'' rule numbers are meaningless.
Noticed by:	"Marc G. Fournier" <scrappy@hub.org>
MFC after:	3 days
2001-09-19 15:12:14 +00:00
Ruslan Ermilov
c4d9468ea0 mdoc(7) police:
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only this slows down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
2001-08-07 15:48:51 +00:00
Ruslan Ermilov
f47a6dce89 Fixed one more breakage introduced in 1.103 cleanup.
ICMP types were reported incorrectly:

# ipfw add allow icmp from any to any icmptypes 0,8

PR:		bin/29185
Submitted by:	Mike Durian <durian@boogie.com>
2001-08-06 13:03:38 +00:00
David E. O'Brien
57a72165c7 style(9) 2001-08-01 07:05:51 +00:00
Crist J. Clark
ed41e60f75 Error messaging in ipfw(8) was out of hand, almost 50 lines of usage
information for any command line error, the actual error message
almost always (and sometimes irretrievably) lost scrolling off the top
of the screen. Now just print the error. Give ipfw(8) no arguments for
the old usage summary.

Thanks to Lyndon Nerenberg <lyndon@orthanc.ab.ca> for the patch and
PR, but I had already done this when ru pointed out the PR.

PR:		bin/28729
Approved by:	ru
MFC after:	1 week
2001-07-22 06:40:11 +00:00
Ruslan Ermilov
9fe48c6e8d mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 11:04:34 +00:00
Crist J. Clark
9dbb5e6869 Fix rule parsing breakage introduced in 1.103 cleanup. 'tcp' and
'icmp' rules could drop into infinite loops when given bad arguments.

Reviewed by:	ru, des
Approved by:	ru
2001-07-10 05:44:51 +00:00
Dima Dorfman
70d51341bf mdoc(7) police: remove extraneous .Pp before and/or after .Sh. 2001-07-09 09:54:33 +00:00
Kris Kennaway
8fb0816a85 Silence format string warnings.
MFC after:	2 weeks
2001-07-01 22:00:26 +00:00
Chris Costello
fb478e5d0b Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the
checklist.

MFC after:	1 week
2001-06-06 20:56:56 +00:00
Dag-Erling Smørgrav
266b63f4d0 Invert the meaning of the -d option (i.e. default to *not* list dynamic rules,
but list them if -d was specified).

Avoid listing expired dynamic rules unless the (new) -e option was specified.

If specific rule numbers were listed on the command line, and the -d flag was
specified, only list dynamic rules that match the specified rule numbers.

Try to partly clean up the bleeding mess this file has become.  If there is
any justice in this world, the responsible parties (you know who you are!)
should expect to wake up one morning with a horse's head in their bed.  The
code still looks like spaghetti, but at least now it's *properly intented*
spaghetti (hmm?  did somebody say "tagliatelle"?).
2001-06-04 23:56:26 +00:00
David Malone
78e4a3143e Add a flag to "ipfw show" which supresses the display of dynamic
rules.  Also, don't show dynamic rules if you only asked to see a
certain rule number.

PR:		18550
Submitted by:	Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Approved by:	luigi
MFC after:	2 weeks
2001-05-20 10:01:39 +00:00
Ruslan Ermilov
506c373bc0 Update comment to match ipfw/ipfw.c,v 1.95. 2001-04-13 06:49:47 +00:00
Bruce Evans
594279ec73 Fixed some printf format errors (don't assume that ntohl() returns u_long). 2001-04-05 07:37:55 +00:00
Ruslan Ermilov
0a5779d45b - Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.
2001-03-26 14:33:27 +00:00
Ruslan Ermilov
fe655281c5 Set the default manual section for sbin/ to 8. 2001-03-20 18:13:31 +00:00
Ruslan Ermilov
7350bb3af1 mdoc(7) police: removed hard sentence break introduced in rev 1.82. 2001-03-16 07:39:46 +00:00
Dima Dorfman
32de505213 Explain that TCP fragments with an offset of 1 are reported as being
dropped by rule -1 if logging is enabled.

PR:		25796
Submitted by:	Crist J. Clark <cjclark@alum.mit.edu>
Approved by:	nik
2001-03-16 01:28:11 +00:00
Ruslan Ermilov
dc60ef4a4e Document that the IPFW messages are logged via syslogd(8). 2001-02-22 09:12:44 +00:00
Ruslan Ermilov
d4339464da mdoc(7) police: normalize the construct. 2001-02-15 08:36:20 +00:00
Sheldon Hearn
63ca8f4ad1 Fix grammar nit in previous commit. 2001-02-14 15:03:20 +00:00
Poul-Henning Kamp
bb07ec8c84 Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface.  This is useful for routers with
dynamic interfaces.  It is now possible to say:

        0100 allow       tcp from any to any established
        0200 skipto 1000 tcp from any to any
        0300 allow       ip from any to any
        1000 allow       tcp from 1.2.3.4 to me 22
        1010 deny        tcp from any to me 22
        1020 allow       tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
2001-02-13 14:12:37 +00:00
Robert Watson
65450f2f77 o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets.  This patch
  stops overloading those bits in the IP firewall rules, and moves
  colliding flags to a seperate field, ipflg.  The IPFW userland
  management tool, ipfw(8), is updated to reflect this change.  New TCP
  flags related to ECN are now included in tcp.h for reference, although
  we don't currently implement TCP+ECN.

o To use this fix without completely rebuilding, it is sufficient to copy
  ip_fw.h and tcp.h into your appropriate include directory, then rebuild
  the ipfw kernel module, and ipfw tool, and install both.  Note that a
  mismatch between module and userland tool will result in incorrect
  installation of firewall rules that may have unexpected effects.  This
  is an MFC candidate, following shakedown.  This bug does not appear
  to affect ipfilter.

Reviewed by:	security-officer, billf
Reported by:	Aragon Gouveia <aragon@phat.za.net>
2001-01-09 03:10:30 +00:00
Ruslan Ermilov
d90d7015f9 Prepare for mdoc(7)NG. 2000-12-27 14:40:52 +00:00
Ruslan Ermilov
1252c1bb05 Prepare for mdoc(7)NG. 2000-12-18 15:16:24 +00:00
Ruslan Ermilov
f4d874a1db mdoc(7) police: do not split author names in the AUTHORS section. 2000-11-22 09:35:58 +00:00
Ruslan Ermilov
7c7fb079b9 mdoc(7) police: use the new features of the Nm macro. 2000-11-20 16:52:27 +00:00