freebsd-nq/sys/netinet
Luigi Rizzo 43405724ec One bugfix and one new feature.
The bugfix (ipfw2.c) makes the handling of port numbers with
a dash in the name, e.g. ftp-data, consistent with old ipfw:
use \\ before the - to consider it as part of the name and not
a range separator.

The new feature (all this description will go in the manpage):

each rule now belongs to one of 32 different sets, which can
be optionally specified in the following form:

	ipfw add 100 set 23 allow ip from any to any

If "set N" is not specified, the rule belongs to set 0.

Individual sets can be disabled, enabled, and deleted with the commands:

	ipfw disable set N
	ipfw enable set N
	ipfw delete set N

Enabling/disabling of a set is atomic. Rules belonging to a disabled
set are skipped during packet matching, and they are not listed
unless you use the '-S' flag in the show/list commands.
Note that dynamic rules, once created, are always active until
they expire or their parent rule is deleted.
Set 31 is reserved for the default rule and cannot be disabled.

All sets are enabled by default. The enable/disable status of the sets
can be shown with the command

	ipfw show sets

Hopefully, this feature will make life easier for those who want to
have atomic ruleset addition/deletion/tests. Examples:

To add a set of rules atomically:

	ipfw disable set 18
	ipfw add ... set 18 ...		# repeat as needed
	ipfw enable set 18

To delete a set of rules atomically:

	ipfw disable set 18
	ipfw delete set 18
	ipfw enable set 18

To test a ruleset and disable it and regain control if something
goes wrong:

	ipfw disable set 18
	ipfw add ... set 18 ...         # repeat as needed
	ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18

    here if everything goes well, you press control-C before
    the "sleep" terminates, and your ruleset will be left
    active. Otherwise, e.g. if you cannot access your box,
    the ruleset will be disabled after the sleep terminates.

I think there is only one more thing that one might want, namely
a command to assign all rules in set X to set Y, so one can
test a ruleset using the above mechanisms, and once it is
considered acceptable, make it part of an existing ruleset.
2002-08-10 04:37:32 +00:00
libalias Don't forget to recalculate the IP checksum of the original 2002-07-23 00:16:19 +00:00
accf_data.c Remove so*_locked(), which were backed out by mistake. 2002-06-18 07:42:02 +00:00
accf_http.c Remove so*_locked(), which were backed out by mistake. 2002-06-18 07:42:02 +00:00
icmp6.h Revised MLD-related definitions 2002-05-06 16:28:25 +00:00
icmp_var.h Remove __P. 2002-03-19 21:25:46 +00:00
if_atm.c - Change the newly turned INVARIANTS #ifdef blocks (they were changed from 2002-05-21 18:52:24 +00:00
if_atm.h Remove __P. 2002-03-19 21:25:46 +00:00
if_ether.c Introduce support for Mandatory Access Control and extensible 2002-07-31 16:45:16 +00:00
if_ether.h Fixed some style bugs in the removal of __P(()). Continuation lines 2002-03-24 10:19:10 +00:00
igmp_var.h Remove __P. 2002-03-19 21:25:46 +00:00
igmp.c Introduce support for Mandatory Access Control and extensible 2002-07-31 16:46:56 +00:00
igmp.h
in_cksum.c
in_gif.c just merged cosmetic changes from KAME to ease sync between KAME and FreeBSD. 2002-04-19 04:46:24 +00:00
in_gif.h Remove __P. 2002-03-19 21:25:46 +00:00
in_pcb.c cleanup usage of ip6_mapped_addr_on and ip6_v6only. now, 2002-07-25 17:40:45 +00:00
in_pcb.h do not refer to IN6P_BINDV6ONLY anymore. 2002-07-22 15:51:02 +00:00
in_proto.c Remove __P. 2002-03-19 21:25:46 +00:00
in_rmx.c Remove __P. 2002-03-19 21:25:46 +00:00
in_systm.h Remove __P. 2002-03-19 21:25:46 +00:00
in_var.h Fixed some style bugs in the removal of __P(()). Continuation lines 2002-03-24 10:19:10 +00:00
in.c Lock up inpcb. 2002-06-10 20:05:46 +00:00
in.h Remove some duplicate types that should have been removed as part of 2002-05-11 23:28:51 +00:00
ip6.h Sync with recent KAME. 2001-06-11 12:39:29 +00:00
ip_divert.c Introduce support for Mandatory Access Control and extensible 2002-07-31 16:42:47 +00:00
ip_dummynet.c Fix a panic when doing "ipfw add pipe 1 log ..." 2002-07-17 07:21:42 +00:00
ip_dummynet.h fix indentation of a comment 2002-06-23 09:14:24 +00:00
ip_ecn.c initialize local variable explicitly 2002-04-11 02:14:21 +00:00
ip_ecn.h Remove __P. 2002-03-19 21:25:46 +00:00
ip_encap.c just merged cosmetic changes from KAME to ease sync between KAME and FreeBSD. 2002-04-19 04:46:24 +00:00
ip_encap.h Remove __P. 2002-03-19 21:25:46 +00:00
ip_flow.c s/FREE/free/ 2001-11-04 17:35:31 +00:00
ip_flow.h
ip_fw2.c One bugfix and one new feature. 2002-08-10 04:37:32 +00:00
ip_fw.c Remove (almost all) global variables that were used to hold 2002-06-22 11:51:02 +00:00
ip_fw.h One bugfix and one new feature. 2002-08-10 04:37:32 +00:00
ip_icmp.c Introduce support for Mandatory Access Control and extensible 2002-08-01 03:53:04 +00:00
ip_icmp.h Remove __P. 2002-03-19 21:25:46 +00:00
ip_id.c Remove __P. 2002-03-19 21:25:46 +00:00
ip_input.c Fix handling of packets which matched an "ipfw fwd" rule on the input side. 2002-08-03 14:59:45 +00:00
ip_mroute.c Just a comment on some additional consistency checks that could 2002-06-26 21:00:53 +00:00
ip_mroute.h Remove __P. 2002-03-19 21:25:46 +00:00
ip_output.c Introduce support for Mandatory Access Control and extensible 2002-07-31 17:21:01 +00:00
ip_var.h Introduce support for Mandatory Access Control and extensible 2002-07-30 23:09:20 +00:00
ip.h o Add IPOPT_ESO for the 'Extended Security' IP option (RFC1108) 2001-12-14 19:37:32 +00:00
ipprotosw.h KSE Milestone 2 2001-09-12 08:38:13 +00:00
raw_ip.c Introduce support for Mandatory Access Control and extensible 2002-07-31 18:30:34 +00:00
tcp_debug.c Work to fix LINT build. 2002-08-02 18:08:14 +00:00
tcp_debug.h
tcp_fsm.h WARNS=n and lint(1) silencer. Declare an array of (const) strings 2002-02-03 11:57:32 +00:00
tcp_input.c Introduce support for Mandatory Access Control and extensible 2002-07-31 19:06:49 +00:00
tcp_output.c Introduce support for Mandatory Access Control and extensible 2002-07-31 19:06:49 +00:00
tcp_reass.c Introduce support for Mandatory Access Control and extensible 2002-07-31 19:06:49 +00:00
tcp_seq.h Move initialization of snd_recover into tcp_sendseqinit(). 2001-11-21 18:45:51 +00:00
tcp_subr.c Document the undocumented assumption that at least one of the PCB 2002-08-01 03:54:43 +00:00
tcp_syncache.c Handle PMTU discovery in syn-ack packets slightly differently; 2002-08-05 22:34:15 +00:00
tcp_timer.c Fix overflows in intermediate calculations in sysctl_msec_to_ticks(). 2002-07-20 23:48:59 +00:00
tcp_timer.h Introduce two new sysctl's: 2002-07-18 19:06:12 +00:00
tcp_timewait.c Document the undocumented assumption that at least one of the PCB 2002-08-01 03:54:43 +00:00
tcp_usrreq.c Use a common way to release locks before exit. 2002-07-29 09:01:39 +00:00
tcp_var.h Add the tcps_sndrexmitbad statistic, keep track of late acks that caused 2002-07-19 18:29:38 +00:00
tcp.h o Minor style(9)ism to make consistent with -STABLE 2001-01-09 18:26:17 +00:00
tcpip.h Remove struct full_tcpiphdr{}. 2001-02-26 20:10:16 +00:00
udp_usrreq.c bugfix: move check for udp_blackhole before the one for icmp_bandlim. 2002-08-04 20:50:13 +00:00
udp_var.h Notify functions can destroy the pcb, so they have to return an 2002-06-14 08:35:21 +00:00
udp.h