Document table set-awareness in ipfw(8).
parent 21ceaa3a9f
commit 35ad1fed6c
@ -48,41 +48,41 @@ in-kernel NAT.
|
||||
.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive
|
||||
.Ss LOOKUP TABLES
|
||||
.Nm
|
||||
.Cm table Ar name Cm create Ar create-options
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
|
||||
.Nm
|
||||
.Cm table Ar name Cm destroy
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm destroy
|
||||
.Nm
|
||||
.Cm table Ar name Cm modify Ar modify-options
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
|
||||
.Nm
|
||||
.Cm table Ar name Cm swap Ar name
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm swap Ar name
|
||||
.Nm
|
||||
.Cm table Ar name Cm add Ar table-key Op Ar value
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
|
||||
.Nm
|
||||
.Cm table Ar name Cm add Op Ar table-key Ar value ...
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
|
||||
.Nm
|
||||
.Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
|
||||
.Nm
|
||||
.Cm table Ar name Cm delete Op Ar table-key ...
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
|
||||
.Nm
|
||||
.Cm table Ar name Cm lookup Ar addr
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm lookup Ar addr
|
||||
.Nm
|
||||
.Cm table Ar name Cm lock
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm lock
|
||||
.Nm
|
||||
.Cm table Ar name Cm unlock
|
||||
.Oo Cm set Ar N Oc Cm table Ar name Cm unlock
|
||||
.Nm
|
||||
.Cm table
|
||||
.Oo Cm set Ar N Oc Cm table
|
||||
.Brq Ar name | all
|
||||
.Cm list
|
||||
.Nm
|
||||
.Cm table
|
||||
.Oo Cm set Ar N Oc Cm table
|
||||
.Brq Ar name | all
|
||||
.Cm info
|
||||
.Nm
|
||||
.Cm table
|
||||
.Oo Cm set Ar N Oc Cm table
|
||||
.Brq Ar name | all
|
||||
.Cm detail
|
||||
.Nm
|
||||
.Cm table
|
||||
.Oo Cm set Ar N Oc Cm table
|
||||
.Brq Ar name | all
|
||||
.Cm flush
|
||||
.Ss DUMMYNET CONFIGURATION (TRAFFIC SHAPER AND PACKET SCHEDULER)
|
||||
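Review bot: The `swap` form, `.Oo Cm set Ar N Oc Cm table Ar name Cm swap Ar name`, does not say whether the optional set applies to both table names or only to the first. The text added later in this commit says tables with the same name can be created in different sets, so the synopsis or the LOOKUP TABLES section should state in which set the second name is resolved. The new prefix also uses `Ar N` without a range; a pointer to SETS OF RULES (sets numbered 0 to 31) would save the reader a search.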
@ -1867,6 +1867,17 @@ addresses or other search keys (e.g., ports, jail IDs, interface names).
|
||||
In the rest of this section we will use the term ``key''.
|
||||
Table name needs to match the following spec:
|
||||
.Ar table-name .
|
||||
Tables with the same name can be created in different
|
||||
.Ar sets .
|
||||
However, rule links to the tables in
|
||||
.Ar set 0
|
||||
by default.
|
||||
This behavior can be controlled by
|
||||
.Va net.inet.ip.fw.tables_sets
|
||||
variable.
|
||||
See the
|
||||
.Sx SETS OF RULES
|
||||
section for more information.
|
||||
There may be up to 65535 different lookup tables.
|
||||
.Pp
|
||||
The following table types are supported:
|
||||
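Review bot: `.Ar sets .` and `.Ar set 0` in the added paragraph mark ordinary prose as command arguments, while the SETS OF RULES section uses `.Em sets` for the same term; use `.Em` here too so the rendered page is consistent. The sentence "However, rule links to the tables in set 0 by default." is hard to parse; wording such as "However, rules reference tables in set 0 by default." would be clearer, and "by the ... variable" needs its article.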
@ -2058,6 +2069,7 @@ The following value types are supported:
|
||||
Default value type.
|
||||
If value is not specified, defaults to 0.
|
||||
.El
|
||||
.Pp
|
||||
The
|
||||
.Cm tablearg
|
||||
argument can be used with the following actions:
|
||||
@ -2082,17 +2094,25 @@ up to a rule equal to, or past, the given number,
|
||||
and should therefore try keep the
|
||||
ruleset compact between the skipto and the target rules.
|
||||
.Sh SETS OF RULES
|
||||
Each rule belongs to one of 32 different
|
||||
Each rule or table belongs to one of 32 different
|
||||
.Em sets
|
||||
, numbered 0 to 31.
|
||||
Set 31 is reserved for the default rule.
|
||||
.Pp
|
||||
By default, rules are put in set 0, unless you use the
|
||||
By default, rules or tables are put in set 0, unless you use the
|
||||
.Cm set N
|
||||
attribute when entering a new rule.
|
||||
attribute when adding a new rule or table.
|
||||
Sets can be individually and atomically enabled or disabled,
|
||||
so this mechanism permits an easy way to store multiple configurations
|
||||
of the firewall and quickly (and atomically) switch between them.
|
||||
.Pp
|
||||
By default, tables from set 0 are referenced when adding rule with
|
||||
table opcodes regardless of rule set.
|
||||
This behavior can be changed by setting
|
||||
.Va net.inet.ip.fw.tables_set
|
||||
variable to 1.
|
||||
Rule's set will then be used for table references.
|
||||
.Pp
|
||||
The command to enable/disable sets is
|
||||
.Bd -ragged -offset indent
|
||||
.Nm
|
||||
|
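Review bot: The sysctl is spelled `net.inet.ip.fw.tables_set` in the paragraph added to SETS OF RULES but `net.inet.ip.fw.tables_sets` in the LOOKUP TABLES hunk above; one of the two is a typo, and a reader who copies the wrong spelling cannot change the set 0 default, so use the real name in both places. The rewritten opening sentence says each rule or table belongs to one of 32 sets while "Set 31 is reserved for the default rule." is left unchanged; state whether a table may be placed in set 31. Minor: "when adding rule with table opcodes" should read "when adding a rule".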