ipfw(8): Fix a few mandoc related issues

- no blank before trailing delimiter
- missing section argument: Xr inet_pton
- skipping paragraph macro: Pp before Ss
- unusual Xr order: syslogd after sysrc
- tab in filled text

There were a few multiline NAT examples which used the .Dl macro with
tabs. I converted them to .Bd, which is a more suitable macro for that case.

MFC after:	1 week
Gordon Bergling 2020-12-19 12:47:40 +00:00
parent ea0dd3ca44
commit bae74ca922


@ -305,7 +305,6 @@ Finally, counters can be reset with the
and and
.Cm resetlog .Cm resetlog
commands. commands.
.Pp
.Ss COMMAND OPTIONS .Ss COMMAND OPTIONS
The following general options are available when invoking The following general options are available when invoking
.Nm : .Nm :
@ -389,7 +388,8 @@ listed.
When listing pipes, sort according to one of the four When listing pipes, sort according to one of the four
counters (total or current packets or bytes). counters (total or current packets or bytes).
.It Fl t .It Fl t
When listing, show last match timestamp converted with ctime(). When listing, show last match timestamp converted with
.Fn ctime .
.It Fl T .It Fl T
When listing, show last match timestamp as seconds from the epoch. When listing, show last match timestamp as seconds from the epoch.
This form can be more convenient for postprocessing by scripts. This form can be more convenient for postprocessing by scripts.
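Review bot: `.Fn ctime .` in the `-t` item is valid mdoc and clears the warning, but ctime has its own manual page, so the cross-reference form `.Xr ctime 3 .` would match what this same commit does for inet_pton in the address-matching items and gives readers a link in rendered HTML. Either is acceptable; consistency within the page is the point.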
@ -1441,7 +1441,7 @@ list.
Matches all IPv6 addresses with base Matches all IPv6 addresses with base
.Ar addr .Ar addr
(specified as allowed by (specified as allowed by
.Xr inet_pton .Xr inet_pton 3
or a hostname) or a hostname)
and mask width of and mask width of
.Cm masklen .Cm masklen
@ -1450,12 +1450,12 @@ bits.
Matches all IPv6 addresses with base Matches all IPv6 addresses with base
.Ar addr .Ar addr
(specified as allowed by (specified as allowed by
.Xr inet_pton .Xr inet_pton 3
or a hostname) or a hostname)
and the mask of and the mask of
.Ar mask , .Ar mask ,
specified as allowed by specified as allowed by
.Xr inet_pton . .Xr inet_pton 3 .
As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match
fe:*:*:*:0:640:*:*. fe:*:*:*:0:640:*:*.
This form is advised only for non-contiguous This form is advised only for non-contiguous
@ -1518,7 +1518,7 @@ operand, and possibly grouped into
.Pp .Pp
The following match patterns can be used (listed in alphabetical order): The following match patterns can be used (listed in alphabetical order):
.Bl -tag -width indent .Bl -tag -width indent
.It Cm // this is a comment. .It Cm // this is a comment .
Inserts the specified text as a comment in the rule. Inserts the specified text as a comment in the rule.
Everything following // is considered as a comment and stored in the rule. Everything following // is considered as a comment and stored in the rule.
You can have comment-only rules, which are listed as having a You can have comment-only rules, which are listed as having a
@ -1806,7 +1806,10 @@ keyword is special name used for compatibility with old rulesets.
.It Cm layer2 .It Cm layer2
Matches only layer2 packets, i.e., those passed to Matches only layer2 packets, i.e., those passed to
.Nm .Nm
from ether_demux() and ether_output_frame(). from
.Fn ether_demux
and
.Fn ether_output_frame .
.It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
The firewall will only allow The firewall will only allow
.Ar N .Ar N
@ -2258,8 +2261,8 @@ Shows generic table information and algo-specific data.
The following lookup algorithms are supported: The following lookup algorithms are supported:
.Bl -tag -width indent .Bl -tag -width indent
.It Ar algo-desc : algo-name | "algo-name algo-data" .It Ar algo-desc : algo-name | "algo-name algo-data"
.It Ar algo-name: Ar addr:radix | addr:hash | iface:array | number:array | flow:hash .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash
.It Cm addr:radix .It Cm addr: radix
Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see
.Xr route 4 ) . .Xr route 4 ) .
Default choice for Default choice for
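Review bot: the `.It Cm addr:radix` change and the five algorithm names in the `algo-name` line should not have gained a blank before the colon. mandoc's "no blank before trailing delimiter" check looks at the final character of a macro's last argument, so `algo-name:` needed the fix, but `addr:radix`, `addr:hash`, `iface:array`, `number:array` and `flow:hash` did not. `addr:` is not a standalone delimiter, so the rendered text now reads `addr: radix` with a space where the literal algorithm name in the list has none. Suggest `.It Ar algo-name : Ar addr:radix | addr:hash | iface:array | number:array | flow:hash` and `.It Cm addr:radix`.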
@ -2330,11 +2333,11 @@ IPv6 nexthop to fwd packets to.
The The
.Cm tablearg .Cm tablearg
argument can be used with the following actions: argument can be used with the following actions:
.Cm nat, pipe , queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, .Cm nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib ,
action parameters: action parameters:
.Cm tag, untag, .Cm tag, untag ,
rule options: rule options:
.Cm limit, tagged. .Cm limit, tagged .
.Pp .Pp
When used with the When used with the
.Cm skipto .Cm skipto
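Review bot: in the tablearg list the comma-terminated words are still single `.Cm` arguments, so each comma renders in the same bold font as its keyword. The idiomatic mdoc form makes every comma a standalone closing delimiter, e.g. `.Cm nat , pipe , queue , divert , tee , netgraph , ngtee , fwd , skipto , setfib ,`, which mandoc then attaches to the preceding word in the normal font; likewise `.Cm tag , untag ,` and `.Cm limit , tagged .`. The change as made is enough for the warning; this is a style follow-up.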
@ -2614,7 +2617,6 @@ mode can be enabled by setting the
.Va net.inet.ip.dummynet.io_fast .Va net.inet.ip.dummynet.io_fast
.Xr sysctl 8 .Xr sysctl 8
variable to a non-zero value. variable to a non-zero value.
.Pp
.Ss PIPE, QUEUE AND SCHEDULER CONFIGURATION .Ss PIPE, QUEUE AND SCHEDULER CONFIGURATION
The The
.Em pipe , .Em pipe ,
@ -3550,7 +3552,6 @@ Note that the behavior of stateless translator with respect to not matched
packets differs from stateful translator. packets differs from stateful translator.
If corresponding addresses was not found in the lookup tables, the packet If corresponding addresses was not found in the lookup tables, the packet
will not be dropped and the search continues. will not be dropped and the search continues.
.Pp
.Ss XLAT464 CLAT translation .Ss XLAT464 CLAT translation
XLAT464 CLAT NAT64 translator implements client-side stateless translation as XLAT464 CLAT NAT64 translator implements client-side stateless translation as
defined in RFC6877 and is very similar to statless NAT64 translator defined in RFC6877 and is very similar to statless NAT64 translator
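Review bot: while touching this spot, the unchanged context two lines below still reads "statless NAT64 translator" (stateless), and "If corresponding addresses was not found" should be "were not found"; both sit in the same region and could go in with this mandoc cleanup or a follow-up.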
@ -3662,12 +3663,12 @@ or
.Xr kenv 1 .Xr kenv 1
before ipfw module gets loaded. before ipfw module gets loaded.
.Bl -tag -width indent .Bl -tag -width indent
.It Va net.inet.ip.fw.default_to_accept: No 0 .It Va net.inet.ip.fw.default_to_accept : No 0
Defines ipfw last rule behavior. Defines ipfw last rule behavior.
This value overrides This value overrides
.Cd "options IPFW_DEFAULT_TO_(ACCEPT|DENY)" .Cd "options IPFW_DEFAULT_TO_(ACCEPT|DENY)"
from kernel configuration file. from kernel configuration file.
.It Va net.inet.ip.fw.tables_max: No 128 .It Va net.inet.ip.fw.tables_max : No 128
Defines number of tables available in ipfw. Defines number of tables available in ipfw.
Number cannot exceed 65534. Number cannot exceed 65534.
.El .El
@ -3682,7 +3683,7 @@ These are shown below together with their default value
.Xr sysctl 8 .Xr sysctl 8
command what value is actually in use) and meaning: command what value is actually in use) and meaning:
.Bl -tag -width indent .Bl -tag -width indent
.It Va net.inet.ip.alias.sctp.accept_global_ootb_addip: No 0 .It Va net.inet.ip.alias.sctp.accept_global_ootb_addip : No 0
Defines how the Defines how the
.Nm nat .Nm nat
responds to receipt of global OOTB ASCONF-AddIP: responds to receipt of global OOTB ASCONF-AddIP:
@ -3698,7 +3699,7 @@ will accept and process all OOTB global AddIP messages.
Option 1 should never be selected as this forms a security risk. Option 1 should never be selected as this forms a security risk.
An attacker can An attacker can
establish multiple fake associations by sending AddIP messages. establish multiple fake associations by sending AddIP messages.
.It Va net.inet.ip.alias.sctp.chunk_proc_limit: No 5 .It Va net.inet.ip.alias.sctp.chunk_proc_limit : No 5
Defines the maximum number of chunks in an SCTP packet that will be Defines the maximum number of chunks in an SCTP packet that will be
parsed for a parsed for a
packet that matches an existing association. packet that matches an existing association.
@ -3708,7 +3709,7 @@ A high value is
a DoS risk yet setting too low a value may result in a DoS risk yet setting too low a value may result in
important control chunks in important control chunks in
the packet not being located and parsed. the packet not being located and parsed.
.It Va net.inet.ip.alias.sctp.error_on_ootb: No 1 .It Va net.inet.ip.alias.sctp.error_on_ootb : No 1
Defines when the Defines when the
.Nm nat .Nm nat
responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets. responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
@ -3745,7 +3746,7 @@ ASCONF-AddIP.
Value 3 should never be chosen (except for debugging) as the Value 3 should never be chosen (except for debugging) as the
.Nm nat .Nm nat
will respond to all OOTB global packets (a DoS risk). will respond to all OOTB global packets (a DoS risk).
.It Va net.inet.ip.alias.sctp.hashtable_size: No 2003 .It Va net.inet.ip.alias.sctp.hashtable_size : No 2003
Size of hash tables used for Size of hash tables used for
.Nm nat .Nm nat
lookups (100 < prime_number > 1000001). lookups (100 < prime_number > 1000001).
@ -3764,35 +3765,35 @@ should make these larger.
A prime number is best for the table size. A prime number is best for the table size.
The sysctl The sysctl
update function will adjust your input value to the next highest prime number. update function will adjust your input value to the next highest prime number.
.It Va net.inet.ip.alias.sctp.holddown_time: No 0 .It Va net.inet.ip.alias.sctp.holddown_time : No 0
Hold association in table for this many seconds after receiving a Hold association in table for this many seconds after receiving a
SHUTDOWN-COMPLETE. SHUTDOWN-COMPLETE.
This allows endpoints to correct shutdown gracefully if a This allows endpoints to correct shutdown gracefully if a
shutdown_complete is lost and retransmissions are required. shutdown_complete is lost and retransmissions are required.
.It Va net.inet.ip.alias.sctp.init_timer: No 15 .It Va net.inet.ip.alias.sctp.init_timer : No 15
Timeout value while waiting for (INIT-ACK|AddIP-ACK). Timeout value while waiting for (INIT-ACK|AddIP-ACK).
This value cannot be 0. This value cannot be 0.
.It Va net.inet.ip.alias.sctp.initialising_chunk_proc_limit: No 2 .It Va net.inet.ip.alias.sctp.initialising_chunk_proc_limit : No 2
Defines the maximum number of chunks in an SCTP packet that will be parsed when Defines the maximum number of chunks in an SCTP packet that will be parsed when
no existing association exists that matches that packet. no existing association exists that matches that packet.
Ideally this packet Ideally this packet
will only be an INIT or ASCONF-AddIP packet. will only be an INIT or ASCONF-AddIP packet.
A higher value may become a DoS A higher value may become a DoS
risk as malformed packets can consume processing resources. risk as malformed packets can consume processing resources.
.It Va net.inet.ip.alias.sctp.param_proc_limit: No 25 .It Va net.inet.ip.alias.sctp.param_proc_limit : No 25
Defines the maximum number of parameters within a chunk that will be Defines the maximum number of parameters within a chunk that will be
parsed in a parsed in a
packet. packet.
As for other similar sysctl variables, larger values pose a DoS risk. As for other similar sysctl variables, larger values pose a DoS risk.
.It Va net.inet.ip.alias.sctp.log_level: No 0 .It Va net.inet.ip.alias.sctp.log_level : No 0
Level of detail in the system log messages (0 \- minimal, 1 \- event, Level of detail in the system log messages (0 \- minimal, 1 \- event,
2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
May be a good May be a good
option in high loss environments. option in high loss environments.
.It Va net.inet.ip.alias.sctp.shutdown_time: No 15 .It Va net.inet.ip.alias.sctp.shutdown_time : No 15
Timeout value while waiting for SHUTDOWN-COMPLETE. Timeout value while waiting for SHUTDOWN-COMPLETE.
This value cannot be 0. This value cannot be 0.
.It Va net.inet.ip.alias.sctp.track_global_addresses: No 0 .It Va net.inet.ip.alias.sctp.track_global_addresses : No 0
Enables/disables global IP address tracking within the Enables/disables global IP address tracking within the
.Nm nat .Nm nat
and places an and places an
@ -3819,7 +3820,7 @@ problems in complex networks with multiple
We recommend not tracking We recommend not tracking
global IP addresses, this will still result in a fully functional global IP addresses, this will still result in a fully functional
.Nm nat . .Nm nat .
.It Va net.inet.ip.alias.sctp.up_timer: No 300 .It Va net.inet.ip.alias.sctp.up_timer : No 300
Timeout value to keep an association up with no traffic. Timeout value to keep an association up with no traffic.
This value cannot be 0. This value cannot be 0.
.It Va net.inet.ip.dummynet.codel.interval : No 100000 .It Va net.inet.ip.dummynet.codel.interval : No 100000
@ -4050,7 +4051,7 @@ and
must be strictly lower than 5 seconds, the period of must be strictly lower than 5 seconds, the period of
repetition of keepalives. repetition of keepalives.
The firewall enforces that. The firewall enforces that.
.It Va net.inet.ip.fw.dyn_keep_states: No 0 .It Va net.inet.ip.fw.dyn_keep_states : No 0
Keep dynamic states on rule/set deletion. Keep dynamic states on rule/set deletion.
States are relinked to default rule (65535). States are relinked to default rule (65535).
This can be handly for ruleset reload. This can be handly for ruleset reload.
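Review bot: the context line "This can be handly for ruleset reload." directly under the changed `.It Va net.inet.ip.fw.dyn_keep_states : No 0` has a typo (handy); worth fixing in the same pass.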
@ -4131,7 +4132,6 @@ List all table lookup algorithms currently available.
There are far too many possible uses of There are far too many possible uses of
.Nm .Nm
so this Section will only give a small set of examples. so this Section will only give a small set of examples.
.Pp
.Ss BASIC PACKET FILTERING .Ss BASIC PACKET FILTERING
This command adds an entry which denies all tcp packets from This command adds an entry which denies all tcp packets from
.Em cracker.evil.org .Em cracker.evil.org
@ -4542,24 +4542,26 @@ To see configurations of all instances:
.Dl "ipfw nat show config" .Dl "ipfw nat show config"
.Pp .Pp
Or a redirect rule with mixed modes could looks like: Or a redirect rule with mixed modes could looks like:
.Pp .Bd -literal -offset 2n
.Dl "ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66" ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66
.Dl " redirect_port tcp 192.168.0.1:80 500" redirect_port tcp 192.168.0.1:80 500
.Dl " redirect_proto udp 192.168.1.43 192.168.1.1" redirect_proto udp 192.168.1.43 192.168.1.1
.Dl " redirect_addr 192.168.0.10,192.168.0.11" redirect_addr 192.168.0.10,192.168.0.11
.Dl " 10.0.0.100 # LSNAT" 10.0.0.100 # LSNAT
.Dl " redirect_port tcp 192.168.0.1:80,192.168.0.10:22" redirect_port tcp 192.168.0.1:80,192.168.0.10:22
.Dl " 500 # LSNAT" 500 # LSNAT
.Ed
.Pp .Pp
or it could be split in: or it could be split in:
.Pp .Bd -literal -offset 2n
.Dl "ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66" ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66
.Dl "ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500" ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500
.Dl "ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1" ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1
.Dl "ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12" ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12
.Dl " 10.0.0.100" 10.0.0.100
.Dl "ipfw nat 5 config redirect_port tcp" ipfw nat 5 config redirect_port tcp
.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500" 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500
.Ed
.Pp .Pp
Sometimes you may want to mix NAT and dynamic rules. Sometimes you may want to mix NAT and dynamic rules.
It could be achieved with It could be achieved with
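Review bot: the `.Bd -literal -offset 2n` blocks fix the "tab in filled text" warning correctly, since `.Bd -literal` preserves whitespace, but two things are worth checking. First, whether `-offset 2n` matches the offset any other `.Bd` blocks in this manual use, so the examples line up visually; the value is arbitrary as long as it is consistent. Second, each block shows one multi-line `ipfw nat N config ...` command with no shell continuation characters, so a reader pasting it gets several separate commands; if a single command is intended, ending the continued lines with a backslash (written `\e` inside the literal block) makes that explicit. The `# LSNAT` trailing comments are now literal text exactly as they were in the `.Dl` form, which is fine.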
@ -4711,8 +4713,8 @@ can be changed in a similar way as for
.Xr kldload 8 , .Xr kldload 8 ,
.Xr reboot 8 , .Xr reboot 8 ,
.Xr sysctl 8 , .Xr sysctl 8 ,
.Xr sysrc 8 , .Xr syslogd 8 ,
.Xr syslogd 8 .Xr sysrc 8
.Sh HISTORY .Sh HISTORY
The The
.Nm .Nm
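Review bot: the swap is correct. SEE ALSO entries sort by section and then by name, and `syslogd` sorts before `sysrc` ("l" precedes "r" at the fourth character), so the "unusual Xr order" warning is cleared; the now-final `.Xr sysrc 8` correctly has no trailing comma.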