Commit Graph

750 Commits

Author SHA1 Message Date
Andrey V. Elsukov
9883abca1f Remove extra spaces.
MFC after:	1 month
2019-03-19 11:16:42 +00:00
Andrey V. Elsukov
d18c1f26a4 Reapply r345274 with build fixes for 32-bit architectures.
Update NAT64LSN implementation:

  o most of data structures and relations were modified to be able support
    large number of translation states. Now each supported protocol can
    use full ports range. Ports groups now are belongs to IPv4 alias
    addresses, not hosts. Each ports group can keep several states chunks.
    This is controlled with new `states_chunks` config option. States
    chunks allow to have several translation states for single alias address
    and port, but for different destination addresses.
  o by default all hash tables now use jenkins hash.
  o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path.
  o one NAT64LSN instance now can be used to handle several IPv6 prefixes,
    special prefix "::" value should be used for this purpose when instance
    is created.
  o due to modified internal data structures relations, the socket opcode
    that does states listing was changed.

Obtained from:	Yandex LLC
MFC after:	1 month
Sponsored by:	Yandex LLC
2019-03-19 10:57:03 +00:00
Andrey V. Elsukov
d6369c2d18 Revert r345274. It appears that not all 32-bit architectures have
necessary CK primitives.
2019-03-18 14:00:19 +00:00
Andrey V. Elsukov
d7a1cf06f3 Update NAT64LSN implementation:
o most of data structures and relations were modified to be able support
  large number of translation states. Now each supported protocol can
  use full ports range. Ports groups now are belongs to IPv4 alias
  addresses, not hosts. Each ports group can keep several states chunks.
  This is controlled with new `states_chunks` config option. States
  chunks allow to have several translation states for single alias address
  and port, but for different destination addresses.
o by default all hash tables now use jenkins hash.
o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path.
o one NAT64LSN instance now can be used to handle several IPv6 prefixes,
  special prefix "::" value should be used for this purpose when instance
  is created.
o due to modified internal data structures relations, the socket opcode
  that does states listing was changed.

Obtained from:	Yandex LLC
MFC after:	1 month
Sponsored by:	Yandex LLC
2019-03-18 12:59:08 +00:00
Andrey V. Elsukov
5c04f73e07 Add NAT64 CLAT implementation as defined in RFC6877.
CLAT is customer-side translator that algorithmically translates 1:1
private IPv4 addresses to global IPv6 addresses, and vice versa.
It is implemented as part of ipfw_nat64 kernel module. When module
is loaded or compiled into the kernel, it registers "nat64clat" external
action. External action named instance can be created using `create`
command and then used in ipfw rules. The create command accepts two
IPv6 prefixes `plat_prefix` and `clat_prefix`. If plat_prefix is ommitted,
IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.

  # ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
  # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
  # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in

Obtained from:	Yandex LLC
Submitted by:	Boris N. Lytochkin
MFC after:	1 month
Relnotes:	yes
Sponsored by:	Yandex LLC
2019-03-18 11:44:53 +00:00
Andrey V. Elsukov
002cae78da Add SPDX-License-Identifier and update year in copyright.
MFC after:	1 month
2019-03-18 10:50:32 +00:00
Andrey V. Elsukov
b11efc1eb6 Modify struct nat64_config.
Add second IPv6 prefix to generic config structure and rename another
fields to conform to RFC6877. Now it contains two prefixes and length:
PLAT is provider-side translator that translates N:1 global IPv6 addresses
to global IPv4 addresses. CLAT is customer-side translator (XLAT) that
algorithmically translates 1:1 IPv4 addresses to global IPv6 addresses.
Use PLAT prefix in stateless (nat64stl) and stateful (nat64lsn)
translators.

Modify nat64_extract_ip4() and nat64_embed_ip4() functions to accept
prefix length and use plat_plen to specify prefix length.

Retire net.inet.ip.fw.nat64_allow_private sysctl variable.
Add NAT64_ALLOW_PRIVATE flag and use "allow_private" config option to
configure this ability separately for each NAT64 instance.

Obtained from:	Yandex LLC
MFC after:	1 month
Sponsored by:	Yandex LLC
2019-03-18 10:39:14 +00:00
Guangyuan Yang
65847dc90a Fix typos and caps for ipfw(8) man page.
MFC after:	3 days
PR:		236030
Submitted by:	olgeni
2019-03-01 19:06:13 +00:00
Tom Rhodes
bdf56516d2 Grammar tweaks in ipfw manual page. 2019-02-28 20:43:03 +00:00
Bryan Drewery
10e3bebf9e Fix build of r343877
MFC after:	2 weeks
X-MFC-with:	r343877
Pointyhat to:	bdrewery
2019-02-07 21:41:27 +00:00
Bryan Drewery
2b3d664738 ipfw table list: Fix showing header outside of 'all'.
Properly pass down is_all to table_show_list().  This restores the behavior
before r272840 so that only 'ipfw table all list' shows the headers.

MFC after:	2 weeks
Relnotes:	yes
2019-02-07 21:05:44 +00:00
Andrey V. Elsukov
a5178bca19 Allow use underscores and dots in service names without escaping.
PR:		234237
MFC after:	1 week
2018-12-21 10:41:45 +00:00
Andrey V. Elsukov
a895c1c28a Rework how protocol number is tracked in rule. Save it when O_PROTO
opcode will be printed. This should solve the problem, when protocol
name is not printed in `ipfw -N show`.

Reported by:	Claudio Eichenberger <cei at yourshop.com>
MFC after:	1 week
2018-12-10 16:23:11 +00:00
Andrey V. Elsukov
5f9c94c592 Use correct size for IPv4 address in gethostbyaddr().
When u_long is 8 bytes, it returns EINVAL and 'ipfw -N show' doesn't work.

Reported by:	Claudio Eichenberger <cei at yourshop.com>
MFC after:	1 week
2018-12-10 15:42:13 +00:00
Andrey V. Elsukov
d66f9c86fa Add ability to request listing and deleting only for dynamic states.
This can be useful, when net.inet.ip.fw.dyn_keep_states is enabled, but
after rules reloading some state must be deleted. Added new flag '-D'
for such purpose.

Retire '-e' flag, since there can not be expired states in the meaning
that this flag historically had.

Also add "verbose" mode for listing of dynamic states, it can be enabled
with '-v' flag and adds additional information to states list. This can
be useful for debugging.

Obtained from:	Yandex LLC
MFC after:	2 months
Sponsored by:	Yandex LLC
2018-12-04 16:12:43 +00:00
Eugene Grosbein
3b78397008 Small language fix after r340978.
MFC after:	3 days
2018-11-26 16:10:20 +00:00
Eugene Grosbein
3a498c2e8a ipfw.8: add new section to EXAMPLES:
SELECTIVE MIRRORING
     If your network has network traffic analyzer connected to your host
     directly via dedicated interface or remotely via RSPAN vlan, you can
     selectively mirror some ethernet layer2 frames to the analyzer.
     ...
2018-11-26 16:02:17 +00:00
Guangyuan Yang
e9e747efe2 Fix a minor typo in ipfw(8) manual page.
PR:		230747
Submitted by:	f.toscan@hotmail.it
MFC after:	1 week
2018-11-23 03:42:05 +00:00
Guangyuan Yang
14b520eaa2 Fix incorrect DSCP value range from 0..64 to 0..63.
PR:		232786
Submitted by:	Sergey Akhmatov <sergey@akhmatov.ru>
Reviewed by:	AllanJude
MFC after:	1 week
2018-11-21 00:22:31 +00:00
Andrey V. Elsukov
5786c6b9f9 Make multiline APPLY_MASK() macro to be function-like.
Reported by:	cem
MFC after:	1 week
2018-11-20 18:38:28 +00:00
Eugene Grosbein
d95e8d6474 Fix part of the SYNOPSIS documenting LIST OF RULES AND PREPROCESSING
that is still referred as last section of the SYNOPSIS later
but was erroneously situated in the section IN-KERNEL NAT.

MFC after:	1 month
2018-11-13 13:57:15 +00:00
Andrey V. Elsukov
b2b5660688 Add ability to use dynamic external prefix in ipfw_nptv6 module.
Now an interface name can be specified for nptv6 instance instead of
ext_prefix. The module will track if_addr_ext events and when suitable
IPv6 address will be added to specified interface, it will be configured
as external prefix. When address disappears instance becomes unusable,
i.e. it doesn't match any packets.

Reviewed by:	0mp (manpages)
Tested by:	Dries Michiels <driesm dot michiels gmail com>
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D17765
2018-11-12 11:20:59 +00:00
Eugene Grosbein
6ff080c445 ipfw.8: fix small syntax error in an example
MFC after:	3 days
2018-11-08 13:17:38 +00:00
Andrey V. Elsukov
8f47ad010c Do not print "ip6" keyword in print_icmp6types() for O_ICMP6TYPE opcode.
It produces incompatibility when rules listing is used again to
restore saved ruleset, because "ip6" keyword produces separate opcode.
The kernel already has the check and only IPv6 packets will be checked
for matching.

PR:		232939
MFC after:	3 days
2018-11-06 07:41:32 +00:00
Eugene Grosbein
5a2b0b0daa ipfw(8): clarify layer2 processing abilities
Make it clear that ipfw action set for layer2 frames it a bit limited.

PR:			59835
Reviewed by:		yuripv
MFC after:		1 month
Differential Revision:	https://reviews.freebsd.org/D17719
2018-11-04 06:35:48 +00:00
Andrey V. Elsukov
880d3c76b5 Do not use bzero() for the O_ICMP6TYPE opcode.
The buffer is already zeroed in compile_rule() function, and also it
may contain configured F_NOT flag in o.len field. This fixes the filling
for "not icmp6types" opcode.

PR:		232939
MFC after:	3 days
2018-11-03 20:05:50 +00:00
Andrey V. Elsukov
427dc1f755 Use correct format specificator to print setdscp action.
PR:		232642
MFC after:	3 days
2018-10-25 18:06:23 +00:00
Andrey V. Elsukov
aa2715612c Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option. And add ability
to switch the output method in run-time. Also document some sysctl
variables that can by changed for NAT64 module.

NAT64 had compile time option IPFIREWALL_NAT64_DIRECT_OUTPUT to use
if_output directly from nat64 module. By default is used netisr based
output method. Now both methods can be used, but they require different
handling by rules.

Obtained from:	Yandex LLC
MFC after:	3 weeks
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D16647
2018-10-21 16:29:12 +00:00
Andrey V. Elsukov
094d6f8d75 Add IPFW_RULE_JUSTOPTS flag, that is used by ipfw(8) to mark rule,
that was added using "new rule format". And then, when the kernel
returns rule with this flag, ipfw(8) can correctly show it.

Reported by:	lev
MFC after:	3 weeks
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D17373
2018-10-21 15:10:59 +00:00
Guangyuan Yang
c049e7c448 Add description, parameters, options, sysctl and examples of using AQMs to ipfw man page. CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet exist in FreeBSD 11 and 10.3.
Submitted by:	ralsaadi@swin.edu.au
Reviewed by:	AllanJude
Approved by:	re (gjb)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D12507
2018-09-27 18:14:01 +00:00
Andrey V. Elsukov
c5bf4b1bc6 Add "src-ip" or "dst-ip" keyword to the output, when we are printing the
rest of rule options.

Reported by:	lev
Approved by:	re (gjb)
MFC after:	1 week
2018-09-26 15:37:48 +00:00
Patrick Kelsey
249cc75fd1 Extended pf(4) ioctl interface and pfctl(8) to allow bandwidths of
2^32 bps or greater to be used.  Prior to this, bandwidth parameters
would simply wrap at the 2^32 boundary.  The computations in the HFSC
scheduler and token bucket regulator have been modified to operate
correctly up to at least 100 Gbps.  No other algorithms have been
examined or modified for correct operation above 2^32 bps (some may
have existing computation resolution or overflow issues at rates below
that threshold).  pfctl(8) will now limit non-HFSC bandwidth
parameters to 2^32 - 1 before passing them to the kernel.

The extensions to the pf(4) ioctl interface have been made in a
backwards-compatible way by versioning affected data structures,
supporting all versions in the kernel, and implementing macros that
will cause existing code that consumes that interface to use version 0
without source modifications.  If version 0 consumers of the interface
are used against a new kernel that has had bandwidth parameters of
2^32 or greater configured by updated tools, such bandwidth parameters
will be reported as 2^32 - 1 bps by those old consumers.

All in-tree consumers of the pf(4) interface have been updated.  To
update out-of-tree consumers to the latest version of the interface,
define PFIOC_USE_LATEST ahead of any includes and use the code of
pfctl(8) as a guide for the ioctls of interest.

PR:	211730
Reviewed by:	jmallett, kp, loos
MFC after:	2 weeks
Relnotes:	yes
Sponsored by:	RG Nets
Differential Revision:	https://reviews.freebsd.org/D16782
2018-08-22 19:38:48 +00:00
Andrey V. Elsukov
f4d5e7d8b5 Restore the behaviour changed in r337536, when bad ipfw delete command
returns error.

Now -q option only makes it quiet. And when -f flag is specified, the
command will ignore errors and continue executing with next batched
command.

MFC after:	2 weeks
2018-08-10 14:10:22 +00:00
Andrey V. Elsukov
e327ad3377 If -q flag is specified, do not complain when we are trying to delete
nonexistent NAT instance or nonexistent rule.

This allows execute batched `delete` commands and do not fail when
found nonexistent rule.

Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2018-08-09 12:46:30 +00:00
Andrey V. Elsukov
f7c4fdee1a Add "record-state", "set-limit" and "defer-action" rule options to ipfw.
"record-state" is similar to "keep-state", but it doesn't produce implicit
O_PROBE_STATE opcode in a rule. "set-limit" is like "limit", but it has the
same feature as "record-state", it is single opcode without implicit
O_PROBE_STATE opcode. "defer-action" is targeted to be used with dynamic
states. When rule with this opcode is matched, the rule's action will
not be executed, instead dynamic state will be created. And when this
state will be matched by "check-state", then rule action will be executed.
This allows create a more complicated rulesets.

Submitted by:	lev
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D1776
2018-07-09 11:35:18 +00:00
Jamie Gritton
de68a3200a Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8),
sockstat(1), ugidfw(8)
These are the last of the jail-aware userland utilities that didn't work
 with names.

PR:		229266
MFC after:	3 days
Differential Revision:	D16047
2018-07-03 23:47:20 +00:00
Andrey V. Elsukov
0df37a208c Remove extra "ipfw" from example.
MFC after:	1 week
2018-06-28 09:42:30 +00:00
Andrey V. Elsukov
51d5442fef Fix the printing of rule comments.
Change uint8_t type of opcode argument to int in the print_opcode()
function. Use negative value to print the rest of opcodes, because
zero value is O_NOP, and it can't be uses for this purpose.

Reported by:	lev
MFC after:	1 week
2018-05-10 12:25:01 +00:00
Andrey V. Elsukov
c54e0abbc6 Update NAT64 documentation, now we support any IPv6 prefixes.
MFC after:	1 month
2018-05-09 12:25:23 +00:00
Andrey V. Elsukov
782360dec3 Bring in some last changes in NAT64 implementation:
o Modify ipfw(8) to be able set any prefix6 not just Well-Known,
  and also show configured prefix6;
o relocate some definitions and macros into proper place;
o convert nat64_debug and nat64_allow_private variables to be
  VNET-compatible;
o add struct nat64_config that keeps generic configuration needed
  to NAT64 code;
o add nat64_check_prefix6() function to check validness of specified
  by user IPv6 prefix according to RFC6052;
o use nat64_check_private_ip4() and nat64_embed_ip4() functions
  instead of nat64_get_ip4() and nat64_set_ip4() macros. This allows
  to use any configured IPv6 prefixes that are allowed by RFC6052;
o introduce NAT64_WKPFX flag, that is set when IPv6 prefix is
  Well-Known IPv6 prefix. It is used to reduce overhead to check this;
o modify nat64lsn_cfg and nat64stl_cfg structures to use nat64_config
  structure. And respectivelly modify the rest of code;
o remove now unused ro argument from nat64_output() function;
o remove __FreeBSD_version ifdef, NAT64 was not merged to older versions;
o add commented -DIPFIREWALL_NAT64_DIRECT_OUTPUT flag to module's Makefile
  as example.

Obtained from:	Yandex LLC
MFC after:	1 month
Sponsored by:	Yandex LLC
2018-05-09 11:59:24 +00:00
Andrey V. Elsukov
0f71e509e5 Fix indenting in ipv6.c file, use tabs instead of mixing tabs and spaces.
MFC after:	1 week
2018-04-12 20:05:26 +00:00
Andrey V. Elsukov
bd32e33552 Remove printing of "not" keyword from print_ip6() function.
After r331668 handling of F_NOT flag done in one place by
print_instruction() function. Also remove unused argument from
print_ip[6]() functions.

MFC after:	1 week
2018-04-12 19:44:04 +00:00
Andrey V. Elsukov
09a6be91bc Remove printing of "not" keyword from print_ip() function.
After r331668 handling of F_NOT flag done in one place by
print_instruction() function.

MFC after:	1 week
2018-04-12 19:34:35 +00:00
Oleg Bulyzhin
e5e8324fea Fix typo.
MFC after:	1 week
2018-04-11 11:17:57 +00:00
Andrey V. Elsukov
aed0267989 Rework ipfw rules parsing and printing code.
Introduce show_state structure to keep information about printed opcodes.
Split show_static_rule() function into several smaller functions. Make
parsing and printing opcodes into several passes. Each printed opcode
is marked in show_state structure and will be skipped in next passes.
Now show_static_rule() function is simple, it just prints each part
of rule separately: action, modifiers, proto, src and dst addresses,
options. The main goal of this change is avoiding occurrence of wrong
result of `ifpw show` command, that can not be parsed by ipfw(8).
Also now it is possible to make some simple static optimizations
by reordering of opcodes in the rule.

PR:		222705
Discussed with:	melifaro
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2018-03-28 12:44:28 +00:00
Andrey V. Elsukov
b43b604b30 Remove note that fwd tablearg is supported only by IPv4. IPv6 is
supported too.

MFC after:	1 week
2018-03-19 10:50:27 +00:00
Andrey V. Elsukov
12c080e613 Do not try to reassemble IPv6 fragments in "reass" rule.
ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets
that it gets. Until proper IPv6 fragments handling function will be
implemented, pass IPv6 packets to next rule.

PR:		170604
MFC after:	1 week
2018-03-12 09:40:46 +00:00
Conrad Meyer
4e0a8b6105 ipfw(8): Fix endianness for Legacy and Ipv4 table hostname values
The lookup_host() helper subroutine emits a struct in_addr value in network
byte order via caller passed pointer.  However, the table value is expected
to be stored in host byte order.  On little-endian machines, this produced a
reversed endian table value for Legacy or IPv4 table types when the value
was a hostname (instead of a plain IP address).

Fix by using ntohl() on the output 32-bit address.

While here, avoid some aliasing violations by storing the lookup_host()
output in an intermediate object of the correct type.

PR:		226429
Reported by:	bugs.freebsd.org AT mx.zzux.com (also: Tested by)
Security:	ipfw hostname table rules could potentially not act as admin intended
Sponsored by:	Dell EMC Isilon
2018-03-08 17:23:18 +00:00
Alan Somers
6ef82c0ae2 fix typo in ipfw(8). No functional change.
Submitted by:	zxzharmlesszxz
Pull Request:	https://github.com/freebsd/freebsd/pull/132
2018-02-27 17:12:33 +00:00
Nick Hibma
9ea81ab56a DSCP values passed to setdscp need to be lowercase.
See definition of f_ipdscp values. They are compared against using bcmp
which is case sensitive.

MFC after:	1 week
2018-02-13 10:11:39 +00:00