Commit Graph

708 Commits

Author SHA1 Message Date
ae
95b4812930 Do not try to reassemble IPv6 fragments in "reass" rule.
ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets
that it gets. Until proper IPv6 fragments handling function will be
implemented, pass IPv6 packets to next rule.

PR:		170604
MFC after:	1 week
2018-03-12 09:40:46 +00:00
cem
9940b6585e ipfw(8): Fix endianness for Legacy and Ipv4 table hostname values
The lookup_host() helper subroutine emits a struct in_addr value in network
byte order via caller passed pointer.  However, the table value is expected
to be stored in host byte order.  On little-endian machines, this produced a
reversed endian table value for Legacy or IPv4 table types when the value
was a hostname (instead of a plain IP address).

Fix by using ntohl() on the output 32-bit address.

While here, avoid some aliasing violations by storing the lookup_host()
output in an intermediate object of the correct type.

PR:		226429
Reported by:	bugs.freebsd.org AT mx.zzux.com (also: Tested by)
Security:	ipfw hostname table rules could potentially not act as admin intended
Sponsored by:	Dell EMC Isilon
2018-03-08 17:23:18 +00:00
asomers
c5dd533506 fix typo in ipfw(8). No functional change.
Submitted by:	zxzharmlesszxz
Pull Request:	https://github.com/freebsd/freebsd/pull/132
2018-02-27 17:12:33 +00:00
n_hibma
6d5125e8c2 DSCP values passed to setdscp need to be lowercase.
See definition of f_ipdscp values. They are compared against using bcmp
which is case sensitive.

MFC after:	1 week
2018-02-13 10:11:39 +00:00
eadler
f156130c4f Fix a few more speelling errors
Reviewed by:		bjk
Reviewed by:		jilles (incl formal "accept")
Differential Revision:	https://reviews.freebsd.org/D13650
2017-12-28 01:31:28 +00:00
ae
ad460b0f5e Fix rule number truncation, use uint16_t type to specify rulenum.
PR:		224555
MFC after:	1 week
2017-12-24 01:55:12 +00:00
pfg
d61fecb273 Revert r327005 - SPDX tags for license similar to BSD-2-Clause.
After consultation with SPDX experts and their matching guidelines[1],
the licensing doesn't exactly match the BSD-2-Clause. It yet remains to be
determined if they are equivalent or if there is a recognized license that
matches but it is safer to just revert the tags.

Let this also be a reminder that on FreeBSD, SPDX tags are only advisory
and have no legal value (but IANAL).

Pointyhat to:	pfg
Thanks to:	Rodney Grimes, Gary O'Neall

[1] https://spdx.org/spdx-license-list/matching-guidelines
2017-12-20 20:25:28 +00:00
pfg
95df0f2b7e SPDX: These are fundamentally BSD-2-Clause.
They just omit the introductory line and numbering.
2017-12-19 22:40:16 +00:00
tuexen
6fd4821b43 Add to ipfw support for sending an SCTP packet containing an ABORT chunk.
This is similar to the TCP case. where a TCP RST segment can be sent.

There is one limitation: When sending an ABORT in response to an incoming
packet, it should be tested if there is no ABORT chunk in the received
packet. Currently, it is only checked if the first chunk is an ABORT
chunk to avoid parsing the whole packet, which could result in a DOS attack.

Thanks to Timo Voelker for helping me to test this patch.
Reviewed by: bcr@ (man page part), ae@ (generic, non-SCTP part)
Differential Revision:	https://reviews.freebsd.org/D13239
2017-11-26 18:19:01 +00:00
bdrewery
a598c4b809 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
ae
3c04e58c0c Return 'errno' value from the table_do_modify_record(), it is expected
by table_modify_record().

This makes quiet operations with tables really quiet.

PR:		222953
MFC after:	1 week
2017-10-13 11:01:33 +00:00
tuexen
3e60409b2a Whitespace changes: Remove leading spaces followed by a tab. 2017-10-02 20:02:25 +00:00
tuexen
b3b79fd3fd Fix a bug which avoided that rules for matching port numbers for SCTP
packets where actually matched.
While there, make clean in the man-page that SCTP port numbers are
supported in rules.

MFC after:	1 month
2017-10-02 18:25:30 +00:00
manu
54e47e4fc2 ipfw: Note that bandwidth can take G suffix in the manpage
Reported by:	Jose Luis Duran (github)
2017-06-23 17:31:07 +00:00
manu
72d95f3521 ipfw: dummynet: Add 'G' and 'g' suffix for bandwidth configuration/display
MFC after:	2 weeks
Sponsored by:	Gandi.net
2017-06-23 14:00:28 +00:00
asomers
9c3f448df0 sbin/ipfw: strcpy, strncpy => strlcpy
Reported by:	Coverity
CID:		1356162, 1356166
MFC after:	3 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D10662
2017-06-13 14:57:48 +00:00
manu
319ad50d98 ipfw.8: Note that the ipfw_nat kernel module must be loaded or that the
IPFIREWALL_NAT options must be in the kernel config in order to use in-kernel
nat.

MFC after:	3 days
2017-06-01 09:14:49 +00:00
ae
8008a4e2e2 Allow zero port specification in table entries with type flow.
PR:		217620
MFC after:	1 week
2017-05-17 10:56:22 +00:00
ae
e8f3ed315e Add ipfw table all destroy support.
PR:		212669
MFC after:	1 week
2017-05-02 17:16:24 +00:00
ae
decf82b5e7 In parse_range() validate both range values instead of checking
the top  value twice.

PR:		202295
MFC after:	1 week
2017-05-02 05:20:54 +00:00
ae
bfda0532b1 Add sets support for ipfw table info/list/flush commands.
PR:		212668
MFC after:	1 week
2017-05-02 05:02:12 +00:00
ae
11e7e3951b Properly initialize ipfw_range_tlv variable to fix possible EINVAL
in case when ipfw delete/zero/resetlog command issued for several rules
in the loop. Also reorder some variables by size.

PR:		218993
MFC after:	1 week
2017-05-02 01:03:59 +00:00
marius
8021171c73 In fill_ip6(), the value of the pointer av changes before it is
free(3)ed. Thus, introduce a new variable to track the original
value.

Submitted by:		Tom Rix
Differential Revision:	https://reviews.freebsd.org/D9962
2017-04-23 21:17:59 +00:00
ae
fccd5b2db9 Add ipfw_pmod kernel module.
The module is designed for modification of a packets of any protocols.
For now it implements only TCP MSS modification. It adds the external
action handler for "tcp-setmss" action.

A rule with tcp-setmss action does additional check for protocol and
TCP flags. If SYN flag is present, it parses TCP options and modifies
MSS option if its value is greater than configured value in the rule.
Then it adjustes TCP checksum if needed. After handling the search
continues with the next rule.

Obtained from:	Yandex LLC
MFC after:	2 weeks
Relnotes:	yes
Sponsored by:	Yandex LLC
No objection from: #network
Differential Revision:	https://reviews.freebsd.org/D10150
2017-04-03 03:07:48 +00:00
ae
5b90a3f01f Add O_EXTERNAL_DATA opcode support.
This opcode can be used to attach some data to external action opcode.
And unlike to O_EXTERNAL_INSTANCE opcode, this opcode does not require
creating of named instance to pass configuration arguments to external
action handler. The data is coming just next to O_EXTERNAL_ACTION opcode.

The userlevel part currenly supports formatting for opcode with ipfw_insn
size, by default it expects u16 numeric value in the arg1.

Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2017-04-03 02:44:40 +00:00
ae
452baa814d Change the syntax of ipfw's named states.
Since the state name is an optional argument, it often can conflict
with other options. To avoid ambiguity now the state name must be
prefixed with a colon.

Obtained from:	Yandex LLC
MFC after:	2 week
Sponsored by:	Yandex LLC
2017-03-15 13:36:35 +00:00
marius
35fedb74e5 Fix a bug in r272840; given that the optlen parameter of setsockopt(2)
is a 32-bit socklen_t, do_get3() passes the kernel to access the wrong
32-bit half on big-endian LP64 machines when simply casting the 64-bit
size_t optlen to a socklen_t pointer.
While at it and given that the intention of do_get3() apparently is to
hide/wrap the fact that socket options are used for communication with
ipfw(4), change the optlen parameter of do_set3() to be of type size_t
and as such more appropriate than uintptr_t, too.

MFC after:	3 days
2016-12-28 23:34:28 +00:00
oleg
2f47929e75 Fix 'ipfw delete set N':
do not emit meaningless 'rule 0 not found' warning if set was already empty.

MFC after:	1 week
2016-11-29 10:43:58 +00:00
ae
eaf81b99c6 Add missing support of named lookup tables to the IPv6 code.
PR:		214419
MFC after:	1 week
Sponsored by:	Yandex LLC
2016-11-15 07:13:16 +00:00
ae
095c3cdc33 Add support for non-contiguous IPv6 masks in ipfw(8) rules.
For example fe::640:0:0/ffff::ffff:ffff:0:0 will match
addresses fe:*:*:*:0:640:*:*

Submitted by:	Eugene Mamchits <mamchits at yandex-team dot ru>
Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
2016-10-18 15:14:46 +00:00
bz
55cbdc7ad3 Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was deprecated
more than 7 years ago in favour of a sysctl in r192648.
2016-08-21 18:55:30 +00:00
ae
fe7e60ec8a Add an ability to attach comment to check-state rules.
MFC after:	1 week
2016-08-14 18:34:16 +00:00
ae
de0a5f6a76 Do not warn about ambiguous state name when we inspect a comment token.
Reported by:	lev
2016-08-14 18:05:41 +00:00
ae
c20dcf312d Make statistics nat64lsn, nat64stl an nptv6 output netstat-like:
"@value @description" and fix build due to -Wformat errors.
2016-08-14 13:17:55 +00:00
ae
fbd6330956 Add stats reset command implementation to NPTv6 module
to be able reset statistics counters.

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
2016-08-13 16:45:14 +00:00
ae
8c03d2551f Add ipfw_nat64 module that implements stateless and stateful NAT64.
The module works together with ipfw(4) and implemented as its external
action module.

Stateless NAT64 registers external action with name nat64stl. This
keyword should be used to create NAT64 instance and to address this
instance in rules. Stateless NAT64 uses two lookup tables with mapped
IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.

A configuration of instance should looks like this:
 1. Create lookup tables:
 # ipfw table T46 create type addr valtype ipv6
 # ipfw table T64 create type addr valtype ipv4
 2. Fill T46 and T64 tables.
 3. Add rule to allow neighbor solicitation and advertisement:
 # ipfw add allow icmp6 from any to any icmp6types 135,136
 4. Create NAT64 instance:
 # ipfw nat64stl NAT create table4 T46 table6 T64
 5. Add rules that matches the traffic:
 # ipfw add nat64stl NAT ip from any to table(T46)
 # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
 6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
    via NAT64 host.

Stateful NAT64 registers external action with name nat64lsn. The only
one option required to create nat64lsn instance - prefix4. It defines
the pool of IPv4 addresses used for translation.

A configuration of instance should looks like this:
 1. Add rule to allow neighbor solicitation and advertisement:
 # ipfw add allow icmp6 from any to any icmp6types 135,136
 2. Create NAT64 instance:
 # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
 3. Add rules that matches the traffic:
 # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
 # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
 4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
    via NAT64 host.

Obtained from:	Yandex LLC
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D6434
2016-08-13 16:09:49 +00:00
ae
4500e11f0a Restore "nat global" support.
Now zero value of arg1 used to specify "tablearg", use the old "tablearg"
value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace
hardcoded magic number to specify "nat global". Also replace 65535 magic
number with corresponding macro. Fix typo in comments.

PR:		211256
Tested by:	Victor Chernov
MFC after:	3 days
2016-08-11 10:10:10 +00:00
ae
c6aaca92fc Fix formatting of setfib opcode.
Zero fib is correct value and it conflicts with IP_FW_TARG.
Use bprint_uint_arg() only when opcode contains IP_FW_TARG,
otherwise just print numeric value with cleared high-order bit.

MFC after:	3 days
2016-08-08 18:30:50 +00:00
ae
357073584e Fix constructing of setdscp opcode with tablearg keyword.
setdscp's argument can have zero value that conflicts with IP_FW_TARG value.
Always set high-order bit if parser doesn't find tablearg keyword.

MFC after:	3 days
2016-08-08 18:10:30 +00:00
ae
24f451b374 An old tables implementation had all tables preallocated,
so when user did `ipfw table N flush` it always worked, but now
when table N doesn't exist the kernel returns ESRCH error.
This isn't fatal error for flush and destroy commands. Do not
call err(3) when errno is equal to ESRCH. Also warn only when
quiet mode isn't enabled. This fixes a regression in behavior,
when old rules are loaded from file.
Also use correct value for switch in the table_swap().

Reported by:	Kevin Oberman
MFC after:	3 days
2016-08-01 13:38:48 +00:00
ae
e679279326 Add named dynamic states support to ipfw(4).
The keep-state, limit and check-state now will have additional argument
flowname. This flowname will be assigned to dynamic rule by keep-state
or limit opcode. And then can be matched by check-state opcode or
O_PROBE_STATE internal opcode. To reduce possible breakage and to maximize
compatibility with old rulesets default flowname introduced.
It will be assigned to the rules when user has omitted state name in
keep-state and check-state opcodes. Also if name is ambiguous (can be
evaluated as rule opcode) it will be replaced to default.

Reviewed by:	julian
Obtained from:	Yandex LLC
MFC after:	1 month
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D6674
2016-07-19 04:56:59 +00:00
ae
2c47439b3f Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
as defined in RFC 6296. The module works together with ipfw(4) and
implemented as its external action module. When it is loaded, it registers
as eaction and can be used in rules. The usage pattern is similar to
ipfw_nat(4). All matched by rule traffic goes to the NPT module.

Reviewed by:	hrs
Obtained from:	Yandex LLC
MFC after:	1 month
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D6420
2016-07-18 19:46:31 +00:00
cy
7caf2cf8de r302561 broke buildworld. This patch fixes that.
MFC after:	3 days
X-MFC with:	r302561
2016-07-11 13:41:40 +00:00
ae
92de0ba37b Flush buffer after output. This fixes adding new data to already
printed flows.

PR:		210882
MFC after:	3 days
2016-07-11 12:44:58 +00:00
ae
fbde243b6c Hide warning about non-existent lookup tables and informational messages
about modified table entry when quied mode enabled.

Approved by:	re (hrs)
Obtained from:	Yandex LLC
2016-07-02 11:54:20 +00:00
truckman
debdc06d9e Belatedly bump .Dd date for Dummynet AQM import in r300779. 2016-06-02 00:42:15 +00:00
truckman
2a78edb668 Import Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE).
Centre for Advanced Internet Architectures

Implementing AQM in FreeBSD

* Overview <http://caia.swin.edu.au/freebsd/aqm/index.html>

* Articles, Papers and Presentations
  <http://caia.swin.edu.au/freebsd/aqm/papers.html>

* Patches and Tools <http://caia.swin.edu.au/freebsd/aqm/downloads.html>

Overview

Recent years have seen a resurgence of interest in better managing
the depth of bottleneck queues in routers, switches and other places
that get congested. Solutions include transport protocol enhancements
at the end-hosts (such as delay-based or hybrid congestion control
schemes) and active queue management (AQM) schemes applied within
bottleneck queues.

The notion of AQM has been around since at least the late 1990s
(e.g. RFC 2309). In recent years the proliferation of oversized
buffers in all sorts of network devices (aka bufferbloat) has
stimulated keen community interest in four new AQM schemes -- CoDel,
FQ-CoDel, PIE and FQ-PIE.

The IETF AQM working group is looking to document these schemes,
and independent implementations are a corner-stone of the IETF's
process for confirming the clarity of publicly available protocol
descriptions. While significant development work on all three schemes
has occured in the Linux kernel, there is very little in FreeBSD.

Project Goals

This project began in late 2015, and aims to design and implement
functionally-correct versions of CoDel, FQ-CoDel, PIE and FQ_PIE
in FreeBSD (with code BSD-licensed as much as practical). We have
chosen to do this as extensions to FreeBSD's ipfw/dummynet firewall
and traffic shaper. Implementation of these AQM schemes in FreeBSD
will:
* Demonstrate whether the publicly available documentation is
  sufficient to enable independent, functionally equivalent implementations

* Provide a broader suite of AQM options for sections the networking
  community that rely on FreeBSD platforms

Program Members:

* Rasool Al Saadi (developer)

* Grenville Armitage (project lead)

Acknowledgements:

This project has been made possible in part by a gift from the
Comcast Innovation Fund.

Submitted by:	Rasool Al-Saadi <ralsaadi@swin.edu.au>
X-No objection:	core
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D6388
2016-05-26 21:40:13 +00:00
ae
ee940751c3 Make ipfw internal olist output more user friendly.
Print object type as string for known types.

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
2016-05-17 11:22:08 +00:00
ae
f79f8e9de8 Make named objects set-aware. Now it is possible to create named
objects with the same name in different sets.

Add optional manage_sets() callback to objects rewriting framework.
It is intended to implement handler for moving and swapping named
object's sets. Add ipfw_obj_manage_sets() function that implements
generic sets handler. Use new callback to implement sets support for
lookup tables.
External actions objects are global and they don't support sets.
Modify eaction_findbyname() to reflect this.
ipfw(8) now may fail to move rules or sets, because some named objects
in target set may have conflicting names.
Note that ipfw_obj_ntlv type was changed, but since lookup tables
actually didn't support sets, this change is harmless.

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
2016-05-17 07:47:23 +00:00
pfg
9308a287b4 sbin: minor spelling fixes.
No functional change.
2016-04-30 19:04:59 +00:00