Commit Graph

297 Commits

Author SHA1 Message Date
csjp
88c0121fcb Since "d" is an array of 32 bit values, it is more
correct to change the cast from unsigned int to uint32_t.

Pointed out by:	luigi
2004-09-21 22:12:43 +00:00
ru
35fa627d61 Prepare for 5.x soon becoming -STABLE.
Pointed out by:	-current users
2004-09-19 14:30:59 +00:00
andre
eba7c4085c Make 'ipfw tee' behave as inteded and designed. A tee'd packet is copied
and sent to the DIVERT socket while the original packet continues with the
next rule.  Unlike a normally diverted packet no IP reassembly attemts are
made on tee'd packets and they are passed upwards totally unmodified.

Note: This will not be MFC'd to 4.x because of major infrastucture changes.

PR:		kern/64240 (and many others collapsed into that one)
2004-09-13 16:46:05 +00:00
csjp
b1981485f7 Currently when ipfw(8) generates the micro-instructions for rules which
contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical
operator bits get clobbered. Making it impossible to use the ``NOT'' or
``OR'' operators with uid, gid and jail based constraints.

The ipfw_insn instruction template contains a ``len'' element which
stores two pieces of information, the size of the instruction
(in 32-bit words) in the low 6 bits of "len" with the 2 remaining
bits to implement OR and NOT.

The current code clobbers the OR and NOT bits by initializing the
``len'' element to the size, rather than OR'ing the bits. This change
fixes this by changing the initialization of cmd->len to an OR operation
for the O_UID, O_GID and O_JAIL opcodes.

This may be a MFC candidate for RELENG_5.

Reviewed by:	andre
Approved by:	luigi
PR:		kern/63961 (partially)
2004-09-11 19:44:29 +00:00
maxim
e510005b1a o Initialize a local variable and make gcc happy.
PR:		bin/71485
Submitted by:	Jukka A. Ukkonen
2004-09-10 13:42:24 +00:00
maxim
d003e4e10f o Restore a historical ipfw1 logamount behaviour: rules with 'log'
keyword but without 'logamount' limit the amount of their log messages
by net.inet.ip.fw.verbose_limit sysctl value.

RELENG_5 candidate.

PR:		kern/46080
Submitted by:	Dan Pelleg
MFC after:	1 week
2004-08-29 08:25:02 +00:00
pjd
aa05ee70bc Fix 'show' command for pipes and queues.
PR:		bin/70311
Submitted by:	Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
MFC after:	3 days
2004-08-23 19:20:27 +00:00
csjp
d0ccd82499 Remove trailing whitespace and change "prisoniD" to "prisonID".
Pointed out by:	simon
Approved by:	bmilekic (mentor)
2004-08-13 02:50:59 +00:00
csjp
6661aed38d Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is it's ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
  to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While Iam here, add a comment informing others that if they
  want to add additional opcodes, they should append them to the end
  of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
  set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by:	pjd
Reviewed by:	rwatson
Approved by:	bmilekic (mentor)
2004-08-12 22:06:55 +00:00
andre
649b4336f4 New ipfw option "antispoof":
For incoming packets, the packet's source address is checked if it
 belongs to a directly connected network.  If the network is directly
 connected, then the interface the packet came on in is compared to
 the interface the network is connected to.  When incoming interface
 and directly connected interface are not the same, the packet does
 not match.

Usage example:

 ipfw add deny ip from any to any not antispoof in

Manpage education by:	ru
2004-08-09 16:12:10 +00:00
andre
695543e4da Extend versrcreach by checking against the rt_flags for RTF_REJECT and
RTF_BLACKHOLE as well.

To quote the submitter:

 The uRPF loose-check implementation by the industry vendors, at least on Cisco
 and possibly Juniper, will fail the check if the route of the source address
 is pointed to Null0 (on Juniper, discard or reject route). What this means is,
 even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
 uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
 as a pseudo-packet-firewall without using any manual filtering configuration --
 one can simply inject a IGP or BGP prefix with next-hop set to a static route
 that directs to null/discard facility. This results in uRPF Loose-check failing
 on all packets with source addresses that are within the range of the nullroute.

Submitted by:	James Jun <james@towardex.com>
2004-07-21 19:55:14 +00:00
ru
46fddaa54b Mechanically kill hard sentence breaks. 2004-07-02 21:45:06 +00:00
ru
08b51f3241 Fixed a bug spotted by compiling with -Wall. 2004-06-10 07:51:11 +00:00
ru
27bed143c8 Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets.  Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after:	1 week
2004-06-09 20:10:38 +00:00
csjp
77c46c25ea o Move NEED1 macro to the top of the source file.
o Add sanity checking to the firewall delete operation
  which tells the user that a firewall rule
  specification is required.

The previous behaviour was to exit without reporting any
errors to the user.

Approved by:	bmilekic (mentor)
2004-06-02 21:12:55 +00:00
maxim
2b2f469df0 o Fix usage example.
PR:		docs/67065
Submitted by:	David Syphers
2004-05-23 19:05:59 +00:00
stefanf
5aa1920310 Remove spurious semicolons.
Approved by:	das (mentor)
Reviewed by:	ipfw@
2004-05-18 13:57:37 +00:00
csjp
02de288baa Remove redundant sanity check before add_mac() when adding
mac ipfw rules. The exact same sanity check is performed as
the first operation of add_mac(), so there is no sense
in doing it twice.

Approved by:	bmilekic (mentor)
PR:		bin/55981
2004-05-09 01:53:31 +00:00
andre
d4f49f008f Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table.  The
default route is ignored because it would match everything and
render the check pointless.

This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.

Example:

 ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

  ip verify unicast source reachable-via any

Reviewed by:	luigi
2004-04-23 14:28:38 +00:00
maxim
7c2d493645 o Fix an incorrect parsing of 0.0.0.0/0 expression.
PR:		kern/64778
MFC after:	6 weeks
2004-04-09 17:26:01 +00:00
ceri
77f01944ce Backout revision 1.140; it seems that the previous version is clear
enough.

Requested by:	ru
2004-03-27 14:13:53 +00:00
maxim
b44c8fb7c5 o The lenght of the port list is limited to 30 entries in ipfw2 not to 15.
PR:		docs/64534
Submitted by:	Dmitry Cherkasov
MFC after:	1 week
2004-03-26 19:09:22 +00:00
ceri
4eac8b9f7d Clarify the description of the "established" option.
PR:		docs/50391
Submitted by:	root@edcsm.jussieu.fr
MFC after:	1 week
2004-03-22 21:24:38 +00:00
maxim
ed6eaf7bd9 o Pass a correct argument to errx(3).
PR:		bin/61846
Submitted by:	Eugene Grosbein
MFC after:	1 week
2004-01-24 19:20:09 +00:00
mtm
2ee2805e83 grammar 2004-01-23 06:37:19 +00:00
maxim
d675b0ba7c o -c (compact) flag is ipfw2 feature.
PR:		bin/56328
MFC after:	3 days
2004-01-15 12:59:44 +00:00
maxim
36a468e048 o -f (force) in conjunction with -p (preprocessor) is ipfw2 feature.
MFC after:	3 days
2004-01-15 12:57:04 +00:00
maxim
912d84fa39 o Legitimate -f (force) flags for -p (preprocessor) case.
PR:		bin/60433
Submitted:	Bjoern A. Zeeb
MFC after:	3 weeks
2003-12-24 13:04:04 +00:00
luigi
d2a6451a37 Add a -b flag to /sbin/ipfw to print only action and comment for each
rule, thus omitting the entire body.
This makes the output a lot more readable for complex rulesets
(provided, of course, you have annotated your ruleset appropriately!)

MFC after: 3 days
2003-12-12 16:14:28 +00:00
sam
69806d879e Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate
code is compiled in to support the O_IPSEC operator.  Previously no
support was included and ipsec rules were always matching.  Note that
we do not return an error when an ipsec rule is added and the kernel
does not have IPsec support compiled in; this is done intentionally
but we may want to revisit this (document this in the man page).

PR:		58899
Submitted by:	Bjoern A. Zeeb
Approved by:	re (rwatson)
2003-12-02 00:23:45 +00:00
brooks
f1e94c6f29 Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Approved By:	re (in principle)
Reviewed By:	njl, imp
Tested On:	i386, amd64, sparc64
Obtained From:	NetBSD (if_xname)
2003-10-31 18:32:15 +00:00
sam
7e54937ddb remove include of route.h now that ip_dummynet.h no longer exposes
data structures that have an embedded struct route

Sponsored by:	FreeBSD Foundation
2003-10-03 21:01:48 +00:00
rse
47a2447530 fix typo: s/sytem/system/ 2003-09-26 12:22:28 +00:00
roam
222b91160b Document the alternate way of matching MAC addresses: by a bitmask.
PR:		56021
Submitted by:	Glen Gibb <grg@ridley.unimelb.edu.au>
MFC after:	1 month
2003-09-10 06:41:16 +00:00
tmm
c8c49c9053 Apply a bandaid to get this working on sparc64 again; the introduction
of do_cmd() broke things, because this function assumes that a socklen_t
is large enough to hold a pointer.
A real solution to this problem would be a rewrite of do_cmd() to
treat the optlen parameter consistently and not use it to carry
a pointer or integer dependent on the context.
2003-09-04 15:57:37 +00:00
maxim
c789fb5e20 Check an arguments count before proceed in sysctl_handler().
PR:		bin/56298
Submitted by:	Kang Liu <liukang@bjpu.edu.cn>
MFC after:	2 weeks

# We need a regression test suit for ipfw(2)/ipfw(8) badly.
2003-09-02 10:36:40 +00:00
luigi
6e0440c7df Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific 2003-07-22 07:41:24 +00:00
maxim
5d0d1d89af o Initialize do_pipe before command parsing.
PR:		bin/54649
Submitted by:	Andy Gilligan <andy@evo6.org>
MFC after:	3 days
2003-07-21 09:56:05 +00:00
luigi
d9b36adf9d Userland side of:
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implement a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards
2003-07-15 23:08:44 +00:00
luigi
ce0c00f511 Make sure that comments are printed at the end of a rule.
Reported by:  Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
2003-07-15 10:23:43 +00:00
luigi
a122d1d461 Fix one typo in help() string, remove whitespace at end of line and
other minor whitespace changes.

Replace u_char with uint8_t in a few places.
2003-07-14 18:57:41 +00:00
luigi
be37c541ae ccept of empty lines when reading from a file (this fixes a bug
introduced in the latest commits).

Also:

* update the 'ipfw -h' output;

* allow rules of the form "100 add allow ..." i.e. with the index first.
  (requested by Paul Richards). This was an undocumented ipfw1 behaviour,
  and it is left undocumented.

and minor code cleanups.
2003-07-14 08:39:49 +00:00
luigi
043fe49d63 Add a '-T' flag to print the timestamp as numeric value instead
of converting it with ctime(). This is a lot more convenient for
postprocessing.

Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
2003-07-12 08:35:25 +00:00
luigi
896ab15831 Document the existence of comments in ipfw rules,
the new flags handled when reading from a file,
and clarify that only numeric values are allowed for icmptypes.

MFC after: 3 days
2003-07-12 07:01:48 +00:00
luigi
1282338878 In random order:
* make the code compile with WARNS=5 (at least on i386), mostly
  by adding 'const' specifier and replacing "void *" with "char *"
  in places where pointer arithmetic was used.
  This also spotted a few places where invalid tests (e.g. uint < 0)
  were used.

* support ranges in "list" and "show" commands. Now you can say

        ipfw show 100-1000 4000-8000

  which is very convenient when you have large rulesets.

* implement comments in ipfw commands. These are implemented in the
  kernel as O_NOP commands (which always match) whose body contains
  the comment string. In userland, a comment is a C++-style comment:

        ipfw add allow ip from me to any // i can talk to everybody

  The choice of '//' versus '#' is somewhat arbitrary, but because
  the preprocessor/readfile part of ipfw used to strip away '#',
  I did not want to change this behaviour.

  If a rule only contains a comment

        ipfw add 1000 // this rule is just a comment

  then it is stored as a 'count' rule (this is also to remind
  the user that scanning through a rule is expensive).

* improve handling of flags (still to be completed).
  ipfw_main() was written thinking of 'one rule per ipfw invocation',
  and so flags are set and never cleared. With readfile/preprocessor
  support, this changes and certain flags should be reset on each
  line. For the time being, only fix handling of '-a' which
  differentiates the "list" and "show" commands.

* rework the preprocessor support -- ipfw_main() already had most
  of the parsing code, so i have moved in there the only missing
  bit (stripping away '#' and comments) and removed the parsing
  from ipfw_readfile().
  Also, add some more options (such as -c, -N, -S) to the readfile
  section.

MFC after: 3 days
2003-07-12 06:53:16 +00:00
dannyboy
63315d41e1 Correct to match reality regarding interface names.
PR:		51006
Submitted by:	"Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua>
mdoc clue by:	"Simon L. Nielsen" <simon@nitro.dk>
MFC after:	10 days
2003-07-08 13:24:42 +00:00
luigi
8efa9fd678 * introduce a section on SYNTAX to document the handling
spaces and comma-separated lists of arguments;

* reword the description of address specifications, to include
  previous and current changes for address sets and lists;

* document the new '-n' flag.

* update the section on differences between ipfw1 and ipfw2
  (this is becoming boring!)

MFC after: 3 days
2003-07-08 08:07:03 +00:00
luigi
45a53225d8 A bunch of changes (mostly syntactic sugar, all backward compatible):
* Make the addr-set size optional (defaults to /24)
    You can now write 1.2.3.0/24{56-80} or  1.2.3.0{56-80}
    Also make the parser more strict.

  * Support a new format for the list of addresses:
        1.2.3.4,5.6.7.8/30,9.10.11.12/22,12.12.12.13, ...
    which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK

  * Allow spaces after commas to make lists of addresses more readable.
        1.2.3.4, 5.6.7.8/30, 9.10.11.12/22, 12.12.12.13, ...

  * ipfw will now accept full commands as a single argument and strip
    extra leading/trailing whitespace as below:
        ipfw "-q add allow ip from 1.2.3.4 to 5.6.7.8, 9.10.11.23 "
    This should help in moving the body of ipfw into a library
    that user programs can invoke.

  * Cleanup some comments and data structures.

  * Do not print rule counters for dynamic rules with ipfw -d list
    (PR 51182)

  * Improve 'ipfw -h' output (PR 46785)

  * Add a '-n' flag to test the syntax of commands without actually
    calling [gs]etsockopt() (PR 44238)

  * Support the '-n' flag also with the preprocessors;

Manpage commit to follow.

MFC after: 3 days
2003-07-08 07:52:47 +00:00
luigi
c530f5973f Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.

Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week
2003-07-04 21:42:32 +00:00
luigi
131318184e remove extra whitespace and blank lines 2003-06-27 17:18:14 +00:00