Commit Graph

469 Commits

Author SHA1 Message Date
Paolo Pisati
ff2f6fe80f Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
2006-12-29 21:59:17 +00:00
Tom Rhodes
1cc7aa7d96 Add a note about rule syntax compared to the shell used so users do not get
frustraited when:
ipfw add 201 deny ip from any to table(2) in via xl1
returns "Badly placed ( )'s"

PR:	73638
2006-10-09 22:12:08 +00:00
Giorgos Keramidas
223ccb5450 When addr/mask examples are given, show both a host and network
address, to avoid confusing the users that a full address is
always required.

Submitted by:   Josh Paetzel <josh@tcbug.org> (through freebsd-doc)
MFC after:	3 days
2006-10-04 19:29:05 +00:00
Maxim Konovalov
c24384096d o Check for a required "pathname" argument presence.
PR:		bin/95146
Submitted by:	candy-sendpr@kgc.co.jp
MFC after:	3 weeks
2006-09-29 08:00:40 +00:00
Ruslan Ermilov
8266d47670 Markup fixes. 2006-09-18 11:55:10 +00:00
John Hay
268f526c05 Check the length of the ipv4 and ipv6 address lists. It must be less
than F_LEN_MASK.

MFC after:	5 days
2006-09-16 19:27:40 +00:00
John Hay
e7f2ec5364 Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
otherwise this command

ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

turns into icmp6types 1,2,32,33,34,...94,95,128,129

PR:		102422 (part 1)
Submitted by:	Andrey V. Elsukov <bu7cher at yandex.ru>
MFC after:	5 days
2006-09-16 06:34:30 +00:00
David Malone
cb0bfd9b89 A pipe bandwidth of 10MBits/s should probably
be understood as    10Mbits/s not 10MBytes/s.

Submitted by:	Gavin McCullagh <gavin.mccullagh@nuim.ie>
MFC after:	1 week
2006-08-23 14:29:18 +00:00
David Malone
e28cb02537 Regigle parens to try and get the intended affect. This should fix people
having trouble with the "me6" keyword. Also, we were using inet_pton on
the wrong variable in one place.

Reviewed by:	mlaier (previous version of patch)
Obtained from:	Sascha Blank (inet_pton change)
MFC after:	1 week
2006-08-20 20:10:36 +00:00
Julian Elischer
1b97421aae Fix typo. 2006-08-20 05:42:58 +00:00
Julian Elischer
afad78e259 comply with style police
Submitted by:	ru
MFC after:	1 month
2006-08-18 22:36:05 +00:00
Julian Elischer
c487be961a Allow ipfw to forward to a destination that is specified by a table.
for example:
  fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2

This allows trivial implementation of a secondary routing table implemented
in the firewall layer.

I expect more work (under discussion with Glebius) to follow this to clean
up some of the messy parts of ipfw related to tables.

Reviewed by:	Glebius
MFC after:	1 month
2006-08-17 22:49:50 +00:00
Julian Elischer
3095bda433 Take IP_FIREWALL_EXTENDED out of the man page too.
MFC after: 1 week
2006-08-17 00:46:06 +00:00
Stefan Farfeleder
299652afbc Use the SLIST_NEXT macro instead of sle_next.
Checked with:	cmp(1)
2006-08-05 13:58:50 +00:00
Oleg Bulyzhin
84fd82e86f Specify correct argument range for tag/untag keywords.
Approved by:	glebius (mentor)
2006-07-25 11:07:31 +00:00
Oleg Bulyzhin
254c472561 Add support of 'tablearg' feature for:
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
	pipe 1 tag tablearg ip from table(1) to any
	allow ip from any to table(2) tagged tablearg
	allow tcp from table(3) to any 25 setup limit src-addr tablearg

sbin/ipfw/ipfw2.c:
1) new macros
   GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
   PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions
   like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.

Approved by:	glebius (mentor)
MFC after:	1 month
2006-06-15 09:39:22 +00:00
Max Laier
81bd0dc0bc Print dynamic rules for IPv6 as well.
PR:		bin/98349
Submitted by:	Mark Andrews
MFC after:	2 weeks
2006-06-02 05:17:17 +00:00
Oleg Bulyzhin
6a7d5cb645 Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by:	Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by:	Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by:	glebius (mentor)
Idea from:	OpenBSD PF
MFC after:	1 month
2006-05-24 13:09:55 +00:00
Max Laier
926bbf905e For src/dest parsing take off the netmask before checking for AF with
inet_pton.  This fixes cases like "fe02::/16".

PR:		bin/91245
Reported by:	Fredrik Lindberge
2006-05-14 03:53:04 +00:00
Max Laier
270404f55a Update manpage for net.inet6.ip6.fw.enable sysctl.
Requested by:	bz
2006-05-12 18:09:33 +00:00
Julian Elischer
905c41b537 Amazing.. two screwups in one commit.
I'm piling on thise pointy hats on top of each other.
At least they nest..
2006-03-31 12:54:17 +00:00
Julian Elischer
dbadd6b028 I can't believe that no-one noticed that I broke ipfw table del
for over a month!
put {}  around if clause with multiple statements
2006-03-31 12:40:09 +00:00
Hajimu UMEMOTO
c6ec022631 Revert `proto ip' back to the previous behavior. The kernel side of
ipfw2 doesn't allow zero as protocol number.

MFC after:	3 days
2006-03-05 15:55:46 +00:00
Julian Elischer
4f6ac14677 oops, mismerge from working sources.. not only add new code,
but remove old code!
2006-02-14 03:13:12 +00:00
Julian Elischer
21899082ae Stop ipfw from aborting when asked to delete a table entry that
doesn't exist or add one that is already present, if the -q flag
is set. Useful for "ipfw -q /dev/stdin" when the command above is
invoked from  something like python or TCL to feed commands
down the throat of ipfw.
MFC in: 1 week
2006-02-14 03:10:29 +00:00
Ruslan Ermilov
f9395aff27 Fix a markup glitch. 2006-02-03 16:41:13 +00:00
Gleb Smirnoff
7f3c5f6ac3 Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore. 2006-01-13 16:44:56 +00:00
Gleb Smirnoff
331655f15e Document 'tablearg' keyword.
Wording by:	emaste
2006-01-13 15:48:38 +00:00
Ruslan Ermilov
a5b0d9050a [mdoc] add missing space before a punctuation type argument. 2005-12-13 17:07:52 +00:00
Gleb Smirnoff
40b1ae9e00 Add a new feature for optimizining ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.

An example usage:

  ipfw pipe 1000 config bw 1000Kbyte/s
  ipfw pipe 4000 config bw 4000Kbyte/s
  ipfw table 1 add x.x.x.x 1000
  ipfw table 1 add x.x.x.y 4000
  ipfw pipe tablearg ip from table(1) to any

In the example above the rule will throw different packets to different pipes.

TODO:
  - Support "skipto" action, but without searching all rules.
  - Improve parser, so that it warns about bad rules. These are:
    - "tablearg" argument to action, but no "table" in the rule. All
      traffic will be blocked.
    - "tablearg" argument to action, but "table" searches for entry with
      a specific value. All traffic will be blocked.
    - "tablearg" argument to action, and two "table" looks - for src and
      for dst. The last lookup will match.
2005-12-13 12:16:03 +00:00
Gleb Smirnoff
02d48226cc Cleanup _FreeBSD_version. 2005-12-09 13:03:30 +00:00
Hajimu UMEMOTO
36c263cca9 We couldn't specify the rule for filtering tunnel traffic since an
IPv6 support was committed:

- Stop treating `ip' and `ipv6' as special in `proto' option as they
  conflict with /etc/protocols.

- Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.

- When protocol is specified as numeric, treat it as it is even it is
  41 (ipv6).

- Allow zero for protocol as it is valid number of `ip'.

Still, we cannot specify an IPv6 over an IPv4 tunnel like before such
as:

	pass ipv6 from any to any

But, now, you can specify it like:

	pass ip4 from any to any proto ipv6

PR:		kern/89472
Reported by:	Ga l Roualland <gael.roualland__at__dial.oleane.com>
MFC after:	1 week
2005-11-29 15:25:09 +00:00
Gleb Smirnoff
e36ffd3b15 Catch up with ip_dummynet.h rev. 1.38 and fix build. 2005-11-29 12:01:26 +00:00
Gleb Smirnoff
b090e4ce1f Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(),
thus removing a few XXXes.
  Document the ABI breakage in UPDATING.
2005-11-29 08:59:41 +00:00
Ruslan Ermilov
4e9e907d63 -mdoc sweep. 2005-11-18 10:36:29 +00:00
Christian S.J. Peron
cd5f2f95b6 Restore the documentation about uid, gid or prison based rules requiring
that debug.mpsafenet be set to 0. It is still possible for dead locks to
occur while these filtering options are used due to the layering violation
inherent in their implementation.

Discussed:	-current, rwatson, glebius
2005-10-23 16:15:02 +00:00
Max Laier
13f5260916 Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.
Reminded by:	ru
2005-09-28 08:18:55 +00:00
Bjoern A. Zeeb
9066356ba1 * Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.

Submitted by:	sysctl handling derived from patch from ume needed for ip6fw
Obtained from:	is_icmp6_query and send_reject6 derived from similar
		functions of netinet6,ip6fw
Reviewed by:	ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after:	6 days
2005-08-13 11:02:34 +00:00
Colin Percival
e5610d524c Bump document date. Remove EOL whitespace introduced in previous
commit.  Start new line at sentence break in previous commit.

Approved by:	re (implicit, fixing a commit made 5 minutes ago)
2005-07-01 10:04:33 +00:00
Colin Percival
4beacf6666 Document some limitations of uid/gid rules.
Approved by:	re (rwatson)
MFC after:	3 days
2005-07-01 09:51:10 +00:00
Ruslan Ermilov
55c82bf0d4 Markup fixes.
Approved by:	re (blanket)
2005-06-14 11:24:56 +00:00
Max Laier
b730879ffa add_proto() now fills proto for us so stop to 'guess' the protocol from the
command and rather trust the value add_proto filled in.  While here, fix an
oversight in the pretty printing of ip6/4 options.
2005-06-07 14:11:17 +00:00
Brian Feldman
5278d40bcc Better explain, then actually implement the IPFW ALTQ-rule first-match
policy.  It may be used to provide more detailed classification of
traffic without actually having to decide its fate at the time of
classification.

MFC after:	1 week
2005-06-04 19:04:31 +00:00
Max Laier
57cd6d263b Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well.
This is the last requirement before we can retire ip6fw.

Reviewed by:	dwhite, brooks(earlier version)
Submitted by:	dwhite (manpage)
Silence from:	-ipfw
2005-06-03 01:10:28 +00:00
Max Laier
ffa4a5867a Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults
and not every protocol is IPv6.
2005-05-21 03:27:33 +00:00
Gleb Smirnoff
0c0e9713a6 'ngtee' also depends on net.inet.ip.fw.one_pass. 2005-05-11 12:58:15 +00:00
Gleb Smirnoff
0af8180f8c IPFW version 2 is the only option now in HEAD. Do not confuse
users of future releases with instructions about building IPFW2
on RELENG_4.
2005-05-04 13:14:57 +00:00
Brooks Davis
d360073b23 Fix a the previous commit. I wanted to remove the if and always run the
body not remove both.

Reported by:	ceri
Pointy hat:	brooks
2005-04-26 20:22:31 +00:00
Brooks Davis
38aede1cce Don't force IPv6 proto to be printed numericaly.
Noticed by:	ceri
2005-04-26 20:00:07 +00:00
Brooks Davis
8195404bed Add IPv6 support to IPFW and Dummynet.
Submitted by:	Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
2005-04-18 18:35:05 +00:00
Brooks Davis
776c10059d Be more specific when complaining about bit masks. 2005-04-05 22:26:02 +00:00
Andre Oppermann
099dd0430b Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option:

 options IPFIREWALL_FORWARD_EXTENDED

This option has to be specified in addition to IPFIRWALL_FORWARD.

With this option even packets targeted for an IP address local
to the host can be redirected.  All restrictions to ensure proper
behaviour for locally generated packets are turned off.  Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.

Document the two kernel options.

PR:		kern/71910
PR:		kern/73129
MFC after:	1 week
2005-02-22 17:40:40 +00:00
Ruslan Ermilov
0227791b40 Expand *n't contractions. 2005-02-13 22:25:33 +00:00
Gleb Smirnoff
dc490fa2e9 Sort SEE ALSO.
Submitted by:	ru
2005-02-07 08:51:34 +00:00
Gleb Smirnoff
1676543619 Document how interaction with ng_ipfw node is configured. 2005-02-05 18:29:03 +00:00
Gleb Smirnoff
670742a102 Add a ng_ipfw node, implementing a quick and simple interface between
ipfw(4) and netgraph(4) facilities.

Reviewed by:	andre, brooks, julian
2005-02-05 12:06:33 +00:00
Gleb Smirnoff
bd528823ec Don't print extra " via ", if we have already printed one. While here,
slightly style brackets.

PR:		misc/75297
MFC after:	1 week
2005-01-18 15:13:20 +00:00
Ruslan Ermilov
6087df9e8b Sort sections. 2005-01-18 10:09:38 +00:00
Ruslan Ermilov
5b1eeb71f2 Markup nits. 2005-01-15 11:21:24 +00:00
Brooks Davis
0175018610 Deprecate unmaintainable uses of strncmp to implement abbreviations.
This commit replaces those with two new functions that simplify the code
and produce warnings that the syntax is deprecated.  A small number of
sensible abbreviations may be explicitly added based on user feedback.

There were previously three types of strncmp use in ipfw:
 - Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av
   to match string or any shortened form of it.  I have replaced this
   with a new function _substrcmp(av, "string") which returns 0 if av
   is a substring of "string", but emits a warning if av is not exactly
   "string".

 - The next type was two instances of strncmp(av, "by", 2) which allowed
   the abbreviation of bytes to "by", "byt", etc.  Unfortunately, it
   also supported "bykHUygh&*g&*7*ui".  I added a second new function
   _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but
   complains if the user doesn't spell out the word "bytes".

 - There is also one correct use of strncmp to match "table(" which might
   have another token after it without a space.

Since I changed all the lines anyway, I also fixed the treatment of
strncmp's return as a boolean in many cases.  I also modified a few
strcmp cases as well to be fully consistent.
2005-01-15 01:46:41 +00:00
Ruslan Ermilov
214144704b Scheduled mdoc(7) sweep. 2005-01-10 16:17:34 +00:00
Brooks Davis
610055c9e2 Write some bit mask limits in hex rather than decimal so they look less
magic.
2005-01-07 01:21:23 +00:00
Christian S.J. Peron
02a85ee096 Update the IPFW man page to reflect reality. mpsafenet=0 is no longer
required when using ucred based rules.

Pointed out by:	seanc (thanks!)
MFC after:	1 month
2004-12-10 02:38:21 +00:00
Brooks Davis
448d1e830b Remove a duplicate line from an apparent merge error in rev 1.63. 2004-11-25 01:09:41 +00:00
Ceri Davies
20f13585ef Be more clear that "bridged" is a synonym for "layer2".
PR:		docs/44400
Submitted by:	Constantin Stefanov <cstef at mail dot ru>
2004-11-03 21:51:34 +00:00
Andre Oppermann
24fc79b0a4 Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload.
Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8)
man pages.
2004-10-22 19:12:01 +00:00
Christian S.J. Peron
93962a3a50 Add a note to the man page warning users about possible lock order
reversals+system lock ups if they are using ucred based rules
while running with debug.mpsafenet=1.

I am working on merging a shared locking mechanism into ipfw which
should take care of this problem, but it still requires a bit more
testing and review.
2004-10-09 20:07:33 +00:00
Brian Feldman
26dc327082 Reference altq(4) instead of pf.conf(5).
Tip of the hat to:	mlaier
2004-10-08 03:31:09 +00:00
Brian Feldman
17db1a040f Commit forgotten documentation for "diverted" rules. 2004-10-08 03:24:10 +00:00
Brian Feldman
a5559720e1 Remove blindly-copied extra include path. 2004-10-03 06:32:37 +00:00
Brian Feldman
c99ee9e042 Add support to IPFW for matching by TCP data length. 2004-10-03 00:47:15 +00:00
Brian Feldman
391a0e3306 Add the documentation for IPFW's diverted(-loopback|-output) matches. 2004-10-03 00:35:52 +00:00
Brian Feldman
6daf7ebd28 Add support to IPFW for classification based on "diverted" status
(that is, input via a divert socket).
2004-10-03 00:26:35 +00:00
Brian Feldman
5599f1b52b Remove accidentally-added O_DIVERTED section. 2004-10-03 00:24:42 +00:00
Brian Feldman
974dfe3084 Add to IPFW the ability to do ALTQ classification/tagging. 2004-10-03 00:17:46 +00:00
Christian S.J. Peron
d413c2e405 Since "d" is an array of 32 bit values, it is more
correct to change the cast from unsigned int to uint32_t.

Pointed out by:	luigi
2004-09-21 22:12:43 +00:00
Ruslan Ermilov
bf899c64f3 Prepare for 5.x soon becoming -STABLE.
Pointed out by:	-current users
2004-09-19 14:30:59 +00:00
Andre Oppermann
7c0102f575 Make 'ipfw tee' behave as inteded and designed. A tee'd packet is copied
and sent to the DIVERT socket while the original packet continues with the
next rule.  Unlike a normally diverted packet no IP reassembly attemts are
made on tee'd packets and they are passed upwards totally unmodified.

Note: This will not be MFC'd to 4.x because of major infrastucture changes.

PR:		kern/64240 (and many others collapsed into that one)
2004-09-13 16:46:05 +00:00
Christian S.J. Peron
3a27af0dd4 Currently when ipfw(8) generates the micro-instructions for rules which
contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical
operator bits get clobbered. Making it impossible to use the ``NOT'' or
``OR'' operators with uid, gid and jail based constraints.

The ipfw_insn instruction template contains a ``len'' element which
stores two pieces of information, the size of the instruction
(in 32-bit words) in the low 6 bits of "len" with the 2 remaining
bits to implement OR and NOT.

The current code clobbers the OR and NOT bits by initializing the
``len'' element to the size, rather than OR'ing the bits. This change
fixes this by changing the initialization of cmd->len to an OR operation
for the O_UID, O_GID and O_JAIL opcodes.

This may be a MFC candidate for RELENG_5.

Reviewed by:	andre
Approved by:	luigi
PR:		kern/63961 (partially)
2004-09-11 19:44:29 +00:00
Maxim Konovalov
00ed660991 o Initialize a local variable and make gcc happy.
PR:		bin/71485
Submitted by:	Jukka A. Ukkonen
2004-09-10 13:42:24 +00:00
Maxim Konovalov
9ec4f2e1b3 o Restore a historical ipfw1 logamount behaviour: rules with 'log'
keyword but without 'logamount' limit the amount of their log messages
by net.inet.ip.fw.verbose_limit sysctl value.

RELENG_5 candidate.

PR:		kern/46080
Submitted by:	Dan Pelleg
MFC after:	1 week
2004-08-29 08:25:02 +00:00
Pawel Jakub Dawidek
c3d6fe74a7 Fix 'show' command for pipes and queues.
PR:		bin/70311
Submitted by:	Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
MFC after:	3 days
2004-08-23 19:20:27 +00:00
Christian S.J. Peron
a8247db1de Remove trailing whitespace and change "prisoniD" to "prisonID".
Pointed out by:	simon
Approved by:	bmilekic (mentor)
2004-08-13 02:50:59 +00:00
Christian S.J. Peron
31c88a3043 Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is it's ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
  to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While Iam here, add a comment informing others that if they
  want to add additional opcodes, they should append them to the end
  of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
  set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by:	pjd
Reviewed by:	rwatson
Approved by:	bmilekic (mentor)
2004-08-12 22:06:55 +00:00
Andre Oppermann
5f9541ecbd New ipfw option "antispoof":
For incoming packets, the packet's source address is checked if it
 belongs to a directly connected network.  If the network is directly
 connected, then the interface the packet came on in is compared to
 the interface the network is connected to.  When incoming interface
 and directly connected interface are not the same, the packet does
 not match.

Usage example:

 ipfw add deny ip from any to any not antispoof in

Manpage education by:	ru
2004-08-09 16:12:10 +00:00
Andre Oppermann
55db762b76 Extend versrcreach by checking against the rt_flags for RTF_REJECT and
RTF_BLACKHOLE as well.

To quote the submitter:

 The uRPF loose-check implementation by the industry vendors, at least on Cisco
 and possibly Juniper, will fail the check if the route of the source address
 is pointed to Null0 (on Juniper, discard or reject route). What this means is,
 even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
 uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
 as a pseudo-packet-firewall without using any manual filtering configuration --
 one can simply inject a IGP or BGP prefix with next-hop set to a static route
 that directs to null/discard facility. This results in uRPF Loose-check failing
 on all packets with source addresses that are within the range of the nullroute.

Submitted by:	James Jun <james@towardex.com>
2004-07-21 19:55:14 +00:00
Ruslan Ermilov
9806e23132 Mechanically kill hard sentence breaks. 2004-07-02 21:45:06 +00:00
Ruslan Ermilov
1a41a8e4ce Fixed a bug spotted by compiling with -Wall. 2004-06-10 07:51:11 +00:00
Ruslan Ermilov
cd8b5ae0ae Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets.  Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after:	1 week
2004-06-09 20:10:38 +00:00
Christian S.J. Peron
04f708340a o Move NEED1 macro to the top of the source file.
o Add sanity checking to the firewall delete operation
  which tells the user that a firewall rule
  specification is required.

The previous behaviour was to exit without reporting any
errors to the user.

Approved by:	bmilekic (mentor)
2004-06-02 21:12:55 +00:00
Maxim Konovalov
5cbcfccb41 o Fix usage example.
PR:		docs/67065
Submitted by:	David Syphers
2004-05-23 19:05:59 +00:00
Stefan Farfeleder
c85c1d2779 Remove spurious semicolons.
Approved by:	das (mentor)
Reviewed by:	ipfw@
2004-05-18 13:57:37 +00:00
Christian S.J. Peron
19d4beceb2 Remove redundant sanity check before add_mac() when adding
mac ipfw rules. The exact same sanity check is performed as
the first operation of add_mac(), so there is no sense
in doing it twice.

Approved by:	bmilekic (mentor)
PR:		bin/55981
2004-05-09 01:53:31 +00:00
Andre Oppermann
22b5770b99 Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table.  The
default route is ignored because it would match everything and
render the check pointless.

This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.

Example:

 ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

  ip verify unicast source reachable-via any

Reviewed by:	luigi
2004-04-23 14:28:38 +00:00
Maxim Konovalov
14533a98b9 o Fix an incorrect parsing of 0.0.0.0/0 expression.
PR:		kern/64778
MFC after:	6 weeks
2004-04-09 17:26:01 +00:00
Ceri Davies
a155540f4b Backout revision 1.140; it seems that the previous version is clear
enough.

Requested by:	ru
2004-03-27 14:13:53 +00:00
Maxim Konovalov
1621280872 o The lenght of the port list is limited to 30 entries in ipfw2 not to 15.
PR:		docs/64534
Submitted by:	Dmitry Cherkasov
MFC after:	1 week
2004-03-26 19:09:22 +00:00
Ceri Davies
cdfd991b87 Clarify the description of the "established" option.
PR:		docs/50391
Submitted by:	root@edcsm.jussieu.fr
MFC after:	1 week
2004-03-22 21:24:38 +00:00
Maxim Konovalov
66d217f8db o Pass a correct argument to errx(3).
PR:		bin/61846
Submitted by:	Eugene Grosbein
MFC after:	1 week
2004-01-24 19:20:09 +00:00
Mike Makonnen
c6609fcd7c grammar 2004-01-23 06:37:19 +00:00
Maxim Konovalov
3abea06d63 o -c (compact) flag is ipfw2 feature.
PR:		bin/56328
MFC after:	3 days
2004-01-15 12:59:44 +00:00
Maxim Konovalov
d06b32b094 o -f (force) in conjunction with -p (preprocessor) is ipfw2 feature.
MFC after:	3 days
2004-01-15 12:57:04 +00:00
Maxim Konovalov
cec4ab6a04 o Legitimate -f (force) flags for -p (preprocessor) case.
PR:		bin/60433
Submitted:	Bjoern A. Zeeb
MFC after:	3 weeks
2003-12-24 13:04:04 +00:00
Luigi Rizzo
ac6cec512b Add a -b flag to /sbin/ipfw to print only action and comment for each
rule, thus omitting the entire body.
This makes the output a lot more readable for complex rulesets
(provided, of course, you have annotated your ruleset appropriately!)

MFC after: 3 days
2003-12-12 16:14:28 +00:00
Sam Leffler
d559f5c3d8 Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate
code is compiled in to support the O_IPSEC operator.  Previously no
support was included and ipsec rules were always matching.  Note that
we do not return an error when an ipsec rule is added and the kernel
does not have IPsec support compiled in; this is done intentionally
but we may want to revisit this (document this in the man page).

PR:		58899
Submitted by:	Bjoern A. Zeeb
Approved by:	re (rwatson)
2003-12-02 00:23:45 +00:00
Brooks Davis
9bf40ede4a Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Approved By:	re (in principle)
Reviewed By:	njl, imp
Tested On:	i386, amd64, sparc64
Obtained From:	NetBSD (if_xname)
2003-10-31 18:32:15 +00:00
Sam Leffler
2091a3fbaf remove include of route.h now that ip_dummynet.h no longer exposes
data structures that have an embedded struct route

Sponsored by:	FreeBSD Foundation
2003-10-03 21:01:48 +00:00
Ralf S. Engelschall
d1f602f79e fix typo: s/sytem/system/ 2003-09-26 12:22:28 +00:00
Peter Pentchev
94679655fd Document the alternate way of matching MAC addresses: by a bitmask.
PR:		56021
Submitted by:	Glen Gibb <grg@ridley.unimelb.edu.au>
MFC after:	1 month
2003-09-10 06:41:16 +00:00
Thomas Moestl
884be75cce Apply a bandaid to get this working on sparc64 again; the introduction
of do_cmd() broke things, because this function assumes that a socklen_t
is large enough to hold a pointer.
A real solution to this problem would be a rewrite of do_cmd() to
treat the optlen parameter consistently and not use it to carry
a pointer or integer dependent on the context.
2003-09-04 15:57:37 +00:00
Maxim Konovalov
1c56ad9b8e Check an arguments count before proceed in sysctl_handler().
PR:		bin/56298
Submitted by:	Kang Liu <liukang@bjpu.edu.cn>
MFC after:	2 weeks

# We need a regression test suit for ipfw(2)/ipfw(8) badly.
2003-09-02 10:36:40 +00:00
Luigi Rizzo
a0e26ba089 Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific 2003-07-22 07:41:24 +00:00
Maxim Konovalov
6fa74f7d88 o Initialize do_pipe before command parsing.
PR:		bin/54649
Submitted by:	Andy Gilligan <andy@evo6.org>
MFC after:	3 days
2003-07-21 09:56:05 +00:00
Luigi Rizzo
3004afca6e Userland side of:
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implement a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards
2003-07-15 23:08:44 +00:00
Luigi Rizzo
bbc39c8391 Make sure that comments are printed at the end of a rule.
Reported by:  Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
2003-07-15 10:23:43 +00:00
Luigi Rizzo
f3a126d3d8 Fix one typo in help() string, remove whitespace at end of line and
other minor whitespace changes.

Replace u_char with uint8_t in a few places.
2003-07-14 18:57:41 +00:00
Luigi Rizzo
26bf4d78c2 ccept of empty lines when reading from a file (this fixes a bug
introduced in the latest commits).

Also:

* update the 'ipfw -h' output;

* allow rules of the form "100 add allow ..." i.e. with the index first.
  (requested by Paul Richards). This was an undocumented ipfw1 behaviour,
  and it is left undocumented.

and minor code cleanups.
2003-07-14 08:39:49 +00:00
Luigi Rizzo
1b43a426de Add a '-T' flag to print the timestamp as numeric value instead
of converting it with ctime(). This is a lot more convenient for
postprocessing.

Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
2003-07-12 08:35:25 +00:00
Luigi Rizzo
7d3f835703 Document the existence of comments in ipfw rules,
the new flags handled when reading from a file,
and clarify that only numeric values are allowed for icmptypes.

MFC after: 3 days
2003-07-12 07:01:48 +00:00
Luigi Rizzo
62ff38ae06 In random order:
* make the code compile with WARNS=5 (at least on i386), mostly
  by adding 'const' specifier and replacing "void *" with "char *"
  in places where pointer arithmetic was used.
  This also spotted a few places where invalid tests (e.g. uint < 0)
  were used.

* support ranges in "list" and "show" commands. Now you can say

        ipfw show 100-1000 4000-8000

  which is very convenient when you have large rulesets.

* implement comments in ipfw commands. These are implemented in the
  kernel as O_NOP commands (which always match) whose body contains
  the comment string. In userland, a comment is a C++-style comment:

        ipfw add allow ip from me to any // i can talk to everybody

  The choice of '//' versus '#' is somewhat arbitrary, but because
  the preprocessor/readfile part of ipfw used to strip away '#',
  I did not want to change this behaviour.

  If a rule only contains a comment

        ipfw add 1000 // this rule is just a comment

  then it is stored as a 'count' rule (this is also to remind
  the user that scanning through a rule is expensive).

* improve handling of flags (still to be completed).
  ipfw_main() was written thinking of 'one rule per ipfw invocation',
  and so flags are set and never cleared. With readfile/preprocessor
  support, this changes and certain flags should be reset on each
  line. For the time being, only fix handling of '-a' which
  differentiates the "list" and "show" commands.

* rework the preprocessor support -- ipfw_main() already had most
  of the parsing code, so i have moved in there the only missing
  bit (stripping away '#' and comments) and removed the parsing
  from ipfw_readfile().
  Also, add some more options (such as -c, -N, -S) to the readfile
  section.

MFC after: 3 days
2003-07-12 06:53:16 +00:00
Daniel Harris
a10c9747dc Correct to match reality regarding interface names.
PR:		51006
Submitted by:	"Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua>
mdoc clue by:	"Simon L. Nielsen" <simon@nitro.dk>
MFC after:	10 days
2003-07-08 13:24:42 +00:00
Luigi Rizzo
4d233f6b0d * introduce a section on SYNTAX to document the handling
spaces and comma-separated lists of arguments;

* reword the description of address specifications, to include
  previous and current changes for address sets and lists;

* document the new '-n' flag.

* update the section on differences between ipfw1 and ipfw2
  (this is becoming boring!)

MFC after: 3 days
2003-07-08 08:07:03 +00:00
Luigi Rizzo
571f8c1b7a A bunch of changes (mostly syntactic sugar, all backward compatible):
* Make the addr-set size optional (defaults to /24)
    You can now write 1.2.3.0/24{56-80} or  1.2.3.0{56-80}
    Also make the parser more strict.

  * Support a new format for the list of addresses:
        1.2.3.4,5.6.7.8/30,9.10.11.12/22,12.12.12.13, ...
    which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK

  * Allow spaces after commas to make lists of addresses more readable.
        1.2.3.4, 5.6.7.8/30, 9.10.11.12/22, 12.12.12.13, ...

  * ipfw will now accept full commands as a single argument and strip
    extra leading/trailing whitespace as below:
        ipfw "-q add allow ip from 1.2.3.4 to 5.6.7.8, 9.10.11.23 "
    This should help in moving the body of ipfw into a library
    that user programs can invoke.

  * Cleanup some comments and data structures.

  * Do not print rule counters for dynamic rules with ipfw -d list
    (PR 51182)

  * Improve 'ipfw -h' output (PR 46785)

  * Add a '-n' flag to test the syntax of commands without actually
    calling [gs]etsockopt() (PR 44238)

  * Support the '-n' flag also with the preprocessors;

Manpage commit to follow.

MFC after: 3 days
2003-07-08 07:52:47 +00:00
Luigi Rizzo
c3e5b9f154 Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.

Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week
2003-07-04 21:42:32 +00:00
Luigi Rizzo
2bb3712f4e remove extra whitespace and blank lines 2003-06-27 17:18:14 +00:00
Luigi Rizzo
9d2d07e07d remove unused file (RELENG_5 and above use ipfw2, the old ipfw1
has been unused and unmaintained for a long time).
2003-06-24 07:10:13 +00:00
Luigi Rizzo
29c1402aa2 Split some long lines to fit 80 columns (the code in RELENG_4
was already correct).
2003-06-23 22:32:14 +00:00
Luigi Rizzo
9ef3f16d08 syntactic sugar: support range notation such as
1.2.3.4/24{5,6,7,10-20,60-90}
for set of ip addresses.
Previously you needed to specify every address in the range, which
was unconvenient and lead to very long lines.
Internally the set is still stored in the same way, just the
input and output routines are modified.

Manpage update still missing.

Perhaps a similar preprocessing step would be useful for port ranges.

MFC after: 3 days
2003-06-23 08:20:28 +00:00
Maxim Konovalov
064d54a248 o Fix sets of rules usage example.
PR:		docs/53625
Submitted by:	Kostyuk Oleg <cub@cub.org.ua>
MFC after:	1 week
2003-06-23 07:48:32 +00:00
Luigi Rizzo
44c884e134 Add support for multiple values and ranges for the "iplen", "ipttl",
"ipid" options. This feature has been requested by several users.
On passing, fix some minor bugs in the parser.  This change is fully
backward compatible so if you have an old /sbin/ipfw and a new
kernel you are not in trouble (but you need to update /sbin/ipfw
if you want to use the new features).

Document the changes in the manpage.

Now you can write things like

	ipfw add skipto 1000 iplen 0-500

which some people were asking to give preferential treatment to
short packets.

The 'MFC after' is just set as a reminder, because I still need
to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately
change the size of certain kernel structures; not that it matters
a lot since ipfw2 is entirely optional and not the default...)

PR: bin/48015

MFC after: 1 week
2003-06-22 17:33:19 +00:00
Maxim Konovalov
c82b8dcedd o Pass a correct argument to printf(3).
PR:		bin/51750
Submitted by:	Vasil Dimov <vd@datamax.bg>
MFC after:	2 weeks
2003-06-16 09:44:53 +00:00
Bernd Walter
330462a315 Change handling to support strong alignment architectures such as alpha and
sparc64.

PR:		alpha/50658
Submitted by:	rizzo
Tested on:	alpha
2003-06-04 01:17:37 +00:00
Crist J. Clark
010dabb047 Add a 'verrevpath' option that verifies the interface that a packet
comes in on is the same interface that we would route out of to get to
the packet's source address. Essentially automates an anti-spoofing
check using the information in the routing table.

Experimental. The usage and rule format for the feature may still be
subject to change.
2003-03-15 01:13:00 +00:00
Maxim Konovalov
45f6135194 o Partially revert rev. 1.103, fix 'ipfw show': dynamically adjust a
width of fields for packets and bytes counters.

PR:		bin/47196
Reviewed by:	-audit
Not objected by: luigi, des

o Use %llu instead of deprecated %qu convert specification for ipfw
packets and bytes counters.

Noted by:	des
MFC after:	1 month
2003-03-13 10:51:53 +00:00
Ruslan Ermilov
8b5381e069 /modules is gone long ago, use the safe equivalents. 2003-03-03 22:46:36 +00:00
Christian Brueffer
16b3d3546d Correct examples for stateful inspection
PR:		47817
Submitted by:	Simon L.Nielsen <simon@nitro.dk>
Reviewed by:	ceri, luigi
2003-02-04 01:33:25 +00:00
Matthew Dillon
6690be9efa It turns out that we do not need to add a new ioctl to unbreak a
default-to-deny firewall.  Simply turning off IPFW via a preexisting
sysctl does the job.  To make it more apparent (since nobody picked up
on this in a week's worth of flames), the boolean sysctl's have been
integrated into the /sbin/ipfw command set in an obvious and straightforward
manner.  For example, you can now do 'ipfw disable firewall' or
'ipfw enable firewall'.  This is far easier to remember then the
net.inet.ip.fw.enable sysctl.

Reviewed by:	imp
MFC after:	3 days
2003-01-12 03:31:10 +00:00
Giorgos Keramidas
c41a3921ef Fix a reference to the order of SYNOPSIS lines.
Submitted by:	Olivier Cherrier <Olivier.Cherrier@cediti.be>
		on freebsd-net
MFC after:	3 days
2003-01-05 00:09:23 +00:00
Jens Schweikhardt
9d5abbddbf Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,
especially in troff files.
2003-01-01 18:49:04 +00:00
Kelly Yancey
ca6e3cb0e4 Make preprocessor support more generic by passing all command-line options
after -p except for the last (the ruleset file to process) to the
preprocessor for interpretation.  This allows command-line options besides
-U and -D to be passed to cpp(1) and m4(1) as well as making it easier to
use other preprocessors.

Sponsored By:	NTT Multimedia Communications Labs
MFC after:	1 week
2002-12-23 20:08:21 +00:00
Giorgos Keramidas
3d2209ae92 Align timestamps when -t is used in ipfw and ipfw2.
PR:		kern/44843
Approved by:	re (jhb)
2002-11-26 22:53:14 +00:00
Luigi Rizzo
12b5dc6a39 Fix a kernel panic with rules of the type
prob 0.5 pipe NN ....

due to the generation of an invalid ipfw instruction sequence.
No ABI change, but you need to upgrade /sbin/ipfw to generate the
correct code.

Approved by: re
2002-11-26 19:58:12 +00:00
Luigi Rizzo
99652d0eb2 Update documentation to match the behaviour of ipfw with respect
to net.inet.ip.fw.one_pass.
Add to notes to explain the exact behaviour of "prob xxx" and "log"
options.

Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c)
2002-11-26 19:51:40 +00:00
Maxim Konovalov
a54587ad70 Kill EOL whitespaces, style(9) fix. 2002-11-06 15:09:34 +00:00
Maxim Konovalov
d6abaeebeb Fix UID/GID options parsing.
PR:		bin/42579
Submitted by:	Belousov Oleg <oleg@belousov.com>
Approved by:	luigi
MFC after:	2 weeks
2002-11-06 14:57:18 +00:00
Luigi Rizzo
4d5fe224c6 Misc fixes from Chris Pepper, plus additional explainations on
dummynet operation.

MFC after: 3 days
2002-10-28 07:03:56 +00:00
Maxime Henrion
7c697970f4 Fix ipfw2 panics on 64-bit platforms.
Quoting luigi:

In order to make the userland code fully 64-bit clean it may
be necessary to commit other changes that may or may not cause
a minor change in the ABI.

Reviewed by:	luigi
2002-10-24 18:04:44 +00:00
Sean Chittenden
927a76bb5e Increase the max dummynet hash size from 1024 to 65536. Default is still
1024.

Silence on:	-net, -ipfw 4weeks+
Reviewed by:	dd
Approved by:	knu (mentor)
MFC after:	3 weeks
2002-10-12 07:45:23 +00:00
Maxim Konovalov
3ec6f79c1e Do not dump core on 'ipfw add unreach': handling null strings in
fill_reject_code(). Please note ipfw/ipfw2.c is not affected.

PR:		bin/42304
Submitted by:	Andy@wantpackets.com
MFC after:	1 day
2002-09-25 11:22:36 +00:00
Maxim Konovalov
8bca894718 o Fix a typo.
o Remove EOL spaces.

Submitted by:	Harold Gutch <logix@foobar.franken.de> (typo patch)
Approved by:	luigi
MFC after:	3 days
2002-09-22 11:30:51 +00:00