Commit Graph

481 Commits

Author SHA1 Message Date
luigi
32deede1ae fix a buffer overflow with large (100k+) number of input lines.
MFC after:	3 days
2010-04-12 08:27:53 +00:00
ume
69c698c974 Set net.inet6.ip6.fw.enable as well. 2010-04-06 12:28:08 +00:00
luigi
45fd7e5066 fix another bug in "ipfw set N ..."
Submitted by:	Marcin Wisnicki
2010-03-24 23:06:16 +00:00
gavin
9cc3706fd5 Tweak language to make one point potentially clearer for non-native spekers
PR:		bin/121424
Submitted by:	"Julian H. Stacey" <jhs berklix.org>
2010-03-20 14:42:16 +00:00
luigi
ea650b19a1 accept lower case m as a synonym for Mega (bit/s or bytes/s). 2010-03-15 18:26:09 +00:00
luigi
b958ac2aee print correctly commands of the form
ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 }

(note that the above example could be better written as

	ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8

Submitted by:	Riccardo Panicucci
2010-03-15 18:20:51 +00:00
luigi
3c242d0b3e + implement (two lines) the kernel side of 'lookup dscp N' to use the
dscp as a search key in table lookups;

+ (re)implement a sysctl variable to control the expire frequency of
  pipes and queues when they become empty;

+ add 'queue number' as optional part of the flow_id. This can be
  enabled with the command

        queue X config mask queue ...

  and makes it possible to support priority-based schedulers, where
  packets should be grouped according to the priority and not some
  fields in the 5-tuple.
  This is implemented as follows:
  - redefine a field in the ipfw_flow_id (in sys/netinet/ip_fw.h) but
    without changing the size or shape of the structure, so there are
    no ABI changes. On passing, also document how other fields are
    used, and remove some useless assignments in ip_fw2.c

  - implement small changes in the userland code to set/read the field;

  - revise the functions in ip_dummynet.c to manipulate masks so they
    also handle the additional field;

There are no ABI changes in this commit.
2010-03-15 17:14:27 +00:00
luigi
3a68724891 Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits
of ip->ip_tos) in a table. This can be useful to direct traffic to
different pipes/queues according to the DSCP of the packet, as follows:

    ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue

This change is a no-op (but harmless) until the two-line kernel
side is committed, which will happen shortly.
2010-03-15 15:43:35 +00:00
luigi
0d5da117aa implement listing of a subset of pipes/queues/schedulers.
The filtering of the output is done in the kernel instead of userland
to reduce the amount of data transfered.
2010-03-11 22:42:33 +00:00
luigi
d3ede2e999 add back DPADD (removed by mistake in a previous commit) 2010-03-08 14:43:55 +00:00
luigi
859f5adfa0 more documentation on new dummynet features. 2010-03-05 14:13:58 +00:00
luigi
7053937fa6 make the listing of queues/pipes/schedulers handle the case of
data size increasing while we fetch the info.
2010-03-04 16:56:36 +00:00
luigi
b486493f31 fix handling of sets 2010-03-04 16:55:32 +00:00
luigi
9b5097a55e reduce diffs with the cross-platform version (windows needs
some extra initialization)
2010-03-04 16:54:56 +00:00
luigi
302fda42a4 remove stale comment 2010-03-04 16:08:51 +00:00
luigi
5ceeac4aa8 Bring in the most recent version of ipfw and dummynet, developed
and tested over the past two months in the ipfw3-head branch.  This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.

The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.

Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.

CREDITS:
This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.
2010-03-02 17:40:48 +00:00
ru
4d27ff91d0 Fixed dependencies (make checkdpadd). 2010-02-25 20:24:19 +00:00
luigi
84d17b9dde implement a new match option,
lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N

which searches the specified field in table N and sets tablearg
accordingly.
With dst-ip or src-ip the option replicates two existing options.
When used with other arguments, the option can be useful to
quickly dispatch traffic based on other fields.

Work supported by the Onelab project.

MFC after:	1 week
2009-12-15 09:46:27 +00:00
luigi
507718c519 fix the indentation for addr: values
MFC after:	3 days
2009-12-15 09:32:35 +00:00
luigi
d0b8e66dba restore setting of sin_len (was removed in 1.146 last february) as
it seems that now it is necessary for 'forward' to work outside lo0.
The bug (and fix) was reported on 8.0. This patch probably applies
to RELENG_7 as well.
It seems that 'pf' has a similar bug.

Submitted by:	Lytochkin Boris
MFC after:	3 days
2009-12-06 18:04:26 +00:00
luigi
62461e96f5 fix argument type in the call to expand_number
Submitted by:	gcc 4.3
MFC after:	3 days
2009-12-04 14:18:30 +00:00
luigi
98a49a6613 use qsort_r instead of heapsort;
staticize two functions.

MFC after:	3 days
2009-12-03 12:23:48 +00:00
netchild
10efa8a238 Fix minor resource leak in a function.
Reviewed by:	luigi
MFC after:	1 week
2009-11-21 10:46:49 +00:00
brueffer
2100141d0b Fix setfib(1) section number.
PR:		133765
Submitted by:	Konstantin Zolotukhin <erebus@gorodok.net>
MFC after:	3 days
2009-09-18 14:17:00 +00:00
oleg
0c8702bb1e - 'burst' description rewritten.
Submitted by:	Ben Kaduk
Approved by:	re (kib)
2009-06-26 19:49:06 +00:00
maxim
c26bbc521d o Kill grammar nits.
PR:		docs/136061
Submitted by:	Ben Kaduk
MFC after:	1 week
2009-06-26 05:09:00 +00:00
oleg
11197296ca - fix dummynet 'fast' mode for WF2Q case.
- fix printing of pipe profile data.
- introduce new pipe parameter: 'burst' - how much data can be sent through
  pipe bypassing bandwidth limit.
2009-06-24 22:57:07 +00:00
luigi
bf5db0adae Permit the specification of bandwidth values within
"profile" files (bandwidth is mandatory when using a
profile, so it makes sense to have everything in one place).

Update the manpage accordingly.

Submitted by:	Marta Carbone
2009-06-08 14:32:29 +00:00
luigi
d90175e4d6 add a missing format in a printf
Detected building with gcc 4.3.3

MFC after:	3 days
2009-06-08 10:53:18 +00:00
luigi
78a4bbf287 Several ipfw options and actions use a 16-bit argument to indicate
pipes, queues, tags, rule numbers and so on.
These are all different namespaces, and the only thing they have in
common is the fact they use a 16-bit slot to represent the argument.

There is some confusion in the code, mostly for historical reasons,
on how the values 0 and 65535 should be used. At the moment, 0 is
forbidden almost everywhere, while 65535 is used to represent a
'tablearg' argument, i.e. the result of the most recent table() lookup.

For now, try to use explicit constants for the min and max allowed
values, and do not overload the default rule number for that.

Also, make the MTAG_IPFW declaration only visible to the kernel.

NOTE: I think the issue needs to be revisited before 8.0 is out:
the 2^16 namespace limit for rule numbers and pipe/queue is
annoying, and we can easily bump the limit to 2^32 which gives
a lot more flexibility in partitioning the namespace.

MFC after:	5 days
2009-06-05 16:16:07 +00:00
luigi
2e85daee53 remove a printf that was only useful for debugging.
MFC after:	3 days
2009-06-05 13:11:34 +00:00
trhodes
c9f2c65c9f Kill hard sentence break added in the previous revision. 2009-04-11 08:52:02 +00:00
luigi
5c7675fccb Add emulation of delay profiles, which lets you model various
types of MAC overheads such as preambles, link level retransmissions
and more.

Note- this commit changes the userland/kernel ABI for pipes
(but not for ordinary firewall rules) so you need to rebuild
kernel and /sbin/ipfw to use dummynet features.

Please check the manpage for details on the new feature.

The MFC would be trivial but it breaks the ABI, so it will
be postponed until after 7.2 is released.

Interested users are welcome to apply the patch manually
to their RELENG_7 tree.

Work supported by the European Commission, Projects Onelab and
Onelab2 (contract 224263).
2009-04-09 12:46:00 +00:00
maxim
d45acb8459 o Grammar. 2009-04-08 17:46:45 +00:00
luigi
7543af0746 Various cleanup of text, moving a couple of paragraphs
above to avoid referencing undefined terms (humans are not compilers
but still care about these things).

Change some .Sh to .Ss to better reflect the structure of the text.

No new content.
2009-04-08 15:18:21 +00:00
trhodes
263a066905 Remove contractions, reword a sentence to avoid a double negative,
and bump document date for previous change.

OKed by:	piso
2009-04-07 13:51:41 +00:00
piso
30d15f06f1 Improve a bit reass documentation:
-document fragment handling sysctls
-mention some caveats about fragments handling (and to deal with it)
2009-04-05 15:24:27 +00:00
piso
c9b4c10995 Implement an ipfw action to reassemble ip packets: reass. 2009-04-01 20:23:47 +00:00
brueffer
4bb1b51862 Mdoc style, spelling, grammar and wording fixes. This manpage needs more work. 2009-03-19 10:42:07 +00:00
luigi
359ccc0fed move a variable declaration to the beginning of the block
(unfortunately, it is far away; we need to pack this code in
a better way).
2009-03-05 08:08:09 +00:00
luigi
b29749721a remove some signed/unsigned and one const/!const warning 2009-03-05 08:01:58 +00:00
luigi
d5c4f3cf08 mark a function static, as it is 2009-03-05 08:01:19 +00:00
piso
d34fad2923 Add SCTP NAT support.
Submitted by: CAIA (http://caia.swin.edu.au)
2009-02-07 18:49:42 +00:00
luigi
af5756126e Explain that we assume AF_INET and only use the addr and port field
from a struct sockaddr_in, so there is no need to initialize sin_len
2009-02-02 11:02:19 +00:00
luigi
bec0413580 remove duplicate #include 2009-02-02 10:58:05 +00:00
luigi
23001c70f6 put the altq-related functions into a separate file.
Minor cleanup of the includes used by the various source files,
including annotations of why certain headers are used.
2009-02-01 16:00:49 +00:00
luigi
427f135f75 Avoid the use of duplicated typedefs -- see the comment for details. 2009-01-28 11:43:12 +00:00
luigi
5f74942998 fix printing of uint64_t values, so we can use WARNS=2 2009-01-27 20:26:45 +00:00
luigi
66a879082d fix wrong variable usage... 2009-01-27 12:24:53 +00:00
luigi
8a3b5c8587 Put nat and ipv6 support in their own files.
Usual moving of code with no changes from ipfw2.c to the
newly created files, and addition of prototypes to ipfw2.h

I have added forward declarations for ipfw_insn_* in ipfw2.h
to avoid a global dependency on ip_fw.h
2009-01-27 12:01:30 +00:00