Commit Graph

321 Commits

Author SHA1 Message Date
andre
9094f4f16b Bring back the full packet destination manipulation for 'ipfw fwd'
with the kernel compile time option:

 options IPFIREWALL_FORWARD_EXTENDED

This option has to be specified in addition to IPFIRWALL_FORWARD.

With this option even packets targeted for an IP address local
to the host can be redirected.  All restrictions to ensure proper
behaviour for locally generated packets are turned off.  Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.

Document the two kernel options.

PR:		kern/71910
PR:		kern/73129
MFC after:	1 week
2005-02-22 17:40:40 +00:00
ru
1541af42f1 Expand *n't contractions. 2005-02-13 22:25:33 +00:00
glebius
319ffb2bd2 Sort SEE ALSO.
Submitted by:	ru
2005-02-07 08:51:34 +00:00
glebius
c455085275 Document how interaction with ng_ipfw node is configured. 2005-02-05 18:29:03 +00:00
glebius
67c8ae0802 Add a ng_ipfw node, implementing a quick and simple interface between
ipfw(4) and netgraph(4) facilities.

Reviewed by:	andre, brooks, julian
2005-02-05 12:06:33 +00:00
glebius
038ca13cb7 Don't print extra " via ", if we have already printed one. While here,
slightly style brackets.

PR:		misc/75297
MFC after:	1 week
2005-01-18 15:13:20 +00:00
ru
13fe9ea5a2 Sort sections. 2005-01-18 10:09:38 +00:00
ru
ee49c96852 Markup nits. 2005-01-15 11:21:24 +00:00
brooks
a7b7255dba Deprecate unmaintainable uses of strncmp to implement abbreviations.
This commit replaces those with two new functions that simplify the code
and produce warnings that the syntax is deprecated.  A small number of
sensible abbreviations may be explicitly added based on user feedback.

There were previously three types of strncmp use in ipfw:
 - Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av
   to match string or any shortened form of it.  I have replaced this
   with a new function _substrcmp(av, "string") which returns 0 if av
   is a substring of "string", but emits a warning if av is not exactly
   "string".

 - The next type was two instances of strncmp(av, "by", 2) which allowed
   the abbreviation of bytes to "by", "byt", etc.  Unfortunately, it
   also supported "bykHUygh&*g&*7*ui".  I added a second new function
   _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but
   complains if the user doesn't spell out the word "bytes".

 - There is also one correct use of strncmp to match "table(" which might
   have another token after it without a space.

Since I changed all the lines anyway, I also fixed the treatment of
strncmp's return as a boolean in many cases.  I also modified a few
strcmp cases as well to be fully consistent.
2005-01-15 01:46:41 +00:00
ru
c56f1c1871 Scheduled mdoc(7) sweep. 2005-01-10 16:17:34 +00:00
brooks
182c46b20d Write some bit mask limits in hex rather than decimal so they look less
magic.
2005-01-07 01:21:23 +00:00
csjp
f104772590 Update the IPFW man page to reflect reality. mpsafenet=0 is no longer
required when using ucred based rules.

Pointed out by:	seanc (thanks!)
MFC after:	1 month
2004-12-10 02:38:21 +00:00
brooks
e25eb8fca3 Remove a duplicate line from an apparent merge error in rev 1.63. 2004-11-25 01:09:41 +00:00
ceri
46aaa9be63 Be more clear that "bridged" is a synonym for "layer2".
PR:		docs/44400
Submitted by:	Constantin Stefanov <cstef at mail dot ru>
2004-11-03 21:51:34 +00:00
andre
7c8480e7f1 Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload.
Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8)
man pages.
2004-10-22 19:12:01 +00:00
csjp
379f33f67e Add a note to the man page warning users about possible lock order
reversals+system lock ups if they are using ucred based rules
while running with debug.mpsafenet=1.

I am working on merging a shared locking mechanism into ipfw which
should take care of this problem, but it still requires a bit more
testing and review.
2004-10-09 20:07:33 +00:00
green
12529a8a9d Reference altq(4) instead of pf.conf(5).
Tip of the hat to:	mlaier
2004-10-08 03:31:09 +00:00
green
a5dc9b9268 Commit forgotten documentation for "diverted" rules. 2004-10-08 03:24:10 +00:00
green
a1e8028c61 Remove blindly-copied extra include path. 2004-10-03 06:32:37 +00:00
green
cb606898b9 Add support to IPFW for matching by TCP data length. 2004-10-03 00:47:15 +00:00
green
cdf18c02e6 Add the documentation for IPFW's diverted(-loopback|-output) matches. 2004-10-03 00:35:52 +00:00
green
4f70622005 Add support to IPFW for classification based on "diverted" status
(that is, input via a divert socket).
2004-10-03 00:26:35 +00:00
green
4454a09917 Remove accidentally-added O_DIVERTED section. 2004-10-03 00:24:42 +00:00
green
a1ab5f0c7d Add to IPFW the ability to do ALTQ classification/tagging. 2004-10-03 00:17:46 +00:00
csjp
88c0121fcb Since "d" is an array of 32 bit values, it is more
correct to change the cast from unsigned int to uint32_t.

Pointed out by:	luigi
2004-09-21 22:12:43 +00:00
ru
35fa627d61 Prepare for 5.x soon becoming -STABLE.
Pointed out by:	-current users
2004-09-19 14:30:59 +00:00
andre
eba7c4085c Make 'ipfw tee' behave as inteded and designed. A tee'd packet is copied
and sent to the DIVERT socket while the original packet continues with the
next rule.  Unlike a normally diverted packet no IP reassembly attemts are
made on tee'd packets and they are passed upwards totally unmodified.

Note: This will not be MFC'd to 4.x because of major infrastucture changes.

PR:		kern/64240 (and many others collapsed into that one)
2004-09-13 16:46:05 +00:00
csjp
b1981485f7 Currently when ipfw(8) generates the micro-instructions for rules which
contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical
operator bits get clobbered. Making it impossible to use the ``NOT'' or
``OR'' operators with uid, gid and jail based constraints.

The ipfw_insn instruction template contains a ``len'' element which
stores two pieces of information, the size of the instruction
(in 32-bit words) in the low 6 bits of "len" with the 2 remaining
bits to implement OR and NOT.

The current code clobbers the OR and NOT bits by initializing the
``len'' element to the size, rather than OR'ing the bits. This change
fixes this by changing the initialization of cmd->len to an OR operation
for the O_UID, O_GID and O_JAIL opcodes.

This may be a MFC candidate for RELENG_5.

Reviewed by:	andre
Approved by:	luigi
PR:		kern/63961 (partially)
2004-09-11 19:44:29 +00:00
maxim
e510005b1a o Initialize a local variable and make gcc happy.
PR:		bin/71485
Submitted by:	Jukka A. Ukkonen
2004-09-10 13:42:24 +00:00
maxim
d003e4e10f o Restore a historical ipfw1 logamount behaviour: rules with 'log'
keyword but without 'logamount' limit the amount of their log messages
by net.inet.ip.fw.verbose_limit sysctl value.

RELENG_5 candidate.

PR:		kern/46080
Submitted by:	Dan Pelleg
MFC after:	1 week
2004-08-29 08:25:02 +00:00
pjd
aa05ee70bc Fix 'show' command for pipes and queues.
PR:		bin/70311
Submitted by:	Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
MFC after:	3 days
2004-08-23 19:20:27 +00:00
csjp
d0ccd82499 Remove trailing whitespace and change "prisoniD" to "prisonID".
Pointed out by:	simon
Approved by:	bmilekic (mentor)
2004-08-13 02:50:59 +00:00
csjp
6661aed38d Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is it's ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
  to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While Iam here, add a comment informing others that if they
  want to add additional opcodes, they should append them to the end
  of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
  set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

    ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by:	pjd
Reviewed by:	rwatson
Approved by:	bmilekic (mentor)
2004-08-12 22:06:55 +00:00
andre
649b4336f4 New ipfw option "antispoof":
For incoming packets, the packet's source address is checked if it
 belongs to a directly connected network.  If the network is directly
 connected, then the interface the packet came on in is compared to
 the interface the network is connected to.  When incoming interface
 and directly connected interface are not the same, the packet does
 not match.

Usage example:

 ipfw add deny ip from any to any not antispoof in

Manpage education by:	ru
2004-08-09 16:12:10 +00:00
andre
695543e4da Extend versrcreach by checking against the rt_flags for RTF_REJECT and
RTF_BLACKHOLE as well.

To quote the submitter:

 The uRPF loose-check implementation by the industry vendors, at least on Cisco
 and possibly Juniper, will fail the check if the route of the source address
 is pointed to Null0 (on Juniper, discard or reject route). What this means is,
 even if uRPF Loose-check finds the route, if the route is pointed to blackhole,
 uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode
 as a pseudo-packet-firewall without using any manual filtering configuration --
 one can simply inject a IGP or BGP prefix with next-hop set to a static route
 that directs to null/discard facility. This results in uRPF Loose-check failing
 on all packets with source addresses that are within the range of the nullroute.

Submitted by:	James Jun <james@towardex.com>
2004-07-21 19:55:14 +00:00
ru
46fddaa54b Mechanically kill hard sentence breaks. 2004-07-02 21:45:06 +00:00
ru
08b51f3241 Fixed a bug spotted by compiling with -Wall. 2004-06-10 07:51:11 +00:00
ru
27bed143c8 Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets.  Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after:	1 week
2004-06-09 20:10:38 +00:00
csjp
77c46c25ea o Move NEED1 macro to the top of the source file.
o Add sanity checking to the firewall delete operation
  which tells the user that a firewall rule
  specification is required.

The previous behaviour was to exit without reporting any
errors to the user.

Approved by:	bmilekic (mentor)
2004-06-02 21:12:55 +00:00
maxim
2b2f469df0 o Fix usage example.
PR:		docs/67065
Submitted by:	David Syphers
2004-05-23 19:05:59 +00:00
stefanf
5aa1920310 Remove spurious semicolons.
Approved by:	das (mentor)
Reviewed by:	ipfw@
2004-05-18 13:57:37 +00:00
csjp
02de288baa Remove redundant sanity check before add_mac() when adding
mac ipfw rules. The exact same sanity check is performed as
the first operation of add_mac(), so there is no sense
in doing it twice.

Approved by:	bmilekic (mentor)
PR:		bin/55981
2004-05-09 01:53:31 +00:00
andre
d4f49f008f Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table.  The
default route is ignored because it would match everything and
render the check pointless.

This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.

Example:

 ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

  ip verify unicast source reachable-via any

Reviewed by:	luigi
2004-04-23 14:28:38 +00:00
maxim
7c2d493645 o Fix an incorrect parsing of 0.0.0.0/0 expression.
PR:		kern/64778
MFC after:	6 weeks
2004-04-09 17:26:01 +00:00
ceri
77f01944ce Backout revision 1.140; it seems that the previous version is clear
enough.

Requested by:	ru
2004-03-27 14:13:53 +00:00
maxim
b44c8fb7c5 o The lenght of the port list is limited to 30 entries in ipfw2 not to 15.
PR:		docs/64534
Submitted by:	Dmitry Cherkasov
MFC after:	1 week
2004-03-26 19:09:22 +00:00
ceri
4eac8b9f7d Clarify the description of the "established" option.
PR:		docs/50391
Submitted by:	root@edcsm.jussieu.fr
MFC after:	1 week
2004-03-22 21:24:38 +00:00
maxim
ed6eaf7bd9 o Pass a correct argument to errx(3).
PR:		bin/61846
Submitted by:	Eugene Grosbein
MFC after:	1 week
2004-01-24 19:20:09 +00:00
mtm
2ee2805e83 grammar 2004-01-23 06:37:19 +00:00
maxim
d675b0ba7c o -c (compact) flag is ipfw2 feature.
PR:		bin/56328
MFC after:	3 days
2004-01-15 12:59:44 +00:00